What's new arround internet
| Src | Date (GMT) | Titre | Description | Tags | Stories | Notes |
 |
2017-11-07 13:36:51 | Vietnamese APT32 group is one of the most advanced APTs in the threat landscape (lien direct) | >According to the incident response firm Volexity, Vietnamese APT32 group is today one of the most advanced APTs in the threat landscape According to the incident response firm Volexity, the cyber espionage campaigns associated with a group operating out of Vietnam and tracked as tracked as OceanLotus and APT32 have become increasingly sophisticated. Researchers at Volexity has been tracking the threat actor since […] | APT 32 | ||
 |
2017-10-12 16:00:27 | Labs report: summer ushers in unprecedented season of breaches (lien direct) |
In this edition of the Malwarebytes Cybercrime Tactics and Techniques report, we saw a number of high profile breaches targeting the personal information of hundreds of millions of people. We also observed shifts in malware distribution, the revival of some old families, and found cases of international tech support scams.
Categories:
Malwarebytes news
Tags: 3rd quarterandroid malwareastrumbreachcerbercybercrimecybercrime tactics and techniquesemotetEquifaxexploit kitfrancophonefruitflyglobeimposterLockymac malwaremalicious spammalspamMalwarebytesmalwarebytes labsnational health serviceNHSoceanlotusq3 2017reportRIGsmartscreensonictech support scamstrickbottrojan.clicker.hyjwhole foods
(Read more...)
|
Equifax APT 32 | ||
 |
2017-09-22 17:56:58 | PODCAST: Cyphort helps companies translate an ocean of network logs into actionable intelligence (lien direct) | By Byron V. Acohido More companies are deploying cyber defenses to alert employees when possible threats to data and networks are detected. That's a good thing. What's not so good is that these tools and components can raise alarms so often, a company's tech team is in a constant state of high alert. I had […] | APT 32 | ||
 |
2017-09-19 10:47:28 | DigitalOcean Warns of Vulnerability Affecting Cloud Users (lien direct) | DigitalOcean is warning customers that some 1-Click applications running MySQL have an account with the same default password across all instances, and the company says the issue affects other cloud providers as well. | APT 32 | ||
 |
2017-08-23 11:04:28 | California City Stops Online Utility Bill Payment System amid Breach Fears (lien direct) | A California city has temporarily shut down its online utility bill payment system amid fears that the portal suffered a breach. On 22 August 2017, the City Manager’s Office of Oceanside, CA announced a possible security incident affecting its online bill payment system that residents can use to pay their utility (water, sewer, and trash) […]… Read More | APT 32 | ||
 |
2017-08-16 13:00:00 | GlobeImposter Ransomware on the Rise (lien direct) |
Ah, the summer anthem. That quintessential song that defines summertime as much as hot nights, barbeques, and beach vacations. Whether it’s the Beach Boys’ “I Get Around” (1964), Springsteen’s “Dancing in the Dark” (1984), or Pearl Jam’s “Last Kiss” (1999), the summer anthem is transcendent, yet perfectly emblematic of its time.
If InfoSec had a 2017 summer anthem, we might be hearing Taylor Swift or Drake singing about ransomware. Wouldn’t that be catchy? That’s because global ransomware campaigns like WannaCry and NotPetya have largely defined the summer season this year, and now, there’s a new ransomware remix topping the charts—GlobeImposter 2.0.
Originally detected in March 2017, GlobeImposter 2.0 targets Windows systems and is being distributed through malicious email attachments (MalSpam). In recent weeks, we’ve seen a surge in activity in the Open Threat Exchange (OTX) around GlobeImposter and its many variants. Thus, it’s important to understand how the ransomware initiates, spreads, and evades detection.
GlobeImposter Ransomware at a Glace
Distribution Method: Malicious email attachment (MalSpam)
Type: Trojan
Target: Windows systems
Variants: many (see below)
How GlobeImposter Works
The recent GlobeImposter attacks have largely been traced to MalSpam campaigns—emails carrying malicious attachments. In this case, the email messages appear to contain a .zip attachment of a payment receipt, which, in reality, contains a .vbs or .js malware downloader file.
Sample email subject lines include:
Receipt#83396
Receipt 21426
Payment-421
Payment Receipt 222
Payment Receipt#97481
Payment Receipt_8812
Receipt-351
Payment Receipt_03950
Once the attachment is downloaded and opened, the downloader gets and runs the GlobeImposter ransomware. You can get a list of known malicious domains from the GlobeImposter OTX pulse here. Note that some of the known malicious domains are legitimate websites that have been compromised.
Like other pieces of ransomware, GlobeImposter works to evade detection while encrypting your files. After encryption is complete, an HTML ransom note is dropped on the desktop and in the encrypted folders for the victim to find, including instructions for purchasing a decryptor. There are no known free decryptor tools available at this time.
