Week in security with Tony Anscombe

ESET discovers Wslink – Why secure-by-design is a must – Staying cybersecure this Halloween and beyond – Operation Dark HunTOR

In this edition of Week in security, Tony looks at these topics:

ESET’s discovery of Wslink, a previously undescribed malicious loader for Windows binaries that, in contrast to other such loaders, runs as a server Why secure-by-design should be the norm and organizations need to develop a strong security culture from top to bottom Halloween is a great time to remind ourselves and our kids of risks lurking online – here’s what parents can do to make sure their children stay safe (not only) this Halloween.

All this – and more – on WeLiveSecurity.com. Connect with us on FacebookTwitterLinkedIn and Instagram.

Week in security with Tony Anscombe

ESET discovers Wslink – Why secure-by-design is a must – Staying cybersecure this Halloween and beyond – Operation Dark HunTOR

The post Week in security with Tony Anscombe appeared first on WeLiveSecurity

5 tips for parents for a cybersecure Halloween

What are some of the key dangers faced by children online and how can you help protect them from the ghosts, ghouls and goblins creeping on the internet?

Halloween, the scariest day of the year, is upon us. That can mean only one thing: children donning costumes of either their heroes or the scariest thing they can think of, and running door to door trying to gather as many sweets from their neighbors as they can. However, while some of the ghosts and ghouls, warlocks and witches on the streets are imaginary, the ones that can be found in cyberspace are all too real.

In this article, we’ll look at some of the key risks faced by children online and share tips that’ll help you keep them safe this Hallow’s eve, both on and off the internet.

Giving the device the heebie-jeebies

On Halloween, most people go all out – thought out costumes, decorated houses, spooky candy. And kids might take it a bit further decking out their smartphones with all manner of Halloween cheer – spooky ringtones, scary themes, or even Halloween-themed apps that make scary noises, or scary games.

However, kids probably won’t be willing to dive into their allowance to purchase these fun apps outright and will rather look for workarounds or freebies. That may include looking for goods on unofficial app stores, clicking on possibly malicious ads, or downloading apps from questionable developers. Any of these could lead to their devices being compromised with malware.

Beyond using a reputable security solution to protect their devices, you should probably have a discussion with your kids about proper cybersecurity habits such as sticking to official sources, when downloading any type of media, be it ringtones, themes, or apps.

Specters stalking cyberspace

While kids would prefer to pretend that monsters are limited to make-believe, and people in costumes to Halloween, adults know that monsters can be all too real; especially in the digital realm. They, too, wear costumes, sometimes donning the disguise of a friendly stranger, other times hiding behind the mask of a peer, but always for nefarious reasons.

The monsters hiding behind these made-up identities engage in the act of grooming – where they prey on the innocence of their victims and try to gain their trust and gradually try to lower their inhibitions. They do this by using various techniques including psychological manipulation and persuasion, with the ultimate goal being to abuse their victims in various ways.

So how do you go about teaching your kids about the dangers looming in the shadows of the internet? The first step is to have a frank and open conversation about it, make them feel safe and understand that they can trust you and come to you with any problem. The second piece of advice is one that has been heard many times over: “don’t talk to strangers”. Especially online! Finally, although attitudes to parental controls differ, employing them to monitor your kids’ internet activities and what they put on social media. However, that should be done with your kids while teaching them the importance of privacy.

Stealing can-dentity from a child

As with every holiday season, scammers will be trying to trick targets with specially themed phishing campaigns and so part them from their credentials. And while adults may be able to distinguish faux emails from the real deal, kids, who are more trusting, can be duped more easily.

The scammers can customize the phishing campaign to be anything like an email warning of unauthorized access to a social media account or Halloween-themed heavy discounts. Your children could receive a message purportedly linking to a steeply discounted pair of coveted sneakers, but by clicking on the link they either infest their devices with malware or are redirected to a phishing website. On this website, they’ll be asked to sign in with their social media credentials to begin the claims process and by the end of it, they’ll probably have to type in their payment card data too. And just like that, their identities and payment information have been purloined by the cybercriminals, actually stealing candy from a children.

While most phishing emails will be caught by spam filters, some still manage to wriggle through the net; so, it is important to teach your children how to protect themselves against phishing and to notice the signs that they’re dealing with a scam. This includes spelling mistakes, evoking a sense of urgency, requesting too much personal information or the email coming from a dubious domain. Using two-factor authentication can also add an extra layer of security.

Scaring the IT out of you

Night has set, your kids have finished trick-or-treating and they’re about to gear up for dreary, scary, and spooky movie night with their friends. Usually, that entails brainstorming and picking from a list of scary classics up to modern-day remakes.

