Trend

#cybersecurity | Following A New Trend in Ransomware League

Source: National Cyber Security – Produced By Gregory Evans

Ransomware authors keep exploring new ways to test their strengths against various malware evasion techniques. The ransomware known as “Ouroboros” is expanding its footprint in the field by adding more and more advancements to its behaviour with each new version. This analysis covers the behaviour of version 6, a few earlier variants, and some insights into the recent version 7. This ransomware not only applies conventional methods but also adopts some new techniques that make it very difficult to analyze.

Infection Vector
Ouroboros has been around for about a year now and spreads through RDP brute-force attacks, deceptive downloads, and Server Message Block (SMB), which is generally used for file sharing and some administrative tasks on Windows endpoints connected over a network.

Technical Analysis
During analysis, we found that it first stops SQL services (SQLWriter, SQLBrowser, MSSQLSERVER, MSSQL$CONTOSO1, MSDTC, SQLSERVERAGENT, MySQL, etc.) so that it can encrypt files that are held open by a database. It does this by creating a cmd.exe process with a “net stop” command, as shown in the figure below.

Fig.1 Code snippet for stopping SQL process through cmd

It also stops some other SQL processes, such as sqlserver.exe and sqlagent.exe, but uses a different method to terminate them.

Fig.2 Adopting a different method to stop other SQL processes

Resemblance To LockerGoga
It builds a 0x40-byte key block consisting of 0x20 key bytes generated with the CryptGenKey Crypto API combined with 0x20 bytes that are already present in the file. It then performs AES operations on them in a manner similar to LockerGoga. Both Ouroboros and LockerGoga use the Crypto++ library, which makes analysis difficult. While the steps for encrypting the data are the same, the two use different encryption modes: LockerGoga uses AES in CTR mode, while Ouroboros uses AES in CFB mode.
Both samples use the aesenc/aesenclast instructions, which are part of the AES-NI instruction set introduced by Intel around 2009.

Fig.3 Instruction set used by malware

Encryption Procedure
As explained above, after building the 0x40-byte key block, it expands the key using Rijndael key expansion from 0x20 bytes (256 bits) to 240 bytes by performing 15 rounds of various mathematical operations.

Fig.4 Expanded key Using Rijndael Expansion

It builds the initial block cipher state using the instruction set shown in Fig.3, taking the expanded key and the IV as input.

Fig.5 Initialization Vector

After forming the initial 0x40-byte block cipher output, it is used to encrypt file data by reading bytes from the file and performing operations on them. The encrypted bytes are stored in memory and then written to the file using the WriteFile API.

Fig.6 XORing block cipher bytes with file bytes and storing them

This ransomware keeps a 0x100-byte PEM-encoded RSA public key in the file. It encrypts the AES key with this RSA public key and appends the result to the end of the file, as shown in Fig.7.

Fig.7 Appending key at the end of file

Ransom Note
On the host machine, encrypted files are renamed with the extension [original file name].Email= [*.com]ID=[XXXXXXXXX].odveta

Fig.8 Extension Format

After encryption, it drops Unlock-Files.txt in each folder as the ransom note.

Fig.9 Ransom note
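The renaming scheme and the per-folder ransom note above are the two host artifacts a responder can key on when triaging a directory listing: the name carries the contact address and the victim ID, and the note marks every folder the encryptor visited. The following Python is an added example written for this page, not code from the analysed sample or from Quick Heal. Every path, the e-mail address and the victim ID in it are constructed sample values, and the regular expression tolerates the optional space after “Email=” that appears in the published format.

```python
"""Triage helper for the Ouroboros (version 6) file-renaming pattern.

Added example, not code from the analysed sample. It recognises the
  <original name>.Email=[<address>]ID=[<victim id>].odveta
naming scheme and the Unlock-Files.txt ransom note, then summarises a
directory listing. All paths, the e-mail address and the victim ID below
are constructed sample values.
"""
import ntpath
import re
from typing import Dict, Iterable, List, Optional

# \s* tolerates the optional space after "Email=" seen in the published format.
OUROBOROS_NAME_RE = re.compile(
    r"^(?P<original>.+)\.Email=\s*\[(?P<email>[^\]]+)\]ID=\[(?P<victim_id>[^\]]+)\]\.odveta$",
    re.IGNORECASE,
)

RANSOM_NOTE_NAMES = {"unlock-files.txt"}   # version 6 note name from the analysis

# Constructed directory listing (Windows paths); not taken from a real infection.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\budget.xlsx.Email=[decrypt@example.com]ID=[A1B2C3D4E].odveta",
    r"C:\Users\alice\Documents\plan.docx.Email= [decrypt@example.com]ID=[A1B2C3D4E].odveta",
    r"C:\Users\alice\Documents\Unlock-Files.txt",
    r"C:\Users\alice\Documents\notes.txt",
    r"C:\Users\alice\Pictures\holiday.jpg.Email=[decrypt@example.com]ID=[A1B2C3D4E].odveta",
    r"C:\Users\alice\Pictures\Unlock-Files.txt",
    r"C:\Users\alice\Pictures\report.odveta.bak",   # look-alike that must not match
]


def parse_encrypted_name(filename: str) -> Optional[Dict[str, str]]:
    """Return original name, contact address and victim ID, or None if not matching."""
    match = OUROBOROS_NAME_RE.match(filename)
    return match.groupdict() if match else None


def scan_listing(paths: Iterable[str]) -> Dict[str, object]:
    """Summarise which files were renamed and which folders received the note."""
    encrypted: List[str] = []
    victim_ids = set()
    note_dirs = set()
    for path in paths:
        folder, name = ntpath.split(path)       # handles backslash paths on any OS
        parsed = parse_encrypted_name(name)
        if parsed:
            encrypted.append(path)
            victim_ids.add(parsed["victim_id"])
        elif name.lower() in RANSOM_NOTE_NAMES:
            note_dirs.add(folder)
    return {
        "encrypted_count": len(encrypted),
        "encrypted_files": encrypted,
        "victim_ids": sorted(victim_ids),       # more than one ID would be unusual
        "note_dirs": sorted(note_dirs),
    }


if __name__ == "__main__":
    summary = scan_listing(SAMPLE_LISTING)
    print(f"{summary['encrypted_count']} renamed files, victim IDs {summary['victim_ids']}")
    for folder in summary["note_dirs"]:
        print("ransom note in", folder)
```

A real sweep would feed the output of a file-system walk or a forensic image listing into scan_listing; the victim ID is the value the ransom note instructs the victim to quote, so a single ID across all files is the expected result for one infected host.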

Network Analysis
Before connecting to the CnC server, it performs a DNS query for sfml-dev.org and makes an HTTP GET request to the URL /ip-provider.php, receiving the victim’s host/system public IP in the response, as shown in the figures below.

Fig.10 DNS query to get the public address of sfml

Fig.11 Query to get the public IP of the host

It then initiates a connection to the CnC (IP: 92.222.149.118) over port 18, but may fail to connect because the port is closed.
“There was no response from the server when we tried to connect via telnet over port number 18, but as we were trying to connect over other ports, it gave a successful response for port number 22 (SSH).”

The network connection happens before encryption starts, and in earlier versions it was not clear what the malware intended to achieve. In version 7, however, we observed that after a successful connection to the CnC (though the IP address is different), it sends the locally generated RSA private key to the CnC, which may also be the case for version 6.

Evolution of Ouroboros

Analysis of Ouroboros version 7
In this version, the CnC (80.82.69.52) was live, so we were able to perform network analysis.

Before it establishes the connection, it checks for ids.txt; if that file is already present in ProgramData, it skips the connection and performs the encryption with an offline key.
If ids.txt is not present, it connects to the CnC and resolves the public address of the host, the same as in version 6.

After resolving the public address of the host, it generates an RSA key pair. It does not use any library for this; instead, it has implemented the whole algorithm itself and generates the public and private keys locally.

The following is the part where the key gets generated.

Fig.12 Private key locally generated

After forming the private key, it sends it to the CnC, which responds with “Active”.

Fig.13 Private key sent to CnC

Ransom Note in Version 7
After encryption, it drops info.txt and uiapp.exe in C:\ProgramData and deletes pKey.exe. Uiapp.exe is a .NET executable created to drop the ransom note.

Fig.14 Ransom note Version 7

Quick Heal provides multilevel protection for this family. It detects and deletes it in real-time scanning as well as through behaviour-based detection and the ARW module.

Conclusion
Ransomware now not only uses packers but also libraries and different instruction sets to make analysis difficult. Noting that other ransomware (LockerGoga) has also used similar techniques, we can say that this trend will continue in the future.

IOCs
Version 6:

1E73E78E60E3A2255C37D7181ADF16E6
1EA66E610493B9DB3F5AA6DA82CA2CE7
560EE81F4250138CE063FEC3F387690C
B316DB79241100B0E86C11352DD169A0
6330639300E22E956CC50CCBD4FD027E

Version 7:
117C3707F4D8DB004A0E7EF86350612B
15F32A4EE7B75AEFA308866B4BD79539

Subject Matter Expert
Manisha Prajapati, Pooja Birajdar | Quick Heal Security Labs

The post #cybersecurity | Following A New Trend in Ransomware League appeared first on National Cyber Security.

#cybersecurity | #hackerspace | Businesses Will Buy Down Risk With Defense-in-Depth – 2020 Trend #5

As 2019 came to an end, Imperva CTO Kunal Anand began working with our global research team, Imperva Labs, to put together a list of the most important cybersecurity issues security leaders should be prepared for in 2020. He published his list in the blog, “Top 5 Cybersecurity Trends to Prepare for in 2020.” Since then, we’ve been digging deeper into each of his five trends in blogs that examine risk and security strategies that can keep your business safe. Today, we’ve arrived at the fifth and final trend to prepare for in 2020: defense-in-depth.

Digital Transformation is a Driver

We know that digital transformation is definitely having an impact on every aspect of our business life. Increased efficiencies, higher revenue and improved communication are just a few of the benefits we are starting to see.  But the urge to be online all the time via smartphones, laptops, tablets, smart speaker systems and even IoT devices, is putting a strain on the enterprise. The lines between corporate and personal become blurred as employees use personal devices to access corporate apps in the cloud, check email one last time before going to bed, or log onto the business intranet. And everyone – customers and employees alike – wants consistent, high-speed access to all the websites and applications they need, always and everywhere. 

Unexpected Consequences

Digital transformation has an unexpected side as well, with serious implications for security and performance. 

There is a new weakest link to be aware of: the point at which the enterprise-owned network connects to a third-party network – typically at major Internet hubs. Connections to potentially vulnerable API backends, weak security or older, vulnerable versions of operating systems on personal devices, password re-use, and increasingly sophisticated cyberattacks can spell danger for even the most security-savvy organization. 

DDoS attacks remain attractive to hackers: In 2019 our team saw the largest-ever attacks, five times bigger than any previously seen. At the same time, spear phishing attacks are increasingly successful. They impersonate executives through business email compromise (BEC) to execute unauthorized wire transfers and use publicly available information to trick employees into giving up their credentials. It’s easier than ever to attack mobile devices that connect to corporate assets, converting them into vectors to attack resources, steal data, and slow down access to websites and apps. 

In Search of Comprehensive Security and Efficiency

Traditional defense mechanisms are not able to keep up with the increasing power and agility of cyberattacks. That’s why it’s important to keep attacks as far away as possible from the corporate network and data center. In practice, that means mitigating them close to the point of attack – at the edge. Not only is this more efficient, it can have a positive impact on the user experience as well. This approach requires us to push strong security all the way to the edge, encompassing all devices – especially mobile devices, which are often the target of attacks.  

Still, edge security is not enough. We need to take a much more efficient and comprehensive risk-reduction approach than we have in the past. Traditional approaches involved separate edge security solutions to combat DDoS attacks, provide protection for web applications, detect and deter malicious account takeover attempts, etc. Even worse, there were separate providers and solutions for protecting against external threats, bad bots, hackers, and insiders who have become internal threats. And separate solutions for protecting assets that live on-premises, in the cloud, and in mixed cloud environments – at a time when many organizations are in the process of migrating from one environment to the other. Different platforms, user interfaces, and management consoles lead to inefficient operations, bombarding security analysts with massive amounts of uncoordinated alerts and increasing the management burden. 

A Better Way

Businesses need security solutions that protect applications regardless of where they live, that are integrated to share important data, that can analyze complex attacks and find patterns, and that make life easier for scarce talent like security analysts. Solutions that reconcile the often-conflicting requirements for speed, performance, scalability, and protection. 

The best way to accomplish this is through security that provides true defense-in-depth from the edge to inside the application itself. The ideal scenario is a “layered” security model where malicious actors must pass through multiple gates in order to execute an attack, without introducing latency or jeopardizing essential business processes.

Imperva Application Security

At Imperva, we take a security-first approach that ensures an optimal user experience while managing risk. Our global network of full-stack PoPs ensures protection at the edge while guaranteeing optimal performance and speed. 

The Imperva WAF inspects all traffic destined for customer websites and mitigates malicious traffic at the nearest PoP, allowing legitimate traffic to continue on its way. Our powerful DDoS protection stops attacks of any size in three seconds or less – an industry first (and best) SLA. Our content delivery network optimizes website delivery, improving performance while reducing bandwidth costs. Our bot management provides protection against all OWASP automated threats. Our Runtime Application Self-Protection (RASP) offers security by default against known and zero-day vulnerabilities. And Attack Analytics gives analysts a prioritized set of actionable security insights to improve productivity.  

The Imperva Application Security suite delivers all this in a simple, flexible, and predictable licensing approach that lets you deploy regardless of whether your devices are in the cloud, on-premises or in a hybrid model.  

Featured Webinar: Take on 2020 with Vision. Imperva CMO David Gee sits down with Imperva CTO Kunal Anand to discuss all the trends you should watch for in 2020. Watch here.

The post Businesses Will Buy Down Risk With Defense-in-Depth – 2020 Trend #5 appeared first on Blog.

*** This is a Security Bloggers Network syndicated blog from Blog authored by Kim Lambert. Read the original post at: https://www.imperva.com/blog/buy-down-risk-2020-trend-5/

The post #cybersecurity | #hackerspace | Businesses Will Buy Down Risk With Defense-in-Depth – 2020 Trend #5 appeared first on National Cyber Security.

The #shocking #trend of people #breaking into each others’ #social media #accounts

Spouses hack each others’ Facebook messages, parents track their offspring’s cellphone movements and lovers crack lovers’ private messages.

To most of us, EFF leader Julius Malema’s recent claim that his e-mail account was attacked by government backed hackers left a bit of a Spy vs Spy taste in the mouth.

Particularly after SA Communist Party bigwig Solly Mapaila made the same claim two days later.

But I don’t think it is so farfetched that politicians’ confidential correspondence can be targeted by cyber attackers. Just ask Hillary Clinton.

The shocking trend, however, is that ordinary citizens are breaking into each others’ social media accounts left, right and centre.

It is those closest to people who break into their personal accounts and spy on their correspondence.

Spouses hack each others’ Facebook messages, parents track their offspring’s cellphone movements and lovers crack lovers’ private messages behind their naked backs.

The worst of all is that you don’t have to be a Russian hacker or cyber geek to breach somebody’s social media. People don’t need coding skills.

If you have the skills to use Twitter, you can hack Twitter. What about WhatsApp’s encoded message technology? Even a rookie hacker can choose from a variety of techniques to break into the messaging service account.

The most popular seems to be software which allows a hacker in after just a few minutes with the target’s phone, such as Copy9 and a host of others.

Or he doesn’t even have to touch your phone – sniffer software allows him to hack your WhatsApp account from a distance if you’re on the same WiFi network. And Facebook? The classical techniques are rather unrefined, because it locks the user out of his or her account, which means the hacking attempt will be noticed.

More stealthy, though, are software or hardware keyloggers, which record every keystroke the user makes on a computer, including passwords.

Or the hacker can use software such as FaceGeek or Spyzie or Hyper Cracker. And Twitter? Software such as Twitterhacker is abundant.

Of course it is completely illegal to hack someone’s social media account under the Electronic Communications Act. You can even go to jail for it.

Perhaps our modern world needs more than laws.

The post The #shocking #trend of people #breaking into each others’ #social media #accounts appeared first on National Cyber Security Ventures.

Worrying trend in hackers using steganography

Researchers at the security firm Kaspersky Lab have identified a new, worrying trend: malicious hackers are increasingly using steganography, a digital version of an ancient technique of hiding messages inside images, to conceal the tracks of their malicious activity on an attacked computer. A number of […]

School exit exams urged in Connecticut, despite US trend – Education Week

The post School exit exams urged in Connecticut, despite US trend – Education Week appeared first on Parent Security Online.

Jaden Smith, Angelina Jolie, Sylvester Stallone Dead: Celebrity Suicide Hoaxes New Hacker Trend?

The Internet does not seem to have had enough of celebrities like Jaden Smith, Angelina Jolie and Sylvester Stallone. Celeb suicide hoaxes are the “in thing” currently. It has become a trend among hackers to kill a celeb to create a furor

The post Jaden Smith, Angelina Jolie, Sylvester Stallone Dead: Celebrity Suicide Hoaxes New Hacker Trend? appeared first on National Cyber Security.

Charter school trend slows as NC increases scrutiny for 2017 – Education Week

The post Charter school trend slows as NC increases scrutiny for 2017 – Education Week appeared first on Parent Security Online.

Latest Trend In Online Dating: Matches Don’t Last Forever

WASHINGTON POST – Nov 28 – Hinge is the latest dating app to add time limits; after a match, users have 24h to start a conversation or the match disappears.

The post Latest Trend In Online Dating: Matches Don’t Last Forever appeared first on Dating Scams 101.

New Trend Described As ‘Organized Crime’ In High School

COLUMBUS, Ohio – When classes begin at Reynoldsburg City Schools on Monday, Officer Nikki Riley says there is one thing every kid should leave at home: their cell phone. “We spend so much time investigating stolen phones,” says Riley, who has served as the high school resource officer for the past several years. “Probably every day we have a kid that lost a phone or the phone was stolen.” Sources from Hilliard, Westerville and Gahanna tell Crime Tracker 10 that stolen cell phones are common issues they deal with almost every day at their school campuses. In Reynoldsburg, Officer Riley says for every theft ring they break up, another one pops up by the next day. “Unfortunately, by the time we get a report of it, things have been handed off 4-5 times within the hour and our recovery rate is really low,” explains Riley. What’s more concerning for Reynoldsburg is a new crime trend that surfaced a year ago of kids trading cell phones for high-end shoes and sneakers. “They’ll trade that phone for maybe a phone they’ll like better — and then a pair of shoes,” says Riley. She says it’s not uncommon to see kids bringing […]

For more information go to http://www.NationalCyberSecurity.com, http://www. GregoryDEvans.com, http://www.LocatePC.net or http://AmIHackerProof.com

The post New Trend Described As ‘Organized Crime’ In High School appeared first on National Cyber Security.

MCPF wants cops to stop trend of juvenile criminals

KUALA LUMPUR: The involvement of juveniles in crime is a new trend to which the police and society must give special attention, said Malaysian Crime Prevention Foundation (MCPF) vice-chairman Tan Sri Lee Lam Thye. “We want the non-governmental organisations to have campaigns on crime prevention with interesting activities to get the young generation to participate. “The crime prevention club has also been set up in many schools to make the pupils more aware of the dangers of juvenile crimes,” he said when launching a crime prevention campaign at the Pudu Ulu recreational park in Cheras today. He added there was also a need for more counselling teachers in schools to tackle the problem of juvenile crimes. Lee said that most cases of juvenile crime were a result of negative peer influence and involvement in gangsterism. According to the federal police crime index statistics, from January to October last year, 9,509 criminal cases involving children were reported, compared to 7,647 cases during the same period in 2013 – an increase of 24.3%. The campaign was organised by the MCPF in cooperation with the police, Cybernetics International College of Technology and several other organisations. source: http://www.thesundaily.my/news/1340411

The post MCPF wants cops to stop trend of juvenile criminals appeared first on National Cyber Security.