You can read a detailed analysis of a sample of GlobeImposter at the Fortinet blog, here and at Malware Traffic Analysis, here.
GlobeImposter Variants on the Rise
What’s striking about the recent uptick in GlobeImposter ransomware activity is the near-daily release of new variants of the ransomware. Lawrence Abrams at BleepingComputer has a nice rundown of new GlobeImposter variants and file e |
NotPetya Wannacry APT 32 | ||
|
2017-06-29 13:00:00 | Data Carving in Incident Response - Steps Toward Learning More Advanced DFIR Topics (lien direct) |
Introduction
I have been in information security since March 2010, when I got out of the Navy after navigating nuclear submarines for almost 7 years. Little did I know that with this change of career, I was about to be in for the ride of my life.
I have been steadily progressing as a "blue teamer" or enterprise defender this whole time and have undertaken learning one of (what I believe to be) the most difficult blue team trades: reverse engineering malware. The purpose of this blog is to allow readers to follow along if they want to get into the trade as well as to force me to take actual notes periodically.
Background: The Beginning
To understand my background, here is a graphic showing my career progression:
I started my career with only basic fundamental knowledge of information security. However, applying the work ethic and desire to excel I learned in the Submarine Force, I set out to become the best information security professional that I could. My first job out of the Navy was not very technical. I realized this and enrolled for both online and in-person training. I took a UNIX and Linux class in person and that itself has taken me far. I use Linux or a UNIX variation often in my current role and have used it in my past two roles as well.
I learned auditing as part of being a government employee, so that I could assess the security of systems to support them, attaining Certification & Accreditation (C&A; now known simply as Authorization in the federal space). I continued to push myself to learn technical concepts and refine my knowledge. After I left the federal government and came back to the same agency as a contractor, my former supervisor commented that I "was too technical to be a 'govvie'."
As a UNIX administrator, I was able to unleash my theoretical knowledge and be at ground-zero for technology. I was involved with patching and remediation, system migrations from PA-RISC to Itanium, and modernization of the web experience.
Over the course of a few years, I had already worked as an auditor, a systems engineer, and a Senior UNIX Administrator focused on security, and had completed my undergraduate and graduate degrees in Information Security as well. At this point, I wanted a change and wanted to be closer to family, so I accepted a job as Director of IT Security/ISSO in Atlanta.
Background: 2013 to Mid-2017
When I started this job, I was afforded something I had never had before: freedom and latitude. I found that I could be as technical as I wanted to, as long as it didn't cost much. Over time, I learned how to administer Active Directory, Group Policy, McAfee ePO, Tenable Security Center, Gigamon, and Sourcefire. Prior to this role, I had only managed HP-UX and Red Hat servers. It felt like a knowledge explosion to have a chance to learn so many new things.
As Director of IT Security and ISSO, I had to revisit my roots in Governance and Regulatory Compliance (GRC) in writing Policies and Procedures to meet federal and contractual requirements. Beyond this, I was able to build on my technical foundation and deploy, analyze, and maintain various technologies as well as participate in "Hack the Pentagon." This was a confidence booster and a challenge. I had no other security people to consult internally. I had to learn to make things work in an efficient and secure manner.
As time went on, things changed with the contract, the management, and the team. Within three years, I had outgrown my position. There was no more opportunity for development or upward mobility and things were beginning to feel toxic. I felt like I was losing my passion for Infosec. Luckily, Sword & Shield came to my rescue. I began my |
Wannacry APT 32 | ||
 |
2017-06-24 11:00:10 | (Déjà vu) Palo Alto Networks News of the Week – June 24, 2017 (lien direct) | Did you miss any of this week's Palo Alto Networks action? Don't worry – we've rounded up our top news and views right here: This week Unit 42 shared two new pieces of research Decline in Rig Exploit Kit The New and Improved macOS Backdoor from OceanLotus We helped you get to the bottom of cloud security in this week's Cyberpedia post. Learn more about the new cloud-based Palo Alto Networks Logging Service. The Cybersecurity Canon has a new book review: Artificial Intelligence: A Modern Approach We shared this infographic … | APT 32 | ||
|
2017-06-22 17:00:15 | The New and Improved macOS Backdoor from OceanLotus (lien direct) | Unit 42 discovers a new version of the OceanLotus backdoor in our WildFire cloud analysis platform which may be one of the more advanced backdoors we have seen on macOS to date. | APT 32 | ||
|
2017-05-24 11:37:10 | How APT32 Hacked a Global Asian Firm With Persistence (lien direct) | In a cyber intrusion dubbed Operation Cobalt Kitty, the OceanLotus hacking group -- otherwise known as APT32 -- played cat-and-mouse with a security firm that was tracking its every move. | APT 32 | ||
|
2017-05-19 19:00:00 | Diversity in Recent Mac Malware (lien direct) |
In recent weeks, there have been some high-profile reports about Mac malware, most notably OSX/Dok and OSX.Proton.B. Dok malware made headlines due to its unique ability to intercept all web traffic, while Proton.B gained fame when attackers replaced legitimate versions of HandBrake with an infected version on the vendor’s download site. Another lower profile piece of Mac malware making the rounds is Mac.Backdoor.Systemd.1.
