The Good, the Bad and the Ugly in Cybersecurity – Week 43

/0 Comments/in /by

Image of The Good, The Bad & The Ugly in CyberSecurity

The Good

Upgrading legacy systems is a huge headache. Anyone involved in IT and systems engineering knows that. People involved in such processes are so reluctant to upgrade working (albeit ageing) systems that organizations hold on to legacy systems for years. When the systems in question manage the launch of nuclear missiles, the concerns are of different magnitude. That’s why we were delighted to learn that the US Airforce will stop using Floppy Disks for nuclear launch coordination. The Airforce currently uses an 8-inch floppy disks in a ’70s computer to receive orders from the President. According to the U.S. military, this antiquated system has been replaced by a “highly-secure solid-state digital storage solution.”

Anyone one who is old enough to remember the utter misery of working with these antiquated storage devices must be delighted that such a sensitive system is no longer reliant on 1980’s technology.

image of command data center

The Bad

The famous saying “there’s no honor among thieves” is apparently true for cyber espionage groups. The combined efforts of the UK National Cyber Security Centre (NCSC) and the NSA revealed that a Russian APT group “piggybacked” an Iranian APT infrastructure and tools to target 35 countries in an effort to obtain sensitive information. The APT group, nicknamed “Turla”, “Waterbug” or “VENOMOUS BEAR”, regularly collects information by targeting government, military, technology, energy and commercial entities.

Their latest trick involved the reuse of Iranian tools and infrastructure to disguise the origin of their activity. This is a dangerous step in the already escalating cyber warfare domain – the fact that one nation can masquerade as another can trigger a series of cyber operations that may lead to a kinetic conflict.

image of NSA cyber security centre

The Ugly

No one can afford to be lax on security, particularly companies that offer security-related services. That is the reality of doing business nowadays. But for a security-related company to get hacked and to delay disclosing the information to its clients for more than a year and a half is dismal.  

NordVPN, a virtual private network provider that promises to “protect your privacy online,” was breached back in March 2018.

“One of the data centers in Finland we are renting our servers from was accessed with no authorization,” a NordVPN spokesperson said.

The breach was the result of hackers exploiting an insecure remote-management system that administrators of a Finland-based data center installed on a server NordVPN leased. The breach was made public in a series of Tweets, exposing the fact that NordVPN keys had leaked.  

image of nord vpn breach

Although the company insists that no personal information was compromised, a log suggests that the hackers had root access, meaning they had almost complete control over the server and could read or modify just about any data stored on it.

In addition, it seems that two additional VPN services, TorGuard and VikingVPN, also experienced breaches that leaked encryption keys. 

These types of incidents raise serious concerns about the vendor’s credibility – were they aware of the hack but opted to keep that a secret? Or were they unaware of it for so long? Even worse, this is a service billed as one providing greater security and privacy for their customers, and it seems they did not deliver on their promise.  

Like this article? Follow us on LinkedIn, Twitter, YouTube or Facebook to see the content we post.

Read more about Cyber Security

How TrickBot Hooking Engine Targets Windows 10 Browsers

/0 Comments/in /by

The Zero2Hero malware course continues with Vitali Kremez revealing how TrickBot’s hooking engine targets Chrome, Firefox, Explorer and Edge in Windows 10

image of trickbot hooking engine

Background & Summary

TrickBot banking malware remains one of the more interesting and continually developing malware on the financial crimeware landscape. It employs multiple means and methods to exploit compromised machines of interest. The focus of this post is to cover in-depth some of its Windows 10 Microsoft Edge and other browser hooking engine functionality. We will focus on the internals, and how TrickBot leverages these browsers to set up hooks for API calls of interest. The ultimate goal of the malware browser hooking is predominantly to intercept online banking credentials before they become SSL encrypted. The stolen credentials can subsequently be used for account takeover (ATO) fraud.

image of trickbot hooking

Since Windows 10 came with a new browser, “Microsoft Edge”, TrickBot operators needed their banking malware to operate on that software. To implement form-grabbing and web injections in the Windows 10 Edge browser, TrickBot’s rogue rtlbroker hooks the microsoftedgecp.exe process. Normally, runtimebroker.exe is the parent process of the Microsoft Edge browser on Windows 10 machines. 

TrickBot Browser Process Injection Technique “Reflective Loader”

In order to hook browser functions, TrickBot malware injects the payload into the browser of choice via the so-called “ReflectiveLoader” methodology. 

The TrickBot process injection function targets four browsers from Microsoft Edge to Google Chrome and one Microsoft Edge related process.

image of trickbot browser injection

TrickBot injects the malware targeting the following processes:

  • chrome.exe
  • iexplore.exe
  • firefox.exe
  • microsoftedgecp.exe
  • runtimebroker.exe

The malware also “relaxes” browser security and write changes files locally before injection occurs.

image browser target

TrickBot’s reflective injection works as follows:

  • Open target process and allocate memory address in remote process via VirtualAllocEx
  • Copy function WriteProcessMemory into the allocated memory space
  • Copy shellcode WriteProcessMemory into the allocated memory space
  • Call FlushInstructionCache API to make sure our changes are written right away
  • Call inject RemoteThread function call
  • Call ResumeThread
  • Else, call undocumented API function RtlCreateUserThread to start execution in the remote process, using the offset address of the reflective loader function as the entry point.

TrickBot Hooking Engine

When the TrickBot banker hooks the API function, it enters the new hooked one and checks to make sure the process is microsoftedgecp.exe while passing control to the original one when the hooked function concludes.

image of trickbot create hook main function

The basic TrickBot banking API hooking template is as follows:

"CreateHook_API" Function Template ->

{ int CreateHook_API(LPCSTR DLL_name, int original_function_name,

	int myHook_function,	int address_of_original_function) }


By and large, TrickBot hooking engine works via overwriting the basic API with the redirect functions with the 0xe9 opcode, which is the call for a jump with 32-bit relative offset. TrickBot uses a trampoline function and the write hook call with the VirtualProtectEx API to make sure that the function has the 0x40 (PAGE_EXECUTE_READWRITE) property. Additionally, it attempts to conceal detection of this hooking technique via prepending NOP and/or RETN.

