Google Demanded T-Mobile, Sprint to Not Sell Google Fi Customers’ Location Data

On Thursday, AT&T announced it was stopping the sale of its customers’ real-time location data to all third parties, in response to a Motherboard investigation showing how data from AT&T, T-Mobile, and Sprint trickled down through a complex network of companies until eventually landing in the hands of bounty hunters and people unauthorized to handle it. To verify the existence of this trade, Motherboard paid $300 on the black market to successfully locate a phone.

Maturing Your Security Operations Center With the Art and Science of Threat Hunting

Your organization has fallen prey to an advanced persistent threat (APT) after being targeted by a state-sponsored crime collective. Six million records were lost over 18 months of undetected presence on your network. While your security operations center (SOC) is fully staffed with analysts, your threat hunting capabilities failed to detect the subtle signs of threat actors moving laterally through your network and slowly exfiltrating customer data.

FBI Warns EdTech Needs Stronger Defenses for Students’ Personal Data

Terms like “privacy,” “personally identifiable information (PII)” or “educational technology (EdTech)” often sound abstract and far from the responsibility of the average person, meant primarily for security and IT professionals. But when schools are forced to close after parents and kids receive ominous, personalized messages, as they did recently in an Iowa school district, according to the Des Moines Register, internet security becomes very real for the whole community.

What The Potential 2020 Candidates Are Doing And Saying, Vol. 1

Welcome to a new weekly collaboration between FiveThirtyEight and ABC News. With 5,000 people seemingly thinking about challenging President Trump in 2020 — Democrats and even some Republicans — we’re keeping tabs on the field as it develops. Each week, we’ll run through what the potential candidates are up to — who’s getting closer to officially jumping in the ring and who’s getting further away.

A Zebrocy Go Downloader

Last year at SAS2018 in Cancun, Mexico, “Masha and these Bears” included discussion of a subset of Sofacy activity and malware that we call “Zebrocy”, and predictions for the decline of SPLM/XAgent Sofacy activity coinciding with the acceleration of Zebrocy activity and innovation. Zebrocy was initially introduced as a Sofacy backdoor package in 2015, but the Zebrocy cluster has carved a new approach to malware development and delivery to the world of Sofacy. In line with this approach, we will present more on this Zebrocy innovation and activity playing out at SAS 2019 in Singapore.

Mjag dropper: Using decoy documents to drop RATs

Mjag dropper

Mjag dropper is compiled in the Microsoft .NET framework, and its original binary is obfuscated using SmartAssembly. The installation path and other details are stored in encrypted form using AES encryption (Fig. 1), and the decryption key is hardcoded.

Fig. 1: AES decryption function

The payload and decoy PDF are encrypted with a custom encryption method and stored in the resource section. The decryption key is hardcoded (Fig. 2).

Fig. 2: Extracting decoy PDF and payload

The decoy document claims to be an India Overseas Bank NEFT transaction statement. It lures users to click the “Click here to view full document” link, which points to a malicious website hosting a copy of the Mjag dropper payload (Fig. 3).

Fig. 3: Decoy PDF document

Installation

1. Copies itself to the “%APPDATA%\FolderN\name.exe” location.
2. Creates the startup key “HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load” with the value “%APPDATA%\FolderN\name.exe.lnk”.
3. Copies “C:\Windows\Microsoft.NET\Framework\\msbuild.exe” to “%TMP%\svhost.exe”.
4. Starts svhost.exe in suspended mode and injects the final payload (Fig. 4).

Fig. 4: Process injection using Windows APIs

However, the injected payload does not run properly and displays an error message (Fig. 5).

Fig. 5: Unhandled exception popup

This error occurs because the injector code is unable to inject the overlay part of the payload, the part that contains the command-and-control (C&C) server details. As the injection code snapshot shows, it allocates memory in the target process equal to the image length defined in the payload’s PE header (Fig. 6), so data appended after the last section is never copied into the target. This means Mjag cannot properly inject payloads (such as Punisher RAT) that keep important data in the overlay.

Fig. 6: Injector code

For the purpose of this blog, we patched the memory mapping issue and continued our analysis of the infection cycle involving Punisher RAT.

Analysis of Punisher RAT

Punisher RAT is packed and written in .NET. The Punisher RAT builder is publicly available and can be configured with a range of features. In the builder (Fig. 7), you can configure the server IP, name, password, and listening port. The RAT communicates with the configured server IP and sends it all the information stolen from the victim’s machine. The builder can also add further functionality to the binary, including anti-VMware, anti-AV, sandbox detection, and USB spreading for further infection, among others.

Fig. 7: Punisher RAT builder

During analysis, we saw various functions of this malware, including:

1. Password stealing module

The malware hunts through various applications’ data and steals the stored credentials. In Fig. 8, it is trying to steal the stored login credentials for the Chrome browser. The stolen information looks like:

|URL| http://facebook.com |USR| username or e-mail |PWD| userpassword

Fig. 8: Stealing module

The Punisher RAT attempts to steal sensitive data from the following applications on the infected system: Filezilla, No-IP Dynamic Update Client, Dyn DNS, Paltalk, FireFox, Chrome, Hotmail, Yahoo, Opera, and Internet Explorer.

2. Anti-task manager

The malware checks for the processes of the following applications and does not allow them to terminate any other process running on the user’s system: Process Explorer, Process Hacker, and Task Manager. This lets the malware author ensure that the malware processes cannot be terminated. Fig. 9 shows that when attempting to kill the ‘a.exe’ process using Process Explorer, the “OK” button is replaced by an “Error” button.

Fig. 9: Anti-task manager

3. Keylogging

The malware can capture keystrokes (Fig. 10) and stores the data in the %AppData%/{random digits}.log file.

Fig. 10: Capturing keystrokes

4. Persistence

The malware copies itself to the startup folder and creates a run key pointing to that location: HKCU\software\microsoft\windows\currentversion\run

5. Spreading vector

It looks for removable drives and CD-ROMs to infect and creates an .lnk file on them. Fig. 11 depicts the spreading mechanism through a USB device.

Fig. 11: USB spread

6. AV checks

The Punisher RAT checks for installed AV software (Fig. 12) and reports it to the server.

Fig. 12: Checking AV

Network activity

The hardcoded C&C information (Fig. 13) is extracted from the payload; the RAT splits this data on the delimiter “abccba”.

Fig. 13: C&C server information

It also collects information about the running processes, for example:

AW|BawaneH|Process Explorernj-q8
AW|BawaneH|Notepadnj-q8

The table consists of the C&C information extracted from the payload. This RAT uses “BawaneH” as a delimiter to split the server response data and performs various actions based on the received commands. A total of 59 commands were used by the server, shown in the following table:

Fig. 14: Received commands

IOCs

Md5: 0a459c18e3b8bdef87a6fb7ea860acdb
Filename: NEFTIOBAN1830369427520181030ABBIdiaLtddt30102018_pdf.exe
Download URL: tenau[.]pw/owa/neftioban1830369427520181030abbidialtddt30102018_pdf.exe
C&C: chris101.ddns.net

Sandbox Report

Fig. 15: Zscaler Sandbox report
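To make the overlay problem concrete for analysts triaging a dropped payload, here is an added Python example; it is not code from the original post and not Mjag’s or Punisher RAT’s own code. It parses a PE header, computes the file offset where the last section ends, and reports the overlay bytes that an injector which allocates SizeOfImage and maps only the headers and sections would never copy. The sample file it builds (build_sample_pe) is a constructed, hypothetical PE32 layout, the overlay string merely stands in for the C&C details the post describes, and all function names are assumptions of this example.

```python
import struct

# Added illustration of the PE overlay problem described above. Not Mjag's or
# Punisher RAT's code; the PE it builds is constructed for this example only.


def _u16(buf: bytes, off: int) -> int:
    return struct.unpack_from("<H", buf, off)[0]


def _u32(buf: bytes, off: int) -> int:
    return struct.unpack_from("<I", buf, off)[0]


def pe_layout(data: bytes) -> dict:
    """Return SizeOfImage, the file offset where the last section ends, and the
    overlay (bytes after the last section) of a PE32/PE32+ file."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    pe_off = _u32(data, 0x3C)                       # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    num_sections = _u16(data, pe_off + 6)           # COFF NumberOfSections
    opt_size = _u16(data, pe_off + 20)              # COFF SizeOfOptionalHeader
    opt_off = pe_off + 24
    magic = _u16(data, opt_off)
    if magic not in (0x10B, 0x20B):                 # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # SizeOfImage and SizeOfHeaders sit at the same offsets in PE32 and PE32+.
    size_of_image = _u32(data, opt_off + 56)
    size_of_headers = _u32(data, opt_off + 60)
    # The section table follows the optional header; each entry is 40 bytes.
    sec_off = opt_off + opt_size
    end_of_sections = size_of_headers
    for i in range(num_sections):
        entry = sec_off + i * 40
        raw_size = _u32(data, entry + 16)           # SizeOfRawData
        raw_ptr = _u32(data, entry + 20)            # PointerToRawData
        end_of_sections = max(end_of_sections, raw_ptr + raw_size)
    overlay = data[end_of_sections:]
    return {
        "size_of_image": size_of_image,
        "end_of_sections": end_of_sections,
        "overlay_len": len(overlay),
        "overlay": overlay,
    }


def build_sample_pe(overlay: bytes) -> bytes:
    """Construct a tiny PE32 file with one section and append `overlay`.
    The layout is made up for this example (hypothetical, not the Mjag sample)."""
    size_of_headers = 0x200
    section_raw = 0x200
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)         # e_lfanew: PE header at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)           # PE32 magic
    struct.pack_into("<I", opt, 56, 0x3000)         # SizeOfImage
    struct.pack_into("<I", opt, 60, size_of_headers)
    section = struct.pack("<8sIIIIIIHHI", b".text\0\0\0", 0x1000, 0x1000,
                          section_raw, size_of_headers, 0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + section)
    headers = headers.ljust(size_of_headers, b"\0")
    body = b"\xCC" * section_raw                    # placeholder section data
    return headers + body + overlay


def injection_would_drop(data: bytes) -> int:
    """Number of bytes an injector that allocates SizeOfImage and copies only
    the headers and mapped sections (as described above) never transfers."""
    return pe_layout(data)["overlay_len"]


if __name__ == "__main__":
    # Constructed overlay standing in for the C&C details the post mentions.
    sample = build_sample_pe(b"constructed-overlay-config")
    info = pe_layout(sample)
    print("SizeOfImage=0x%x end_of_sections=0x%x overlay_len=%d"
          % (info["size_of_image"], info["end_of_sections"], info["overlay_len"]))
```

A non-zero overlay_len on a payload is the signal that configuration may live outside the mapped image; that is exactly the case where a section-by-section injector loses the C&C details and the injected process crashes the way the post describes.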

AT&T to Stop Selling Location Data to Third Parties After Motherboard Investigation

On Tuesday, Motherboard revealed that T-Mobile, AT&T, and Sprint were all selling their customers’ phone location data that ultimately ended up in the hands of bounty hunters, as well as people unauthorized to handle it at all. We found this by purchasing the capability to locate a phone from the black market for just $300. In response, several senators called for the Federal Communications Commission (FCC) to investigate, and brought up the prospect of greater regulation of the telecommunications industry.

The pre-seed diligence framework

By now it’s clear that seed is the new Series A. Seed rounds have tripled in size and companies have been around for 2.4 years before they raise a seed round. A new stage called pre-seed has emerged to fill the gap.

Malware Found Preinstalled On Some Alcatel Smartphones

An anonymous reader quotes a report from ZDNet: A weather app that comes preinstalled on Alcatel smartphones contained malware that surreptitiously subscribed device owners to premium phone numbers behind their backs. The app, named “Weather Forecast-World Weather Accurate Radar,” was developed by TCL Corporation, a Chinese electronics company that among other things owns the Alcatel, BlackBerry, and Palm brands. The app is one of the default apps that TCL installs on Alcatel smartphones, but it was also made available on the Play Store for all Android users – where it had been downloaded and installed more than ten million times. But at one point last year, both the app included on some Alcatel devices and the one that was available on the Play Store were compromised with malware. How the malware was added to the app is unclear. TCL has not responded to phone calls requesting comment made by ZDNet this week. The app reportedly harvested users’ data and sent it to China. It collected geographic locations, email addresses, and IMEI codes, which it sent back to TCL.

Upstream, a UK-based mobile security firm, also found that “the malicious code hidden inside the app would also attempt to subscribe users to premium phone numbers that incurred large charges on users’ phone bills,” reports ZDNet. “All in all, the company says it detected and blocked over 27 million transaction attempts across seven markets, which would have created losses of around $1.5 million to phone owners if they hadn’t been blocked.”

Cyber Deception Today: Tony Cole – Enterprise Security Weekly #121

Tony Cole is the Chief Technology Officer at Attivo Networks and a cybersecurity expert with more than 30 years’ experience; he holds a bachelor’s degree in computer networking and is a CISSP. Tony discusses cyber deception in enterprises today and gives a brief history of deception and its applicability to cybersecurity.