Takeaways from the $566M BriansClub breach

Reporting on the exposure of some 26 million stolen credit cards leaked from a top underground cybercrime store highlighted some persistent and hard truths. Most notably, that the world’s largest financial institutions tend to have a much better idea of which merchants and which bank cards have been breached than do the thousands of smaller banks and credit unions across the United States. Also, a great deal of cybercrime seems to be perpetrated by a relatively small number of people.

In September, an anonymous source sent KrebsOnSecurity a link to a nearly 10 gb set of files that included data for approximately 26 million credit and debit cards stolen from hundreds — if not thousands — of hacked online and brick-and-mortar businesses over the past four years.

The data was taken from BriansClub, an underground “carding” store that has (ab)used this author’s name, likeness and reputation in its advertising since 2015. The card accounts were stolen by hackers or “resellers” who make a living breaking into payment card systems online and in the real world. Those resellers then share the revenue from any cards sold through BriansClub.

KrebsOnSecurity shared a copy of the BriansClub card database with Gemini Advisory, a New York-based company that monitors BriansClub and dozens of other carding shops to learn when new cards are added and when existing inventory is removed (sold).

Gemini estimates that the 26 million cards — 46 percent credit cards and 54 percent debit cards — representing almost one-third of the existing 87 million credit and debit card accounts currently for sale in the underground.

“While many of these cards were added in previous years, more than 21.6 million will not expire until after October 2019, offering cybercriminal buyers ample opportunity to cash out these records,” Gemini wrote in an analysis of the BriansClub data shared with this author.

Cards stolen from U.S. residents made up the bulk of the data set (~24 million of the 26+ million cards), and as a result these far more plentiful cards were priced much lower than cards from banks outside the U.S. Between 2016 and 2019, cards stolen from U.S.-based bank customers fetched between $12.76 and $16.80 apiece, while non-U.S. cards were priced between $17.04 and $35.70 during the same period.

Image: Gemini Advisory.

Unfortunately for cybercrime investigators, the person who hacked BriansClub has not released (at least not to this author) any information about the BriansClub users, payments, vendors or resellers. [Side note: This hasn’t stopped an unscrupulous huckster from approaching several of my financial industry sources with unlikely offers of said data in exchange for bitcoin].

But the database does have records of which cards were sold and which resellers (identified only by a unique number) supplied those cards, Gemini found.

“While neither the vendor nor the buyer usernames appeared in this database, they were each assigned ID numbers,” Gemini wrote. “This allowed analysts to determine how prolific certain threat actors were on BriansClub and derive relevant metrics from this data.”

According to Gemini, there were 142 resellers and more than 50,000 buyers of the card data sold through BriansClub. These buyers purchased at least 9 million of the 27.2 million cards available.

Image: Gemini Advisory

One reseller in particular (ID: 174,829) offered just shy of 6 million records, posted for $106 million. Of those, almost 940,000 were sold, grossing over $16 million in profits shared between BriansClub and the reseller. In the quote below, a “base” refers to a distinct batch of freshly-stolen card data uploaded to BriansClub.

“For context, the collective price for the entirety of exposed BriansClub records was $566 million, while the total dollar amount of all sold records exceeded $162 million,” Gemini noted. “The top 20 buyers bought 5% of the entire set of records in this shop, while the top 100 buyers accounted for 11%. The shop had a total of 11,000 bases, with most vendors uploading multiple bases.”

Image: Gemini Advisory

All the 26 million+ card records leaked from BriansClub were shared with multiple trusted sources that work directly with financial institutions to inform them when their customers’ cards go up for sale in the cybercrime underground.

Banks at this point basically have three options. Ignore the report and hope for the best. Cancel the card and reissue. Or monitor the card more closely and place tighter fraud controls on that account.

But here’s the thing: Not all banks got the data at the same time. The larger banks got it first and largely shrugged. At least according to anti-fraud sources at two large U.S.-based financial institutions: Their anti-fraud teams had already identified 90-95 percent of the cards as potentially compromised in one of hundreds of breaches since 2015, mostly those involving malware inside point-of-sale retail checkout systems.

The sources I spoke with at smaller financial institutions found out about the cards they’d issued to customers that wound up in the BriansClub data by receiving alerts last week from Visa and MasterCard. Most of those sources seemed genuinely surprised at the number of cards exposed, and two sources at different credit unions each estimated they were previously unaware of about 80 percent of the cards listed in the alerts from the credit card companies.

Also, smaller financial institutions are far more likely to eat the cost of re-issuing cards at risk of fraudulent use than are larger institutions, which typically have much a higher tolerance for financial losses from counterfeit card fraud. So far, however, there is no evidence this flood of card data intelligence to the banking sector is causing much of stampede for re-issuing cards.

Visa maintains that smaller financial institutions receive the same alerts sent to larger banks about cards thought to be exposed in specific breaches. The alerts include cards specific to each bank, but smaller banks are often limited in the resources they have available to do much with the reported card data, aside from re-issuing the card.

Gemini CEO and co-founder Andrei Barysevich said so far the feedback from the banks has been all over the place.

“While the larger US banks told us that most of the cards have been previously flagged as compromised, the mid and small size financial institutions were caught completely off-guard,” he said. “As to the European and Asian banks, to them the data was mostly new, in some cases upwards of 60% of cards were still open and active.”

I thought perhaps the card associations could provide some meta-statistics on the BriansClub dump, but also those hopes were dashed. MasterCard did not respond to requests for comment. Visa declined to share any information related to the BriansClub database (even though they got it indirectly care of Yours Truly), but issued the following statement:

“As part of our core mission to ensure security across the payment system, we are very aware of carder forums and other criminal enterprises. Visa continuously invests in intelligence and technology to detect cyber threats and works with law enforcement, clients and other partners, to mitigate and disrupt such threats.

