We Live Security

Articles from We Live Security Magazine

Remote access flaws found in popular routers, NAS devices

Source: We Live Security Magazine On:


In almost all tested units, the researchers achieved their goal of obtaining remote root-level access

Security researchers have uncovered a total of 125 security flaws across 13 small office/home office (SOHO) routers and network-attached storage (NAS) devices that may leave them vulnerable to remote attacks.

The devices ranged from units intended for the general public to high-end enterprise-grade devices, according to the research conducted by a US-based company called Independent Security Evaluators (ISE). The researchers focused primarily on devices from well-known and reputable vendors, meaning that the problem may ultimately affect millions of units. (The list of devices and additional details are available in ISE’s report.)

“Today, we show that security controls put in place by device manufacturers are insufficient against attacks carried out by remote adversaries,” reads the study. All devices had been updated to the then-latest firmware and were tested in their out-of-the-box configurations.

Each of the 13 devices was found to contain at least one web application vulnerability such as cross-site scripting, operating system command injection or SQL injection that could be leveraged by an attacker to get remote access to the device’s shell or admin panel. Once compromised, the device may be used as a stepping stone for further attacks inside a home or enterprise network.

Other common flaws included authentication and authorization bypasses. In 12 devices, the researchers reached their goal of obtaining remote root-level access. Six units could be remotely exploited without authentication.

ISE reported the vulnerabilities to the affected vendors and praised most of them for getting to work promptly in order to mitigate the issues. (Whether any security updates are eventually installed is another matter, however, as consumers often don’t give much thought to updating their routers and are often not aware of the vulnerabilities therein.) Worryingly, some vendors failed to respond to the reports entirely.

The project, called SOHOpelessly Broken 2.0, built on the company’s research in 2013, which also involved a look under the hood of 13 routers and NAS devices and resulted in the discovery of 52 security holes. As seen from the new study, things don’t appear to have improved over the years.

For more on router security specifically, please refer to some of our previous articles:

How to secure your router to prevent IoT threats?
New Year’s resolutions: Routing done right
Five ways to check if your router is configured securely
Router reboot: How to, why to, and what not to do

18 Sep 2019 – 06:38PM

Nearly all of Ecuador’s citizens caught up in data leak


The humongous collection of extensive personal details about millions of people could be a gold mine for scam artists

Almost every single citizen of Ecuador, a country of some 16.6 million people, is believed to have been affected by a new massive data leak, reads a report from vpnMentor.

Two weeks ago, the firm discovered a misconfigured Elasticsearch server that was packed with personal data on most of Ecuador’s citizens, including children. The server – which is hosted in Miami but is believed to be owned by an Ecuadorean consulting company called Novaestrat – was left unsecured for an unknown period of time.

The cache of data weighed in at 18 gigabytes and comprised various personal details, including full names, dates of birth, addresses, phone numbers, ID numbers, family information, financial details, and car registration numbers. As many as 20 million individuals may be impacted, said the researchers, although this count includes duplicate records and records for deceased people.

The leak was eventually plugged on September 11th, but only after Ecuador’s Computer Emergency Response Team (EcuCERT) stepped in. Per ZDNet, which got the scoop on and examined the leak, Novaestrat initially took no action to secure it.

Meanwhile, Ecuador’s telecommunications ministry said (in Spanish) that Novaestrat had obtained the data in an illegal manner. In fact, the country’s interior minister María Paula Romo announced that the firm’s managing director, identified as William Roberto G., had been detained on Monday.

The information apparently originates from Ecuadorean government sources, as well as from a local automotive association called AEADE and a state-owned bank known as BIESS.

It’s unclear whether or not the unsecured database was accessed by bad actors before being spotted by the researchers. The personal details could be immensely useful for all manner of scammers, who could leverage them for convincing and highly targeted social engineering campaigns.

Data exposures caused by leaky servers are certainly not uncommon, but this security and privacy lapse is notable for its sheer breadth and depth. In fact, it may bring echoes of an incident in Chile from just weeks ago that had the personal data of 80% of the country’s population exposed in another ‘nationwide leak’, also courtesy of an unsecured Elasticsearch cluster.

Meanwhile, a data breach at credit bureau Equifax two years ago saw hackers steal extensive personal data on half the US population, as well as hundreds of thousands of Canadians and Brits. In Bulgaria, bad actors recently breached the country’s tax agency and made off with personal data on almost all of the country’s taxpayers.

17 Sep 2019 – 04:33PM

A vulnerability in Instagram exposes personal information of users


The bug, which has already been fixed by Facebook, allowed access to private user information that could be abused by malicious actors.

A security flaw in Instagram that allowed an attacker to access account information, such as users’ full phone numbers and real names, has been found. Facebook, which confirmed the existence of the vulnerability, has already fixed the flaw.

The bug was discovered in August by the researcher @ZHacker13. According to the social network itself, exploiting the bug could have allowed a malicious actor to associate phone numbers with user details and abuse that information, which posed a risk to users. An attacker would have needed nothing more than to link these two pieces of data to affect a user.

Coincidentally, in early September, a misconfigured database was discovered containing the phone numbers and usernames of 419 million Facebook users from around the world. And about a week ago, researcher ZHacker13 explained to Forbes journalist Zak Doffman that he had detected a vulnerability in Instagram that evaded the platform’s security mechanisms and would allow the compilation of a database similar to the one recently discovered: a long list of phone numbers, user IDs, usernames and real names that a malicious actor could abuse.

The researcher explained to the media that an attacker could take advantage of this security hole and evade the mechanisms that protect this data by using an army of bots and enough processing power to build an accessible, attackable database of users.

The problem lay in the platform’s contact importer which, when combined with a brute-force attack on its login form, exposed the vulnerability, the article explains. According to a Facebook spokesman, the company modified Instagram’s contact importer to prevent any abuse of the bug.

To convey the magnitude of the finding, the researcher shared with the journalist details of how the vulnerability could be exploited and asserted that, with sufficient processing power, it would be possible to build a database of phone numbers and other data on millions of Instagram users.

The journalist, in turn, shared the information with ESET researcher Lukas Stefanko, who validated the explanation and confirmed that it was possible.

Initially, Facebook told the researcher that, while the vulnerability was serious, the company was already aware of the bug and would not reward it under its bug bounty program. The social network later reversed course and will eventually reward @ZHacker13 for reporting the bug.

12 Sep 2019 – 11:31PM

Selfies for kids – A guide for parents


Are you – and especially your children – aware of the risks that may come with sharing selfies?

Social media sites are brimming with instant self-portraits, and children and teens are especially adept at taking and sharing images of themselves online. But it can be just as safely assumed that tweens and teens, and not only them, are far less aware of the risks that profuse and thoughtless sharing of selfies and group selfies can entail.

Here’s what you need to know, and teach your kids, before they hold their smartphone at arm’s length (or enlist the help of a selfie stick) and share a photo with the online world. In fact, remember that even sending a picture privately may result in unintended consequences, as once it’s shared, you have no control over what happens to it.

Tech-savvy cybercriminals can glean enough information from a photo, and your child or their pals needn’t even make any revealing comments after the image goes public.

For one thing, if the phone has geolocation (geotagging) enabled, your child may be giving away his or her whereabouts: the camera writes the current GPS coordinates into the photo’s metadata (the Exif block inside the image file), and that metadata travels with the file unless the app or service strips it before sharing. Combined with other seemingly innocuous details from the image or the child’s social media profile, this can be misused by thieves, sexual predators and other ill-intentioned individuals.

Also, even if geolocation is disabled, small details in the background, such as street names or landmarks, may reveal sensitive information about your child’s – and your entire family’s – location or other sensitive things such as precious belongings. This can put all of you in physical danger in the real world.
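As a worked illustration of the geotag problem (added here; it is not code from the original article), the following Python script shows what that metadata looks like, how to check a JPEG for it, and how to remove it before a photo is shared. It builds a minimal JPEG skeleton with a constructed Exif GPS block (no real photo), parses the GPS IFD back into decimal coordinates, and writes a copy with the whole Exif segment removed. On a real photo you would pass the file’s bytes to extract_gps and strip_exif; the fixture, the function names and the 40.5 / -74.0 coordinates are assumptions made for the demonstration.

```python
import struct

EXIF_HEADER = b"Exif\x00\x00"
TAG_GPS_IFD = 0x8825                     # IFD0 entry pointing at the GPS IFD
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004


def _iter_segments(jpeg):
    """Yield (marker, offset, payload) for each header segment before the scan data."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 2 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("corrupt marker at offset %d" % pos)
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):       # EOI or SOS: metadata segments are over
            return
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        yield marker, pos, jpeg[pos + 4:pos + 2 + length]
        pos += 2 + length


def _read_ifd(tiff, offset, endian):
    """Yield (tag, type, count, raw 4 value/offset bytes) for each entry of one IFD."""
    (count,) = struct.unpack(endian + "H", tiff[offset:offset + 2])
    for n in range(count):
        entry = offset + 2 + 12 * n
        tag, typ, cnt = struct.unpack(endian + "HHI", tiff[entry:entry + 8])
        yield tag, typ, cnt, tiff[entry + 8:entry + 12]


def _dms_to_decimal(tiff, endian, raw):
    """GPSLatitude/GPSLongitude: three RATIONALs (deg, min, sec) at the stored offset."""
    (off,) = struct.unpack(endian + "I", raw)
    r = struct.unpack(endian + "6I", tiff[off:off + 24])
    return r[0] / r[1] + (r[2] / r[3]) / 60 + (r[4] / r[5]) / 3600


def extract_gps(jpeg):
    """Return (lat, lon) in decimal degrees from the Exif GPS IFD, or None if absent."""
    for marker, _, payload in _iter_segments(jpeg):
        if marker != 0xE1 or not payload.startswith(EXIF_HEADER):
            continue                     # APP1 is also used for XMP; only Exif matters here
        tiff = payload[len(EXIF_HEADER):]
        endian = "<" if tiff[:2] == b"II" else ">"
        (ifd0,) = struct.unpack(endian + "I", tiff[4:8])
        gps_ifd = None
        for tag, _, _, raw in _read_ifd(tiff, ifd0, endian):
            if tag == TAG_GPS_IFD:
                (gps_ifd,) = struct.unpack(endian + "I", raw)
        if gps_ifd is None:
            return None
        gps = {tag: raw for tag, _, _, raw in _read_ifd(tiff, gps_ifd, endian)}
        if not all(t in gps for t in (GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON)):
            return None
        lat = _dms_to_decimal(tiff, endian, gps[GPS_LAT])
        lon = _dms_to_decimal(tiff, endian, gps[GPS_LON])
        return (-lat if gps[GPS_LAT_REF][:1] == b"S" else lat,
                -lon if gps[GPS_LON_REF][:1] == b"W" else lon)
    return None


def strip_exif(jpeg):
    """Copy the JPEG without its Exif APP1 segment (GPS and every other Exif field)."""
    out = bytearray(jpeg[:2])
    tail = 2
    for marker, pos, payload in _iter_segments(jpeg):
        end = pos + 4 + len(payload)
        tail = end
        if not (marker == 0xE1 and payload.startswith(EXIF_HEADER)):
            out += jpeg[pos:end]
    out += jpeg[tail:]                   # scan data and EOI are copied unchanged
    return bytes(out)


def build_sample_jpeg(lat_dms, lat_ref, lon_dms, lon_ref):
    """Constructed fixture: SOI + Exif APP1 carrying only a GPS IFD + EOI (no image data)."""
    e = "<"                              # little-endian ("II") TIFF header
    entry = lambda tag, typ, cnt, val4: struct.pack(e + "HHI", tag, typ, cnt) + val4
    rationals = lambda dms: b"".join(struct.pack(e + "II", n, d) for n, d in dms)
    ifd0, gps = 8, 8 + 2 + 12 + 4        # IFD0 holds one entry; the GPS IFD follows it
    lat_off = gps + 2 + 4 * 12 + 4       # four GPS entries, then the rational data
    lon_off = lat_off + 24
    tiff = b"II" + struct.pack(e + "HI", 42, ifd0)
    tiff += struct.pack(e + "H", 1) + entry(TAG_GPS_IFD, 4, 1, struct.pack(e + "I", gps))
    tiff += struct.pack(e + "I", 0)
    tiff += struct.pack(e + "H", 4)
    tiff += entry(GPS_LAT_REF, 2, 2, lat_ref.encode() + b"\x00\x00\x00")
    tiff += entry(GPS_LAT, 5, 3, struct.pack(e + "I", lat_off))
    tiff += entry(GPS_LON_REF, 2, 2, lon_ref.encode() + b"\x00\x00\x00")
    tiff += entry(GPS_LON, 5, 3, struct.pack(e + "I", lon_off))
    tiff += struct.pack(e + "I", 0) + rationals(lat_dms) + rationals(lon_dms)
    app1 = EXIF_HEADER + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"
```

Most large social networks strip Exif on upload, but messaging apps, e-mail attachments and direct file transfers often do not, so the safe habit is to run something like strip_exif over the file before sending it and confirm with extract_gps that nothing is left.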

There are also hazards, such as cyberbullying, that may unfold within the confines of the online world, but with effects that can be far too palpable. A child who appears in an image in a potentially embarrassing pose or situation – without necessarily posting it online themselves – can become a target for (cyber)bullies at school and around the world. Being the subject of public mockery can be devastating not only for the target’s online persona.

In fact, selfies can haunt a person years after they were posted and when their subjects are ready to fend for themselves. The internet doesn’t forget and, if worst comes to worst, an ill-considered selfie can stand in the way of a person’s admission to college, application for a scholarship, or landing a dream job. Many employers openly admit to getting the scoop on their applicants’ online presence, and an unflattering image from a booze-soaked party may not help advance one’s education or career.

So, what are some easy ways to help instill safe selfie habits in your kids?

Get involved

The single most important thing is to be involved, although this doesn’t (necessarily) mean putting your foot down. Instead, explain to your children why privacy matters and help them set up privacy settings safely throughout their social media profiles, and review the settings on a regular basis.

When it comes to selfies, show your children how to go over the images with a fine-toothed comb so they can find the smallest sensitive details that bad actors could use. Perhaps you could even make this a game – who can detect the most clues? Teach them about the risks of the internet and especially of social media sharing, ensuring that they’re aware of the kinds of situations that may put them and others at risk.

Walk the talk

The “Do as I say, not as I do!” admonition is unlikely to work. Let’s face it: Words alone may not bring the desired outcome unless they’re supported by actions. Since children are more likely to do what their elders do rather than what they say, you will need to become a role model.

In other words, if you can’t resist the urge to post portraits of yourself and your family or friends, you cannot expect your children to behave differently. Naturally, the same goes for excessive sharing of personal information on social sites. Lead by example.

Trust but verify

At the end of the day, it’s important to have an understanding of what kids are up to online. There are dedicated and reputable apps that give you some control over children’s devices and their online activities, so that you can help them stay away from trouble. In a nutshell, parental control features can filter and block age-inappropriate content, restrict what kind of information is shared, and keep tabs on kids’ screen time. They can also keep activity logs, giving you an insight into what kind of online content your children have accessed.

At any rate, remember to stay engaged with your kids and keep all lines of communication open. Just like in other areas of life, education and communication are vital to preventing trouble.

To learn more about dangers faced by children online as well as about how not only technology can help, head over to https://saferkidsonline.eset.com.

11 Sep 2019 – 11:30AM

ESET discovered an undocumented backdoor used by the infamous Stealth Falcon group


ESET researchers discovered a backdoor linked to malware used by the Stealth Falcon group, an operator of targeted spyware attacks against journalists, activists and dissidents in the Middle East

Stealth Falcon is a threat group, active since 2012, that targets political activists and journalists in the Middle East. It has been tracked by the Citizen Lab, a non-profit organization focusing on security and human rights, which published an analysis of a particular cyberattack in 2016. In January of 2019, Reuters published an investigative report into Project Raven, an initiative allegedly employing former NSA operatives and aiming at the same types of targets as Stealth Falcon.

Based on these two reports referring to the same targets and attacks, Amnesty International’s Senior Technologist, Claudio Guarnieri, has concluded that Stealth Falcon and Project Raven actually are the same group.

Figure 1.  Claudio Guarnieri has connected Stealth Falcon with Project Raven

Some technical information about Stealth Falcon has already been made public – notably, in the already mentioned analysis by the Citizen Lab.

The key component in the attack documented in the Citizen Lab report was a PowerShell-based backdoor, delivered via a weaponized document that was included in a malicious email.

Now, we have found a previously unreported binary backdoor we have named Win32/StealthFalcon. In this article, we disclose similarities between this binary backdoor and the PowerShell script with backdoor capabilities attributed to the Stealth Falcon group. We consider the similarities to be strong evidence that Win32/StealthFalcon was created by this group.

The Win32/StealthFalcon backdoor, which appears to have been created in 2015, allows the attacker to control the compromised computer remotely. We have seen a small number of targets in UAE, Saudi Arabia, Thailand, and the Netherlands; in the latter case, the target was a diplomatic mission of a Middle Eastern country. How the backdoor was distributed and executed on the target systems is beyond the scope of this investigation; our analysis focuses on its capabilities and its C&C communication.

C&C communication

In its communication with the C&C server, Win32/StealthFalcon uses the standard Windows component Background Intelligent Transfer Service (BITS), a rather unusual technique. BITS was designed to transfer large amounts of data without consuming a lot of network bandwidth, which it achieves by sending the data with throttled throughput so as not to affect the bandwidth needs of other applications. It is commonly used by updaters, messengers, and other applications designed to operate in the background. This means that BITS tasks are more likely to be permitted by host-based firewalls.

Compared with traditional communication via API functions, the BITS mechanism is exposed through a COM interface and thus harder for a security product to detect. Moreover, this design is reliable and stealthy: the transfer resumes automatically after being interrupted for reasons like a network outage, the user logging out, or a system reboot. And because BITS adjusts the rate at which files are transferred based on the bandwidth available, the user has no reason for suspicion.

Win32/StealthFalcon can switch the communication between two C&C servers whose addresses are stored in a registry key, along with other configuration values, and can be updated by one of the backdoor commands. In case the backdoor fails to reach out to its C&C servers, the backdoor removes itself from the compromised system after a preconfigured number of failed attempts.

Capabilities

Win32/StealthFalcon is a DLL file which, after execution, schedules itself as a task running on each user login. It only supports basic commands but displays a systematic approach to data collection, data exfiltration, employing further malicious tools, and updating its configuration.

Command name   Functionality
K              Uninstall itself
CFG            Update configuration data
RC             Execute the specified application
DL             Write downloaded data to file
CF             Prepare a file for exfiltration
CFW            Exfiltrate and delete files
CFWD           Not implemented/no operation

Table 1. Backdoor commands

For example, the backdoor’s key capability, downloading and executing files, is achieved via regular checks for libraries named “win*.dll” or “std*.dll” in the directory the malware is executed from, and loading these libraries.

Furthermore, Win32/StealthFalcon collects files and prepares them for exfiltration by storing an encrypted copy with a hardcoded prefix in a temporary folder. It then regularly checks for such files and exfiltrates them automatically. After the files have been successfully exfiltrated, the malware safe-deletes all log files and collected files – before deleting the files, it rewrites them with random data – to prevent forensic analysis and recovery of the deleted data.

The configuration values are stored in the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions registry key. All values are prefixed by the malware’s filename (without extension).

Value name suffix   Content
-FontDisposition    Randomly generated, 4-byte victim ID
-MRUData            RC4-encrypted C&C domain
-MRUList            RC4-encrypted C&C domain
-IconPosition       Flag determining which of the C&C domains should be used
-IconDisposition    Number of seconds to sleep after each iteration of contacting the C&C server
-PopupPosition      Counter of failed attempts to reach the C&C servers

Table 2. Configuration data stored in registry

Possible trick to evade detection

Of interest is a function that is executed before any malicious payload is started, and which seems redundant. It references 300+ imports, but does not use them at all. Instead, it always returns and continues with the payload afterward, without condition checks that would suggest it is an anti-emulation trick.

Figure 2. A function referencing hundreds of unused imports, possibly added to avoid detection of the malware

We don’t know the precise intention of this function, but we suspect it is either some attempt to evade detection, or some leftover from a larger framework used by the malware authors.

Links to Stealth Falcon

Both Win32/StealthFalcon and the PowerShell-based backdoor described in the Citizen Lab analysis share the same C&C server: the address windowsearchcache[.]com was used as a “Stage Two C2 Server Domain” in the backdoor analyzed by the Citizen Lab, and also in one of the versions of Win32/StealthFalcon.

Both backdoors display significant similarities in code – although they are written in different languages, the underlying logic is preserved. Both use hardcoded identifiers (most probably campaign ID/target ID). In both cases, all network communication from the compromised host is prefixed with these identifiers and encrypted with RC4 using a hardcoded key.

For their C&C server communication, they both use HTTPS but set specific flags for the connection to ignore the server certificate.

Conclusion

We discovered and analyzed a backdoor with an uncommon technique for C&C communication – using Windows BITS – and some advanced techniques to hinder detection and analysis, to ensure persistence, and to complicate forensic analysis. Similarities in code and infrastructure with previously known Stealth Falcon malware lead us to conclude that the Win32/StealthFalcon backdoor is also the work of this threat group.

ESET detection name

Win32/StealthFalcon

SHA-1

31B54AEBDAF5FBC73A66AC41CCB35943CC9B7F72
50973A3FC57D70C7911F7A952356188B9939E56B
244EB62B9AC30934098CA4204447440D6FC4E259
5C8F83CC4FF57E7C67925DF4D9DAABE5D0CC07E2

RC4 keys

258A4A9D139823F55D7B9DA1825D101107FBF88634A870DE9800580DAD556BA3
2519DB0FFEC604D6C9A655CF56B98EDCE10405DE36810BC3DCF125CDE30BA5A2
3EDB6EA77CD0987668B360365D5F39FDCF6B366D0DEAC9ECE5ADC6FFD20227F6
8DFFDE77A39F3AF46D0CE0B84A189DB25A2A0FEFD71A0CD0054D8E0D60AB08DE

Note: Malware derives a second RC4 key by XORing each byte of the hardcoded key with 0x3D.
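A worked example of how an analyst would use the keys above to read the -MRUData and -MRUList registry values from Table 2. This is added here as illustration and is not ESET’s analysis code or tooling. It implements RC4, derives the second key exactly as the note describes (each byte XOR 0x3D), and tries all eight candidates against a blob until the plaintext is shaped like a hostname. The page does not say which key protects which value, so trying them all is an assumption of this example, and the sample blob is constructed here by encrypting one of the listed C&C domains rather than taken from an infected host.

```python
import re

# The four hardcoded RC4 keys from the indicators above.
HARDCODED_RC4_KEYS = [
    "258A4A9D139823F55D7B9DA1825D101107FBF88634A870DE9800580DAD556BA3",
    "2519DB0FFEC604D6C9A655CF56B98EDCE10405DE36810BC3DCF125CDE30BA5A2",
    "3EDB6EA77CD0987668B360365D5F39FDCF6B366D0DEAC9ECE5ADC6FFD20227F6",
    "8DFFDE77A39F3AF46D0CE0B84A189DB25A2A0FEFD71A0CD0054D8E0D60AB08DE",
]
XOR_CONSTANT = 0x3D            # second key = each byte of the hardcoded key XOR 0x3D
HOSTNAME = re.compile(rb"^[a-z0-9-]+(\.[a-z0-9-]+)*\.[a-z]{2,}$")


def rc4(key, data):
    """Textbook RC4 (key scheduling + keystream). The same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def derive_second_key(key):
    """The derived key described in the note: every key byte XORed with 0x3D."""
    return bytes(b ^ XOR_CONSTANT for b in key)


def candidate_keys():
    """(label, key) for each hardcoded key and its XOR-derived counterpart: eight in all."""
    keys = []
    for hexkey in HARDCODED_RC4_KEYS:
        k = bytes.fromhex(hexkey)
        keys.append(("hardcoded:" + hexkey[:8], k))
        keys.append(("derived:" + hexkey[:8], derive_second_key(k)))
    return keys


def decrypt_cc_value(blob):
    """Try every candidate key on an -MRUData/-MRUList blob.

    Returns (key_label, domain) for the first key whose output looks like a
    hostname, else None. Which key protects which value is not stated on the
    page, so trying all eight is an assumption of this example.
    """
    for label, key in candidate_keys():
        plain = rc4(key, blob).rstrip(b"\x00")
        if HOSTNAME.match(plain):
            return label, plain.decode("ascii")
    return None


# Constructed fixture (not data from a real host): what -MRUData would hold if the
# sample stored one of the listed C&C domains under the key derived from key #1.
SAMPLE_MRUDATA = rc4(derive_second_key(bytes.fromhex(HARDCODED_RC4_KEYS[0])),
                     b"footballtimes.info")

if __name__ == "__main__":
    print(decrypt_cc_value(SAMPLE_MRUDATA))
```

On a live host the raw bytes come from the REG_BINARY value itself (for example via reg query … /v X-MRUData, or by reading the hive offline); the keys apply only to the samples listed above, so a non-match on another binary means a different build rather than a clean host.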

Host-based indicators

Malware file names

ImageIndexer.dll
WindowsBackup.dll
WindowsSearchCache.dll
JavaUserUpdater.dll

Log file name patterns

%TEMP%\dsc*
%TEMP%\sld*
%TEMP%\plx*

Registry keys/values

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions
X-MRUList
X-MRUData
X-FontDisposition
X-IconDisposition
X-IconPosition
X-PopupPosition
X is the malware’s filename (without extension).

Network indicators

BITS job names

WindowsImages-
WindowsBackup-
WindowsSearchCache-
ElectricWeb

C&C servers

footballtimes[.]info
vegetableportfolio[.]com
windowsearchcache[.]com
electricalweb[.]org
upnpdiscover[.]org
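A host-triage script, added here as an example and not part of the original article, that turns the host-based and network indicators above into checks: it parses the output of reg query for the Shell Extensions key to recover the prefix X (and therefore the DLL name) from the six value-name suffixes, matches BITS job display names against the listed prefixes, and cross-references the DLL names found on disk. The reg query and bitsadmin /list /allusers output lines are constructed for the demonstration; the exact bitsadmin column layout and the two-suffix threshold are assumptions.

```python
import re

# Indicator lists from the host-based and network sections above.
VALUE_SUFFIXES = ("-MRUList", "-MRUData", "-FontDisposition",
                  "-IconDisposition", "-IconPosition", "-PopupPosition")
BITS_JOB_PREFIXES = ("WindowsImages-", "WindowsBackup-", "WindowsSearchCache-", "ElectricWeb")
MALWARE_FILENAMES = {"ImageIndexer.dll", "WindowsBackup.dll",
                     "WindowsSearchCache.dll", "JavaUserUpdater.dll"}

# One value line of `reg query "<key>"` output: indented name, type, data.
REG_VALUE_LINE = re.compile(r"^\s+(\S+)\s+(REG_[A-Z_]+)\s*(.*)$")
# One job line of `bitsadmin /list /allusers` output (assumed layout: GUID, quoted name, state).
BITS_JOB_LINE = re.compile(r"^\{[0-9A-Fa-f-]{36}\}\s+'([^']*)'\s+([A-Z_]+)")


def registry_findings(reg_query_output):
    """Group Shell Extensions values by prefix X (the DLL name without extension).

    A prefix carrying at least two of the six indicator suffixes is reported,
    which also recovers the on-disk filename to look for. The threshold of two
    (rather than all six) is an assumption, to tolerate a partially cleaned host.
    """
    suffixes_by_prefix = {}
    for line in reg_query_output.splitlines():
        m = REG_VALUE_LINE.match(line)
        if not m:
            continue
        name = m.group(1)
        for suffix in VALUE_SUFFIXES:
            if name.endswith(suffix) and len(name) > len(suffix):
                suffixes_by_prefix.setdefault(name[:-len(suffix)], set()).add(suffix)
    return {prefix: sorted(found)
            for prefix, found in suffixes_by_prefix.items() if len(found) >= 2}


def bits_findings(bitsadmin_output):
    """Return (display name, state) for BITS jobs whose names match the listed prefixes."""
    hits = []
    for line in bitsadmin_output.splitlines():
        m = BITS_JOB_LINE.match(line)
        if m and m.group(1).startswith(BITS_JOB_PREFIXES):
            hits.append((m.group(1), m.group(2)))
    return hits


def triage(reg_query_output, bitsadmin_output, dll_names_on_disk):
    """Combine the registry, BITS and filename checks into one report."""
    reg = registry_findings(reg_query_output)
    expected_dlls = {prefix + ".dll" for prefix in reg}   # X.dll implied by the registry
    return {
        "registry": reg,
        "bits_jobs": bits_findings(bitsadmin_output),
        "dll_hits": sorted((expected_dlls | MALWARE_FILENAMES) & set(dll_names_on_disk)),
    }


# Constructed samples of what the two commands print on an affected host.
SAMPLE_REG = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions
    ImageIndexer-FontDisposition    REG_BINARY    7A1C03E9
    ImageIndexer-MRUList    REG_BINARY    9C4F0B22E1
    ImageIndexer-MRUData    REG_BINARY    4D10A7F3C8
    ImageIndexer-IconPosition    REG_DWORD    0x0
    ImageIndexer-PopupPosition    REG_DWORD    0x2
    SomeApp-MRUList    REG_BINARY    00

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
"""
SAMPLE_BITS = """
{3B7A9C0E-1F2D-4E8B-9A2C-0D1E2F3A4B5C} 'WindowsSearchCache-1c3f' TRANSFERRED 1 / 1 2048 / 2048
{9D0C2A5F-7B6E-4C1A-8F3D-2E4F5A6B7C8D} 'Edge Component Updater' TRANSFERRING 0 / 1 0 / 65536
"""

if __name__ == "__main__":
    print(triage(SAMPLE_REG, SAMPLE_BITS, ["ImageIndexer.dll", "kernel32.dll"]))
```

On a real host, feed it the output of reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions" and bitsadmin /list /allusers (or Get-BitsTransfer -AllUsers in PowerShell) and a directory listing of the locations where the DLL was found; the value-name check is the strongest of the three, since a benign application is unlikely to write several of these exact suffixes under one prefix.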

MITRE ATT&CK techniques (tactic, ID, name, description)

Execution
  T1059  Command-Line Interface: Malware uses cmd.exe to execute some commands.
  T1106  Execution through API: Malware uses the CreateProcessW API for execution.
  T1085  Rundll32: Malware uses rundll32.exe to load the backdoor DLL.
  T1053  Scheduled Task: Malware schedules rundll32.exe to be executed on each login, and subsequently to load the backdoor DLL.

Persistence
  T1053  Scheduled Task: Malware establishes persistence by scheduling a task that loads the backdoor on each user login.

Defense Evasion
  T1197  BITS Jobs: Malware uses the BITS file transfer mechanism for network communication, in an attempt to avoid detection.
  T1140  Deobfuscate/Decode Files or Information: Strings are encrypted with a custom XOR cipher. Configuration data and log files are encrypted with RC4, using a hardcoded key.
  T1107  File Deletion: Malware overwrites files with random data and then deletes them after exfiltration.
  T1036  Masquerading: Malware attempts to masquerade by using seemingly legitimate file names.
  T1112  Modify Registry: Malware stores its configuration in a registry key.
  T1027  Obfuscated Files or Information: Strings are encrypted with a custom XOR cipher. Configuration data and log files are encrypted with RC4, using a hardcoded key.

Discovery
  T1063  Security Software Discovery: Malware terminates itself if the McAfee Agent binary (cmdagent.exe) is detected.

Collection
  T1074  Data Staged: Malware stores collected data in a temporary folder, in files named with a hardcoded prefix.
  T1005  Data from Local System: Malware has a command to collect/steal a file from the compromised system.

Command and Control
  T1008  Fallback Channels: Malware is able to communicate with two C&C servers; it also supports switching to a different C&C server using a backdoor command.
  T1105  Remote File Copy: Malware uses BITS jobs for C&C communication.
  T1032  Standard Cryptographic Protocol: Malware encrypts C&C communication using RC4 with a hardcoded key.

Exfiltration
  T1020  Automated Exfiltration: Malware automatically exfiltrates the files staged in a temporary folder under a hardcoded prefix.
  T1022  Data Encrypted: Malware encrypts the collected data using RC4 with a hardcoded key, prior to exfiltration.
  T1041  Exfiltration Over Command and Control Channel: Malware exfiltrates data over the C&C channel.

9 Sep 2019 – 11:30AM

Week in security


This week, we present an introduction to the MITRE ATT&CK framework, a review of the mobile threats and vulnerabilities detected during the first half of 2019, and the new features in Firefox 69.

  • An introduction to the MITRE ATT&CK framework and how it can help organize and classify various types of threats and adversarial behaviors.
  • A review of the mobile threats and vulnerabilities detected for Android and iOS during the first half of 2019.
  • An overview of Firefox’s new Enhanced Tracking Protection (ETP), launched to offer users better privacy and protection from cryptojacking.

Firefox 69: Third‑Party Tracking Cookies and Cryptomining Now Blocked by Default


Firefox’s new Enhanced Tracking Protection (ETP) feature has launched for all users of the browser, to offer better privacy and protection from cryptojacking.

Protecting users’ privacy is a long-standing preoccupation in IT security, and browser vendors are also taking action. We saw another example this week with Firefox version 69.0. Since Tuesday, September 3, third-party tracking cookies and cryptominers are blocked by default for all Firefox users, on desktop as well as on Android.

The feature, called Enhanced Tracking Protection (ETP), rolls out stronger privacy protections. The Mozilla Blog explains the specifics of this feature:

  • The default standard setting for this feature now blocks third-party tracking cookies and cryptominers.
  • The optional strict setting blocks fingerprinters as well as the items blocked in the standard setting.

While the announcement is important, we should note that this feature is not exactly new from Mozilla. It had already been enabled by default for new users since last June; it is now on for all users of the open-source web browser.

Marissa Wood, Vice President of Product at Mozilla, explains: “Currently, over 20% of Firefox users have Enhanced Tracking Protection on. With today’s release, we expect to provide protection for 100% of our users by default.”

The new feature targets third-party cookies, which are usually set by advertising networks. First-party cookies are not affected by this feature.

The second target of this feature is cryptojacking. In brief, cryptojacking is the use of a computer or device to mine cryptocurrency without the user’s knowledge. Cybercriminals either hijack digital currency directly, or use compromised computer resources to mine cryptocurrency without the knowledge of the devices’ legitimate users. According to a recent survey, a third of British corporations have been hit by this serious threat.

If you want to go further in protecting your privacy online, you might want to read these articles as well:

6 Sep 2019 – 11:28AM

Semi‑annual balance of mobile security 2019


Malware detections for iOS increased, as did the number of vulnerabilities detected in this operating system, while in the case of Android, the number of reported vulnerabilities decreased, although the number of highly critical bugs reported increased.

Mobile security plays an increasingly important role in protecting information assets for both home and corporate users. In fact, with the advent of the Internet of Things and the thousands of non-traditional devices that are controlled by mobile applications, the security of our phones becomes increasingly relevant to protect the computers they connect to.

Therefore, in this publication we will analyze the mobile security landscape based on statistics obtained during the first six months of the year, to assess the new trends relative to the 2018 mobile security report.

Android Security

Up to June of this year, 86 security bugs affecting Android had been published. In 2018, 611 CVE vulnerabilities were listed for the whole year. Based on this data, the number of vulnerabilities in 2019 looks set to fall sharply compared to previous years.

However, 68% of the bugs published in 2019 were deemed critical and 29% of them allowed malicious code to be executed. This is a considerable increase over previous years, when the percentage of serious bugs was lower. It is therefore crucial that users install security patches promptly to avoid being affected by serious vulnerabilities such as those patched by Google last July. In particular, the flaw CVE-2019-2107, which could compromise a device simply by playing a video on it, drew much attention; that description recalls the past vulnerabilities Stagefright and Metaphor.

In terms of vulnerabilities, it is interesting to note that 90% of Android devices run versions prior to Android Pie, while 74% do not even run Oreo, according to the Android developer platform. This could expose outdated phones to major bugs that require architectural changes to the system to be fixed.

Good news: the number of malware detections has decreased 8% over the first half of 2018 and 10% over the second half of last year. This might be a result of efforts by Google and security researchers to detect threats and prevent their spread.

Graphic 2 – Malware Detection for Android in 2019

Accompanying the decrease in detections, the average number of new Android malware variants has also dropped, to 240 per month compared to 300 in previous years. Another interesting fact is that Android turned out to be the fourth platform with the most new malware variants, after Win32, MSIL and VBA.

One of the types of malicious code that experienced the greatest growth during 2018 was cryptocurrency miners; an example is Android/Coinminer. Detections of this threat increased by 72% in 2018 compared to the previous year. Fortunately, detections of this malware family have decreased by 78% in the first half of 2019.

Despite this decrease, cryptocurrencies are still in attackers’ sights. Another method they use to obtain them is stealing credentials for online wallets through Trojans smuggled into the Google Play Store, as happened with these recently discovered fake cryptocurrency apps.

Meanwhile, Android banking malware has also made a name for itself. Since its inception, the number of new variants of mobile spyware and, particularly, of Trojans dedicated to the theft of financial data has been increasing. Cerberus, malware that overlays screens to steal banking credentials, was recently sold through social networks.

With respect to this common phenomenon of malware propagation in the official app store, a study by ElevenPaths analyzed how long malicious apps remained in Google Play and revealed that these apps were available for download for 51 days on average before being removed. Some of these malicious applications were available for up to 138 days.

For its part, Android ransomware has once again advanced in complexity. ESET researchers discovered Android/Filecoder.C, a variant that uses both symmetric and asymmetric encryption and spreads via SMS to the victim’s contact list. This represents a leap in code complexity compared to older ransomware families such as DoubleLocker.

In the first half of 2019, malware detections for Android were concentrated globally in Russia (16%), Iran (15%) and Ukraine (8%). The first Latin American country to appear in the international ranking is Mexico (3%) in sixth place, followed by Peru (2%) in tenth place.

iOS Security

For iOS, 155 vulnerabilities were disclosed in 2019, a 25% increase compared with 2018 and almost double the number found in Android during the current year. We can therefore expect that the number of vulnerabilities for 2019 will exceed the figure obtained in. However, the percentage of high-criticality flaws is lower than for Android, at around 20%.

On the other hand, malware detections for iOS increased 43% over the first half of last year. The number of new malware variants remains low, indicating that cybercriminals’ interest continues to rest on Android, where the largest number of users are found.

Graphic 4 – Detection of malware for iOS in 2019

As for the geographical distribution of these detections, they are mainly concentrated in China (75%), India (7%) and Taiwan (4%). It is interesting to note the appearance of India near the top of the ranking, displacing Hong Kong from its position.

In the first half of the year, Apple’s mobile phones were also subject to vulnerabilities that endangered their users, such as the release of a version that accidentally reintroduced a previously patched bug and so made a jailbreak for version 12.4 possible. Another example was the FaceTime bug that could easily be exploited to eavesdrop on other users.

Malware was not absent from this operating system either, and large-scale spyware infections appeared around the world. On this occasion, a variant called Exodus was the one that caused havoc around April of this year, when several users discovered malicious activity on their devices.

In addition to all these threats created for each of the two most widely used mobile operating systems in the world, we must not forget the multiplatform risks associated with the use of third-party platforms. Vulnerabilities in user applications can be as dangerous as those in the OS, as exemplified by the recently discovered WhatsApp flaw that allowed the text of quoted messages to be altered.

We also have to mention the social engineering attacks that try to lure users with cyberscams, such as this WhatsApp scam pretending to offer 1000 GB. Trendy applications, like FaceApp, are also used by cybercriminals to spread malware and scams online.

Although mobile systems have been designed with security in mind and are sometimes safer than traditional technologies, we must not forget that the risks are still latent. Regardless of platform preference, we must always keep in mind that no system is invulnerable and that education and prevention are essential to using mobile technologies safely.

5 Sep 2019 – 11:30AM

What is MITRE ATT&CK and how is it useful?

Source: We Live Security Magazine On:


An introduction to the MITRE ATT&CK framework and how it can help organize and classify various types of threats and adversarial behaviors.

MITRE is a not-for-profit company set up in 1958 whose mission is to “solve problems for a safer world”. This goal is being fulfilled, in part, via the organization’s new curated knowledge base known as MITRE ATT&CK, which stands for “Adversarial Tactics, Techniques, and Common Knowledge”. It is a platform that organizes and categorizes various types of tactics, techniques, and procedures (TTPs) used by threat actors in the digital world, helping organizations pinpoint gaps in their cyber-defenses.

All the information that is collected about attacks is presented in various matrices, such as the enterprise, mobile and pre-attack matrices. The Enterprise Matrix, for example, includes the following categories (or tactics):

  • Initial Access
  • Execution
  • Persistence
  • Privilege Escalation
  • Defense Evasion
  • Credential Access
  • Discovery
  • Lateral Movement
  • Collection
  • Command and Control
  • Exfiltration
  • Impact

Each category is divided into specific sub-categories (or techniques) corresponding to each type of attack. Also included are details about the technique, examples, references (showing which platforms can be attacked, dates on which the incidents were detected, etc.) and suggestions for the mitigation and detection of the threat.

For example, the Spearphishing Link section within Initial Access contains an explanation of what this method of initial access involves. At the time of writing, this section includes 19 examples of threat actors using the technique (Figure 1 shows the entry for Ocean Lotus, aka APT32). Needless to say, this number will increase over time with new reports, complete with explanations and recommendations for how to mitigate these threats and which detection techniques are needed to stay safe(r).

Figure 1. Profile of the Ocean Lotus (aka APT32) group

The platform provides a range of information that is useful for analysis of the entire lifecycle of a cyberattack, including the reconnaissance of the target, attack vectors, the actual intrusion, and post-breach actions.

This type of repository is extremely useful to information security professionals, helping to keep them updated on new attack techniques and to prevent attacks from happening in the first place.

Organizations can leverage the framework to create a map of their defense systems. While the framework does primarily describe adversarial behavior, enterprises – specifically those that design security mechanisms – can make the necessary adjustments, taking into account possible attack scenarios and, if necessary, training their staff.

ATT&CK provides details about a large number of actors and groups, including the techniques and tools which they are known for, based on open-source reporting. By enabling hostile behavior to be described in a standardized way, the ATT&CK framework can also be useful for providing intelligence about cybersecurity threats. The framework provides a guide that security teams can compare with existing operation controls with the aim of establishing strengths and identifying weaknesses before threat actors can leverage them.

Creating entries in the MITRE ATT&CK Navigator for specific actors is a good way of visualizing the strengths and weaknesses of one’s environment relating to these actors or groups. It can also be used to categorize tests carried out on an organization’s internal systems, together with their results. This navigator can be used online or downloaded for more stable and long-term use.

Figure 2. View of the MITRE ATT&CK Navigator and the options for categorizing and organizing the tests conducted and their results
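As an added example (not code from the article, from MITRE, or from the Navigator project), here is how a defender might script the comparison the text describes: an actor’s known techniques checked against the detections already in place, with the result emitted in the shape of a Navigator layer so the gaps can be visualised. The technique IDs are quoted from memory of the Enterprise matrix and the layer field names are assumed; both should be checked against the live knowledge base before reuse.

```python
"""Map an actor's known techniques against an organisation's detection coverage."""
import json

# Constructed sample: an actor profile as (technique ID, technique name, tactic).
# IDs are quoted from the ATT&CK Enterprise matrix as recalled by the editor;
# verify each against the live knowledge base before reusing this mapping.
ACTOR_TECHNIQUES = [
    ("T1566.002", "Spearphishing Link", "initial-access"),
    ("T1059", "Command and Scripting Interpreter", "execution"),
    ("T1053", "Scheduled Task/Job", "persistence"),
    ("T1003", "OS Credential Dumping", "credential-access"),
    ("T1021", "Remote Services", "lateral-movement"),
    ("T1071", "Application Layer Protocol", "command-and-control"),
    ("T1041", "Exfiltration Over C2 Channel", "exfiltration"),
]

# Constructed sample: technique IDs the organisation's detections already cover.
DETECTED = {"T1566.002", "T1059", "T1071"}


def coverage_gaps(actor_techniques, detected):
    """Return {tactic: [technique names]} for actor techniques with no detection."""
    gaps = {}
    for tid, name, tactic in actor_techniques:
        if tid not in detected:
            gaps.setdefault(tactic, []).append(name)
    return gaps


def navigator_layer(name, actor_techniques, detected):
    """Build a dict shaped like an ATT&CK Navigator layer file (assumed field
    names; the version block is a placeholder to adjust for your Navigator)."""
    techniques = []
    for tid, tname, tactic in actor_techniques:
        covered = tid in detected
        techniques.append({
            "techniqueID": tid,
            "tactic": tactic,
            "score": 1 if covered else 0,  # 1 = detected, 0 = gap
            "comment": f"{tname}: {'detected' if covered else 'GAP'}",
        })
    return {"name": name, "domain": "enterprise-attack",
            "versions": {"layer": "4.x"},  # placeholder version
            "techniques": techniques}


if __name__ == "__main__":
    print(json.dumps(coverage_gaps(ACTOR_TECHNIQUES, DETECTED), indent=2))
    print(json.dumps(navigator_layer("sample-actor", ACTOR_TECHNIQUES, DETECTED), indent=2))
```

Loading the printed layer into the Navigator colours the detected techniques and leaves the uncovered ones as the gaps to work on first.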

There are additional resources that are linked to ATT&CK and that provide mechanisms to test attack techniques in simulated environments. For example, companies like Verodin, SafeBreach, and AttackIQ provide the ability to carry out an attack simulation. There are also open-source options such as MITRE Caldera, Uber Metta, Red Team Automation (RTA), or Atomic Red Team, to name just a few, which enable attack simulations to be carried out and are also linked to ATT&CK. As always, extreme care must be taken when carrying out these kinds of tests in production networks where the extent of the possible ramifications isn’t fully known. It’s always advisable to use controlled environments that are separated as much as possible from networks with production equipment holding real company data.

In summary, MITRE ATT&CK includes a raft of tools and resources to complement any security strategy. The framework provides organizations with threat intelligence and gives them an idea of how prepared they are to detect and respond to intrusions. That way, they’re able to meet their cybersecurity needs and be ready if or when bad actors strike.

Needless to say, ESET Research decided earlier this year to include MITRE ATT&CK matrices in most published malware analyses.

3 Sep 2019 – 04:21PM

Cyberbullying: What schools and teachers can do

Source: We Live Security Magazine On:


How schools and educators can address and help prevent abusive behavior on the internet

These days, the internet is woven into people’s everyday lives, and children’s lives are no exception. For all its benefits, the technological evolution has also brought, or magnified, some problems, and cyberbullying is one of the most pervasive threats that youth face online. In fact, when a kid starts to be bullied at school, the harassment usually continues on social networks, messaging apps, and elsewhere on the internet. Educational institutions may think that the issues of the digital world lie outside the scope of schooling or that they don’t warrant scrutiny. However, online abuse and harassment often have a bigger impact on the victims than in-person bullying – and yet they may be ignored until it’s too late.

Importantly, on the internet everything can become more powerful. A social media post can reach hundreds or even thousands of people in a matter of minutes and before you know it, all those people may be talking and expressing opinions about the post or image. The impact of abusive content on the victim is magnified when there’s an increase in the number of people seeing, liking, sharing, and/or commenting on the post. Indeed, if the content has gone viral, it’s impossible to stop or delete it, even if the aggressors come to regret their actions.

On a related note, the sense of decreased inhibition afforded by screens and social networks due to the sense of anonymity may make many kids feel empowered enough to say and do things in the digital world that they would never do in the physical world.

Against this backdrop, and as a way to encourage a proactive approach to tackling cyberbullying and other types of online harassment, here are four principles that every school and teacher can apply in order to deal with this problem:

1. Educate students to be good digital citizens

Since the digital world is part of our real lives, the rules that apply on the internet should be the same as those we are already familiar with in the physical world. When teaching kids about respect and social conventions, it’s important to include the realm of the internet and ensure that they are also taught how to behave and communicate through digital media.

Subjects like civic education and citizenship should go beyond traditional boundaries to touch also on ethics, morality and respect in the digital world. Team exercises and activities are another powerful way to get groups to work together as one. The purpose of such activities is to get all the members of the class to work together toward a common goal, using all their individual strengths and valuing each person’s abilities to complete a task.

2. Prioritize awareness-raising over banning

Awareness is very powerful, not least because it changes social perceptions. Rather than creating panic over the use of technology or spreading misunderstandings, awareness allows a positive atmosphere to emerge.

Many schools choose to ban the use of technology, which can actually backfire in that pupils and students will use their phones on the sly. Young people identify with technology and adapt it to fit into their daily lives. That’s why it’s important to show students how they can use technology for the common good, such as to share knowledge or to support one another. Furthermore, by bringing technology into the classroom, teachers can focus on its ethical use.

3. Collective solidarity in reporting cyberbullying

A report by the Safe2Tell initiative found that, in 81% of cases of bullying at school, a group of students had known about an attack but decided not to report it. In most of these cases, the silence is mainly due to the fear of becoming the next victim or of being punished by adults. Children need to know that the problem is not technology, but rather people using it for the wrong ends. Promoting free-flowing dialogue and providing a space for listening also helps children know who to turn to if faced with abusive behavior.

On the other hand, online abuse can, and should, be reported on the platforms themselves. All social networks have the option to report posts, comments and even profiles that harm or harass someone. This is the only way to get abusive content removed from social networks: once a number of reports have been received, the post or profile is deleted. These reports are completely anonymous, so there is no need to fear retaliation.

4. Dialogue: the basis for all support

Students need to know who they can reach out to before a problem arises, and in this area trust is the key to opening a dialogue. A recent survey (in Spanish) found that 25% of children and teenagers believe their elders know less than they do about technology. This perception makes them feel that their online problems are played down and not understood. Children view what happens on the internet as very serious: their digital identities are essentially the same to them as their real-world identities. For that reason, if a student approaches a teacher or other responsible adult with an online problem, the teacher needs to take it as seriously as a similar real-world issue and seek out the resources to deal with it.

It’s important to remember that while youngsters know a lot about how technology is used and how it works, adults have more real-life experience. With this in mind, exploring topics like technological risks, safety on the internet and appropriate online behavior is vital to encouraging dialogue. And it’s essential to break the silence around bullying and cyberbullying by talking about instances of cyberabuse and their solutions. In doing so, teachers need to be clear and empathetic and to communicate openly with their students.

In conclusion, if we view digital communication as part of each person’s own little world, we can apply these thoughts expressed by Eleanor Roosevelt:

Where, after all, do universal human rights begin? In small places, close to home – so close and so small that they cannot be seen on any maps of the world. Yet they are the world of the individual person; the neighborhood he lives in; the school or college he attends; the factory, farm, or office where he works. Such are the places where every man, woman, and child seeks equal justice, equal opportunity, equal dignity without discrimination. Unless these rights have meaning there, they have little meaning anywhere. Without concerted citizen action to uphold them close to home, we shall look in vain for progress in the larger world.

Suggested further resources:

What is cyberbullying and how to defend against it?
Stop Cyberbullying Day: Advice for victims and witnesses
More curious, less cautious: Protecting kids online

23 Aug 2019 – 11:30AM