

#cybersecurity | hacker | Rogers’ vendor leaves database open

Source: National Cyber Security – Produced By Gregory Evans

A third-party service provider to Rogers Communications left open a database used for marketing purposes, exposing customer PII.

The Canadian telecom provider did not name the firm involved, nor the number of people affected, but reported that the incident was uncovered on Feb. 26, 2020 and involved the service provider leaving a database open to the public for an unspecified amount of time.

The third-party vendor, which handles promotional offer fulfillment for Rogers, exposed customer names, addresses, account numbers, email addresses and telephone numbers. No payment card information or login credentials were involved.

The data that was exposed can cause a great deal of harm to its owners as cybercriminals can use it to create well-crafted phishing emails from which they may be able to extract even more valuable personal data.

Original Source link

The post #cybersecurity | hacker | Rogers’ vendor leaves database open appeared first on National Cyber Security.

View full post on National Cyber Security

#cybersecurity | hacker | VPNs: Not a cybersecurity slam dunk for telecommuters in the age of COVID-19


CISOs and cybersecurity teams around the world are watching their threat surface multiply as millions of staffers find themselves working from home for the first time in order to help constrain the spread of Coronavirus.

Removing these people from the safe, controlled environment of their offices and tossing them into the wild, so to speak, means a greater dependence on VPNs. That may prove problematic: most large enterprises are not prepared to host the majority of their workforce online, and smaller companies may not be set up for this type of access at all.

Then there is the additional threat posed by workers operating outside the direct oversight of IT and security teams possibly making catastrophic decisions that could endanger the entire organization.

Stan Lowe, global CISO for Zscaler, noted that most businesses have enough VPN hardware to generally handle between 20 percent and 30 percent of their workforce working remotely. However, now that entire corporations have been forced to send their employees home with their laptops this is proving not to be anywhere near enough.

It is also neither simple nor inexpensive to go out and purchase additional equipment, at least the type needed by larger firms that require a high degree of security, Lowe said. Zscaler provides cloud-based remote access software.

“If you need more equipment, it takes time—you have to buy it, wait for it to ship and arrive then deploy it, update the hardware and keep it updated. And that’s just the VPN stack. Trying to scale VPNs and other legacy remote access technology, adding tens of thousands of users, can take months and break a corporate network,” he said, adding three to five months is a good guesstimate for such an upgrade.

For those companies that cannot increase their VPN capacity it might become necessary to put their workers onto shifts so the VPN capability that is on hand is spread out, Lowe said.

Even companies well-equipped to handle an influx in VPN usage face the daunting task of bringing those who normally occupy office space up to speed on how to use their VPN and make sure their home network can handle the added bandwidth.

“IT must be sure to educate their users, so they are aware of the impact on everyone and to limit their bandwidth-heavy activity, like Netflix streaming, to outside of office hours. This will ensure that productivity doesn’t drop and that users don’t try to forgo the VPN altogether, which could have dire consequences for the security of the business,” said Justin Jett, director of audit and compliance for Plixer.

Another unique situation that needs to be addressed, Jett said, is that not only are employees at home, but so is the rest of their family. A person attempting to do work at the kitchen table is competing with a spouse who is working from the den and kids who may be gaming or streaming video in another room. All of these demands need to be balanced so work can get done, perhaps requiring the kiddies to limit themselves to board games during the day and streaming when office hours are over.

Then there is the cybersecurity aspect of this new reality. Using a VPN does not by itself make working from home more secure. Lowe pointed out that with people linking in from all over the world, possibly through an insecure router, a company’s attack surface is vastly increased. Even those with a safe connection can cause problems as cybercriminals are working overtime right now to come up with new phishing lures designed to grab login credentials from all the individuals who are now telecommuting full time.

“A VPN only secures the communication channel between the employee’s workstation and the corporate network. However, as a massive amount of home workers now start to use their personal workstations to access corporate assets, it’s only a matter of time until we see a soaring number of cyberattacks that originate from these personal devices that can be easily breached,” said Tal Zamir, co-founder and CTO of Hysolate.

If just one person makes a mistake a malicious actor could gain the information needed to access a corporate network. Placing even more pressure on the individual is the fact that there is nobody from the company’s IT department or security team within earshot to ask if an email is malicious or legit.

“If devices are infected with malware, even workers who use a VPN client cannot evade attackers who can ride their VPN connection to raise havoc in enterprise networks. The more users are working from home, the greater the risk. Organizations should instruct employees to use trusted dedicated workstations to access sensitive corporate assets and avoid using their multi-purpose personal devices,” Zamir said.

A VPN breach is about as bad as it gets, because moving internally from VPN infrastructure into sensitive data is extremely easy, said Aaron Zander, head of IT at HackerOne.

Companies able to add VPN capacity are not safe either, but must take several extra measures to ensure errors are not made in their haste to deploy the new hardware.

“Triple check all of your network configurations, ACL’s, firewall rules, etc. Without a doubt in 9 months from now, we’ll be looking at news stories about two impacts resulting from COVID-19 — all the babies being born, and all the breaches that have happened because of negligent infrastructure,” Zander said.


#cybersecurity | hacker | Microsoft Patch Tuesday finds 115 vulnerabilities patched, 26 critical


Microsoft’s March 2020 Patch Tuesday release saw the company roll out patches for 115 vulnerabilities, 26 of them rated critical; in a rare event, Adobe is taking this month off and has published no updates.

This is the second month in a row that Microsoft has had a busy Patch Tuesday. In February the company patched 99 vulnerabilities, including one zero-day. One analyst piggybacked on today’s roll-out to note that a vulnerability included in February’s release, CVE-2020-0688, is being actively exploited in the wild; even though a large number of new updates have been issued, admins should prioritize taking care of this older CVE if they have not done so already.

The critical issues fixed by Microsoft this month include 58 elevation of privilege flaws, with Satnam Narang, principal research engineer at Tenable, listing CVE-2020-0788, CVE-2020-0877 and CVE-2020-0887 as the most severe. Microsoft agrees, listing them as the most likely to be exploited.

“These are elevation of privilege flaws in Win32k due to improper handling of objects in memory. Elevation of Privilege vulnerabilities are leveraged by attackers post-compromise, once they’ve managed to gain access to a system in order to execute code on their target systems with elevated privileges,” he said.

Jay Goodman, Automox’s strategic product marketing manager, cherry-picked CVE-2020-0833, CVE-2020-0824 and CVE-2020-0847 for added attention. The first two are remote code execution vulnerabilities that could corrupt system memory, giving an attacker access in the role of the user.

“[The third] is also a remote code execution vulnerability, this time in VBScript. VBScript is a scripting language used by Microsoft. It allows system admins to run powerful scripts and tools for managing endpoints and will give the user complete control over many aspects of the device,” he said.

is also a memory corruption issue, with threat actors generally using phishing or browser attacks to first gain entry.

In addition to last month’s issue, Recorded Future’s Liska highlighted CVE-2020-8050, CVE-2020-8051, CVE-2020-8052 and CVE-2020-8055. All are remote code execution vulnerabilities in Microsoft Word that take advantage of how the software handles objects in memory. A malicious actor would have to send a malicious document and then convince a victim to click on it to initiate an attack. However, CVE-2020-8052 is even more dangerous and can be launched through an Outlook preview pane without the need to click on the document.

“As Recorded Future has previously noted, Microsoft Office is among the most popular attack vectors for cybercriminals. We expect one or more of these vulnerabilities will be weaponized sooner rather than later,” he said.

Animesh Jain, from Qualys’ vulnerability management research team, pointed out that even some issues that Microsoft considers less likely to be exploited should still garner admin attention and concern. CVE-2020-0905, a remote code execution vulnerability affecting the Dynamics Business Central client, falls into this category, but Jain said the fact that this is likely to reside on a critical server makes it important to patch.


#cybersecurity | hacker | Bug prompts Let’s Encrypt to revoke over 3M TLS certificates


Beginning today, Let’s Encrypt is revoking more than 3 million of its Transport Layer Security (TLS) certificates, following the discovery of a bug that affects the way it rechecks CAA (Certificate Authority Authorization) records.

“Most subscribers issue a certificate immediately after domain control validation, but we consider a validation good for 30 days,” explained Jacob Hoffman-Andrews, Let’s Encrypt engineer, in a Feb. 29 post on the non-profit certificate authority’s website. However, in cases where cert issuance is delayed for more than eight hours, Let’s Encrypt must recheck CAA records, even though the records were originally checked during the domain control validation process. That’s where the vulnerability comes into play.

Hoffman-Andrews described the bug, which was introduced on July 25, 2019, as follows: “[W]hen a certificate request contained N domain names that needed CAA rechecking, Boulder would pick one domain name and check it N times. What this means in practice is that if a subscriber validated a domain name at time X, and the CAA records for that domain at time X allowed Let’s Encrypt issuance, that subscriber would be able to issue a certificate containing that domain name until X+30 days, even if someone later installed CAA records on that domain name that prohibit issuance by Let’s Encrypt.”

Altogether, 3,048,289 certificates are affected, or roughly 2.6 percent of the approximately 116 million active certificates issued by Let’s Encrypt, which is operated by the San Francisco, Calif.-based Internet Security Research Group. One million of these are duplicates of certificates that typically are reissued on a frequent basis, Hoffman-Andrews further explained on the Bugzilla website as well as in an FAQ page on the Let’s Encrypt site.

Let’s Encrypt identified its CA software as Boulder. The cert authority said the bug was originally reported by a Let’s Encrypt community member on February 18 and was fixed on Feb. 29. Let’s Encrypt has since created a tool for users to determine if they are affected by the vulnerability. Affected subscribers are encouraged to renew and replace their impacted certificates.
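The recheck flaw described above, modelled as an added Go example (not Boulder’s code): N names go into the recheck, but every deferred check reads one shared variable, so the last name is checked N times and a CAA record that now forbids issuance on an earlier name is never seen. The policy map standing in for DNS and the shared-variable cause are constructed assumptions for illustration.

```go
package main

import "fmt"

// caaPolicy is a constructed stand-in for DNS CAA lookups: name -> issuance allowed.
type caaPolicy map[string]bool

// checkCAA reports whether the CAA records for name still allow issuance and
// appends the name it actually looked up to looked, so the caller can see it.
func checkCAA(policy caaPolicy, name string, looked *[]string) error {
	*looked = append(*looked, name)
	if allowed, ok := policy[name]; ok && !allowed {
		return fmt.Errorf("CAA for %q forbids issuance", name)
	}
	return nil
}

// recheckCAABuggy reproduces the symptom in the post: N names go in, one name
// is checked N times. The cause modelled here (deferred checks all reading a
// single shared variable) is an assumption, not taken from Boulder.
func recheckCAABuggy(policy caaPolicy, names []string) ([]string, error) {
	var looked []string
	var checks []func() error
	var name string // one variable shared by every closure below
	for _, n := range names {
		name = n
		checks = append(checks, func() error { return checkCAA(policy, name, &looked) })
	}
	// By the time the checks run, name holds only the last element of names.
	for _, c := range checks {
		if err := c(); err != nil {
			return looked, err
		}
	}
	return looked, nil
}

// recheckCAAFixed gives each deferred check its own copy of the name, so every
// name in the request is rechecked exactly once.
func recheckCAAFixed(policy caaPolicy, names []string) ([]string, error) {
	var looked []string
	var checks []func() error
	for _, n := range names {
		name := n // per-iteration variable
		checks = append(checks, func() error { return checkCAA(policy, name, &looked) })
	}
	for _, c := range checks {
		if err := c(); err != nil {
			return looked, err
		}
	}
	return looked, nil
}

func main() {
	// Constructed scenario: validation at time X allowed all three names; before
	// issuance the owner of a.example adds a CAA record forbidding this CA.
	policy := caaPolicy{"a.example": false, "b.example": true, "c.example": true}
	names := []string{"a.example", "b.example", "c.example"}

	looked, err := recheckCAABuggy(policy, names)
	fmt.Println("buggy checked:", looked, "err:", err) // c.example three times, no error
	looked, err = recheckCAAFixed(policy, names)
	fmt.Println("fixed checked:", looked, "err:", err) // stops at a.example with an error
}
```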


#cybersecurity | hacker | Election integrity preserved in fictitious city of Adversaria during Operation Blackout tabletop exercise


On a sunny day last week during RSA 2020, a group of journalists huddled in a vault in the San Francisco Mint, plotting to wreak havoc and sow doubt on Election Day in the fictitious city of Adversaria.

Despite taking over traffic cameras, the governor’s Facebook account and the mayor’s Twitter account, plotting cyberattacks, developing deepfakes and crafting social media-based disinformation campaigns, the Red Team, the Kill Organized Systems (K-OS) hacktivist group, had its efforts thwarted by a team of competent do-gooders on the Blue Team, the Adversaria Task Force, who were also gathered in a vault in the Mint.

It was all part of a tabletop exercise organized by Cybereason, a mini version of the three-hour event the company typically runs in cities around the world to alert law enforcement, government officials and first responders – who typically populate the Blue Team – to the many ways hackers can disrupt elections and to prepare them to respond to whatever attacks might come their way.

“Recent times have seen election tampering by special interest groups and foreign powers in the United States, Europe and Asia. With looming 2020 elections across the world the goal of Operation Blackout California was to examine and advance the organizational responsiveness of government entities to a hacking group’s attempts to undermine democratic institutions and systems of governance in the republic,” said Cybereason CSO Sam Curry, who led the Operation Blackout exercise. “Most election hacking discussions and exercises focus on the mechanics and minutiae of hacking election equipment or contaminating and violating the integrity of voter rolls. Cybereason’s exercise instead focused on everything else in the electoral system.”

The teams took five-minute turns, in which they were allowed two actions and a development. Actions for the Red Team included gaining access to city cameras and taking over social media accounts and news broadcasts, while a development is a capability the team wants built out during the course of the exercise, such as the creation of a bot network to disseminate and amplify disinformation. On the Blue Team, actions included assigning police officers to a task, perhaps deploying them to polling stations. The team’s development might be spinning up a capability such as gaining assistance from a federal agency.

While the Red Team in the RSA exercise successfully created a troll network, disrupted traffic signals, made a plausible threat of a terrorist attack, effectively used social media and developed deepfake videos showing voting machine malfunctions, the Blue Team countered along the way, shutting down construction sites, deploying police officers to polling stations and reclaiming social media. In the end, the White Team adjudicating the exercise determined that the Blue Team won the day, thwarting the Red Team’s malicious efforts.

“Overall, the red team of hackers hijacked a news station and took control of other social media channels in the city, but the blue team of law enforcement officials was able to restore order. A press release was issued by the mayor and police chief dispelling fake news and disinformation,” said Curry. “While the red team did create some chaos, however, it wasn’t lasting damage and the blue team successfully defended the elections.”


#cybersecurity | hacker | The hottest topic: Ransomware | SC Media


The attacks that transpired last year alone arguably made ransomware the hot topic of the year and most likely a leading contender for 2020 as well, but a new element that cropped up late last year – attackers adding a layer of blackmail to the threat of locking a target’s computer system – solidified its standing.

The evolution, if one could apply such a lofty term, to blackmail stems from companies’ recent strides in better deflecting ransomware attacks.

Although the well-known threat actor The Dark Overlord was a pioneer, several groups, including Maze, Sodinokibi and Nemty, have been implementing this tactic since late last year, an indicator to many security pros that the bad guys are responding to improved security practices on the part of their intended victims.

“The attacker threatening, or going ahead with, disclosure of the stolen data is their way of forcing even those companies that have backup in place to reconsider paying the ransomware,” says Ilia Kolochenko, founder and CEO of ImmuniWeb.

Over the last several weeks Maze has wielded Sodinokibi ransomware as a lever to try and pry millions of dollars in ransom payments from a series of targets, most recently Medical Diagnostic Laboratories and the Gedia Automotive Group. Maze demanded 200 bitcoins from the former and, when it refused to pay up, allegedly posted stolen data to several dark web forums. Gedia also ignored the threat and had data revealed. Previously, Pensacola, Fla., and Travelex have also been involved in this type of attack.

Maze is so brazen that it has created a public website where it posts data stolen from companies that refuse to pay up.

The possibility that sensitive data could be released certainly preys upon the mind of most ransomware victims. In almost every case where a company, municipality or school district was hit, one of the first things those in charge mention is that they do not believe any data has been removed. This was generally a safe comment to make, as attackers had not previously made a habit of stealing data prior to encrypting a system.

The addition of blackmail removes their ability to offer that particular reassurance, and they cannot hide what happened if the stolen data is made public.

“By threatening public exposure, attackers can add layers of pressure to their ransom demands, in addition to the potential fines from data protection acts like GDPR,” says Alex Guirakhoo, strategy and research analyst at Digital Shadows. “Even empty threats of exposure can be enough to elicit payment.”

If an organization pays the ransom, that does not mean the bad guys will comply and refrain from making further use of the stolen information. That the people behind ransomware attacks are criminals who cannot be trusted has always been one of the primary reasons law enforcement has been against paying a ransom: it guarantees nothing.

“Stealing data simply gives them additional leverage to extort payment and, perhaps, other options for monetization – selling the data to other criminal groups or competitors, for example,” says Brett Callow, a threat analyst with Emsisoft.

Moshe Elias, director of marketing at Cymulate, notes that criminals were forced to go in this direction in order to maintain their cash flow as fewer companies were opting to pay. In one sense these malicious actors were hoist by their own petard, as the huge number of ransomware attacks gained a great deal of public exposure, thus raising awareness.

“Awareness has grown and companies are employing better protection against ransomware and better recovery methods from a successful ransomware attack,” he says, which has led to victims not paying despite not being able to recover their data – in some cases because they had cyber insurance to cover any loss.

Deciding not to pay has led to another plot twist. Over the last four months the size of the average ransom payout has dramatically increased for those who choose to give in to the demand.

The security firm Coveware recently reported that in the fourth quarter of 2019, the average ransom payment increased by 104 percent to $84,116, up from $41,198 in the third quarter of 2019.

The report specifically cited the ransomware groups now known for threatening to release data as one of the drivers of this higher

“Some variants such as Ryuk and Sodinokibi have moved into the large enterprise space and are focusing their attacks on large companies where they can attempt to extort the organization for a seven-figure payout,” Coveware says.

Attackers still target smaller businesses, primarily using Dharma, Snatch and Netwalker ransomware, but with demands as low as $1,500 – compared to the six- and seven-figure fees demanded from large

As with any adversarial relationship, one side generally comes up with a new weapon or methodology and it is then countered by the opposing side. Since the criminal element has now brought into play a further level of blackmail, defenders must adapt. Moshe Elias, Cymulate’s director of product marketing, points out that there are already tools available that can inform a targeted firm that data is being exfiltrated.

“What’s most surprising about this attack (Medical Diagnostic Laboratories) is that any fully functioning Data Loss Prevention solution should assist in detecting unwanted data that’s been accessed and sent out of the organization. Such a large amount of data, such as 100GB, should at least raise a flag if not completely kill the communication channel for exfiltration,” he says, adding, “As ransomware has shifted to exfiltrating data and then encrypting it on the customer side, it’s imperative that all network security controls are optimized at all times to avoid these types of gaps.”

Whether or not Medical Diagnostic Laboratories had the internal staff in place to handle this attack is something only the company knows, but Bret Padres, CEO of Crypsis Group, says companies that find themselves in this position can turn to what is another hot topic: cyber insurance. Such coverage will not only help defray any financial loss, but insurance firms can also help smaller or less tech-savvy firms recover from an attack.


#cybersecurity | hacker | Equifax CISO touts company’s transparency as it seeks breach redemption


Fresh off a financial settlement over its 2017 data breach that affected roughly half the U.S. population, Equifax is forging ahead with a $1 billion-plus investment in a new security plan — and CISO Jamil Farshchi was eager to tout the credit reporting agency’s progress so far in a session this week at the RSA Conference in San Francisco.

Farshchi, who was hired as CISO in February 2018 after previously helping Home Depot clean up its security practices following its own breach, said that moving forward, the company is focusing on three key pillars: assurance in its data and controls, automation and generating security awareness among senior leadership, as well as lower-level employees, who will be scored on their security practices.

Farshchi asserted that Equifax has already succeeded in improving its corporate culture, controls and compliance, while also partnering with customers and industry organizations to share lessons learned. Indeed, he was particularly effusive about the company’s openness about its recovery efforts so far.

“[I]t is extraordinarily rare for an organization to be transparent about what they’re doing and the initiatives that are underway to be able to transform after that breach,” said Farshchi. “Most organizations, you put your head down, you grind it out and that’s that. The problem with that approach, in my opinion, is that it doesn’t afford the opportunity for everyone else to learn from the things that you’ve gleaned through that crisis event.”

Since the breach, the company has hired more than 1,000 employees in IT and cybersecurity, despite a shortage of talent in this field. The company also had to regain its compliance certifications after losing them as a result of the incident.

“[I]t is infinitely more difficult to be able to regain a certification once you’ve lost it than it is to get it in the first place and certainly to renew it on an annual basis. So we went through a huge effort to do that,” noted Farshchi, who had undergone the experience previously with Home Depot.

Farshchi spent the bulk of his presentation further detailing plans and objectives for improving assurance, automation and awareness.

The assurance component involves maintaining focus on basic fundamentals and regularly testing data controls and the entire security stack to make sure the company is not making false assumptions about its security profile. In essence, Farshchi wants multiple data points that offer a multi-layered view of the network environment, rather than relying on a single source of truth that might be unreliable.

Farshchi cited the company’s migration to the cloud using the Google Cloud Platform, noting the company has instituted assurance on top of its controls there. “So as of today, we can measure around 120 of our controls in that space — and the beauty of it is, unlike an on-prem environment, everything is standardized, so I can know real time, all the time, the effectiveness of every single one of those controls across the entire estate, which is really, really powerful…”

Meanwhile, Equifax’s effort to increase automation — in areas such as risk-scoring and remediation of network weaknesses, for example — is intended to streamline activities and get controls in place faster by relieving IT employees of burdensome, time-consuming manual processes. Farshchi asserted that the company is not trying to displace employees or downsize, but rather optimally leverage its employees.

Finally, to improve awareness, Farshchi’s team is instituting measures to better communicate with Equifax’s board of directors and the general workforce.

For the former, the team has developed a framework designed to plainly communicate current security goals and posture to senior leadership. The framework includes a control map that details what controls the company has already implemented, as well as the predominant threat vectors Equifax must watch out for. This allows the directors to see where the company is best protected, where risk still exists and how the security team intends to reduce that risk. Equifax plans to open source this framework for other organizations to use.

To address the general workforce, the company is instituting a system to score employees on their security practices, much like it rates consumers’ credit scores. For example, if employees click through on a simulated phishing email, that will adversely affect the scorecards they receive on a monthly basis, and hopefully influence more responsible behavior in the future.

“We’re doing this because our DNA in Equifax is obviously credit scoring and so we know how to do analytics… on this and we’re just applying that same skill set to this problem,” said Farshchi.


#cybersecurity | hacker | Munson Healthcare data breach exposes PHI


The northern Michigan-based Munson Healthcare group reported that several employee email accounts were hacked and accessed for two and a half months last year, exposing PHI.

The breach was discovered on January 16, 2020 and the investigation into the incident revealed the email accounts in question were being accessed by an outside source between July 31, 2019 and October 22, 2019. The accounts contained PHI that included names, dates of birth, insurance information along with treatment and diagnostic information. In some cases patient financial account numbers, driver’s license numbers and Social Security numbers were involved, Munson reported.

The number of patients affected and the exact method used to gain access to the email accounts were not revealed.

“[The] incident does not affect all patients of Munson Healthcare and not all information was included for all individuals. Munson Healthcare is now notifying affected individuals so that they can take steps to protect their information,” the healthcare system said.


#cybersecurity | hacker | Idaho Central Credit Union reports two breaches


Idaho Central Credit Union has started informing some customers of two data breaches that impacted the financial institution.

The first instance cropped up on November 5, 2019 when some suspicious behavior was noted. A breach was confirmed three days later, reported BoiseDev. A data breach notice was sent on February 6, 2020 after a two-month-long investigation found the issue stemmed from a third-party mortgage portal used by the credit union’s employees. The information compromised included name, date of birth, Social Security number, financial account information, tax identification number, and information on borrowers, liability, assets, employment, and income, BoiseDev said.

The initial investigation then turned up a second incident associated with a staffer’s email account, which spurred a second inquiry. The extent of damage created by this breach was not disclosed, but the company said all those affected by both cases have been notified.


#cybersecurity | hacker | Malproxying: Leave your malware at home


Endpoint protection plays a critical role in the modern organizational security stack. Yet the very nature of this security model is fundamentally flawed. Endpoint security solutions, and the malicious actors trying to breach them, are locked into a perpetual game of cat and mouse. Each side must continually adapt and react to the tactics of the other. And, unfortunately for organizational security specialists, the playing field is radically unbalanced.

Security solutions and professionals need to maintain perfect endpoint protection; hackers, meanwhile, need only a single successful attempt to wreak extraordinary damage. Yet security solutions do have one point in their favor: the most common endpoint security evasion techniques require constant updating, which limits the pool of attackers and the scale at which attacks are launched.

This leads to a troubling
question — what if a technique existed that allowed attackers to evade defense
mechanisms while requiring little in the way of adjustments to malicious code?
That was the topic of a well-received recent presentation I gave along with my
colleague security researcher Hila Cohen at DEF CON 27 in Las Vegas, Nevada.

Let’s take a closer look at this technique
and its implications for endpoint security.

The Current State of Endpoint Security

Existing security solutions use three
mechanisms to maintain protection:

  • Static signatures — these can be as simple as a hash of a sequence of
    bytes in a file. Signatures cover file segments (or memory blocks), enabling
    a check against common IOCs (Indicators of Compromise) to see if the file is
  • Heuristic rules — these rules can inspect the imported function list, how
    the executable is used, the sizes and structure of its sections, and many
    more properties, including entropy. Heuristic rules attempt to discern
    properties that are common among malicious files yet absent from safe
    executables. They are not based on IOCs and don’t examine the byte sequences
    or hashes that fall under the static signature category.
  • Behavioral signatures — these signatures attempt to identify, evaluate and
    block malicious activity as it runs. Because of the limitations of static
    signatures and heuristic rules, infected files are often miscategorized as
    safe. Behavioral signatures take a different approach: they are based on the
    sequence of operations executed in the system, rather than on how the
    malicious logic is implemented.
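To make the first two mechanisms concrete, here is an added example (not code from the article or from XM Cyber) that applies a static byte-sequence signature and two heuristic rules (section entropy and injection-related import names) to three constructed sample "files". The IOC bytes, the import list, the 7.0-bit entropy threshold and the samples themselves are all assumptions chosen for the demonstration; the point is to show why a re-packed or lightly edited binary slips past the static check while the heuristics still fire on its properties.

```python
import hashlib
import math

# --- Constructed sample "files" (not real binaries) --------------------------

def _pseudo_random(n):
    """Deterministic high-entropy filler built from chained SHA-256 digests,
    standing in for a packed or encrypted section."""
    out, i = b"", 0
    while len(out) < n:
        out += hashlib.sha256(i.to_bytes(4, "little")).digest()
        i += 1
    return out[:n]

BENIGN = (b"MZ" + b"This program cannot be run in DOS mode.\r\n" * 20
          + b"KERNEL32.dll\0CreateFileW\0ReadFile\0CloseHandle\0")
# Constructed IOC: a byte sequence assumed to be known-bad for this example only.
KNOWN_BAD_SEQ = b"\xeb\x0e\x5b\x31\xc9\xb1\x14\x80\x34\x0b\x3c\x43\xe2\xfa"
WITH_IOC = BENIGN + KNOWN_BAD_SEQ + b"\0" * 16
PACKED = (b"MZ" + _pseudo_random(4096)
          + b"KERNEL32.dll\0VirtualAllocEx\0WriteProcessMemory\0CreateRemoteThread\0")

# --- Static signatures: hash of a fixed-length byte sequence ------------------

STATIC_SIGNATURES = {(len(KNOWN_BAD_SEQ), hashlib.sha256(KNOWN_BAD_SEQ).hexdigest())}

def static_signature_hit(data):
    """Slide a window of each signature's length over the file and compare the
    window's hash with the stored hash. Any change to those bytes (re-packing,
    a single inserted nop) defeats this check, which is the weakness the
    article describes."""
    for length, digest in STATIC_SIGNATURES:
        for i in range(len(data) - length + 1):
            if hashlib.sha256(data[i:i + length]).hexdigest() == digest:
                return True
    return False

# --- Heuristic rules: properties rather than exact bytes ----------------------

def shannon_entropy(data):
    """Bits per byte: 8.0 is uniform random; code and text sit well below."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

# Assumed list of imports that together suggest process injection.
SUSPICIOUS_IMPORTS = (b"VirtualAllocEx", b"WriteProcessMemory",
                      b"CreateRemoteThread", b"SetWindowsHookEx")

def heuristic_hits(data, entropy_threshold=7.0, min_imports=2):
    """Return the list of heuristic rules the file trips (empty if none)."""
    hits = []
    if shannon_entropy(data) > entropy_threshold:
        hits.append("high entropy (packed or encrypted)")
    found = [name.decode() for name in SUSPICIOUS_IMPORTS if name in data]
    if len(found) >= min_imports:
        hits.append("injection-related imports: " + ", ".join(found))
    return hits

def classify(data):
    """Static signature first (an exact IOC match), then heuristics."""
    if static_signature_hit(data):
        return "malicious (static signature)"
    hits = heuristic_hits(data)
    if hits:
        return "suspicious (" + "; ".join(hits) + ")"
    return "clean"

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("with_ioc", WITH_IOC), ("packed", PACKED)):
        print(f"{name:9s} entropy={shannon_entropy(sample):.2f} -> {classify(sample)}")
```

The packed sample carries none of the IOC bytes, so the static check says nothing about it; only the heuristics (entropy above threshold, several injection-related imports) flag it. Conversely, re-packing the sample that does contain the IOC would clear the static hit and leave only the heuristic verdict, which is exactly the gap behavioral signatures are meant to close.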

As mentioned above, endpoint protection solutions have a variety of weaknesses. Attackers can change the IOCs, properties and behavior of malicious files, allowing them to evade detection and quarantine. However, these techniques are highly manual and require significant expertise, making them difficult for attackers to apply at scale.

There is, however, another approach enabling
the circumvention of endpoint security without the need for extensive labor or
expertise: Malproxying.

How Malproxying Works

The core operational model of endpoint
security solutions is simple: Identify and analyze code, then classify and
(potentially) block. Yet what if an attacker could obscure that code entirely?

That’s the premise of the malproxying
technique, which avoids deploying malicious code on target machines and
therefore separates that code from any interaction with the target operating
system. Here’s how it works:

A piece of code interacts with its operating system and environment through a set of API calls. The attacker intercepts those API calls and, instead of running them on the attacker’s own operating system, proxies them over the network to the target machine. So the malicious code resides on the attacker side, where it is not monitored by any security solution (as the attacker completely controls that environment), but the actions performed by that malicious code actually take effect in the target environment, allowing it to bypass common endpoint security protection mechanisms. The malicious code, meanwhile, cannot tell that it was not executed on the targeted machine.

On a deeper level, the technique involves two key components: an attacker stub and a target stub. The attacker stub loads and executes the malicious code, intercepts its API function calls and redirects them over a network tunnel to the target stub.

The target stub appears innocent and has no malicious activity pre-coded. It receives the API requests and their parameters, executes those requests and returns the results to the attacker stub. The results are handed back to the malicious code exactly as they would be if it had called the API functions locally. The malicious code is totally unaware of the long journey the response made before arriving at its destination.
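The two-stub arrangement described above, reduced to a runnable added example (this is illustration code written for this page, not the DEF CON tooling or XM Cyber’s code). The "payload" is written against an ordinary-looking API object and only lists and writes files in a scratch directory; the attacker stub turns each of its calls into a JSON request over a socket, and the target stub is nothing but a dispatcher over a table of plain OS functions. The line-delimited JSON protocol, the `TARGET_API` table, the loopback TCP connection standing in for the attacker’s tunnel and the file names are all assumptions of the example.

```python
import json
import os
import shutil
import socket
import tempfile
import threading

# --- Target stub: generic API executor with no payload logic of its own ------

def _read_text(path):
    with open(path, "r", encoding="utf-8") as f:
        return f.read()

def _write_text(path, data):
    with open(path, "w", encoding="utf-8") as f:
        return f.write(data)

# Assumed API table: the only thing the target side knows how to do.
TARGET_API = {
    "listdir": os.listdir,
    "read_text": _read_text,
    "write_text": _write_text,
    "getpid": os.getpid,
}

def target_stub(conn):
    """Serve one JSON request per line until the attacker closes the socket."""
    with conn, conn.makefile("rb") as rf, conn.makefile("wb") as wf:
        for line in rf:
            req = json.loads(line)
            try:
                resp = {"ok": True, "result": TARGET_API[req["fn"]](*req["args"])}
            except Exception as exc:  # errors travel back too, so the payload sees them
                resp = {"ok": False, "error": repr(exc)}
            wf.write(json.dumps(resp).encode() + b"\n")
            wf.flush()

def start_target(host="127.0.0.1"):
    """Listen on an ephemeral loopback port (stands in for the real tunnel)."""
    srv = socket.socket()
    srv.bind((host, 0))
    srv.listen(1)
    def serve():
        conn, _ = srv.accept()
        target_stub(conn)
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

# --- Attacker stub: every API call becomes a remote request ------------------

class AttackerStub:
    def __init__(self, host, port):
        self.sock = socket.create_connection((host, port))
        self.rf = self.sock.makefile("rb")
        self.wf = self.sock.makefile("wb")

    def __getattr__(self, name):
        # Any unknown attribute is treated as an API function to proxy.
        def call(*args):
            self.wf.write(json.dumps({"fn": name, "args": list(args)}).encode() + b"\n")
            self.wf.flush()
            resp = json.loads(self.rf.readline())
            if not resp["ok"]:
                raise RuntimeError(resp["error"])
            return resp["result"]
        return call

    def close(self):
        # Close the file wrappers first so the socket really closes and the
        # target stub's read loop sees EOF.
        self.rf.close()
        self.wf.close()
        self.sock.close()

# --- The payload: written once, unaware of where its API calls execute --------

def payload(api, workdir):
    api.write_text(os.path.join(workdir, "dropped.txt"), "stage2")
    names = sorted(api.listdir(workdir))
    return names, api.read_text(os.path.join(workdir, "dropped.txt"))

def run_demo():
    """Run the payload through the proxy and return what it observed."""
    workdir = tempfile.mkdtemp()
    try:
        api = AttackerStub("127.0.0.1", start_target())
        try:
            return payload(api, workdir)
        finally:
            api.close()
    finally:
        shutil.rmtree(workdir, ignore_errors=True)

if __name__ == "__main__":
    print(run_demo())
```

Nothing in `target_stub` or `TARGET_API` reads as malicious to a static or heuristic scanner, yet the file system effects happen entirely on the target side. Two practical observations follow from the code rather than from any claim the article makes: the tunnel is a long-lived connection that carries one request per API call, which is a network-level artifact the endpoint-centric model does not look at, and the target stub’s actions are still ordinary system calls from its own process, which is the foothold behavioral detection relies on.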

Countering Malproxying

The malproxying technique is designed to
evade the primary mechanisms used by endpoint detection solutions. The target
stub contains no malicious logic in its base form, rendering it hard to
identify and easy to modify if caught. Static signatures and heuristic rules
are easily bypassed.

Behavioral signatures, however, are another matter. Ultimately, a “malicious” sequence of API calls must be executed on the target machine to achieve the attacker’s goals. A sophisticated monitoring tool can detect that malicious flow and raise an alarm. This merely invites another protracted cat-and-mouse battle, as attackers have to find new ways to make it hard for monitoring tools to assemble the trace of their malicious actions.

For example, an attacker could issue each API function call from a different thread, making it harder for security solutions to identify a single code flow and check whether it is malicious. Second, the attacker could bypass the detection points where the security solution tracks the activity of the process. Once those detection points are bypassed, the security solution is blind to any API-based activity.

Continual improvement and refinement of
behavioral detection capabilities represent a better option. Actions triggered
by malicious logic can be tracked using various techniques to ensure that calls
are fully tracked. By building a more robust log of executed system function
calls — and the signatures that define malicious behavior — organizations can
develop a more viable line of defense against this novel attack technique.
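The thread-splitting evasion and the "more robust log" defense from the two preceding sections, as an added example (not code from the article): a small behavioral matcher run over a constructed API-call trace. The trace format, the process and thread ids, and the remote-thread-injection signature are assumptions made for the demonstration. The same ordered-subsequence check is applied twice: once with calls grouped per thread, where the split sequence is invisible, and once grouped per process, where the full flow reassembles.

```python
import re
from collections import defaultdict

# Constructed sample trace (not real telemetry): one API call per line, as a
# user-mode hook or kernel callback might record it. pid 4242 spreads an
# injection sequence over five threads, one call each; pid 5151 is benign.
SAMPLE_TRACE = """\
ts=1 pid=4242 tid=10 api=CreateToolhelp32Snapshot
ts=2 pid=5151 tid=20 api=OpenProcess
ts=3 pid=4242 tid=11 api=OpenProcess
ts=4 pid=4242 tid=12 api=VirtualAllocEx
ts=5 pid=5151 tid=20 api=ReadProcessMemory
ts=6 pid=4242 tid=13 api=WriteProcessMemory
ts=7 pid=4242 tid=14 api=CreateRemoteThread
ts=8 pid=5151 tid=20 api=CloseHandle
"""

# Behavioral signature: an ordered, not necessarily contiguous, call sequence.
REMOTE_THREAD_INJECTION = ("OpenProcess", "VirtualAllocEx",
                           "WriteProcessMemory", "CreateRemoteThread")

LINE_RE = re.compile(r"ts=(\d+) pid=(\d+) tid=(\d+) api=(\w+)")

def parse_trace(text):
    """Parse trace lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, pid, tid, api = m.groups()
            events.append({"ts": int(ts), "pid": int(pid), "tid": int(tid), "api": api})
    return events

def contains_in_order(pattern, calls):
    """True if every step of `pattern` occurs in `calls`, in that order."""
    it = iter(calls)  # shared iterator: each step resumes after the last match
    return all(any(call == step for call in it) for step in pattern)

def detect(events, signature, scope):
    """Group calls by `scope` ("tid" or "pid"), keep time order, and return the
    sorted list of scope keys whose call flow matches the signature."""
    flows = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        flows[e[scope]].append(e["api"])
    return sorted(k for k, calls in flows.items() if contains_in_order(signature, calls))

if __name__ == "__main__":
    evs = parse_trace(SAMPLE_TRACE)
    print("per-thread :", detect(evs, REMOTE_THREAD_INJECTION, "tid"))
    print("per-process:", detect(evs, REMOTE_THREAD_INJECTION, "pid"))
```

The per-thread view is what a hook that only reasons about the current call stack sees, and it finds nothing; the per-process view is the "more robust log" the article argues for, correlating every call the process makes regardless of which thread issued it. The second evasion the article mentions, bypassing the detection points themselves, is not addressed by correlation at all: if the calls never reach the log, there is nothing to match, which is why the collection layer has to sit somewhere the proxied process cannot unhook.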

Amit Waisel, Senior Technology Lead in Security Research, XM Cyber

The post Malproxying: Leave your malware at home appeared first on SC Media.