The exact TrickBot hook pseudo-code is as follows:

////////////////////////////////////////////////////////////////////
/////////////// TrickBot Hook Install Function ///////////////////////
///////////////////////////////////////////////////////////////////
signed int __cdecl TrickBot_Hook_Install(int myHook_function, int *function_address)
{
	char *original_function;
	char *current_func_id_thread;
	int v5;
	char jump_len;
	signed int result;
	SIZE_T v8;
	void *trampoline_lpvoid;
	int v10;
	int v11;
	unsigned __int8 jmp_32_bit_relative_offset_opcode;
	int relative_offset;
	DWORD flOldProtect;
	original_function = func_name;
	current_func_id_thread = func_name + 0x24;
	iter_func(func_name + 0x24, 0x90, 0x23);
	if ( function_address )		// Attempts to prepend "0x90" (nop) or "0xC3" (retn) to jump length to avoid basic hooking detect
		jump_len = walker_byte_0(*(_BYTE **)(original_function + 1), (int)current_func_id_thread, v5);
	else
		jump_len = 5;		// jump_length_trampoline -> 5

	original_function[5] = jump_len;

	if ( !jump_len )
		goto LABEL_12;		// Setting up the trampoline buffer
		write_hook_iter((int)(original_function + 6), *(_BYTE **)(original_function + 1), (unsigned __int8)jump_len);

	if ( function_address )
		*function_address = (int)current_func_id_thread;
	
	relative_offset = myHook_function - *(_DWORD *)(original_function + 1) - 5;
	v8 = (unsigned __int8)original_function[5];
	trampoline_lpvoid = *(void **)(original_function + 1);
	jmp_32_bit_relative_offset_opcode = 0xE9u;		// "0xE9" -> opcode for a jump with a 32bit relative offset

	if ( VirtualProtectEx((HANDLE)0xFFFFFFFF, trampoline_lpvoid, v8, 0x40u, &flOldProtect) )	// Set up the function for "PAGE_EXECUTE_READWRITE" w/ VirtualProtectEx
	{
		v10 = *(_DWORD *)(original_function + 1);
		v11 = (unsigned __int8)original_function[5] - (_DWORD)original_function - 0x47;
		original_function[66] = 0xE9u;
		*(_DWORD *)(original_function + 0x43) = v10 + v11;
		write_hook_iter(v10, &jmp_32_bit_relative_offset_opcode, 5); // -> Manually write the hook
		VirtualProtectEx(		// Return to original protect state
			(HANDLE)0xFFFFFFFF,
			*(LPVOID *)(original_function + 1),
			(unsigned __int8)original_function[5],
			flOldProtect,
			&flOldProtect);
	result = 1;


For instance, TrickBot malware sets up its own custom myCreateProcessA function prototype after the hook on CreateProcessA. The idea is to catch any instance of microsoftedgecp.exe execution to intercept it for subsequent injection. This function ultimately returns the flow back to CreateProcessA after intercepting and collecting necessary process execution information.

image hooked process

The following four API calls being hooked are in the child Microsoft Edge via rogue rtlbroker.dll, allowing TrickBot operators to intercept and manipulate Microsoft Edge calls:

  • CreateProcess
  • CreateProcessW
  • CreateProcessAsUserA
  • CreateProcessAsUserW

TrickBot hooks Internet Explorer and Microsoft Edge in wininet.dll library API calls:

  • HttpSendRequestA
  • HttpSendRequestW
  • HttpSendRequestExA
  • HttpSendRequestExW
  • InternetCloseHandle
  • InternetReadFile
  • InternetReadFileExA
  • InternetQueryDataAvailable
  • HttpQueryInfoA
  • InternetWriteFile
  • HttpEndRequestA
  • HttpEndRequestW
  • InternetQueryOptionA
  • InternetQueryOptionW
  • InternetSetOptionA
  • InternetSetOptionW
  • HttpOpenRequestA
  • HttpOpenRequestW
  • InternetConnectA
  • InternetConnectW 

The malware hooks Mozilla Firefox Browser in nspr4.dll library API calls:

  • PR_OpenTCPSocket
  • PR_Connect
  • PR_Close
  • PR_Write
  • PR_Read 

It hooks Chrome in chrome.dll library API calls:

  • ssl_read
  • ssl_write

Reference

injectDll32.dll C546D40D411D0F0BB7A1C9986878F231342CDF8B
rtlbrokerDll.dll 0785D0C5600D9C096B75CC4465BE79D456F60594
testnewinj32Dll.dll D5F98BFF5E33A86B213E05344BD402350FC5F7CD

Like this article? Follow us on LinkedIn, Twitter, YouTube or Facebook to see the content we post.

Read more about Cyber Security

Cybersecurity automation startup Tines scores $4.1M Series A led by Blossom Capital

/0 Comments/in /by

Tines, a Dublin-based startup that lets companies automate aspects of their cybersecurity, has raised $4.1 million in Series A funding. Leading the round is Blossom Capital, the venture capital firm co-founded by ex-Index Ventures and LocalGlobe VC Ophelia Brown.

Founded in February 2018 by ex-eBay, PayPal and DocuSign security engineer Eoin Hinchy, who was subsequently joined by former eBay and DocuSign colleague Thomas Kinsella, Tines automates many of the repetitive manual tasks faced by security analysts so they can focus on other high-priority work. The pair have bootstrapped the company until now.