“Whenever we discover compromised account information, Visa uses its payment intelligence and investigative capabilities to determine the source. We also work with our financial institution clients to provide card issuers with the compromised account numbers so they can take steps to protect consumers through independent fraud monitoring and, if needed, by reissuing cards. Incidents such as these reinforce the need for secure technologies such as chip and tokenization to devalue account information so that even if stolen, data cannot be leveraged for fraud.””

Gemini found that exactly two-thirds of the stolen cards (66.6 percent) siphoned from BriansClub were Visa-branded, and 23 percent MasterCard. A full 85% of the total records were EMV (chip) enabled, with the remaining 15% using only a magnetic stripe.

One final note: Gemini report also challenges claims made by the administrator of BriansClub, namely that he removed the breached cards from his online store and that the data leak stemmed from a breach in February as his site’s data center.

The BriansClub admin, defending the honor of his stolen cards shop after a major breach.

“While the administrator of BriansClub, operating under the moniker ‘Brian Krebs,’ claimed that the breach took place in February 2019, this appears to be false,” Gemini observed in its report. “The number of records from South Korea corresponds to a previous spike in South Korean records that occurred from March 2019 through July 2019. If BriansClub were breached in February, the South Korean-issued cards would number under 10,000 rather than over 1 million.”

The report continues:

“This threat actor also claimed to have removed the compromised records from the shop. Gemini has found this claim to be false as well. Since BriansClub offers a ‘checker service’ for all purchased records to determine whether compromised payment cards are still open, it may be unnecessary to remove the cards. The shop likely assumes that even if the banks received the compromised card data from this breach, they are unlikely to close down and reissue every single card.”

How AdLoad macOS Malware Continues to Adapt & Evade

Incidents of the aggressive AdLoad macOS malware have been increasing over the last few months as the malware continues to evade built-in macOS security and many third-party security solutions. AdLoad is certainly not new; it’s been around in one form or another since at least late 2017, but the developers have continued to adapt not only to avoid detection on installation but also to resist attempts to remove their malware. In this post, we take a deeper look into how AdLoad adapts and evades many macOS AV solutions as well as discuss how to properly detect and remove AdLoad malware.

image of adload

What is AdLoad?

AdLoad is an aggressive adware infection that installs a Man-in-The-Middle web proxy to redirect user’s web traffic through the attacker’s own preferred servers. The aim is to hijack and redirect user’s web browsers for monetary gain.

AdLoad is a malware that installs under a variety of different names: Kreberisec, Apollo, Aphrodite SearchDaemon and many others. The names are not entirely random. Most follow a pattern along the lines of

SearchDaemon
Lookup
DataSearch
Results

or some combination thereof.

Some of the more recent names used include ‘ElementarySignalSearchDaemon’, ‘ArtemisSearchDaemon’, ‘GlobalQuestSearchDaemon’, ‘TrustedMacResultsSearchDaemon’, ‘NetSignalSearchDaemon’, ‘SimpleSearchAppDaemon’, ‘SearchQuestDaemon’ and – breaking the mould a little – ‘SearchQuest’ and ‘ResultSync’ among many others.

Here’s a partial list of some of the most common names circulating at the moment.

AphroditeLookup
AphroditeResults
ApolloSearch
ApolloSearchDaemon
ArtemisSearch
ArtemisSearchDaemon
ElementaryDataSearch
ElementarySignalSearchDaemon
FindData
GlobalConsoleSearch
GlobalQuestSearch
GlobalQuestSearchDaemon
Kreberisec
NetSignalSearchDaemon
ResultSync
SearchQuest
SearchQuestDaemon
SimpleFunctionSearch
SimpleSearchAppDaemon
TrustedMacResultsSearchDaemon
WebSearchStride

This malware has been known for some time, with at least two variants known to Apple’s XProtect definitions from November 2017 or earlier. Despite that, versions of AdLoad are still being reported in the wild by macOS users on Apple Support Communities forums.

image of asc complaints

Unfortunately for many macOS users, neither XProtect nor many other simple static engines detect it.

image of adload virustotal detection

This rule from Apple’s current XProtect definitions effectively requires the scanned binary to contain the string “getSafariVersion” in order to trigger a detection.

image of adload xprotect detection

image of hex to string translation

Alas, malware authors have long since refactored their code and current variants no longer contain that string. That breaks XProtect’s ability to detect the malware with the above rule, since the rule specifies that string as necessary, though not sufficient, for a detection.

In order to avoid simple static detections, the files have different hashes, though they are often of similar size.

image of AdLoad Hashes

Hitting on distinctive method names shows the files to be variants of the same malware:

Interestingly, XProtect’s “Mughthesec” definition gets closer to current AdLoad static signatures.

image of mughthesec

image of mughthesec yara rule

This definition requires, among other things, that the binary contains strings including the substring fallback as well as BerTaggedData. As we’ll see later, that suggests a close link between AdLoad and Mughthesec malware, but it still fails to catch the AdLoad malware which, while it does use BerTaggedData, it does not contain the substrings with fallback.

And clearly while static signature detections on BerTaggedObject and other static features of the binary might be good while they last, like Apple’s XProtect signatures they won’t last long. Malware authors will soon refactor once their success-to-detection rate starts to tumble in the wrong direction. We’ll see how to more effectively detect and protect against this kind of malware below.

