Breaking Botnets and Wrestling Ransomware Webcast

Microsoft has an event

Webcast: Microsoft Security Intelligence Report Volume 23—Breaking Botnets and Wrestling Ransomware

The security threat landscape is constantly evolving, and Microsoft has spent over a decade tracking and analyzing software vulnerabilities, exploits, malware, unwanted software, and attacker group methods and tactics via the Security Intelligence Report. As organizations move to the cloud and invest into modern technologies, Microsoft continues its commitment to analyzing and informing the security community with deep insights on the latest threats.
During this webinar, we will discuss learnings from the Security Intelligence Report Volume 23 that include analysis of the top security threat trends we saw in 2017, dive deep into insights on attack vectors, and actionable recommendations from a security industry veteran and a former CISO for your organization to protect and defend itself against these threats. Key takeaways from this webinar include:
  • Learn about the top security threat trends in 2017
  • Gain insight into attack vectors and attacker techniques
  • Hear recommendations and approaches on how to protect your organization from the latest threats

Webcast: Microsoft Security Intelligence Report Volume 23—Breaking Botnets and Wrestling Ransomware
April 10, 2018
1:00 PM ET / 10:00 AM PT


Sat, 17 Mar 2018 14:51:00 +0000

4G LTE Under Attack

Over the past few years, Fourth Generation Long Term Evolution or 4G LTE has become the standard for cellular communications. Security vulnerabilities affecting 4G LTE need to be taken seriously as any disruption to the network can have serious consequences to life in 2018 and beyond. Billions of people around the world depend on the integrity of 4G LTE for daily activities in both their personal and professional lives.
A recent study conducted by a group of researchers from Purdue and Iowa University has uncovered a bundle of vulnerabilities affecting 4G LTE cellular networks. These protocol level vulnerabilities can be exploited for malicious purposes in numerous ways. The researchers have proven that these flaws can allow an attacker to intercept calls and text messages, kick a device off of the network, and even track a user’s location. These may sound like far-fetched scenarios; however eight of the ten attacks discovered have been proven in a testing environment using devices with SIM cards from real US carriers.
The discovery of this set of vulnerabilities may sound like just another security story; however, the potentialfor abuse here is enormous. In addition to tracking an individual’s location, their location can also be spoofed or altered. This presents unique challenges for criminal investigations as criminals can use this to provide false alibis or even frame another person. The research also proves it possible for an attacker to generate and distribute fake emergency alerts. As seen in the recent case of the false alarm for a threat against Hawaii, this could be abused to create massive disruption.
All of these potential attack scenarios are made possible by authentication relay attacks. A successful authentication relay attack will allow an attacker to bypass network authentication defenses without any legitimate credentials and disguise their identity. Once authenticated an attacker has access to the network core where they can essentially block a target device from receiving notifications altogether.
The major cellular carriers have been notified of these flaws and are in the process of releasing fixes. The research team has agreed to not release their proof of concept code until the fixes have been applied. Perhaps the most troubling part of this story is that these types of attacks can be conducted for as little as $1,300, which is negligible to a well-organized criminal effort

Tue, 13 Mar 2018 19:46:00 +0000

Re-purposing Lucrative Exploits

Last month Adobe released a Flash security update to remediate the zero-day Remote Code Execution (RCE) CVE-2018-4878 vulnerability that was most visibly being utilized by the North Koreans to spy upon the south. The South Korean CERT team noted that the exploit was being actively used by the North to target valuable information assets in the south as early as 31, January 2017. The vulnerability, scoring a 9.8 out of 10 base score from the National Vulnerability Database (NVD) was quickly acknowledged by Adobe who posted a bulletin (APSA18-01) with security advisory details for the critical vulnerability including mitigations. The 9.8 base score from the NVD was due to the flaw being exploitable over the internet, requiring low skill to execute the attack, without any privileges on the target machine, and no user interaction with the target. The exploit is realized by a malicious malformed flash object being embedded in Office documents. Once opened the embedded SWF flash file would execute, downloading an additional payload from the web, the Remote Access Trojan ROKRAT.

Adobe released a patch for the troubling zero-day on 6 of February to address CVE-2018- 4878 aiming to protect victims from the RCE vulnerability, but attackers found a new way to exploit CVE-2018-4878 as noted by TREND MICRO in their February 27, 2018 report stating "The campaign involves the use of malicious spam - specifically with a spam email that with an embedded link that directs the recipient to a Microsoft Word lure document (Detected by Trend Micro as TROJ_CVE20184878.A and SWF_CVE20184878.A) stored on the malicious website safe-storage[.]biz. After the file is downloaded and executed, it will prompt the user to enable editing mode to view what's inside the document. This document is what triggers the exploitation of CVE-2018-4878 - in particular, a cmd.exe window is opened that is remotely injected with a malicious shellcode."
 This reviving of CVE-2018-4878 illustrates not only the classic "cat and mouse" dance between attacker and defender but also the ability and keenness of attackers to adapt methods to keep exploiting lucrative vulnerabilities such as those with high NVD scores.