Figure 1: Systemd pretending to be corrupted and un-runnable.
There have been no public reports as to who is behind these attacks and only little information about their targets. OSX/Dok is reported to have targeted European victims, while users of HandBrake were the victims of Proton.B. One corporate victim of Proton.B was Panic, Inc. which had its source code stolen and received a ransom demand from the attackers.
Each of these malware variants is designed to take advantage of Macs, but analysis shows that they are actually drastically different from each other, showing just how diverse the Mac malware space has grown. Let’s dive into some of the technical details (but not too technical ;) of each piece of malware to learn more about what they do and how they work.
OSX/Dok
OSX.Proton.B
Mac.BackDoor.System.1
Functionality
HTTP(S) proxy
Credential theft (potentially other RAT functionality)
Backdoor/RAT
Language
Objective-C (with heavy use of shell commands)
Objective-C (with heavy use of shell commands)
C++ (with a handful of shell commands)
Persistence
Launch Agent
Launch Agent
Launch Agent
Launch Daemon
Startup Item
Uses chflags to make files read-only
Distribution
Phishing emails
Compromised software download
(presumably) Phishing
Anti-Analysis
None
Anti-debugger (PT_DENY_ATTACH)
Closes Terminal and Wireshark Windows
None
Binary Obfuscation
Newer variants are packed with UPX
Password protected zip archive
Encrypted configuration file
Encrypted configuration file
XOR encrypted strings in binary
Detection Avoidance
Signed App bundle
Installs trusted root certificate
Modifies sudo settings to prevent prompting
Checks for security software
Infected legitimate software
Use of “hidden” dot files
Uses chflags to hide files from UI
Use of “hidden” dot files
C2
MiTM proxy (no separate C2)
HTTPS
Custom 3DES
Functionality
Dok is very basic in its functionality – it reconfigures a system to proxy web traffic through a malicious h |
Wannacry APT 32 | ||
 |
2017-05-17 08:33:49 | Le cyber-espionnage continue à proliférer : Menace d\'APT32 pour les multinationales (lien direct) |  Des acteurs de cyber-espionnage, désignés par FireEye sous le nom d'APT32 (Groupe OceanLotus), mènent activement des intrusions au sein d'entreprises privées dans de multiples industries, et ont également ciblé des gouvernements, des dissidents et des journalistes. |
APT 32 | ||
 |
2017-05-14 17:00:00 | Le cyber-espionnage est bien vivant: APT32 et la menace pour les sociétés mondiales Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations (lien direct) |
Les acteurs de cyber-espionnage, désormais désignés par Fireeye comme APT32 (Oceanlotus Group), effectuent des intrusions dans des sociétés du secteur privé dans plusieurs industries et ont également ciblé des gouvernements étrangers, des dissidents et des journalistes.FireEye évalue que l'APT32 exploite une suite unique de logiciels malveillants entièrement tracés, en conjonction avec des outils disponibles commercialement, pour mener des opérations ciblées qui sont alignées sur les intérêts de l'État vietnamien.
APT32 et Réponse communautaire de Fireeye \\
Au cours des enquêtes sur les intrusions dans plusieurs sociétés ayant des intérêts commerciaux au Vietnam
Cyber espionage actors, now designated by FireEye as APT32 (OceanLotus Group), are carrying out intrusions into private sector companies across multiple industries and have also targeted foreign governments, dissidents, and journalists. FireEye assesses that APT32 leverages a unique suite of fully-featured malware, in conjunction with commercially-available tools, to conduct targeted operations that are aligned with Vietnamese state interests. APT32 and FireEye\'s Community Response In the course of investigations into intrusions at several corporations with business interests in Vietnam |
Threat | APT 32 APT 32 | ★★★★ |
|
2017-03-24 13:21:06 | I thought everyone knew this by now (lien direct) | But apparently not. I just saw some “Security Awareness Training†that gave the bad old advice of “look for the padlock†in your web browser. Here's my answer to that:  In a world where most of us face a constant threat from phishing we need to better educate folks, and we need to make it easier to be secure. And since the latter isn't that easy, we need to teach better. Also, “don't click stuff†really defeats the point of the web, so while I understand the sentiment, it is not practical advice. The padlock can mean a variety of things, but what it really signifies is that your web traffic is encrypted. It does not mean that all of the traffic on the page is encrypted, or that it is encrypted well. It also doesn't assure you that the traffic isn't being decrypted, inspected, and re-encrypted. Or maybe it isn't encrypted at all and someone just used a padlock as a favicon on the website (this varies somewhat by web browser). The padlock doesn't prove the identity of the site owner unless it is an EV(extended validation) certificate, and even then the validation is imperfect. When we just say “look for the padlock†we are giving people bad information and a false sense of security. It makes us less secure, so we need to kill this message. Even though it isn't entirely true if we are going to oversimplify this I think we're better off telling folks that the padlock doesn't mean a damn thing anymore, if it ever did. While we're on the subject of browsers, you know the average computer user is just trying to do something, so the warnings they see are mentally translated to “just keep clicking until we let you go where you wantâ€. I did find a few things which made me think of typical browser warnings:  This means it's OK to trespass up to this point, but no further? Is that like this website is unsafe? No, because if you look around this sign you can see the end of the pier is missing, if you click past the browser warning you will not fall into the ocean. And this, you know what it means, but what does it say?  