AdLoad Dropped Files

Victims of AdLoad will find that the malware drops files in both some of the usual, easy to find places used by macOS malware as well as some much lesser known areas that can be hard to detect. The adware typically presents an authorization dialog that asks for an admin password. On collecting the password, the malware uses the credentials to drop a number of files in both the user and local computer domains. First, it will drop not only a LaunchAgent in the local user Library but also two LaunchDaemons in the local domain Library.

The following uses SearchQuest as the example name, but of course this may be replaced with any one of the names and patterns mentioned above.

First, the LaunchAgent is dropped at
/Users/aUser/Library/LaunchAgents/com.SearchQuest.plist

and targets the following executable in its Program Arguments:
/Users/aUser/Library/Application Support/com.SearchQuest/SearchQuest

Next, the first of two LaunchDaemons is dropped at
/Library/LaunchDaemons/com.SearchQuestDaemon.plist

which targets a corresponding item in:
/Library/Application Support/com.SearchQuestDaemon/SearchQuest

The second LaunchDaemon, in this example, lands here:
/Library/LaunchDaemons/com.SearchQuestP.plist

and targets a hidden item in /var/root:
/var/root/.SearchQuest/SearchQuestDaemon

This item itself calls a python script in the same folder:
/var/root/.SearchQuest/SearchQuest --mode socks5 --showhost -q -s /var/root/.SearchQuest/SearchQuest.py

image of running processes

SearchQuest is an instance of mitmpoxy, and is used here to run the python script SearchQuest.py in “quiet” mode in order to open a connection with a remote host.

image of mitmproxy

The SOCKS Proxy is enabled for localhost:8080 in Network Settings and is persistent across restarts.

AdLoad, a Malware That Doesn’t Give Up

AdLoad doesn’t stop with a LaunchAgent and two LaunchDaemons in its attempt to maintain persistence. It also installs a user cron job and an executable in a subfolder of the user’s Library Application Support folder. The sub folder has a UUID-like hex pattern of 8-4-4-4-12 characters, and the executable inside it has a name with a different UUID-like hex with the same 8-4-4-4-12 pattern.

This is just a random example, the UUID numbers are unique to each user and are likely used as part of campaign tracking.

30 */2 * * * /Users/aUser/Library/Application Support/712B5686-92B3-919D-DD36-13A5745D87D2/74C08AE4-8ACE-51CA-54F7-0ED0A530ECAA h >/dev/null 2>&1}

This code runs every 2hrs and 30 minutes. The target of the cronjob is a Macho executable that imports Apple’s JavaScriptCore framework, which allows the binary to evaluate JavaScript scripts and likewise make available native objects, methods and functions to the JavaScript environment.

Optional Extras: AdLoad & Friends

In every infection I’ve seen of this malware to date, there’s always a number of others that appear to be brought along to the party. Tests in both VMs and ‘bare metal’ lab machines have proved inconclusive to date as to whether these additional installations are payloads directly dropped by AdLoad itself or are subsequent infections. We have seen a number of cases where a Pay-per-Install PUP installer delivers adware, which in turn delivers other PPI installers and further adware. The ties between the players in this game of monetizing unwanted downloads and browser hijacks seem to be becoming increasingly closer.

Adding to the variance in what gets installed is the way campaigns tailor payloads depending on local settings, which are usually harvested at install time. These include the geolocation of the victim, device make and model, operating system version and language settings.

Nevertheless, AdLoad is often frequently found alongside other adware/PUP installations variously known as “Mughthesec”, “SurfBuyer”, “Souter”, “MyShopcoupon”, “MMInstall” and “MMProt”. All use a similar infection mechanism, which begins with a redirect to a scam website that invites the user to download a “needed” Flash Player or other media player component. These are typically unsigned and the user is provided instructions on how to open the application by bypassing Apple’s built-in Gatekeeper and XProtect safeguards.

image of installer

Other IOCs to watch out for that we’ve seen on some occasions with this threat, albeit not consistently for reasons mentioned above, are

  1. modified sudoers file
  2. installation of the attackers SSH known_hosts key in ~/.ssh
  3. A configuration Profile to lock down browser settings (in System Preferences > Profiles)
  4. Browser extensions such as “AnySearch”, “SearchIt” and similar names
  5. Creation of folder /User/aUser/Applications and malicious files dropped therein

Detecting and Protecting Against AdLoad

SentinelOne customers are protected against AdLoad, which is detected as a threat and blocked when it tries to execute – regardless of how the malware is coded internally – as the AI behavioral engine detects the malicious behaviour rather than relies on static signatures.

For those who are not yet protected by SentinelOne, manual removal may be something of a race against time. With multiple persistence agents – launch agents, daemons, cron jobs and processes running in memory out of /var/root – it can sometimes take several attempts to beat all of these before one of them manages to re-write the deleted components back to disk. Somewhat like the malware itself, however, persistence does pay off. As long as you have identified all the malicious processes and persistence agents, repeatedly removing them will eventually beat the race.

Conclusion

We have seen an increasing number of reports of attempted AdLoad infections and increasing concern among macOS users. AdLoad is extremely difficult to remove for individual users, and even some 3rd party solutions that detect it after-the-fact are unable to outrun the malware’s multiple persistence mechanisms. Hopefully, this post has provided some insight in how to detect and remove the AdLoad malware. If you’d like to see how SentinelOne can autonomously protect your Mac users from this kind of threat, please contact us for a free demo.


Like this article? Follow us on LinkedIn, Twitter, YouTube or Facebook to see the content we post.

Read more about Cyber Security

Stealthy search startup Searchable.ai snags $2M seed

Searchable.ai wants to solve an old problem around search in the enterprise. The stealthy startup announced a $2 million seed round.