Sources: exploits/new-campaign-exploits-cve-2018-4878-anew-via-malicious-microsoft- word-documents

Thanks to Peraton CIP report for this information

Sat, 03 Mar 2018 19:24:00 +0000

Malware: The New DRM Solution

Software piracy has been an issue for about as long as there has been software to pirate. Companies are constantly developing new Digital Rights Management (DRM) solutions to protect their products, while software pirates, known as crackers, are constantly finding new ways to bypass these technologies. However, FlightSimLabs (FSLabs) recently thought of a new DRM strategy: place malware within their installer.

FlightSimLabs develops add-ons for Microsoft’s Flight Simulator game. These add-ons allow customers to buy additional planes to fly, expanding the game experience. Some Reddit users noticed a strange file, test.exe, which was extracted into a temporary folder when the A320X add-on was installed. Upon further investigation, the executable turned out to be malware purposefully placed by FSLabs to steal usernames and passwords stored in Google Chrome when a pirated copy is installed.

The malware is designed to run only when a flagged serial number is detected. The application is actually the command-line tool Chrome Password Dump

created by SecurityXploded which retrieves and displays usernames and passwords from Chrome in an easy-to-read format. The .bin file provided with the FSLabs application calls the test.exe file and sends the output to a Log.txt file. As if this wasn’t bad enough, the text file is then encoded with Base64.exe and sent back to an FSLabs site, over an HTTP connection (not even

HTTPS). Security researchers at Fidus Information Security determined that the malware was not called when the application is run with a legitimate serial number.
The founder and owner of FSLabs, Lefteris Kalamaras, states "First of all – there are no tools used to reveal any sensitive information of any customer who has legitimately purchased our products." The malware was intended to collect information on people using pirated copies only. However, stealing credentials may still violate multiple sections of the Computer Fraud and Abuse Act. Also, even though the malware is not activated by the add-on for legitimate users, it was still extracted and puts their systems at risk of someone else activating it. FSLabs has offered another version of the installer without the test.exe file.

Thanks to Peraton CIP report for this information



Sat, 03 Mar 2018 19:08:00 +0000

National Consumer Protection Week

Original release date: March 02, 2018

March 4–10 is National Consumer Protection Week (NCPW), an event to encourage people and businesses to learn more about avoiding scams and understanding consumer rights. During NCPW, the Federal Trade Commission (FTC) and its partners highlight free resources to help protect consumers.

NCCIC/US-CERT recommends consumers participate in the FTC/Facebook live chats and review the following NCCIC/US-CERT security tips:

Sat, 03 Mar 2018 19:03:00 +0000

Winter Olympics Cyberattack

The Olympic Games have always been a symbol of global unity and cooperation, mixed in with friendly competition of course. However, this can also mark the games as a target for groups that don’t share that worldview. This year, the Winter Olympics opening ceremony was targeted by a cyberattack focused on disruption and destruction of systems. The attack resulted in the official website being offline for roughly 12 hours, preventing attendees from accessing tickets and information, as well as disrupting the Wi-Fi at the stadium and various news coverage feeds.

Security researchers at Cisco’s Talos group analyzed the malware and have dubbed it Olympic Destroyer. While it is still unclear how the systems became initially infected, Talos has disclosed some details of how the malware operates. The malware is contained within a binary file which is responsible for propagation across the network. It checks the Address Resolution Protocol (ARP) table on the system to discover additional targets, as well as using the Windows Management Instrumentation Query Language (WQL) to run the request "SELECT ds_cn FROM ds_computer" to find other systems. These are carried out using legitimate administrative tools included with Windows, PsExec and WMI. The other function of the binary file is to drop 2 modules, the credential stealers.
The stealer modules focus on different types of credentials: a web browser module and a system module. The web browser stealer parses the SQLite file in the registry to access stored credentials for Internet Explorer, Firefox, and Chrome. The system module gathers credentials from the Local Security Authority Subsystem Service (LSASS), a Windows process that enforces security policy for the system. Once credentials have been gathered, the binary file is updated to include the credentials hardcoded in, to be used on newly infected systems for further access.
After reconnaissance, the malware begins a destruction phase to disable the system. Using the Windows command line (cmd.exe), various tasks are carried out to prevent recovery of the system: deletion of all shadow copies on the system, deletion of the wbadmin catalog, using bcdedit to change the boot configuration and disable Windows recovery, and deleting the System and Security Windows Event logs. Finally, the malware stops and disables all Windows services and shuts down the system, preventing it from being restarted in a usable state.