That's right, it says don't P on the grass. Just because you know what something means does not mean you can assume others do, we need to do a better job of explaining things. Reminding folks of the invention of indoor plumbing when what you want is to keep cars off the grass, sounds like a browser warning to me. |
APT 32 | ||
 |
2017-02-17 11:01:37 | DigitalOcean Launches Public Bug Bounty Program (lien direct) | Cloud computing platform DigitalOcean announced the public availability of its bug bounty program, after successfully running it in private mode. | APT 32 | ||
 |
2017-02-08 19:32:39 | Cloud Metadata Urls, (Wed, Feb 8th) (lien direct) | This is a guest diary contributed by Remco Verhoef. Interested in publishing a guest diary? Sent us your idea via our contact form. Most cloud providers offer metadata using private urls. Those urls are used to retrieve metadata for the current configuration of the instance and passing userdata. The configuration contains data like security groups, public ip addresses, private addresses, public keys configured and event rotating secret keys. The userdata can contain everything like initialization scripts, variables, passwords etc. The metadata urls will vary per cloud provider, Ive written a few down together with their metadata url and a link to the documentation. Google http://169.254.169.254/computeMetadata/v1/ https://cloud.google.com/compute/docs/storing-retrieving-metadata Amazon http://169.254.169.254/latest/meta-data/hostname http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html Openstack http://169.254.169.254/2009-04-04/meta-data/instance-id https://blogs.vmware.com/openstack/introducing-the-metadata-service/ Dreamhost http://169.254.169.254/metadata/v1/hostname https://developers.digitalocean.com/documentation/metadata/ Azure http://169.254.169.254/metadata/v1/maintenance The configuration and userdata is used by scripts, automating tasks and applications, but the danger is that it can be abused to leak information about the current instance. Information an attacker needs to elevate privileges or move laterally. This information can contain usernames, passwords, configuration, keys or scripts. When your application accepts remote urls as data like a proxy server, vpn server or a web application (think about wordpress plugins for embedding remote content, web screenshotting applications and many more), you need to be sure the metadata url is not accessible. If you install a default squidproxy for example, just executing this command: $ http_proxy=proxy:3128 curl http://169.254.169.254/latest/dynamic/instance-identity/document { devpayProductCodes : null, privateIp : 172.31.9.215, availabilityZone : eu-west-1c, version : 2010-08-31, region : eu-west-1, instanceId : i-*****, billingProducts : null, pendingTime : 2017-02-03T20:21:11Z, instanceType : m3.medium, accountId : *****, architecture : x86_64, kernelId : null, ramdiskId : null, imageId : ami-e31bab90 } This will return all metadata of the proxy server. Anyhow the metadata contains information you dont want to disclose. Youll be safe when the private ip has been blocked, but this is not always possible (in the case of the rotating secret keys for example). Blocking the requests can be done using good old iptables: $ iptables -A OUTPUT -m owner ! | APT 32 | ||
|
2017-01-03 14:00:00 | Top 12 AlienVault Blogs of 2016 (lien direct) | Wow, 2016 was quite a year, which provided the AlienVault team and our guest bloggers with plenty of topics to blog on from InfoSec best practices to OceanLotus to Reverse Engineering to building a home malware lab! We are looking forward to providing more educational and useful blogs in 2017. As in 2016, we welcome and support guest bloggers who have contributions to make to the Infosec community. If you are interested in being a guest blogger, please contact me at kbrew@alienvault.com. Lastly, please subscribe to our blog to ensure you get all the new goodies either daily or a weekly summary in your inbox. With our further ado, following are the top 12 AlienVault blogs of 2016: Building a Home Lab to Become a Malware Hunter - A Beginner’s Guide - The top blog of 2016 was written by @sudosev and explains how he set up his own home malware lab. How Penetration Testers Use Google Hacking - Jayme Hancock describes how to do Google hacking / dorking cleverly as a pen tester. It even includes a helpful "cheat sheet". Security Issues of WiFi - How it Works - Everyone loves WiFi, but Joe Gray explains how WiFi works and describes the many security issues and nuances associated with WiFi. Reverse Engineering Malware - In this blog, I interview some members of our AlienVault Labs team to learn how they reverse engineer malware when they're doing security research. The team describes several approaches and tools to use