“It was while I was at DocuSign that I felt there was a need for a platform like Tines,” explains Hinchy. “We had a team of really talented engineers in charge of incident response and forensics but they weren’t developers. I found they were doing the same tasks over and over again so I began looking for a platform to automate these repetitive tasks and didn’t find anything. Certainly nothing that did what we needed it to, so I came up with the idea to plug this gap in the market.”

To that end, Tines lets companies automate parts of their manual security processes with the help of six software “agents,” with each acting as a multipurpose building block. Therefore, regardless of the process being automated, it only requires combinations of these six agent types configured in different ways to replicate a particular workflow.

“I wanted there to be as few agent types as possible, to simplify the system, and I haven’t discovered a workflow in which tasks sit outside of these agents yet,” says Hinchy. “Once a customer signs up they can start automating their own workflows immediately, and most of our customers see value from day one. If they need a hand, my team works with them to establish how they currently manually carry out tasks, such as identifying and dealing with a phishing attack. Each step of dealing with the attack — from cross-checking the email address with trusted contacts or a blacklist, to scanning attachments for viruses or examining URLs — will be performed by one of the six agent types. This means we can assign these tasks to an agent to create the workflow, or as we call it, the “story.”

So, for example, once a phishing email triggers the first agent, the following steps in the “story” are automatically carried out. In this way, Tines might be described as akin to IFTTT, “but an exceptionally powerful, enterprise version of the IFTTT concept, designed to manage much more complex workflows.”

Competitors are cited as Phantom, which last year was acquired by Splunk, and Demisto, which was bought by Palo Alto Networks. However, Hinchy argues that a key differentiator is that Tines doesn’t rely on pre-built integrations to interact with external systems. Instead, he says the software is able to plug in to any system that has an API.

Meanwhile, Tines says it will use the new funding to hire engineers in Dublin who can help improve the platform through R&D, as well as grow its customer base with companies in the U.S. and in Europe. Notably, the startup plans to expand beyond cybersecurity automation, too.

“Our background is in security, so with Tines, we’ve initially focused on helping security teams automate their repetitive, manual processes,” says Hinchy. “What makes us different is that nowhere does it say we can’t expand beyond this, to help other teams and sectors automate tasks. The advantage of our direct-integration model is that Tines doesn’t care if you’re talking to a security tool, HR system or CRM, it treats them the same. In the next 18 months, we plan to expand Tines outside security, hire more talent and increase the product team from 8 to 20.”

Grafana Labs nabs $24M Series A for open source-based data analytics stack

/0 Comments/in /by

Grafana Labs, the commercial company built to support the open-source Grafana project, announced a healthy $24 million Series A investment today. Lightspeed Venture Partners led the round with participation from Lead Edge Capital.

Company CEO and co-founder Raj Dutt says the startup started life as a way to offer a commercial layer on top of the open-source Grafana tool, but it has expanded and now supports other projects, including Loki, an open-source monitoring tool not unlike Prometheus, which the company developed last year.

All of this in the service of connecting to data sources and monitoring data. “Grafana has always been about connecting data together no matter where it lives, whether it’s in a proprietary database, on-prem database or cloud database. There are over 42 data sources that Grafana connects together,” Dutt explained.

But the company has expanded far beyond that. As it describes the product set, “Our products have begun to evolve to unify into a single offering: the world’s first composable open-source observability platform for metrics, logs and traces. Centered around Grafana.” This is exactly where other monitoring and logging tools like Elastic, New Relic and Splunk have been heading this year. The term “observability” is a term that’s been used often to describe these combined capabilities of metrics, logging and tracing.

Grafana Labs is the commercial arm of the open-source projects, and offers a couple of products built on top of these tools. First of all it has Grafana Enterprise, a package that includes enterprise-focused data connectors, enhanced authentication and security and enterprise-class support over and above what the open-source Grafana tool offers.

The company also offers a SaaS version of the Grafana tool stack, which is fully managed and takes away a bunch of the headaches of trying to download raw open-source code, install it, manage it and deal with updates and patches. In the SaaS version, all of that is taken care of for the customer for a monthly fee.

Dutt says the startup took just $4 million in external investment over the first five years, and has been able to build a business with 100 employees and 500 customers. He is particularly proud of the fact that the company is cash flow break-even at this point.

Grafana Labs decided the time was right to take this hefty investment and accelerate the startup’s growth, something they couldn’t really do without a big cash infusion. “We’ve seen this really virtuous cycle going with value creation in the community through these open-source projects that builds mind share, and that can translate into building a sustainable business. So we really want to accelerate that, and that’s the main reason behind the raise.”

Stewart Butterfield says Microsoft sees Slack as existential threat

/0 Comments/in /by

In a wide ranging interview with The Wall Street Journal’s global technology editor Jason Dean yesterday, Slack CEO and co-founder Stewart Butterfield had some strong words regarding Microsoft, saying the software giant saw his company as an existential threat.

The interview took place at the WSJ Tech Live event. When Butterfield was asked about a chart Microsoft released in July during the Slack quiet period, which showed Microsoft Teams had 13 million daily active users compared to 12 million for Slack, Butterfield appeared taken aback by the chart.

Microsoft Teams chart

Chart: Microsoft

“The bigger point is that’s kind of crazy for Microsoft to do, especially during the quiet period. I had someone say it was unprecedented since the [Steve] Ballmer era. I think it’s more like unprecedented since the Gates’ 98-99 era. I think they feel like we’re an existential threat,” he told Dean.

It’s worth noting, that as Dean pointed out, you could flip that existential threat statement. Microsoft is a much bigger business with a trillion-dollar market cap versus Slack’s $400 million. It also has the benefit of linking Microsoft Teams to Office 365 subscriptions, but Butterfield says the smaller company with the better idea has often won in the past.

