<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/">
	<channel>
		<title><![CDATA[Geeks for your information - G DATA Security Blog]]></title>
		<link>https://www.geeks.fyi/</link>
		<description><![CDATA[Geeks for your information - https://www.geeks.fyi]]></description>
		<pubDate>Thu, 11 Jun 2026 01:26:10 +0000</pubDate>
		<generator>MyBB</generator>
		<item>
			<title><![CDATA[An honest mistake - and a cautionary tale]]></title>
			<link>https://www.geeks.fyi/showthread.php?tid=20647</link>
			<pubDate>Thu, 27 Feb 2025 12:28:16 +0000</pubDate>
			<dc:creator><![CDATA[<a href="https://www.geeks.fyi/member.php?action=profile&uid=1295">jasonX</a>]]></dc:creator>
			<guid isPermaLink="false">https://www.geeks.fyi/showthread.php?tid=20647</guid>
			<description><![CDATA[<div style="text-align: center;" class="mycode_align"><span style="font-weight: bold;" class="mycode_b"><span style="font-size: x-large;" class="mycode_size"><span style="color: #0080ff;" class="mycode_color">An honest mistake - and a cautionary tale</span></span></span></div>
 <br />
<div style="text-align: center;" class="mycode_align">
<img src="https://i.imgur.com/jbBVXO9.jpeg" loading="lazy"  alt="[Image: jbBVXO9.jpeg]" class="mycode_img" /><br />
<br />
<br />
<br />
<span style="font-style: italic;" class="mycode_i">Never trust the judgment of a sandbox (sandbox analysis)...yes? no? G DATA Security Evangelist Tim Berghoff shares an explainer and caution below.</span> </div>
<br />
<blockquote class="mycode_quote"><cite>Quote:</cite>We all make mistakes. That is only natural. However, there are cases in which these mistakes can have unexpected consequences. A Twitter user recently found this out the hard way. The ingredients: a cheap USB-C adapter with a network connection, an internet connection and a sandbox.<br />
<br />
Sandboxes that automatically analyze files are good tools and aids that can help with malware analysis. However, they should be used with caution, as they often lead to false conclusions, as G DATA malware researcher Karsten Hahn knows. “Many of the criteria are not meaningful for laypersons and are sometimes even misleading,” he says.  <br />
<br />
This is exactly what happened in a recent case. According to a tweet, an inexpensive network adapter with a USB-C port contained malware. Attached: a link to a <a href="https://www.hybrid-analysis.com/sample/e3f57d5ebc882a0a0ca96f9ba244fe97fb1a02a3297335451b9c5091332fe359/6783acb889e814045f0a2da6" target="_blank" rel="noopener" class="mycode_url">sandbox analysis</a>.<br />
<br />
 <br />
<div style="text-align: center;" class="mycode_align">
<img src="https://i.imgur.com/79eOwC2.png" loading="lazy"  alt="[Image: 79eOwC2.png]" class="mycode_img" /></div>
<br />
<br />
The supposed malware find was announced on X (formerly Twitter). The original post is now protected, but can still be found online.<br />
<br />
<br />
<span style="font-weight: bold;" class="mycode_b">Foregone conclusion</span><br />
<br />
Anyone who only sees these results will potentially come to the conclusion that something is not right here and that the examined file is definitely harmful. The sandbox output is a frightening read. Various criteria are listed one after the other, sorted into categories such as “Suspicious” and “Malicious”.  <br />
Among other things, it is rated as “malicious” that the EXE file stored on the device contains a system driver and creates a process that is started in “sleep mode” (“suspended”). The sandbox also found signs that the application is specifically looking for signs that it is running on a virtual machine (VM) and is trying to hide from it.  <br />
<br />
The fact that the application file can delete files and update the user profile seems at least suspicious to the sandbox. It also senses attempts to prevent reverse engineering by the application also looking for debuggers. Other criteria follow, such as the ability to perform file system actions, such as creating and deleting folders, accessing the registry and much more.  <br />
<br />
 <br />
<div style="text-align: center;" class="mycode_align">
<img src="https://i.imgur.com/qghFxyH.png" loading="lazy"  alt="[Image: qghFxyH.png]" class="mycode_img" /></div>
<br />
<br />
Summary of the automated sandbox scan<br />
The author concludes that this is clearly malware. Anyone without the required specialist knowledge would - understandably so - come to the same conclusion. <br />
<br />
The only problem here is:  <br />
This conclusion is completely wrong. This is because criteria have been misinterpreted and not all of the criteria mentioned are suitable for making a statement about whether a file is harmless or malicious. <br />
<br />
 <br />
<div style="text-align: center;" class="mycode_align">
<img src="https://i.imgur.com/rnn75Xu.png" loading="lazy"  alt="[Image: rnn75Xu.png]" class="mycode_img" /></div>
<br />
<br />
<span style="font-weight: bold;" class="mycode_b">Context is king</span><br />
<br />
Data from a sandbox must always be embedded within an overall context. Without this context, it is easy to investigate in the wrong direction. This is why an automatic sandbox report is not a suitable replacement for a malware scanner. To illustrate why this is the case, here is a counter-example. Same sandbox, same procedure.  <br />
The uploaded file is a game called “Space Fighter Rebellion”. The version that was placed in the sandbox does not contain any malware and is definitely “clean”.  <br />
<br />
What we have here, however, paints a different picture: <br />
<br />
 <br />
<div style="text-align: center;" class="mycode_align">
<img src="https://i.imgur.com/J2Vy5Df.png" loading="lazy"  alt="[Image: J2Vy5Df.png]" class="mycode_img" /></div>
<br />
<br />
Without a deeper understanding and without further context, we could easily arrive at the conclusion that this is spyware that wants to spy on what we do on the computer. The fact that the program reads our mouse movements as well as our keystrokes would be typical of spyware with a keylogger function.  <br />
<br />
But if we remember that the file is a game, it may also become clear why keystrokes and mouse movements could be of interest to a program: Without them, you couldn't play the game at all. So we can see that not everything that looks suspicious at first glance actually is. Behind some sinister-sounding descriptions, there is potentially a completely normal and legitimate activity.  <br />
<br />
<span style="font-weight: bold;" class="mycode_b">What malware is (and isn't)</span><br />
<br />
Malware is also “just software” that performs a specific task on a system and uses the functions provided by the operating system to do so. This fact alone is not surprising - which is why it is important to carefully select the criteria that make a file appear malicious.    <br />
<br />
To put it in a more tangible example: Feeding a hypothetical alarm system for a house with criteria designed to indicate a burglar, such as “wears shoes”, “has a bag with them” or “has a woolly hat on” or “moves around the home after dark” would not be effective. These criteria would be too general and would apply to so many people with a legitimate reason to stay that this hypothetical system would be completely worthless. Of course, each of these criteria also applies to burglars - but also to very many people who are not burglars. For example, under the above conditions, the homeowner who comes home from work at 7pm on a bitterly cold winter evening and puts his bag down would be recognized as a burglar. <br />
<br />
Sandboxes often detect programs that create data backups as malicious and suspect that they are ransomware. This is because they have far-reaching system authorizations and therefore access rights to the file system. They contain encryption components and generate a great deal of file system activity - i.e. creating, moving, copying and deleting files. It is very easy to come to the wrong conclusion here if there is no context. <br />
<br />
 <br />
<div style="text-align: center;" class="mycode_align">
<img src="https://i.imgur.com/sDi5wJB.jpeg" loading="lazy"  alt="[Image: sDi5wJB.jpeg]" class="mycode_img" /></div>
<br />
<br />
<span style="font-weight: bold;" class="mycode_b">Fixation error</span><br />
<br />
This case has caused quite a stir, not least due to the current geopolitical situation. And as there have already been reports of devices from Asia being manipulated “ex works” in the past, it was reasonable to assume that this could be another such case. In addition, the person who first reported the alleged malware had no experience in the field of malware analysis. They relied on publicly available tools such as an online sandbox without being able to correctly classify their results.  <br />
<br />
Once again, an automated sandbox is not a malware scanner - nor does it claim to be. As a layperson, however, it is easy to draw the wrong conclusion. And where the results seem to speak such a clear language, people quickly stop looking for evidence or signs of other possible theories or even actively ignore them. After all, in their own perception, the result is already abundantly clear. Experts refer to this as a fixation error. <br />
<br />
<span style="font-style: italic;" class="mycode_i"><span style="font-weight: bold;" class="mycode_b">....Never trust the judgment of a sandbox....</span></span></blockquote>
<br />
<br />
<br />
<span style="font-weight: bold;" class="mycode_b"><a href="https://www.gdatasoftware.com/blog/2025/01/38129-usb-network-adapter-malware" target="_blank" rel="noopener" class="mycode_url">More information in full article HERE</a></span><br />
<br />
<br />
<span style="font-style: italic;" class="mycode_i"><span style="font-size: small;" class="mycode_size">Data and info derived/lifted from GDATA Security Blog with permission</span></span>]]></description>
			<content:encoded><![CDATA[<div style="text-align: center;" class="mycode_align"><span style="font-weight: bold;" class="mycode_b"><span style="font-size: x-large;" class="mycode_size"><span style="color: #0080ff;" class="mycode_color">An honest mistake - and a cautionary tale</span></span></span></div>
 <br />
<div style="text-align: center;" class="mycode_align">
<img src="https://i.imgur.com/jbBVXO9.jpeg" loading="lazy"  alt="[Image: jbBVXO9.jpeg]" class="mycode_img" /><br />
<br />
<br />
<br />
<span style="font-style: italic;" class="mycode_i">Never trust the judgment of a sandbox (sandbox analysis)...yes? no? G DATA Security Evangelist Tim Berghoff shares an explainer and caution below.</span> </div>
<br />
<blockquote class="mycode_quote"><cite>Quote:</cite>We all make mistakes. That is only natural. However, there are cases in which these mistakes can have unexpected consequences. A Twitter user recently found this out the hard way. The ingredients: a cheap USB-C adapter with a network connection, an internet connection and a sandbox.<br />
<br />
Sandboxes that automatically analyze files are good tools and aids that can help with malware analysis. However, they should be used with caution, as they often lead to false conclusions, as G DATA malware researcher Karsten Hahn knows. “Many of the criteria are not meaningful for laypersons and are sometimes even misleading,” he says.  <br />
<br />
This is exactly what happened in a recent case. According to a tweet, an inexpensive network adapter with a USB-C port contained malware. Attached: a link to a <a href="https://www.hybrid-analysis.com/sample/e3f57d5ebc882a0a0ca96f9ba244fe97fb1a02a3297335451b9c5091332fe359/6783acb889e814045f0a2da6" target="_blank" rel="noopener" class="mycode_url">sandbox analysis</a>.<br />
<br />
 <br />
<div style="text-align: center;" class="mycode_align">
<img src="https://i.imgur.com/79eOwC2.png" loading="lazy"  alt="[Image: 79eOwC2.png]" class="mycode_img" /></div>
<br />
<br />
The supposed malware find was announced on X (formerly Twitter). The original post is now protected, but can still be found online.<br />
<br />
<br />
<span style="font-weight: bold;" class="mycode_b">Foregone conclusion</span><br />
<br />
Anyone who only sees these results will potentially come to the conclusion that something is not right here and that the examined file is definitely harmful. The sandbox output is a frightening read. Various criteria are listed one after the other, sorted into categories such as “Suspicious” and “Malicious”.  <br />
Among other things, it is rated as “malicious” that the EXE file stored on the device contains a system driver and creates a process that is started in “sleep mode” (“suspended”). The sandbox also found signs that the application is specifically looking for signs that it is running on a virtual machine (VM) and is trying to hide from it.  <br />
<br />
The fact that the application file can delete files and update the user profile seems at least suspicious to the sandbox. It also senses attempts to prevent reverse engineering by the application also looking for debuggers. Other criteria follow, such as the ability to perform file system actions, such as creating and deleting folders, accessing the registry and much more.  <br />
<br />
 <br />
<div style="text-align: center;" class="mycode_align">
<img src="https://i.imgur.com/qghFxyH.png" loading="lazy"  alt="[Image: qghFxyH.png]" class="mycode_img" /></div>
<br />
<br />
Summary of the automated sandbox scan<br />
The author concludes that this is clearly malware. Anyone without the required specialist knowledge would - understandably so - come to the same conclusion. <br />
<br />
The only problem here is:  <br />
This conclusion is completely wrong. This is because criteria have been misinterpreted and not all of the criteria mentioned are suitable for making a statement about whether a file is harmless or malicious. <br />
<br />
 <br />
<div style="text-align: center;" class="mycode_align">
<img src="https://i.imgur.com/rnn75Xu.png" loading="lazy"  alt="[Image: rnn75Xu.png]" class="mycode_img" /></div>
<br />
<br />
<span style="font-weight: bold;" class="mycode_b">Context is king</span><br />
<br />
Data from a sandbox must always be embedded within an overall context. Without this context, it is easy to investigate in the wrong direction. This is why an automatic sandbox report is not a suitable replacement for a malware scanner. To illustrate why this is the case, here is a counter-example. Same sandbox, same procedure.  <br />
The uploaded file is a game called “Space Fighter Rebellion”. The version that was placed in the sandbox does not contain any malware and is definitely “clean”.  <br />
<br />
What we have here, however, paints a different picture: <br />
<br />
 <br />
<div style="text-align: center;" class="mycode_align">
<img src="https://i.imgur.com/J2Vy5Df.png" loading="lazy"  alt="[Image: J2Vy5Df.png]" class="mycode_img" /></div>
<br />
<br />
Without a deeper understanding and without further context, we could easily arrive at the conclusion that this is spyware that wants to spy on what we do on the computer. The fact that the program reads our mouse movements as well as our keystrokes would be typical of spyware with a keylogger function.  <br />
<br />
But if we remember that the file is a game, it may also become clear why keystrokes and mouse movements could be of interest to a program: Without them, you couldn't play the game at all. So we can see that not everything that looks suspicious at first glance actually is. Behind some sinister-sounding descriptions, there is potentially a completely normal and legitimate activity.  <br />
<br />
<span style="font-weight: bold;" class="mycode_b">What malware is (and isn't)</span><br />
<br />
Malware is also “just software” that performs a specific task on a system and uses the functions provided by the operating system to do so. This fact alone is not surprising - which is why it is important to carefully select the criteria that make a file appear malicious.    <br />
<br />
To put it in a more tangible example: Feeding a hypothetical alarm system for a house with criteria designed to indicate a burglar, such as “wears shoes”, “has a bag with them” or “has a woolly hat on” or “moves around the home after dark” would not be effective. These criteria would be too general and would apply to so many people with a legitimate reason to stay that this hypothetical system would be completely worthless. Of course, each of these criteria also applies to burglars - but also to very many people who are not burglars. For example, under the above conditions, the homeowner who comes home from work at 7pm on a bitterly cold winter evening and puts his bag down would be recognized as a burglar. <br />
<br />
Sandboxes often detect programs that create data backups as malicious and suspect that they are ransomware. This is because they have far-reaching system authorizations and therefore access rights to the file system. They contain encryption components and generate a great deal of file system activity - i.e. creating, moving, copying and deleting files. It is very easy to come to the wrong conclusion here if there is no context. <br />
<br />
 <br />
<div style="text-align: center;" class="mycode_align">
<img src="https://i.imgur.com/sDi5wJB.jpeg" loading="lazy"  alt="[Image: sDi5wJB.jpeg]" class="mycode_img" /></div>
<br />
<br />
<span style="font-weight: bold;" class="mycode_b">Fixation error</span><br />
<br />
This case has caused quite a stir, not least due to the current geopolitical situation. And as there have already been reports of devices from Asia being manipulated “ex works” in the past, it was reasonable to assume that this could be another such case. In addition, the person who first reported the alleged malware had no experience in the field of malware analysis. They relied on publicly available tools such as an online sandbox without being able to correctly classify their results.  <br />
<br />
Once again, an automated sandbox is not a malware scanner - nor does it claim to be. As a layperson, however, it is easy to draw the wrong conclusion. And where the results seem to speak such a clear language, people quickly stop looking for evidence or signs of other possible theories or even actively ignore them. After all, in their own perception, the result is already abundantly clear. Experts refer to this as a fixation error. <br />
<br />
<span style="font-style: italic;" class="mycode_i"><span style="font-weight: bold;" class="mycode_b">....Never trust the judgment of a sandbox....</span></span></blockquote>
<br />
<br />
<br />
<span style="font-weight: bold;" class="mycode_b"><a href="https://www.gdatasoftware.com/blog/2025/01/38129-usb-network-adapter-malware" target="_blank" rel="noopener" class="mycode_url">More information in full article HERE</a></span><br />
<br />
<br />
<span style="font-style: italic;" class="mycode_i"><span style="font-size: small;" class="mycode_size">Data and info derived/lifted from GDATA Security Blog with permission</span></span>]]></content:encoded>
		</item>
		<item>
			<title><![CDATA[Malware from fake recruiters]]></title>
			<link>https://www.geeks.fyi/showthread.php?tid=20646</link>
			<pubDate>Thu, 27 Feb 2025 12:23:01 +0000</pubDate>
			<dc:creator><![CDATA[<a href="https://www.geeks.fyi/member.php?action=profile&uid=1295">jasonX</a>]]></dc:creator>
			<guid isPermaLink="false">https://www.geeks.fyi/showthread.php?tid=20646</guid>
			<description><![CDATA[<div style="text-align: center;" class="mycode_align"><span style="font-weight: bold;" class="mycode_b"><span style="font-size: x-large;" class="mycode_size"><span style="color: #0080ff;" class="mycode_color">Malware from fake recruiters</span></span></span></div>
 <br />
<div style="text-align: center;" class="mycode_align">
<img src="https://i.imgur.com/6Sx1ai1.jpeg" loading="lazy"  alt="[Image: 6Sx1ai1.jpeg]" class="mycode_img" /><br />
<br />
<br />
<span style="font-style: italic;" class="mycode_i">Fake recruiters have been around on the hunt for possible identity theft and the like, but 'malware' being used to test a candidate's skills is a bit new. G DATA Security Evangelist Tim Berghoff shares this information below. </span></div>
<br />
<blockquote class="mycode_quote"><cite>Quote:</cite>Fake recruiters are currently on the hunt for CVs – and also your data. Reports have emerged about malware being put into work assignments that supposedly test a candidate’s technical skills.<br />
<br />
Recruiters are in a constant struggle to find matches for their job openings. Be it via classic job ads online, or via DM on platforms like LinkedIn.  <br />
<br />
We have <a href="https://www.reddit.com/r/computerviruses/comments/1ic0upa/recruiter_sended_a_private_repo_access/" target="_blank" rel="noopener" class="mycode_url">recently discovered a report by several users on Reddit</a> who say that they have been contacted by a recruiter and given a task to create a work sample. This practice is not uncommon, though it has been claimed in the past that some companies use this tactic to take advantage of applicants and get production work done for free. But on the whole, companies want to see that you are capable of doing what your resume says. This case, however, was interesting. From the fact that you are reading this post on the blog of a company that fights malware, you can probably guess where this is going. But let’s not get ahead of ourselves.  <br />
<br />
<span style="font-weight: bold;" class="mycode_b">Shady Repository, weird warnings</span><br />
<br />
<a href="https://www.reddit.com/r/computerviruses/comments/1ic0upa/recruiter_sended_a_private_repo_access/" target="_blank" rel="noopener" class="mycode_url">Reddit user huggesh_nair reported</a> that they were given access to a private repository on GitHub, where they were to download application data for the assignment. The installation failed, and subsequently the system asked permission to install a Python package (Python is a scripting language that is commonly used by developers to automate and facilitate certain tasks). Not recalling any reason why this should be happening, the user grew wary and turned to Reddit for advice. They were told that this seemed extremely suspicious, and that the best course of action was probably to reset the system. This was not bad advice, because it turns out that this assignment came with a little extra. <br />
<br />
Most prominently, there are a few heavily obfuscated scripts among the downloaded data from the repository. These, as it turns out, steal data from a variety of browsers. Session Tokens, stored password and crypto wallets are what those malicious scripts are after.  <br />
<br />
 <br />
<div style="text-align: center;" class="mycode_align">
<img src="https://i.imgur.com/d82qoRg.png" loading="lazy"  alt="[Image: d82qoRg.png]" class="mycode_img" /></div>
<br />
<br />
<br />
<span style="font-weight: bold;" class="mycode_b">A Familiar Tactic</span><br />
<br />
This tactic sounds familiar – stealing this type of data is pretty common and <a href="https://www.gdatasoftware.com/blog/2023/10/37814-meta-hijacked-malicious-ads" target="_blank" rel="noopener" class="mycode_url">we have seen cases that involved DMs on social media platforms</a> before. And those types of attacks cost victims not only their accounts, but potentially a whole lot of money. In the case of these fake job adverts / work samples or “technical tests”, as they are sometimes called, the job “applicant” (using inverted commas here because they technically did not apply for a job actively, but were contacted by a supposed “recruiter”) is expected to submit a CV. Again, common practice for any hiring process, and therefore not immediately suspicious. But in this case, a legitimate CV, where we can assume that the information is correct, complete and up to date, is being sent to a criminal organization. You can use your own imagination to think about what criminals can do with such information. One scenario that springs to mind is creating fake job applications for positions that involve remote work. This is something that has also happened before – <a href="https://www.epspros.com/news-resources/news/2024/north-korean-hackers-pose-as-american-job-applicants-to-infiltrate-companies.html" target="_blank" rel="noopener" class="mycode_url">North Korean actors have been known to successfully infiltrate companies</a>, posing as real applicants doing real work. And while some fake applications are easily spotted, AI technologies are being actively used to create very convincing fakes that even hold up to scrutiny during a video call.  <br />
<br />
<span style="font-weight: bold;" class="mycode_b">Who did it?</span><br />
<br />
As to who is behind these attacks – there is one theory going that the North Korea-based group Lazarus is behind this. That would make sense as this group has been known for siphoning off data from computers and draining bank accounts and crypto wallets in order to fill the coffers of the North Korean regime. It has been <a href="https://www.chainalysis.com/blog/crypto-hacking-stolen-funds-2025/" target="_blank" rel="noopener" class="mycode_url">estimated by Chainalysis</a> that North Korea has raked in over 1 billion USD from the theft of cryptocurrency alone.<br />
<br />
<span style="font-weight: bold;" class="mycode_b"><span style="font-style: italic;" class="mycode_i">How to protect yourself from criminals posing as recruiters?</span></span><br />
<br />
Read on below for the full article. </blockquote>
<br />
<br />
<span style="font-weight: bold;" class="mycode_b"><a href="https://www.gdatasoftware.com/blog/2025/02/38143-malware-fake-recruiters" target="_blank" rel="noopener" class="mycode_url">More information in HERE</a></span><br />
<br />
<br />
<span style="font-style: italic;" class="mycode_i"><span style="font-size: small;" class="mycode_size">Data and info derived/lifted from GDATA Security Blog with permission</span></span>]]></description>
			<content:encoded><![CDATA[<div style="text-align: center;" class="mycode_align"><span style="font-weight: bold;" class="mycode_b"><span style="font-size: x-large;" class="mycode_size"><span style="color: #0080ff;" class="mycode_color">Malware from fake recruiters</span></span></span></div>
 <br />
<div style="text-align: center;" class="mycode_align">
<img src="https://i.imgur.com/6Sx1ai1.jpeg" loading="lazy"  alt="[Image: 6Sx1ai1.jpeg]" class="mycode_img" /><br />
<br />
<br />
<span style="font-style: italic;" class="mycode_i">Fake recruiters have been around on the hunt for possible identity theft and the like, but 'malware' being used to test a candidate's skills is a bit new. G DATA Security Evangelist Tim Berghoff shares this information below. </span></div>
<br />
<blockquote class="mycode_quote"><cite>Quote:</cite>Fake recruiters are currently on the hunt for CVs – and also your data. Reports have emerged about malware being put into work assignments that supposedly test a candidate’s technical skills.<br />
<br />
Recruiters are in a constant struggle to find matches for their job openings. Be it via classic job ads online, or via DM on platforms like LinkedIn.  <br />
<br />
We have <a href="https://www.reddit.com/r/computerviruses/comments/1ic0upa/recruiter_sended_a_private_repo_access/" target="_blank" rel="noopener" class="mycode_url">recently discovered a report by several users on Reddit</a> who say that they have been contacted by a recruiter and given a task to create a work sample. This practice is not uncommon, though it has been claimed in the past that some companies use this tactic to take advantage of applicants and get production work done for free. But on the whole, companies want to see that you are capable of doing what your resume says. This case, however, was interesting. From the fact that you are reading this post on the blog of a company that fights malware, you can probably guess where this is going. But let’s not get ahead of ourselves.  <br />
<br />
<span style="font-weight: bold;" class="mycode_b">Shady Repository, weird warnings</span><br />
<br />
<a href="https://www.reddit.com/r/computerviruses/comments/1ic0upa/recruiter_sended_a_private_repo_access/" target="_blank" rel="noopener" class="mycode_url">Reddit user huggesh_nair reported</a> that they were given access to a private repository on GitHub, where they were to download application data for the assignment. The installation failed, and subsequently the system asked permission to install a Python package (Python is a scripting language that is commonly used by developers to automate and facilitate certain tasks). Not recalling any reason why this should be happening, the user grew wary and turned to Reddit for advice. They were told that this seemed extremely suspicious, and that the best course of action was probably to reset the system. This was not bad advice, because it turns out that this assignment came with a little extra. <br />
<br />
Most prominently, there are a few heavily obfuscated scripts among the downloaded data from the repository. These, as it turns out, steal data from a variety of browsers. Session Tokens, stored password and crypto wallets are what those malicious scripts are after.  <br />
<br />
 <br />
<div style="text-align: center;" class="mycode_align">
<img src="https://i.imgur.com/d82qoRg.png" loading="lazy"  alt="[Image: d82qoRg.png]" class="mycode_img" /></div>
<br />
<br />
<br />
<span style="font-weight: bold;" class="mycode_b">A Familiar Tactic</span><br />
<br />
This tactic sounds familiar – stealing this type of data is pretty common and <a href="https://www.gdatasoftware.com/blog/2023/10/37814-meta-hijacked-malicious-ads" target="_blank" rel="noopener" class="mycode_url">we have seen cases that involved DMs on social media platforms</a> before. And those types of attacks cost victims not only their accounts, but potentially a whole lot of money. In the case of these fake job adverts / work samples or “technical tests”, as they are sometimes called, the job “applicant” (using inverted commas here because they technically did not apply for a job actively, but were contacted by a supposed “recruiter”) is expected to submit a CV. Again, common practice for any hiring process, and therefore not immediately suspicious. But in this case, a legitimate CV, where we can assume that the information is correct, complete and up to date, is being sent to a criminal organization. You can use your own imagination to think about what criminals can do with such information. One scenario that springs to mind is creating fake job applications for positions that involve remote work. This is something that has also happened before – <a href="https://www.epspros.com/news-resources/news/2024/north-korean-hackers-pose-as-american-job-applicants-to-infiltrate-companies.html" target="_blank" rel="noopener" class="mycode_url">North Korean actors have been known to successfully infiltrate companies</a>, posing as real applicants doing real work. And while some fake applications are easily spotted, AI technologies are being actively used to create very convincing fakes that even hold up to scrutiny during a video call.  <br />
<br />
<span style="font-weight: bold;" class="mycode_b">Who did it?</span><br />
<br />
As to who is behind these attacks – there is one theory going that the North Korea-based group Lazarus is behind this. That would make sense as this group has been known for siphoning off data from computers and draining bank accounts and crypto wallets in order to fill the coffers of the North Korean regime. It has been <a href="https://www.chainalysis.com/blog/crypto-hacking-stolen-funds-2025/" target="_blank" rel="noopener" class="mycode_url">estimated by Chainalysis</a> that North Korea has raked in over 1 billion USD from the theft of cryptocurrency alone.<br />
<br />
<span style="font-weight: bold;" class="mycode_b"><span style="font-style: italic;" class="mycode_i">How to protect yourself from criminals posing as recruiters?</span></span><br />
<br />
Read on below for the full article. </blockquote>
<br />
<br />
<span style="font-weight: bold;" class="mycode_b"><a href="https://www.gdatasoftware.com/blog/2025/02/38143-malware-fake-recruiters" target="_blank" rel="noopener" class="mycode_url">More information in HERE</a></span><br />
<br />
<br />
<span style="font-style: italic;" class="mycode_i"><span style="font-size: small;" class="mycode_size">Data and info derived/lifted from GDATA Security Blog with permission</span></span>]]></content:encoded>
		</item>
		<item>
			<title><![CDATA[Virus Bulletin Conference #31: Is it "Fool Us”, or is it “Us Fools”?]]></title>
			<link>https://www.geeks.fyi/showthread.php?tid=16225</link>
			<pubDate>Sun, 03 Oct 2021 07:48:23 +0000</pubDate>
			<dc:creator><![CDATA[<a href="https://www.geeks.fyi/member.php?action=profile&uid=1322">harlan4096</a>]]></dc:creator>
			<guid isPermaLink="false">https://www.geeks.fyi/showthread.php?tid=16225</guid>
			<description><![CDATA[<blockquote class="mycode_quote"><cite>Quote:</cite><div style="text-align: center;" class="mycode_align"><img src="https://www.gdatasoftware.com/fileadmin/web/general/images/blog/2021/09/G_DATA_Blog_VB_RighardEddy_Header.jpg" loading="lazy"  alt="[Image: G_DATA_Blog_VB_RighardEddy_Header.jpg]" class="mycode_img" /></div>
<br />
<span style="font-style: italic;" class="mycode_i">The annual Virus Bulletin International Conference has been running since 1991 and is one of the highlights in the calendar of events for IT security experts. I attended the Virus Bulletin Conference for the first time 26 years ago, this year it’s time again to participate with an interesting paper and presentation.</span><br />
<br />
<span style="font-weight: bold;" class="mycode_b">My favourite conference</span><br />
<br />
For me the Virus Bulletin conference is one of the most important events of the year when it comes to threat intelligence and research for researchers, analysts, product managers and CISOs from all over the world. The VB Conference has always been the perfect match between networking, interesting talks and great content. If you have never attended it, try to watch the conference online this year, as it is a free event for the second time (due to Corona) and packed with a lot of special features. A lot of G DATA colleagues will of course be attending the event virtually this year. I will be presenting at this year’s virtual conference as well, and together with my good friends and fellow experts I have already reserved a semi-virtual (partly at my home, partly online) gala dining table, as always, on Thursday evening.<br />
<br />
This has always been my favourite conference to attend each year. The content is always good, the organization is one of the best and you always walk away with more knowledge than you had when you went in. I love how they bring deep technical talks for researchers but also offer useful information for enterprises. COVID restrictions notwithstanding, in the past you could always have deeper conversations with the best security experts in the world, making VB even more worthwhile attending.<br />
<br />
You probably noticed by now that I love this conference, which I’ve attended for the past 25 years. I wrote <a href="https://www.gdatasoftware.com/blog/2020/09/happy-birthday-virus-bulletin-conference" target="_blank" rel="noopener" class="mycode_url">a nice G DATA blog</a> about it last year, describing how I remember the beginnings of VB.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">Speaking and writing</span><br />
<br />
I spoke several times at this conference and wrote several whitepapers for it, like:<ul class="mycode_list"><li><a href="https://www.virusbulletin.com/conference/vb2005/abstracts/teach-your-children-well" target="_blank" rel="noopener" class="mycode_url">"Teach your children well (Paper)"</a>. Virus Bulletin Conference 2005 (co-authored by David Harley, Eddy Willems and Judith Harley).<br />
</li>
<li><a href="https://www.virusbulletin.com/conference/vb2010/abstracts/attacks-inside/" target="_blank" rel="noopener" class="mycode_url">"Attacks from the Inside (Paper)"</a>. Virus Bulletin Conference 2010 (co-authored by Eddy Willems and Righard Zwienenberg).<br />
</li>
<li><a href="https://www.virusbulletin.com/conference/vb2019/abstracts/oops-it-happened-again" target="_blank" rel="noopener" class="mycode_url">"Oops! It happened again! (Paper)"</a>. Virus Bulletin Conference 2019 (co-authored by Eddy Willems and Righard Zwienenberg).<br />
</li>
</ul>
Remember that it is fairly common in the security industry to work together on a whitepaper with several other researchers from other security companies or academia. Even though we all might work for different organizations, the security industry has always understood that sharing and pooling expertise is the best way forward for everyone involved.<br />
<br />
 <span style="font-weight: bold;" class="mycode_b">“Fool Us”, or is it “Us Fools!”?</span><br />
<br />
Eleven years ago, my good friend and veteran researcher Righard Zwienenberg and I gave a presentation titled “Attacks from the inside…” at the Virus Bulletin 2010 Conference in Vancouver. We outlined and provided examples of a variety of possible scenarios for internal attacks. We concluded with a top nine problems of “in-the-cloud services”. Now, 11 years later, both of us were surprised that our warnings seem to have been completely ignored, even though each and every one of our predictions had materialized.<br />
<br />
In this presentation, we will “relive” our 2010 presentation, while illustrating with recent examples that our message and warnings are as current and relevant as they were then. Nothing changed, except that internal attacks now also come from the outside!<br />
<br />
Due to the COVID-19 pandemic the corporate world changed, with “home office” meaning inside and outside becoming mixed. In a recent incident, eight of the top nine problems we identified 11 years ago were present, and all were foolishly ignored by professionals working from home. We considered naming the presentation “Attacks from the inside, by the outside…”, but as lessons learned and advice given in 2010 by “Us Fools!” seem to be ignored, must we assume that no one cares and really thinks “Fool Us!”?<br />
<br />
We genuinely hope that our message, combined with recent real-life examples, will not go unheeded (again). So if you want to hear and see more about the never ending inside attacks and cloud problems, this presentation is a must for you!<br />
<br />
Here’s the link to our presentation on the Virus Bulletin conference website (co-authored by Righard Zwienenberg (ESET) and Eddy Willems (G DATA)): <a href="https://vblocalhost.com/presentations/fool-us-or-is-it-us-fools-11-fools-years-later/" target="_blank" rel="noopener" class="mycode_url">“Fool Us”, or is it “Us Fools!”? … 11 “Fools” years later….</a><br />
<br />
After the presentation our paper and the video will become available online as well.<br />
<br />
You will be surprised ‘how’ we created the presentation, just watch! I really hope to be there next year ‘in real life’ again post-Corona.<br />
...</blockquote>
<a href="https://www.gdatasoftware.com/blog/2021/09/eddy-willems-vb2021" target="_blank" rel="noopener" class="mycode_url">Continue Reading</a>]]></description>
		</item>
		<item>
			<title><![CDATA[All your hashes are belong to us: An overview of malware hashing algorithms]]></title>
			<link>https://www.geeks.fyi/showthread.php?tid=16224</link>
			<pubDate>Sun, 03 Oct 2021 07:45:12 +0000</pubDate>
			<dc:creator><![CDATA[<a href="https://www.geeks.fyi/member.php?action=profile&uid=1322">harlan4096</a>]]></dc:creator>
			<guid isPermaLink="false">https://www.geeks.fyi/showthread.php?tid=16224</guid>
			<description><![CDATA[<blockquote class="mycode_quote"><cite>Quote:</cite><div style="text-align: center;" class="mycode_align"><img src="https://www.gdatasoftware.com/fileadmin/web/general/images/blog/2021/09/G_DATA_Blog_Hashes_Header.jpg" loading="lazy"  alt="[Image: G_DATA_Blog_Hashes_Header.jpg]" class="mycode_img" /></div>
<br />
<span style="font-style: italic;" class="mycode_i">VirusTotal's "Basic Properties" tab alone lists eight different hashes and supports even more to use them for queries and hunt signatures. Hashes are important for malware analysis, as well as identification, description and detection. But why do so many of them exist and when should you use which hash function?</span><br />
<br />
<span style="font-weight: bold;" class="mycode_b">Cryptographic hashes: MD5, SHA-1, SHA-256</span><br />
<br />
Cryptographic hashing algorithms are mathematical functions that produce an alphanumeric string that is unique for a specific file or data input, making it an unalterable identifier. Unlike encryption, cryptographic hashing is a one-way function and only works in one direction. It is designed to be practically infeasible to compute the original input based on the hash value alone. Even changing a single byte in the input will result in a different hash value. That way an adversary cannot see if their input sample is anywhere close to producing the desired hash value.<br />
<br />
All of these hashes have a fixed length. For the standard implementation of MD5 it is 128 bits (16 bytes), for SHA-1 160 bits (20 bytes) and for SHA256 the length is in the name: 256 bits (32 bytes).<br />
<br />
The main purposes of these hashes are identification and blocklisting of samples. Using them for blocklisting makes sense because an attacker will have difficulty designing malware with the same hash value as a clean file. They are ideal for identification because cryptographically secure hashes are meant to make collisions unlikely.<br />
<br />
MD5 and SHA-1 should not be used anymore because they have been broken [fisher20][kashyap06]. For MD5, e.g., people can create hash collisions in a way that allows control over the content [kashyap06]. But both are still sometimes used in hash listings of malware articles, and some detection technologies might still work with MD5 hashes because computing them is fast and the values don't need much storage space. Therefore it is an important and common search option for sample databases.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">Fuzzy Hashes: dcfldd, ssdeep, TLSH, mvHash-B</span><br />
<br />
Fuzzy hashes are also called Similarity Preserving Hash Functions (SPHF). Unlike cryptographic hashes their goal is to provide a comparison or similarity measure. Fuzzy hash functions are further categorized into four types [p.1, martinez14]:<ul class="mycode_list"><li>Block-Based Hashing (BHB), e.g., the program <a href="http://dcfldd.sourceforge.net/" target="_blank" rel="noopener" class="mycode_url">dcfldd by Harbour</a> creates hash values via BHB<br />
</li>
<li>Context-Triggered Piecewise Hashing (CTPH), of which the most popular example is ssdeep<br />
</li>
<li>Statistically-Improbable Features (SIF), e.g., sdhash<br />
</li>
<li>Block-Based Rebuilding (BBR), e.g., mvHash-B<br />
</li>
</ul>
<span style="font-weight: bold;" class="mycode_b">BHB</span> creates a hash for every fixed-size block of the input data. The larger the input data, the longer the resulting hash value will be. A similarity is determined by counting all blocks with the same hash value. BHB is used in forensics (dcfldd is a forensics tool) but not so much for sample analysis. This may be because the arbitrary and potentially large size of the hash value makes it impractical for signatures and storage.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">CTPH</span> uses trigger points instead of fixed-size blocks. Every time a specific trigger point hits, the algorithm calculates a hash value of the current chunk of data. The conditions for the trigger points are chosen in such a way that the final hash value doesn't grow arbitrarily in size with increased input data size. E.g., ssdeep has a desired number of 64 chunks per input file, so the trigger point is dependent on the size of the input data. To compare two files, ssdeep uses an edit distance algorithm: the more steps it takes to transform one ssdeep hash value into the other, the less similar the files are.<br />
<br />
The development of ssdeep was a milestone at the time. New hashing algorithms which improve certain aspects of ssdeep have been created since. E.g., SimFD has a better false positive rate and MRSH improved security aspects of ssdeep [breitinger13]. The <a href="https://ssdeep-project.github.io/ssdeep/index.html" target="_blank" rel="noopener" class="mycode_url">author's website</a> states that ssdeep is still often preferred due to its speed (e.g., compared to TLSH) and it is the "de facto standard" for fuzzy hashing algorithms used for malware samples and their classification. Sample databases like VirusTotal and Malwarebazaar support it.<br />
<br />
TLSH stands for Trend-Micro Locality Sensitive Hash, which was published in a paper in 2013 [oliver13]. According to their paper TLSH has better accuracy than ssdeep when classifying malware samples [p.12, oliver13]. Just like ssdeep it is a CTPH. TLSH is supported by VirusTotal.<br />
<br />
The idea of <span style="font-weight: bold;" class="mycode_b">SIF</span> hashing is to find features of a file that are unlikely to be present by chance and compare those features to other files. Sdhash uses entropy calculation to pick the relevant features and then creates the hash value based on them. That also means sdhash cannot fully cover a file, and modifications to a file may not influence the hash value at all if they are not part of a statistically-improbable feature. Sdhash shows better accuracy than ssdeep when classifying malware samples [p.12, oliver13][roussev11]. However, its strong suit is the detection of fragments and not the comparison of files [p.8, breitinger12].<br />
<br />
<span style="font-weight: bold;" class="mycode_b">BBR</span> uses auxiliary data to rebuild a file. mvHash-B for instance maps every byte of the input file to either 0xFF or 0x00 by comparing it to its neighbors via a majority voting. If most of the neighbors are 1, the byte becomes 0xFF, otherwise 0x00. Afterwards the byte sequences are compressed to form a hash value.<br />
<br />
Other examples are the algorithms discussed in the section <a href="https://www.gdatasoftware.com/blog/2021/09/an-overview-of-malware-hashing-algorithms#c217901" target="_blank" rel="noopener" class="mycode_url">Image similarity: aHash, pHash, dHash</a><br />
...</blockquote>
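As an added illustration (not code from the G DATA article, from ssdeep or from any other tool it names), the following Python sketch contrasts the hash families the quoted article describes on a constructed 4 KiB sample: SHA-256 changes completely after a ten-byte patch, block-based hashing (BHB) still matches 63 of 64 blocks, and a simplified context-triggered piecewise hash (CTPH) with ssdeep-style block-size selection and edit-distance scoring still rates the patched file as similar while an unrelated file scores low. The rolling-sum trigger, the FNV-1a chunk hash and the 0..100 score are simplifications chosen here, not ssdeep's actual internals.

```python
"""Constructed illustration of cryptographic, block-based (BHB) and
context-triggered piecewise (CTPH) hashing. Not ssdeep, not G DATA code."""
import hashlib
import random

B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
FNV_OFFSET, FNV_PRIME = 0x811C9DC5, 0x01000193  # FNV-1a 32-bit constants


def sha256_hex(data: bytes) -> str:
    """Cryptographic hash: a single changed byte gives an unrelated digest."""
    return hashlib.sha256(data).hexdigest()


def bhb(data: bytes, block_size: int = 64) -> list:
    """Block-Based Hashing: one truncated hash per fixed-size block, so the
    signature grows linearly with the input size."""
    return [hashlib.sha256(data[i:i + block_size]).hexdigest()[:8]
            for i in range(0, len(data), block_size)]


def bhb_similarity(sig_a: list, sig_b: list) -> float:
    """Share of blocks of sig_a whose block hash also occurs in sig_b."""
    if not sig_a:
        return 0.0
    present = set(sig_b)
    return sum(1 for h in sig_a if h in present) / len(sig_a)


def ctph_block_size(length: int, spacing: int = 64, min_bs: int = 3) -> int:
    """Trigger modulus chosen so that the signature has about `spacing`
    chunks whatever the input size (ssdeep starts at 3 and doubles)."""
    bs = min_bs
    while bs * spacing < length:
        bs *= 2
    return bs


def ctph(data: bytes, window: int = 7) -> str:
    """Simplified CTPH: a rolling sum over the last `window` bytes decides
    the trigger points; each chunk between triggers becomes one base64
    character taken from an FNV-1a hash of that chunk's bytes."""
    bs = ctph_block_size(len(data))
    sig, chunk_hash, rolling, pending = [], FNV_OFFSET, 0, False
    for i, byte in enumerate(data):
        chunk_hash = ((chunk_hash ^ byte) * FNV_PRIME) & 0xFFFFFFFF
        pending = True
        rolling += byte
        if i >= window:
            rolling -= data[i - window]
        if rolling % bs == bs - 1:        # trigger: close the current chunk
            sig.append(B64[chunk_hash & 63])
            chunk_hash, pending = FNV_OFFSET, False
    if pending:                           # trailing chunk without a trigger
        sig.append(B64[chunk_hash & 63])
    return f"{bs}:{''.join(sig)}"


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def ctph_score(sig_a: str, sig_b: str) -> int:
    """0..100: the more edit steps between the signatures, the less similar
    the inputs. Signatures are only comparable at the same block size."""
    bs_a, body_a = sig_a.split(":", 1)
    bs_b, body_b = sig_b.split(":", 1)
    longest = max(len(body_a), len(body_b))
    if bs_a != bs_b or longest == 0:
        return 0
    return round(100 * (1 - levenshtein(body_a, body_b) / longest))


def sample_file(seed: int, size: int = 4096) -> bytes:
    """Constructed pseudo-random file content, deterministic per seed."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(size))


def patched(data: bytes, offset: int = 2000, length: int = 10) -> bytes:
    """The same file with a short run of bytes inverted (a small edit)."""
    flipped = bytes(b ^ 0xFF for b in data[offset:offset + length])
    return data[:offset] + flipped + data[offset + length:]


def demo() -> dict:
    """Compare an original, a lightly patched copy and an unrelated file."""
    original, unrelated = sample_file(1), sample_file(2)
    modified = patched(original)
    return {
        "sha256_changed": sha256_hex(original) != sha256_hex(modified),
        "bhb_similarity": bhb_similarity(bhb(original), bhb(modified)),
        "ctph_patched": ctph_score(ctph(original), ctph(modified)),
        "ctph_unrelated": ctph_score(ctph(original), ctph(unrelated)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```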
<a href="https://www.gdatasoftware.com/blog/2021/09/an-overview-of-malware-hashing-algorithms" target="_blank" rel="noopener" class="mycode_url">Continue Reading</a>]]></description>
		</item>
		<item>
			<title><![CDATA[Web shells: How can we get rid of them and why law enforcement is not really the answ]]></title>
			<link>https://www.geeks.fyi/showthread.php?tid=15628</link>
			<pubDate>Thu, 15 Jul 2021 08:03:22 +0000</pubDate>
			<dc:creator><![CDATA[<a href="https://www.geeks.fyi/member.php?action=profile&uid=1322">harlan4096</a>]]></dc:creator>
			<guid isPermaLink="false">https://www.geeks.fyi/showthread.php?tid=15628</guid>
			<description><![CDATA[<blockquote class="mycode_quote"><cite>Quote:</cite><div style="text-align: center;" class="mycode_align"><img src="https://www.gdatasoftware.com/fileadmin/web/general/images/blog/2021/06/G_DATA_Blog_WebShell_Header.jpg" loading="lazy"  alt="[Image: G_DATA_Blog_WebShell_Header.jpg]" class="mycode_img" /></div>
<br />
<span style="font-style: italic;" class="mycode_i">Microsoft has recently seen many attacks by hackers using so-called web shells. The number of web shell attacks between August 2020 and January 2021 doubled compared to the same period a year earlier. But what are they exactly and how can you fight them?</span><br />
<br />
<a href="https://www.microsoft.com/security/blog/2021/02/11/web-shell-attacks-continue-to-rise/" target="_blank" rel="noopener" class="mycode_url">Microsoft</a> recorded a total of 144,000 web shell attacks between August 2020 and January 2021. Web shells are very light programmes (scripts) that hackers install to either attack affected websites or web-facing services or prepare a future attack. A web shell allows hackers to execute standard commands on web servers that have been compromised. Web shells use code such as PHP, JSP or ASP for this purpose.<br />
<br />
When the web shells are successfully installed, the hackers are able to execute the same commands as the administrators of the website can. They can also execute commands that steal data, install malicious code and provide system information that allows hackers to penetrate deeper into networks.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">Difficult to discover</span><br />
<br />
Web shells are also a permanent form of a 'backdoor' that continues to affect compromised servers. They are notoriously difficult to discover, partly because they have different ways of executing commands. Hackers also hide these commands in user agent strings and parameters that are exchanged between attackers and the attacked websites. Furthermore, web shells can be piled up in media files or other non-executable file formats.<br />
<br />
To find out if web shells are present on a server, there are some indicators which might help you: unknown connections in the logs of the server, abnormally high server usage, files with an abnormal timestamp and a lot of other indications. But even with these indicators it remains very difficult to discover them.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">Tips for fighting web shell attacks</span><br />
<br />
To combat attacks using web shells, there are a number of possible solutions. These include discovering these programs by identifying and resolving vulnerabilities and misconfigurations in web applications and web servers through the use of threat and vulnerability management.<br />
<br />
In addition, attacks can be prevented by proper segmentation of the perimeter network, so that attacked web servers do not cause further damage in networks. Furthermore, companies must always install antivirus protection on the servers as this can prevent the malware from being installed on the machines. We have already been made aware of cases where only email protection was in place on these servers. Those of course offer no protection against malware on the actual server or against certain types of targeted attacks.<br />
<br />
Furthermore, companies should audit and view the logs of their web servers more frequently. This will give them more awareness of which systems might be exposed to the Internet.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">Law enforcement to the rescue?</span><br />
<br />
During the <a href="https://www.gdatasoftware.com/blog/hafnium-spying-on-your-exchange-server" target="_blank" rel="noopener" class="mycode_url">Hafnium attack</a> and recent other MS Exchange attacks among other things, web shells were used to install ransomware on the compromised servers and to steal data. Now suddenly the FBI took some action by itself. A couple of weeks ago, the American investigation service announced that it had removed web shells from hundreds of compromised servers via <a href="https://www.justice.gov/usao-sdtx/pr/justice-department-announces-court-authorized-effort-disrupt-exploitation-microsoft" target="_blank" rel="noopener" class="mycode_url">a court order</a>. The removed web shells belonged to a group that took advantage of Exchange vulnerabilities at an early stage to gain access to the networks of US organizations and companies. These web shells each had a unique path and file name, making it potentially more difficult for the server owners to find and remove them.<br />
<br />
In this initiative, spearheaded by the FBI, hundreds of Microsoft Exchange servers infected with malware in the United States were cleaned up. However, the fact that affected organizations were only made aware of this after the fact has garnered mixed reactions from security experts and security companies.<br />
<br />
"The FBI is breaking into American computers to remove malware - and is breaking the law to do so," said whistleblower Edward Snowden. Experts told <a href="https://www.securityweek.com/industry-reactions-fbi-cleaning-hacked-exchange-servers-feedback-friday" target="_blank" rel="noopener" class="mycode_url">SecurityWeek</a> that the action sets a dangerous precedent of giving law enforcement agencies broad permission to break into computers suspected of being compromised. However, there are also experts who agree with the FBI's action, as it protects companies with possibly no good technical background.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">Questionable helpfulness</span><br />
<br />
A security researcher with the alias <a href="https://twitter.com/thegrugq" target="_blank" rel="noopener" class="mycode_url">The Grugq</a> states in a reaction that the infected Exchange servers that have been cleaned up will probably be compromised again. There are also legal questions about the method being used. "This warrant is a very powerful and potentially dangerous tool that gives the government permission to access the computers of innocent people to delete files without notice," Kurt Opsahl of the US civil rights movement EFF told The Washington Post.<br />
<br />
While there are a lot of doubts if this action was ethically reasonable in this case, the good news is that the FBI at least is informing all owners and administrators of the servers from which it has removed the web shells. If the contact details are public, the US investigation service sent an e-mail. If the contact details are not known, the FBI informed the provider of the owner concerned, who in turn alerted the infected and cleaned-up client. The question remains if an action like this would have been possible in the EU.<br />
<br />
Of course, although the web shells have been successfully removed, the underlying vulnerabilities in the Exchange server have not been patched. It is also possible that other malware is still present on the system. Companies should definitely double check their servers for malware. The fact that the FBI has removed one particular thing from a compromised system does not constitute a clean bill of health for the machine in question.<br />
 <br />
<span style="font-weight: bold;" class="mycode_b">An ethical dilemma</span><br />
<br />
The affair leaves one uncomfortable question lingering, which goes back to Mr Opsahl’s statement: If law enforcement is allowed to step in and make changes to a system, doesn’t this leave open a lot of potentially undesirable options? Could this be a precedent to issuing carte blanche to any and all investigators to just go and gather supposed evidence in a “no holds barred” way, even if no crime has been committed? Or worse, surreptitiously plant evidence there? This is a dangerous path to go down. There is lots of potential for irreparable damage, not only to the data that companies handle and that they were entrusted with, but also the trust of people in the authorities, which in some areas is not great to begin with.<br />
<br />
This move forward could not have come at a worse time. Germany, always a stalwart defender of privacy, has just greenlit a new piece of national law that would force providers to assist law enforcement in planting surveillance software on a suspect’s devices, even if no crime may have been committed (yet). All opposition and well-founded criticism was shot down; drafts were submitted with only days to examine and provide feedback. This will no doubt have a signaling effect.<br />
...</blockquote>
<a href="https://www.gdatasoftware.com/blog/webshells" target="_blank" rel="noopener" class="mycode_url">Continue Reading</a>]]></description>
			<content:encoded><![CDATA[<blockquote class="mycode_quote"><cite>Quote:</cite><div style="text-align: center;" class="mycode_align"><img src="https://www.gdatasoftware.com/fileadmin/web/general/images/blog/2021/06/G_DATA_Blog_WebShell_Header.jpg" loading="lazy"  alt="[Image: G_DATA_Blog_WebShell_Header.jpg]" class="mycode_img" /></div>
<br />
<span style="font-style: italic;" class="mycode_i">Microsoft has recently seen many attacks by hackers using so-called web shells. The number of web shell attacks between August 2020 and January 2021 doubled compared to the same period a year earlier. But what are they exactly and how can you fight them?</span><br />
<br />
<a href="https://www.microsoft.com/security/blog/2021/02/11/web-shell-attacks-continue-to-rise/" target="_blank" rel="noopener" class="mycode_url">Microsoft</a> recorded a total of 144,000 web shell attacks between August 2020 and January 2021. Web shells are very light programmes (scripts) that hackers install to either attack affected websites or web-facing services or prepare a future attack. A web shell allows hackers to execute standard commands on web servers that have been compromised. Web shells use code such as PHP, JSP or ASP for this purpose.<br />
<br />
When the web shells are successfully installed, the hackers are able to execute the same commands as the administrators of the website can. They can also execute commands that steal data, install malicious code and provide system information that allows hackers to penetrate deeper into networks.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">Difficult to discover</span><br />
<br />
Web shells are also a permanent form of a 'backdoor' that continues to affect compromised servers. They are notoriously difficult to discover, partly because they have different ways of executing commands. Hackers also hide these commands in user agent strings and parameters that are exchanged between attackers and the attacked websites. Furthermore, web shells can be piled up in media files or other non-executable file formats.<br />
<br />
To find out if web shells are present on a server, there are some indicators which might help you: unknown connections in the logs of the server, abnormally high server usage, files with an abnormal timestamp and a lot of other indications. But even with these indicators it remains very difficult to discover them.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">Tips for fighting web shell attacks</span><br />
<br />
To combat attacks using web shells, there are a number of possible solutions. These include discovering these programs by identifying and resolving vulnerabilities and misconfigurations in web applications and web servers through the use of threat and vulnerability management.<br />
<br />
In addition, attacks can be prevented by proper segmentation of the perimeter network, so that attacked web servers do not cause further damage in networks. Furthermore, companies must always install antivirus protection on the servers as this can prevent the malware from being installed on the machines. We have already been made aware of cases where only email protection was in place on these servers. Those of course offer no protection against malware on the actual server or against certain types of targeted attacks.<br />
<br />
Furthermore, companies should audit and view the logs of their web servers more frequently. This will give them more awareness of which systems might be exposed to the Internet.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">Law enforcement to the rescue?</span><br />
<br />
During the <a href="https://www.gdatasoftware.com/blog/hafnium-spying-on-your-exchange-server" target="_blank" rel="noopener" class="mycode_url">Hafnium attack</a> and recent other MS Exchange attacks among other things, web shells were used to install ransomware on the compromised servers and to steal data. Now suddenly the FBI took some action by itself. A couple of weeks ago, the American investigation service announced that it had removed web shells from hundreds of compromised servers via <a href="https://www.justice.gov/usao-sdtx/pr/justice-department-announces-court-authorized-effort-disrupt-exploitation-microsoft" target="_blank" rel="noopener" class="mycode_url">a court order</a>. The removed web shells belonged to a group that took advantage of Exchange vulnerabilities at an early stage to gain access to the networks of US organizations and companies. These web shells each had a unique path and file name, making it potentially more difficult for the server owners to find and remove them.<br />
<br />
In this initiative, spearheaded by the FBI, hundreds of Microsoft Exchange servers infected with malware in the United States were cleaned up. However, the fact that affected organizations were only made aware of this after the fact has garnered mixed reactions from security experts and security companies.<br />
<br />
"The FBI is breaking into American computers to remove malware - and is breaking the law to do so," said whistleblower Edward Snowden. Experts told <a href="https://www.securityweek.com/industry-reactions-fbi-cleaning-hacked-exchange-servers-feedback-friday" target="_blank" rel="noopener" class="mycode_url">SecurityWeek</a> that the action sets a dangerous precedent of giving law enforcement agencies broad permission to break into computers suspected of being compromised. However, there are also experts who agree with the FBI's action, as it protects companies with possibly no good technical background.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">Questionable helpfulness</span><br />
<br />
A security researcher with the alias <a href="https://twitter.com/thegrugq" target="_blank" rel="noopener" class="mycode_url">The Grugq</a> states in a reaction that the infected Exchange servers that have been cleaned up will probably be compromised again. There are also legal questions about the method being used. "This warrant is a very powerful and potentially dangerous tool that gives the government permission to access the computers of innocent people to delete files without notice," Kurt Opsahl of the US civil rights movement EFF told The Washington Post.<br />
<br />
While there are a lot of doubts if this action was ethically reasonable in this case, the good news is that the FBI at least is informing all owners and administrators of the servers from which it has removed the web shells. If the contact details are public, the US investigation service sent an e-mail. If the contact details are not known, the FBI informed the provider of the owner concerned, who in turn alerted the infected and cleaned-up client. The question remains if an action like this would have been possible in the EU.<br />
<br />
Of course, although the web shells have been successfully removed, the underlying vulnerabilities in the Exchange server have not been patched. It is also possible that other malware is still present on the system. Companies should definitely double check their servers for malware. The fact that the FBI has removed one particular thing from a compromised system does not constitute a clean bill of health for the machine in question.<br />
 <br />
<span style="font-weight: bold;" class="mycode_b">An ethical dilemma</span><br />
<br />
The affair leaves one uncomfortable question lingering, which goes back to Mr Opsahl’s statement: If law enforcement is allowed to step in and make changes to a system, doesn’t this leave open a lot of potentially undesirable options? Could this be a precedent to issuing carte blanche to any and all investigators to just go and gather supposed evidence in a “no holds barred” way, even if no crime has been committed? Or worse, surreptitiously plant evidence there? This is a dangerous path to go down. There is lots of potential for irreparable damage, not only to the data that companies handle and that they were entrusted with, but also the trust of people in the authorities, which in some areas is not great to begin with.<br />
<br />
This move forward could not have come at a worse time. Germany, always a stalwart defender of privacy, has just greenlit a new piece of national law that would force providers to assist law enforcement in planting surveillance software on a suspect’s devices, even if no crime may have been committed (yet). All opposition and well-founded criticism was shot down; drafts were submitted with only days to examine and provide feedback. This will no doubt have a signaling effect.<br />
...</blockquote>
<a href="https://www.gdatasoftware.com/blog/webshells" target="_blank" rel="noopener" class="mycode_url">Continue Reading</a>]]></content:encoded>
		</item>
		<item>
			<title><![CDATA[Microsoft signed a malicious Netfilter rootkit]]></title>
			<link>https://www.geeks.fyi/showthread.php?tid=15439</link>
			<pubDate>Sun, 27 Jun 2021 08:21:27 +0000</pubDate>
			<dc:creator><![CDATA[<a href="https://www.geeks.fyi/member.php?action=profile&uid=1322">harlan4096</a>]]></dc:creator>
			<guid isPermaLink="false">https://www.geeks.fyi/showthread.php?tid=15439</guid>
			<description><![CDATA[<blockquote class="mycode_quote"><cite>Quote:</cite><div style="text-align: center;" class="mycode_align"><img src="https://www.gdatasoftware.com/fileadmin/web/general/images/blog/2021/06/G_DATA_Blog_KernelRootkit_Header.jpg" loading="lazy"  alt="[Image: G_DATA_Blog_KernelRootkit_Header.jpg]" class="mycode_img" /></div>
<br />
<span style="font-style: italic;" class="mycode_i">What started as a false positive alert for a Microsoft signed file turns out to be a WFP application layer enforcement callout driver that redirects traffic to a Chinese IP. How did this happen?</span><br />
<br />
Last week our alert system notified us of a possible false positive because we detected a driver[1] named "Netfilter" that was signed by Microsoft. Since Windows Vista, any code that runs in kernel mode is required to be tested and signed before public release to ensure stability for the operating system.<br />
<br />
Drivers without a Microsoft certificate cannot be installed by default.<br />
<br />
In this case the detection was a true positive, so we forwarded our findings to Microsoft who promptly added malware signatures to Windows Defender and are now conducting an internal investigation. At the time of writing it is still unknown how the driver could pass the signing process.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">String decoding</span><br />
<br />
The first thing I noted after opening the strings view was some strings that looked encoded or encrypted. While this is not necessarily a sign of a malicious file, it is odd that a driver obfuscates a part of its strings.<br />
<br />
I decoded the strings using the following Python snippet.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">Similar samples</span><br />
<br />
Searching for this URL as well as the PDB path, and using the similar samples feature on Virustotal, we found older samples as well as the dropper[2] of the netfilter driver. The oldest sample[3] signatures date back to March 2021. Virustotal queries to find similar samples via URL and PDB path are listed below.<br />
<br />
Additionally, the following Yara rule will find samples via retrohunting.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">Dropper and installation</span><br />
<br />
The dropper places the driver into <span style="font-weight: bold;" class="mycode_b">%APPDATA%\netfilter.sys</span>. Then it creates the file <span style="font-weight: bold;" class="mycode_b">%TEMP%\c.xalm</span> with the following contents and issues the command <span style="font-weight: bold;" class="mycode_b">regini.exe x.calm</span> to register the driver.<br />
...</blockquote>
<a href="https://www.gdatasoftware.com/blog/microsoft-signed-a-malicious-netfilter-rootkit" target="_blank" rel="noopener" class="mycode_url">Continue Reading</a>]]></description>
			<content:encoded><![CDATA[<blockquote class="mycode_quote"><cite>Quote:</cite><div style="text-align: center;" class="mycode_align"><img src="https://www.gdatasoftware.com/fileadmin/web/general/images/blog/2021/06/G_DATA_Blog_KernelRootkit_Header.jpg" loading="lazy"  alt="[Image: G_DATA_Blog_KernelRootkit_Header.jpg]" class="mycode_img" /></div>
<br />
<span style="font-style: italic;" class="mycode_i">What started as a false positive alert for a Microsoft signed file turns out to be a WFP application layer enforcement callout driver that redirects traffic to a Chinese IP. How did this happen?</span><br />
<br />
Last week our alert system notified us of a possible false positive because we detected a driver[1] named "Netfilter" that was signed by Microsoft. Since Windows Vista, any code that runs in kernel mode is required to be tested and signed before public release to ensure stability for the operating system.<br />
<br />
Drivers without a Microsoft certificate cannot be installed by default.<br />
<br />
In this case the detection was a true positive, so we forwarded our findings to Microsoft who promptly added malware signatures to Windows Defender and are now conducting an internal investigation. At the time of writing it is still unknown how the driver could pass the signing process.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">String decoding</span><br />
<br />
The first thing I noted after opening the strings view was some strings that looked encoded or encrypted. While this is not necessarily a sign of a malicious file, it is odd that a driver obfuscates a part of its strings.<br />
<br />
I decoded the strings using the following Python snippet.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">Similar samples</span><br />
<br />
Searching for this URL as well as the PDB path, and using the similar samples feature on Virustotal, we found older samples as well as the dropper[2] of the netfilter driver. The oldest sample[3] signatures date back to March 2021. Virustotal queries to find similar samples via URL and PDB path are listed below.<br />
<br />
Additionally, the following Yara rule will find samples via retrohunting.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">Dropper and installation</span><br />
<br />
The dropper places the driver into <span style="font-weight: bold;" class="mycode_b">%APPDATA%\netfilter.sys</span>. Then it creates the file <span style="font-weight: bold;" class="mycode_b">%TEMP%\c.xalm</span> with the following contents and issues the command <span style="font-weight: bold;" class="mycode_b">regini.exe x.calm</span> to register the driver.<br />
...</blockquote>
<a href="https://www.gdatasoftware.com/blog/microsoft-signed-a-malicious-netfilter-rootkit" target="_blank" rel="noopener" class="mycode_url">Continue Reading</a>]]></content:encoded>
		</item>
		<item>
			<title><![CDATA[TED talk: A Tale of Two Floppies - The Basics of Cyber Security]]></title>
			<link>https://www.geeks.fyi/showthread.php?tid=15438</link>
			<pubDate>Sun, 27 Jun 2021 08:01:49 +0000</pubDate>
			<dc:creator><![CDATA[<a href="https://www.geeks.fyi/member.php?action=profile&uid=1322">harlan4096</a>]]></dc:creator>
			<guid isPermaLink="false">https://www.geeks.fyi/showthread.php?tid=15438</guid>
			<description><![CDATA[<blockquote class="mycode_quote"><cite>Quote:</cite><div style="text-align: center;" class="mycode_align"><img src="https://www.gdatasoftware.com/fileadmin/web/general/images/blog/2021/06/G_DATA_Blog_TedTalk_Eddy_Header.jpg" loading="lazy"  alt="[Image: G_DATA_Blog_TedTalk_Eddy_Header.jpg]" class="mycode_img" /></div>
<br />
<span style="font-style: italic;" class="mycode_i">I was thrilled when I was approached and asked to give a talk at TEDx in Leuven - in this talk I am sharing some anecdotes that have influenced my own career significantly.</span><br />
<br />
<span style="font-weight: bold;" class="mycode_b">What is TED?</span><br />
<br />
First off, here is what TED say about themselves:<br />
<br />
<span style="font-style: italic;" class="mycode_i">"TED is a global community and online platform that welcomes people from every discipline and culture who seek a deeper understanding of the world. TED passionately believes in the power of ideas to change attitudes, lives and ultimately the world. On <a href="https://www.ted.com/" target="_blank" rel="noopener" class="mycode_url">TED.com</a> we're building a clearinghouse of free knowledge from the world's most inspired thinkers — and a community of curious souls to engage with ideas and each other, both online and at TED and TEDx events around the world, all year long."</span><br />
<br />
In my opinion, TED or TEDx is also one of the best platforms to find very good and especially inspiring speakers and amazingly interesting topics.<br />
<br />
So naturally, I was thrilled when I received a call from TEDx organizer TEDxKULeuven in Belgium in March 2021, asking me to give a TEDx talk in mid-May.<br />
<br />
Unfortunately due to the Corona pandemic, the format was a bit different from the normal TEDx talks but to be honest I didn't mind too much.<br />
<br />
I've spoken at many security related conferences, large and small events and I'm used to a very diverse audience, but still, TED(x) is always a little different.<br />
<br />
It's about conveying an inspiring idea to a very diverse audience: the world. And that is certainly not an easy task, even for experienced speakers.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">The talk</span><br />
<br />
<span style="font-style: italic;" class="mycode_i">What do the first ransomware, an airport, 2 diskettes and cybersecurity have in common?</span><br />
<br />
<span style="font-style: italic;" class="mycode_i">Some people want to become pilots, some people want to be doctors. We all have our own dreams. But what if your dream actually comes true? This lecture will take you back to a pivotal stage in the life of Eddy Willems more than 30 years ago. Eddy will tell you two stories of how two different diskettes changed his life forever. The first one, the AIDS Information diskette, even turns up in history books and museums from time to time. The second one infected his mind in some way and drove him into his daily job of helping people by communicating (and giving lectures about) the cyberdangers around us, alerting us to all kinds of risks to the public in general and ultimately trying to make the world a safer and maybe better place. These diskettes could maybe change your life in the future.</span><br />
<br />
<span style="font-weight: bold;" class="mycode_b">The topic</span><br />
<br />
I suppose the abstract made at least clear that some events caused a serious change in my life, but that wasn’t the only thing. By travelling and helping several companies and organizations worldwide with their security implementation and policy, I found out that we have always been confronted with basically the same problems during the past 3 decades. So I created a formula out of it and defined what I call the basics of cyber security, a formula which is easy to understand by anybody:<br />
<br />
CSP = TF × MF<br />
<br />
Translated to English, this means:<span style="font-weight: bold;" class="mycode_b"><span style="font-style: italic;" class="mycode_i"> "A Cyber Security Problem is the result of Technical Factors multiplied by Human Factors"</span></span><br />
<br />
In other words, almost any cybersecurity issue is a direct result of a combination of technological and human factors. Most malware would not stand a chance without naivety, curiosity, or other human weaknesses. The only way to resolve this in my opinion is to change our online human behaviour completely, which is not always that easy. We are all creatures of habit after all. However, by improving our security awareness we may lower the cyber attack range considerably. And yes, of course it’s not always the user who needs training but sometimes also the IT administrators. The latter fact often seems less obvious. The best way to improve security awareness is by following interactive and repetitive security awareness courses (e.g. see also <a href="https://www.gdatasoftware.com/business/security-awareness-training" target="_blank" rel="noopener" class="mycode_url">G DATA Security Awareness Trainings</a>). In the long run, however, there is clearly a need to put this inside the basic education worldwide. I wonder if we ever will succeed in this.<br />
<br />
I suppose you all guessed by now where my inspiration for <a href="https://en.wikipedia.org/wiki/A_Tale_of_Two_Cities" target="_blank" rel="noopener" class="mycode_url">the title</a> ‘A Tale of Two Floppies’ came from? <br />
...</blockquote>
<a href="https://www.gdatasoftware.com/blog/ted-talk-a-tale-of-two-floppies" target="_blank" rel="noopener" class="mycode_url">Continue Reading</a>]]></description>
			<content:encoded><![CDATA[<blockquote class="mycode_quote"><cite>Quote:</cite><div style="text-align: center;" class="mycode_align"><img src="https://www.gdatasoftware.com/fileadmin/web/general/images/blog/2021/06/G_DATA_Blog_TedTalk_Eddy_Header.jpg" loading="lazy"  alt="[Image: G_DATA_Blog_TedTalk_Eddy_Header.jpg]" class="mycode_img" /></div>
<br />
<span style="font-style: italic;" class="mycode_i">I was thrilled when I was approached and asked to give a talk at TEDx in Leuven - in this talk I am sharing some anecdotes that have influenced my own career significantly.</span><br />
<br />
<span style="font-weight: bold;" class="mycode_b">What is TED?</span><br />
<br />
First off, here is what TED say about themselves:<br />
<br />
<span style="font-style: italic;" class="mycode_i">"TED is a global community and online platform that welcomes people from every discipline and culture who seek a deeper understanding of the world. TED passionately believes in the power of ideas to change attitudes, lives and ultimately the world. On <a href="https://www.ted.com/" target="_blank" rel="noopener" class="mycode_url">TED.com</a> we're building a clearinghouse of free knowledge from the world's most inspired thinkers — and a community of curious souls to engage with ideas and each other, both online and at TED and TEDx events around the world, all year long."</span><br />
<br />
In my opinion, TED or TEDx is also one of the best platforms to find very good and especially inspiring speakers and amazingly interesting topics.<br />
<br />
So naturally, I was thrilled when I received a call from TEDx organizer TEDxKULeuven in Belgium in March 2021, asking me to give a TEDx talk in mid-May.<br />
<br />
Unfortunately due to the Corona pandemic, the format was a bit different from the normal TEDx talks but to be honest I didn't mind too much.<br />
<br />
I've spoken at many security related conferences, large and small events and I'm used to a very diverse audience, but still, TED(x) is always a little different.<br />
<br />
It's about conveying an inspiring idea to a very diverse audience: the world. And that is certainly not an easy task, even for experienced speakers.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">The talk</span><br />
<br />
<span style="font-style: italic;" class="mycode_i">What do the first ransomware, an airport, 2 diskettes and cybersecurity have in common?</span><br />
<br />
<span style="font-style: italic;" class="mycode_i">Some people want to become pilots, some people want to be doctors. We all have our own dreams. But what if your dream actually comes true? This lecture will take you back to a pivotal stage in the life of Eddy Willems more than 30 years ago. Eddy will tell you two stories of how two different diskettes changed his life forever. The first one, the AIDS Information diskette, even turns up in history books and museums from time to time. The second one infected his mind in some way and drove him into his daily job of helping people by communicating (and giving lectures about) the cyberdangers around us, alerting us to all kinds of risks to the public in general and ultimately trying to make the world a safer and maybe better place. These diskettes could maybe change your life in the future.</span><br />
<br />
<span style="font-weight: bold;" class="mycode_b">The topic</span><br />
<br />
I suppose the abstract made at least clear that some events caused a serious change in my life, but that wasn’t the only thing. By travelling and helping several companies and organizations worldwide with their security implementation and policy, I found out that we have always been confronted with basically the same problems during the past 3 decades. So I created a formula out of it and defined what I call the basics of cyber security, a formula which is easy to understand by anybody:<br />
<br />
CSP = TF × MF<br />
<br />
Translated to English, this means:<span style="font-weight: bold;" class="mycode_b"><span style="font-style: italic;" class="mycode_i"> "A Cyber Security Problem is the result of Technical Factors multiplied by Human Factors"</span></span><br />
<br />
In other words, almost any cybersecurity issue is a direct result of a combination of technological and human factors. Most malware would not stand a chance without naivety, curiosity, or other human weaknesses. The only way to resolve this in my opinion is to change our online human behaviour completely, which is not always that easy. We are all creatures of habit after all. However, by improving our security awareness we may lower the cyber attack range considerably. And yes, of course it’s not always the user who needs training but sometimes also the IT administrators. The latter fact often seems less obvious. The best way to improve security awareness is by following interactive and repetitive security awareness courses (e.g. see also <a href="https://www.gdatasoftware.com/business/security-awareness-training" target="_blank" rel="noopener" class="mycode_url">G DATA Security Awareness Trainings</a>). In the long run, however, there is clearly a need to put this inside the basic education worldwide. I wonder if we ever will succeed in this.<br />
<br />
I suppose you all guessed by now where my inspiration for <a href="https://en.wikipedia.org/wiki/A_Tale_of_Two_Cities" target="_blank" rel="noopener" class="mycode_url">the title</a> ‘A Tale of Two Floppies’ came from? <br />
...</blockquote>
<a href="https://www.gdatasoftware.com/blog/ted-talk-a-tale-of-two-floppies" target="_blank" rel="noopener" class="mycode_url">Continue Reading</a>]]></content:encoded>
		</item>
		<item>
			<title><![CDATA[Scraping: Is it good, bad or something in between?]]></title>
			<link>https://www.geeks.fyi/showthread.php?tid=15346</link>
			<pubDate>Thu, 17 Jun 2021 06:52:19 +0000</pubDate>
			<dc:creator><![CDATA[<a href="https://www.geeks.fyi/member.php?action=profile&uid=1322">harlan4096</a>]]></dc:creator>
			<guid isPermaLink="false">https://www.geeks.fyi/showthread.php?tid=15346</guid>
			<description><![CDATA[<blockquote class="mycode_quote"><cite>Quote:</cite><div style="text-align: center;" class="mycode_align"><img src="https://www.gdatasoftware.com/fileadmin/web/general/images/blog/2021/06/G_DATA_Blog_Scraping_Header.jpg" loading="lazy"  alt="[Image: G_DATA_Blog_Scraping_Header.jpg]" class="mycode_img" /></div>
<br />
<span style="font-style: italic;" class="mycode_i">There has been a lot said about data scraping. Here is a breakdown of what it is, why it might be problematic and how we might deal with it going forward.</span><br />
<br />
For a recent example of abusive data scraping, we do not have to go too far back in time: In April 2021, researchers discovered a database containing the personal details of more than <a href="https://www.axios.com/facebook-data-533-million-leak-bda53583-363a-4e4a-bc38-b147c3e12a8c.html" target="_blank" rel="noopener" class="mycode_url">500 million Facebook users</a>, which was circulating on hacker forums. Not much later, similar news reports surfaced about a <a href="https://cybernews.com/news/stolen-data-of-500-million-linkedin-users-being-sold-online-2-million-leaked-as-proof-2/" target="_blank" rel="noopener" class="mycode_url">LinkedIn database data leak</a>. Analysis of both incidents showed that hackers did not even need to attack the servers of the social media platforms to get hold of the data. They made use of a handy trick called "data scraping". How does this technique work and how big is the danger of data scraping for Internet users?<br />
<br />
<span style="font-weight: bold;" class="mycode_b">Screen scraping and web scraping</span><br />
<br />
Data scraping is essentially a way of transferring data from one system to another. But it differs from more conventional data transfer methods. The main difference is in the output. The scraped data does not serve as input for another computer program, but is intended for display to the end user. Data scraping is therefore a very crude technique that will only be used when there is no other way to extract data from a system, such as an operating system that is no longer compatible with modern hardware. The output is often very unstructured because things like formatting, binary data and other additional information are not transferred. This can even cause programs to crash during data scraping.<br />
<br />
There are different technical variants within data scraping. The oldest form is screen scraping. With screen scraping, a special tool is connected to an obsolete computer system. The scraping tool pretends to be a user and simulates the key commands to navigate through the system interface. The tool then extracts the data from the system and passes it on to the new system. This method of working inspired more modern automation tools that work on the same basis.<br />
<br />
In addition to screen scraping, there is also web scraping, which is used to extract data from web pages. The principle is more or less the same. Again, you usually need a scraping tool to make the web page believe that you are a web administrator who is going to modify the page. Most websites today have built-in security algorithms to detect such tools and deny them access. So large-scale scraping incidents like those at Facebook are really very rare – at least as far as we know so far.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">Dangerous or not?</span><br />
<br />
Data scraping is not in itself an illegal practice. Recognised cloud providers such as Amazon AWS offer secure web scraping tools in the form of free APIs. Like any computer program, data scraping only becomes dangerous when the tools fall into the wrong hands, as happened at Facebook, to refer back to that incident.<br />
<br />
In the Facebook scraped data leak incident the database did contain personal data such as phone numbers and email addresses. If cybercriminals get hold of this data, they can use it for phishing and other types of fraud. So it is true that data scraping is initially a lot less intrusive than hacking into someone's account, and you will probably not be directly affected by a scraping attack. But in the long run, it can make you more vulnerable to phishing attacks. The recent LinkedIn scraped data leak seems less intrusive and showed less interesting data; however, every kind of data can always be interesting for every cybercriminal or hacker. Data scraping can open the door to spear phishing attacks; hackers can learn the names of superiors, ongoing projects, trusted companies or organizations, etc. Essentially, everything a hacker could need to craft their message to make it plausible and provoke the correct response in their victims.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">How to protect yourself from scraping?</span><br />
<br />
As a user of a website, there is basically <span style="font-weight: bold;" class="mycode_b">not much you can do</span> against a scraping attack, except carefully<span style="font-weight: bold;" class="mycode_b"> manage what information you share</span> about yourself on that website. With Facebook as an example, therefore do a regular privacy check to find out what you actually share or not. Ultimately, the responsibility lies in what you share yourself. And that’s probably not always that easy looking at all the problems we see these days. Also, bear in mind that the effects that result from someone accessing your personal information might not manifest for a long time.<br />
<br />
By the point someone abuses your data, you might already have forgotten that you even shared it with the network at some point.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">Advice for website owners and builders</span><br />
<br />
You must keep in mind that everything that is visible and accessible on your website to human visitors is possibly also visible to scraping bots.<br />
<br />
There are also some technical tricks that can be applied to secure the content. However, these tricks often have their limitations. You can often recognise a scraping attempt by a high number of requests sent to your website from a single IP address (not to be confused with a DDoS attack, which also relies on this technique). You can then exclude that suspicious IP address. In other cases, locking content with login details can go a long way. The scraper then has to expose a piece of itself in order to get access to the content. Regularly changing your HTML can confuse scrapers to such an extent that they scrape elsewhere. The downside of this is that this approach can also lead to confusion among your own web developers. The use of CAPTCHAs or lots of media files can also discourage scraping attempts by shady individuals. Bots are sometimes coded to explicitly break specific CAPTCHA patterns or may employ third-party services that utilize human labor to read and respond in real time to CAPTCHA challenges. On the legal side: companies need to take action against data scrapers and warn them against the process.<br />
<br />
This can be included in the terms of service. Of course this doesn’t do anything against scraping by itself but it can be used during lawsuits.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">A glimpse into the future</span><br />
<br />
Diverse actors leverage web scraping bots, including nefarious competitors, internet upstarts, cybercriminals, hackers, and spammers, to effortlessly steal whatever pieces of content they are programmed to find, and often mimic regular user behavior, making them hard to detect and even harder to block. Web scraping poses a critical challenge to a website’s brand; it can threaten sales and conversions, lower SEO rankings, or undermine the integrity of content that took time and resources to produce. But there is an even bigger problem behind it, which lies in the growth of the phishing attempts or ransomware attacks which could be based on the stolen and scraped data of the users of the attacked website. That’s the reason why web designers and social media companies should be thinking twice about taking the necessary actions against this kind of attack in the future. Understanding the intrusive nature of today’s web scraping danger not only raises awareness about this growing challenge, it also allows website owners to take action in the protection of their proprietary content and the privacy of their users! Let’s hope they all read this blog.<br />
...</blockquote>
<a href="https://www.gdatasoftware.com/blog/data-scraping" target="_blank" rel="noopener" class="mycode_url">Continue Reading</a>]]></description>
		</item>
		<item>
			<title><![CDATA[Commentary: Plans for iOS15 put victims of stalking and abuse at risk]]></title>
			<link>https://www.geeks.fyi/showthread.php?tid=15345</link>
			<pubDate>Thu, 17 Jun 2021 06:48:01 +0000</pubDate>
			<dc:creator><![CDATA[<a href="https://www.geeks.fyi/member.php?action=profile&uid=1322">harlan4096</a>]]></dc:creator>
			<guid isPermaLink="false">https://www.geeks.fyi/showthread.php?tid=15345</guid>
			<description><![CDATA[<blockquote class="mycode_quote"><cite>Quote:</cite><div style="text-align: center;" class="mycode_align"><img src="https://www.gdatasoftware.com/fileadmin/web/general/images/blog/2021/06/G_Data_Blog_iOS15_Update_Header.jpg" loading="lazy"  alt="[Image: G_Data_Blog_iOS15_Update_Header.jpg]" class="mycode_img" /></div>
<br />
<span style="font-style: italic;" class="mycode_i">Apple has announced some innovations for iOS 15 that are a cause for concern among victims of abuse and organizations that support survivors. Among other things, it will be possible to locate devices that are switched off. This is a disaster for people who are being spied on by their own partner.</span><br />
<br />
I use the "Find my" function in Apple's devices at least once a week when I have misplaced my smartphone again. That's a practical thing - I can have the device beep or locate it if I'm not sure whether I haven't forgotten it at my parents' house (again).<br />
<br />
On paper, the<a href="https://www.apple.com/ios/ios-15-preview/features/" target="_blank" rel="noopener" class="mycode_url"> innovations planned for iOS 15</a> make perfect sense. Among other things, there is a plan to enable device owners to locate devices that are turned off. If a device is stolen, thieves often try to sell it on, for example at flea markets or on Internet platforms like eBay. To make it more difficult to resell stolen devices, devices such as iPhones have an activation lock. Perpetrators can neither use nor resell the stolen device - it's about as useful as a brick. Thieves usually turn off a stolen device immediately after the theft to prevent tracking. This option is now eliminated because devices can be located even when they are turned off. And even if a thief resets the device to factory settings, I could still locate it as long as it is not deleted from my Apple account.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">The Other, Darker Side of the Coin</span><br />
<br />
However, there is one area where these changes have dire consequences and can have serious side effects. For example, in cases where women have moved to a shelter due to domestic violence. If the partner can locate the device that has been turned off, they can also find out its whereabouts. This is - to put it mildly - unsettling, because there are good reasons why the addresses of women's shelters and similar facilities for people in need are not public. Locating a device that has been switched off would render such protective measures obsolete.<br />
<br />
Apple also expands the AirTag technology, which has already met with criticism for similar reasons: Warnings can be set up when someone is no longer near a device. In the worst case, a jealous partner could deposit an AirTag in a suitable place to receive a warning when they leave the house. This effectively turns the technology into an electronic ankle bracelet for those affected.<br />
<br />
To their credit, at least Apple listened to the criticism of experts shortly after the launch of the AirTags and <a href="https://www.cnet.com/news/ahead-of-wwdc-apple-bolsters-airtags-privacy-measures-says-developing-android-detector-app/" target="_blank" rel="noopener" class="mycode_url">retrofitted a function</a> that warns users when an unknown AirTag is in the vicinity. This would at least cover some cases where a jealous partner hides an AirTag in a (jacket) pocket or in the car.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">Privacy by Design vs. Comfort and Ease of Use</span><br />
<br />
Now, I want to make one thing clear, so nobody gets the wrong idea: I am not saying that Apple knowingly and consciously pushes the misuse of technology. After all, the idea behind some of the functions has merit. However, I think that the developers simply haven't given this the degree of thought that would have been appropriate. Whenever a company - whether it's Apple or any other technology provider - breaks new ground in their product portfolio, there always has to be the question of how a new product can be misused.<br />
<br />
If a device generates data whose use could pose an immediate danger to other people, a rethink is required. On this topic, there are currently also initial efforts to draft guidelines for development, for example via the IEEE (Institute of Electrical and Electronics Engineers).<a href="https://www.ibm.com/blogs/policy/wp-content/uploads/2020/06/Design-Principles-to-Combat-Domestic-Abuse.pdf" target="_blank" rel="noopener" class="mycode_url"> IBM has also drafted design principles</a> that shed light on technological development specifically with a view to domestic abuse. Especially when it comes to devices, which for many people are communication platforms, proof of identity, and means of self-representation. For most smartphone owners, the device is one of the most private things one can have. The internationally operating <a href="https://stopstalkerware.org" target="_blank" rel="noopener" class="mycode_url">Coalition against Stalkerware</a> has also dedicated itself to the topic of technology-driven abuse and provides extensive information material and practical assistance for those affected and for aid organizations.<br />
...</blockquote>
<a href="https://www.gdatasoftware.com/blog/commentary-update-ios15" target="_blank" rel="noopener" class="mycode_url">Continue Reading</a>]]></description>
		</item>
		<item>
			<title><![CDATA[Picture this: Malware Hides in Steam Profile Images]]></title>
			<link>https://www.geeks.fyi/showthread.php?tid=15292</link>
			<pubDate>Fri, 11 Jun 2021 07:06:18 +0000</pubDate>
			<dc:creator><![CDATA[<a href="https://www.geeks.fyi/member.php?action=profile&uid=1322">harlan4096</a>]]></dc:creator>
			<guid isPermaLink="false">https://www.geeks.fyi/showthread.php?tid=15292</guid>
			<description><![CDATA[<blockquote class="mycode_quote"><cite>Quote:</cite><div style="text-align: center;" class="mycode_align"><img src="https://www.gdatasoftware.com/fileadmin/web/general/images/blog/2021/06/G_DATA_Blog_SteamProfileMalware_Header.jpg" loading="lazy"  alt="[Image: G_DATA_Blog_SteamProfileMalware_Header.jpg]" class="mycode_img" /></div>
<br />
<span style="font-style: italic;" class="mycode_i">SteamHide abuses the gaming platform Steam to serve payloads for malware downloaders. Malware operators can also update already infected machines by adding new profile images to Steam. The developers seem to have a few more ambitious goals.</span><br />
<br />
<span style="font-weight: bold;" class="mycode_b">Suspicious steam profile images</span><br />
<br />
Researcher <a href="https://twitter.com/miltinh0c" target="_blank" rel="noopener" class="mycode_url">@miltinhoc</a> tweeted in May 2021 about new malware[1][2] that uses Steam profile images to hide itself inside them.<br />
<br />
The low quality image (see picture below) shows three frames of the "white guy blinking" meme alongside the words January, a black screen, and September. The image content itself does not seem to make sense.<br />
<br />
Common online EXIF tools don't show anything interesting about the image except for a warning that the length of the ICC profile data is not valid. That's because instead of an ICC profile the malware is placed in encrypted form inside the <span style="font-weight: bold;" class="mycode_b">PropertyTagICCProfile</span> value. The ICC profile's purpose is to map colors correctly for output devices like printers.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">Implications and Affected Users</span><br />
<br />
While hiding malware in an image file's metadata is not a new phenomenon, using a gaming platform such as Steam is previously unheard of. From an attacker's point of view, this approach makes sense: Replacing the malware is as easy as just replacing a profile image file. There is also a huge number of legitimate accounts - and blocklisting the Steam platform outright would have many undesired side effects.<br />
<br />
It should be noted that in order to become a target for this method, no installation of Steam - or any other game platform - is required. The Steam platform merely serves as a vehicle which hosts the malicious file. The heavy lifting in the shape of downloading, unpacking and executing the malicious payload is handled by an external component which just accesses the profile image on one Steam profile. This payload can be distributed by the usual means, from crafted emails to compromised websites.<br />
<br />
The Steam profile image is neither infectious nor executable. It serves as carrier for the actual malware[2]. It needs a second malware[1] to be extracted.<br />
<br />
This second malware sample[1] is a downloader. It has the hardcoded password "<span style="font-weight: bold;" class="mycode_b">{PjlD\\bzxS#;8@\\x.3JT&amp;&lt;4^MsTqE0</span>" and uses TripleDES to decrypt the payload from the image.<br />
<br />
I found newer samples[3][4] of this malware via VirusTotal retrohunt. The downloader uses a different Steam profile but the very same technique to hide malware in images. Below is the output of another <a href="http://exif.regex.info/exif.cgi" target="_blank" rel="noopener" class="mycode_url">online EXIF extraction tool</a>.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">Payload Functionality</span><br />
<br />
The sample first queries Win32_DiskDrive for VMware and VBox and terminates if any of those exist.<br />
<br />
It will then check if it has administrator rights and attempt privilege escalation via cmstp.exe.<br />
<br />
On the first run it copies itself to the LOCALAPPDATA folder using the name and extension specified in the configuration. In sample[2] the filename is <span style="font-weight: bold;" class="mycode_b">uNoFGmsEX.txt</span>.<br />
<br />
SteamHide persists itself by creating the following key in the registry: \Software\Microsoft\Windows\CurrentVersion\Run\<span style="font-weight: bold;" class="mycode_b">BroMal</span><br />
<br />
The mutex is named Global\&lt;GUID&gt;, where GUID is the globally unique identifier for a certain class in the malware.<br />
<br />
SteamHide's initial command-and-control server IP is saved in a specific Pastebin paste.<br />
<br />
The malware can update itself via a given Steam profile. Just like the downloader, it will extract the executable from the <span style="font-weight: bold;" class="mycode_b">PropertyTagICCProfile</span> data in an image of the Steam profile. The configuration allows changing the ID for the image property and the search string to find the correct image on Steam. That means other image properties might be used in the future to hide malware on Steam.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">The future of SteamHide</span><br />
<br />
SteamHide currently lacks functionality and seems to be in active development. There are a few code segments in the binary that aren't used yet.<br />
<br />
The malware checks if Teams is installed by looking for the existence of SquirrelTemp\<span style="font-weight: bold;" class="mycode_b">SquirrelSetup.log</span>, but there isn't anything done with this information. The method is called <span style="font-weight: bold;" class="mycode_b">EnumerateVulnerable</span> and possibly serves to check installed applications on the infected system, so they can be abused for exploits.<br />
<br />
There is a method stub named <span style="font-weight: bold;" class="mycode_b">ChangeHash()</span>, but it is not implemented yet. It seems the malware developer plans to include polymorphism in future versions.<br />
<br />
It has a <span style="font-weight: bold;" class="mycode_b">CodePieceManager</span>, which can compile source code to MSIL assemblies. It might be used to add functionality on the fly or to apply metamorphism.<br />
<br />
Furthermore, there is a method that allows sending Twitter requests, which might in the future enable the malware to either receive commands via Twitter or to act as a Twitter bot.<br />
<br />
I am confident that we will see this malware emerge soon in the wild just like it happened with other in-development families that we covered, e.g., <a href="https://www.gdatasoftware.com/blog/strrat-crimson" target="_blank" rel="noopener" class="mycode_url">StrRAT</a>, <a href="https://www.gdatasoftware.com/blog/2019/11/35548-new-sectoprat-remote-access-malware-utilizes-second-desktop-to-control-browsers" target="_blank" rel="noopener" class="mycode_url">SectopRAT</a><br />
...</blockquote>
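The "invalid ICC profile length" warning mentioned in the quoted article is the kind of check worth automating. The script below is an added example for this thread; it is not code from the G DATA article and not SteamHide's. It assumes the carrier is a JPEG, where an ICC profile is stored in one or more APP2 segments tagged "ICC_PROFILE" (ICC spec Annex B), and it applies two facts about genuine profiles: the first four bytes of the 128-byte header declare the profile size, and bytes 36..39 hold the signature 'acsp'. A blob whose declared size does not match the embedded length, lacks the signature, or has near-maximal byte entropy is worth pulling out for a closer look. The sample images and the opaque blob are constructed inline; the TripleDES decryption step is deliberately not reproduced.

```python
"""Pull the ICC profile out of a JPEG and decide whether it looks like a
real colour profile or an opaque payload parked in PropertyTagICCProfile.
Added example, not G DATA's or SteamHide's code; JPEG carrier assumed."""
import math
import struct
from collections import Counter
from typing import Optional

ICC_MAGIC = b"acsp"      # signature at header offset 36 of every ICC profile
ICC_HEADER_LEN = 128


def iter_jpeg_segments(data: bytes):
    """Yield (marker, payload) for every marker segment up to SOS."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"marker expected at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xD9:                              # EOI: done
            return
        if marker == 0x01 or 0xD0 <= marker <= 0xD8:    # standalone markers, no length
            pos += 2
            continue
        (length,) = struct.unpack(">H", data[pos + 2 : pos + 4])
        yield marker, data[pos + 4 : pos + 2 + length]
        pos += 2 + length
        if marker == 0xDA:                              # SOS: entropy-coded data follows
            return


def extract_icc(data: bytes) -> Optional[bytes]:
    """Reassemble the profile from numbered APP2 chunks: 'ICC_PROFILE\\0', seq, total, data."""
    chunks = {}
    for marker, payload in iter_jpeg_segments(data):
        if marker == 0xE2 and payload.startswith(b"ICC_PROFILE\x00"):
            chunks[payload[12]] = payload[14:]
    return b"".join(chunks[i] for i in sorted(chunks)) if chunks else None


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted or compressed blobs sit close to 8.0."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def check_icc(profile: bytes) -> dict:
    """Header sanity checks an analyst would run on the extracted blob."""
    findings = []
    declared = None
    if len(profile) < ICC_HEADER_LEN:
        findings.append("shorter than the 128-byte ICC header")
    else:
        (declared,) = struct.unpack(">I", profile[:4])
        if profile[36:40] != ICC_MAGIC:
            findings.append("no 'acsp' signature at offset 36")
        if declared != len(profile):
            findings.append(f"declared size {declared} != embedded length {len(profile)}")
    entropy = shannon_entropy(profile)
    if entropy > 7.5:
        findings.append(f"entropy {entropy:.2f} bits/byte looks encrypted or compressed")
    return {"embedded_length": len(profile), "declared_size": declared,
            "entropy": entropy, "findings": findings, "looks_like_icc": not findings}


def make_jpeg(icc: bytes) -> bytes:
    """Constructed minimal JPEG: SOI, one APP2 ICC_PROFILE chunk (1 of 1), SOS, EOI."""
    app2 = b"ICC_PROFILE\x00" + bytes([1, 1]) + icc
    return (b"\xff\xd8" + b"\xff\xe2" + struct.pack(">H", len(app2) + 2) + app2
            + b"\xff\xda" + struct.pack(">H", 2) + b"\xff\xd9")


def fake_icc_profile(tag_bytes: int = 32) -> bytes:
    """Constructed well-formed header (size + 'acsp') followed by zeroed tag data."""
    header = bytearray(ICC_HEADER_LEN)
    header[0:4] = struct.pack(">I", ICC_HEADER_LEN + tag_bytes)
    header[36:40] = ICC_MAGIC
    return bytes(header) + b"\x00" * tag_bytes


# Constructed stand-in for an encrypted payload: every byte value twice, entropy 8.0.
OPAQUE_BLOB = bytes(range(256)) * 2

if __name__ == "__main__":
    for label, image in (("genuine", make_jpeg(fake_icc_profile())),
                         ("opaque", make_jpeg(OPAQUE_BLOB))):
        print(label, check_icc(extract_icc(image)))
```

Run it against a real avatar with `check_icc(extract_icc(open(path, "rb").read()))`. A profile that fails the size or signature check is not proof of malware on its own; it is the trigger to hand the blob to a sandbox or a decryptor, which is where the article's caution about sandbox verdicts applies.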
<a href="https://www.gdatasoftware.com/blog/steamhide-malware-in-profile-images" target="_blank" rel="noopener" class="mycode_url">Continue Reading</a>]]></description>
		</item>
		<item>
			<title><![CDATA[Perform simple security tests yourself - using Metasploit Framework and nmap]]></title>
			<link>https://www.geeks.fyi/showthread.php?tid=15158</link>
			<pubDate>Thu, 27 May 2021 07:21:02 +0000</pubDate>
			<dc:creator><![CDATA[<a href="https://www.geeks.fyi/member.php?action=profile&uid=1322">harlan4096</a>]]></dc:creator>
			<guid isPermaLink="false">https://www.geeks.fyi/showthread.php?tid=15158</guid>
			<description><![CDATA[<blockquote class="mycode_quote"><cite>Quote:</cite><div style="text-align: center;" class="mycode_align"><img src="https://www.gdatasoftware.com/fileadmin/user_upload/Presse/Deutschland/2021/05/GDATA_Blog_MetasploitNmap_Header.jpg" loading="lazy"  alt="[Image: GDATA_Blog_MetasploitNmap_Header.jpg]" class="mycode_img" /></div>
<br />
<span style="font-style: italic;" class="mycode_i">Even with little effort, the security of your own network can be put to the test. We present two tools that make this possible. The best thing about it: the tools are freely available.</span><br />
<br />
The <a href="https://www.metasploit.com/" target="_blank" rel="noopener" class="mycode_url">Metasploit Framework</a> from <a href="https://www.rapid7.com" target="_blank" rel="noopener" class="mycode_url">Rapid7</a> is one of the best-known frameworks in the area of vulnerability analysis, and is used by many Red Teams and penetration testers worldwide. It is freely available and can be extended individually, which makes it very versatile and flexible. It is often used in combination with a port scanner such as <a href="https://nmap.org/" target="_blank" rel="noopener" class="mycode_url">nmap</a>, one of the most prominent tools in this area, which is also freely available.<br />
<br />
In this article we give a small insight into both tools. For this, we will show a short example to demonstrate how you can perform simple tests against your systems yourself.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">Please note that you may only perform attacks against systems where the owner has given you permission. Failure to do so could result in criminal penalties, depending on the legislation in your country. Moreover, make sure that you coordinate your tests and do not unexpectedly interfere with or block a service that other people are using.</span><br />
<br />
 <br />
<blockquote class="mycode_quote"><cite>Quote:</cite><span style="font-weight: bold;" class="mycode_b">Prerequisites - Installation</span><br />
<br />
<span style="font-weight: bold;" class="mycode_b">Prerequisites</span><br />
<br />
The Metasploit Framework is a console application and nmap is executed from the command line. Therefore you should have basic knowledge in this area (e.g. bash).<br />
<br />
<span style="font-weight: bold;" class="mycode_b">Installation</span><br />
<br />
You can download the Metasploit Framework from <a href="https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers" target="_blank" rel="noopener" class="mycode_url">here</a> and install it afterwards.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">Caution</span>: Antivirus software and firewalls sometimes detect the files as malware, because they contain code that is also found in malicious software.<br />
<br />
Therefore, you should either disable these protection components or configure them so that they do not prevent the use of the Metasploit Framework.<br />
<br />
When installing the Metasploit Framework, related tools (including nmap) are also installed, so no further installation is needed for our example.<br />
<br />
Alternatively, you can use <a href="https://www.kali.org/downloads/" target="_blank" rel="noopener" class="mycode_url">Kali Linux</a>, a Linux distribution that has many offensive security tools pre-installed. The Metasploit Framework and nmap are among them. When using Kali Linux, be aware that some EDR solutions are sensitive to the default hostname of a Kali system and trigger an alarm.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">Convenient:</span> Kali Linux is available as a virtual machine for VirtualBox or VMware, so you do not have to install a whole new system.</blockquote>
<br />
<span style="font-weight: bold;" class="mycode_b">Metasploit Framework</span><br />
<br />
The Metasploit framework has a modular structure. The modules can be divided into different categories, which are combined in various ways.<br />
<br />
Three of the categories are briefly explained below:<br />
<br />
<span style="font-weight: bold;" class="mycode_b">1. Auxiliaries:</span> This includes auxiliary tools such as scanners, fuzzers, etc., which are used to detect which services are running on a target system and whether vulnerabilities are present.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">2. Exploits:</span> Exploits, like the name says, include all modules that can be used to exploit vulnerabilities. These range from denial-of-service exploits that block a service to remote code execution exploits that allow an attacker to execute arbitrary code on the target system.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">3. Payloads:</span> Payloads can be used in exploits to execute code and establish a connection between the attacker and the target system. This is usually done via a shell. Payloads can be used to control which type of shell is used in which way. There are two basic distinctions:<br />
<br />
<span style="font-weight: bold;" class="mycode_b">3.1 Staged vs. non-staged payload</span><br />
<br />
For some exploits, the size of the usable payload is limited. This can imply that a staged payload has to be used. In this case, only a small piece of code (stager) is transmitted to the target system. Then a connection back to the attacker is established via the stager. Finally, further payloads (stages) are received and executed.<br />
<br />
Non-staged payloads, on the other hand, are self-contained and come with all the required code. Therefore, they are larger, but at the same time more stable, i.e. they function more reliably because no further dependencies exist.<br />
<br />
The two different types can be easily recognized by the module name. Staged payloads contain one "/" more, while non-staged payloads have an underscore "_" at the corresponding position.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">Examples:</span><br />
<br />
staged: <span style="font-style: italic;" class="mycode_i">windows/x64/shell/reverse_tcp</span><br />
non-staged: <span style="font-style: italic;" class="mycode_i">windows/x64/shell_reverse_tcp</span><br />
<br />
<span style="font-weight: bold;" class="mycode_b">3.2 Bind or reverse Shells</span><br />
<br />
When a bind shell is used, a service that listens on a specific port is started on the target system. The attacker then connects to this system via the specified port.<br />
<br />
Depending on the configuration of the target system, firewalls may block incoming network traffic so that the connection cannot be established via a bind shell. In addition, if the attacker and the target system are not on the same network, the target system's (private) IP address and ports may be changed by NAT, which also prevents the use of a bind shell.<br />
<br />
If, on the other hand, a reverse shell is chosen, a service is started on the attacker's device that listens on a specific port. The target system then connects back to the attacker.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">Examples:</span><br />
<br />
bind shell: windows/x64/shell_bind_tcp<br />
reverse shell: windows/x64/shell_reverse_tcp<br />
...</blockquote>
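To make the bind-versus-reverse distinction from the quoted article concrete, here is an added example for this thread (not code from the G DATA article and not from Metasploit). It simulates both session patterns on localhost with plain sockets: no shell is spawned, the "target" just answers one constructed command with a constructed reply. The only thing that differs between the two functions is which side calls accept() and which side calls connect(), which is exactly what a host firewall or NAT gateway decides on. A small helper also applies the article's naming rule to a payload path so the right pattern can be picked from a name such as windows/x64/shell_reverse_tcp.

```python
"""Bind shell vs reverse shell on loopback: who accepts the inbound TCP
connection? Added example, not G DATA's or Metasploit's code."""
import socket
import threading

COMMAND = b"whoami\n"          # constructed sample command
REPLY = b"desktop\\alice\n"    # constructed sample output
TIMEOUT = 5.0                  # keep a failed demo from hanging


def _listener() -> socket.socket:
    """Bind to an OS-chosen free port on loopback (port 0)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(TIMEOUT)
    sock.bind(("127.0.0.1", 0))
    sock.listen(1)
    return sock


def _answer(conn: socket.socket) -> None:
    """What the compromised host does once a session exists: receive a
    command and send back its output. A lookup stands in for cmd.exe / sh."""
    cmd = conn.recv(1024)
    conn.sendall(REPLY if cmd == COMMAND else b"unknown command\n")


def bind_shell_demo() -> dict:
    """Bind shell: the target listens, the attacker connects in.
    Inbound filtering or NAT in front of the target breaks this."""
    target = _listener()
    session = {}

    def target_side():
        conn, attacker_addr = target.accept()       # inbound on the TARGET
        with conn:
            _answer(conn)
        session["accepted_by"] = "target"
        session["peer"] = attacker_addr

    worker = threading.Thread(target=target_side)
    worker.start()
    with socket.create_connection(target.getsockname(), timeout=TIMEOUT) as attacker:
        attacker.sendall(COMMAND)
        session["output"] = attacker.recv(1024)
    worker.join(TIMEOUT)
    target.close()
    return session


def reverse_shell_demo() -> dict:
    """Reverse shell: the attacker listens (LHOST/LPORT in Metasploit terms)
    and the target connects back; an outbound connection that egress rules
    usually allow."""
    attacker = _listener()
    session = {}

    def target_side():
        with socket.create_connection(attacker.getsockname(), timeout=TIMEOUT) as conn:
            _answer(conn)                           # outbound from the TARGET

    worker = threading.Thread(target=target_side)
    worker.start()
    conn, target_addr = attacker.accept()           # inbound on the ATTACKER
    with conn:
        conn.sendall(COMMAND)
        session["output"] = conn.recv(1024)
    worker.join(TIMEOUT)
    attacker.close()
    session["accepted_by"] = "attacker"
    session["peer"] = target_addr
    return session


def classify_payload(name: str) -> dict:
    """Apply the article's naming rule to a payload path: 'shell/reverse_tcp'
    is staged, 'shell_reverse_tcp' is not; a 'bind' token means the target
    listens, a 'reverse' token means it connects back."""
    last = name.rsplit("/", 1)[-1]
    staged = last.startswith(("bind_", "reverse_"))
    direction = next((t for t in last.split("_") if t in ("bind", "reverse")), None)
    if direction is None:
        raise ValueError(f"no bind/reverse token in {name!r}")
    return {"staged": staged, "direction": direction}


def demo_for(payload_name: str) -> dict:
    """Run the session pattern that a payload name implies."""
    kind = classify_payload(payload_name)
    session = reverse_shell_demo() if kind["direction"] == "reverse" else bind_shell_demo()
    return {**kind, **session}


if __name__ == "__main__":
    for name in ("windows/x64/shell_bind_tcp", "windows/x64/shell/reverse_tcp"):
        print(name, demo_for(name))
```

One caveat on the naming rule: the "/" versus "_" convention holds for the windows/x64 shell and meterpreter payloads the article uses, but Metasploit's command-shell singles such as cmd/unix/reverse_bash also end in reverse_* while being non-staged, so confirm with `info` in msfconsole before relying on the staged flag.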
<a href="https://www.gdatasoftware.com/blog/2021/05/36810-perform-simple-security-tests-yourself-using-metasploit-framework-and-nmap" target="_blank" rel="noopener" class="mycode_url">Continue Reading</a>]]></description>
		</item>
		<item>
			<title><![CDATA[11 Biggest cyber security threats in 2021]]></title>
			<link>https://www.geeks.fyi/showthread.php?tid=14988</link>
			<pubDate>Fri, 07 May 2021 07:42:04 +0000</pubDate>
			<dc:creator><![CDATA[<a href="https://www.geeks.fyi/member.php?action=profile&uid=1322">harlan4096</a>]]></dc:creator>
			<guid isPermaLink="false">https://www.geeks.fyi/showthread.php?tid=14988</guid>
			<description><![CDATA[<blockquote class="mycode_quote"><cite>Quote:</cite><div style="text-align: center;" class="mycode_align"><img src="https://www.gdatasoftware.com/fileadmin/web/general/images/blog/2021/02/CyberSecurityThreatsLock.jpg" loading="lazy"  alt="[Image: CyberSecurityThreatsLock.jpg]" class="mycode_img" /></div>
<br />
<span style="font-style: italic;" class="mycode_i">Cyber security threats have persisted and continued to emerge over the last few years. By now you have probably heard about phishing, but did you know about polyglot files yet? This article offers a unique insight into the 11 biggest cyber security threats in 2021.</span><br />
<br />
<span style="font-weight: bold;" class="mycode_b">1. Phishing meets COVID-19</span><br />
<br />
In a <a href="https://www.gdatasoftware.com/blog/2018/05/30767-smart-phishing-defence" target="_blank" rel="noopener" class="mycode_url">phishing attack</a>, a digital message is sent to fool people into clicking a link inside of it. There are several possibilities for malicious actors to use such campaigns. Depending on the intention of the actor, harmful malware is installed or sensitive data is exposed.<br />
<br />
During the current Corona crisis, people are at home more often. Adding to that, employees are working from home more than ever before. This presents itself as a great breeding ground for cyber criminals.<br />
<br />
Phishing attacks are set up in a way that sends the victims to websites with fake information about the Coronavirus. Oftentimes, these sites use the user's system resources to earn cryptocurrency like Bitcoin - all without the approval of the user - <a href="https://www.gdatasoftware.com/blog/global-pandemic-remcos-tesla-netwire" target="_blank" rel="noopener" class="mycode_url">Read more</a>.<br />
 <br />
Be sure to give our <span style="font-weight: bold;" class="mycode_b"><a href="https://www.gdata.de/business/security-services/security-awareness-training" target="_blank" rel="noopener" class="mycode_url">security awareness trainings</a></span> a completely free try if you feel the healthy need to protect your work better!<br />
 <br />
<span style="font-weight: bold;" class="mycode_b">2. Clever ransomware?</span><br />
<br />
Due to its profitability, ransomware was present in 2020 and won't fade away anytime soon. Ransomware encrypts files on computers and asks the user for a ransom in return for the original files. The rise of cryptocurrencies like Bitcoin surely helped ransomware attacks, as it allows the malicious actor to be more anonymous.<br />
<br />
In the case of the <a href="https://www.gdatasoftware.com/blog/cyrat-ransomware" target="_blank" rel="noopener" class="mycode_url">Cyrat ransomware</a>, the ransomware was disguised as software to repair corrupted DLL files on the computer. In reality, parts of the system are encrypted during execution.<br />
<br />
In 2021 and onwards, it's possible that we will see more sophisticated attacks. Ransomware could ask for a dynamic ransom, depending on the environment in which it's executed. <span style="font-weight: bold;" class="mycode_b">For example, a ransomware running on a Mac could ask for a higher ransom than on a Windows machine.</span> That's because Mac setups usually cost more money than Windows setups. From this, an assumption about the relative net worth of a person behind such a setup can be made.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">3. Polyglot files - Just a .JPG, isn't it?</span><br />
<br />
Polyglot files are valid instances of multiple different file types. <span style="font-weight: bold;" class="mycode_b">A file can be both:</span> opened as an image with an image viewer or run as JavaScript within the browser.<br />
<br />
This method is already used in advertising fraud. It could get worse once no skills are required to build such malware. Specialized services could offer the creation of such files in return for a payment - <a href="https://www.cpomagazine.com/cyber-security/new-malvertising-attacks-highlight-growing-risk-of-ad-fraud/" target="_blank" rel="noopener" class="mycode_url">source</a>.<br />
<br />
Polyglot malware isn't limited to the web. In one case, a malicious JAR file was appended to the end of a Windows installer file (<span style="font-style: italic;" class="mycode_i">.MSI</span>). Security solutions that rely on Microsoft Windows code signing validation can be bypassed with this - <a href="https://blog.virustotal.com/2019/01/distribution-of-malicious-jar-appended.html" target="_blank" rel="noopener" class="mycode_url">source</a>.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">4. IoT attacks and the growing impact</span><br />
<br />
The Internet of Things (IoT) grows in connected devices by every year - <a href="https://www.statista.com/statistics/471264/iot-number-of-connected-devices-worldwide/" target="_blank" rel="noopener" class="mycode_url">source</a>. Forecasts suggest, that in 2025 the number of connected IoT devices will be more than 75 billion - Tripled from the year 2019.<br />
<br />
We get it, connected devices make living more comfortable. It's nice to wake up to an already made coffee, because your alarm clock is connected to the coffee machine. However, this convenience comes with a catch. <span style="font-weight: bold;" class="mycode_b">If IoT devices aren't properly secured, they could be open to bad actors.</span><br />
<br />
In 2020, we observed an <a href="https://www.gdatasoftware.com/blog/2020/08/36243-reverse-engineering-and-observing-an-iot-botnet" target="_blank" rel="noopener" class="mycode_url">IoT botnet</a>. The botnet was placed on vulnerable access control systems, which are commonly found in office buildings. You might have entered such a building with the swipe of your keycard before, without knowing that the system was infected.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">5. Social engineering and cryptocurrency</span><br />
<br />
In an attack that uses social engineering, technology is not the only focus. <span style="font-weight: bold;" class="mycode_b">Social engineering targets the human aspect. </span><a href="https://www.gdatasoftware.com/blog/biggest-security-threats-2021#c214350" target="_blank" rel="noopener" class="mycode_url">Phishing</a> is a prominent example of it. Social engineering can occur in any form in which sensitive information can be gathered - in an email, face to face or even via a phone call.<br />
<br />
<a href="https://www.gdatasoftware.com/blog/2021/03/36640-the-danger-inside-your-phone" target="_blank" rel="noopener" class="mycode_url">SIM swapping</a> is an attack where the bad actor gains access to the victim's SIM card. <span style="font-weight: bold;" class="mycode_b">Due to clever social engineering, the mobile carrier is tricked into thinking that the bad actor is the real customer.</span> If successful, the bad actor gets control of the SIM card and receives the text messages and phone calls. This attack is also used to gain access to social media accounts or cryptocurrency wallets.<br />
<br />
Social engineering can also rely purely on the social aspect. The service employee who comes to "fix your bad WiFi" might not be who you think they are. Companies usually make appointments with you upfront. It generally makes sense to decline such spontaneous appointments.<br />
...</blockquote>
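The appended-JAR case from section 3 of the quoted article, as an added example that is not part of the original post and not code from G DATA or VirusTotal: a Python check for an archive glued onto the end of a file of another type. A ZIP/JAR reader locates the archive from the back of the file (the end-of-central-directory record) and silently compensates for any foreign bytes in front of it, while the code-signing validation the article mentions parses the compound file from the front, so the same bytes are a valid installer to one parser and a valid JAR to the other. The script reads the file both ways: it identifies the leading magic, follows the ZIP trailer to the central directory, measures how much foreign data precedes the archive, lists the entries and flags a JAR manifest. The MSI stand-in (an OLE header padded to one 512-byte sector, not a real signed installer), the JAR contents and the small magic table are all constructed for this example.<br />
<br />
```python
import io
import struct
import zipfile

# Header magics: a small, hand-picked table for this example (not exhaustive).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # compound file: MSI, DOC, XLS
HEADER_MAGICS = [
    (OLE_MAGIC, "ole-compound"),
    (b"MZ", "pe"),
    (b"PK\x03\x04", "zip"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"GIF8", "gif"),
    (b"\x89PNG", "png"),
]
ZIP_EOCD = b"PK\x05\x06"   # end of central directory record: 22 bytes + comment
ZIP_CDFH = b"PK\x01\x02"   # central directory file header: 46 bytes + name/extra/comment


def header_type(data: bytes) -> str:
    """Identify the file by its leading magic, the way a front-to-back parser does."""
    for magic, name in HEADER_MAGICS:
        if data.startswith(magic):
            return name
    return "unknown"


def trailing_zip(data: bytes):
    """Find a ZIP archive the way ZIP/JAR readers do: from the end of the file.

    Returns (prefix_len, entry_names) or None. prefix_len is the number of
    foreign bytes in front of the archive; ZIP readers compensate for it
    silently, which is exactly what makes the appended-JAR trick work.
    """
    search_from = max(0, len(data) - 22 - 0xFFFF)   # EOCD plus maximum comment length
    idx = data.rfind(ZIP_EOCD, search_from)
    if idx < 0 or idx + 22 > len(data):
        return None
    _, _, _, entries, cd_size, cd_offset, _ = struct.unpack_from("<HHHHIIH", data, idx + 4)
    # cd_offset is relative to where the archive *thinks* it starts; the gap
    # between that and where the central directory actually sits is the prefix.
    prefix = idx - cd_size - cd_offset
    if prefix < 0:
        return None
    names = []
    pos = prefix + cd_offset
    for _ in range(entries):
        if data[pos:pos + 4] != ZIP_CDFH:
            return None
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        names.append(data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace"))
        pos += 46 + name_len + extra_len + comment_len
    return prefix, names


def classify(data: bytes) -> dict:
    """Combine the front-to-back and back-to-front views of the same bytes."""
    result = {"header": header_type(data), "appended_archive": False,
              "jar": False, "prefix": None, "entries": []}
    found = trailing_zip(data)
    if found:
        prefix, names = found
        result.update(appended_archive=prefix > 0,
                      jar="META-INF/MANIFEST.MF" in names,
                      prefix=prefix, entries=names)
    return result


def zip_reader_accepts(data: bytes) -> list:
    """What the stdlib ZIP reader (and likewise a JVM's JAR loader) sees in the file."""
    try:
        return zipfile.ZipFile(io.BytesIO(data)).namelist()
    except zipfile.BadZipFile:
        return []


def build_jar() -> bytes:
    """Constructed sample JAR: a manifest plus a placeholder class entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nMain-Class: Dropper\n")
        z.writestr("Dropper.class", b"\xca\xfe\xba\xbe" + b"\x00" * 28)
    return buf.getvalue()


def build_polyglot() -> bytes:
    """Constructed stand-in for a signed MSI (OLE header padded to one 512-byte
    sector) with the JAR appended after it, mirroring the case in the article."""
    fake_msi = OLE_MAGIC + b"\x00" * (512 - len(OLE_MAGIC))
    return fake_msi + build_jar()


if __name__ == "__main__":
    sample = build_polyglot()
    print(classify(sample))
    print("zip reader sees:", zip_reader_accepts(sample))
```
<br />
A front-only check reports the sample as an OLE compound file and nothing else; the trailer walk reports a JAR sitting behind 512 bytes of foreign data, and the stdlib reader happily lists its entries. A non-zero prefix in front of a ZIP central directory is the signal worth alerting on, regardless of what the leading magic says.<br />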
<a href="https://www.gdatasoftware.com/blog/biggest-security-threats-2021" target="_blank" rel="noopener" class="mycode_url">Continue Reading</a>]]></description>
		</item>
		<item>
			<title><![CDATA[Creating a safer online world together with the Cybersecurity Tech Accord]]></title>
			<link>https://www.geeks.fyi/showthread.php?tid=14858</link>
			<pubDate>Wed, 21 Apr 2021 07:16:55 +0000</pubDate>
			<dc:creator><![CDATA[<a href="https://www.geeks.fyi/member.php?action=profile&uid=1322">harlan4096</a>]]></dc:creator>
			<guid isPermaLink="false">https://www.geeks.fyi/showthread.php?tid=14858</guid>
			<description><![CDATA[<blockquote class="mycode_quote"><cite>Quote:</cite><div style="text-align: center;" class="mycode_align"><img src="https://www.gdatasoftware.com/fileadmin/user_upload/Presse/Deutschland/2021/04/G_DATA_Blog_Serverroom_Header.png" loading="lazy"  alt="[Image: G_DATA_Blog_Serverroom_Header.png]" class="mycode_img" /></div>
<br />
At G DATA we always provide our customers with the confidence that our solutions meet high standards to operate safely throughout their lifecycle worldwide. Our cyber security products have always produced many highlights like Anti-Ransomware, Beast, DeepRay and a lot of other technologies that give our customers a significant advantage.<br />
<br />
To make the world a more cyber-secure place for everyone, we have always been working together with organizations within our industry and beyond. Collaboration between academia and industry is a very important aspect of our approach to cyber security. We <a href="https://www.gdatasoftware.com/blog/2018/11/31266-g-data-joins-the-cybersecurity-tech-accord" target="_blank" rel="noopener" class="mycode_url">expanded</a> our cybersecurity partnerships in 2018 with the addition of the <a href="https://cybertechaccord.org/" target="_blank" rel="noopener" class="mycode_url">Cybersecurity Tech Accord</a> to our partner network. A big milestone for the organization is that in 2021 it reached over <a href="https://cybertechaccord.org/cybersecurity-tech-accord-celebrates-over-150-signatories/" target="_blank" rel="noopener" class="mycode_url">150 members worldwide</a>.<br />
<br />
By joining the organization, G DATA committed itself to put the protection of all customers and users in the foreground and to refrain from cyber attacks on citizens and companies. This has been our policy for more than 30 years and we are pleased to be able to renew this promise on an international scale. For us, this also includes comprehensive cooperation with other IT security companies. This has been common practice in the antivirus industry for many years.  <br />
<br />
<span style="font-weight: bold;" class="mycode_b">Cybersecurity Tech Accord objectives</span><br />
<br />
Through a shared commitment and collective action, signatories of the Cyber Tech Accord aim to more effectively: <ul class="mycode_list"><li>Provide their customers, users and the developer ecosystem with information and tools that enable them to understand current and future threats and better protect themselves.  <br />
</li>
<li>Protect their customers and users everywhere by designing, developing and delivering products and services that prioritize security, privacy, integrity and reliability, and in turn reduce the likelihood, frequency, exploitability and severity of vulnerabilities. <br />
</li>
<li>Work with each other and likeminded groups to enhance cybersecurity best practices, such as improving technical collaboration, coordinated vulnerability disclosure and threat sharing, as well as ensuring flexible responses for the wider global technology ecosystem. <br />
</li>
<li>Oppose efforts to attack citizens and enterprises by protecting against exploitation of technology products and services during their development, design, distribution and use. <br />
</li>
</ul>
G DATA has actually been actively participating in every aspect from the beginning, as it was indeed part of our G DATA policies for the past 30 years. <br />
<br />
<span style="font-weight: bold;" class="mycode_b">Several security side aspects</span><br />
<br />
Several security aspects, like cyber hygiene and IoT security, are already very well highlighted on their site, and all members participate in them. But there seems to be another aspect which really became another Cyber Tech Accord milestone in 2021. The Cybersecurity Tech Accord’s first principle commits its signatories to design, develop, and deliver products and services that prioritize security, privacy, integrity and reliability. In upholding this principle the group has, from its <a href="https://cybertechaccord.org/supports-gfce-call-for-cvd/" target="_blank" rel="noopener" class="mycode_url">outset</a>, promoted the adoption of vulnerability disclosure policies by companies throughout the technology industry. In 2019, the Cyber Tech Accord went a step further and <a href="https://cybertechaccord.org/leading-by-example-cybersecurity-tech-accord-welcomes-new-signatories-and-agrees-to-implement-vulnerability-disclosure-policies-across-the-group/" target="_blank" rel="noopener" class="mycode_url">committed</a> to having every Cybersecurity Tech Accord signatory work towards having their own vulnerability disclosure policy in place to better protect users and customers. In 2021, over 100 companies created a vulnerability disclosure policy and page on their website.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">G DATA’s vulnerability disclosure page</span><br />
<br />
Needless to say that we also developed a vulnerability disclosure policy and page on our website. You can find the English version <a href="https://www.gdatasoftware.com/vulnerability-disclosure" target="_blank" rel="noopener" class="mycode_url">here</a> and the German version <a href="https://www.gdata.de/sicherheitsluecke-melden" target="_blank" rel="noopener" class="mycode_url">here</a>. <br />
<br />
Companies in the technology world develop and implement this policy for resolving known vulnerabilities to keep users and customers safe. Vulnerability disclosure policies are vital because they are at the heart of a collaborative approach to cyber security. No organization can meet cyber security challenges alone, so sharing and accepting information is critical to improving our cyber security measures. Vulnerability disclosure policies create a pathway for organizations or individuals to report vulnerabilities to the relevant entity. And above all, this reporting initiates a process that ensures the vulnerability is addressed and any risks or potential harm to users can be efficiently mitigated. The Cybersecurity Tech Accord is very proud of the increased adoption of CVD (Coordinated Vulnerability Disclosure) policies, as it demonstrates the commitment to one of their principles. <br />
<br />
<span style="font-weight: bold;" class="mycode_b">A safer online world</span><br />
<br />
As a member of the Cybersecurity Tech Accord, we’re demonstrating our commitment to strengthening cybersecurity and sharing the best practices we’ve developed on how to act securely and stay safe online. An increasingly connected world needs trusted environments. A system, however, is only as secure as its weakest link, and unfortunately that is mostly the human factor. It’s good to see that with our <a href="https://www.gdatasoftware.com/business/security-awareness-training" target="_blank" rel="noopener" class="mycode_url">Security Awareness trainings</a> the awareness of users is really improving. By working together with the Cybersecurity Tech Accord over the next years, I’m pretty sure that there will be improvement on both the technical and the human side worldwide in the coming years. And I’m also sure it will finally help to create a safer online world.  <br />
...</blockquote>
<a href="https://www.gdatasoftware.com/blog/2021/04/36751-creating-a-safer-online-world-together-with-the-cybersecurity-tech-accord" target="_blank" rel="noopener" class="mycode_url">Continue Reading</a>]]></description>
		<item>
			<title><![CDATA[To patch or not to patch]]></title>
			<link>https://www.geeks.fyi/showthread.php?tid=14857</link>
			<pubDate>Wed, 21 Apr 2021 07:13:21 +0000</pubDate>
			<dc:creator><![CDATA[<a href="https://www.geeks.fyi/member.php?action=profile&uid=1322">harlan4096</a>]]></dc:creator>
			<guid isPermaLink="false">https://www.geeks.fyi/showthread.php?tid=14857</guid>
			<description><![CDATA[<blockquote class="mycode_quote"><cite>Quote:</cite><div style="text-align: center;" class="mycode_align"><img src="https://www.gdatasoftware.com/fileadmin/user_upload/Presse/Deutschland/2021/04/G_DATA_Blog_ExchangeLupe_Header.png" loading="lazy"  alt="[Image: G_DATA_Blog_ExchangeLupe_Header.png]" class="mycode_img" /></div>
<br />
<span style="font-style: italic;" class="mycode_i">As the infosec world was in turmoil following a total of seven zero-day vulnerabilities in MS Exchange and the so-called Hafnium attack, one thing came to my mind - and it sort of left me thinking: For the past 20 years, patches have been a constantly recurring topic of discussion. And just as we all patched our MS Exchange servers, we need to do it again.</span><br />
<br />
This week Microsoft is <a href="https://techcommunity.microsoft.com/t5/exchange-team-blog/released-april-2021-exchange-server-security-updates/ba-p/2254617" target="_blank" rel="noopener" class="mycode_url">warning</a> organizations again about two new critical vulnerabilities in Exchange Server 2013, 2016 and 2019 that would allow an attacker to remotely take over vulnerable servers. As far as is known, the security vulnerabilities have not yet been exploited, but Microsoft is taking into account that this will happen. The vulnerabilities, identified as CVE-2021-28480 and CVE-2021-28481, were both rated 9.8 on a scale of 1 to 10 in terms of severity. The US intelligence agency NSA discovered and reported the security flaws to Microsoft. However, researchers at the tech company had also found the vulnerabilities independently of the NSA.<br />
<br />
The one constant that keeps reappearing throughout any current discussion on a critical security flaw is the speed with which vulnerable systems are being patched. In the case of Hafnium, tens of thousands of systems all over the world remained unpatched even over a week after the news first broke – and now, a month later, we are only beginning to see the effects of some of the attacks, where ransomware was deployed. Similar reports exist in many of the high-profile security flaws in recent years. The reasons for delays in deploying critical updates have been roughly the same for decades now: The deployment process is non-trivial, patches require testing before going into production or an update is not perceived as being that critical for the organization for various reasons.<br />
<br />
In recent years, this situation was not helped by the ever-increasing frequency and volume with which updates and patches are being issued. Much to the chagrin of many administrators, companies like Microsoft have ramped up their activities to two major updates per year. This has led to situations where administrators have just finished ironing out the kinks that surfaced during the deployment, by which time the next major update is just around the corner.<br />
<br />
This would be a challenging situation as it is – but in most organizations, there are loads of other applications that require updates. And this is where the trouble starts: Not every update is compatible with every other update. In most cases IT management just assumes that administrators 'just do updates on the side' and perceives it as part and parcel of the IT team’s daily work. This is often not too far from the truth. But in practice, the job of keeping all software up to date often gets buried under a load of other obligations. And let’s be honest: Installing updates is not the most exciting and fun activity in the world.<br />
<br />
IT departments that are consistently understaffed then become the straw that breaks the camel’s back: They simply cannot keep up with the pace.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">It’s not only about patching</span><br />
<br />
At this point we need to take a step back. One might gain the impression that security is all about updates and patches. And while those are an undoubtedly critical component in the security chain, they are not everything. Remember, security must have no single points of failure. It is important to realise that patch management is no guarantee for a safe network. In addition to <a href="https://www.gdatasoftware.com/patchmanagement" target="_blank" rel="noopener" class="mycode_url">patch management</a>, measures such as multi-factor authentication, firewalls, IPS, encryption, a well-designed <a href="https://www.gdatasoftware.com/business/endpoint-security" target="_blank" rel="noopener" class="mycode_url">antivirus endpoint security system</a> with the latest AI technologies and repetitive <a href="https://www.gdatasoftware.com/business/security-awareness-training" target="_blank" rel="noopener" class="mycode_url">security awareness trainings</a> are indispensable. No one component can guarantee an organization’s security. Security is always the result of a combination of several factors. Equally, a breach in security should always require multiple components to fail. A complete breakdown of security due to one single action or factor is a clear indicator that things have gone seriously awry.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">What do we do now?</span><br />
<br />
One of the most important reasons stated for not implementing a patch or update immediately is the lack of a test environment in some organizations. An often-heard problem is that companies have experienced problems in the past when patching a critical application. The result is that they are reluctant to roll out patches quickly and want to test the patches extensively in advance, in order to minimize any negative impact on the everyday business. This seemingly mundane fact underlines one stark reality: Organizations are less afraid of a security breach than they are of things breaking due to issues with a patch or update.<br />
<br />
This is not a good situation. Organizations need to establish clear guidelines about what to patch and how – and also when. The CVSS system is a good starting point. Based on this, any updates that are critical for security can (and should) be fast-tracked in every way possible. While I do not suggest foregoing testing altogether for critical patches, the time that an organization takes to test a patch should be kept as short as possible. Ultimately, the goal should be to deploy critical patches within a couple of days maximum. In the meantime, any workarounds or remediation strategies that can be utilized should be evaluated and put in place if at all possible.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">Tools, techniques and procedures</span><br />
<br />
Unfortunately, there is also the fact that especially small companies just don’t have the necessary tools at hand to see which patches are available. For example, they can see that a patch is available for Windows, but they might not be aware that patches have been released for other applications. This requires a lot of manual adjusting and more legwork than should be required. Some of this can be remediated by acquiring the right tools, in the shape of a patch management solution.<br />
<br />
Yet, even if tools and priorities are taken care of, there are still opportunities for wrenches being thrown into the works: Shadow IT. The term includes any “nonstandard” software, i.e. programs that are not on the roster of programs otherwise used by the organization. Those might be programs on employee devices, which were installed by the employees themselves. And even if they are worthwhile and useful programs to have: If the IT department is not aware of it, patches of that software are just missed – including patches that might turn out to be critical. So if a “nonstandard” program is useful enough and has a valid reason to be used, it might be a good idea to add it to the organization’s software catalog.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">Future of patching</span><br />
<br />
For the foreseeable future, humans will remain involved in programming and will therefore be making mistakes in the billions of lines of software code. We will therefore also continue to see patching as the necessary evil. However: I do see an increase in automatic patching, even for critical patches, as a possible solution within the coming years for every OS. That will not resolve the problem of zero-day vulnerabilities as this could become maybe the bigger problem in the coming years. Now that maybe millions of lines of programming code were stolen in the <a href="https://www.gdatasoftware.com/blog/hafnium-spying-on-your-exchange-server" target="_blank" rel="noopener" class="mycode_url">Hafnium</a> and the <a href="https://krebsonsecurity.com/tag/solarwinds-breach/" target="_blank" rel="noopener" class="mycode_url">Solarwinds</a> attacks we can’t really deny that zero-day weaknesses could become a bigger trend that warrants a lot quicker action than many companies today are set up to deliver.<br />
...</blockquote>
<a href="https://www.gdatasoftware.com/blog/2021/04/36754-to-patch-or-not-to-patch" target="_blank" rel="noopener" class="mycode_url">Continue Reading</a>]]></description>
			<content:encoded><![CDATA[<blockquote class="mycode_quote"><cite>Quote:</cite><div style="text-align: center;" class="mycode_align"><img src="https://www.gdatasoftware.com/fileadmin/user_upload/Presse/Deutschland/2021/04/G_DATA_Blog_ExchangeLupe_Header.png" loading="lazy"  alt="[Image: G_DATA_Blog_ExchangeLupe_Header.png]" class="mycode_img" /></div>
<br />
<span style="font-style: italic;" class="mycode_i">As the infosec world was in turmoil following a total of seven zero-day vulnerabilities in MS Exchange and the so-called Hafnium attack, one thing came to my mind - and it sort of left me thinking: For the past 20 years, patches have been a constantly recurring topic of discussion. And as we all just patched our MS Exchange servers we need to do it again.</span><br />
<br />
This week Microsoft is <a href="https://techcommunity.microsoft.com/t5/exchange-team-blog/released-april-2021-exchange-server-security-updates/ba-p/2254617" target="_blank" rel="noopener" class="mycode_url">warning</a> organizations again about two new critical vulnerabilities in Exchange Server 2013, 2016 and 2019 that would allow an attacker to remotely take over vulnerable servers. As far as is known, the security vulnerabilities have not yet been exploited, but Microsoft is taking into account that this will happen. The vulnerabilities, identified as CVE-2021-28480 and CVE-2021-28481, were both rated 9.8 on a scale of 1 to 10 in terms of severity. The US intelligence agency NSA discovered and reported the security flaws to Microsoft. However, researchers at the tech company had also found the vulnerabilities independently of the NSA.<br />
<br />
The one constant that keeps reappearing throughout any current discussion on a critical security flaw is the speed with which vulnerable systems are being patched. In the case of Hafnium, tens of thousands of systems all over the world remained unpatched even over a week after the news first broke – and now, a month later, we are only beginning to see the effects of some of the attacks, where ransomware was deployed. Similar reports exist in many of the high-profile security flaws in recent years. The reasons for delays in deploying critical updates have been roughly the same for decades now: The deployment process is non-trivial, patches require testing before going into production or an update is not perceived as being that critical for the organization for various reasons.<br />
<br />
In recent years, this situation was not helped by the ever-increasing frequency and volume with which updates and patches are being issued. Much to the chagrin of many administrators, companies like Microsoft have ramped up their activities to two major updates per year. This has led to situations where administrators have just finished ironing out the kinks that surfaced during the deployment, by which time the next major update is just around the corner.<br />
<br />
This would be a challenging situation as it is – but in most organizations, there are loads of other applications that require updates. And this is where the trouble starts: Not every update is compatible with every other update. In most cases IT management just assumes that administrators 'just do updates on the side' and perceive it as part and parcel of the IT team’s daily work. This is often not too far from the truth. But in practice, the job of keeping all software up to date often gets buried under a load of other obligations. And let’s be honest: Installing updates is not the most exciting and fun activity in the world.<br />
<br />
IT departments that are consistently understaffed then become the straw that breaks the camel’s back: They simply cannot keep up with the pace.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">It’s not only about patching</span><br />
<br />
At this point we need to take a step back. One might gain the impression that security is all about updates and patches. And while those are an undoubtedly critical component in the security chain, they are not everything. Remember, security must have no single points of failure. It is important to realise that patch management is no guarantee for a safe network. In addition to <a href="https://www.gdatasoftware.com/patchmanagement" target="_blank" rel="noopener" class="mycode_url">patch management</a>, measures such as multi-factor authentication, firewalls, IPS, encryption, a well-designed <a href="https://www.gdatasoftware.com/business/endpoint-security" target="_blank" rel="noopener" class="mycode_url">antivirus endpoint security system</a> with the latest AI technologies and repetitive <a href="https://www.gdatasoftware.com/business/security-awareness-training" target="_blank" rel="noopener" class="mycode_url">security awareness trainings</a> are indispensable. No one component can guarantee an organization’s security. Security is always the result of a combination of several factors. Equally, a breach in security should always require multiple components to fail. A complete breakdown of security due to one single action or factor is a clear indicator that things have gone seriously awry.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">What do we do now?</span><br />
<br />
One of the most important reasons stated for not implementing a patch or update immediately is the lack of a test environment in some organizations. An often-heard problem is that companies have experienced problems in the past when patching a critical application. The result is that they are reluctant to roll out patches quickly and want to test the patches extensively in advance, in order to minimize any negative impact on the everyday business. This seemingly mundane fact underlines one stark reality: Organizations are less afraid of a security breach than they are of things breaking due to issues with a patch or update.<br />
<br />
This is not a good situation. Organizations need to establish clear guidelines about what to patch and how – and also when. The CVSS system is a good starting point. Based on this, any updates that are critical for security can (and should) be fast-tracked in every way possible. While I do not suggest foregoing testing altogether for critical patches, the time that an organization takes to test a patch should be kept as short as possible. Ultimately, the goal should be to deploy critical patches within a couple of days maximum. In the meantime, any workarounds or remediation strategies that can be utilized should be evaluated and put in place if at all possible.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">Tools, techniques and procedures</span><br />
<br />
Unfortunately, there is also the fact that especially small companies just don’t have the necessary tools at hand to see which patches are available. For example, they can see that a patch is available for Windows, but they might not be aware that patches have been released for other applications. This requires a lot of manual adjusting and more legwork than should be required. Some of this can be remediated by acquiring the right tools, in the shape of a patch management solution.<br />
<br />
Yet, even if tools and priorities are taken care of, there are still opportunities for wrenches being thrown into the works: Shadow IT. The term includes any “nonstandard” software, i.e. programs that are not on the roster of programs otherwise used by the organization. Those might be programs on employee devices, which were installed by the employees themselves. And even if they are worthwhile and useful programs to have: If the IT department is not aware of it, patches of that software are just missed – including patches that might turn out to be critical. So if a “nonstandard” program is useful enough and has a valid reason to be used, it might be a good idea to add it to the organization’s software catalog.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">Future of patching</span><br />
<br />
For the foreseeable future, humans will remain involved in programming and will therefore be making mistakes in the billions of lines of software code. We will therefore also continue to see patching as the necessary evil. However: I do see an increase in automatic patching, even for critical patches, as a possible solution within the coming years for every OS. That will not resolve the problem of zero-day vulnerabilities as this could become maybe the bigger problem in the coming years. Now that maybe millions of lines of programming code were stolen in the <a href="https://www.gdatasoftware.com/blog/hafnium-spying-on-your-exchange-server" target="_blank" rel="noopener" class="mycode_url">Hafnium</a> and the <a href="https://krebsonsecurity.com/tag/solarwinds-breach/" target="_blank" rel="noopener" class="mycode_url">Solarwinds</a> attacks we can’t really deny that zero-day weaknesses could become a bigger trend that warrants a lot quicker action than many companies today are set up to deliver.<br />
...</blockquote>
<a href="https://www.gdatasoftware.com/blog/2021/04/36754-to-patch-or-not-to-patch" target="_blank" rel="noopener" class="mycode_url">Continue Reading</a>]]></content:encoded>
		</item>
		<item>
			<title><![CDATA[SIM swapping: The danger inside your phone]]></title>
			<link>https://www.geeks.fyi/showthread.php?tid=14815</link>
			<pubDate>Fri, 16 Apr 2021 07:07:07 +0000</pubDate>
			<dc:creator><![CDATA[<a href="https://www.geeks.fyi/member.php?action=profile&uid=1322">harlan4096</a>]]></dc:creator>
			<guid isPermaLink="false">https://www.geeks.fyi/showthread.php?tid=14815</guid>
			<description><![CDATA[<blockquote class="mycode_quote"><cite>Quote:</cite><div style="text-align: center;" class="mycode_align"><img src="https://www.gdatasoftware.com/fileadmin/user_upload/Presse/Deutschland/2021/02/SIM-Swapping-header-2.jpg" loading="lazy"  alt="[Image: SIM-Swapping-header-2.jpg]" class="mycode_img" /></div>
<br />
<span style="font-style: italic;" class="mycode_i">SIM swapping targets people from various areas of life. A taxi driver is technically not less vulnerable to this attack than a business owner. In this article we cover how it works, offer prevention measures and present tips if you're being SIM swapped right now.</span><br />
<br />
<span style="font-weight: bold;" class="mycode_b">What is SIM swapping?</span><br />
<br />
SIM swapping is also known as SIM hijacking and SIM splitting. <span style="font-weight: bold;" class="mycode_b">It's a method where malicious actors take over a variety of accounts by tricking mobile carriers</span>. The actor uses <a href="https://www.gdatasoftware.com/guidebook/what-actually-is-social-engineering" target="_blank" rel="noopener" class="mycode_url">social engineering</a> to gather information about the victim.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">Here is how it works:</span> Once the fraudster has collected enough information, the victim's mobile carrier is contacted. During the conversation, it's typical that the fraudster presents themselves as the victim. The crook asks to port the victim's phone number to a SIM card under the control of the crook. A reason presented to the mobile carrier could be lost access to the phone. The security questions asked by the mobile carrier employee are answered by the fraudster with the previously gathered information about the victim.<br />
<br />
In the final step, the crook needs to get access to the new SIM card sent out by the mobile carrier. This is either done by the use of further social engineering to change the victim's address or being physically at the victim's place to catch incoming post from the postman.<br />
<br />
After the whole procedure is done, the actor now receives the victim's calls and text messages. The victim loses access to the phone number.<br />
 <br />
<span style="font-weight: bold;" class="mycode_b">Note: </span>The feature to port a telephone number to a different SIM is a convenient feature when a customer has lost the device or simply wants to switch the service to a new phone. The feature is not fraudulent per se!<br />
<br />
<span style="font-weight: bold;" class="mycode_b">Am I being SIM swapped?</span><br />
<br />
Do you feel that you're a victim of a SIM swap attack? Then you should act quickly by contacting your mobile carrier and resolve the issue together. Sometimes this isn't easy to spot as we're all busy with our daily lives.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">Here are 3 signs that may tell if you might be SIM swapped:</span><br />
<ol type="1" class="mycode_list"><li><span style="font-weight: bold;" class="mycode_b">Calls and texts don't work: </span>You don't receive the planned call by your relative that night. Furthermore, you don't receive the "Sorry, I'm late" message and can't contact the relative on your own either. This is a huge warning sign.<br />
</li>
<li><span style="font-weight: bold;" class="mycode_b">Unusual activity: </span>You may get mail notifications about logins from new devices by services like Google and Facebook. You want to prevent further damage here first (call your mobile carrier)!<br />
</li>
<li><span style="font-weight: bold;" class="mycode_b">Lost account access: </span>Login to a service like Facebook isn't possible anymore? Final warning sign, but better late than never.<br />
</li>
</ol>
<span style="font-weight: bold;" class="mycode_b">Cases of SIM swapping attacks</span><br />
<br />
<span style="font-weight: bold;" class="mycode_b">Twitter's CEO Jack Dorsey: </span>The actor successfully took over the Twitter account of Jack Dorsey. After the takeover, offensive messages about Nazi Germany were seen on the account. The actor had approximately 20 minutes of control over the account and was able to see private messages as well - everything the real owner is usually able to see - <a href="https://www.wired.com/story/jack-dorsey-twitter-hacked/" target="_blank" rel="noopener" class="mycode_url">source</a>.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">5000 victims: </span>A SIM swap scam targeted over 5000 victims in Brazil. The scam affected citizens, politicians and even governors. Online banking customers reported losses of up to 50'000&#36; from their bank accounts. - <a href="https://securelist.com/large-scale-sim-swap-fraud/90353/" target="_blank" rel="noopener" class="mycode_url">source</a>.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">24'000'000&#36; lost: </span>In the case of Michael Terpin, the actor took over crypto wallets with the help of a SIM swap attack on the service provider AT&amp;T. In a lawsuit, AT&amp;T argued that there is no clear connection between his subscription and the theft. Up until today, the case is still open. - <a href="https://www.zdnet.com/article/at-t-fails-to-have-24-million-sim-swap-attack-lawsuit-dismissed/" target="_blank" rel="noopener" class="mycode_url">source</a>.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">Case study: </span>When targeting crypto asset owners, SIM swapping can be very lucrative. In a <a href="https://blog.chainalysis.com/reports/sim-swap-attacks" target="_blank" rel="noopener" class="mycode_url">blog post</a> by Chainalysis, the flow of the funds after a SIM swap fraud is shown. The funds partially ended up on exchanges with regulations in place. This means that those exchanges have information about the customers who received those funds, which is very valuable information in a lawsuit.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">8 men arrested: </span>This story happened more recently on 11 February 2021. Criminals hijacked social media accounts from well-known people. The intention was to steal money, cryptocurrency and address books. - <a href="https://www.tripwire.com/state-of-security/security-data-protection/eight-men-arrested-following-celebrity-sim-swapping-attacks/" target="_blank" rel="noopener" class="mycode_url">source</a>.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">What can I do in case I was SIM swapped?</span><br />
<br />
<span style="font-weight: bold;" class="mycode_b">The most important thing is to act fast.</span> If you have reason to believe that you have been SIM-swapped, speed is of the essence. Since your phone number often effectively doubles as a password, any accounts that are linked to your phone number should be deactivated to prevent abuse. Here are a number of things you might want to do immediately:<ul class="mycode_list"><li>From a trusted device, log on to all the accounts you have in any way linked to your phone number. Locate and use the "<span style="font-weight: bold;" class="mycode_b">log out of all active sessions</span>" option, if it is at all available.<br />
</li>
<li><span style="font-weight: bold;" class="mycode_b">Change passwords to those accounts immediately.</span><br />
</li>
<li>Remove the phone number from your account, e.g. if you have enabled two-factor authentication via text message.<br />
</li>
<li>If you are using any mobile banking,<span style="font-weight: bold;" class="mycode_b"> contact your bank and ask them to deactivate online or mobile banking</span> for your account. <span style="font-weight: bold;" class="mycode_b">Make sure you explicitly state that your SIM card may have been compromised</span>. Failing that, a last resort might be to deliberately perform multiple failed logins on your online banking platform. This usually leads to access to the account being locked until you contact your bank. At the very least you will get a temporary lockout.<br />
</li>
<li><span style="font-weight: bold;" class="mycode_b">Contact your mobile carrier.</span> It is usually best to walk into a brick-and-mortar store to settle this. Make sure to bring a valid photo ID and - if possible - a copy of your latest monthly invoice.<br />
</li>
</ul>
<span style="font-weight: bold;" class="mycode_b">How to prevent a SIM swap attack?</span><br />
<br />
<span style="font-weight: bold;" class="mycode_b">SIM swap attacks can be prevented if you limit information you share online.</span> If you don't share your complete name, telephone number or address, fraudsters have a hard time completing your security questions when calling the service carrier you're using. Another useful tip here: You do not necessarily need to provide "real" information to your security questions. For instance, you could put in your favourite holiday destination instead of your city of birth.<br />
<br />
Sure, using the real information makes it easier to remember. But with the huge wealth of data that is to be found online these days, it is not always that hard to find things like a pet's name or your mother's maiden name or your place of birth etc. The downside is: you have to keep tabs on which information you provided where. Conveniently enough, you can use a password manager to do that. Some even have a dedicated "secure notes" function for exactly this sort of thing. <span style="font-weight: bold;" class="mycode_b">And using a password manager is also generally a good idea</span>.<br />
<br />
We advise to stop using phone calls or SMS for two-factor authentication. Sure, it is better than nothing - but both text messages as well as calls can be faked easily. The gold standard would be to <span style="font-weight: bold;" class="mycode_b">use authentication apps or hardware-based authentication devices.</span> With that you're making sure that you don't rely on another party to authorize yourself.<br />
<br />
Be aware of <a href="https://www.gdatasoftware.com/blog/2018/05/30767-smart-phishing-defence" target="_blank" rel="noopener" class="mycode_url">phishing</a>. You have already stopped sharing too much sensitive information online? Good. The next discipline to master is to be cautious of mails requiring personal information from you. In that case it's best to check for the real number of the service the mail is from and call them about this issue directly. And remember: information that might have leaked online already has to be considered "public", at least to a degree. Anyone with enough motivation can find it - sometimes months or even years down the line. After all, how often do you change your phone number? So putting in additional safeguards is a wise thing to do.<br />
<br />
If you follow all this advice, you should be a lot safer!<br />
...</blockquote>
<a href="https://www.gdatasoftware.com/blog/2021/03/36640-the-danger-inside-your-phone" target="_blank" rel="noopener" class="mycode_url">Continue Reading</a>]]></description>
			<content:encoded><![CDATA[<blockquote class="mycode_quote"><cite>Quote:</cite><div style="text-align: center;" class="mycode_align"><img src="https://www.gdatasoftware.com/fileadmin/user_upload/Presse/Deutschland/2021/02/SIM-Swapping-header-2.jpg" loading="lazy"  alt="[Image: SIM-Swapping-header-2.jpg]" class="mycode_img" /></div>
<br />
<span style="font-style: italic;" class="mycode_i">SIM swapping targets people from various areas of life. A taxi driver is technically not less vulnerable to this attack than a business owner. In this article we cover how it works, offer prevention measures and present tips if you're being SIM swapped right now.</span><br />
<br />
<span style="font-weight: bold;" class="mycode_b">What is SIM swapping?</span><br />
<br />
SIM swapping is also known as SIM hijacking and SIM splitting. <span style="font-weight: bold;" class="mycode_b">It's a method where malicious actors take over a variety of accounts by tricking mobile carriers</span>. The actor uses <a href="https://www.gdatasoftware.com/guidebook/what-actually-is-social-engineering" target="_blank" rel="noopener" class="mycode_url">social engineering</a> to gather information about the victim.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">Here is how it works:</span> Once the fraudster has collected enough information, the victim's mobile carrier is contacted. During the conversation, it's typical that the fraudster presents themselves as the victim. The crook asks to port the victim's phone number to a SIM card under the control of the crook. A reason presented to the mobile carrier could be lost access to the phone. The security questions asked by the mobile carrier employee are answered by the fraudster with the previously gathered information about the victim.<br />
<br />
In the final step, the crook needs to get access to the new SIM card sent out by the mobile carrier. This is either done by the use of further social engineering to change the victim's address or being physically at the victim's place to catch incoming post from the postman.<br />
<br />
After the whole procedure is done, the actor now receives the victim's calls and text messages. The victim loses access to the phone number.<br />
 <br />
<span style="font-weight: bold;" class="mycode_b">Note: </span>The feature to port a telephone number to a different SIM is a convenient feature when a customer has lost the device or simply wants to switch the service to a new phone. The feature is not fraudulent per se!<br />
<br />
<span style="font-weight: bold;" class="mycode_b">Am I being SIM swapped?</span><br />
<br />
Do you feel that you're a victim of a SIM swap attack? Then you should act quickly by contacting your mobile carrier and resolve the issue together. Sometimes this isn't easy to spot as we're all busy with our daily lives.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">Here are 3 signs that may tell if you might be SIM swapped:</span><br />
<ol type="1" class="mycode_list"><li><span style="font-weight: bold;" class="mycode_b">Calls and texts don't work: </span>You don't receive the planned call by your relative that night. Furthermore, you don't receive the "Sorry, I'm late" message and can't contact the relative on your own either. This is a huge warning sign.<br />
</li>
<li><span style="font-weight: bold;" class="mycode_b">Unusual activity: </span>You may get mail notifications about logins from new devices by services like Google and Facebook. You want to prevent further damage here first (call your mobile carrier)!<br />
</li>
<li><span style="font-weight: bold;" class="mycode_b">Lost account access: </span>Login to a service like Facebook isn't possible anymore? Final warning sign, but better late than never.<br />
</li>
</ol>
<span style="font-weight: bold;" class="mycode_b">Cases of SIM swapping attacks</span><br />
<br />
<span style="font-weight: bold;" class="mycode_b">Twitter's CEO Jack Dorsey: </span>The actor successfully took over the Twitter account of Jack Dorsey. After the takeover, offensive messages about Nazi Germany were seen on the account. The actor had approximately 20 minutes of control over the account and was able to see private messages as well - everything the real owner is usually able to see - <a href="https://www.wired.com/story/jack-dorsey-twitter-hacked/" target="_blank" rel="noopener" class="mycode_url">source</a>.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">5000 victims: </span>A SIM swap scam targeted over 5000 victims in Brazil. The scam affected citizens, politicians and even governors. Online banking customers reported losses of up to 50'000&#36; from their bank accounts. - <a href="https://securelist.com/large-scale-sim-swap-fraud/90353/" target="_blank" rel="noopener" class="mycode_url">source</a>.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">24'000'000&#36; lost: </span>In the case of Michael Terpin, the actor took over crypto wallets with the help of a SIM swap attack on the service provider AT&amp;T. In a lawsuit, AT&amp;T argued that there is no clear connection between his subscription and the theft. Up until today, the case is still open. - <a href="https://www.zdnet.com/article/at-t-fails-to-have-24-million-sim-swap-attack-lawsuit-dismissed/" target="_blank" rel="noopener" class="mycode_url">source</a>.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">Case study: </span>When targeting crypto asset owners, SIM swapping can be very lucrative. In a <a href="https://blog.chainalysis.com/reports/sim-swap-attacks" target="_blank" rel="noopener" class="mycode_url">blog post</a> by Chainalysis, the flow of the funds after a SIM swap fraud is shown. The funds partially ended up on exchanges with regulations in place. This means that those exchanges have information about the customers who received those funds, which is very valuable information in a lawsuit.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">8 men arrested: </span>This story happened more recently on 11 February 2021. Criminals hijacked social media accounts from well-known people. The intention was to steal money, cryptocurrency and address books. - <a href="https://www.tripwire.com/state-of-security/security-data-protection/eight-men-arrested-following-celebrity-sim-swapping-attacks/" target="_blank" rel="noopener" class="mycode_url">source</a>.<br />
<br />
<span style="font-weight: bold;" class="mycode_b">What can I do in case I was SIM swapped?</span><br />
<br />
<span style="font-weight: bold;" class="mycode_b">The most important thing is to act fast.</span> If you have reason to believe that you have been SIM-swapped, speed is of the essence. Since your phone number often effectively doubles as a password, any accounts that are linked to your phone number should be deactivated to prevent abuse. Here are a number of things you might want to do immediately:<ul class="mycode_list"><li>From a trusted device, log on to all the accounts you have in any way linked to your phone number. Locate and use the "<span style="font-weight: bold;" class="mycode_b">log out of all active sessions</span>" option, if it is at all available.<br />
</li>
<li><span style="font-weight: bold;" class="mycode_b">Change passwords to those accounts immediately.</span><br />
</li>
<li>Remove the phone number from your account, e.g. if you have enabled two-factor authentication via text message.<br />
</li>
<li>If you are using any mobile banking,<span style="font-weight: bold;" class="mycode_b"> contact your bank and ask them to deactivate online or mobile banking</span> for your account. <span style="font-weight: bold;" class="mycode_b">Make sure you explicitly state that your SIM card may have been compromised</span>. Failing that, a last resort might be to deliberately perform multiple failed logins on your online banking platform. This usually leads to access to the account being locked until you contact your bank. At the very least you will get a temporary lockout.<br />
</li>
<li><span style="font-weight: bold;" class="mycode_b">Contact your mobile carrier.</span> It is usually best to walk into a brick-and-mortar store to settle this. Make sure to bring a valid photo ID and - if possible - a copy of your latest monthly invoice.<br />
</li>
</ul>
<span style="font-weight: bold;" class="mycode_b">How to prevent a SIM swap attack?</span><br />
<br />
<span style="font-weight: bold;" class="mycode_b">SIM swap attacks can be prevented if you limit information you share online.</span> If you don't share your complete name, telephone number or address, fraudsters have a hard time completing your security questions when calling the service carrier you're using. Another useful tip here: You do not necessarily need to provide "real" information to your security questions. For instance, you could put in your favourite holiday destination instead of your city of birth.<br />
<br />
Sure, using the real information makes it easier to remember. But with the huge wealth of data that is to be found online these days, it is not always that hard to find things like a pet's name or your mother's maiden name or your place of birth etc. The downside is: you have to keep tabs on which information you provided where. Conveniently enough, you can use a password manager to do that. Some even have a dedicated "secure notes" function for exactly this sort of thing. <span style="font-weight: bold;" class="mycode_b">And using a password manager is also generally a good idea</span>.<br />
<br />
We advise you to stop using phone calls or SMS for two-factor authentication. Sure, it is better than nothing - but both text messages as well as calls can be faked easily. The gold standard would be to <span style="font-weight: bold;" class="mycode_b">use authentication apps or hardware-based authentication devices.</span> With that you're making sure that you don't rely on another party to authorize yourself.<br />
<br />
Be aware of <a href="https://www.gdatasoftware.com/blog/2018/05/30767-smart-phishing-defence" target="_blank" rel="noopener" class="mycode_url">phishing</a>. You have already stopped sharing too much sensitive information online? Good. The next discipline to master is to be cautious of mails requiring personal information from you. In that case it's best to check for the real number of the service the mail is from and call them about this issue directly. And remember: information that might have leaked online already has to be considered "public", at least to a degree. Anyone with enough motivation can find it - sometimes months or even years down the line. After all, how often do you change your phone number? So putting in additional safeguards is a wise thing to do.<br />
<br />
If you follow all this advice, you should be a lot safer!<br />
...</blockquote>
<a href="https://www.gdatasoftware.com/blog/2021/03/36640-the-danger-inside-your-phone" target="_blank" rel="noopener" class="mycode_url">Continue Reading</a>]]></content:encoded>
		</item>
	</channel>
</rss>