in analyzing malware samples. The Mirai Botnet, Tip of the IoT Iceberg - Javvad Malik talks about IoT security challenges in general, and focuses on the Mirai botnet which focused on XiongMai Technologies IoT equipment in a recent attack. Web Application Security: Methods and Best Practices - The OWASP top 10 and web application security testing are covered in this educational blog by Garrett Gross. Common Types of Malware, 2016 Update - Lauren Barraco outlines the different categories of malware and highlights What's New in 2016. PowerWare or PoshCoder? Comparison and Decryption - Peter Ewane of the Labs team talks about his research into PowerShell vulnerabilities and exploits. He focuses on PowerWare, whick seems to be heavily based on PoshCoder. Can You Explain Encryption to Me? - In this blog by Javvad Malik, he describes encryption to his boss in a hilarious exchange of notes. Javvad then outlines the basics of encryption in a very understandable way. OceanLotus for OS X – an Application Bundl | Medical | APT 38 APT 32 | |
|
2016-11-17 07:14:56 | Example of Getting Analysts & Researchers Away, (Wed, Nov 16th) (lien direct) | It is well-known that bad guys implement pieces of code to defeat security analysts and researchers. Modern malwareshave VM evasiontechniques to detect as soon as possible if they are executed in a sandboxenvironment. The same applies for web services like phishing pages or CC control panels. Yesterday, I found a website delivering a malicious PE file. The URL was http://www.[redacted].com/king/prince.exe. This PE file was downloaded and executed by a malicious Office document. Nothing special here, its a classic attack scenario. Usually, when I receive aURL like this one, Im always trying to access the upper directory indexes and also some usual filenames / directories (I built and maintain my own dictionary for this purpose). Playing active-defense" /> The file zz.php is less interesting, its a simple PHP mailer. The dbl directory contains interesting pages that providea fake" /> In this case, attackers made another mistake, the source code of the phishing site was left on the server in the dbl.zip file. Once downloaded and analyzed, it revealed a classic attack trying to lure visitors and collect credentials. Note that the attacker was identified via his gmail.com address present in the scripts. But the most interesting file is called blocker.php"> ...include(blocker.php... Lets have a look at this file. It performs several checks based on the visitors details (IP and browser). First of all, it performs a reverse lookup of the visitor"> $hostname = gethostbyaddr($_SERVER[REMOTE_ADDR$blocked_words = array(above,google,softlayer,amazonaws,cyveillance,phishtank,dreamhost,netpilot,calyxinstitute,tor-exit, paypalforeach($blocked_words as $word) { if (substr_count($hostname, $word) 0) { header(HTTP/1.0 404 Not Found }} Next, the visitorif(in_array($_SERVER[REMOTE_ADDR],$bannedIP)) { header(HTTP/1.0 404 Not Found} else { foreach($bannedIP as $ip) { if(preg_match(/ . $ip . /,$_SERVER[REMOTE_ADDR])){ header(HTTP/1.0 404 Not Found } }} Here is the list of more relevant banned network: Google Digital Ocean Cogent Internet Systems Consortium Amazon Datapipe DoD Network Information Center Omnico"> if(strpos($_SERVER[HTTP_USER_AGENT], google) or strpos($_SERVER[HTTP_USER_AGENT], msnbot) or strpos($_SERVER[HTTP_USER_AGENT], Yahoo! Slurp) or strpos($_SERVER[HTTP_USER_AGENT], YahooSeeker) or strpos($_SERVER[HTTP_USER_AGENT], Googlebot) or strpos($_SERVER[HTTP_USER_AGENT], bingbot) or strpos($_SERVER[HTTP_USER_AGENT], crawler) or strpos($_SERVER[HTTP_USER_AGENT], PycURL) or strpos($_SERVER[HTTP_USER_AGENT], facebookexternalhit) !== false) { header(HTTP/1.0 404 Not Found } Surprisingly, this last"> Wget/1.13.4 (linux-gnu)curl/7.15.5 (x86_64-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5python-requests/2.9.1Python-urllib/2.7Java/1.8.0_111... Many ranges of IP addresses belongs to hosting companies. Many researchers use VPS and servers located there, thats why they are banned. In the same way, interesting targets for the phishing page are residential customers of the bank, connected via classic big ISPs. Conclusion: if you are hunting for malicious code / sites, use an anonymous IP address (a residential DSL line or cable is top) and be sure to use the right User-Agents to mimic classic targets. Xavier Mertens (@xme) ISC Handler - Freelance Security Consultant PGP Key (c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License. | Yahoo APT 32 | ||
 |
2016-10-12 08:31:00 | IDG Contributor Network: A night to remember: Engineering lessons from the Titanic (lien direct) | Some 31 years ago, the RMS Titanic was discovered resting on the ocean floor. The legend of its sinking has been retold many times in books and movies. One compelling aspect of the story is the safety claims made by its creators. Even as reports of the disaster began to filter into New York, the vice president of the White Star Line stated, without qualification, “We place absolute confidence in the Titanic. We believe that the boat is unsinkable.†Obviously reality betrayed those maritime engineers' confidence.What lessons might this famous disaster teach engineers in modern data centers? In particular, how do we prevent hostile attacks-the “icebergs†that lurk on the seas we sail-from causing catastrophic breaches?To read this article in full or to leave a comment, please click here | APT 32 | ||