For starters, Butterfield noted that of his biggest customers, more than two-thirds are actually using Slack and Office 365 in combination. “When we look at our top 50 biggest customers, 70% of them are not only Office 365 users, but they’re Office 365 users who use the integrations with Slack,” he said.

He went on to say that smaller companies have taken on giants before and won. As examples, he held up Microsoft itself, which in the 1980s was a young upstart taking on established players like IBM. In the late 1990s, Google prevailed as the primary search engine in spite of the fact that Microsoft controlled most of the operating system and browser market at the time. Google then tried to go after Facebook with its social tools, all of which have failed over the years. “And so the lesson we take from that is, often the small startup with real traction with customers has an advantage versus the large incumbent with multiple lines of business,” he said.

When asked by Dean if Microsoft, which ran afoul with the Justice Department in the late 1990s, should be the subject of more regulatory scrutiny for its bundling practices, Butterfield admitted he wasn’t a legal expert, but joked that it was “surprisingly unsportsmanlike conduct.” He added more seriously, “We see things like offering to pay companies to use Teams and that definitely leans on a lot of existing market power. Having said that, we have been asked many times, and maybe it’s something we should have looked at, but we haven’t taken any action.”

Cachet Financial Reeling from MyPayrollHR Fraud

/0 Comments/in /by

When New York-based cloud payroll provider MyPayrollHR unexpectedly shuttered its doors last month and disappeared with $26 million worth of customer payroll deposits, its payment processor Cachet Financial Services ended up funding the bank accounts of MyPayrollHR client company employees anyway, graciously eating a $26 million loss which it is now suing to recover.

But on Oct. 23 — less than 24 hours before another weekly payroll rush — Pasadena, Calif.-based Cachet threw much of its customer base into disarray when it said its bank was no longer willing to risk another MyPayrollHR debacle, and that customers would need to wire payroll deposits instead of relying on the usual method of automated clearinghouse (ACH) payments (essentially bank-to-bank checks).

Cachet processes some $150 billion in payroll payments annually for more than 110,000 employers. But payroll experts say this week’s actions by Cachet’s bank may well soon put the 22-year-old company out of business.

“We apologize for the inconvenience of this message,” reads the communication from Cachet that went out to customers just after 6:30 PM ET on Oct. 23. It continued:

“Due to ongoing fraud protocol with our bank, they are requiring pre-funding via Direct Wire for all batches that were uploaded this week, unless employees were already paid or tax payments were already transmitted. This includes all batch files moving forward.”

All files that were uploaded today for collection and disbursement will not be processed. In order to process disbursement, we will need to receive a wire first thing tomorrow in order to release the disbursements.

All collections that were processed prior to today will be reviewed by the bank and disbursements will be released once the funds are cleared. Credit trans

Deadline for wires is 1 P.M. PST.

This will be the process until further notice. If you need a backup processor, please contact us.

If you require wire instructions, please respond to this email and they will be sent to you.

We welcome and anticipate your phone calls and inquiries. We remain committed to our clients and are determined to see this through. We appreciate and thank you for your patience and understanding.”

In a follow-up communication sent Thursday evening, Cachet said all debit transactions with a settlement date of Oct. 23 had been processed, but that any transactions uploaded after Oct. 23 were not being processed at all, and that wires are no longer being accepted.

“If they aren’t taking money, they’re out of business,” Friedl said of Cachet.

Cachet’s financial institution, Wilmington, Del. based The Bancorp Bank (NASDAQ: TBBK), did not respond to requests for comment.

Cachet also did not respond to requests for comment. But in an email Thursday evening, the company sought to offer customers a range of alternatives — including other providers — to help process payrolls this week.

Steve Friedl, an IT consultant in the payroll service bureau industry, said the Cachet announcement has sent payroll providers scrambling to cut and mail or courier paper checks to client employees.  But he said many payroll providers also use Cachet to process tax withholdings for client employees, and that this, too, could be disrupted by the funding changes.

“There’s a lot of same day stuff that goes on in the payroll industry that depends on people being honest and having money available at certain times,” Friedl said. “When that’s not possible because a bank in that process says it doesn’t want to be stuck in the middle that can create problems for a lot of people who are then stuck in the middle.”

Another payroll expert at a company that uses Cachet but who asked not to be named said, “everyone I know at payroll providers is scrambling to get it done another way this week” as a result of the decision by Cachet’s bank.

“Those bureaus will do whatever they can to keep their clients happy because something like this can quickly put them out of business,” the source said. “Unlike what happened with MyPayrollHR — which harmed consumers directly — the payment service bureaus are the ones potentially getting hurt here.”

Most corporate payroll is handled through ACH transactions, a system that allows financial institutions to push and pull funds to and from checking accounts between banks. ACH is essentially the same thing as writing a check for a good or service, and it typically involves an element of trust because there is a time delay (24-48h) between which the promised funds are released to the receiving bank and the funds are made available to the recipient.

In contrast, a wire transfer takes minutes and the funds are made available to the recipient almost immediately. Wires are also far more expensive for customers, and they earn banks hugely profitable processing fees, whereas ACH transaction fees are minuscule by comparison.

Ultimately, banks may decide that for certain clients they no longer wish to assume the risk of fraudsters exploiting the float period for ACH transactions to steal tens of millions of dollars, as was the case in the MyPayrollHR fiasco.

It’s worth noting that the MyPayrollHR fraud wasn’t the first time Cachet has been tripped up by the demise of a payroll company: In 2016, the collapse of Monterey, Calif. based payroll processor Pinnacle Workforce Solutions left Cachet holding the bag for more than $1 million. Cachet sued to recover the money stuck in Pinnacle’s frozen accounts. From The Monetery County Weekly:

“Cachet’s lawyers also outline possible nefarious action by Pinnacle. ACH companies act as middlemen for processing payroll and other large transactions. Every pay period, Pinnacle would send Cachet a coded file to tell the ACH how to distribute funds. But, on Sept. 21 [2016] Pinnacle had manipulated the code sent to Cachet so the money collected from its clients went directly to Pinnacle instead of being held in the ACH account before being distributed to its clients’ employees, the suit alleges.”