Defy Partners led the round with a slew of other participants, including Paul English, co-founder of Kayak; Wayne Chang, co-founder of Crashlytics; Brian Halligan, co-founder and CEO of HubSpot; Jonathan Kraft, president and COO of the Kraft Group and the New England Patriots; MIT Prof. Edward Roberts; Eric Dobkin, founder and chairman emeritus of Goldman Sachs Global Equity Capital Markets; and Susquehanna International Group.

The prestigious group of investors saw that Searchable.ai is trying to solve a big problem around findability. Company co-founder Brian Shin says that knowledge workers have been struggling for years trying to find a way to better utilize all of the information that exists within an organization.

“The problem we’re really solving is that there are a trillion documents created every year in Microsoft Office, Google Docs, etc., and it’s really difficult if you’re a knowledge worker to find what you need in terms of either a document, an asset like a slide or worksheet within a document or the actual answer to a question that you have,” Shin said.

The questioning part could be particularly valuable because it lets you ask a natural language question and find a specific piece of information within a document, rather than just the document itself. “Let’s say you have a giant spreadsheet, you could actually ask a question of all your spreadsheets and find the atomic unit of knowledge that you’re actually looking for,” he said.

The product itself is not quite ready for the big reveal, but if it works as described, it will be a huge boost to knowledge workers who have continually struggled to find a nugget of information they know is out there across the myriad documents in an organization.

Shin is an experienced entrepreneur who has helped launch and sell three companies. He reports he has raised $100 million in venture capital and most recently has worked as a venture capitalist himself, but he saw this opportunity and decided to jump back into the development side of things.

He admits he’s giving up a lot to go back to the startup lifestyle, but he and his co-founders decided this was worth it. “You know the draw, the compulsion to do another startup is is really what this is about. So my three other colleagues and I have have all started companies before and we’re all giving up big jobs to do this, and I’m so excited about the team and the massive opportunity.”

He promised more details about the company and the solution would be coming early next year.

Kandji announces $3.375M seed for sophisticated Apple MDM solution

Kandji, a new Apple MDM solution that promises to go far beyond Apple’s base MDM protocol and other solutions on the market, emerged from stealth today with a $3.375 million seed investment. The product is also publicly available for the first time starting today.

The round, which closed in March, was led by First Round Capital with help from Webb Investment Network, Lee Fixel, John Glynn and other unnamed investors.

Company co-founder and CEO Adam Pettit says the company’s founders have a deep knowledge in Apple. They all worked at Apple before leaving to run an Apple IT consultancy for more than 10 years.

He said that while they were at the consultancy, they developed a proprietary stack of tools to help with highly sophisticated Apple device deployments at large organizations, and it occurred to them that there was an unserved market opportunity to turn that knowledge into a new product.

Two years ago they sold the consultancy, took that knowledge and built Kandji from the ground up. Pettit says the new product gives customers access to a set of management tools that they would have charged six figures to implement at that their old firm.

One of the key differentiators between Kandji and other MDM solutions, or even Apple’s base MDM functionality, is a set of one-click compliance tools. “We’re the only product that has almost 200 of these one-click policy frameworks we call parameters. So an organization can go in and browse by compliance framework, or we have pre-built templates for companies that don’t necessarily have a specific compliance mandate in mind,” he said.

The parameters have all of the tools built-in to automatically deploy a set of policies related to a given compliance framework without having to go through and manually set all of those different switches yourself. On the flip side, if you want to get granular and create your own parameters, you can do that too.

He says one of the reasons he and his partners were willing to give up the big-dollar consultancy was because they saw a huge opportunity for firms that couldn’t afford those kind of services, but still had relatively large Apple device deployments. “I mean there’s a big need outside of just the specific kind of sophisticated compliance work we would do [at our previous firm]. We saw this big need in general for an Apple MDM solution like ours,” he said.

After selling their previous firm, the founders bootstrapped for a year while they developed the initial version of Kandji before seeking funding. Today, the company has 16 employees and a set of initial customers that have been testing the product.

Even after Microsoft wins, JEDI saga could drag on

The DoD JEDI contract saga came to a thrilling conclusion on Friday afternoon, appropriately enough, with one final plot twist. The presumptive favorite, Amazon, did not win, stunning many, including likely the company itself. In the end, Microsoft took home the $10 billion prize.

This contract was filled with drama from the beginning, given the amount of money involved, the length of the contract, the winner-take-all nature of the deal — and the politics. We can’t forget the politics. This was Washington after all, and Jeff Bezos does own The Washington Post.

Then there was Oracle’s fury throughout the procurement process. The president got involved in August. The current defense secretary recused himself on Wednesday, two days before the decision came down. It was all just so much drama, even the final decision itself, handed down late Friday afternoon — but it’s unclear if this is the end or just another twist in this ongoing tale.

Some perspective on $10 billion

Before we get too crazy about Microsoft getting a $10 billion, 10-year contract, consider that Amazon earned $9 billion last quarter alone in cloud revenue. Microsoft reported $33 billion last quarter in total revenue. It reported around $11 billion in cloud revenue. Synergy Research pegs the current cloud infrastructure market at well over $100 billion annually (and growing).

What we have here is a contract that’s worth a billion a year. What’s more, it’s possible it might not even be worth that much if the government uses one of its out clauses. The deal is actually initially guaranteed for just two years. Then there are a couple of three-year options, with a final two-year option at the end if it gets that far.