 |
2016-09-30 09:07:00 | IDG Contributor Network: Treasures attackers look for in the sea of email (lien direct) | As we dive into October, cybersecurity awareness month, there are lots of strategies to help us all become stronger swimmers in the digital waters. Given that there are 112 billion business emails sent around the world every day, that is one huge ocean that everyone can learn how to better navigate.Since its inception, email has become mission critical, and so many necessities beyond mail service have grown up along with it. Enterprises have become burdened by the complexities of email, which additionally requires the added protections of encryption gateways, spam filters, phishing protections, and much more.In order to attack all of the issues of email security in the age of digital disruption, you first have to know what is beneath the rough seas.To read this article in full or to leave a comment, please click here | Guideline | APT 32 | |
 |
2016-08-27 03:54:01 | TEAM CYMRU: Floating Domains - Taking Over 20K DigitalOcean Domain Names via a Lax Domain Import System http://bit.ly/2bDCPcv pic.twitter.com/uELSfrHeVR (lien direct) | TEAM CYMRU: Floating Domains - Taking Over 20K DigitalOcean Domain Names via a Lax Domain Import System http://bit.ly/2bDCPcv pic.twitter.com/uELSfrHeVR | APT 32 | ||
 |
2016-07-25 16:05:22 | Dan Kaminsky (@dakami) will present the #BHUSA 2016 Keynote on Wednesday, August 3 at 09:00 in Oceanside Ballroom http://ow.ly/CnmE302wu9Q (lien direct) | Dan Kaminsky (@dakami) will present the #BHUSA 2016 Keynote on Wednesday, August 3 at 09:00 in Oceanside Ballroom http://ow.ly/CnmE302wu9Q | APT 32 | ||
|
2016-07-20 18:09:11 | Guest Diary, Etay Nir: Flipping the Economy of a Hacker, (Wed, Jul 20th) (lien direct) | Flipping the economy of a HackerPalo Alto Networks partnered with the Ponemon Institute to answer a very specific question: what is the economic incentive for adversaries?Ponemon was chosen as they have a history of crafting well respected cybersecurity research, including their well know annual cost of a data breach reports. The findings are based on surveys and interviews with Cybersecurity experts, including current or former attacks. These are all individuals who live and breathe security, many of whom have conducted attacks. Nearly 400 individuals were part of the research, across the United States, Germany and the United Kingdom.When you think about security research, most of the focus has been on how attackers get in, and the damage they cause once they are inside. We set out to approach this problem from a completely different angle: understand the economic motivations of an attack, the factors that influence this, and be able to leverage this data to help organizations better respond to attacks. If we can remove the motivation, we can decrease the number of successful attacks. It is as simple as that.You can download the full report from: http://media.paloaltonetworks.com/lp/ponemon/report.html andhttp://www.ponemon.org/library/flipping-the-economics-of-attacksThere are clear highlights I believe that can influence your understanding of attackers, and influence your ability to defend yourself from them:The majority of attackers (72 percent) were opportunistic, not wasting time on efforts that do not quickly yield high-value information. While advanced nation state actors employ lots of planning, think about the average attacker as the mugger on the street, versus Oceans Eleven crew that spends weeks planning a complicated high stakes heist. When put into this context, organizations that prioritize making themselves a harder target, will actively deter a significant amount of potential breaches.There is a common notion that they are in for a big payday. This is really the exception, rather than the rule, with average annual earnings from malicious activity totaling less than $30,000, which is a quarter of a cybersecurity professionals average yearly wage. This limited earning power becomes even less attractive when you consider the added legal risks including fines and jail time.Time is the defining factor to change the adversarys arithmetic. As network defenders, the more we delay adversaries, the more resources they will waste, and higher their cost will be. We found that increasing the time it takes to break into and carry out successful attacks by less than 2 days (40 hours), will deter the vast majority of attacks.Finally, it is all about how you protect yourself. Because attackers are so opportunistic, and their time is so valuable, we can change the attack equation with next-generation security approaches. We found that organizations rated as having excellent security took twice as long to breach, when compared to those rated as typical. Putting the right security in place makes all the difference.To understand how to influence an attackers economic motivation, we must consider what I call the adversary arithmetic, which boils down to the cost of an attack versus the potential outcome of a successful data breach. If malicious actors are putting in more resources than they are getting out, or we decrease their profit, being an attacker becomes much less attractive. What we have seen is simple, more malware and exploits, more effective toolkits, combined with cheaper computing power has lowered the barrier to entry for an attack, and resulted in the increase in attacks we covered in the last slide.Using the survey finding as a guideline, lets walk through what we can do to reverse this trend.It is a random mugging, not a | APT 32 | ||