It will be interesting to see how long the fallout from the MyPayrollHR episode will last and how many other firms may get wiped because of it. Shortly after MyPayrollHR closed its doors last month and disappeared with $35 million in payroll and tax payments, the company’s 49-year-old CEO Michael Mann was arrested and charged with bank fraud.

The government alleges Mann was kiting millions of dollars in checks between his accounts at Bank of American and Pioneer from Aug. 1, 2019 to Aug. 30, 2019. The Times Union reports that Mann and his company are now being sued by Pioneer Bank and a large insurance company over a $42 million loan it gave to Mann and his companies just a month before his payroll business closed up shop.

7 Lessons Every CISO Can Learn From the ANU Cyber Attack

/0 Comments/in /by

During November of last year, a highly-skilled — possibly nation state threat actor — penetrated the network of the Australian National University. The dwell time, or length of time the attacker went undetected, was around six weeks. Afforded such an extensive period of time, the actor engaged in lateral movement activities, downloaded bespoke malware, conducted further spearphishing campaigns and exfiltrated an unknown amount of data from a possible 19-year treasure trove of records from Human Resources, financial management and student administration. The details of the attack, discovered in June of this year, have recently been published by the university’s Office of the Chief Information Security Officer. In this post, and based on their thorough report, we review the major lessons every CISO can learn from the ANU cyber attack.

image of 7 lessons from ANU attack

1. Don’t Wait Till It’s Too Late | Replace Legacy AV

Without doubt the most startling lesson for CISOs from the ANU breach is that you cannot wait to update your security if you want to match and defeat the skills of today’s threat actors. 

ANU: “The actor was able to, in several cases, avoid detection by altering the signatures of more common malware used during the campaign. Also, the malware and some tools were assembled inside the ANU network after a foothold had been established. This meant that the downloaded individual components did not trigger the University’s endpoint protection.”

The old legacy AV suites that ANU had been using up until last year were no match for the attacker. Indeed, such systems are regularly bypassed by red team engagements, and bypasses are widely known and traded on hacker forums. Legacy AV suites afford very little protection against anything other than accidental or amateur intrusion attempts and need to be replaced as quickly as possible. 

2. Phishing Is King | Block Bad Behavior, Not Users

Users will always be susceptible to phishing and spearphishing attacks. Enterprises need to stop relying on human behavior to recognize phishing campaigns and instead rely on machine learning to detect and block malicious behaviour on endpoints.

ANU: “The actor’s campaign started with a spearphishing email sent to the mailbox of a senior member of staff. Based on available logs this email was only previewed but the malicious code contained in the email did not require the recipient to click on any link nor download and open an attachment. This “interaction-less” attack resulted in the senior staff member’s credentials being sent to several external web addresses.”

image of ANU phishing email

Let’s not blame the user, but there’s a reason why phishing was used in the ANU attack and is by far the most common attack vector. People, unlike computers, need to get things done. But the attacker, like the victim, is also a human and to reach their objectives, the tools, tactics and procedures they use to achieve those objectives can be modelled behaviorally.

A no-interaction phishing email raises interesting and worrying questions. In an attempt to protect the public by not going into details that could help other threat actors, ANU have not released details of how that worked. Possibilities include leveraging the loading of remote content, unpatched email client software or perhaps a zero day vulnerability in either that software or the operating system itself. 

The lesson here is that phishing awareness training and other user-level safeguards would not have helped protect the organization against the initial spearphishing attack. That means the importance of a security solution that can recognize and alert on malicious execution regardless of whether the process is trusted or not is the only sure way to deal with the phishing threat.

3. Make the Invisible, Visible | Know Your Network

Understanding what is connected to your network is vital. In the ANU attack, the threat actor sought out and found little-known network devices that had fallen outside of the organization’s security audits.

ANU: “The actor built a shadow ecosystem of compromised ANU machines, tools and network connections to carry out their activities undetected. Some compromised machines provide a foothold into the network. Others, like the so-called attack stations, provided the actor with a base of operations to map the network, identify targets of interest, run tools and compromise other machines.”

image of ANU attack overview

With a vast organization spanning multiple sites and multiple sub-networks, the only effective solution is to ensure you can map the network, and fingerprint devices in such a way that you can not only determine what is connected, but also what is unprotected. Many current network mapping solutions have implementation issues such as consuming too much in the way of resources or requiring “noisy” additional mapping devices. Consider a solution that uses your existing security infrastructure without adding on top another layer of burden.

4. Knock, Knock, Who’s There? | Enforce 2FA & Multi-FA

No matter how strong your password, or how frequently you change it, simply relying on only what someone knows without the supporting evidence of something the authorized user possesses is always going to present an opportunity to attackers.

ANU: “Forensic evidence also shows the extensive use of password cracking tools at this stage. The combination of the bespoke code and password cracking is very likely to have been the mechanism for gaining access to the above administrative databases or their host systems.”

With the almost universal use of smartphones among employees these days, linking account access to authentication through an additional device should be standard practise in the modern enterprise. Though neither foolproof nor always convenient, 2FA with time-limited OTPs delivered through mobile Authenticator apps will secure accounts from most simple credential stuffing and other password hijacking attempts. For even stricter control, consider hardware authentication devices such as YubiKey and similar where appropriate.

5. Mind The Traffic | Use Endpoint Firewall Control

Without policies to control what kinds of traffic you want an endpoint to allow and disallow, attackers will have an opportunity to exfiltrate data at will once they have compromised an endpoint.