Once they settle on something, perhaps Stephen King’s “It”, they’ll probably try to find somewhere to stream it online and optimally for free. However, pirate streaming websites open up a whole can of worms. First of all, most free streaming websites teeter on the edge of legality, which might get them in hot water. And secondly, these websites usually spam users with popup ads or adware that in most cases are trying to generate revenue but can sometimes be infested with malware. Some of them even use scare tactics to convince people that their devices have been compromised. Kids who can easily be duped by these ads can then click on them and download the malware to their devices, compromising them for real.

Most of the adware can be caught by the safety net of trusted ad-blocking extensions you can add to your browser. But the best effect is teaching your kids to avoid visiting dubious websites that use similar tactics. You can rent most movies online or use official streaming services.

Losing your way

Kids are a curious bunch, and they like to explore and discover things. However, an

5 tips for parents for a cybersecure Halloween

What are some of the key dangers faced by children online and how can you help protect them from the ghosts, ghouls and goblins creeping on the internet?

The post 5 tips for parents for a cybersecure Halloween appeared first on WeLiveSecurity

Dark HunTOR: 150 arrested, $31 million seized in major dark web bust

The police sting spanned three continents and involved crackdowns in nine countries

Law enforcement agencies from Europe, the United States and Australia have teamed up to arrest some 150 people who are believed to have sold and bought illegal drugs and other illicit goods on the dark web.

“More than €26.7 million (USD 31 million) in cash and virtual currencies have been seized in this operation, as well as 234 kg of drugs and 45 firearms. The seized drugs include 152 kg of amphetamine, 27 kg of opioids, and over 25 000 ecstasy pills,” according to Europol.

🕸️🔎 The dark web is no longer as dark as criminals would like!

150 suspects have been arrested as a result of #DarkHunTOR targeting the vendors & buyers of illicit goods on the #darkweb@Europol @Eurojust 🇺🇸 🇩🇪 🇬🇧 🇮🇹 🇳🇱 🇫🇷 🇨🇭 🇧🇬 🇦🇺

More details: https://t.co/mgbYBNqSs4 pic.twitter.com/lhzcmrWadu

— Europol (@Europol) October 26, 2021

The international bust, dubbed Dark HunTOR (possibly a wordplay on ‘hunter’ and the Tor anonymity network), consisted of a series of separate yet complementary operations that took place in Australia, Bulgaria, France, Germany, Italy, the Netherlands, Switzerland, the United Kingdom, and the United States. Europol and Eurojust – the European Union’s law enforcement and judicial agencies, respectively – were responsible for the coordination efforts.

The arrests build upon the success of last year’s DisrupTor operation and the takedown of DarkMarket in January, the world’s then-largest illicit darknet marketplace. Back then, Germany’s law enforcement apprehended DarkMarket’s suspected operator and seized the bazaar’s IT infrastructure, which provided other law enforcement agencies from around the globe with mountains of evidence.

Europol’s European Cybercrime Centre (EC3) has used the information to identify key players, which now led to the arrest of no fewer than 150 people in Europe and the US, including some “High Value Targets”.

“Operation Dark HunTor prevented countless lives from being lost to this dangerous trade in illicit and counterfeit drugs, because one pill can kill. The Department of Justice with our international partners will continue to crack down on lethal counterfeit opioids purchased on the Darknet,” said US Deputy Attorney General Lisa Monaco, lauding the success of the operation.

During the operation, Italian law enforcement shut down two other dark web bazaars. The takedown of the ‘DeepSea’ and ‘Berlusconi’ marketplaces, which between them boasted more than 100,000 offers of illegal goods, led to the arrests of four administrators and the seizure of €3.6 million (some US$4.2 million) worth of cryptocurrencies.

Thinking of buying stuff on the dark web? Think again

If you think of buying products or services on a dark web marketplace, perhaps out of sheer curiosity, then be aware that you may ultimately get more than you bargained for – this includes getting scammed out of money through to having your devices infested with malware, Europol warned.

Dark HunTOR: 150 arrested, $31 million seized in major dark web bust

The police sting spanned three continents and involved crackdowns in nine countries

The post Dark HunTOR: 150 arrested, $31 million seized in major dark web bust appeared first on WeLiveSecurity

Wslink: Unique and undocumented malicious loader that runs as a server

There are no code, functionality or operational similarities to suggest that this is a tool from a known threat actor

ESET researchers have discovered a unique and previously undescribed loader for Windows binaries that, unlike other such loaders, runs as a server and executes received modules in memory. We have named this new malware Wslink after one of its DLLs.

We have seen only a few hits in our telemetry in the past two years, with detections in Central Europe, North America, and the Middle East. The initial compromise vector is not known; most of the samples are packed with MPRESS and some parts of the code are virtualized. Unfortunately, so far we have been unable to obtain any of the modules it is supposed to receive. There are no code, functionality or operational similarities that suggest this is likely to be a tool from a known threat actor group.