The DOD recognized that with the unique nature of this contract, going with a single vendor, it wanted to keep its options open should the tech world shift suddenly under its feet. It didn’t want to be inextricably tied to one company for a decade if that company was suddenly disrupted by someone else. Given the shifting sands of technology, that part of the strategy was a wise one.

Where the value lies

If the value of this deal was not the contract itself, it begs the question, why did everyone want it so badly? The $10 billion JEDI deal was simply a point of entree. If you could modernize the DoD’s infrastructure, the argument goes, chances are you could do the same for other areas of the government. It could open the door for Microsoft for a much more lucrative government cloud business.

But it’s not as though Microsoft didn’t already have a lucrative cloud business. In 2016, for example, the company signed a deal worth almost a billion dollars to help move the entire department to Windows 10. Amazon too, has had its share of government contracts, famously landing the $600 million to build the CIA’s private cloud.

But given all the attention to this deal, it always felt a little different from your standard government contract. Just the fact the DoD used a Star Wars reference for the project acronym drew more attention to the project from the start. Therefore, there was some prestige for the winner of this deal, and Microsoft gets bragging rights this morning, while Amazon is left to ponder what the heck happened. As for other companies like Oracle, who knows how they’re feeling about this outcome.

Hell hath no fury like Oracle scorned

Ah yes, Oracle; this tale would not be complete without discussing the rage of Oracle throughout the JEDI RFP process. Even before the RFP process started, they were complaining about the procurement process. Co-CEO Safra Catz had dinner with the president to complain that the contract process wasn’t fair (not fair!). Then it tried complaining to the Government Accountability Office. They found no issue with the process.

They went to court. The judge dismissed their claims that involved both the procurement process and that a former Amazon employee, who was hired by the DoD, was involved in the process of creating the RFP. They claimed that the former employee was proof that the deal was tilted toward Amazon. The judge disagreed and dismissed their complaints.

What Oracle could never admit was that it simply didn’t have the same cloud chops as Microsoft and Amazon, the two finalists. It couldn’t be that they were late to the cloud or had a fraction of the market share that Amazon and Microsoft had. It had to be the process or that someone was boxing them out.

What Microsoft brings to the table

Outside of the politics of this decision (which we will get to shortly), Microsoft brought to the table some experience and tooling that certainly gave it some advantage in the selection process. Until we see the reasons for the selections, it’s hard to know exactly why the DoD chose Microsoft, but we know a few things.

First of all there are the existing contracts with the DoD, including the aforementioned Windows 10 contract and a five-year $1.76 billion contract with DoD Intelligence to provide “innovative enterprise services” to the DoD.

Then there is Azure Stack, a portable private cloud stack that the military could stand up anywhere. It could have great utility for missions in the field when communicating with a cloud server could be problematic.

Fool if you think it’s over

So that’s that right? The decision has been made and it’s time to move on. Amazon will go home and lick its wounds. Microsoft gets bragging rights and we’re good. Actually, this might not be where it ends at all.

Amazon, for instance, could point to Jim Mattis’ book where he wrote that the president told the then Defense Secretary to “screw Bezos out of that $10 billion contract.” Mattis says he refused, saying he would go by the book, but it certainly leaves the door open to a conflict question.

It’s also worth pointing out that Jeff Bezos owns The Washington Post and the president isn’t exactly in love with that particular publication. In fact, this week, the White House canceled its subscription and encouraged other government agencies to do so as well.

Then there is the matter of current Defense Secretary Mark Espers suddenly recusing himself last Wednesday afternoon based on a minor point that one of his adult children works at IBM (in a non-cloud consulting job). He claimed he wanted to remove any hint of conflict of interest, but at this point in the process, it was down to Microsoft and Amazon. IBM wasn’t even involved.

If Amazon wanted to protest this decision, it seems it would have much more solid ground to do so than Oracle ever had. An Amazon spokesperson would only say that the company “was keeping its options open.”

The bottom line is a decision has been made, at least for now, but this process has been rife with controversy from the start, just by the design of the project, so it wouldn’t be surprising to see Amazon take some protest action of its own. It seems oddly appropriate.

The Good, the Bad and the Ugly in Cybersecurity – Week 43

Image of The Good, The Bad & The Ugly in CyberSecurity

The Good

Upgrading legacy systems is a huge headache. Anyone involved in IT and systems engineering knows that. People involved in such processes are so reluctant to upgrade working (albeit ageing) systems that organizations hold on to legacy systems for years. When the systems in question manage the launch of nuclear missiles, the concerns are of different magnitude. That’s why we were delighted to learn that the US Airforce will stop using Floppy Disks for nuclear launch coordination. The Airforce currently uses an 8-inch floppy disks in a ’70s computer to receive orders from the President. According to the U.S. military, this antiquated system has been replaced by a “highly-secure solid-state digital storage solution.”

Anyone one who is old enough to remember the utter misery of working with these antiquated storage devices must be delighted that such a sensitive system is no longer reliant on 1980’s technology.

image of command data center

The Bad

The famous saying “there’s no honor among thieves” is apparently true for cyber espionage groups. The combined efforts of the UK National Cyber Security Centre (NCSC) and the NSA revealed that a Russian APT group “piggybacked” an Iranian APT infrastructure and tools to target 35 countries in an effort to obtain sensitive information. The APT group, nicknamed “Turla”, “Waterbug” or “VENOMOUS BEAR”, regularly collects information by targeting government, military, technology, energy and commercial entities.

Their latest trick involved the reuse of Iranian tools and infrastructure to disguise the origin of their activity. This is a dangerous step in the already escalating cyber warfare domain – the fact that one nation can masquerade as another can trigger a series of cyber operations that may lead to a kinetic conflict.

image of NSA cyber security centre

The Ugly

No one can afford to be lax on security, particularly companies that offer security-related services. That is the reality of doing business nowadays. But for a security-related company to get hacked and to delay disclosing the information to its clients for more than a year and a half is dismal.  