|
2016-06-27 15:58:00 | Reverse Engineering Malware (lien direct) | The AlienVault Labs team does a lot of malware analysis as a part of their security research. I interviewed a couple members of our Labs team, including Patrick Snyder, Eddie Lee, Peter Ewane and Krishna Kona, to learn more about how they do it.Here are some of the approaches and tools and techniques they use for reverse engineering malware, which may be helpful to you in your own malware hunting endeavors. Please watch the webcast they did recently with Javvad Malik on reverse engineering malware and hear details and examples of how the Labs team investigated OceanLotus, PowerWare and Linux malware in recent situations.Approaches in reverse engineering a malware sampleReverse engineer: The most obvious approach is to completely reverse engineer a piece of malware. This obviously takes a great amount of time, so other approaches are more practical.Exploitation techniques: Another approach you can take is to focus on the exploitation techniques of a piece of malware. Occasionally you will see a piece of malware that is using a new exploitation technique, or is exploiting a zero-day vulnerability. In this case you may be interested only in the specific exploitation technique so you can timebox your analysis and only look at the exploitation mechanisms.Obfuscation: Malware will often obfuscate itself and make itself difficult to analyze. You might come across malware that you have seen before without obfuscation. In that case you may only want to focus on reverse engineering the new parts.Encryption methods: A common type of malware these days is ransomware. Ransomware essentially encrypts the victim's files and locks them up so that they can't be accessed or read. Oftentimes the authors of ransomware will make mistakes when they implement the encryption mechanisms. So if you focus your research on the encryption mechanisms you might be able to find weaknesses in their implementation and/or you might be able to find hard-coded keys or weak algorithms.C&C communication: This is something that is pretty commonly done when looking at malware. Analysts often want to figure out what the communication protocol is between a piece of malware on the client's side and the server on the command and control side. The communication protocol can actually give you a lot of hints about the malware’s capabilities.Attribution: Murky area - kind of like a dark art. It usually involves a lot of guesswork, knowledge of malicious hacking teams and looking at more than one piece of malware.Categorization and clustering: You can reverse engineer malware from a broader point of view. This involves looking at malware in bulk and doing a broad-stroke analysis on lots of different malware, rather than doing a deep dive.TechniquesNow, let’s look at techniques that can be utilized while analyzing malware.First of all, we use static analysis. This is the process of analyzing malware or binaries without actually running them. It can be as simple as looking at metadata from a file. It can range from doing disassembly or decompilation of malware code to symbolic execution, which is something like virtual execution of a binary without actually executing it in a real environment.Conversely, dynamic analysis is the process of analyzing a piece of malware when you are running it in a live environment. In this case, you are often looking at the behavior of the malware and looking at the side effects of what it is doing. You are running tools like process monitor and sysmon to see what kinds of artifacts a piece of malware produces after it is run.We also use | APT 32 | ||
 |
2016-05-25 16:25:48 | Anonymous group takes aim at Fla. Gov. Rick Scott (lien direct) | In a video on Facebook, a figure in a Guy Fawkes mask accused Florida Gov. Rick Scott of a "collusion of corruption" following the dumping of polluted water from Lake Okeechobee into the Atlantic Ocean. |
APT 32 | ||
|
2016-03-21 13:00:00 | OS X Malware Samples Analyzed (lien direct) | By Eddie Lee and Krishna KonaA couple of months ago, as we rang in 2016, we thought it would be interesting to take a quick look back at some OSX malware from 2015 and 2014. As reported by the team at Bit9+Carbon Black [1], 2015 marked “the most prolific year in history for OS X malware”. We collected a few samples of malware named in that report, along with some samples of other notable OSX malware, with the intention of learning more about them and fill in any gaps in our detection mechanisms (NIDS and Correlation rules). Although our primary objective was to capture network traffic from the malware samples, we were also interested in other aspects of the malware like persistence mechanisms (if any) that they utilized, so we documented that activity as well.To start off with, we reviewed Flashback, one of the most infamous pieces of OS X malware that reminded everyone to the fact that OS X is not immune to malware. After that, we played with KitM, which is spyware, and LaoShu, a RAT. Then we analyzed Mask, a sophisticated malware that was used for cyber espionage. We also looked into CoinThief malware