Former SAP CEO Bill McDermott taking over as ServiceNow CEO

When Bill McDermott announced he was stepping down as CEO at SAP a couple of weeks ago, it certainly felt like a curious move — but he landed on his feet pretty quickly. ServiceNow announced he would be taking over as CEO there. The transition will take place at year-end.

If you’re wondering what happened to the current ServiceNow CEO, John Donahoe, well, he landed a job as CEO at Nike. The CEO carousel goes round and round (and painted ponies go up and down).

Jeff Miller, lead independent director on the ServiceNow board of directors, was “thrilled” to have McDermott fill the void left by Donahoe’s departure. “His global experience and proven track record will provide for a smooth transition and continued strong leadership. Bill will further enhance ServiceNow’s momentum and reputation as a digital workflows leader committed to customer success, and as a preferred strategic partner enabling enterprise digital transformation,” Miller said in a statement.

Jennifer Morgan and Christian Klein replaced McDermott as co-CEOs at SAP, and during the announcement, McDermott indicated he would stay until the end of the year to help with the transition. After that, no vacation for McDermott, who will apparently start at ServiceNow after his obligations at SAP end.

As Frederic Lardinois wrote regarding McDermott’s resignation:

I last spoke to McDermott about a month ago, during a fireside chat at our TechCrunch Sessions: Enterprise event. At the time, I didn’t come away with the impression that this was a CEO on his way out (though McDermott reminded me that if he had already made his decision a month ago, he probably wouldn’t have given it away).

ServiceNow is a much different company than SAP. SAP was founded in 1972 and was a traditional on-premises software company. ServiceNow was founded in 2004 and was born as a SaaS company. While McDermott was part of a transition from a traditional, on-premises enterprise software company to the cloud, working at ServiceNow he will be leading a much smaller organization. Published estimates have SAP at around 100,000 employees, while ServiceNow now has around 10,000.

It’s worth noting that the company made the announcement after the market closed, alongside its latest quarterly earnings. Wall Street did not appear to like the news, as the stock was down $13.34, or 5.84%, in early after-hours trading.

In latest $10B JEDI contract twist, Defense secretary recuses himself

The JEDI drama never stops. The $10 billion, decade-long cloud contract has produced a series of twists and turns since the project was announced in 2018. These include everything from court challenges to the president getting involved to accusations of bias and conflict of interest. It has had all this and more. Today, in the latest plot twist, the Secretary of Defense Mark Esper recused himself from the selection process because one of his kids works at a company that was involved earlier in the process.

Several reports name his son, Luke Esper, who has worked at IBM since February. The RFP closed in April and Esper is a Digital Strategy Consultant, according to his LinkedIn page (which is no longer available), but given the persistent controversy around this deal, his dad apparently wanted to remove even a hint of impropriety in the selection and review process.

Chief Pentagon Spokesperson Jonathan Rath Hoffman issued an official DoD Cloud update earlier today:

As you all know, soon after becoming Secretary of Defense in July, Secretary Esper initiated a review of the Department’s cloud computing plans and to the JEDI procurement program. As part of this review process he attended informational briefings to ensure he had a full understanding of the JEDI program and the universe of options available to DoD to meet its cloud computing needs. Although not legally required to, he has removed himself from participating in any decision making following the information meetings, due to his adult son’s employment with one of the original contract applicants. Out of an abundance of caution to avoid any concerns regarding his impartiality, Secretary Esper has delegated decision making concerning the JEDI Cloud program to Deputy Secretary Norquist. The JEDI procurement will continue to move to selection through the normal acquisition process run by career acquisition professionals.

Perhaps the biggest beef around this contract, which was supposed to be decided in August, has been the winner-take-all nature of the deal. Only one company will eventually walk away a winner, and there was a persistent belief in some quarters that the deal was designed specifically with Amazon in mind. Oracle’s co-CEO Safra Catz took that concern directly to the president in 2018.

The DoD has repeatedly denied there was any vendor in mind when it created the RFP, and internal Pentagon reviews, courts and a government watchdog agency repeatedly found the procurement process was fair, but the complaints continue. The president got involved in August when he named his then newly appointed defense secretary to look into the JEDI contract procurement process. Now Esper is withdrawing from leading that investigation, and it will be up to others, including his deputy secretary, to finally bring this project over the finish line.

Last April, the DoD named Microsoft and Amazon as the two finalists. It’s worth pointing out that both are leaders in Infrastructure as a Service market share with around 16% and 33%, respectively.

It’s also worth noting that while $10 billion feels like a lot of money, it’s spread out over a 10-year period with lots of possible out clauses built into the deal. To put this deal size into perspective, a September report from Synergy Research found that worldwide combined infrastructure and software service spending in the cloud had already reached $150 billion, a number that is only expected to continue to rise over the next several years as more companies and government agencies like the DoD move more of their workloads to the cloud.

For complete TechCrunch JEDI coverage, see the Pentagon JEDI Contract.

Ransomware Hits B2B Payments Firm Billtrust

Business-to-business payments provider Billtrust is still recovering from a ransomware attack that began last week. The company said it is in the final stages of bringing all of its systems back online from backups.

With more than 550 employees, Lawrence Township, N.J.-based Billtrust is a cloud-based service that lets customers view invoices, pay, or request bills via email or fax. In an email sent to customers today, Billtrust said it was consulting with law enforcement officials and with an outside security firm to determine the extent of the breach.

“Our standard security and back-up procedures have been and remain instrumental in our ability to execute the ongoing restoration of services,” the email reads. “Out of an abundance of caution, we cannot disclose the precise ransomware strains but will do so as soon as prudently possible.”

In an interview with KrebsOnSecurity on Monday evening, Billtrust CEO Steven Pinado said the company became aware of a malware intrusion on Thursday, Oct. 17.

“We’re aware of the malware and have been able to stop the activity within our systems,” Pinado said. “We immediately started focusing on control, remediation and protection. The impact of that was several systems were no longer available to our customers. We’ve been fighting the fight, working on restoring services and also digging into the root cause.”

A report from BleepingComputer cites an unnamed source saying the ransomware strain that hit Billtrust was the BitPaymer ransomware, but that information could not be confirmed.

One of Billtrust’s customers has published a day-by-day chronology of the attack and communications from the company here (h/t @gossithedog).

Pinado said Billtrust had restored most of its systems, and that it was in the process now of putting additional security measures in place. He declined to discuss anything related to the ransomware attack, such as whether the company paid a ransom demand in exchange for a key to unlock files scrambled by the malware, although he allowed Billtrust does have cybersecurity insurance for just such occasions.

Billtrust recently teamed up with Visa to launch the Billtrust Business Payments Network, an effort to digitize payments between businesses.

Cloud service providers are a favorite target of attackers who deal in ransomware. In August, Wisconsin-based PerCSoft paid a hefty ransom to get out from beneath an attack that separated hundreds of dental offices from their patient records.

In July, attackers hit QuickBooks cloud hosting firm iNSYNQ, holding data hostage for many of the company’s clients. In February, cloud payroll data provider Apex Human Capital Management was knocked offline for three days following a ransomware infestation.

On Christmas Eve 2018, cloud hosting provider Dataresolution.net took its systems offline in response to a ransomware outbreak on its internal networks. The company was adamant that it would not pay the ransom demand, but it ended up taking several weeks for customers to fully regain access to their data.

APT and the Enterprise – FUD or Real Threat?

It is a well-known fact that cybercrime is on the rampage. More organizations are being hit by financially motivated cyber attacks during 2019 than ever before. And yet, as scary as cybercrime might be, it is not nearly as ominous as the word “APT”. The term, which stands for Advanced Persistent Threat group, was coined in the early 2000s and made popular after Mandiant’s APT 1 report, revealing the activities of one of China’s elite cyber espionage units. Since then, there have been countless exposés of nation-state campaigns against governments, journalists and ethnic groups.


These cyber attacks are of the highest sophistication, often utilizing purpose-built, never-seen-before tools and elaborate TTPs for realizing the attacker’s nefarious goals. The combination of the (very prominent) threat actors, their motives and their targets has caused the general corporate population to consider APT threats to be of lesser importance. After all, why should the Chinese/North Koreans/Russians/Iranians care to attack a ‘regular’ corporate entity like ourselves? And if they did, what could we do about it, anyway? The very notion of an APT seems to generate a general feeling of apathy in the face of overwhelmingly sophisticated and powerful threat actors.

But lately, as more and more APT campaigns have become exposed, it seems that the traditional notion of what an APT is, the potential risks it can pose to enterprises and the defensive options available to enterprises are starting to change.

What Are The Motives of APTs?

Let’s take a deeper look at the motives of nation-state hackers:

Diplomatic/ Political – Nation-state hackers operate to execute diplomatic and political policies of their countries. As such, they will target opposing states, dissidents, political leaders in exile and ethnic minorities in order to collect information or interfere with their activities. 

Military – In a similar fashion, offensive cyber activities are carried out in order to obtain intelligence, interfere with the opponents’ military operations and deter them from acting in the kinetic domain.

Economic – Cyber attacks can be used to hurt enemy states financially. Iran has waged a destructive campaign against US banks and then against the Saudi oil industry. The explicit goal of such attacks is to cause financial losses to their targets. 

Obtaining knowledge and IP – Some nations are infamous for stealing intellectual property. As Defense Secretary Mark Esper recently noted, “The PRC is perpetrating the greatest intellectual property theft in human history”. This now involves mostly cyber means, and targets any corporation or institution with IP that could be relevant to the development of Chinese industry. That includes any IP from academia to telecom, defense industries and aviation.

Financial – A rather new motive, currently linked to North Korea’s struggles to obtain sufficient foreign currency to support its advanced weapons program. As part of these efforts, the North Koreans have reportedly stolen almost $3 billion in cyber attacks against financial institutions, according to a secret UN report. Lately, they have shifted their efforts towards obtaining payment card details from ATMs in India.

Sometimes It’s Unclear – Recent evidence indicates that the lines between nation-state hackers and “simple” cybercriminals are blurring. Sometimes nation-state hackers will masquerade as cybercriminals in order to hide their true targets and goals – governments, manufacturing, energy, and utilities.

Are Enterprises Being Targeted by APTs?

As we’ve seen, nation-state hackers can attack businesses, either directly (for financial gain or to steal IP) or as a form of “collateral damage”. The latter is a recent development stemming from the complex structure of today’s supply chains. Nation-state hackers can now work their way up the supply chain, starting from smaller enterprises, compromising these and moving on to bigger, more lucrative targets. An attack in this fashion was identified recently by the French cybersecurity agency ANSSI (Agence Nationale de la Sécurité des Systèmes d’Information), which alerted the European aerospace giant Airbus to a series of attacks that targeted its suppliers in a search for commercial secrets. Security sources told AFP that they suspected the attack was linked to a Chinese APT group. These suppliers are not necessarily from the defense or aviation industries themselves, and as such are not under the same strict regulations that demand robust cybersecurity systems for companies such as Airbus.

Similarly, another attack targeted Saudi IT firms in order to obtain access to more secure targets. 

What Can You Do About APT Threats?

Indeed, a nation-state campaign targeting your enterprise, whether directly or indirectly, is a pretty scary affair. But a deeper look at the tools and tactics used by these hackers reveals that, however proficient, they use TTPs similar to those of all other attackers. They perform routine reconnaissance activities like network scanning, employ social engineering to obtain credentials, deliver their payloads via email (usually hidden within documents or images) and infect endpoints in order to obtain access to data and then exfiltrate it. Regarding the Airbus attack mentioned above, ANSSI stated the attackers gained initial access to the target networks by exploiting security vulnerabilities at endpoints. Once in, they spread laterally across the network to meet their operational objectives.

Or, for another example, consider the North Korean campaign that targeted the 2018 Olympics. This extremely sophisticated and prolonged campaign started with a malware-laden Word document that supposedly contained a list of VIP delegates to the games and had likely been emailed to Olympics staff as an attachment. The attachment included a macro script that planted a backdoor on the victims’ PCs. These attacks should have been identified and stopped at an earlier stage, if only the victims had had robust security systems (such as email and endpoint security) in place.

APTs: Separate the Fact From the FUD

A number of myths have built up around APTs from the inevitable FUD created by blazing media headlines. Accepting these beliefs uncritically can lead managers into adopting a kind of fatalistic apathy about their security posture. This is not only dangerous, it is unnecessary. Let’s take a look at them.

Myth 1: You can’t stop a determined attacker from getting in; the best you can do is make it as difficult as possible.

Reality: Anyone committed to this belief is committed to it based on faith, not fact. Facts require evidence. Of course, we only ever hear about threat actors’ successes and suspected attributions in the news headlines. “Fancy Bear Fails Again” isn’t a headline we’re likely to see, but the truth is that thousands of attempted and unattributed attacks are stopped on a daily basis. Believing that APT groups never fail and cannot be made to fail when it comes to your own organization is, first, just that: an unsupported belief; and second, a recipe for disaster. As we’ve argued elsewhere, you own your endpoints. And with the right approach, there’s no reason to concede that battleground to external entities.

Myth 2: Nation-state APTs have all the resources necessary to defeat any security.

Reality: As we noted above, most discovered APT breaches leverage well-known and cataloged TTPs and succeed, when they do, more often than not by persistently banging on the same door with relentless phishing campaigns. And even when it turns out that zero days are being traded and hoarded by certain groups, the fact is that even heavily resourced APTs are constrained by reality. You can’t defeat strong encryption; you can’t hide malicious behavior from a solution that sees everything and whitelists nothing; and you can’t change the fact that if you want to steal data, you have to move it from a device inside the organization to a device outside of it. That transfer is always detectable – at least in principle, and very often in practice. These realities provide defenders with opportunities to actively detect and respond to cyber attacks, even those undertaken by the most advanced APT groups. Remember, almost every APT-scary headline you ever read came about as a result of that APT’s activity being detected.

Myth 3: Our enterprise isn’t of interest to APT groups; we’re too small or unimportant to be noticed.

Reality: This is the most dangerous myth of all. It’s analogous to the child’s “if I close my eyes the monster can’t see me” defence. Fortunately, an increasing number of senior executives are learning that in this age of ‘big data’ and machine learning, with its requirement for massive datasets, there are many ‘ordinary’ public actors – from Google to Facebook to university research departments – that are interested in everything, and everyone. These groups know that information is power, and the same holds even more true for nation-states and the cyber groups that work on their behalf. Be assured, in this digital, connected world, information about your business and its activities is of value to someone, somewhere, no matter what you do.

Conclusion

The Russians ARE coming. So are the Chinese, Koreans, Iranians, and all the rest. There is no use in hiding or pretending that your enterprise is not at risk. On the other hand, there is no need to panic either. Employ sufficient security means, ones that can detect never-seen-before threats and contain them, engage in threat analysis, and develop your incident response plan. Lay solid security foundations, and you will be reasonably well secured even from the foreign spooks. 


Veteran enterprise exec Bob Stutz is heading back to SAP

Bob Stutz has had a storied career with enterprise software companies, including stints at Siebel Systems, SAP, Microsoft and Salesforce. He announced on Facebook last week that he’s leaving his job as head of the Salesforce Marketing Cloud and heading back to SAP as president of customer experience.

Bob Stutz Facebook announcement

Constellation Research founder and principal analyst Ray Wang says that Stutz has a reputation for taking companies to the next level. He helped put Microsoft CRM on the map (although it still had just 2.7% market share in 2018, according to Gartner) and he helped move the needle at Salesforce Marketing Cloud.


Bob Stutz, SAP’s new president of customer experience (Photo: Salesforce)

“Stutz was the reason Salesforce could grow in the Marketing Cloud and analytics areas. He fixed a lot of the fundamental architectural and development issues at Salesforce, and he did most of the big work in the first 12 months. He got the acquisitions going, as well,” Wang told TechCrunch. He added, “SAP has a big portfolio, from CallidusCloud to Hybris to Qualtrics, to put together. Bob is the guy you bring in to take a team to the next level.”

Brent Leary, who is a long-time CRM industry watcher, says the move makes a lot of sense for SAP. “Having Bob return to head up their Customer Experience business is a huge win for SAP. He’s been everywhere, and everywhere he’s been was better for it. And going back to SAP at this particular time may be his biggest challenge, but he’s the right person for this particular challenge,” Leary said.


The move comes against the backdrop of lots of changes going on at the German software giant. Long-time CEO Bill McDermott recently announced he was stepping down, and that Jennifer Morgan and Christian Klein would be replacing him as co-CEOs. Earlier this year, the company saw a line of other long-time executives and board members head out the door, including SAP SuccessFactors COO Brigette McInnis-Day; Robert Enslin, president of its cloud business and a board member; CTO Björn Goerke; and Bernd Leukert, a member of the executive board.

Having Stutz on board could help stabilize the situation somewhat, as he brings more than 25 years of solid software company experience to bear on the company.

Microsoft acquires Mover to help with Microsoft 365 cloud migration

Microsoft wants to make it as easy as possible to migrate to Microsoft 365, and today the company announced it had purchased a Canadian startup called Mover to help. The companies did not reveal the acquisition price.

Microsoft 365 is the company’s bundle that includes Office 365, Microsoft Teams, security tools and workflow. The idea is to provide customers with a soup-to-nuts, cloud-based productivity package. Mover helps customers get files from another service into the Microsoft 365 cloud.

As Jeff Tepper wrote in a post on the Official Microsoft Blog announcing the acquisition, this is about helping customers get to the Microsoft cloud as quickly and smoothly as possible. “Today, Mover supports migration from over a dozen cloud service providers — including Box, Dropbox, Egnyte, and Google Drive — into OneDrive and SharePoint, enabling seamless file collaboration across Microsoft 365 apps and services, including the Office apps and Microsoft Teams,” Tepper wrote.

Tepper also points out that Microsoft will be gaining the expertise of the Mover team as it moves to Microsoft and helps extend the migration tools already in place.

Tony Byrne, founder and principal analyst at Real Story Group, says that moving files from one system to another like this can be extremely challenging regardless of how you do it, and the file transfer mechanism is only part of it. “The transition to 365 from an on-prem system or competing cloud supplier is never a migration, per se. It’s a rebuild, with a completely different UX, admin model, set of services and operational assumptions all built into the Microsoft cloud offering,” Byrne explained.

Mover is based in Edmonton, Canada. It was founded in 2012 and raised $1 million, according to Crunchbase data. It counts some big clients as customers, including AutoDesk, Symantec and BuzzFeed.

Avast, NordVPN Breaches Tied to Phantom User Accounts

Antivirus and security giant Avast and virtual private networking (VPN) software provider NordVPN each today disclosed months-long network intrusions that — while otherwise unrelated — shared a common cause: Forgotten or unknown user accounts that granted remote access to internal systems with little more than a password.

Based in the Czech Republic, Avast bills itself as the most popular antivirus vendor on the market, with over 435 million users. In a blog post today, Avast said it detected and addressed a breach lasting between May and October 2019 that appeared to target users of its CCleaner application, a popular Microsoft Windows cleanup and repair utility.

Avast said it took CCleaner downloads offline in September to check the integrity of the code and ensure it hadn’t been injected with malware. The company also said it invalidated the certificates used to sign previous versions of the software and pushed out a re-signed clean update of the product via automatic update on October 15. It then disabled and reset all internal user credentials.

“Having taken all these precautions, we are confident to say that our CCleaner users are protected and unaffected,” Avast’s Jaya Baloo wrote.

This is not the first so-called “supply chain” attack on Avast: In September 2018, researchers at Cisco Talos and Morphisec disclosed that hackers had compromised the computer cleanup tool for more than a month, leading to some 2.27 million downloads of the corrupt CCleaner version.

Avast said the intrusion began when attackers used stolen credentials for a VPN service that was configured to connect to its internal network, and that the attackers were not challenged with any sort of multi-factor authentication — such as a one-time code generated by a mobile app.

“We found that the internal network was successfully accessed with compromised credentials through a temporary VPN profile that had erroneously been kept enabled and did not require 2FA,” Baloo wrote.

THE NORDVPN BREACH

Separately, NordVPN, a virtual private networking service that promises to “protect your privacy online,” confirmed reports that it had been hacked. “Today’s acknowledgment and blog post mortem from Nord comes just hours after it emerged that NordVPN had an expired internal private key exposed, potentially allowing anyone to spin out their own servers imitating NordVPN,” writes Zack Whittaker at TechCrunch.

VPN software creates an encrypted tunnel between your computer and the VPN provider, effectively blocking your ISP or anyone else on the network (aside from you and the VPN provider) from being able to tell which sites you are visiting or viewing the contents of your communications. This can offer a measure of anonymity, but the user also is placing a great deal of trust in that VPN service not to get hacked and expose this sensitive browsing data.

NordVPN’s account seems to downplay the intrusion, saying that while the attackers could have used the private keys to intercept and view some of its customers’ traffic, they would have been limited to eavesdropping on communications routing through just one of the company’s more than 3,000 servers.

“The server itself did not contain any user activity logs; none of our applications send user-created credentials for authentication, so usernames and passwords couldn’t have been intercepted either,” reads the NordVPN blog post. “On the same note, the only possible way to abuse the website traffic was by performing a personalized and complicated man-in-the-middle attack to intercept a single connection that tried to access NordVPN.”

NordVPN said the intrusion happened in March 2018 at one of its datacenters in Finland, noting that “the attacker gained access to the server by exploiting an insecure remote management system left by the datacenter provider while we were unaware that such a system existed.” NordVPN declined to name the datacenter provider, but said the provider removed the remote management account without notifying them on March 20, 2018.

“When we learned about the vulnerability the datacenter had a few months back, we immediately terminated the contract with the server provider and shredded all the servers we had been renting from them,” the company said. “We did not disclose the exploit immediately because we had to make sure that none of our infrastructure could be prone to similar issues. This couldn’t be done quickly due to the huge amount of servers and the complexity of our infrastructure.”


TechCrunch took NordVPN to task on the somewhat dismissive tone of its breach disclosure, noting that the company suffered a significant breach that went undetected for more than a year.

Kenneth White, director of the Open Crypto Audit Project, said on Twitter that based on the dumped Pastebin logs detailing the extent of the intrusion, “the attacker had full remote admin on their Finland node containers.”

“That’s God Mode folks,” White wrote. “And they didn’t log and didn’t detect it. I’d treat all their claims with great skepticism.”

ANALYSIS

Many readers are curious about whether they should enshroud all of their online communications by using a VPN. However, it’s important to understand the limitations of this technology, and to take the time to research providers before entrusting them with virtually all your browsing data — and possibly even compounding your privacy woes in the process. For a breakdown on what you should keep in mind when considering a VPN service, see this post.

Forgotten user accounts that provide remote access to internal systems — such as VPN and Remote Desktop services (RDP) — have been a persistent source of data breaches for years. Thousands of small to mid-sized brick-and-mortar businesses have been relieved of millions of customer payment card records over the years when their hacked IT contractors used the same remote access credentials at each client location.

Almost all of these breaches could have been stopped by requiring a second form of authentication in addition to a password, which can easily be stolen or phished.
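The two root causes described above (a temporary VPN profile left enabled with no 2FA, and a remote-management account the tenant did not know existed) are both failures to reconcile a remote-access account inventory. The following audit is an added example written for this article, not code from Avast, NordVPN or the author; the account export, the authorized inventory and the field names are all constructed assumptions, not a real appliance’s schema.

```python
"""Audit a remote-access (VPN / remote management) account export.

Added example, not part of the article or either vendor's tooling. The
account records and the authorized inventory below are constructed for
illustration; the field names are assumptions, not a real product's schema.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class RemoteAccount:
    name: str
    enabled: bool
    mfa_enrolled: bool
    temporary: bool              # created for a one-off need
    expires: Optional[date]      # intended end of life, if any
    last_login: Optional[date]   # None means never used


# Constructed export, shaped like what a VPN appliance might dump.
ACCOUNTS = [
    RemoteAccount("alice", True, True, False, None, date(2019, 10, 18)),
    # temporary profile that was never disabled after its end date
    RemoteAccount("contractor-tmp", True, False, True, date(2019, 5, 31), date(2019, 9, 30)),
    # account nobody in the owning team knows about
    RemoteAccount("dc-provider-mgmt", True, False, False, None, None),
    # legitimate but long unused
    RemoteAccount("old-svc", True, True, False, None, date(2018, 3, 1)),
    # already disabled: grants no access, so it is out of scope
    RemoteAccount("bob", False, False, True, date(2018, 1, 1), None),
]

# Accounts the owning team has actually authorized (constructed).
AUTHORIZED = {"alice", "contractor-tmp", "old-svc", "bob"}

STALE_AFTER = timedelta(days=90)
AUDIT_DATE = date(2019, 10, 21)   # fixed so results are reproducible


def audit(accounts, authorized, today):
    """Return {account_name: [finding, ...]} for every enabled account
    that violates at least one rule. Disabled accounts are skipped
    because the findings are meant to describe live risk only."""
    findings = {}
    for acct in accounts:
        if not acct.enabled:
            continue
        problems = []
        if acct.name not in authorized:
            problems.append("not in authorized inventory")
        if acct.temporary and acct.expires is not None and acct.expires < today:
            problems.append(f"temporary account past expiry {acct.expires.isoformat()}")
        if not acct.mfa_enrolled:
            problems.append("password-only, no MFA")
        if acct.last_login is None:
            problems.append("never used")
        elif today - acct.last_login > STALE_AFTER:
            problems.append(f"no login for {(today - acct.last_login).days} days")
        if problems:
            findings[acct.name] = problems
    return findings


def run_audit():
    """Run the audit over the constructed data with the fixed audit date."""
    return audit(ACCOUNTS, AUTHORIZED, AUDIT_DATE)


if __name__ == "__main__":
    for name, problems in sorted(run_audit().items()):
        print(f"{name}:")
        for p in problems:
            print(f"  - {p}")
```

Running it flags contractor-tmp (expired, no MFA), dc-provider-mgmt (unknown, no MFA, never used) and old-svc (stale), while alice and the disabled bob pass.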

The persistent supply chain attack against Avast brings to mind something I was considering the other day about the wisdom of allowing certain software to auto-update itself whenever it pleases. I’d heard from a reader who was lamenting the demise of programs like Secunia’s Personal Software Inspector and FileHippo, which allowed users to automatically download and install available updates for a broad range of third-party Windows programs.

These days, I find myself seeking out and turning off any auto-update functions in software that I install. I’d rather be alerted to new updates when I launch the program and have the ability to review what’s changing and whether anyone has experienced issues with the new version. I guess you could say years of dealing with unexpected surprises on Microsoft Patch Tuesdays has cured me of any sort of affinity I may have once had for auto-update features.

The Good, the Bad and the Ugly in Cybersecurity – Week 42


The Good

After only a partially successful attempt to get security researchers hacking on voting machines at DEF CON 2019, several hundred US military and National Guard cyber security troops have this week been training for Election Day 2020 at AvengerCon. The two-day event, which is only open to US Cyber Command employees, aims to test both voting machines and the people responsible for protecting them in the event of an Election Day cyber attack. Participants at the con will get their hands on the actual voting machines scheduled to be used in next year’s election and will also run drills to test responses to attacks on the electric grid and other voting machine infrastructure. The organizers are also hoping to raise wider public awareness of the vulnerabilities in voting machine technology, which could be used to erase votes or prevent legitimate voters from participating by deleting their details from databases. To that end, they are also promoting the recently formed Election Integrity Foundation, which interested readers can follow on Twitter at @ElectionInteg.


The Bad

If you’ve been lucky enough not to have received one of the many sextortion spam emails that have been circulating in increasing numbers over the last few years, congratulate yourself on having a fine set of spam and junk mail filters. Fingers crossed that they keep up the good work, though, as the half-million-strong Phorpiex (aka Trik) botnet turns its attention away from ransomware like GandCrab and cryptomining to deliver millions more of the blackmail payment demands. According to researchers, the botnet is now using its network of infected devices to run sextortion campaigns at a massive scale. It’s estimated that a single Phorpiex spam bot can generate up to 30,000 spam emails per hour. The bot downloads one of over a thousand database files, each containing up to 20,000 email addresses, from its C2 server. The researchers suggest that a single campaign could potentially target 27 million individual email inboxes.

image of sextortion code

The Ugly

Who knew it could be so easy? Well, Samsung do now, along with the rest of the world. After a British couple accidentally discovered that the fingerprint reader in their Galaxy S10 would grant access to anyone if covered with a plastic screen protector, people all around the world were able to confirm that the fingerprint reader was easily defeated by nothing more than a thin film of plastic.

image of fingerprint unlock

The issue appears to revolve around the fact that, unlike smartphones from almost all other manufacturers, the affected Samsung devices use an unconventional ultrasonic sensor rather than an optical reader. It seems common plastics disrupt the ultrasound pulses sent out by the sensor, and the unexpected readings cause the underlying software to unlock the device.

The same bug also affects the Galaxy Note 10, and users are being advised to switch off the fingerprint-recognition option, particularly if using mobile banking or other apps that contain confidential data. Meanwhile, Samsung say they are aware of the “malfunctioning fingerprint recognition” and will issue a software patch soon.


Like this article? Follow us on LinkedIn, Twitter, YouTube or Facebook to see the content we post.

Read more about Cyber Security

Edge computing startup Pensando comes out of stealth mode with a total of $278 million in funding

Pensando, an edge computing startup founded by former Cisco engineers, came out of stealth mode today with an announcement that it has raised a $145 million Series C. The company’s software and hardware technology, created to give data centers more of the flexibility of cloud computing servers, is being positioned as a competitor to Amazon Web Services Nitro.

The round was led by Hewlett Packard Enterprise and Lightspeed Venture Partners and brings Pensando’s total raised so far to $278 million. HPE chief technology officer Mark Potter and Lightspeed Venture partner Barry Eggers will join Pensando’s board of directors. The company’s chairman is former Cisco CEO John Chambers, who is also one of Pensando’s investors through JC2 Ventures.

Pensando was founded in 2017 by Mario Mazzola, Prem Jain, Luca Cafiero and Soni Jiandani, a team of engineers who spearheaded the development of several of Cisco’s key technologies, and founded four startups that were acquired by Cisco, including Insieme Networks. (In an interview with Reuters, Pensando chief financial officer Randy Pond, a former Cisco executive vice president, said it isn’t clear if Cisco is interested in acquiring the startup, adding “our aspirations at this point would be to IPO. But, you know, there’s always other possibilities for monetization events.”)

The startup claims its edge computing platform performs five to nine times better than AWS Nitro, in terms of productivity and scale. Pensando prepares data center infrastructure for edge computing, better equipping them to handle data from 5G, artificial intelligence and Internet of Things applications. While in stealth mode, Pensando acquired customers including HPE, Goldman Sachs, NetApp and Equinix.

In a press statement, Potter said “Today’s rapidly transforming, hyper-connected world requires enterprises to operate with even greater flexibility and choices than ever before. HPE’s expanding relationship with Pensando Systems stems from our shared understanding of enterprises and the cloud. We are proud to announce our investment and solution partnership with Pensando and will continue to drive solutions that anticipate our customers’ needs together.”

Writing Malware Traffic Decrypters for ISFB/Ursnif

The Zero2Hero malware course continues with Daniel Bunce explaining how to decrypt communication traffic between an attacker’s C2 and an endpoint infected with ISFB/Ursnif malware.

Carrying on from last week’s topic of writing malware configuration extractors for ISFB/Ursnif, this week we will be taking a look at writing a traffic decrypter for ISFB. Our aim is to pass a binary and a PCAP as arguments and decrypt the traffic to get access to downloaded payloads, received commands, and more.

Traffic decrypters are very useful when dealing with a prior infection, as they allow the analyst to understand what data was received from and sent to the C2 server. The only downside is that a packet capture is obviously required to get a full overview of what occurred.

In this post, I will be using the Ursnif payload and corresponding PCAP from the Malware Traffic Analysis site, which you can find here.

Summary of the Network Protocol

In this post, I won’t be covering the reverse engineering of the network protocol; however, I will sum it up.

  1. The payload sends an initial GET request to the C2, typically pointing to the directory /images/ with a long string of Base64 encoded, Serpent-CBC encrypted data containing information about the PC and implant.
  2. If the C2 is online, it will reply with a chunk of Base64 encoded and Serpent-CBC encrypted data. The last 64 bytes, however, are not Serpent-CBC encrypted and are in fact encrypted using RSA. Upon decoding and decrypting this using the RSA key embedded in the executable (pointed to by the JJ structure we discussed last time), we are left with data following a similar structure as seen below.

    image of struct last block 64
  3. Using the Serpent-CBC key, MD5, and Size, the sample will decrypt the response and validate it using the MD5 sum. What the sample does next depends on what was received.
  4. Typically, this is used to download the final stage of ISFB, which will be executed after being downloaded.

So, with that covered, let’s take a look at writing a script to extract and decrypt responses!

Writing main() For Our Traffic Decryptor

So the main function only needs to do two things – accept the PCAP and filename as arguments (which can be done very easily with argparse), and then call the functions responsible for gathering packets, extracting the necessary keys, and then decrypting the packets. 

image of main function

With that function complete, let’s move onto scanning the PCAP for suspicious packets that could be responses from the C2 server.

Parsing PCAP Files With parse_packet()

In order to parse the given PCAP I will be using the Scapy module as it contains tools allowing us to easily locate and identify whether a packet is from a possible C2. We can read in the PCAP using rdpcap(), which will store each packet in a list allowing us to loop through it, checking each packet for certain signs. 

Firstly, we can filter for the packets that contain some form of raw data inside them. We can then load this raw data into a variable for further parsing. 

The raw data contains the headers of the packet and the chunk of data sent/received, so we can split it using the \n (newline) delimiter to search specific lines for values. In the first loop seen in the image, we are checking for GET requests pointing to the /images/ directory, and if the packet matches the condition, the destination IP address is appended to the list suspect_c2. Due to some false positives I had in this script, specifically packets containing the strings “GET” and “/images/” because Google searches had contaminated the PCAP, I added an additional check for the string “google.com” to prevent false IPs being added to the list.

image of parse packet function

With a list of suspicious IPs in hand, we can now use these to get the C2 responses. These two loops can be compressed into one; however, I have separated them to improve readability. So, this next loop will once again loop through each of the packets; however, it will only search for packets that are from any of the IPs inside of the suspect_c2 list. 

If a valid response is found, it will be loaded into the variable response, and then split once again using \n. Using this, we check for the HTTP 200 response, meaning the C2 is online. We then search for the string “PHPSESSID” inside the headers, as this is usually present in most ISFB responses (at least for version 2).

We then check for whether or not a null byte is present in the C2 response – this is to prevent overlapping responses. Looking at the PCAP, once the first GET request is made to the C2 server and a response is received, the sample then queries favicon.ico, which contains raw binary data that is not part of the previous response. If we did not search for a null byte in the packet, then the raw binary data would simply be appended to the base64 encoded data – due to the fact that “PHPSESSID” is not present in the packet headers. The reason we append data if it doesn’t have the correct headers is because the response is extremely large, meaning it is sent in chunks of data which we must append together to get the full response.

image of http response

Once a list of packets has been created, we return from the function, but before doing so, we add whatever is stored in data to the responses list. This is done as the final packet that matches all the conditions will not be added to the list as the loop will simply exit.
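The two loops described above, as an added example that is not the post’s own parse_packet() code. Scapy’s rdpcap() is replaced by a constructed list of (src_ip, dst_ip, raw_payload) tuples so it runs offline; with Scapy the same three fields come from pkt[IP].src, pkt[IP].dst and pkt[Raw].load. The IP addresses and payloads are made up, and the sample includes the three cases the text calls out: a Google search false positive, a large response split over two packets, and the binary favicon.ico reply that must not be appended.

```python
# Constructed sample traffic (not from the Malware Traffic Analysis PCAP).
# Each tuple is (src_ip, dst_ip, raw_payload); with Scapy the same fields
# come from pkt[IP].src, pkt[IP].dst and pkt[Raw].load after rdpcap().
SAMPLE_PACKETS = [
    # bot -> C2: the initial GET to /images/
    ("192.0.2.7", "203.0.113.10",
     b"GET /images/aB3dE/f9.avi HTTP/1.1\r\nHost: 203.0.113.10\r\n\r\n"),
    # a Google search hit that also matches "GET" + "/images/" (false positive)
    ("192.0.2.7", "198.51.100.3",
     b"GET /images/branding/logo.png HTTP/1.1\r\nHost: www.google.com\r\n\r\n"),
    # C2 -> bot: first chunk of a large base64 response
    ("203.0.113.10", "192.0.2.7",
     b"HTTP/1.1 200 OK\r\nSet-Cookie: PHPSESSID=deadbeef\r\n"
     b"Content-Type: text/html\r\n\r\nQUJD"),
    # continuation chunk: no headers at all, must be appended to the previous one
    ("203.0.113.10", "192.0.2.7", b"REVG"),
    # bot then asks for favicon.ico, and the reply is raw binary (contains a NUL)
    ("192.0.2.7", "203.0.113.10",
     b"GET /favicon.ico HTTP/1.1\r\nHost: 203.0.113.10\r\n\r\n"),
    ("203.0.113.10", "192.0.2.7",
     b"HTTP/1.1 200 OK\r\nContent-Type: image/x-icon\r\n\r\n\x00\x00\x01\x00"),
    # a second, separate C2 response
    ("203.0.113.10", "192.0.2.7",
     b"HTTP/1.1 200 OK\r\nSet-Cookie: PHPSESSID=cafebabe\r\n\r\nR0hJ"),
]


def find_suspect_c2(packets):
    """First loop: destinations of GET /images/ requests, ignoring any
    packet that mentions google.com (the false positive from the post)."""
    suspect_c2 = []
    for _src, dst, raw in packets:
        if b"google.com" in raw:
            continue
        if any(b"GET" in line and b"/images/" in line for line in raw.split(b"\n")):
            if dst not in suspect_c2:
                suspect_c2.append(dst)
    return suspect_c2


def collect_responses(packets, suspect_c2):
    """Second loop: reassemble each chunked 'HTTP 200' + PHPSESSID response
    from a suspect IP, skipping binary packets (favicon.ico) that carry a NUL."""
    responses, data = [], b""
    for src, _dst, raw in packets:
        if src not in suspect_c2:
            continue
        headers, _, body = raw.partition(b"\r\n\r\n")
        if b"200" in headers.split(b"\n")[0] and b"PHPSESSID" in headers:
            if data:                    # a new response starts: keep the old one
                responses.append(data)
            data = body                 # keep the body only, not the headers
        elif b"\x00" in raw:
            continue                    # raw binary, not part of the response
        else:
            data += raw                 # continuation chunk of a large response
    if data:                            # the last response is never followed by
        responses.append(data)          # another header, so flush it on exit
    return responses


def parse_packet(packets):
    """Equivalent of the post's parse_packet(): (suspect_c2, responses)."""
    suspect_c2 = find_suspect_c2(packets)
    return suspect_c2, collect_responses(packets, suspect_c2)


if __name__ == "__main__":
    c2, resp = parse_packet(SAMPLE_PACKETS)
    print("suspect C2:", c2)
    for r in resp:
        print("response:", r)
```

Splitting the packet into headers and body at the blank line, rather than keeping everything after a \n split, means the base64 blob never picks up header text; the NUL check still does the work of keeping the favicon.ico bytes out of the reassembled response.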

Now that we have a list of suspicious packets, let’s move over to extracting both the RSA key and Serpent key from the executable!

How to Extract RSA & Serpent Keys

This function will be very similar to the configuration extractor, because the RSA key is stored in one blob of data and the Serpent key in another, both of which are pointed to by the JJ structures we looked at last time. The difference is that here we are extracting and parsing the configuration, so I will focus on that.

Once we have located the offsets of the blobs and extracted them, the size of each blob is checked to see if it is equal to 132 bytes (0x84). The reason for this is that this is the typical length of the RSA key stored in the binary. If the length is not equal, then we call the function parse_config(), and pass the APLib decompressed blob as an argument.

image of extract key from executable function

The config parser function is fairly simple. The configuration stored in the binary (after decompression) contains information such as C2 addresses, any DGA URLs, DNS servers to utilize, and also a Serpent key which is used to encrypt the packets sent out. In this case, as we are not looking at decrypting any of the GET requests, it is not vital to have, although if we wanted to see what data was transmitted to the C2, it is required. An example of the config can be seen below. 

image config hexdump

Looking at the image, you’ll notice the strings in the bottom half of the configuration, but you might be wondering what the top half is supposed to be. Well, this is actually a lookup table used by the sample to retrieve specific values. The first two DWORDs in the image shown above are skipped, and then the table begins. The structure of the lookup table values can be seen below and is fairly simple. We are mainly interested in the first three DWORDs as those are the important values. 

image of lookup table struct

Essentially, what happens here is we loop through the lookup table, unpacking the four (includes the UID) DWORDs into four different variables, and using the value in Flags to determine whether the value is a direct pointer to the string or if it must be added to the current position. 

From there, it will check if the CRC hash stored in Name is found in the dictionary containing CRC hashes, which can be seen below. If it is located in the dictionary, it will check the value and see if it matches the string “key”. If it does, the value will be returned and used as the Serpent-CBC key. Otherwise, it will continue to parse the table. More information about this routine and ISFB in general can be found in this paper written by Maciej Kotowicz.

image of parse_config function

image of crc table struct
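A walk over the lookup table as described in the three paragraphs above, as an added example rather than the post’s parse_config(). The entry layout is only shown as an image on the page, so this code assumes an order of flags, name CRC, UID, value (all little-endian DWORDs), assumes that the low flag bit marks a value that is relative to the entry’s own position, and assumes the table ends at an all-zero entry; the field names and zlib.crc32 are placeholders for the sample’s own name set and CRC routine. build_config() constructs a blob in that assumed layout purely so the parser has something to run against.

```python
import struct
import zlib

# Placeholder field names; the real sample uses its own CRC variant and name
# set, so zlib.crc32 is a stand-in for the CRC routine the post refers to.
FIELD_NAMES = ("key", "domains", "dns")
CRC_TABLE = {zlib.crc32(name.encode()): name for name in FIELD_NAMES}

ENTRY = struct.Struct("<IIII")   # ASSUMED entry order: flags, name CRC, uid, value
FLAG_RELATIVE = 0x1              # ASSUMED: set => value is added to the entry position


def parse_config(blob):
    """Walk the lookup table that follows the two skipped DWORDs and resolve
    each entry's NUL-terminated string. Returns {field_name: value}."""
    fields = {}
    pos = 8                             # skip the first two DWORDs
    while pos + ENTRY.size <= len(blob):
        flags, name_crc, uid, value = ENTRY.unpack_from(blob, pos)
        if not (flags or name_crc or uid or value):
            break                       # zero entry terminates the table (assumed)
        offset = pos + value if flags & FLAG_RELATIVE else value
        end = blob.find(b"\x00", offset) if offset < len(blob) else -1
        name = CRC_TABLE.get(name_crc)
        if name is not None and end != -1:
            fields[name] = blob[offset:end].decode("latin-1")
        pos += ENTRY.size
    return fields


def extract_serpent_key(blob):
    """What the post's parse_config() hands back: the entry whose CRC maps to 'key'."""
    return parse_config(blob).get("key")


def build_config(entries):
    """Constructed blob in the ASSUMED layout (what the APLib-decompressed
    config would look like): 8 skipped bytes, table, zero terminator, strings.
    entries: [(field_name, value, use_relative_pointer)]"""
    table_len = ENTRY.size * (len(entries) + 1)
    table, strings = b"", b""
    for i, (name, value, relative) in enumerate(entries):
        entry_off = 8 + ENTRY.size * i
        str_off = 8 + table_len + len(strings)
        flags = FLAG_RELATIVE if relative else 0
        ptr = str_off - entry_off if relative else str_off
        table += ENTRY.pack(flags, zlib.crc32(name.encode()), 0x1000 + i, ptr)
        strings += value.encode() + b"\x00"
    return b"\x00" * 8 + table + b"\x00" * ENTRY.size + strings


# Constructed sample config: one absolute pointer, one relative, one absolute.
SAMPLE_CONFIG = build_config([
    ("domains", "c2-one.example|c2-two.example", False),
    ("key", "0123456789abcdef", True),
    ("dns", "192.0.2.53", False),
])

if __name__ == "__main__":
    print(parse_config(SAMPLE_CONFIG))
    print("serpent key:", extract_serpent_key(SAMPLE_CONFIG))
```

The bounds checks on offset and on the NUL search are there because a misparsed flag sends the pointer outside the blob; skipping such an entry keeps the walk going instead of raising on a bad slice.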

Now, with both the extracted RSA key and Serpent-CBC key, we can start decrypting the packets!

Functions for Decrypting Suspicious Packets

We’ll now write the final three functions we need to complete our malware traffic decrypter script. The decrypt_communication() function is fairly simple. First, we check to see if each packet in the list of suspicious packets is base64 encoded by checking for padding at the end.

image of decrypt communication function

If it is, we base64 decode it and store the last 64 bytes in a variable, which is then passed into RSA_Decrypt_Last_Block().

image of rsa decrypt last block function

The packet is then stripped of the last 64 bytes, as they are no longer needed. Then, the size returned by the RSA decrypt function is converted to an integer, and if it is less than 3000, the size is altered to be the full size of the packet. The reason for this is that on the smaller packet sent from the C2 server, the decryption script fails to decrypt the entirety of the data, so to fix this we can simply choose to decrypt the entire packet.

From there, we pass the data into Serpent_Decrypt_Packet(), which will decrypt the data and then MD5 hash it, comparing the resulting hash to the hash in the RSA decrypted block.

image of serpent decrypt packet function

Regardless of whether or not the hashes match, it will dump out the data to a file.
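The framing and validation logic of the three functions above, as an added example that is not the post’s code. The cipher steps are supplied by the caller as rsa_decrypt(trailer) and serpent_cbc_decrypt(key, data), since the real script uses the key pulled from the executable and the Serpent implementation the post links to; the demo_* functions below are a keyed XOR constructed only so the framing can be exercised offline and are not RSA or Serpent. The field order in the decrypted 64-byte block (16-byte Serpent key, 16-byte MD5, little-endian DWORD size) is assumed, since the page only shows it as an image.

```python
import base64
import binascii
import hashlib
import struct

TRAILER_LEN = 64           # the last 64 bytes of each response are RSA-encrypted
SMALL_PACKET_LIMIT = 3000  # below this the post decrypts the whole packet instead


def parse_last_block(plain):
    """Split the RSA-decrypted trailer into (serpent_key, md5, size).
    ASSUMED layout: 16-byte Serpent-CBC key, 16-byte MD5, LE DWORD size, padding."""
    return struct.unpack_from("<16s16sI", plain)


def is_base64(packet):
    """Stricter than the post's trailing '=' check: anything that is not
    canonical base64 (a stray binary chunk, for instance) is rejected."""
    try:
        base64.b64decode(packet, validate=True)
        return True
    except binascii.Error:
        return False


def decrypt_response(packet, rsa_decrypt, serpent_cbc_decrypt):
    """Recover one C2 response. Returns (plaintext, md5_matches), or None
    when the packet is not base64. Like the post's script, the data is
    returned whether or not the MD5 matches; the flag tells you which."""
    if not is_base64(packet):
        return None
    raw = base64.b64decode(packet, validate=True)
    if len(raw) <= TRAILER_LEN:
        return None
    body, trailer = raw[:-TRAILER_LEN], raw[-TRAILER_LEN:]
    key, expected_md5, size = parse_last_block(rsa_decrypt(trailer))
    if size < SMALL_PACKET_LIMIT:
        size = len(body)                # the post's workaround for short responses
    plain = serpent_cbc_decrypt(key, body)[:size]
    return plain, hashlib.md5(plain).digest() == expected_md5


# --- Constructed stand-ins (NOT RSA, NOT Serpent) so the framing runs offline.
def _xor(key, data):
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


DEMO_RSA_KEY = b"demo-rsa-stand-in"


def demo_rsa_decrypt(trailer):
    return _xor(DEMO_RSA_KEY, trailer)


def demo_serpent_cbc_decrypt(key, data):
    return _xor(key, data)


def build_demo_response(plaintext, serpent_key=b"0123456789abcdef"):
    """Build a response the way the C2 frames it: pad the body to 16-byte
    blocks, 'encrypt' it, append the 'RSA' block with key/MD5/size, base64 it."""
    padded = plaintext + b"\x00" * (-len(plaintext) % 16)
    body = _xor(serpent_key, padded)
    block = struct.pack("<16s16sI", serpent_key,
                        hashlib.md5(plaintext).digest(), len(plaintext))
    block = block.ljust(TRAILER_LEN, b"\x00")
    return base64.b64encode(body + _xor(DEMO_RSA_KEY, block))


def tamper(packet):
    """Flip one bit of the encrypted body: the MD5 check must then fail."""
    raw = base64.b64decode(packet, validate=True)
    return base64.b64encode(bytes([raw[0] ^ 1]) + raw[1:])


if __name__ == "__main__":
    sample = build_demo_response(b"A" * 3100)
    plain, ok = decrypt_response(sample, demo_rsa_decrypt, demo_serpent_cbc_decrypt)
    print(len(plain), "bytes, md5 ok:", ok)
```

The size field matters on large responses: CBC output is block-padded, so without truncating to the size from the trailer the MD5 would be computed over the padding too and never match. That is also why the post’s under-3000 fallback only works cleanly when the short response happens to fill whole blocks, which is worth remembering when a small packet reports a hash mismatch.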

Executing the Traffic Decrypter Script

Upon executing the script (as long as no issues are raised), the payloads should have successfully been dumped! 

Interestingly, one of the packets failed to decrypt, and performing an RSA decryption of the final 64 bytes yielded a strange result, completely different from the first decrypted packet. This could be due to it coming from a different sample of Ursnif, or to a parsing issue in my script, although in that case there would have been issues with the first and third packets as well, which there were not.

output of function

output of function 2

Wrapping Up…

So! That brings us to an end to this blog post. I hope you have been able to learn something new from it! If you are interested in trying to replicate this decrypter yourself, you can find the Python implementation of Serpent-CBC encryption/decryption here. If you’ve completed the traffic decrypter for this version of ISFB, why not try writing one for version 3? You’ll have to change up the extraction a bit as they use a more complex method of storing it, but it’ll be a good challenge!