ANU: “The actor used a variety of methods to extract stolen data or credentials from the ANU network. This was either via email or through other compromised Internet-facing machines.”

Effective endpoint Firewall controls can block unauthorized transfer of data to and from all your endpoints, both on and off the corporate network. In the ANU attack, the threat actor manipulated a commercial tool to query multiple databases, extract records and then exfiltrate the data by sending it to another machine on the network in PDF file format. 

Deploying firewall controls allows you to reduce the risk of this kind of data leakage by setting explicit policies that either allow or disallow particular kinds of traffic from the endpoint. Such policies could have prevented the kind of unauthorized data transfers as used in the ANU breach.

6. Pick Off Low-Hanging Vulns | Patch For The Win

Patching is a time-honored security defensive measure, but it’s becoming increasingly important with vulnerabilities like BlueKeep and Eternalblue now on the loose.

ANU: “The actor also gained access (through remote desktop) to a machine in a school which had a publicly routable IP address. Age and permissiveness of the machine and its operating system are the likely reasons the actor compromised this machine.”

Threat actors have the tools to scan for and exploit vulnerabilities in legacy OS like Windows 7 and unpatched Windows 10, Linux and macOS machines. While many departments struggle to replace ageing hardware and software for either operational or budgetary reasons, those departments will remain vulnerable to various threat actors, from cyber criminals motivated by finance to Advanced Persistent Threat groups who may just be hoovering up as much intel as possible while they can.

7. Console Your Clients | Log Devices Remotely 

A good security posture requires not just knowing what is happening on your devices but what happened in the past. Logging device activity to a secure remote location is essential for both threat hunting and incident response.

ANU: “The actor exhibited exceptional operational security during the campaign and left very little in the way of forensic evidence. Logs, disk and file wipes were a recurrent feature of the campaign.”

The ANU’s incident response team did a great forensic investigation after-the-fact, but they were hampered by the deletion of logs on vulnerable machines. Modern endpoint detection and response should be backed by a centralized device management console where admins and security teams can access logs from all endpoints regardless of what actions are taken on a device locally. 

Similarly, with the correct solution in place such as a tamper-proof agent installed on the local device, the attackers bespoke tools and malware would also have triggered an alert based on their malicious behaviour, regardless of whether they were unknown to signature detection engines that rely on reputation.

Conclusion

The ANU are to be congratulated for making public their detailed Incident Response report. It’s to be hoped that other organizations that suffer breaches take note. Only through this kind of transparency can we share knowledge of how attackers adapt and evade enterprise and organizational security.

ANU weren’t without defenses, and they weren’t without resources. There are many organizations just like them both in the public and private sector. Attackers long ago learned how to defeat the old AV Suite solutions of the past, and that message is something that the ANU report makes clear. A combination of legacy hardware, software and an opaque network structure played into the threat actor’s hands. It is incumbent on us all to learn these lessons and to raise the bar for attackers in light of this report.

Like this article? Follow us on LinkedIn, Twitter, YouTube or Facebook to see the content we post.

Read more about Cyber Security

Bill McDermott aims to grow ServiceNow like he did SAP

/0 Comments/in /by

Bill McDermott has landed. Two weeks ago, he stepped down as CEO at SAP after a decade leading the company. Yesterday, ServiceNow announced that he will be its new CEO.

It’s unclear how quickly the move came together but the plan for him is clear: to scale revenue like he did in his last job.

Commenting during the company’s earning’s call today, outgoing CEO John Donahoe said that McDermott met all of the board’s criteria for its next leader. This includes the ability to expand globally, expand the markets it serves and finally scale the go-to-market organization internally, all in the service of building toward a $10 billion revenue goal. He believes McDermott checks all those boxes.

McDermott has his work cut out for him. The company’s 2018 revenue was $2.6 billion. Still, he fully embraced the $10 billion challenge. “Well let me answer that very simply, I completely stand by [the $10 billion goal], and I’m looking forward to achieving it,” he said with bravado during today’s call.

It’s worth noting that as the company strives to reach that lofty revenue goal in the coming years, it will be doing with a new CEO in McDermott, as well as a new CFO. The company is in the midst of a search to fill that key position, as well.

McDermott has been here before though. He points out that in the decade he was at SAP, under his leadership the company moved the market cap from $39 billion to $163 billion. Today, ServiceNow’s market cap is similar to when McDermott started at SAP at a little over $41 billion.

He also recognizes that this is going to be a new challenge. “I’ve seen a lot of different business models, and [SAP has] a very different business model than ServiceNow. This is a pure play cloud,” he said. That means as a leader, he says that has to think about product changes differently, how they fit in the overall platform, while maintaining simplicity and keeping the developer community in mind.

Ray Wang, founder and principal analyst at Constellation Research said that ServiceNow is at a point where it needs an enterprise-class CEO who understands tech, partnerships, systems integrators and real enterprise sales and marketing — and McDermott brings all of that to his new employer.

Demodesk scores $2.3M seed for sales-focused online meetings

/0 Comments/in /by

Demodesk, an early-stage startup that wants to change how sales meetings are conducted online, announced a $2.3 million seed investment today.

Investors included GFC, FundersClub, Y Combinator, Kleiner Perkins and an unnamed group of angel investors. The company was a member of the Y Combinator Winter 2019 cohort.

CEO and co-founder Veronika Riederle says that the fact it’s so closely focused on sales separates it from other more general meeting tools like Zoom, WebEx or GoToMeeting. “We are building the first intelligent online meeting tool for customer-facing conversations. So that is for inside sales and customer service professionals,” Riederle explained.

One of the key pieces of technology is what Riederle calls “a unique approach to screen sharing.” Whereas most meeting software involves downloading software to use the tool, Demodesk doesn’t do this. You simply click a link and you’re in. The two parties online are seeing a live screen and each can interact with it. It’s not just a show and tell.

