Thursday, October 26, 2017
Bread crumb: Talos Blog - Threat Spotlight: Follow the Bad Rabbit
http://blog.talosintelligence.com/2017/10/bad-rabbit.html
Saturday, October 22, 2016
Dangerous and getting worse: Ransomware Corporate Crime
Because the impact of ransomware is denial of service, it can profitably target victims whose overriding requirement is availability, rather than the confidentiality that companies guarding intellectual property worry about. This was demonstrated earlier this year when the hospital industry was hit by an attack that ended in a $17,000 decryption payout (Gillum & Dishneau, 2016). Operations were interrupted for 10 days, days that put real human lives in danger (Gillum & Dishneau, 2016).
Typical infections do not try to encrypt every file on a target system, since encrypting the operating system's own files would break the system the malware needs in order to keep running. Instead they limit the targeted files by the file-type hint in the file name: the extension (Abrams, 2016 September). Just this month it was reported that a sample of the Stampado family also targets the extensions that other ransomware families append to the files they have already encrypted (Abrams, 2016 September). A victim could therefore pay to decrypt their files only to learn that the decrypted result is still a locked-up artifact of an earlier attack. Some families also misrepresent themselves: TorrentLocker claimed to be the higher-profile CryptoLocker, to which it had no relation (Léveillé, 2014). Underhanded in dealing with victims, and underhanded in abusing others' brands.
Underhanded dealings like Stampado's make the case for regular, off-system backups (Lennon, 2001). Off-system matters because the operating system's automatic backups, such as Windows Volume Shadow Copies, can be and routinely are deleted by ransomware (Abrams, 2016 May). This style of attack, despite its increasing popularity and the ease of payment, is not new, as the writings of Oswald (2006) and of Giri, Jyoti, and AVERT (2006) demonstrate. All indications are that it will get worse before it gets better (Talos, 2016).
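Two small triage checks for the behaviours described above, added here as an example and not taken from the original post or from any of the cited vendors. The first peels stacked extensions off a file name so a responder can see that a "decrypted" file is still another family's artifact (the Stampado problem); the second flags the shadow-copy deletion commands in process-creation records. The extension table and the log lines are constructed for illustration; the table in particular should be replaced with current threat intelligence rather than trusted as written.

```python
"""Triage helpers for the two ransomware behaviours discussed above.

Added example, not code from the original post. The extension table and
the log lines are constructed for illustration.
"""
import re

# Illustrative map of appended extension -> family. Constructed for this
# example; replace with current threat intelligence in real use.
RANSOM_EXTENSIONS = {
    ".locky": "Locky",
    ".zepto": "Locky",
    ".cerber": "Cerber",
    ".locked": "Stampado",
}


def encryption_layers(filename):
    """Peel known ransomware extensions off the file name, outermost first.

    'report.docx.locky.locked' -> ['Stampado', 'Locky']: paying Stampado
    would return a file that is still a Locky artifact.
    """
    layers = []
    name = filename.lower()
    while True:
        dot = name.rfind(".")
        if dot <= 0:
            break
        family = RANSOM_EXTENSIONS.get(name[dot:])
        if family is None:
            break
        layers.append(family)
        name = name[:dot]
    return layers


# Command lines commonly used to destroy Volume Shadow Copies.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I),
    re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
]


def is_shadow_copy_deletion(command_line):
    return any(p.search(command_line) for p in SHADOW_DELETE_PATTERNS)


def scan_process_log(lines):
    """Return (timestamp, command) for each record that deletes shadow copies.

    Records are 'timestamp|image|command line', a constructed format standing
    in for a process-creation event export.
    """
    hits = []
    for line in lines:
        parts = line.split("|", 2)
        if len(parts) != 3:
            continue
        timestamp, _image, command = (p.strip() for p in parts)
        if is_shadow_copy_deletion(command):
            hits.append((timestamp, command))
    return hits


# Constructed sample log: two deletions, one benign listing, one unrelated.
SAMPLE_LOG = [
    "2016-10-22T09:14:03|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe Delete Shadows /All /Quiet",
    "2016-10-22T09:14:04|C:\\Windows\\System32\\wbem\\WMIC.exe|wmic shadowcopy delete",
    "2016-10-22T09:20:11|C:\\Windows\\System32\\vssadmin.exe|vssadmin list shadows",
    "2016-10-22T09:21:45|C:\\Windows\\explorer.exe|explorer.exe",
]

if __name__ == "__main__":
    for ts, cmd in scan_process_log(SAMPLE_LOG):
        print(f"{ts}  shadow copy deletion: {cmd}")
    print(encryption_layers("Q3-report.docx.locky.locked"))
```

The shadow-copy check is deliberately tolerant of case and of the `.exe` suffix, because the command line is attacker-controlled text; a listing (`vssadmin list shadows`) does not match, so an administrator's routine inventory does not fire the rule.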
Abrams, L. (2016, May 9). Locky Ransomware Information, Help Guide, and FAQ. Bleeping Computer. http://www.bleepingcomputer.com/virus-removal/locky-ransomware-information-help
Abrams, L. (2016, September 15). Stampado: Taking Ransomware Scumbaggery to the Next Level. Bleeping Computer. http://www.bleepingcomputer.com/news/security/stampado-taking-ransomware-scumbaggery-to-the-next-level/
Gillum, J., & Dishneau, D. (2016, March 29). FBI probing virus behind outage at MedStar Health facilities. AP. http://bigstory.ap.org/article/cf41601903fd4cc492718c12b01d9d1c/fbi-probing-virus-behind-outage-medstar-health-facilities
Giri, B. N., Jyoti, N., & AVERT, M. (2006). The Emergence of Ransomware. AVAR 2006.
Krebs, B. (2013, November 13). How To Avoid CryptoLocker Ransomware. Krebs on Security. http://krebsonsecurity.com/2013/11/how-to-avoid-cryptolocker-ransomware
Lennon, S. (2001, August). Backup Rotations - A Final Defense. SANS Institute.
Léveillé, M. (2014, December). TorrentLocker: Ransomware in a country near you. ESET. http://www.welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf
Oswald, E. (2006, July 24). Ransomware becoming a serious problem. BetaNews.
Spring, T. (2016, May 13). Cerber Ransomware on the Rise, Fueled by Dridex Botnets. ThreatPost. https://threatpost.com/cerber-ransomware-on-the-rise-fueled-by-dridex-botnets/118090/
Talos. (2016, April). Ransomware: Past, Present, and Future. Talos Blog. http://blog.talosintel.com/2016/04/ransomware.html
Tuesday, November 12, 2013
Fixing Internet Explorer
Ever get sick of Internet Explorer deciding it needs to run? Of Windows forcing a substandard (more like anti-standards, from a web standards point of view) browser on you?
Here at SecsAndCyber I have a solution for you! This one registry patch will solve all of your Internet Explorer issues in a single double-click (and the accompanying UAC prompt, if you have kept your system secure). I give you... FixIE.reg!
Enjoy!
Humor aside, the technique this joke relies on is a serious malware persistence mechanism: a registry entry that causes a different program to be launched whenever the named executable is run.
The fine authors over at Sysinternals, Mark Russinovich and Bryce Cogswell, have built detection of this into their Autoruns for Windows tool. The "Image Hijacks" tab lists executables that are being intercepted this way. Try it out and keep yourself safe!
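For readers who would rather audit a .reg file before double-clicking it, here is an added example (not the original FixIE.reg, and not Sysinternals code) that performs the same check as the Image Hijacks tab against an exported registry file. It assumes the joke file works through the Image File Execution Options mechanism: a subkey named after the target executable whose `Debugger` value points at another program, so Windows starts that program instead. The .reg text it parses is constructed; one entry is a hijack and the other is a legitimate IFEO setting that must not be flagged.

```python
"""Flag Image File Execution Options 'Debugger' hijacks in a .reg export.

Added example, not the original FixIE.reg and not Sysinternals code. It
assumes the joke works through an IFEO subkey named after the target
executable whose Debugger value points at another program. The .reg text
below is constructed for the example.
"""
import re

# Lower-cased tail of the IFEO key path, used to locate it under any hive.
IFEO_MARKER = "\\microsoft\\windows nt\\currentversion\\image file execution options\\"


def parse_reg(text):
    """Parse the string-value subset of .reg syntax into {key: {name: value}}."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        match = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if not match:
            continue  # default (@=) values are not needed for this check
        name, value = match.group(1), match.group(2)
        if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            # .reg escapes backslash and quote with a leading backslash
            value = re.sub(r"\\(.)", r"\1", value[1:-1])
        keys[current][name] = value
    return keys


def image_hijacks(keys):
    """Return (target_exe, debugger) pairs, the check Autoruns' Image Hijacks tab performs."""
    hits = []
    for path, values in keys.items():
        pos = path.lower().find(IFEO_MARKER)
        if pos == -1:
            continue
        target = path[pos + len(IFEO_MARKER):]
        if not target or "\\" in target:
            continue  # the IFEO key itself, or a nested subkey
        debugger = values.get("Debugger")
        if debugger:
            hits.append((target, debugger))
    return hits


# Constructed .reg: one hijack of iexplore.exe and one legitimate IFEO setting.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe]
"Debugger"="C:\\Windows\\System32\\notepad.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"DisableExceptionChainValidation"=dword:00000000
"""

if __name__ == "__main__":
    for target, debugger in image_hijacks(parse_reg(SAMPLE_REG)):
        print(f"{target} is hijacked: Debugger = {debugger}")
```

Only the `Debugger` value is treated as a hijack; other IFEO values are legitimate compatibility and debugging switches, which is why the `notepad.exe` entry above passes. The same function can be pointed at a full `reg export` of the key on a live machine.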
Thursday, September 19, 2013
Honeypots: When and when not
Under what conditions should you consider implementing a honeypot? And, under what conditions should you not operate a honeypot?
Honeypots make excellent research tools for tracking spam and worm propagation. Tang and Chen (2005) propose a worm detection strategy that uses two honeypots: one that receives traffic from the network, and a second that can receive traffic only from the first. They hypothesize, and then support, that such a setup can automate the detection and sample collection of even previously unknown worms. Because the only traffic that reaches the second machine was generated by malware running on the first, it is malicious by construction, and traffic signatures can be derived from it automatically.
One situation in which a honeypot should not be operated is where you are unable to control its outgoing packets. Since the purpose of the honeypot is to let attackers exploit it, the server can be repurposed as an attack platform if its egress is not controlled. Hallberg et al. (2009) describe how poorly protected honeypots pose a serious risk to your own network, and argue that the exposure is severe enough that a repurposed honeypot could make the operator liable for downstream damage launched from it.
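To make the double-honeypot idea concrete, here is an added example that is not from the original post and not Tang and Chen's code. It takes the payloads the second honeypot received from the first, which need no labelling because only malware on the first honeypot can have produced them, and extracts the longest byte string common to all of them. That is a deliberate simplification of the statistical signatures in the paper, chosen because it is easy to read; the payloads are constructed, with a fixed exploit body wrapped in per-instance noise, plus two ordinary requests the signature must not match.

```python
"""Derive a worm signature from double-honeypot traffic.

Added example, not from the original post or from Tang and Chen. The
longest byte string common to every captured payload stands in for the
statistical signatures in their paper. All payloads below are constructed.
"""


def derive_signature(payloads, min_len=16):
    """Longest substring present in every payload, or b'' if none reaches min_len."""
    if not payloads:
        return b""
    shortest = min(payloads, key=len)
    # Try the longest candidates first so the first hit is the longest common run.
    for size in range(len(shortest), min_len - 1, -1):
        for start in range(len(shortest) - size + 1):
            candidate = shortest[start:start + size]
            if all(candidate in p for p in payloads):
                return candidate
    return b""


def matches(signature, payload):
    """True when the derived signature appears in a new payload."""
    return bool(signature) and signature in payload


# Constructed exploit body shared by every instance of the worm: a NOP sled
# followed by a short execve("/bin//sh") stub, as bytes only.
EXPLOIT_CORE = (
    b"\x90" * 24
    + b"\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80"
)

# What honeypot 2 saw arriving from honeypot 1: same exploit, per-instance noise.
HONEYPOT2_CAPTURES = [
    b"GET /cgi-bin/a" + bytes([i]) * 3 + b" HTTP/1.0\r\nHost: victim" + str(i).encode()
    + b"\r\n" + EXPLOIT_CORE + b"\r\n\r\n" + bytes([0x41 + i]) * (4 + i)
    for i in range(4)
]

# Ordinary requests that must not match the derived signature.
BENIGN = [
    b"GET /index.html HTTP/1.0\r\nHost: www\r\n\r\n",
    b"GET /cgi-bin/status HTTP/1.1\r\nHost: www\r\nUser-Agent: curl\r\n\r\n",
]

if __name__ == "__main__":
    sig = derive_signature(HONEYPOT2_CAPTURES)
    print(f"signature ({len(sig)} bytes): {sig!r}")
    for p in HONEYPOT2_CAPTURES + BENIGN:
        print(matches(sig, p), p[:24])
```

The `min_len` floor matters: with too few captures the longest common run can be protocol boilerplate such as `HTTP/1.0`, which would match everything. The paper's statistical approach is more robust to polymorphic worms than this exact-substring stand-in, but the operational point is the same: the second honeypot's inbound traffic is a clean training set.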
Hallberg, C., Kabay, M. E., Robertson, B., & Hutt, A. E. (2009). Management Responsibilities and Liabilities. In Bosworth et al (Eds.), Computer security handbook. New York, NY: John Wiley & Sons, Inc.
Tang, Y., & Chen, S. (2005, March). Defending against internet worms: A signature-based approach. In INFOCOM 2005. 24th Annual Joint Conference of the IEEE Computer and Communications Societies. Proceedings IEEE (Vol. 2, pp. 1384-1394). IEEE.
Thursday, November 1, 2012
Mitigating an insider threat
Topic - One of the biggest risks that companies face is advanced persistent threats. Discuss the most effective way to implement policies that mitigate the chance of an insider either taking part in or facilitating an advanced persistent threat. Integrate the concept of separation of duties into your discussion.
Separation of duties requires limits on access and checks on actions. When one person oversees their own work, there is no oversight at all. Swanson and Guttman (1996, p. 27) state the goal as ensuring that "a single individual cannot subvert a critical process"; a failure to implement the principle leaves exactly that possibility open.
An insider who can avoid or compromise procedural safeguards has a great deal of power over any of the three major security properties: confidentiality, integrity, and availability. Kabay and Robertson (2002) recount the case of a disgruntled system administrator who resigned from UBS PaineWebber but, before leaving, released a logic bomb of his own creation. Because the malicious code deleted files and generally caused chaos on the network, it damaged both the integrity of the data and the availability of the systems it disrupted.
Such an attack could have been prevented outright had the saboteur's access been properly compartmentalized, with mandatory oversight. Denying him the ability both to write code and to release it onto production systems would have forced him to involve an accomplice or to steal credentials. Gregg et al. (2012) recommend not even having compilers available on production systems, which prevents native malware from being built there. This is far from a complete protection, because interpreted languages like Python, Perl, or Bash can be used to write malicious scripts directly on the live systems.
Gregg, J., Nam, M., Northcutt, S. & Pokladnik, M. (May 5th, 2012) Separation of Duties in Information Technology. Sans Security Laboratory. Retrieved from http://www.sans.edu/research/security-laboratory/article/it-separation-duties
Kabay, M. E. & Robertson, B. (2002). Employment Practices and Policies. In Bosworth et al (Eds.), Computer security handbook. New York, NY: John Wiley & Sons, Inc.
Swanson, M., & Guttman, B. (1996). Generally accepted principles and practices for securing information technology systems (pp. 800-14).
Mobile Device Impact on Network Analysis
Topic - As new technology becomes adopted by organizations, standards must also adapt to meet the change. Using mobile device technology as an example, discuss the differences that will need to be addressed for penetration testing. What about vulnerability assessments?
The changing landscape of mobile computing requires a reassessment of the potential access points into a network. Wireless access points were already dangerous, as they extended reach into your network beyond the relative safety of your walls. Connecting a mobile phone to the wireless network creates a direct bridge between that network and the Internet by way of the cellular data connection.
Such a bridge opens up new pathways, and expands existing ones, that penetration testing has to cover.
- New pathway: ARM malware. Mobile devices with ARM processors are miniature computers that cannot run the executable binaries built for traditional Intel-compatible x86 and x64 processors and desktop operating systems. Analyzing malware for them requires a toolset designed for mobile applications. Malware for the popular mobile operating systems, iOS and Android, is in the wild and on the rise (Schmidt et al., 2009).
- Expanded pathway: Social engineering. Because the mobile device doubles as a phone, three additional social engineering vectors open up.
- The most straightforward is simply asking an employee to make a call from their phone.
- Spear phishing via SMS can deliver links to malicious web servers. With the reduced character count there is less room to explain the link, which can leave users less suspicious of a terse message that is little more than a link.
- QR code exploits and links to malicious web servers. Because QR codes are opaque, a user does not know where one points until it is scanned. A malicious QR code sticker can be placed on any number of signs or objects where a target is likely to go (Kieseberg et al., 2010).
- Expanded pathway: Man in the middle. The phone's data connection to the cellular network can be attacked man-in-the-middle style by an actor impersonating a cellular base station (Meyer & Wetzel, 2004).
Vulnerability assessments are impacted because it becomes very difficult to inventory the systems on the network and assess their potential vulnerabilities if the network suddenly and unexpectedly stops being homogeneous (Bace, 2009). An easy example is a fully managed Windows domain. All of the expected systems run Windows 7, so the VA tools are configured to identify and scan Windows 7 systems. When an Android device connects, it changes the network's make-up. Now the VA tools either fail to identify all the devices or, worse, fail to find them at all if discovery is driven by reading the expected devices out of Active Directory.
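The inventory failure described above has a simple check: compare what the directory says exists with what is actually taking addresses on the wire. The following is an added example, not from the original post, that reconciles a constructed Active Directory computer list against a constructed DHCP lease table and reports every lease the directory does not account for, with a reason. The vendor prefix table is illustrative only; a real run would use the IEEE OUI registry.

```python
"""Reconcile a directory-driven asset list against what is actually on the wire.

Added example, not from the original post. The Active Directory export and
DHCP lease table are constructed; the vendor prefix table is illustrative.
"""

# Constructed: computer objects the VA tool would enumerate from Active Directory.
AD_COMPUTERS = ["WS-FIN-01.corp.example", "WS-FIN-02.corp.example", "WS-ENG-07.corp.example"]

# Constructed: current DHCP leases as (ip, mac, client-supplied hostname).
DHCP_LEASES = [
    ("10.10.20.11", "00:1a:7d:01:02:03", "WS-FIN-01"),
    ("10.10.20.12", "00:1a:7d:01:02:04", "ws-fin-02.corp.example"),
    ("10.10.20.57", "ac:de:48:00:11:22", "android-9f3b0c1a2d4e5f60"),
    ("10.10.20.58", "ac:de:48:00:11:23", ""),
    ("10.10.20.60", "00:1a:7d:01:02:09", "WS-ENG-07"),
]

# Illustrative OUI -> vendor table; constructed, replace with the IEEE registry.
OUI_VENDORS = {"00:1a:7d": "managed-laptop-vendor", "ac:de:48": "handset-vendor"}


def unmanaged_devices(ad_computers, dhcp_leases, oui_vendors=OUI_VENDORS):
    """Return leases whose host is not a known directory object, each with a reason.

    Hostnames are compared by their short name, case-insensitively, because
    DHCP clients may or may not send the DNS suffix.
    """
    managed = {name.split(".")[0].lower() for name in ad_computers}
    unknown = []
    for ip, mac, hostname in dhcp_leases:
        short = hostname.split(".")[0].lower()
        if short in managed:
            continue
        if not short:
            reason = "no hostname supplied"
        elif short.startswith("android-"):
            reason = "Android DHCP hostname pattern"
        else:
            reason = "hostname not in directory"
        vendor = oui_vendors.get(mac.lower()[:8], "unknown vendor")
        unknown.append({"ip": ip, "mac": mac, "hostname": hostname,
                        "vendor": vendor, "reason": reason})
    return unknown


if __name__ == "__main__":
    for device in unmanaged_devices(AD_COMPUTERS, DHCP_LEASES):
        print(f"{device['ip']:<14} {device['mac']}  {device['vendor']:<22} {device['reason']}")
```

Anything this returns is a host the directory-driven scan would have skipped entirely, which is the gap the paragraph describes; feeding these addresses to the VA tool as an explicit target list closes it.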
Bace, R.G. (2009). Vulnerability assessment. In Bosworth et al (Eds.), Computer security handbook. New York, NY: John Wiley & Sons, Inc.
Kieseberg, P., Leithner, M., Mulazzani, M., Munroe, L., Schrittwieser, S., Sinha, M., & Weippl, E. (2010, November). Qr code security. In Proceedings of the 8th International Conference on Advances in Mobile Computing and Multimedia (pp. 430-435). ACM.
Meyer, U., & Wetzel, S. (2004, October). A man-in-the-middle attack on UMTS. In Proceedings of the 3rd ACM workshop on Wireless security (pp. 90-97). ACM.
Schmidt, A. D., Schmidt, H. G., Batyuk, L., Clausen, J. H., Camtepe, S. A., Albayrak, S., & Yildizli, C. (2009, October). Smartphone malware evolution revisited: Android next target?. In Malicious and Unwanted Software (MALWARE), 2009 4th International Conference on (pp. 1-7). IEEE.
Friday, October 19, 2012
Think like a Hacker
As of the start of this blog, I am in my second course for my Masters of Science in Cybersecurity. This is an archived posting from the first course.
Topic – Think like a Hacker
Select an e-business. Thinking like a hacker, describe a hypothetical scenario on how you go about breaking into their system and acquire assets.
Next, describe how the attack could have been prevented.
From March 16, 2012.
I enjoy music, especially when I can get it cheap, like from iTunes or the Amazon Cloud.
First, I select a busy area with free Wi-Fi, like a Starbucks at lunch time (Starbucks, 2011). Next, I use a tool like Arpspoof to establish a man-in-the-middle position against each user on the network by pretending to be the network gateway (Arpspoof). I monitor traffic for email addresses, especially ones used as logins, and their associated passwords. Any email addresses I capture receive phishing emails with attached document exploits that install keyloggers calling back to a server I control. Any email and password pairs are tried against various services: a script tests each pair against numerous social networking sites like Facebook, MySpace, LinkedIn and others. Successful access is used to spread my keyloggers. I continue this pattern until I net a pair that logs into either iTunes or the Amazon Cloud. Once in, I download all the purchased music on the account, and if there is a balance on the account I buy digital goods with it and download those too. All direct access to the victim business is performed through a proxy, probably one of the machines I am keylogging.
This attacker would be considered a "script kiddie", since the attack requires little to no direct technical knowledge and can be carried out with tools downloaded off the Internet (Vacca, 2009, p. 296). Users can protect against it by not using unsecured wireless networks, especially public ones, and by not reusing passwords. The victim company can protect against it somewhat by not using email addresses as user names, which both Amazon and iTunes do. Anything further the company could do would interfere with the ease of use of the site, making users less likely to choose its service.
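The Arpspoof step in this scenario leaves a visible trace on the local network: the gateway's IP address starts being claimed by a second MAC address. Here is an added example, not from the original post, that parses tcpdump-style ARP reply lines and reports every address with conflicting claims, optionally narrowed to the gateway. The capture is constructed, showing the real gateway answering and then an impostor taking over.

```python
"""Detect gateway impersonation from ARP reply records.

Added example, not from the original post. It parses tcpdump-style ARP
reply lines (constructed below) and flags any IP address claimed by more
than one MAC address, which is what an Arpspoof session leaves behind.
"""
import re
from collections import defaultdict

# Matches tcpdump -n output such as:
# 12:01:03.100 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:55, length 28
ARP_REPLY = re.compile(
    r"^(?P<ts>\S+)\s+ARP, Reply (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) is-at "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.I,
)


def parse_arp_replies(lines):
    """Yield (timestamp, ip, mac) for each ARP reply line; other lines are skipped."""
    for line in lines:
        m = ARP_REPLY.match(line.strip())
        if m:
            yield m.group("ts"), m.group("ip"), m.group("mac").lower()


def detect_arp_conflicts(records, gateway_ip=None):
    """Return {ip: sorted MACs} for every IP claimed by more than one MAC.

    If gateway_ip is given, only conflicts on that address are reported.
    """
    claims = defaultdict(set)
    for _ts, ip, mac in records:
        claims[ip].add(mac)
    return {
        ip: sorted(macs)
        for ip, macs in claims.items()
        if len(macs) > 1 and (gateway_ip is None or ip == gateway_ip)
    }


# Constructed capture: the real gateway answers, then a second MAC starts claiming it.
SAMPLE_CAPTURE = [
    "12:01:03.100 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:55, length 28",
    "12:01:03.104 ARP, Reply 192.168.1.23 is-at aa:bb:cc:dd:ee:01, length 28",
    "12:01:09.880 ARP, Request who-has 192.168.1.1 tell 192.168.1.23, length 28",
    "12:01:10.002 ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:01, length 28",
    "12:01:10.010 ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:01, length 28",
]

if __name__ == "__main__":
    conflicts = detect_arp_conflicts(parse_arp_replies(SAMPLE_CAPTURE), gateway_ip="192.168.1.1")
    for ip, macs in conflicts.items():
        print(f"{ip} claimed by {', '.join(macs)}")
```

A conflict is not proof on its own, since a legitimately replaced router produces the same pattern once, but a gateway that flips between two MACs within seconds on a public hotspot is the signature of exactly the attack described above, and a client that sees it should treat the session as untrusted.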
Arpspoof retrieved from http://arpspoof.sourceforge.net/
Starbucks. (2011) Wi-Fi(United States) Retrieved from http://www.starbucks.com/coffeehouse/wireless-internet
Vacca, J. R. (2009). Computer and Information Security Handbook. Burlington, MA: Morgan Kaufmann.
Think like an Industrial Spy
As of the start of this blog, I am in my second course for my Masters of Science in Cybersecurity. This is an archived posting from the first course.
Topic – Think like an Industrial Spy
Select a company. Thinking like a industrial spy, describe a hypothetical scenario on how you go about attacking their system and acquiring intellectual property.
Next, describe how the attack could have been prevented.
From March 15, 2012.
Wanting to steal intellectual property, I would search for a high-gain, low-effort target. Small businesses that do R&D look like good candidates, since their business model relies on developing intellectual property yet they lack the staff and, most likely, the budget for extensive cybersecurity. To select a target, I read about the Small Business Innovation Research (SBIR) Program, through which the Small Business Administration provides grants to companies that are American-owned and independently operated, for-profit, employ their principal researcher, and have no more than 500 employees. Their criteria for awarding grants line up perfectly with my criteria for targets, and their list of recipients is public record (SBA).
I was able to find a list of the FY2011 SBIR awards made through the Environmental Protection Agency, broken down by environmental research category. I chose a company whose research category was Homeland Security, and so selected Operational Technologies Corporation of San Antonio, Texas (EPA, 2012).
To collect intellectual property I need access to their network. The first step after choosing the company is minor reconnaissance: looking over their website. There is a Contact Us page with names and direct email addresses for three employees, as well as a general information address. The named contacts are the best targets for a well-crafted phish, but the info address has the advantage that it is very unlikely to be opened outside the company network (OTCorp, 2008).
To gain access I would use Metasploit to craft malicious .doc and .pdf files carrying Poison Ivy RAT payloads (Vacca, 2009, p. 55). Once a document is opened on a vulnerable computer, the remote administration tool is dropped, executed, and calls back to a server I have set up. With that connection established, I can browse the internal network at my leisure using the full control of the compromised system that Poison Ivy gives me (Codius, 2007).
This attack could have been prevented by intensive scanning of emailed documents and by using workstations that are hard to target. The exploits I would be using target Microsoft Office and Adobe Reader on Windows; if alternative software like Foxit Reader and OpenOffice were used instead, those exploits would fail to land. Likewise, Linux or Mac workstations would have defeated the attack. Note that this is protection through diversity rather than hardening: the alternative readers have vulnerabilities of their own, and an attacker who did his reconnaissance would simply bring exploits for whatever the target actually runs.
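The "intensive scanning of emailed documents" above can start with something very cheap: before a PDF attachment reaches a mail client, look for the action and script markers that a benign business document rarely carries. The following is an added example, not from the original post and not a substitute for a real sandbox. It first resolves the `#xx` escapes PDF allows inside names, so an obfuscated `/Java#53cript` is seen as `/JavaScript`, then counts the risky names. Both PDFs are constructed, minimal, and exist only to exercise the check.

```python
"""Pre-screen a PDF attachment for the triggers document exploits rely on.

Added example, not from the original post. It decodes the #xx escapes PDF
allows in names, then counts action and script markers that a benign
business document rarely carries. Both PDFs below are constructed.
"""
import re

RISKY_NAMES = ("/JavaScript", "/JS", "/Launch", "/OpenAction", "/AA", "/EmbeddedFile", "/RichMedia")


def normalize_names(data):
    """Resolve PDF name escapes such as /Java#53cript -> /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)


def risky_markers(data):
    """Return {marker: count} for risky names.

    /ObjStm is reported too, as a visibility caveat: names hidden inside
    compressed object streams are invisible to this check until inflated.
    """
    text = normalize_names(data)
    counts = {}
    for name in RISKY_NAMES + ("/ObjStm",):
        # The lookahead keeps /JS from matching inside a longer name.
        n = len(re.findall(re.escape(name.encode()) + rb"(?![A-Za-z])", text))
        if n:
            counts[name] = n
    return counts


def should_quarantine(data):
    """True when any marker other than the /ObjStm caveat is present."""
    return any(k != "/ObjStm" for k in risky_markers(data))


# Constructed: a one-page document with no actions at all.
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed: the same document with an OpenAction running script,
# the action type obfuscated with a #xx escape.
MALICIOUS_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /S /Java#53cript /JS (app.alert) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for label, pdf in (("benign", BENIGN_PDF), ("malicious", MALICIOUS_PDF)):
        print(label, risky_markers(pdf), "quarantine" if should_quarantine(pdf) else "pass")
```

This is a triage filter, not a verdict: a real exploit document may compress its objects into `/ObjStm` streams, which is why that marker is surfaced separately, and the Office half of the attack needs a different parser entirely.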
Codius. (2007) Poison Ivy Remote Administration Tool Retrieved from http://www.poisonivy-rat.com/index.php?link=dev
EPA. (2012) Small Business Innovative Research:FY11 Awards: Full List Retrieved from http://cfpub.epa.gov/ncer_abstracts/index.cfm/fuseaction/outlinks.sbir/fullList/Yes/showYear/current
OTCorp. (2008) Contact Us Retrieved from http://www.otcorp.com/home/index.php?option=com_content&task=view&id=19&Itemid=34
SBA. Small Business Innovation Research Program Retrieved from http://www.sba.gov/content/small-business-innovation-research-program-sbir-0
Vacca, J. R. (2009). Computer and Information Security Handbook. Burlington, MA: Morgan Kaufmann.
Wednesday, October 3, 2012
Week 1 Graded submission, part 1
Topic - Many cyber security professionals believe the likely application of ‘cyber terrorism’ to be an asymmetric attack against some portion of this nation’s critical infrastructure. Which critical infrastructure do you think to be a likely target and why? Who should be responsible for protecting that infrastructure and why? Would this vary based on who the attacker is – if it is a state actor, a non-government organization, or an individual?
The electric grid is a very visible target and its loss is very noticeable. Just this past summer those of us in Maryland experienced a (natural) disruption to the grid: no air conditioning, no lights, no traffic lights (come on, Maryland: a dark traffic light means a four-way stop, not 'Ehmagawd!') and no refrigeration. Obviously an attack on the grid would be significant.
An attack on the grid is also possible, at least for well-funded shops that can afford the time and manpower to research industrial equipment. Critical infrastructure has been under assault since before late 2010, when Fleming (2010) reported on Stuxnet sabotaging Iranian centrifuges. The worm is reported to target Siemens SCADA (supervisory control and data acquisition) systems. A look at job postings for Baltimore Gas and Electric (BGE) shows that they use SCADA systems: "...integration of the various BGE Supervisory Control and Data Acquisition (SCADA) systems such..." (BGE, 2011). If Iranian SCADA systems are targetable, it stands to reason that our electric grid's are too.
Who should be responsible for protection is a complicated issue. As our utilities are run by private companies, the current responsibility falls to them to protect their own infrastructure, and they have an incentive to do so because it protects their investment and their profitability. On the other hand, a disruption of the electric grid may hurt the utility's bottom line, but it literally means life or death for the diabetic customer who needs to keep insulin refrigerated during a heat wave. When it comes to protecting the general populace from bodily injury and death, that responsibility falls to the government. Handing the security concerns to DHS, though, would be such a budgetary windfall to the utilities that the reasonable next step would be full government control over the utility in question, and that option is rarely considered a good idea by the US population.
Since an interruption of power would be so devastatingly disruptive, it would most definitely be a target for a military, or for a nation-state organization supporting one, as an immediate lead-up to kinetic action.
If the goal were simply human death, which is the likely goal of an infrastructure attack by an independent actor or organization, then [thoughts on a specific way that cyber mass murder could be possible]. If, as with Stuxnet, the compromise also falsified the monitoring reports, it would not be caught until the first few victims showed symptoms, far too late for many others (Fleming, 2010).
Matthew
BGE (June, 7 2011) BGE Job Descriptions. Retrieved 26 September 2012 from: http://www.bge.com/myaccount/billsrates/ratestariffs/Documents/BGEJobDescriptions.pdf
Fleming, R. (December 2, 2010). Bits before bombs: How Stuxnet crippled Iran’s nuclear dreams. Retrieved 26 September 2012 from: http://www.digitaltrends.com/computing/bits-before-bombs-how-stuxnet-crippled-irans-nuclear-dreams/
Tuesday, October 2, 2012
Choose your own fail
I find the "expert's feedback" extremely close-minded and wrong. My selection was the second option, which I felt was the best of three bad choices.
The feedback is “Not really. Launching malicious code is unethical and unlawful even if it does not cause any damage. It is still a breach of privacy and security.”
I interpreted "launching viruses or malicious code" as including its use by penetration testers and grey-hat researchers, who run malicious code against systems being tested for vulnerabilities or against systems set up for the purpose of being targeted. Malicious code may also be used by law enforcement agents acting under warrant.
The primary reason I selected that answer was process of elimination: I immediately excluded the "correct" answer, which the system called the third.
There is such extreme prejudice in that answer that there is no way I would ever select it. First, "malicious code" is too vague a term to support any absolute about the ethics of creating it. Coders can be malicious; code, especially its individual building blocks, is just a tool.
I have personally developed a background keystroke logger as an intellectual exercise. The experience was valuable and the knowledge gained is useful. I never deployed it, and the development was not unethical. The techniques I learned can now be used to develop legitimate, non-malicious tools, such as a system-wide hot-key tool like AutoHotkey. The same techniques and code blocks that would build a web-snooping implant can also build a parental monitoring tool. Anti-virus tools hook functions, inject DLLs, monitor network activity, use rootkit techniques, and the list goes on. Honestly, the only difference between an antivirus tool and malware is the method of delivery and the intentions of the distributor.