Olympic Destroyer used well-known Sysinternal tools included with Windows, implying the attacker knew the targets were Windows-based. Talos also suggested the attacker knew a “lot of technical details of the Olympic Game infrastructure such as username, domain name, server name, and
obviously password.”

Sources: yeongchang-2018-winter-olympics.html

and The CIP from Peraton

Thu, 22 Feb 2018 21:39:00 +0000

Final Public Draft of Special Publication (SP) 800-171A, Assessing Security Requirements for Controlled Unclassified Information

NIST Computer Security Division Releases the Final Public Draft of Special Publication (SP) 800-171A, Assessing Security Requirements for Controlled Unclassified Information

NIST Computer Security Division releases the Final Public Draft of Special Publication (SP) 800-171A, Assessing Security Requirements for Controlled Unclassified Information is now available for public comment.  See below for further details.

Learn about the updates to the Final Draft SP 800-171A on the NIST CSRC website at:

Below is the link to the Draft SP 800-171A publication record where links to the document, the comment template and other supplemental information is available:

Deadline to submit comments to draft SP 800-171A: March 23, 2017

Email comments or questions about this draft document to:

Thu, 22 Feb 2018 21:33:00 +0000

Tips for Tax Time

A 2017 Identity Fraud Study by Javelin Strategy & Research revealed that nearly one in three consumers notified that their data has been breached become victims of identity fraud. With the recent Equifax cyberattack still fresh in our minds, more than 145 million Americans’ names, addresses, birthdates, Social Security numbers and other sensitive information may be at risk. Cybercriminals are crafty and continuously looking for ways to steal your personal information. The Internal Revenue Service (IRS) indicates that phishing schemes continue to lead its “dirty dozen” list of 2017 tax scams. So what is the average American to do? The National Cyber Security Alliance (NCSA) and the Identity Theft Resource Center (ITRC) have once again joined forces to help consumers keep safe during tax season with tips for identifying cyber scams, actionable online safety steps and what to do if you fall victim to tax identity theft.
Mon, 12 Feb 2018 21:14:00 +0000

The ten immutable laws of security administration revisited and updated

Law #1: If a bad guy can persuade you to run his program on your computer, it’s not solely your computer anymore.

Phishing scams, link bait, hacked software, hacks for software, keygens, screensavers, games, codecs, media files… the list goes on and on. Search for anything online you might wish to download, and odds are extremely good that you will find the majority of the links on the first page of your search results will go to downloads that are for anything other than what you really want to download. Check out torrent sites or other sources for what includes binaries of questionable origin, and I guarantee you that most of those downloads are crawling with badness. Everyone wants something for nothing, and the bad guys are happy to use that to their advantage. Set aside the morality and the legality of downloading copyrighted content without paying for it… is it really worth the risk that your computer won’t be yours anymore?

Law #2: If a bad guy can alter the operating system on your computer, it’s not your computer anymore.

Consider how many “fixes” are “documented” online to correct this behavior or to patch that bug. How many posts consist of “download this file from my site to fix that error” and how many of those sites have nothing at all to do with the vendor of your operating system? This is NOT just a problem for Windows users, so don’t think that all repos can be trusted. When you are considering patching, upgrading, or recompiling your operating system, whether it’s a binary or new source you want to compile from scratch… if you cannot read and understand the code yourself, and it’s not coming from the maker directly, don’t trust it. If it is coming from the vendor, make sure that either the digital signatures or the checksums of the downloads check out okay or abandon the file(s) as bad.

Law #3: If a bad guy has unrestricted physical access to your computer, it’s not your computer anymore.

If they can touch it, they can own it. Any system a bad guy has direct physical access to is his or hers to do with as they please. Don’t leave your computer unlocked when you are away from it. Don’t leave it out in the open in a hotel room when you travel. Ensure your workplace provides adequate physical security for all systems. You know that PC the receptionist uses that is sitting in the elevator lobby which anyone can walk up to? Yeah, if your building is not locked down so you need a badge to even get onto your floor, then that PC needs to be locked away every day at the end of the shift.

Law #4: If you allow a bad guy to run active content on your website, it’s not your website any more.

Limit what can and cannot be uploaded to your website or forums. Quarantine and scan any files that are uploaded by users. Regularly and frequently run security scans of your website and all content, and ensure it cannot be exploited by injection or cross-site scripting. One of the most common ways end users’ machines are infected is by visiting a trusted site that is unaware it is hosting bad things.