What’s more, in a sales scenario with a slide presentation, the customer sees the same live screen as the salesperson, but while the salesperson can see their presentation notes, the customer cannot.

She said while this could work for any number of scenarios, from customer service to IT Help desks, at this stage in the company’s development she wants to concentrate on the sales scenario, then expand the vision over time. The service works on a subscription model with tiered per user pricing starting at $19 per user, per month.

When they got to Y Combinator, the company already had a working product and paying customers, but Riederle says the experience has helped them grow the business to moew than 100 customers. “YC was extremely important for us because we immediately got access to an extremely valuable network of founders and potential customers, and also just a base for us to really [develop] the business.

Riederle founded the company with CTO Alex Popp in 2017 in Munich. Prior to this seed round, the founders mostly bootstrapped the company. With the $2.3 million, it should be able to hire more people and begin building out the product further, while investing in sales and marketing to expand its customer base.

Behind Enemy Lines | Looking into Ransomware as a Service (Project Root)

/0 Comments/in /by

Ransomware-as-a-Service (RaaS) offerings have been a staple of the “underground” for many years now. From TOX to SATAN to Petya and beyond, we have seen services continue to appear and thrive. Often times they are short-lived, but that is not always the case. Services like DataKeeper and Ranion have been available for over two years now. These ‘services’ are an attractive way for enterprising criminals to create, distribute, and manage their ransomware (and subsequent profits) with almost no barrier to entry. That is, they require zero prior coding or development knowledge. They also offer instant results and are cheap to launch. Typically, these services either require an “up front” payment or a share of the profits once the victims pay. In this post, we take a journey into the dark web and explore a new RaaS offering that appeared for the first time earlier this month known as ‘Project Root’.

image project root

Ransomware As A Service: Meet Project Root

We recently came across a new offering known as ‘Project Root’. This service, like many others, requests a low, “up front” fee to get started. From there, clients can generate ransomware binaries on-demand. Both Windows and Linux are supported (for 32-bit and 64-bit architectures). 

image of project root site

Project Root payloads are written in Golang, and thus resemble previous (similar) threat families like LockerGoga. Payloads written in Golang are often able to bypass both traditional signature-based detection as well as some static machine-learning detection engines given how few samples (and therefore extractable features) are found in the wild.

image of project root banner

Project Root: How Much Does It Cost?

Project Root is available in two versions. The ‘standard” version (initially) costs $150 USD up front, payable in bitcoin (BTC), and allows for unlimited generation of “basic” payloads via their portal, along with the management and key distribution components. Updates to this version are ‘free’ for 6 months. Over the course of the last two weeks, the standard version price has fluctuated between $50 and ‘Free’. A “Pro” version exists which

allows for better ‘support , longer term of free updates, and increased evasion options. Buyers will also have full access to the source code for increased “customization options”.’

image of project root pro

The “Pro” version has been advertised all along but appears to have officially “launched” as of October 17th.

image of project root price plans

How To Build Ransomware Binaries

For users of the service, building binaries is very straightforward. The RaaS customers need only specify the desired architecture (x86 or x64) along with the platform (Linux or Windows). It should be noted that an Android version is promised for the future. Along with the above options, the user needs to supply a contact email address for the victim, along with a customized recovery key associated with the campaign.

image of project root builder window

image of project root win binary

This builder interface is also used to access specific decrypters for either Linux or Windows platforms (also provided in x86 and x64 varieties)

image of project root decrypter menu

The “How to Use” section also serves as the service’s FAQ section. While seemingly straightforward, it does reveal that the actor behind this is most likely not a native English speaker.

image of project root FAQ

Teething Trouble or Scamming the Scammers?

It is also interesting to note that until recently (on or around October 14th), the ransomware payloads we analyzed did not work. All the samples we investigated prior to October 14th did not proceed past the initial execution phase. No further activity occurs and the victim’s files are not encrypted. This was true across x86 and x64 samples. This is an interesting phenomenon that maybe does not get enough attention. All malware authors have a varying degree of skill, and their ability to ‘QA test’ their creations is equally idiosyncratic. It is possible that, during the early stage of the service’s launch, they were still working out kinks. Despite that, it appears that the service was happy to continue ‘selling stuff” and accepting payments from hopeful criminals.

There is quite a large ‘scam the scammer” market on the ‘Deep Web’ and other dark corners of the threat landscape. There are scammers out there that deliberately target lesser-skilled scammers to make a quick buck. There are many examples of this in recent history (Aspire Crypter and INPIVIX RaaS come to mind).  Also, for every ‘legitimate’ service, there are dozens or more clones/phish sites that just serve to mine credentials, account data, and more. Even the relatively well-known ransomware services like DataKeeper, Ranion, and MegaCortex are shadowed by a confusing vortex of copy-cat sites which blur the line between the scammy sites and the legit services.  

When we first encountered these executables, and located the corresponding portal for the RaaS service, this was our first thought. However, it turns out, if you are patient enough, sometimes the scams turn out to be ‘real’. Starting around October 14th onwards, the Windows and Linux payloads that we have been able to intercept and analyze are functional, so this does not appear to be an outright scam, which seemed like a distinct possibility early on.  

Inside The Ransomware Payload

The generated Ransomware payloads are written in Golang.   

image of project root strings

Project Root’s payloads follow in the footsteps of other, similar, ransomware families also written in Golang such as LockerGogoa and shifr .

The samples we have analyzed to date are delivered in an unpacked state. Golang binaries tend to be somewhat large (over 1MB) and therefore you often see them mutated or compressed via a packer. Such is not the case with those generated by Project Root, and the size of the analyzed binaries range from 5MB to 6MB.