NordVPN, a virtual private network provider that promises to “protect your privacy online,” was breached back in March 2018.

“One of the data centers in Finland we are renting our servers from was accessed with no authorization,” a NordVPN spokesperson said.

The breach was the result of hackers exploiting an insecure remote-management system that administrators of a Finland-based data center installed on a server NordVPN leased. The breach was made public in a series of Tweets, exposing the fact that NordVPN keys had leaked.  

image of nord vpn breach

Although the company insists that no personal information was compromised, a log suggests that the hackers had root access, meaning they had almost complete control over the server and could read or modify just about any data stored on it.

In addition, it seems that two additional VPN services, TorGuard and VikingVPN, also experienced breaches that leaked encryption keys. 

These types of incidents raise serious concerns about the vendor’s credibility – were they aware of the hack but opted to keep that a secret? Or were they unaware of it for so long? Even worse, this is a service billed as one providing greater security and privacy for their customers, and it seems they did not deliver on their promise.  


Like this article? Follow us on LinkedIn, Twitter, YouTube or Facebook to see the content we post.

Read more about Cyber Security

How TrickBot Hooking Engine Targets Windows 10 Browsers

The Zero2Hero malware course continues with Vitali Kremez revealing how TrickBot’s hooking engine targets Chrome, Firefox, Explorer and Edge in Windows 10

image of trickbot hooking engine

Background & Summary

TrickBot banking malware remains one of the more interesting and continually developing malware on the financial crimeware landscape. It employs multiple means and methods to exploit compromised machines of interest. The focus of this post is to cover in-depth some of its Windows 10 Microsoft Edge and other browser hooking engine functionality. We will focus on the internals, and how TrickBot leverages these browsers to set up hooks for API calls of interest. The ultimate goal of the malware browser hooking is predominantly to intercept online banking credentials before they become SSL encrypted. The stolen credentials can subsequently be used for account takeover (ATO) fraud.

image of trickbot hooking

Since Windows 10 came with a new browser, “Microsoft Edge”, TrickBot operators needed their banking malware to operate on that software. To implement form-grabbing and web injections in the Windows 10 Edge browser, TrickBot’s rogue rtlbroker hooks the microsoftedgecp.exe process. Normally, runtimebroker.exe is the parent process of the Microsoft Edge browser on Windows 10 machines. 

TrickBot Browser Process Injection Technique “Reflective Loader”

In order to hook browser functions, TrickBot malware injects the payload into the browser of choice via the so-called “ReflectiveLoader” methodology. 

The TrickBot process injection function targets four browsers from Microsoft Edge to Google Chrome and one Microsoft Edge related process.

image of trickbot browser injection

TrickBot injects the malware targeting the following processes:

  • chrome.exe
  • iexplore.exe
  • firefox.exe
  • microsoftedgecp.exe
  • runtimebroker.exe

The malware also “relaxes” browser security and write changes files locally before injection occurs.

image browser target

TrickBot’s reflective injection works as follows:

  • Open target process and allocate memory address in remote process via VirtualAllocEx
  • Copy function WriteProcessMemory into the allocated memory space
  • Copy shellcode WriteProcessMemory into the allocated memory space
  • Call FlushInstructionCache API to make sure our changes are written right away
  • Call inject RemoteThread function call
  • Call ResumeThread
  • Else, call undocumented API function RtlCreateUserThread to start execution in the remote process, using the offset address of the reflective loader function as the entry point.

TrickBot Hooking Engine

When the TrickBot banker hooks the API function, it enters the new hooked one and checks to make sure the process is microsoftedgecp.exe while passing control to the original one when the hooked function concludes.

image of trickbot create hook main function

The basic TrickBot banking API hooking template is as follows:

"CreateHook_API" Function Template ->

{ int CreateHook_API(LPCSTR DLL_name, int original_function_name,

	int myHook_function,	int address_of_original_function) }


By and large, TrickBot hooking engine works via overwriting the basic API with the redirect functions with the 0xe9 opcode, which is the call for a jump with 32-bit relative offset. TrickBot uses a trampoline function and the write hook call with the VirtualProtectEx API to make sure that the function has the 0x40 (PAGE_EXECUTE_READWRITE) property. Additionally, it attempts to conceal detection of this hooking technique via prepending NOP and/or RETN.

The exact TrickBot hook pseudo-code is as follows:

////////////////////////////////////////////////////////////////////
/////////////// TrickBot Hook Install Function ///////////////////////
///////////////////////////////////////////////////////////////////
signed int __cdecl TrickBot_Hook_Install(int myHook_function, int *function_address)
{
	char *original_function;
	char *current_func_id_thread;
	int v5;
	char jump_len;
	signed int result;
	SIZE_T v8;
	void *trampoline_lpvoid;
	int v10;
	int v11;
	unsigned __int8 jmp_32_bit_relative_offset_opcode;
	int relative_offset;
	DWORD flOldProtect;
	original_function = func_name;
	current_func_id_thread = func_name + 0x24;
	iter_func(func_name + 0x24, 0x90, 0x23);
	if ( function_address )		// Attempts to prepend "0x90" (nop) or "0xC3" (retn) to jump length to avoid basic hooking detect
		jump_len = walker_byte_0(*(_BYTE **)(original_function + 1), (int)current_func_id_thread, v5);
	else
		jump_len = 5;		// jump_length_trampoline -> 5

