Monthly Archives: March 2016

Canadian hospital under attack

26 March 2016

Reports on cyber-attacks don’t come to an end. Cyber-criminals seem to focus in particular on hospitals this year. In the case of the Norfolk General Hospital attackers modified the hospital’s homepage to serve the Teslacrypt ransomware to clueless visitors. The ransomware is delivered by drive-by download when the page is opened – you won’t even need to click on something on the page.

However, this does not mean that spear-phishing with malicious attachments is no longer modern. Cyber-criminals use a range of attack methods, and outdated application middleware on a server, which is connected to the Internet, is a worthwhile destination.

On Tuesday I got two spear phishing emails directly in my inbox. A short hack on VirusTotal showed that this were two zero days.

Two hours later, now at home, I analyzed the attachments in more details. Both attachments contained the same ransomware, but in different document formats. The attachments were now detected by 6 of 56 anti-malware systems on VirusTotal, e.g. by TrendMicro as W2KM_DRIDEX.YYSSH or by Avira as W2000M/Dldr.Agent.19573. That’s a reasonable result for classic anti-malware systems, although it means, that the anti-malware systems left the users unprotected for about 4 hours.

The VBA project with the auto-open macro was password protected. But LibreOffice writer was able to display the macros; it simply overrides the obviously weak VBA project protection functions of Microsoft Office.

W2KM_DRIDEX.YYSSH Code Sample

W2KM_DRIDEX.YYSSH Code Sample. Click to enlarge.

The auto-open macro creates a file dsfsdfsdf.vbe, submits the file to the C&C server, downloads an executable named Fuckyourself.ass and runs it. Fuckyourself.ass is detected as e.g. by Microsoft as Backdoor:Win32/Drixed, by ESET as Win32/Dridex.AA.

COMODO File Execution Message

COMODO File Execution Warning.

A next-gen endpoint protection solution would have containerized or blocked at least the critical event of executing dsfsdfsdf.vbe. An infection with Dridex would have been prevented. And this without any delay for updating malware patterns.

Happy Easter!

Is ‘Assume you have been breached’ really the best Cybersecurity Strategy?

19 March 2016

I watched webinar ‘The Best Cybersecurity Strategy: Assume You Have Been Breached’ this week. The summary in the email invitation sounded really interesting, thus I registered, and had to compromise the integrity of my computer once again. Why on earth presents SC Magazine all content in this security nightmare Flash Player?

Young-Sae Song, Vice President Marketing, Arctic Wolf, quotes the Gartner advice ‘Shift Cybersecurity Investment to Detection and Response’ of January this year:

Experts recommend more focus on detecttion

Experts recommend to shift focus on detection and response

Is this advice meant seriously? I don’t think so. The Ponemon Institute estimated in the ‘2015 Cost of Data Breach Study: Global Analysis’ the mean time to identify at 206 days with a range of 20 to 582 days (based on a sample of 350 companies). And this, despite the increasing number of SIEM installations in the past years.

CISOs are well advised to make sure, that the existing cyber defense measures, including their SIEM system, work effectively before they follow this advice.

A ray of hope is Invincea’s Advanced Attack Challenge Simulator. The simulator allows to test the effectiveness of defensive measures against a variety of adversaries. For more details, please see Anup Ghosh’s post ‘Take the Advanced Attack Challenge’. I tried to cut the number of possible defense measures as far as possible. The results are really interesting. Of course only in the context of this model?

Have a good weekend, and good luck with the simulation.

Cyber criminals use password protected archives to conceal malware

15 March 2016

Worm:Win32/Gamarue.F is an old friend. Directly attached to an email, e.g. as ‘Ihre-Rechnung.exe’, the worm is detected by 31 of 56 virus scanners now. Even if wrapped in a zip or rar archive the malware is detected by most of the antivirus scanners. From an economic point of view, it’s waste of energy to start a new campaign with Win32/Gamarue.F today.

Yesterday morning, I got 2 emails with password protected rar-archives attached. Packaged this way anti-malware scanners cannot scan the attachment because they can’t enter the password for opening the attachment, although it is stated in the email body:

Password for opening rar Attachment in email body

Password for opening the rar attachment in the email body

This is a new, so far unbreakable way of delivering malicious software. The number of false positives will go up dramatically. Users may force the mail proxy administration to relax policies. In the worst case, zero-day malware, against which we are completely defenseless, is delivered to the endpoint.

In my opinion, it is about time to start the evaluation of next generation endpoint protection systems…

Have a good day!

IRS Suspends Identity Protection Tool after Fraudulent Logins

12 March 2016

The IP PIN is an effective means to solve the identity theft problem that caused the IRS data breach in 2015. An IP PIN is not as good as a physical second factor, e.g. a FIDO security key or a grid card, but better than easy to break identity verification questions. Moreover, IP PINs are easy to rollout by mail, and the effort for implementation is moderate.

Unfortunately, sometimes they get lost and must be recovered. This means that we need a method for the unambiguous identification of a person. For this the IRS uses easy-to-guess identity verification questions. On Krebs on Security we read:

‘The problem, as Wittrock’s case made clear, is that IRS allows IP PIN recipients to retrieve their PIN via the agency’s Web site, after supplying the answers to four easy-to-guess questions from consumer credit bureau Equifax. These so-called knowledge-based authentication (KBA) or “out-of-wallet” questions focus on things such as previous address, loan amounts and dates and can be successfully enumerated with random guessing. In many cases, the answers can be found by consulting free online services, such as Zillow and Facebook.’

One could get crazy!

Dear IRS,

the White House wants YOU to #TurnOn2FA! For more details, please see the Cybersecurity National Action Plan published on 9 February 2016:

‘Empower Americans to secure their online accounts by moving beyond just passwords and adding an extra layer of security.  By judiciously combining a strong password with additional factors, such as a fingerprint or a single use code delivered in a text message, Americans can make their accounts even more secure.’

Have a good weekend.

Policies are an effective means for dealing with malware

5 March 2016

This week I was flooded with spear phishing emails in the office. Most of them dealt with late payment of invoices. In any case the attackers requested to study an attached file and to take immediate action to avoid the accrual of penalties.

Fortunately, the anti-virus scanner on the email gateway removed the payload from the attached zip files and filed the emails in the junk folder:

--------Begin Virus scanner message-----------------------------------------------
The company security policies do not allow to transfer file attachments of the specified type.
Removed attachment(s): B56d48d430000.000000000001.0004.mml; invoice_kOUEsX.js
--------End Virus scanner message-------------------------------------------------

It is important to note that the virus scanner removed the attachments because the company policy does not allow the transfer of such files with email. For the exchange of JavaScript files with a partner other secure communication channels must be used.

With this, the inherent risk of classic anti-malware systems is reduced. Unwanted attachments are removed even if they have not yet been identified by the anti-malware system.

Sending the payload in nested zip files is an often used technology to outsmart antivirus systems. Therefore, it is very important to let the antivirus system do in-depth scans on all attachments, even though many users will complain about this because in-depth scans delay the delivery of emails by some seconds. In the case an antivirus system cannot deal with nested archives just remove any content from the outer archive. Some more false positives are better than rebuilding hundreds of computers in the company network.

The malicious JavaScript attachment invoice_kOUEsX.js is identified by 33 of 55 antivirus systems on VirusTotal.com. Microsoft Defender identifies the file as TrojanDownloader:JS/Nemucod. And as always, the few relevant lines of code are hided in a mess of statements.

Have a good weekend.