Functionally, there is nothing ground-breaking or novel about the executables generated via Project Root. Upon execution, the code will perform a few checks in an attempt to evade analysis. The executables are ‘sandbox-aware” and will fail to run in both VMware and Oracle VirtualBox. In addition to the local system/host checks, the ransomware binary will attempt to reach out remotely to verify network connectivity by contacting the following IP address:

ec2-3-18-214-41[.]us-east-2[.]compute[.]amazonaws.com (3[.]18[.]214[.]41).   

If successful, the executable will communicate a base64 encoded string to the remote host. The encoded string contains identifiable details of the infected system. This is for tracking as well as infection/payment reporting on the portal side.

image of project root key value pairs

Files are encrypted using AES-256. The samples we have analyzed only appear to target the following 195 specific file types for encryption.

odt, ods, odp, odm, odc, csv, odb, doc, docx, docm, wps, xls, xlsx, xlsm, xlsb, xlk, ppt, pptx, pptm, mdb, accdb, pst, dwg, xf, dxg, wpd, rtf, wb2, mdf, dbf, psd, pdd, pdf, eps, ai, indd, cdr, jpg, jpe, dng, 3fr, srf, sr2, bay, crw, cr2, dcr, kdc, erf, mef, mrwref, nrw, orf, raf, raw, rwl, rw2, r3d, ptx, pef, srw, x3f, der, cer, crt, pem, pfx, p12, p7b, p7c, c, cpp, txt, jpeg, png, gif, mp3, html, css, js, sql, mp4, flv, m3u, py, desc, con, htm, bin, wotreplay, unity3d , big, pak, rgss3a, epk , bik , slm , lbf, sav , lng ttarch2 , mpq, re4, apk, bsa , cab, ltx , forge ,asset , litemod, das , upk, bar, hkx, rofl, DayZProfile, db0, mpqge, vfs0 , mcmeta , m2, lrf , vpp_pc , ff , cfr, snx, lvl , arch00, ntl, fsh, w3x, rim ,psk , tor, vpk , iwd, kf, mlx, fpk , dazip, vtf, 001, esm , blob , dmp, menu, ncf, sid, sis, ztmp, vdf, mcgame, fos, sb, itm , wmo , itm, map, wmo, sb, svg, cas, gho,iso ,rar ,mdbackup , hkdb , hplg, hvpl, icxs, itdb, itl, sidd, sidn, bkf , qic, bkp , bc7 , bc6 ,pkpass, tax, gdb, qdf, t12,t13, ibank, sum, sie, sc2save ,d3dbsp, wmv, avi, wma, m4a, 7z, torrent


Once encryption occurs, affected files are given a .Lulz extension. The desktop background is changed to an image which instructs the victim to refer to ‘Fuck.txt’ for instructions on how to proceed with decryption.

The background image is pulled from the following URL:

hxxps[:]//i.postimg[.]cc/pdbqqS5P/new.jpg

image of project root splash

The ransom note simply provides instructions on whom to email for details on decryption along with a corresponding uniquely identifying key. At that point, it is up to the attacker to respond, accept payment, and provide details on how to proceed.

image of project root ransomware note

The threat also attempts to clear out local event logs (Windows version), as well as attempts to install a new root certificate. The certificate installation appears to still be problematic as we were unable to reproduce or observe that behavior during our analysis.  

Defending Against Project Root and RaaS

SentinelOne Endpoint Protection is capable of fully preventing malicious binaries generated by the Project Root service across platforms. In scenarios where the threat has been able to make malicious changes, those can be fully reversed via SentinelOne’s “Rollback” feature.

Of course, aside from having a strong security solution in place, user education and a well-established Disaster Recovery Plan/Business Continuity Play (DRP/BCP) will go a long way here, too.

Conclusion

It is always good to stay aware and keep up to date with the types of malware and ransomware services that are currently available, as well as the efficacy of them. While there are many that launch as either deliberate scams or are simply poorly written, there are also many that function quite well and present a real threat to users. This service, Project Root, straddles the line between those two extremes.

Indicators of Compromise (IOCs):

ade0d7fbdcb34d7cbd220beb9c3c2484f7ce05c11043bd5ed64df239f5039ba7 Ransomware sample (x86)
930b10c9413156bc91aafd0d3dd88e927b1c938707349070b35d2700a1b37f2f Ransomware sample (x64)
432ebc85724f52ff1bbe205b22c68c15675a0f03321a9abae04c87415f10fa37 Ransomware sample (Linux)
576ce4198bd883a01f50535588109a0a78b5af2ce3a1ee69842a34b237bfeed5 Decryption Tool (x86)
7292dd52392e36826a48f15be0e185a4d34a4716e4bed8e77704fb1c05aa8b48 Decryption Tool (x64)
70c518fd0bf8ba099b9e87c951e2b72f79a637334e981140f7e0d0616d0c6905 Decryption Tool (Linux x86)
ff4b1f56244d0887d3fbc62956b742cb4b43048c92f68f4aa09bb54b8a415d12 Decryption Tool (Linux x64)
h t t ps[:]//i.postimg[.]cc/pdbqqS5P/new.jpg Network / HTTP Request
prootk6nzgp7amie[.]onion RaaS Portal (TOR)
ec2-3-18-214-41.us-east-2.compute.amazonaws.com RaaS Portal Mirror (Clearnet)
6dd74824ce2f34df13ccba4b6567b00bfdf42daeecc9a12196eee4c8ade29224 Ransomware sample (x64)
b226c3b4d8634f9ede3d526c5ee287287c20cf7173154c4db64ec5235800ddcd Ransomware sample (x86)

MITRE ATT&CK

  • T1130 – Install Root Certificate
  • T1486 – Data Encrypted for Impact (Ransomware)
  • T1089 – Disabling Security Tools
  • T1497 – Virtualization/Sandbox Evasion

Like this article? Follow us on LinkedIn, Twitter, YouTube or Facebook to see the content we post.

Read more about Cyber Security