The following sections contain analysis of the loader and our own implementation of its client, which was initially made to experiment with detection methods. This client’s source code might be of interest to beginners in malware analysis – it shows how one can reuse and interact with existing functions of previously analyzed malware. The very analysis could also serve as an informative resource documenting this threat for blue teamers.

Technical analysis

Wslink runs as a service and listens on all network interfaces on the port specified in the ServicePort registry value of the service’s Parameters key. The preceding component that registers the Wslink service is not known. Figure 1 depicts the code accepting incoming connections to that port.

Figure 1. Hex-Rays decompilation of the loop accepting incoming connections

Accepting a connection is followed by an RSA handshake with a hardcoded 2048-bit public key to securely exchange both the key and IV to be used for 256-bit AES in CBC mode (see Figure 2). The encrypted module is subsequently received with a unique identifier – signature – and an additional key for its decryption.

Interestingly, the most recently received encrypted module with its signature is stored globally, making it available to all clients. One can save traffic this way – transmit only the key if the signature of the module to be loaded matches the previous one.

Figure 2. Hex-Rays decompilation of receiving the module and its signature

As seen in Figure 3, the decrypted module, which is a regular PE file, is loaded into memory using the MemoryModule library and its first export is finally executed. The functions for communication, socket, key and IV are passed in a parameter to the export, enabling the module to exchange messages over the already established connection.

Figure 3. Hex-Rays decompilation of code executing the received module in memory

Implementation of the client

Our own implementation of a Wslink client, described below, simply establishes a connection with a modified Wslink server and sends a module that is then decrypted and executed. As our client cannot know the private key matching the public key in any given Wslink server instance, we produced our own key pair and modified the server executable with the public key from that pair and used the private key in our Wslink client implementation.

This client enabled us to reproduce Wslink’s communication and search for unique patterns; it additionally confirmed our findings, because we could mimic its behavior.

Initially some functions for sending/receiving messages are obtained from the original sample (see Figure 4) – we can use them right away and do not have to reimplement them later.

Figure 4. The code for loading functions from a Wslink’s sample

Subsequently, our client reads the private RSA key to be used from a file and a connection to the specified IP and port is established. It is expected that an instance of Wslink already listens on the supplied address and port. Naturally, its embedded public key must also be replaced with one whose private key is known.

Our client and the Wslink server continue by performing the handshake that exchanges the key and IV to be used for AES encryption. This consists of three steps, as seen in Figure 5: sending a client hello, receiving the symmetric key with IV, and sending them back to verify successful decryption. From reversing the Wslink binary we learned that the only constraint of the hello message, apart from size 240 bytes, is that the second byte must be zero, so we just set it to all zeroes.

Figure 5. Our client’s code for the RSA handshake

The final part is sending the module. As one can see in Figure 6, it consists of a few simple steps:

receiving the signature of the previously loaded module – we decided not to do anything with it in our implementation, as it was not important for us sending a hardcoded signature of the module reading the module from a file, encrypting it (see Figure 7) and sending it sending the encryption key of the module

Figure 6. Our client’s code for sending the module

Figure 7. Our client’s code for loading and encrypting the module

The full source code for our client is available in our WslinkClient GitHub repository. Note that the code still requires a significant amount of work to be usable for malicious purposes and creating another loader from scratch would be easier.


Wslink is a simple yet remarkable loader that, unlike those we usually see, runs as a server and executes received modules in memory.

Interestingly, the modules reuse the loader’s functions for communication, keys and sockets; hence they do not have to initiate new outbound connections. Wslink additionally features a well-developed cryptographic protocol to protect the exchanged data.

IoCs Samples SHA-1ESET detection name 01257C3669179F754489F92947FBE0B57AEAE573Win64/TrojanDownloader.Wslink E6F36C66729A151F4F60F54012F242736BA24862 39C4DE564352D7B6390BFD50B28AA9461C93FB32 MITRE ATT&CK techniques

This table was built using version 9 of the ATT&CK framework.