	original_function[5] = jump_len;

	if ( !jump_len )
		goto LABEL_12;		// Setting up the trampoline buffer
		write_hook_iter((int)(original_function + 6), *(_BYTE **)(original_function + 1), (unsigned __int8)jump_len);

	if ( function_address )
		*function_address = (int)current_func_id_thread;
	
	relative_offset = myHook_function - *(_DWORD *)(original_function + 1) - 5;
	v8 = (unsigned __int8)original_function[5];
	trampoline_lpvoid = *(void **)(original_function + 1);
	jmp_32_bit_relative_offset_opcode = 0xE9u;		// "0xE9" -> opcode for a jump with a 32bit relative offset

	if ( VirtualProtectEx((HANDLE)0xFFFFFFFF, trampoline_lpvoid, v8, 0x40u, &flOldProtect) )	// Set up the function for "PAGE_EXECUTE_READWRITE" w/ VirtualProtectEx
	{
		v10 = *(_DWORD *)(original_function + 1);
		v11 = (unsigned __int8)original_function[5] - (_DWORD)original_function - 0x47;
		original_function[66] = 0xE9u;
		*(_DWORD *)(original_function + 0x43) = v10 + v11;
		write_hook_iter(v10, &jmp_32_bit_relative_offset_opcode, 5); // -> Manually write the hook
		VirtualProtectEx(		// Return to original protect state
			(HANDLE)0xFFFFFFFF,
			*(LPVOID *)(original_function + 1),
			(unsigned __int8)original_function[5],
			flOldProtect,
			&flOldProtect);
	result = 1;


For instance, TrickBot malware sets up its own custom myCreateProcessA function prototype after the hook on CreateProcessA. The idea is to catch any instance of microsoftedgecp.exe execution to intercept it for subsequent injection. This function ultimately returns the flow back to CreateProcessA after intercepting and collecting necessary process execution information.

image hooked process

The following four API calls being hooked are in the child Microsoft Edge via rogue rtlbroker.dll, allowing TrickBot operators to intercept and manipulate Microsoft Edge calls:

  • CreateProcess
  • CreateProcessW
  • CreateProcessAsUserA
  • CreateProcessAsUserW

TrickBot hooks Internet Explorer and Microsoft Edge in wininet.dll library API calls:

  • HttpSendRequestA
  • HttpSendRequestW
  • HttpSendRequestExA
  • HttpSendRequestExW
  • InternetCloseHandle
  • InternetReadFile
  • InternetReadFileExA
  • InternetQueryDataAvailable
  • HttpQueryInfoA
  • InternetWriteFile
  • HttpEndRequestA
  • HttpEndRequestW
  • InternetQueryOptionA
  • InternetQueryOptionW
  • InternetSetOptionA
  • InternetSetOptionW
  • HttpOpenRequestA
  • HttpOpenRequestW
  • InternetConnectA
  • InternetConnectW 

The malware hooks Mozilla Firefox Browser in nspr4.dll library API calls:

  • PR_OpenTCPSocket
  • PR_Connect
  • PR_Close
  • PR_Write
  • PR_Read 

It hooks Chrome in chrome.dll library API calls:

  • ssl_read
  • ssl_write

Reference

injectDll32.dll C546D40D411D0F0BB7A1C9986878F231342CDF8B
rtlbrokerDll.dll 0785D0C5600D9C096B75CC4465BE79D456F60594
testnewinj32Dll.dll D5F98BFF5E33A86B213E05344BD402350FC5F7CD

Like this article? Follow us on LinkedIn, Twitter, YouTube or Facebook to see the content we post.

Read more about Cyber Security

Cybersecurity automation startup Tines scores $4.1M Series A led by Blossom Capital

Tines, a Dublin-based startup that lets companies automate aspects of their cybersecurity, has raised $4.1 million in Series A funding. Leading the round is Blossom Capital, the venture capital firm co-founded by ex-Index Ventures and LocalGlobe VC Ophelia Brown.

Founded in February 2018 by ex-eBay, PayPal and DocuSign security engineer Eoin Hinchy, who was subsequently joined by former eBay and DocuSign colleague Thomas Kinsella, Tines automates many of the repetitive manual tasks faced by security analysts so they can focus on other high-priority work. The pair have bootstrapped the company until now.

“It was while I was at DocuSign that I felt there was a need for a platform like Tines,” explains Hinchy. “We had a team of really talented engineers in charge of incident response and forensics but they weren’t developers. I found they were doing the same tasks over and over again so I began looking for a platform to automate these repetitive tasks and didn’t find anything. Certainly nothing that did what we needed it to, so I came up with the idea to plug this gap in the market.”

To that end, Tines lets companies automate parts of their manual security processes with the help of six software “agents,” with each acting as a multipurpose building block. Therefore, regardless of the process being automated, it only requires combinations of these six agent types configured in different ways to replicate a particular workflow.

“I wanted there to be as few agent types as possible, to simplify the system, and I haven’t discovered a workflow in which tasks sit outside of these agents yet,” says Hinchy. “Once a customer signs up they can start automating their own workflows immediately, and most of our customers see value from day one. If they need a hand, my team works with them to establish how they currently manually carry out tasks, such as identifying and dealing with a phishing attack. Each step of dealing with the attack — from cross-checking the email address with trusted contacts or a blacklist, to scanning attachments for viruses or examining URLs — will be performed by one of the six agent types. This means we can assign these tasks to an agent to create the workflow, or as we call it, the “story.”

