
About Cheryl Biswas

Writer, reader, techie, Trekkie. InfoSec and political analyst. Keeping our world safe one byte at a time.

Update: WannaCry Ransomware


[Image: real time botnet tracking map by http://www.malwaretech.com]

The number of countries impacted is over 100. We are expecting version 2.0 to hit by Monday, because that’s the nature of these attacks: the attackers know when they have their victims over a barrel, and they maximize the opportunity. Microsoft has issued patches. But what everyone can and must do, over and above applying these specific patches, is this:

  • Ensure you have full, working backups that are offline and removed from the network.
  • Have a Disaster Recovery/Business Continuity plan that specifically addresses cyber events like this one.
  • Be ready with a designated crisis communications spokesperson and prepared statements. If you’ve been hit, and things are going terribly wrong, then you don’t want to be dealing with that and trying to say the right things to press, staff and stakeholders at the same time.
  • Check in with and listen to your network and sysadmins. They know what’s going on out there. They’ve seen the sh*t that happens, what breaks, and why.
  • Don’t evade or deflect this topic. Don’t underplay it, and of course don’t focus on the fear. Have honest discussions with your staff, because this is how you create lasting awareness and change behaviours in ways that will better secure your organization.

I follow these two experts on the risks to specialized systems, notably ICS (Industrial Control Systems) and SCADA (Supervisory Control and Data Acquisition). Note that medical facilities, mass transit, manufacturing and utilities all rely on these specialized systems, which are proprietary, are often set up with hard-coded or default passwords that are NOT secure, and run on older equipment that just can’t be upgraded, so it is left running unpatched until it fails. There is so much more we need to address.

Here is a global snapshot (per CTV news):

[Image: Russian Train Control Center Ransomwared]

EUROPEAN UNION: Europol’s European Cybercrime Centre, known as EC3, said the attack “is at an unprecedented level and will require a complex international investigation to identify the culprits.”
BRITAIN: Britain’s home secretary said the “ransomware” attack hit one in five of 248 National Health Service groups, forcing hospitals to cancel or delay treatments for thousands of patients — even some with serious ailments like cancer.
GERMANY: The national railway said Saturday departure and arrival display screens at its train stations were affected, but there was no impact on actual train services. Deutsche Bahn said it deployed extra staff to help customers.
RUSSIA: Two security firms — Kaspersky Lab and Avast — said Russia was hit hardest by the attack. The Russian Interior Ministry, which runs the country’s police, confirmed it was among those that fell victim to the “ransomware,” which typically flashes a message demanding payment to release the user’s data. Spokeswoman Irina Volk was quoted by the Interfax news agency Saturday as saying the problem had been “localized” and that no information was compromised. Russia’s health ministry said its attacks were “effectively repelled.”
UNITED STATES: In the U.S., FedEx Corp. reported that its Windows computers were “experiencing interference” from malware, but wouldn’t say if it had been hit by ransomware. Other impacts in the U.S. were not readily apparent.
TURKEY: The head of Turkey’s Information and Communication Technologies Authority or BTK says the nation was among those affected by the ransomware attack. Omer Fatih Sayan said the country’s cyber security centre is continuing operations against the malicious software.
FRANCE: French carmaker Renault’s assembly plant in Slovenia halted production after it was targeted. Radio Slovenia said Saturday the Revoz factory in the southeastern town of Novo Mesto stopped working Friday evening to stop the malware from spreading.
BRAZIL: The South American nation’s social security system had to disconnect its computers and cancel public access. The state-owned oil company Petrobras and Brazil’s Foreign Ministry also disconnected computers as a precautionary measure, and court systems went down, too.
SPAIN: The attack hit Spain’s Telefonica, a global broadband and telecommunications company.


No Accidental Hero Here – Amazing!

There are many in our community of extraordinary souls who do amazing things at the hardest of times. This is one of those stories. Thank you!

And because he tells the story so much better than I ever could, please read his blog post as linked here. You can copy and paste the URL provided in your browser to be extra safe. 

https://www.malwaretech.com/2017/05/how-to-accidentally-stop-a-global-cyber-attacks.html

It’s THAT Bad

PATCH YOUR STUFF! The flaw fixed by MS17-010, the one behind that fun little exploit leaked in the most recent ShadowBrokers dump, is being abused in the worst way. WannaCry ransomware is everywhere. Get your backups in place. NOW! And don’t put them on the same network.

Countries around the globe have been hit by a massive ransomware attack that has already earned 100 bitcoins. It started early this morning when hospitals in the UK were struck. There were confirmations that a telecom and businesses in Spain were also hit.

Two hours ago, judging by the tweet storm, Russia, Israel, the US and 70 other countries were all infected.

Kevin Beaumont, or @gossithedog on Twitter, has recommended the following in addition to patching your stuff, because Microsoft had this patch available before this happened and we know, WE KNOW, that attackers move this fast:

Make a group policy for the Windows firewall. Block SMB between all endpoint PCs. Limit it between servers that need it. That way if you miss a patch in future (but you won’t after today, will you?) or if AV doesn’t work, then you can really make it harder for the ransomware to spread. Buying you time to control and contain.

Which prompts me to ask: How is your IR plan? Is it geared to cyber events like this? And oh yeah, do you have DR/ BCP cuz you sure as heck are going to need that ready to roll out. And – have you set up a policy on who says what for crisis communications? Because you really want to control how that happens too.

If you answered no to any of the above, just get on it now. Because you don’t know who is gonna get hit next on this round of rushin’ roulette.

1 Billion Accounts Breached: Are YOU in here?


If you haven’t heard, there are currently about 1 billion accounts caught in two massive breaches: Exploit.in and AntiPublic. I’m one of that billion, and so was a family member. So are work colleagues. So that’s why I’m writing this – for the people I want to protect.

Security researcher Troy Hunt has been actively working on these breaches and getting notifications out. Among the key concerns raised was credential stuffing.

Credential stuffing is the automated injection of breached username/password pairs in order to fraudulently gain access to user accounts. This is a subset of the brute force attack category: large numbers of spilled credentials are automatically entered into websites until they are potentially matched to an existing account, which the attacker can then hijack for their own purposes.

As Troy lays out -and we need to be reminded of – this matters to us because:

  • It’s enormously effective due to the password reuse problem
  • It’s hard for organisations to defend against because a successful “attack” is someone logging on with legitimate credentials
  • It’s very easily automatable; you simply need software which will reproduce the logon process against a target website
  • There are readily available tools and credential lists that enable anyone to try their hand at credential stuffing
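
Troy’s second point, that a successful stuffing attempt is just a legitimate-looking login, is what any detection has to work around. Here is an added Python example of my own (not from Troy’s site or the post) that separates credential stuffing from brute force and normal use in a constructed auth log, and lists the accounts that were actually hit so they can be reset first; the log format, thresholds and IPs are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# One constructed auth-log line per login attempt (the format is an assumption, not a real product's).
LINE_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")


def parse_auth_log(lines):
    """Parse constructed auth-log lines into event dicts; unparseable lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append({"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                           "ip": m["ip"], "user": m["user"], "ok": m["result"] == "OK"})
    return events


def classify_sources(events, window_s=600, min_users=5, max_tries_per_user=2.0, min_fail_rate=0.7):
    """Per source IP, look at its busiest window and label it.

    Credential stuffing: many distinct users, roughly one try each (the pairs are already
    known), mostly failing. Brute force: many tries against few users. Anything else: benign.
    Successful logins inside a stuffing burst are the accounts to force a password reset on.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    verdicts = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        best, j = [], 0
        for i in range(len(evs)):  # sliding window: keep the densest window_s span
            while (evs[i]["ts"] - evs[j]["ts"]).total_seconds() > window_s:
                j += 1
            if i - j + 1 > len(best):
                best = evs[j:i + 1]
        users = {e["user"] for e in best}
        attempts = len(best)
        fail_rate = sum(1 for e in best if not e["ok"]) / attempts
        tries_per_user = attempts / len(users)
        if len(users) >= min_users and tries_per_user <= max_tries_per_user and fail_rate >= min_fail_rate:
            verdict = "credential_stuffing"
        elif len(users) < min_users and attempts >= 10 and fail_rate >= min_fail_rate:
            verdict = "brute_force"
        else:
            verdict = "benign"
        verdicts[ip] = {
            "verdict": verdict, "attempts": attempts, "distinct_users": len(users),
            "fail_rate": round(fail_rate, 2),
            # accounts that actually logged in during a stuffing burst: reset these first
            "hijacked": sorted(e["user"] for e in best if e["ok"]) if verdict == "credential_stuffing" else [],
        }
    return verdicts


def _line(ts, ip, user, result):
    return f"{ts} ip={ip} user={user} result={result}"


# Constructed sample: a stuffing burst (one try per user, one hit), a single-user brute force,
# and a normal user who mistyped once. The IPs are documentation ranges.
SAMPLE_LOG = (
    [_line(f"2017-05-12T10:00:{i:02d}Z", "203.0.113.5", u, "OK" if u == "bob" else "FAIL")
     for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank", "grace", "heidi"])]
    + [_line(f"2017-05-12T10:05:{i:02d}Z", "198.51.100.9", "admin", "FAIL") for i in range(12)]
    + [_line("2017-05-12T10:10:00Z", "192.0.2.10", "alice", "FAIL"),
       _line("2017-05-12T10:10:20Z", "192.0.2.10", "alice", "OK")]
)

if __name__ == "__main__":
    for ip, v in classify_sources(parse_auth_log(SAMPLE_LOG)).items():
        print(ip, v)
```

The thresholds are deliberately loose; on real logs you would tune them against your own traffic and add a per-user view, since stuffing from a distributed botnet spreads the same signature over many source IPs.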

You can read his site to see more. So what that leads to is stuff like this:

Exploit.in is 111 text files totalling 24 GB: a mountain of email addresses paired with passwords. Given Troy’s research so far, among the 593,427,119 unique email addresses it contains there are accurate, i.e. valid, credentials and data that isn’t already compromised, so fresh kill. There are only 222 million duplicates between the lists, which means 63% of the accounts in Exploit.in are different from the 457,962,538 addresses in AntiPublic.

The numbers are staggering, but what we need to be “impressed” by is what led to this. It’s the same root causes, known failings and weaknesses and bad habits that have accumulated as data has accumulated. We all know how much easier it is to fix a problem in the early stages.

So the AntiPublic tool verifies how legitimate hacked credentials are, and data breach services pop up to buy and sell these credentials. I have contacts who tell me that every time these dumps happen they find a significant number of compromises in their regions, regardless of how many recycled creds are in there. Troy gathered some explanations on how this works:

  • the tool itself is for sale here [redacted]
  • it’s pretty cheap
  • it’s mostly used in Russia, but he does sell an English version
  • most common use-case: someone buys a dump on x forum, uses the tool to verify which ones are legit
  • similar to Sentry MBA and Account Hitman
  • you will often see a uniqueness score associated with the sale based on output

I really appreciate the work done by security researcher Troy Hunt and his site HaveIBeenPwned. This is a quick and easy way for anyone to check the status of their email or username, as well as to receive notifications when they may be caught up in a breach. Because the sooner you can change your passwords, the better.


Guess What I Get to Do Next?!


Yes indeedy! I’ll be speaking about one of my very favourite things, Threat Intel, with one of my very favourite people, Haydn Johnson. Let’s just say we’ve put everything into this talk. We’ve finessed and enriched all our accumulated knowledge from previous works into something we are so proud to deliver.  Click here to learn more.

If you want to attend, you still can! Register for #InteropITX with my promo code & save 20% off any pass. Go to www.interop.com and use code: https://l.feathr.co/interop-itx-cheryl-biswas-c

Some context on the ShadowBroker’s Dump

Photo by Tristan Schmurr, Cyberscoop Apr 21

A good friend of mine, with the handle @loneferret, shed some clarity on the massive dump of exploits two weeks back by the ShadowBrokers. I haven’t said my piece here, but believe me, I shared my thoughts online as things developed. And DoublePulsar, a backdoor implant, is just that gift that keeps on giving, as countless systems appear to be infected: John Matherly of Shodan cited finding at least 45k as of April 21. Dan Tentler, aka @viss, describes it perfectly as “a loading dock for extra malware”. There is much to be said, but I quite liked the way my friend spun things, so without further ado …

Yet another MS17-010 blog post.
However, the more noise that is generated, the more people will update their systems.

About a week ago now, a bunch of exploits were leaked by a group calling themselves “Shadow Brokers”, or “ShadowBrokers”; both spellings are used it seems ¯\_(ツ)_/¯.
These exploits are serious stuff, as they affect almost every version of Windows, both professional and home (what you have at home most likely), as well as server editions. There are Linux exploits as well but that’s for another post …

Barely a week has passed, and reports of ransomware being delivered using “Eternalblue” are popping up. Reports of systems being compromised by what we can only assume are “script-kiddies” have also surfaced.

Why keep reading? My goal here isn’t to give a technical lesson nor a course in exploitation, but to spread awareness. When these types of vulnerabilities & exploits are made public, havoc isn’t too far behind.

As a pen-tester the news of exploits originating from an NSA dump was exciting. It gives some insight on what sort of tools\exploits the notorious agency has, and ensures some level of job security for me (I know, selfish). But what does this mean for the corporate user? What does this mean for the average user? In a nutshell, if you haven’t installed the most recent security updates, you risk having your data stolen, deleted, or your hard drive encrypted and held for ransom.

Tweeted by @belowzeroday, Cyberscoop, Apr 21

I shall try and put this in perspective, in the most entertaining manner I can. So, sit back, grab your morning Irish coffee and step inside my time machine.

Back in 2003 a computer worm made its way through the Internet. This worm infected thousands of systems, both commercial and personal. It ravaged and pillaged everything it could lay its crummy little paws on. It was finally detected in 2008, and given the name “Conficker”. I remember 2008 well. At the time, I was a system administrator for an IT consulting firm & was called upon many times to stomp this little critter. This worm was good, well coded, and went undetected for 5 years! It merged so well with Windows, it really didn’t affect the system’s performance. It was also very good at reproducing itself… kinda like George Foreman.

Why was it so successful? How did it manage to get into so many systems? It was a flaw in Windows, much like the flaw leveraged by the exploits in the “ShadowBrokers” dump. Essentially… it’s 2008 all over again. Which begs the question, how long did the NSA have this exploit? Also, were they the only ones? If it took 5 years to catch “Conficker”, one can assume this flaw (and exploit) has been around for at least the same amount of time (give or take a year).

So, I beg you, please don’t fear the Windows update window.
Let it run… Embrace it, enjoy it, whisper sweet nothings into its ear.
Because if you don’t, you only have yourself to blame if your browser history ends up on pastebin.

A message from your friendly neighbourhood hacker @loneferret

Ps. This flaw, and others, were fixed back in March of 2017. This piece was written in April 2017.

It Really Was the Lazarus Group, in North Korea with SWIFT


Last week, news broke that the US had linked North Korea to the theft of millions against the Federal Reserve in a series of bank heists involving the SWIFT messaging system. I did a couple of talks last year about banking insecurity as a fairy tale that misrepresented itself in the form of that trusted messaging system, SWIFT. The deeper I delved, the scarier that fairy tale got. But from the start I had my suspicions about who was behind it and why. Why was a big factor, because it ruled out the usual bank cyber crime suspects, aka Russia and Eastern Europe. This was too overt a move for a nation state to make, right? Well, that depends which nation state you are.

And this was where my poli sci years kicked in.  I’ve always stood at that intersection of international relations and cybersecurity. It’s one heck of a vantage point. I do threat intel. Still pinching myself because I didn’t know this thing I love to do even existed a few years ago. But as I learn and grow in this field, what becomes increasingly clear is the need for context. That we have to take more than we surmise into account to really get the big picture. And we need the big picture to do this right. Otherwise we risk making the wrong call when we choose to play the attribution blame game, where the stakes are high and the consequences could level a lot more than the proverbial playing field.  So international relations, current affairs, global economy and history all need to be factored in. Then we have data with context and points that link, so we can see patterns.

[Photo: Linda Davidson/Washington Post]

Because for me this story was always so much more than just “hackers went after a billion but only got 81 million”.  Who was behind those hackers? Why Bank of Bangladesh? Who needed a billion badly enough to digitally “rob” a bank? I’ll admit I have my likely crew: Russia, China, North Korea.  In this case, Russia and China were too big to make this kind of a play and have to contend with the global condemnation.  That’s a headache they would rather avoid and neither needed a billion dollars that badly. However, North Korea was a different story: impoverished, starving, and whose wildcard of a leader answered to no one in his quest for nukes. As per a recent story in the Washington Post:

“North Korea has consistently been treated like a joke, but now the joke has nuclear weapons,” said John Park, director of the Korea Working Group at the Harvard Kennedy School. “If you deem Kim Jong Un to be irrational, then you’re implicitly underestimating him.”

Kim Jong Un may be crazy, but he’s crazy like a fox. Hence the attacks were on banks where nobody would care. Because the truth is that first world problems get the attention, not developing nations like those in South East Asia. And of course, security was lax, because the resources just weren’t there. Nor was the mindset. Corruption and coercion get things done in many parts of the world. How do you factor those into NIST spreadsheets and security audits?

A colleague and I had a great brainstorming session on geopolitics and cybersecurity as we put the details together. His keen insights and my paranoia spun the needle to land on North Korea. We just didn’t have any proof.  Fast forward a few months later, though, and tracks were found in the butter. Remember what I said earlier about the importance of history, context and patterns? Key pieces of code harkened back to the attack on Sony, and some very crafty work by the Lazarus Group.  While it wasn’t a smoking gun, it certainly was substantive. After his work on decoding Stuxnet, I listen when Eric Chien of Symantec weighs in. He knew what he saw there and he called it.

In the realm of cyber criminals, the Lazarus Group are somewhat nebulous, hard to pin down, and known for their ability to die off and then resurrect themselves, hence their name. They’ve been identified as operating out of North Korea. To me, that means North Korea gives them a safe haven in return for services rendered. They are the bag man for their host, supplying “dirty deeds”, just not done dirt cheap. Because nation states don’t do this stuff for themselves when they need to remain one step removed. Let me state that things are nowhere near this simplistic, and yes, China factors into this as well. But no surprise there, given the long-standing partnership between China and North Korea.

Where does this lead? Well, I did allude to the possibility of global economic chaos being used in the games nations play, because it’s all about the power, and money is just a means to that end. Now we have news reports saying how nation states have resorted to robbing banks, and what a terrifying prospect that is. According to Richard Ledgett, Deputy Director of the NSA, in a story by the Wall Street Journal:

“If that linkage is true, that means a nation-state is robbing banks. That is a big deal; it’s different,” he said on Tuesday during a panel discussion at the Aspen Institute.

Mhm. I have a lot more where that came from.

Please click here if you’d like to see my talk on SWIFT and banking insecurities.


FIN7 Spear Phishing, Carbanak and the SEC

FinSec is a thing. It’s rather become my thing, when I delve deeper and find the connections and patterns that emerge. This week, FireEye published a post on a campaign known as FIN7. They identified a spear phishing campaign in late February that targeted people who were filing with the US SEC. FIN7 is described as a

“financially motivated intrusion set that selectively targets victims and uses spear phishing to distribute its malware.”

Sectors identified as targets are in the US but have a global spread and include:

  • Financial services
  • Transportation
  • Retail
  • Education
  • IT services
  • Electronics

Often they target retail and hospitality through POS malware.  Here’s the play by play:

  • Malicious documents drop a VBS script and install a PowerShell backdoor. No question that PowerShell is now the tool of choice for attackers. Set up your IDS to look for signs.
  • The backdoor is a new malware family dubbed POWERSOURCE. It’s based on a publicly available tool, DNS_TXT_Pwnage. What they’ve done is modify it, especially in terms of obfuscation. If you can’t find it …
  • FIN7 uses DNS TXT records for Command and Control. DNS TXT has been trending as a C2 channel because of how hard it makes detection and threat hunting around command and control.
  • But wait! There’s a second backdoor, installed by POWERSOURCE. This second stage PowerShell backdoor is known as TEXTMATE. It’s fileless malware – yes, that’s a thing now too – that stays memory resident, so you can’t find it easily, and lets the attacker play hide and seek better.
  • There have been instances of a Cobalt Strike Beacon payload.
  • That same domain hosting the Cobalt Strike Beacon also hosted – get ready for it – a recently compiled CARBANAK backdoor sample. We know how pervasive CARBANAK is, and that it has recently made a major pivot into the hospitality sector. And, as it happens, it is something that FIN7 has used in the past.
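
DNS TXT command and control, as used in the play by play above, is hard to catch with a signature, but it leaves statistical traces. This added Python example is mine, not FireEye’s or the post’s: it scores three such traces over a constructed DNS query log (a fresh label per query, random-looking labels, and a steady timer) and leaves routine SPF lookups alone. The log format, the thresholds and the zone beacon.example are assumptions.

```python
import math
import re
import statistics
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed DNS query-log format (an assumption, not any product's native format).
LOG_RE = re.compile(r"^(?P<ts>\S+) client=(?P<client>\S+) qtype=(?P<qtype>\S+) qname=(?P<qname>\S+)$")

def shannon_entropy(s):
    """Bits per character: encoded C2 data looks random, real hostnames do not."""
    if not s:
        return 0.0
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values())

def split_zone(qname):
    """Assumption: no public-suffix list, so the last two labels are taken as the zone."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])

def parse_dns_log(lines):
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            events.append({"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                           "client": m["client"], "qtype": m["qtype"], "qname": m["qname"]})
    return events

def find_txt_beacons(events, min_queries=8, min_unique_ratio=0.8, min_entropy=3.0, max_cv=0.3):
    """Group TXT queries per (client, zone) and score three C2 traits together: each
    query carries a fresh label (defeats caching), labels look random, and queries
    arrive on a steady timer. Routine SPF/DMARC lookups fail all three."""
    groups = defaultdict(list)
    for e in events:
        if e["qtype"] == "TXT":
            zone, sub = split_zone(e["qname"])
            groups[(e["client"], zone)].append((e["ts"], sub))
    findings = {}
    for key, items in groups.items():
        items.sort()
        subs = [s for _, s in items]
        n = len(subs)
        unique_ratio = len(set(subs)) / n
        entropy = statistics.mean(shannon_entropy(s.replace(".", "")) for s in subs)
        gaps = [(b - a).total_seconds() for (a, _), (b, _) in zip(items, items[1:])]
        # coefficient of variation of the inter-query gaps: near 0 means a timer is driving them
        cv = statistics.pstdev(gaps) / statistics.mean(gaps) if len(gaps) > 1 and sum(gaps) > 0 else None
        findings[key] = {
            "queries": n, "unique_ratio": round(unique_ratio, 2), "entropy": round(entropy, 2),
            "interval_cv": None if cv is None else round(cv, 2),
            "suspicious": (n >= min_queries and unique_ratio >= min_unique_ratio
                           and entropy >= min_entropy and cv is not None and cv <= max_cv),
        }
    return findings

def _sample_lines():
    """Constructed sample: one beaconing host and one mail server doing SPF lookups."""
    base, hexchars, lines = datetime(2017, 3, 10, 9, 0, 0), "0123456789abcdef", []
    # Beacon: ten TXT queries about a minute apart, each with a fresh 16-char label (rotations
    # of the hex alphabet stand in for encoded C2 data; beacon.example is a placeholder zone).
    for i, off in enumerate([0, 58, 121, 179, 242, 299, 361, 419, 482, 540]):
        ts = (base + timedelta(seconds=off)).strftime("%Y-%m-%dT%H:%M:%SZ")
        lines.append(f"{ts} client=10.0.0.5 qtype=TXT qname={hexchars[i:] + hexchars[:i]}.beacon.example")
    # Mail server: the same SPF record fetched every five minutes, a benign TXT pattern.
    for i in range(10):
        ts = (base + timedelta(minutes=5 * i)).strftime("%Y-%m-%dT%H:%M:%SZ")
        lines.append(f"{ts} client=10.0.0.9 qtype=TXT qname=example.com")
    return lines

SAMPLE_LOG = _sample_lines()
```

Run it over your resolver’s query log for the same (client, zone) grouping; a real deployment would swap the two-label zone guess for a public suffix list and alert on the suspicious entries.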

While FireEye says they have not yet determined the objective of FIN7 in this current campaign, I think it’s safe to say they are in it for the money.

Sources: https://www.fireeye.com/blog/threat-research/2017/03/fin7_spear_phishing.html

New Apache Struts 0Day Exploit

(March 8, 2017) Cisco’s Talos group has identified attacks against a 0Day vulnerability in Apache Struts, a popular Java application framework. An advisory was issued Monday stating that the problem exists in the Jakarta Multipart parser: an attacker could achieve remote code execution (RCE) with a malicious Content-Type header value. Users were advised to upgrade or switch to a different implementation of the parser. Numerous attacks appeared to be taking advantage of a publicly released proof of concept to run assorted commands. Struts was previously compromised by Chinese hackers in 2014, who exploited known vulnerabilities to install a backdoor. Message here: keep patches current.

Source: http://www.csoonline.com/article/3178744/security/cisco-and-apache-issue-warnings-over-zero-day-flaw-being-targeted-in-the-wild.html#tk.twt_cso