TacticIDNameDescription EnterpriseT1587.001Develop Capabilities: MalwareWslink is a custom PE

Wslink: Unique and undocumented malicious loader that runs as a server

There are no code, functionality or operational similarities to suggest that this is a tool from a known threat actor

The post Wslink: Unique and undocumented malicious loader that runs as a server appeared first on WeLiveSecurity

Putting cybersecurity first: Why secure‑by‑design must be the norm

Organizations that aim to pull ahead of the competition need to develop a strong security culture from top to bottom

The post Putting cybersecurity first: Why secure‑by‑design must be the norm appeared first on WeLiveSecurity

Putting cybersecurity first: Why secure‑by‑design must be the norm

Organizations that aim to pull ahead of the competition need to develop a strong security culture from top to bottom

From headline-grabbing stories of ransomware to personal experiences of identity theft, cybersecurity is increasingly finding its way into collective consciousness. During the pandemic, an escalation in threat levels also reminded IT and business leaders what’s at stake. Now that we’re gradually entering a new era of hybrid work, it’s vital that teams go a stage further and embed security into every aspect of an organization. Too often, it’s still treated as something of an afterthought. There are also worrying signs that younger staff members in particular are resistant to anything that impacts their productivity.

That’s why one of the key themes during this year’s Cybersecurity Awareness Month is “Cybersecurity First.” It’s a simple idea, but one that may take some effort to operationalize. Security must be built in rather than bolted on – but not necessarily at the expense of business growth and innovation.

When employees rebel

We all know what happened during the pandemic. With mass remote work and digital transformation came an expanded corporate attack surface, and new gaps in protection ruthlessly exploited by threat actors. They hit unpatched Virtual Private Network (VPN) services and Exchange servers, hijacked Remote Desktop Protocol (RDP) endpoints protected by weak or breached passwords, target misconfigured cloud systems, and much more. In this context, driving a secure-by-design culture would do much to eliminate the gaps so frequently exploited by attackers.

Yet there is resistance. In new research, three-quarters (76 percent) of global IT leaders admit that security took a backseat to business continuity during the pandemic. That may have been justifiable at the time, but not now that operational risk is receding. Yet younger workers appear to be ignorant of policies, apathetic towards security in general, and increasingly frustrated at having their productivity “restricted.” Almost half (48 percent) of those aged 18-24 years old claimed security tools were a hindrance, and nearly a third (31 percent) said they’d tried to circumvent corporate policies to get work done.

Cybersecurity First will, therefore, require careful planning and execution to avoid a user backlash.

When security is an afterthought

There must be progress, because bolted-on security is failing organizations everywhere. A classic example is in the world of DevOps, where processes are geared towards time-to-value rather than risk mitigation. The result is often software that’s shipped with vulnerabilities that end up being exploited in attacks. One recent study claims that upstream attacks, in which threat actors inject new vulnerabilities into open source code, surged 650% year-on-year.

The costs of patching, plus the reputational damage that comes attached to a serious incident, can far exceed those associated with building better security into the CI/CD pipeline. There are many more examples. Just consider the huge financial and reputational fallout from the 2017 Equifax breach, said to have affected nearly half of all US adults. It could have been prevented by prompt patching. Or the 2019 Capital One breach that hit 100 million consumer credit applicants. Closer monitoring for cloud misconfigurations may have saved the bank’s blushes.

We need to get cybersecurity to a point where safety is now in the car industry. In this sector, safety teams are closely involved in the design and rollout of virtually every new feature in vehicles. It’s why we now have high-performance braking, shatter-resistant windshields, roll bars, air bags and many other technology innovations as standard in most cars today. And the operators of these vehicles are trained and tested to use them in a safe and compliant manner. Cybersecurity must be the same.

Putting security first

Secure-by-design is a key principle of the GDPR, widely regarded as a standard-setter in global privacy regulation. Building in rather than bolting on also just makes sense, from a risk mitigation and a cost perspective. So what does it look like in practice? Here are some suggestions:

Data minimization and encryption everywhere can help to reduce data security risks and information exposure Continuous IT asset management and control across the entire environment will help you understand what you have, and then protect it Regular staff training and awareness sessions can turn a weak link in the security chain into a formidable first line of defense, and help create a culture of security first Close consultation with users will ensure that when policies are redesigned for the hybrid workforce, they’re done in a way that minimizes disruption to staff A focus on access management, following the principle of least privilege and featuring two-factor authentication by default, could prevent 90 percent of attacks Automated, risk-based patching programs can drive major improvements in cyber-hygiene to reduce the size of the corporate attack surface Logging, monitoring and detection and response are also critical to finding and mitigating any breaking attacks across the environment Continuous monitoring and vetting of the supply chain will also help to proactively address a major source of cyberrisk A Zero Trust security strategy is an increasingly popular way to head off risk through continuous authentication and other controls

The bottom line is that Cybersecurity First is all about turning security from a reactive to a proactive stance. And if you’re struggling to find the budget to undertake lasting change, remember to position it as an enabler. Brakes aren’t there only to slow down the vehicle, but also to ensure it can safely travel faster. That’s why secure-by-design organizations innovate faster, and ultimately pull ahead of their rivals. They have the confidence to drive ambitious digital transformation projects, because they’re built on a secure foundation.