 Law #5: Weak passwords trump strong security.

There is no variant of P@ssw0rd or p@$$word or Password1 or even b70w$$@q that hasn’t been used by someone enough times that it won’t be in the first 10,000 passwords tried by a brute force attack. And since it will take less than .007 seconds to go through those 10,000 passwords using even the underpowered processing capabilities of a discount tablet, you really want better. I’m going to let you in on a little secret. All passwords are weak. There is no such thing as a strong password, at least when you measure it up against the strength of a dedicated adversary determined to crack it.
The best thing you can do is use multifactor authentication, period. Whether you use a smart card, or a token, or an app on your mobile phone, even if someone does guess a user’s password (or tricks them into giving it away) without that second factor of authentication, it’s of no use to them. You can even go with biometrics if you have the budget for it, but 2FA using a mobile device can be used from any system, and doesn’t have the SciFi creep factor associated with it!

Law #6: A computer is only as secure as the administrator is trustworthy.

Reference checks, employment checks, credit checks, criminal record checks, background investigations… how far does your HR team take their responsibility of looking into new hires? You may not need to do a full scope background investigation on the receptionist or the delivery driver, but IT sysadmins have access to everything that is on the network. They can read the CEO’s emails, pull the payroll history for anyone in the company, learn just what the secret recipe of the Colonel’s chicken is that makes you crave it fortnightly! Ensure that anyone with privileges to any system is fully checked out before hiring.

Law #7: Encrypted data is only as secure as its decryption key.

Which means if the key exchange is weak, or the key itself is, then your encryption is at risk. The only thing worse than an insecure key is using a proprietary algorithm. Stick with commercially recognized encryption protocols, and if you must use and exchange a pre-shared key, do so out of band to the data exchange. In other words, don’t email someone the password to decrypt the file you just emailed them! Call them, text them, send them smoke signals, anything but sending the password using the same method as you sent the data.

Law #8: An out-of-date antimalware scanner is only marginally better than no scanner at all.

I always go one further than this and say it’s worse. If I am on a machine that has no antimalware, I won’t download or install anything that I am not absolutely sure of. I’d say most others would feel the same way. But if antimalware is on the machine, I may not be as circumspect, opting instead to count on the antimalware to keep me safe. Of course, if it is out of date, it’s useless, but that won’t stop me from being stupid!

Law #9: Absolute anonymity isn’t practically achievable, online or offline.

Sure, you can live in a cave and bounce your signal off a neighbor’s insecure Wi-Fi, routing it through three different TOR networks and an open web proxy, then through a Ukrainian satellite before you reach your goal… but wait, this isn’t a Hollywood spy thriller so that isn’t practical or even realistic. There is always a log somewhere, and anything you do online you should assume will stay online forever, and eventually be seen by your grandmother. Don’t be stupid, don’t be rude, and don’t do something your meemaw would be ashamed of!

Law #10: Technology is not a panacea.

There is no firewall that cannot be bypassed. There is no hardening procedure that is bulletproof. There does not exist encryption that cannot be broken given enough CPU cycles, nor is there code written without vulnerabilities. Technology is not a panacea and there is no one solution that can make you 100% guaranteed secure. Work on the human aspect, minimize the opportunities for attackers to find something to exploit, keep up to date on patching and malware definitions, and use a layered defense to do the best you can.

Learn them. Live them. Love them. Make them a part of who you are, and help instill in your users, your friends, and your family an awareness of the same. These ten laws are not just for sysadmins, they are for anyone using technology. But stay tuned!

In future post in this series, we are going to take a look at a related set of laws laid down by Microsoft Director  Scott Culp – The 10 Immutable Laws of Security Administration.

Tue, 06 Feb 2018 22:43:00 +0000

BlueHat IL 2018 - David Weston - Windows: Hardening with Hardware Video

The security features of modern PC hardware are enabling new trust boundaries and attack resistance capabilities unparalleled in software alone. These hardware capabilities help to improve resistance to a wide range of attacks including physical attacks against DMA and disk encryption, kernel and remote code exploits, and even application isolation through virtualization. In this talk, we will review the metamorphosis and fundamental re-architecture of Windows to take advantage of emerging hardware security capabilities. We will also examine in-depth the hardware security features provided by vendors such as Intel, AMD, ARM and others, and explain how Windows takes advantage of these features to create new and powerful security boundaries and exploit mitigations. Finally, we will discuss the new attack surface that hardware provides and review exploit case studies, lessons learned, and mitigations for attacks that target PC hardware and firmware.

Link to Video
Tue, 06 Feb 2018 22:37:00 +0000