So, for example, once a phishing email triggers the first agent, the following steps in the “story” are automatically carried out. In this way, Tines might be described as akin to IFTTT, “but an exceptionally powerful, enterprise version of the IFTTT concept, designed to manage much more complex workflows.”

Competitors are cited as Phantom, which last year was acquired by Splunk, and Demisto, which was bought by Palo Alto Networks. However, Hinchy argues that a key differentiator is that Tines doesn’t rely on pre-built integrations to interact with external systems. Instead, he says the software is able to plug in to any system that has an API.

Meanwhile, Tines says it will use the new funding to hire engineers in Dublin who can help improve the platform through R&D, as well as grow its customer base with companies in the U.S. and in Europe. Notably, the startup plans to expand beyond cybersecurity automation, too.

“Our background is in security, so with Tines, we’ve initially focused on helping security teams automate their repetitive, manual processes,” says Hinchy. “What makes us different is that nowhere does it say we can’t expand beyond this, to help other teams and sectors automate tasks. The advantage of our direct-integration model is that Tines doesn’t care if you’re talking to a security tool, HR system or CRM, it treats them the same. In the next 18 months, we plan to expand Tines outside security, hire more talent and increase the product team from 8 to 20.”

Grafana Labs nabs $24M Series A for open source-based data analytics stack

Grafana Labs, the commercial company built to support the open-source Grafana project, announced a healthy $24 million Series A investment today. Lightspeed Venture Partners led the round with participation from Lead Edge Capital.

Company CEO and co-founder Raj Dutt says the startup started life as a way to offer a commercial layer on top of the open-source Grafana tool, but it has expanded and now supports other projects, including Loki, an open-source monitoring tool not unlike Prometheus, which the company developed last year.

All of this in the service of connecting to data sources and monitoring data. “Grafana has always been about connecting data together no matter where it lives, whether it’s in a proprietary database, on-prem database or cloud database. There are over 42 data sources that Grafana connects together,” Dutt explained.

But the company has expanded far beyond that. As it describes the product set, “Our products have begun to evolve to unify into a single offering: the world’s first composable open-source observability platform for metrics, logs and traces. Centered around Grafana.” This is exactly where other monitoring and logging tools like Elastic, New Relic and Splunk have been heading this year. The term “observability” is a term that’s been used often to describe these combined capabilities of metrics, logging and tracing.

Grafana Labs is the commercial arm of the open-source projects, and offers a couple of products built on top of these tools. First of all it has Grafana Enterprise, a package that includes enterprise-focused data connectors, enhanced authentication and security and enterprise-class support over and above what the open-source Grafana tool offers.

The company also offers a SaaS version of the Grafana tool stack, which is fully managed and takes away a bunch of the headaches of trying to download raw open-source code, install it, manage it and deal with updates and patches. In the SaaS version, all of that is taken care of for the customer for a monthly fee.

Dutt says the startup took just $4 million in external investment over the first five years, and has been able to build a business with 100 employees and 500 customers. He is particularly proud of the fact that the company is cash flow break-even at this point.

Grafana Labs decided the time was right to take this hefty investment and accelerate the startup’s growth, something they couldn’t really do without a big cash infusion. “We’ve seen this really virtuous cycle going with value creation in the community through these open-source projects that builds mind share, and that can translate into building a sustainable business. So we really want to accelerate that, and that’s the main reason behind the raise.”

Stewart Butterfield says Microsoft sees Slack as existential threat

In a wide ranging interview with The Wall Street Journal’s global technology editor Jason Dean yesterday, Slack CEO and co-founder Stewart Butterfield had some strong words regarding Microsoft, saying the software giant saw his company as an existential threat.

The interview took place at the WSJ Tech Live event. When Butterfield was asked about a chart Microsoft released in July during the Slack quiet period, which showed Microsoft Teams had 13 million daily active users compared to 12 million for Slack, Butterfield appeared taken aback by the chart.

Microsoft Teams chart

Chart: Microsoft

“The bigger point is that’s kind of crazy for Microsoft to do, especially during the quiet period. I had someone say it was unprecedented since the [Steve] Ballmer era. I think it’s more like unprecedented since the Gates’ 98-99 era. I think they feel like we’re an existential threat,” he told Dean.

It’s worth noting, that as Dean pointed out, you could flip that existential threat statement. Microsoft is a much bigger business with a trillion-dollar market cap versus Slack’s $400 million. It also has the benefit of linking Microsoft Teams to Office 365 subscriptions, but Butterfield says the smaller company with the better idea has often won in the past.

For starters, Butterfield noted that of his biggest customers, more than two-thirds are actually using Slack and Office 365 in combination. “When we look at our top 50 biggest customers, 70% of them are not only Office 365 users, but they’re Office 365 users who use the integrations with Slack,” he said.

He went on to say that smaller companies have taken on giants before and won. As examples, he held up Microsoft itself, which in the 1980s was a young upstart taking on established players like IBM. In the late 1990s, Google prevailed as the primary search engine in spite of the fact that Microsoft controlled most of the operating system and browser market at the time. Google then tried to go after Facebook with its social tools, all of which have failed over the years. “And so the lesson we take from that is, often the small startup with real traction with customers has an advantage versus the large incumbent with multiple lines of business,” he said.

When asked by Dean if Microsoft, which ran afoul with the Justice Department in the late 1990s, should be the subject of more regulatory scrutiny for its bundling practices, Butterfield admitted he wasn’t a legal expert, but joked that it was “surprisingly unsportsmanlike conduct.” He added more seriously, “We see things like offering to pay companies to use Teams and that definitely leans on a lot of existing market power. Having said that, we have been asked many times, and maybe it’s something we should have looked at, but we haven’t taken any action.”