Gradually, then suddenly

There’s a passage in Ernest Hemingway’s novel The Sun Also Rises in which a character named Mike is asked how he went bankrupt. “Two ways,” he answers. “Gradually, then suddenly.”

The world’s southernmost security conference

When asked about his best race, Ayrton Senna replied that it was when he raced karting cars. For him it was the best because it was only for the sake of sports and free from commercial sponsoring and commercial interests. I have this same feeling about computer security conferences, because they attract people who really seek knowledge, both to receive and to share it.

Heartbreaking Emails: “Love You” Malspam, (Thu, Jan 10th)

Introduction

Malicious spam (malspam) using zipped JavaScript (.js) files as email attachments–this is a well-established tactic used by cyber criminals to distribute malware.  I’ve written diaries discussing such malspam in July 2015, September 2015, and February 2016.  I’ve run across plenty of examples since then, but I’ve focused more on Microsoft Office documents instead of .js files.  I last documented .js-based malspam in May 2018.

How Cybercriminals Are Getting Initial Access into Your System

This article covers the main techniques cybercriminals use at the initial stage of attacks against enterprise networks.

There are several dangerous phases of cyberattacks targeting the corporate segment. The first one encountered by businesses boils down to getting initial access into their systems. The malefactor's goal at this point is to deposit some malicious code onto the system and make sure it can be executed further on.

Drive-by downloads

Description: The gist of this technique is to dupe the victim into opening a website hosting various browser and plugin exploits, obfuscated frames or malicious JavaScript files that can be downloaded to the target system without the user's awareness.

How to protect yourself:
- Use up-to-date web browsers and plugins and run an antimalware solution. Microsoft recommends using Enhanced Mitigation Experience Toolkit (EMET) and Windows Defender Exploit Guard (WDEG).

Exploiting public-facing applications

Description: This method involves known glitches, bugs and vulnerabilities in applications with open network ports (SSH network services, web servers, SMB2, etc.). The top 10 web application vulnerabilities are regularly published by OWASP.

How to protect yourself:
- Use firewalls.
- Perform network segmentation with DMZ.
- Follow safe software development practices.
- Avoid issues documented by CWE and OWASP.
- Scan the network perimeter for vulnerabilities.
- Monitor logs and traffic for anomalous activity.

Hardware additions

Description: Computers, network appliances and computer accessories may come with covert hardware components tasked with providing initial access. Both open-source and commercial products may include features for stealth network connection, man-in-the-middle (MITM) attacks for encryption cracking, keystroke injection, reading kernel memory via DMA, adding a new wireless network, etc.

How to protect yourself:
- Adopt policies for network access control such as certificates for devices and the IEEE 802.1X standard.
- Restrict the use of DHCP to registered devices only.
- Block network interaction with unregistered equipment.
- Disable the addition of unknown external devices using host protection mechanisms (endpoint security agents for device monitoring).

Removable media

Description: This technique leads to the execution of rogue code via the autorun feature. To deceive the user, the attacker may modify or rename the "legit" file beforehand and then copy it onto a removable drive. The malware can also be embedded in the firmware of removable media or executed via the initial formatting tool.

How to protect yourself:
- Disable the autorun feature in Windows.
- Restrict the use of removable media at the level of your company's security policy.
- Use antivirus software.

Spear-phishing – attachments

Description: This mechanism presupposes the distribution of viruses attached to phishing emails. The email body typically contains a plausible-looking reason why the user should open the attached file.

How to protect yourself:
- Use IDS (intrusion detection system) along with an antivirus suite that scans emails for malicious attachments and removes or blocks them.
- Configure a policy to block certain formats of email attachments.
- Train your personnel how to identify and avoid phishing.

Spear-phishing – links

Description: Cybercriminals may send emails with links leading to malware.

How to protect yourself:
- Check the received emails for URLs leading to known malicious websites.
- Use IDS and antivirus software.
- Conduct phishing awareness training of your staff.

Spear-phishing via service

Description: In this case, the threat actors send booby-trapped messages via social networks, personal email accounts and other services that are beyond the company's control. They may use fake social network profiles to send job offers or similar eye-catching messages. This allows them to build trust and later ask the targeted employee about policies and software used in the enterprise and convince the victim to click malicious links and attachments. As a rule, the malefactor first establishes contact and then sends the malicious entity to the email address that the employee uses at their workplace.

How to protect yourself:
- Consider blocking access to personal email accounts, social networks, etc.
- Use application whitelisting, IDS and antivirus software.
- Set up a personnel awareness program focused on anti-phishing.

Supply chain compromise

Description: This method comes down to injecting various backdoors, exploits and other hacking instruments into software and hardware at the supply stage. The possible attack vectors are as follows:
- Manipulating software development tools and environments,
- Abusing source code repositories,
- Interfering with software update and distribution mechanisms,
- Compromising and contaminating OS images,
- Modifying legit software,
- Sale of counterfeit/modified products and
- Interception at the shipment stage.

Cybercriminals usually focus on compromising software distribution and update channels.

How to protect yourself:
- Implement SCRM (supply chain risk management) and SDLC (software development life cycle) management systems.
- Run continuous contractors' reviews.
- Strictly limit access within your supply chain.
- Use procedures to control the integrity of binary files.
- Scan distribution kits for viruses.
- Test all software and also updates prior to deployment.
- Physically examine the hardware being purchased as well as the media containing software distribution kits and support documentation for signs of forgery.

Trusted relationship

Description: Malicious agents can take advantage of organizations that may access the infrastructure of the target enterprise. Companies often use less secure practices while interacting with trusted third parties than for regular access from the outside. Trusted third parties may include IT service contractors, security vendors and infrastructure maintenance contractors. Furthermore, the accounts used by trusted parties to access the company can be hacked and leveraged for initial access.

How to protect yourself:
- Use network segmentation and isolate critical IT infrastructure components that shouldn't be widely accessible from outside the organization.
- Manage accounts and privileges used by trusted third parties.
- Check security procedures and policies of the contractors that need privileged access.
- Monitor the activity of third-party vendors and trusted individuals.

Using valid accounts

Description: Criminals can steal the credentials for a specific user's account or service account or retrieve credentials in the course of reconnaissance with the help of social engineering. Compromised credentials can then be used to get around access management systems and get access to remote systems as well as external services, such as remote desktops, VPNs and Outlook on the web, or to obtain elevated privileges in specific systems and areas of the network. If this attempt turns out successful, the perpetrators can decide not to use malware and thereby complicate detection. Also, the attackers may create new accounts to maintain access in case the other techniques fail.

How to protect yourself:
- Stay away from credential overlapping across different services and systems.
- Adopt a password policy and follow enterprise network administration guidelines to restrict the use of privileged accounts.
- Monitor domain and local accounts and their privileges to identify the ones that can allow an adversary to get wide access to the network.
- Keep track of account activity using security information and event management (SIEM) solutions.

Of course, cybercriminals need initial access into your IT infrastructure for a reason. It depends on the objectives of the compromise. If the adversary is after industrial espionage, they will steal proprietary information. In case you are confronted with an unscrupulous competitor's shenanigans, the digital raid may lead to disruption of your business and ruin your company's reputation.

One way or another, the intrusion proper is merely the first step, typically followed by a number of common stages. These include malicious code execution, establishing persistence, escalating privileges, defense evasion, credential access, lateral movement within the enterprise environment, data collection, exfiltration and finally command and control.

Since the impact stemming from initial unauthorized access can be critical, it's a good idea to focus on proactive protection mechanisms. Automated systems like WDEG, EMET, IDS, SCRM, SDLC and SIEM aren't just fancy acronyms and are certainly worth their salt, but keep in mind that the human factor is very often the weakest link in an organization's security. Therefore, security awareness training of your personnel is among the fundamentals of attack prevention.
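As an added example (not code from the article above), here is one way to implement the "block certain formats of email attachments" policy from the spear-phishing section, looking inside zip archives as well, since the malspam diary excerpted earlier on this page describes zipped .js attachments. The blocked-extension list, the function names and the sample message are assumptions constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage

# Assumed policy list for this example; adjust to your environment.
BLOCKED_EXTENSIONS = (".js", ".jse", ".vbs", ".wsf", ".hta", ".exe", ".scr")


def is_blocked(name):
    """True if the file name ends with a blocked extension (case-insensitive)."""
    return name.lower().endswith(BLOCKED_EXTENSIONS)


def policy_violations(raw_message):
    """Return (attachment, offending file) pairs for one raw message."""
    findings = []
    for part in message_from_bytes(raw_message).walk():
        filename = part.get_filename()
        if not filename:
            continue
        if is_blocked(filename):
            findings.append((filename, filename))
            continue
        payload = part.get_payload(decode=True) or b""
        # Detect archives by content, so a renamed .zip is still inspected.
        if not zipfile.is_zipfile(io.BytesIO(payload)):
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as archive:
                members = archive.namelist()
        except zipfile.BadZipFile:
            # Fail closed: an archive we cannot read is not let through.
            findings.append((filename, "<unreadable archive>"))
            continue
        findings.extend((filename, m) for m in members if is_blocked(m))
    return findings


def build_sample():
    """Constructed sample: a message with a zip attachment holding a .js file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("sample.js", "// constructed placeholder content")
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("see attachment")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="sample.zip")
    return msg.as_bytes()
```

A mail gateway hook would call `policy_violations()` on each inbound message and quarantine it when the returned list is non-empty.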

The Race to Develop the World’s Best Quantum Tech

A few days before Christmas, U.S. President Donald Trump signed a bill into law that devotes more than US $1.2 billion to a national effort dedicated to quantum information science over the next 10 years. The National Quantum Initiative Act represents a bipartisan U.S. government push to keep up with China and other countries in developing technologies such as quantum computing, quantum cryptography, and quantum communication—all of which have some potential to upset the balance of economic and military power in the world.

Senators Call on FCC To Investigate T-Mobile, AT&T, and Sprint Selling Location Data to Bounty Hunters

On Tuesday, Motherboard revealed that major American telcos T-Mobile, AT&T, and Sprint are selling customer location data of users in an unregulated market that trickles down to bounty hunters and people not authorized to handle such information. In our investigation, we purchased the real-time location of a cell phone from a bail industry source for $300, pinpointing it to a specific part of Queens, New York.

Google Search Results Listings Can Be Manipulated For Propaganda

A feature of the Google search engine lets threat actors alter search results in a way that could be used to push political propaganda, oppressive views, or promote fake news. From a report: The feature is known as the “knowledge panel” and is a box that usually appears at the right side of the search results, usually highlighting the main search result for a very specific query. For example, searching for Barack Obama would bring a box showing information from Barack Obama’s Wikipedia page, along with links to the former president’s social media profiles. But Wietze Beukema, a member of PwC’s Cyber Threat Detection & Response team, has discovered that you can hijack these knowledge panels and add them to any search query, sometimes in a way that pushes legitimate search results way down the page