that steals bitcoins from the infected machine and the WireLurker malware that is capable of infecting iPhone devices connected to the compromised machine. Finally, we analyzed OceanLotus that was discovered May last year and found to be attacking Chinese government infrastructure. Below is a summary of our findings from analyzing the samples in a sandbox – the findings include links to fully executable samples, IDS signatures, persistence mechanisms and C&C details.OS X Malware DetailsFlashbackDescription: Flashback masquerades as Adobe Flash player update or a signed-java applet. Downloads/installs Web Traffic Interception component to inject ads into HTTP/HTTPS streams [4].Sample: https://www.virustotal.com/en/file/58029f84c3826a0bd2757d2fe7405611b75ffc2094a80606662919dae68f946e/analysis/Persistence mechanism: Installs a malicious file in user's home directory with the filename starting with a ‘dot' to hide itself and installs a LaunchAgent in ~/Library/LaunchAgents to refer to the created malicious file.C&C communication: Uses DGA for CnC domain names and twitter hashtags to decode the address of CnC server.AlienVault Detections:IDSExisting SIDs: 2014596, 2014597, 2014598, 2014599, 2014534, 2014522, 2014523, 2014524, 2014525System Compromise, Trojan infection, FlashbackKumar in the Mac (KitM)Description: KitM is a signed malware that can take screenshots, download and install programs, and steal data [5].Sample: https://www.virustotal.com/en/file/07062d9ecb16bd3a4ea00d434f469fe63d5c1c95d1b4903705de31353e9c92ce/analysis/Persistence mechanism: Adds a Login Item at ~/Library/Preferences/com.apple.loginitems.plistC&C server: liveapple[dot]eu (down)AlienVault Detections:IDS rules: https://github.com/AlienVault-Labs/AlienVaultLabs/blob/master/malware_analysis/OSX_Malware/snort_kitm.rulesSystem Compromise, Trojan infection, KitM | APT 32 | ||
|
2016-02-17 14:00:00 | OceanLotus for OS X – an Application Bundle Pretending to be an Adobe Flash Update (lien direct) | In May 2015, researchers at Qihoo 360 published a report on OceanLotus that included details about malware targeting Chinese infrastructure. In that report, there is a description about a piece of malware that targets OS X systems. A sample of that malware was uploaded to VirusTotal a few months ago. Curiously, as of February 8th, 2016, none of the 55 anti-virus solutions used by VirusTotal are detecting the sample as malicious. As such, we thought it would be interesting to take a closer look at the OS X version of OceanLotus.AnalysisOceanLotus for OS X is packaged as an application bundle pretending to be an Adobe Flash update. Although there are other files in the bundle, the files of interest are:FlashUpdate.app/Contents/MacOS/EmptyApplicationFlashUpdate.app/Contents/Resources/en.lproj/.en_iconFlashUpdate.app/Contents/Resources/en.lproj/.DS_StoresThe LoaderAs you can see below, EmptyApplication is a universal binary that can run on both i386 and x86_64 architectures. It is a fairly simple program that ROL3 decodes the "hidden" files .en_icon and .DS_Stores then executes them.$file EmptyApplicationEmptyApplication: Mach-O universal binary with 2 architecturesEmptyApplication (for architecture x86_64): Mach-O 64-bit executable x86_64EmptyApplication (for architecture i386): Mach-O executable i386For obfuscation, EmptyApplication uses XOR encryption with the key "xc" to obfuscate strings within the binary. Below is the simple decryption function. In the 64-bit version, strings shorter than 8 bytes are stored as integer values. Encrypted strings longer than 8 bytes are stored in adjacent variables and the decrypting function reads past the variable's 8 byte boundary. As you can see below, &v34 is passed to the decrypting function, but the function actually decrypts the combination of v34 and v35. After decoding .en_icon, EmptyApplication writes it to a temporary directory with the name "pboard" (presumably to mimic the OS X paste board daemon) and executes the binary. EmptyApplication then deletes itself, decodes .DS_Stores, and writes the decoded binary as "EmptyApplication" – replacing the original EmptyApplication executable. Finally, the new EmptyApplication is relaunched with a call to NSTask.launch(). The decrypted .DS_Stores binary does almost the same thing as the original EmptyApplication, except it does not look for .DS_Stores.The TrojanEncrypted StringsThe decoded .en_icon file is the main Trojan. It has anti-debugging capabilities and handles the connection to the command and control servers. As we'll discuss later, the Trojan takes advantage of several OS X specific commands and API calls, so it's clear that this Trojan was tailor-made for OS X rather than a port from another operating system.Again, most strings in the binary are XOR encrypted but this binary uses multiple keys and the keys themselves are XOR encrypted. In fact, the first thing the Trojan does is to decrypt several XOR keys. It is interesting to note that the code that sets up the decryption keys is executed before the "main" entry point by using C++ static constructors. This code is referenced in the __mod_init_func section of mach-o binaries. As you can see from the image above, the primary decryption key used throughout the executable is "Variable". However, there are several different instances of the "Variable" string, a |
APT 32 |
To see everything:
Our RSS (filtrered)
