Necurs Botnet + DDoS

https://www.linkedin.com/hp/update/6240979895925768192

Just adding this here as a heads up to keep watch over. Necurs has built itself out as a lucrative vehicle to deliver Locky ransomware and Dridex banking malware, along with an effective spam campaign.

What is interesting is that DDoS destroys the bots in the army, which would not serve the interests of those running Necurs. We know that cybercrime really is an ideal model of business efficiency. 

Nonetheless, we need to keep watch over Necurs, and be aware of all its capabilities. Cuz pivots happen. Fast. And this year my prediction is we are going to see banking malware do what ransomware did last year.

Ransomware Updates

We’ve got some new stuff out there. First, for those who torrent, be careful. If you torrent on a Mac, be very careful. For the second time, ransomware has been designed for the Mac OS. In this case, “Patcher” is poor-quality, shoddy code, to the extent that if the victim pays the ransom, they don’t get their files back because the code doesn’t work. It’s being dropped via fake copies of Adobe Premiere Pro and Microsoft Office for Mac.

Second, if Google is telling you “HoeflerText not found”, don’t think you need to install that font. It’s a ploy on certain compromised websites to drop Spora ransomware, and very few AV or anti-malware programs can detect this one.

But if you play it safe and do as Google says, click Discard and don’t download, you’ll avoid the ransomware.

If you want to know more, I’ve got a Ransomware page.

And I saved the best for last. This amazing map from F-Secure shows the timeline of ransomware. You can see the explosion that took place in 2016.

[Image: F-Secure ransomware timeline map]

https://www.f-secure.com/documents/996508/1030743/cyber-security-report-2017


How to Give a Talk in InfoSec

We all needed this page at one point. Or more. I know I did and thank you to the people in our community who had stuff like this for me to find. My turn to pay it forward 😊

“Do that thing which scares you”

I know. It seems so difficult. Feels so scary. But the best advice I can give you as you start out is this: give a talk. And CFP, or Call for Presentations, season is now in full swing, meaning deadlines and due dates need to be tracked. Deadlines can be 5 months before the conference takes place. Don’t let this opportunity pass you by.

You may be able to start small, with a local meetup group. Someplace you feel comfortable, where you can talk for 20 minutes or more, on something you are excited to share and would love to explain.

Why talk? Why not just write or post? Well, a talk is more than just words on a screen. We get to see and hear your passion, which elevates your concept to another level. And we get to see – you! In a community of introverts, facetime is powerful. We love to learn by watching videos of talks given. Like yours. The other plus is that you get to attend a Con, which if you have read any of my posts, is both incentive and reward.

Where to even begin? Here. So relax and just start by reading to see what it is all about. There are people to reach out to in our community if you want to do this, like me. I am happy to be of help. @3ncr1pt3d on twitter :).

Watch the videos of past presenters from where you want to speak, or of those who talk about what you want to talk about. Know what has already been covered so you can bring something new, or get a sense of what is trending. Plus, you can see how people deliver a talk, how slide decks are put together, what humour works. An incredible resource is this site: http://www.irongeek.com. Adrian Crenshaw records talks at so many conferences. You’ll find whatever you need there.

Here are some terrific online resources to guide you:

https://thesweetkat.com/blog/ – Kat Sweet has both given talks and evaluated them. Trust her. She is friendly, so smart, and very good at talks. A great starting place.
https://danielmiessler.com/blog/build-successful-infosec-career/#cfp – What you need to know about putting together a good talk. It starts with an idea that develops far beyond words on a page. You want to make sure you know about format, deadlines, requirements etc.
https://defcon.org/html/links/dc-speakerscorner.html#nikita-cfp – Now you are ready to hear the hard truth. Let’s make that paper stand out in a sea of submissions. You can be among the chosen, but only if you make your talk worthy.

https://www.helpnetsecurity.com/2016/03/30/how-to-get-your-talk-accepted-at-black-hat/ – And then there is Black Hat. Why not aim high? Here are some suggestions to help you get noticed, from one of the top-tier conferences and from Stefano Zanero, attendee and reviewer.

Is this your first time? Don’t be shy. We all had a first talk. And BSidesLV offers Proving Ground, a fantastic program at the start of their CFP phase to invite new speakers and pair them with a mentor. I know. That is how I started and it was amazing. Even better are the relationships you build here which carry forward, along with the learning. Because InfoSec is a community and our strength is in our people. Take a look here: https://bsideslv.org

Okay. Pep talk. You are good enough, smart enough and one of us. We want to hear what you have to say and we are willing to help you do it. Go for it!

You can find this under Learning

Recent Polish Bank Attacks. Where There’s Smoke …

Last week I tracked a story about attacks on Polish banks. What was interesting was that attackers came for the data, not the money. As well, the attack itself was described as sophisticated. Those reporting the story were concerned, and remarked that this was one of the most serious cyber attacks on banks Poland had suffered.

We know that cybercrime is actually one of the most efficient business models there is. The attackers have refined their tactics and techniques to maximize gain and minimize effort. Sophisticated attacks involve time, money and effort – usually the purview of nation-states, and the realm of APTs or Advanced Persistent Threats, like Stuxnet.

In this case, several Polish banks reported that they noticed unusual network activity, like traffic to “exotic” locations and encrypted executables that nobody knew of, and unauthorised files on key machines in the network. Further investigation confirmed malware infections. The attack was not a quick hit and run but sophisticated, gaining control over critical servers in the banks’ infrastructure:

“the malware used in this attack has not been documented before. It uses some commercial packers and multiple obfuscation methods, has multiple stages, relies on encryption and at the moment of initial analysis was not recognised by available AV solutions.  The final payload has the functionality of a regular RAT”

As of last Thursday, when I shared what I found, there was a suspicion that the infection stemmed from a tampered JS file on the web server of the Polish financial sector regulatory body. Today, it was confirmed. The site of the regulator for Polish banks was indeed contaminated with malware by some foreign source. The malware was responsible for data exfiltration, reconnaissance, and other undesirable activities. This is why we need to be paying close attention to what comes next:

This particular malware appears to be a new strain of nasty software which has never been seen before in live attacks and has a zero detection rate on VirusTotal.

There is no confirmation as to who is responsible, or what data was taken. One year ago, Polish banks were hit by GozNym in a series of targeted attacks. While this isn’t GozNym, we should be looking for patterns and ties. This serves as a major heads-up. What are we seeing? Where aren’t we looking?

https://badcyber.com/several-polish-banks-hacked-information-stolen-by-unknown-attackers/

http://thehackernews.com/2017/02/bank-hacking-malware.html


Update: Zeus Sphinx Trojan is back

Exploit. Angler. Nuclear. Doesn’t matter what they’re called, they always deliver. We should be prepared for the fact that these die down, then reappear with renewed code and vigor. Here’s a current representation of strains, and to that we add Zeus Sphinx.

[Image: current malware families]

As banking malware goes, Sphinx “combined elaborate fraud tactics to steal credentials and one-time passwords”. Sphinx was originally identified in 2015, but the Brazilian variant appeared hot on the heels of Zeus Panda in Aug 2016, attacking Brazilian banks, specifically the online banking and Boleto payment systems (Boleto fraud is highly lucrative and deserves its own post). That this occurred at the same time as the Olympics is no coincidence. Activity died down until recently. IBM X-Force has identified new, targeted attacks against online users of banks, and especially credit unions, in Canada and Australia. In an article by malware hunter Limor Kessem, these are described as “low-volume testing, not full-blown infection campaigns. The malware’s operators appear to be looking very carefully to determine which geographies offer the paths of least resistance.” According to X-Force, the attackers are using the same attack servers that facilitated the Zeus Citadel and Ramnit attacks in 2016. As well, the webinjections share similar code patterns with other banking Trojans. Sphinx uses two distribution methods: email loaded with a malicious VBA loader, and malvertising.

[Image: Zeus Sphinx targets in Canada]

Note how credit unions are the major target, as they apparently are low-hanging fruit from a security standpoint. For Australia, the mix is 40 major banks, credit unions and payment providers. NOTE: this also targets some US banks.

[Image: Zeus Sphinx targets in Australia]

Per the X-Force Exchange site:

Zeus Sphinx is used for the theft of online banking authentication elements such as user credentials, cookies and certificates. These elements are subsequently used by fraudsters in illicit online transactions typically performed from the user’s own device. Connection to the endpoint is facilitated via backconnect hidden virtual network computing (VNC), which means the infected endpoint will initiate a remote-access connection to the criminal’s endpoint. This feature allows the attacker to gain user-grade access to the device even through firewall protection.

https://securityintelligence.com/around-the-world-with-zeus-sphinx-from-canada-to-australia-and-back/

https://securityintelligence.com/brazil-cant-catch-a-break-after-panda-comes-the-sphinx/

Catch of the Day

Here’s my catch of the day for you: Wednesday Jan 25 2017

Microsoft Closes Security Hole in Mac OS X Remote Desktop App: Microsoft has fixed a serious vulnerability affecting users on Mac OS X. As reported, “The Microsoft remote desktop client for Mac OSx allowed a malicious terminal server to read and write any file in the home directory of the connecting user”. Essentially an attacker could trick users into opening a malicious rdp URL, and then access the user’s home directory. The clincher is that Mac OS X apps, e.g. Safari, Mail and Messages, open clicked rdp URLs by default. No questions asked. And we really, really need that “Mother may I?” here. That means phishing attacks are far more successful. http://www.theregister.co.uk/2017/01/24/microsoft_fixes_remote_desktop_app_mac_hack/

Lloyd’s Bank hit by DDoS Attack: On January 11th, the venerable Lloyd’s Bank of London was struck by a DDoS attack that lasted until Friday January 13th. Attackers tried to crash the Lloyd’s site, causing issues for customers and impacting some access to online banking. The bank did not lose money, nor data, nor was the impact significant. Law enforcement is investigating. We know there are more to come. Banks & DDoS hmmm
http://news.softpedia.com/news/lloyds-bank-hit-with-ddos-attack-for-three-days-straight-reasons-yet-unknown-512114.shtml

What’s New Yahoo?: From our “This should come as no surprise” department. Yahoo has announced its forthcoming sale will be delayed – awww – and completed in the second quarter of this year, not the first. After the two mega breaches which were reported in the last half of 2016, public confidence dropped. While that is as it should be, it is interesting that although search revenue fell slightly, revenue in other sectors grew and the company reported a $162 million profit. http://www.bbc.com/news/business-38725812

Benevolent Hackers Warn Users of Cassandra Databases: If you are following the crazy number of ransomware attacks on databases, then you know it ain’t just Mongo. Cassandra users are being alerted via an empty table named “your_db_is_not_secure”. And if you ask Shodan, over 2600 of these databases are open and unsecured. Some good folks are hard at work tracking and reporting details, like @0xDUDE and @DunningKrugerEffect.

Catch of the Day

Here’s my catch of the day for you: Monday Jan 23 2017

Massive Twitter Botnet Discovered: We know this can’t be good. Two researchers have found a huge but dormant Twitter botnet of 350,000 bots. Active, this could spread spam or malicious links, or be used to spread – gasp – fake news. The researchers claim to have found an even larger botnet of over 500K. Just think of the Mirai botnet and the outages along the eastern seaboard. While details on that are not being released just yet, the Twitter botnet was apparently created in 2013 and stayed hidden until recently. The content consists of harmless quotes from Star Wars and no URLs are involved. The users attached to the bots seem believably human and unaggressive. The researchers are encouraging people to research these bots, and have created two Twitter accounts to report bots: @thatisabot and @website. https://threatpost.com/massive-twitter-botnet-dormant-since-2013/123246/

Locky Ransomware – Awaken the Kraken?: 2016 started with a ransomware bang and ended with a botnet boom. The pairing of ransomware and botnets should make anyone nervous. And the minds at Cisco are warning that we should expect a massive spam campaign with a return of the near-dormant Locky ransomware. Locky was spread via the Necurs botnet, which had 500K devices under its control to deliver spam containing the unbreakable Locky payload. Researchers are seeing a subtle increase in attacks via Necurs and Locky this month. It is possible attackers are exercising caution rather than risk getting caught. I say batten down those hatches. http://www.theregister.co.uk/2017/01/20/locky_ransomware_horrorshow_returns/

How to Secure Your Bank – in 3 Easy Steps!: OK. It’s not that easy. But these are good principles for any organization to follow, including banks. After last year’s massive financial attacks and heists, and the return of Carbanak, financial organizations need to get their houses in order to face the year ahead. And it isn’t just the gold or currency that holds value in the vault. It’s all. That. Data. Those mainframes are no longer as segregated as they once were. And banks are more at risk of Advanced Persistent Threats and targeted attacks. Recommendations are to train everyone on security practices and awareness. Then, make sure controls are in place and that people are aware of them. Finally, make sure that all outside parties, or trusted partners, understand and adhere to these rules to maximize security. http://www.networkworld.com/article/3157555/security/new-game-new-rules-3-steps-to-secure-your-bank-in-the-digital-age.html#tk.twt_nww

Catch of the Day


Here’s my catch of the day for you: Friday Jan 6 2017

There’s a New APT in town: BaneChant, or “MM Core,” was discovered in April 2013 by FireEye researchers, who then noticed some of its interesting features. The Trojan was designed to collect information about the infected computer and set up a backdoor for remote access. New versions have been identified recently in the Middle East, Asia, Africa and the US. Targets are media, government, telecommunications and energy. Key notes: this malware evades sandboxing by detecting mouse clicks. As well, it uses a shortened URL to avoid blacklisting. To be expected, it has shared certificates, likely stolen. According to Forcepoint’s Nicholas Griffin, “Ultimately this suggests that MM Core may be a part of a larger operation that is yet to be fully uncovered”. What’s also interesting – the name Bane comes from, yes, Bane from Batman, because of where the URL is supposedly tied to. Per FireEye, the malware attempts to:

  1. Evade sandbox by detecting human behaviors (multiple mouse clicks);
  2. Evade network binary extraction technology by performing multi-byte XOR encryption on executable file;
  3. Social engineer user into thinking that the malware is legitimate;
  4. Avoid forensic and incidence response by using fileless malicious codes; and
  5. Prevent automated domain blacklisting by using redirection via URL shortening and Dynamic DNS services.

https://www.fireeye.com/blog/threat-research/2013/04/trojan-apt-banechant-in-memory-trojan-that-observes-for-multiple-mouse-clicks.html

http://www.securityweek.com/new-mm-core-apt-malware-targets-united-states
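Point 2 in that list is what defeats naive network carving: once the executable is XORed with a multi-byte key, the bytes on the wire no longer start with “MZ” or contain the DOS stub string a sensor looks for. The following is an added example, not code from FireEye or SecurityWeek, showing how an analyst recovers the repeating key from a captured blob using those two known-plaintext strings; the sample executable bytes and the key are constructed here.

```python
# Added example: recover a repeating multi-byte XOR key from an XOR-encoded
# Windows executable using known plaintext (the "MZ" signature and the DOS
# stub string). The sample "executable" and the key below are constructed.

DOS_STUB = b"This program cannot be run in DOS mode"


def xor_with_key(data: bytes, key: bytes, start: int = 0) -> bytes:
    """XOR `data` with a repeating `key`; data[0] sits at stream offset `start`."""
    klen = len(key)
    return bytes(b ^ key[(start + i) % klen] for i, b in enumerate(data))


def looks_like_pe(blob: bytes) -> bool:
    """The naive test a carving tool applies: MZ signature plus DOS stub text."""
    return blob[:2] == b"MZ" and DOS_STUB in blob


def recover_xor_key(blob: bytes, max_key_len: int = 16, crib: bytes = DOS_STUB):
    """Return (key, decoded) for the shortest repeating key that maps `crib` onto
    some window of `blob` and makes the decoded stream begin with "MZ".
    Returns (None, None) if no consistent key is found."""
    for klen in range(1, max_key_len + 1):
        for off in range(len(blob) - len(crib) + 1):
            key = [None] * klen
            consistent = True
            for i, plain in enumerate(crib):
                pos = (off + i) % klen      # key index is tied to the absolute offset
                kbyte = blob[off + i] ^ plain
                if key[pos] is None:
                    key[pos] = kbyte
                elif key[pos] != kbyte:     # crib contradicts an earlier key byte
                    consistent = False
                    break
            if not consistent or any(k is None for k in key):
                continue
            candidate = bytes(key)
            decoded = xor_with_key(blob, candidate)
            if decoded[:2] == b"MZ":        # second known-plaintext check
                return candidate, decoded
    return None, None


# Constructed stand-in for a PE file: DOS header, 16-bit stub code, stub text,
# then filler bytes (not a real program).
SAMPLE_PE = (
    b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 52 + b"\x80\x00\x00\x00"
    + b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"
    + DOS_STUB + b".\r\r\n$\x00\x00\x00" + bytes(range(256)) * 2
)
SAMPLE_KEY = b"\x4b\x33\x79\xa1\x0c"            # constructed 5-byte key
ENCODED = xor_with_key(SAMPLE_PE, SAMPLE_KEY)   # what a sensor sees on the wire

if __name__ == "__main__":
    print("carver sees a PE on the wire:", looks_like_pe(ENCODED))
    key, decoded = recover_xor_key(ENCODED)
    print("recovered key:", key.hex(), "decoded is PE:", looks_like_pe(decoded))
```

The same search works against a real capture as long as the encoded file keeps its DOS stub; a packer that strips or rewrites the stub needs a different crib.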

FireCrypt Ransomware: Would you like a side of DDoS with that? This is another recent discovery as ransomware continues to evolve. This variant launches a DDoS attack against a URL hardcoded in the source code by continuously connecting to the URL and downloading junk from it to fill up the machine’s %Temp% folder. Features: this code can be disguised under PDF or DOC icons; attackers can slightly modify the binary for a different hash; this can create polymorphic malware that evades AV. Note that this is very similar to the “deadly with a good purpose” ransomware released in Oct 2016. The opinion is that this is that variety just rebranded. DDoS activities appear to currently target Pakistan’s Telco Authority. However, the attack is relatively ineffective in this configuration, as DDoS requires massive mobilization.

http://www.securityweek.com/firecrypt-ransomware-packs-ddos-code

Ransomware on Android Smart TVs: You can’t change the channel

This is not the added feature you were looking for. Ransomware has been on Android phones for a few years, so this is the extension, and was discovered a year ago in the wild. This Christmas, it was reported when someone downloaded ransomware with a movie-watching app on a three-year-old TV. And the screen locker does not work the same on TVs as it does on phones and computers, so any attempt to click and comply to free the screen doesn’t work. In this story, LG was able to give the victim a solution that worked, and the ransomware was only a screen locker, not a file encrypter. But smart TVs have USB ports so folks can load pics and personally valuable files. These can become infected through that connection.

http://www.networkworld.com/article/3154161/security/ransomware-on-smart-tvs-is-here-and-removing-it-can-be-a-pain.html

FTC files suit against D-Link – Strike 1 IoT:  There has been much talk about trying to regulate the lack of security released with the ever-growing Internet of Things. Now, we may have a precedent. The US FTC has filed a lawsuit against well-known manufacturer D-Link, whose SOHO devices are in many homes. The charge is that D-Link put “thousands of customers at risk of unauthorized access by failing to secure its IP cameras and routers”. And there have been plenty of security issues written up for their products. The suit claims the company “repeatedly have failed to take reasonable software testing and remediation measures to protect their routers and IP cameras against well-known and easily preventable software security flaws”.

http://www.zdnet.com/article/ftc-files-lawsuit-against-d-link-for-router-and-camera-security-flaws/

It’s Here …

The Evolution of Wiper Malware into Ransomware

All eyes should be on the Ukraine for more reasons than one. ESET believes that BlackEnergy, the group responsible for attacks against the energy sector in the Ukraine, has morphed into TeleBots, and is responsible for a series of attacks against “high value targets” in the financial sector in the Ukraine. The group utilized backdoor trojans and malicious emails. The TeleBots malware is distinctive “because it uses the Telegram protocol to communicate with its operators”. The attackers rendered computers unbootable and hid their tracks using KillDisk to delete critical system files, replace files, and rewrite file extensions. The ESET article offers a very detailed and comprehensive analysis with IOCs, file extensions etc. which I won’t copy over here but highly recommend you look at.

According to Tripwire, “TeleBots is also an evolution of Sandworm, a Russian espionage gang which exploited CVE-2014-4114 to attack NATO and other Western organizations in 2014 and used KillDisk against several Ukrainian power companies in December 2015.” This includes ICS targets in the US in 2014.


And it gets better. Guess what they’re using? KillDisk wiper malware. Because wiper malware means never having to say you’re sorry. But wait – there’s more. It appears TeleBots has helped KillDisk evolve from wiper malware into ransomware, according to researchers with CyberX, a security firm specializing in ICS/SCADA. We can expect lucrative extortion attacks against industries, because those are systems that cannot easily be secured or defended. Per Catalin Cimpanu of Bleeping Computer, “KillDisk’s ransomware component makes it easier for the gang to hide its tricks. It also means the group can extort industrial organizations, targets which can’t afford to not access their data or shut down their networks to scrub them of malware.”

The ransoms asked are roughly $215,000. Never mind what comes next. Buckle up guys, we’re in for a rough ride.

http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/

https://www.tripwire.com/state-of-security/latest-security-news/killdisk-wiper-malware-evolves-ransomware/

https://www.bleepingcomputer.com/news/security/killdisk-disk-wiping-malware-adds-ransomware-component/