Malware Devil

Thursday, July 15, 2021

Network Security News Summary for Thursday July 15th, 2021

The post Network Security News Summary for Thursday July 15th, 2021 appeared first on Malware Devil.



https://malwaredevil.com/2021/07/15/network-security-news-summary-for-thursday-july-15th-2021/?utm_source=rss&utm_medium=rss&utm_campaign=network-security-news-summary-for-thursday-july-15th-2021

Ransomware: Quis custodiet ipsos custodes

Many claim that “ransomware” is due to cybersecurity failures. It’s not really true. We are adequately protecting users and computers. The failure is in the inability of cybersecurity guardians to protect themselves. Ransomware doesn’t make the news when it only accesses the files normal users have access to. The big ransomware news events happened because ransomware elevated itself to that of an “administrator” over the network, giving it access to all files, including online backups.

Generic improvements in cybersecurity will help only a little, because they don’t specifically address this problem. Likewise, blaming ransomware on how it breached perimeter defenses (phishing, patches, password reuse) will only produce marginal improvements. Ransomware solutions need to instead focus on looking at the typical human-operated ransomware killchain, identifying how attackers typically achieve “administrator” credentials, and fixing those problems. In particular, large organizations need to redesign how they handle Windows “domains” and “segment” networks.

I read a lot of lazy op-eds on ransomware. Most of them claim that the problem is due to some sort of moral weakness (laziness, stupidity, greed, slovenliness, lust). They suggest things like “taking cybersecurity more seriously” or “do better at basic cyber hygiene”. These are “unfalsifiable” — things that nobody would disagree with, meaning they are things the speaker doesn’t really have to defend. They don’t rest upon technical authority but moral authority: anybody, regardless of technical qualifications, can have an opinion on ransomware as long as they phrase it in such terms.

Another flaw of these “unfalsifiable” solutions is that they are not measurable. There’s no standard definition for “best practices” or “basic cyber hygiene”, so there’s no way to tell if you aren’t already doing such things, or the gap you need to overcome to reach this standard. Worse, some people point to the “NIST Cybersecurity Framework” as the “basics” — but that’s a framework for all cybersecurity practices. In other words, anything short of doing everything possible is considered a failure to follow the basics.

In this post, I try to focus on specifics, while at the same time, making sure things are broadly applicable. It’s detailed enough that people will disagree with my solutions.

The thesis of this blogpost is that we are failing to protect “administrative” accounts. The big ransomware attacks happen because the hackers got administrative control over the network, usually the Windows domain admin. It’s with administrative control that they are able to cause such devastation, able to reach all the files in the network, while also being able to delete backups.

The Kaseya attacks highlight this particularly well. The company produces a product that is in turn used by “Managed Security Providers” (MSPs) to administer the security of small and medium sized businesses. Hackers found and exploited a vulnerability in the product, which gave them administrative control of over 1000 small and medium sized businesses around the world.

The underlying problems start with the way their software gives indiscriminate administrative access over computers. Then, this software was written using standard software techniques, meaning, with the standard vulnerabilities that most software has (such as “SQL injection”). It wasn’t written in a paranoid, careful way that you’d hope for software that poses this much danger.

A good analogy is airplanes. A common joke refers to the “black box” flight-recorders that survive airplane crashes, that maybe we should make the entire airplane out of that material. The reason we can’t do this is that airplanes would be too heavy to fly. The same is true of software: airplane software is written with extreme paranoia knowing that bugs can lead to airplanes falling out of the sky. You wouldn’t want to write all software to that standard, because it’d be too costly.

This analogy tells us we can’t write all software to the highest possible standard. However, we should write administrative software (like Kaseya) to this sort of standard. Anything less invites something like the massive attack we saw in the last couple weeks.

Another illustrative example is the “PrintNightmare” bug. The federal government issued a directive telling everyone under its authority (executive branch, military) to disable the Print Spooler on “domain controllers”. The issue here is that this service should never have been enabled on “domain controllers” in the first place.

Windows security works by putting all the security eggs into a single basket known as “Active Directory”, which is managed by several “Domain Controller” (AD DC) servers. Hacking a key DC gives the ransomware hacker full control over the network. Thus, we should be paranoid about protecting DCs. They should not be running any service other than those needed to fulfill their mission. The more additional services they provide, like “printing”, the larger the attack surface, the more likely they can get hacked, allowing hackers full control over the network. 

Yet, I rarely see Domain Controllers with this level of paranoid security. Instead, when an organization has a server, they load it up with lots of services, including those for managing domains. Microsoft’s advice on securing domain controllers “recommends” a more paranoid attitude, but only as one of the many other things it “recommends”.

When you look at detailed analysis of ransomware killchains, you’ll find the most frequently used technique is “domain admin account hijacking”. Once a hacker controls a desktop computer, they wait for an administrator to log in, then steal the administrator’s credentials. There are various ways this happens, the most famous being “pass-the-hash” (which itself is outdated, but a good analogy for still-current techniques). Hijacking even restricted administrator accounts can lead to elevation to unrestricted administrator privileges over the entire network.

If you had to fix only one thing in your network, it would be this specific problem.

Unfortunately, I only know how to attack this problem as a pentester; I don’t know how to defend against it. I feel that separating desktop admins and server/domain admins into separate, non-overlapping groups is the answer, but I don’t know how to achieve this in practice. I don’t have enough experience as a defender to know how to make reasonable tradeoffs.

In addition to attacking servers and accounts, ransomware attackers also target networks. Organizations focus on “perimeter security”, where the major security controls are between the public Internet and the internal organization. They also need an internal perimeter, between the organization’s network and the core servers.

There are lots of tools for doing this: VLANs, port-isolation, network segmentation, read-only Domain Controllers, and the like.

As an attacker, I see the lack of these techniques. I don’t know why defenders don’t use them more. There might be good reasons. I suspect the biggest problem is inertia: networks were designed back when these solutions were hard, and change would break things.

In summary, I see the major problem exploited by ransomware is that we don’t protect “administrators” enough. We don’t do enough to protect administrative software, servers, accounts, or network segments. When we look at ransomware, the big cases that get splashed across the news, it’s not because they compromised a single desktop, but because they got administrative control over the entire network and thus were able to encrypt everything.

Sadly, as a person experienced in attack (red-team) and exploiting these problems, I can see the problem. However, I have little experience as a defender (blue-team), and while solutions look easy in theory, I’m not sure what can be done in practice to mitigate these threats.

I do know that general hand-waving, exhorting people to “take security seriously” and perform “cyber hygiene” is the least helpful answer to the problem.

The post Ransomware: Quis custodiet ipsos custodes appeared first on Security Boulevard.

The post Ransomware: Quis custodiet ipsos custodes appeared first on Malware Devil.



https://malwaredevil.com/2021/07/15/ransomware-quis-custodiet-ipsos-custodes/?utm_source=rss&utm_medium=rss&utm_campaign=ransomware-quis-custodiet-ipsos-custodes

Wednesday, July 14, 2021

Arrests of members of Tetrade seed groups Grandoreiro and Melcoz

Spain’s Ministry of the Interior has announced the arrest of 16 individuals connected to the Grandoreiro and Melcoz (also known as Mekotio) cybercrime groups. Both are originally from Brazil and form part of the Tetrade umbrella, operating for a few years now in Latin America and Western Europe.

Grandoreiro is a banking Trojan malware family that initially started its operations in Brazil. Similarly to two other malware families, Melcoz and Javali, Grandoreiro first expanded operations to other Latin American countries and then to Western Europe. We have witnessed Grandoreiro’s campaigns since at least 2016, with the attackers regularly improving techniques, striving to stay undetected and active for longer periods of time. Based on our analysis of campaigns we have seen Grandoreiro operate as a Malware-as-a-Service (MaaS) project.

Since January 2020, our telemetry shows that Grandoreiro has attacked mostly Brazil, Mexico, Spain, Portugal, and Turkey.

On the other hand, Melcoz (also known as Mekotio) is a banking Trojan family developed by the Tetrade group which has been active since at least 2018 in Brazil, before they decided to expand overseas. We found the group attacking assets in Chile in 2018 and, more recently, in Mexico. There are also likely victims in other countries, as some of the targeted banks have international operations. Generally, the malware uses AutoIt or VBS scripts, added into MSI files, which run malicious DLLs using the DLL-Hijack technique, aiming to bypass security solutions. This malware steals passwords from browsers and from the device’s memory, providing remote access to capture internet banking access. It also includes a Bitcoin wallet stealing module.

Our telemetry confirms that since January 2020, Melcoz has been actively targeting Brazil, Chile, and Spain, among other countries.

If we compare Grandoreiro and Melcoz in terms of proliferation, it’s clear that Grandoreiro is more aggressive when targeting victims worldwide.

What can we now expect after the arrest of 16 individuals in Spain? The work carried out by the Guardia Civil of Spain in actioning these arrests is remarkable. However, since both malware families are from Brazil, the individuals arrested in Spain are just operators. In other words, the creators of Grandoreiro and Melcoz will likely remain in Brazil where they may develop new malware techniques and recruit new members in their countries of interest.

Kaspersky technologies detect both families as Trojan-Banker.Win32.Grandoreiro and Trojan-Banker.Win32.Melcoz.

We recommend that financial institutions stay vigilant and watch the threats that are part of the Tetrade umbrella closely while improving their authentication processes, boosting anti-fraud technology and threat intel data, and trying to understand and mitigate such risks. Detailed information about Tetrade with full IOCs and Yara rules and hashes of these threats is available to our Financial Threat Intel services users.

The post Arrests of members of Tetrade seed groups Grandoreiro and Melcoz appeared first on Malware Devil.



https://malwaredevil.com/2021/07/14/arrests-of-members-of-tetrade-seed-groups-grandoreiro-and-melcoz/?utm_source=rss&utm_medium=rss&utm_campaign=arrests-of-members-of-tetrade-seed-groups-grandoreiro-and-melcoz

BSidesNoVA 2021 – Clint Kehr’s & Mark Schmidt’s ‘XXE And The Cloud: The Sky IS Falling’

Our thanks to BSidesNoVA for publishing their outstanding videos on the organization’s YouTube channel.

The post BSidesNoVA 2021 – Clint Kehr’s & Mark Schmidt’s ‘XXE And The Cloud: The Sky IS Falling’ appeared first on Security Boulevard.

The post BSidesNoVA 2021 – Clint Kehr’s & Mark Schmidt’s ‘XXE And The Cloud: The Sky IS Falling’ appeared first on Malware Devil.



https://malwaredevil.com/2021/07/14/bsidesnova-2021-clint-kehrs-mark-schmidts-xxe-and-the-cloud-the-sky-is-falling/?utm_source=rss&utm_medium=rss&utm_campaign=bsidesnova-2021-clint-kehrs-mark-schmidts-xxe-and-the-cloud-the-sky-is-falling

The Joy of Tech® ‘The Commercialization Of Space!’

via the Comic Noggins of Nitrozac and Snaggy at The Joy of Tech®!

The post The Joy of Tech® ‘The Commercialization Of Space!’ appeared first on Security Boulevard.

The post The Joy of Tech® ‘The Commercialization Of Space!’ appeared first on Malware Devil.



https://malwaredevil.com/2021/07/14/the-joy-of-tech-the-commercialization-of-space/?utm_source=rss&utm_medium=rss&utm_campaign=the-joy-of-tech-the-commercialization-of-space

Linux-Focused Cryptojacking Gang Tracked to Romania

The gang is using a new brute-forcer – “Diicot brute” – to crack passwords on Linux-based machines with weak passwords.

The post Linux-Focused Cryptojacking Gang Tracked to Romania appeared first on Malware Devil.



https://malwaredevil.com/2021/07/14/linux-focused-cryptojacking-gang-tracked-to-romania/?utm_source=rss&utm_medium=rss&utm_campaign=linux-focused-cryptojacking-gang-tracked-to-romania

Apps Built Better: Why DevSecOps is Your Security Team’s Silver Bullet

Phil Richards, vice president and CSO at Ivanti, explains how organizations can design DevOps processes and systems to thwart cyberattacks.

The post Apps Built Better: Why DevSecOps is Your Security Team’s Silver Bullet appeared first on Malware Devil.



https://malwaredevil.com/2021/07/14/apps-built-better-why-devsecops-is-your-security-teams-silver-bullet/?utm_source=rss&utm_medium=rss&utm_campaign=apps-built-better-why-devsecops-is-your-security-teams-silver-bullet

Trickbot Malware Rebounds with Virtual-Desktop Espionage Module

The attackers have spruced up the ‘vncDll’ module used for spying on targets and stealing data.

The post Trickbot Malware Rebounds with Virtual-Desktop Espionage Module appeared first on Malware Devil.



https://malwaredevil.com/2021/07/14/trickbot-malware-rebounds-with-virtual-desktop-espionage-module/?utm_source=rss&utm_medium=rss&utm_campaign=trickbot-malware-rebounds-with-virtual-desktop-espionage-module

Home delivery scams get smarter – don’t get caught out

We’ve said it before, and we’ll say it again: don’t be in too much of a hurry for those home deliveries you’re expecting!

The post Home delivery scams get smarter – don’t get caught out appeared first on Malware Devil.



https://malwaredevil.com/2021/07/14/home-delivery-scams-get-smarter-dont-get-caught-out/?utm_source=rss&utm_medium=rss&utm_campaign=home-delivery-scams-get-smarter-dont-get-caught-out

BSidesNoVA 2021 – Sophia Fadli’s, Brad Schonhorst’s, Jeremiah Osburn’s And Steve Helfen’s ‘Panel: SOC Life’

Our thanks to BSidesNoVA for publishing their outstanding videos on the organization’s YouTube channel.

The post BSidesNoVA 2021 – Sophia Fadli’s, Brad Schonhorst’s, Jeremiah Osburn’s And Steve Helfen’s ‘Panel: SOC Life’ appeared first on Security Boulevard.

The post BSidesNoVA 2021 – Sophia Fadli’s, Brad Schonhorst’s, Jeremiah Osburn’s And Steve Helfen’s ‘Panel: SOC Life’ appeared first on Malware Devil.



https://malwaredevil.com/2021/07/14/bsidesnova-2021-sophia-fadlis-brad-schonhorsts-jeremiah-osburns-and-steve-helfens-panel-soc-life/?utm_source=rss&utm_medium=rss&utm_campaign=bsidesnova-2021-sophia-fadlis-brad-schonhorsts-jeremiah-osburns-and-steve-helfens-panel-soc-life

How to Win at State Privacy Whack-A-Mole

New state privacy laws are popping up with increasing speed, and no two are alike. Each has unique compliance obligations, reporting requirements, and penalties. If you have clients, customers and/or supply chain partners in multiple states, managing this expanding maze of privacy requirements will soon be very complicated. How can you cost-effectively keep pace and use privacy as a competitive edge in your business?

The post How to Win at State Privacy Whack-A-Mole appeared first on Security Boulevard.

The post How to Win at State Privacy Whack-A-Mole appeared first on Malware Devil.



https://malwaredevil.com/2021/07/14/how-to-win-at-state-privacy-whack-a-mole/?utm_source=rss&utm_medium=rss&utm_campaign=how-to-win-at-state-privacy-whack-a-mole

Effective Tools for Software Composition Analysis

Because companies are defined by their customers, we connected with IT Central Station for real user experiences with Sonatype’s Nexus Lifecycle and Nexus Firewall. Our second in the series, we first looked at benefits of data quality to Software Composition Analysis (SCA). Today, we continue with other benefits to individual developers and development teams.

The post Effective Tools for Software Composition Analysis appeared first on Security Boulevard.

The post Effective Tools for Software Composition Analysis appeared first on Malware Devil.



https://malwaredevil.com/2021/07/14/effective-tools-for-software-composition-analysis/?utm_source=rss&utm_medium=rss&utm_campaign=effective-tools-for-software-composition-analysis

The Hacker Mind Podcast: Hacking Communities

As we head to Hacker Summer Camp, how should we rebuild our infosec communities to be more inclusive and diverse? Jack Daniel offers his unique voice. As one of the founders of BSides and as a community advocate for Tenable, Jack provides guidance on how we can re-emerge successfully.

The post The Hacker Mind Podcast: Hacking Communities appeared first on Security Boulevard.

The post The Hacker Mind Podcast: Hacking Communities appeared first on Malware Devil.



https://malwaredevil.com/2021/07/14/the-hacker-mind-podcast-hacking-communities/?utm_source=rss&utm_medium=rss&utm_campaign=the-hacker-mind-podcast-hacking-communities

🔴 LIVE: Enterprise Security Weekly #234

The post 🔴 LIVE: Enterprise Security Weekly #234 appeared first on Malware Devil.



https://malwaredevil.com/2021/07/14/%f0%9f%94%b4-live-enterprise-security-weekly-234/?utm_source=rss&utm_medium=rss&utm_campaign=%25f0%259f%2594%25b4-live-enterprise-security-weekly-234

Conservative Cancel Culture: The Curious Case of Ward Churchill

An extremely thorough and eye-opening 2011 report by the AAUP exposes how extremist conservative professors manipulated political pressure to censor American voices they disagreed with: Regents and administration and some faculty of the University of Colorado at Boulder (CU) allowed an obvious political vendetta against Ward Churchill to override their honesty, deny due process, violate …

The post Conservative Cancel Culture: The Curious Case of Ward Churchill appeared first on Security Boulevard.

The post Conservative Cancel Culture: The Curious Case of Ward Churchill appeared first on Malware Devil.



https://malwaredevil.com/2021/07/14/conservative-cancel-culture-the-curious-case-of-ward-churchill/?utm_source=rss&utm_medium=rss&utm_campaign=conservative-cancel-culture-the-curious-case-of-ward-churchill

What’s next for the National Cyber Director?

By Jean Schaffer, Federal CTO, Corelight

As the first National Cyber Director begins to settle into office, private industry is very hopeful that this will be one of the turning points to solidify a true private/public partnership for raising the cybersecurity posture of the U.S. As I mentioned in my previous post, Chris Inglis is…

The post What’s next for the National Cyber Director? appeared first on Security Boulevard.

The post What’s next for the National Cyber Director? appeared first on Malware Devil.



https://malwaredevil.com/2021/07/14/whats-next-for-the-national-cyber-director/?utm_source=rss&utm_medium=rss&utm_campaign=whats-next-for-the-national-cyber-director

XStream Vulnerabilities — Detection & Mitigation

Looking at RCEs in the XStream Java Library and How you can prevent them

Introduction

XStream from ThoughtWorks is a simple library to serialize and deserialize objects in XML and JSON format. Compared to alternative XML serialization libraries such as JAXB (JSR-222) and Jackson, developers find XStream both lightweight and easier to integrate within their applications and services. This simplicity, however, comes at a price which is security. Until recently, XStream didn’t come with security features enabled by default. Attackers and security researchers have regularly found ways to exploit applications using XStream to perform Remote Command Execution (RCE), Denial-of-Service (DoS), and even blind Server-Side Request Forgery (SSRF). These could lead to data breaches, ransomware, and even bitcoin mining that we regularly read about.

The below table summarizes some recent CVEs reported against XStream since the pandemic.

https://medium.com/media/ec53ac02be070feacde3e3acc43e5db6/href

Detecting XStream CVEs

While the sheer number of CVEs and high CVSS base scores such as 9.8 are perturbing for developers and application security people alike, the reality is that most of these CVEs are merely misconfigurations that highlight insecure coding practices. The number of CVEs and the base score do not mean that these vulnerabilities can actually be exploited by an external attacker, a prioritization concept we call “Attacker Reachability”. While typical SCA tools such as the free Dependency-Track (or those that come with your git) are optimized for just detecting open-source vulnerabilities, ShiftLeft Intelligent SCA is optimized for both detecting and prioritizing vulnerabilities based on Attacker Reachability.

To detect Attacker Reachable CVEs, the process employed by ShiftLeft CORE is as follows.

1. Build a Software BoM (SBoM) using the CycloneDX standard.
2. Overlay the vulnerability information on top of the application attack surface using our open-source Code Property Graph technology.
3. Identify Attacker Reachable vulnerabilities by querying the graph database for those vulnerable packages and methods that can be reached from an attacker-controlled data flow.

By leveraging “Attacker Reachability” our platform could triage and report only those applications that are definitely exploitable due to the presence of attacker-controlled data flows. We even find applications that might include the vulnerable version of XStream but do not have a vulnerable attacker-controlled flow that performs serialization and deserialization of data.

To get started with detection, simply register for a free ShiftLeft CORE account and follow the steps to connect and scan your application via GitHub or any other CI.

Mitigation

XStream developers promptly release an update whenever a security advisory gets published. Updating the version of XStream used in your application to the latest is a good starting point; however, it is not a comprehensive solution, since each new version fixes security vulnerabilities found in the previous version. In many organizations, upgrading packages frequently may not be possible due to the additional Quality Assurance and Change Management tasks involved.

An alternative to updating packages is identifying attacker-reachable flaws and adding suitable mitigation and workarounds. ShiftLeft CORE platform really excels here. For many of the XStream CVEs, a single line shown below is often enough to mitigate the reported vulnerabilities.

// Static helper; "xstream" is the XStream instance your application deserializes with
XStream.setupDefaultSecurity(xstream);

The above snippet enables the default security allow lists and deny lists from the open-source developers, which are not enabled by default in version 1.4.x. You could also opt for a custom allowlist based on trusted types or a combination of allow and denylists.

// Signatures shown with parameter types; all are instance methods of XStream.

// Allow only the types that were reviewed and approved
xstream.allowTypes(String[]);

// If an allowlist is not possible, opt for a deny list
xstream.denyPermission(TypePermission);
xstream.denyTypesByRegExp(String[]);
xstream.denyTypesByRegExp(Pattern[]);
xstream.denyTypesByWildcard(String[]);
xstream.denyTypeHierarchy(Class);

Some example denylists suggested in the advisories are listed below:

xstream.denyTypes(new String[]{ "jdk.nashorn.internal.objects.NativeString" });
xstream.denyTypes(new Class[]{ void.class, Void.class });
xstream.denyTypes(new String[]{ "javax.imageio.ImageIO$ContainsFilter", "jdk.nashorn.internal.objects.NativeString" });
xstream.denyTypes(new Class[]{ java.lang.ProcessBuilder.class, java.beans.EventHandler.class, java.lang.ProcessBuilder.class, java.lang.Void.class, void.class });

xstream.denyTypesByRegExp(new String[]{ ".*\\.ReadAllStream\\$FileStream" });
xstream.denyTypesByRegExp(new String[]{ ".*\\$LazyIterator", "javax\\.crypto\\..*", ".*\\.ReadAllStream\\$FileStream" });
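
The allowlist approach described above, as an added example (not code from the original article, ShiftLeft, or the XStream project). It assumes XStream 1.4.x on the classpath; the `Order` class, the method names, and the sample XML strings are constructed for illustration.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.XStreamException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class XStreamAllowlistDemo {

    // Hypothetical DTO: the only application type this parser should accept.
    public static class Order {
        String id;
        int quantity;
    }

    // Start from "deny everything", then allow only reviewed types.
    static XStream hardenedParser() {
        XStream xstream = new XStream();
        xstream.addPermission(NoTypePermission.NONE);               // drop all defaults
        xstream.addPermission(NullPermission.NULL);                 // permit null values
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);  // int, Integer, ...
        xstream.allowTypes(new Class[]{ String.class, Order.class });
        xstream.alias("order", Order.class);                        // <order> maps to Order
        return xstream;
    }

    // Returns the parsed Order, or null when the document is rejected.
    static Order parseOrder(XStream xstream, String xml) {
        try {
            Object parsed = xstream.fromXML(xml);
            // An allowed type can still be the wrong root type for this
            // endpoint, so check it explicitly instead of casting blindly.
            if (!(parsed instanceof Order)) {
                System.err.println("rejected: unexpected root type "
                        + parsed.getClass().getName());
                return null;
            }
            return (Order) parsed;
        } catch (XStreamException e) {
            // Types outside the allowlist raise ForbiddenClassException,
            // a subclass of XStreamException; malformed input lands here too.
            System.err.println("rejected: " + e.getClass().getSimpleName());
            return null;
        }
    }

    public static void main(String[] args) {
        XStream xstream = hardenedParser();

        // Constructed sample inputs.
        String expected = "<order><id>A-1001</id><quantity>3</quantity></order>";
        String notAllowlisted = "<java.util.Locale>en</java.util.Locale>";
        String wrongRoot = "<string>not an order</string>";

        Order order = parseOrder(xstream, expected);
        System.out.println("expected document accepted: " + (order != null));
        System.out.println("non-allowlisted type accepted: "
                + (parseOrder(xstream, notAllowlisted) != null));
        System.out.println("wrong root type accepted: "
                + (parseOrder(xstream, wrongRoot) != null));
    }
}
```

Because the parser begins with `NoTypePermission.NONE`, a type that appears in a future advisory is refused unless someone has explicitly added it, which a denylist cannot guarantee.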

Attackers have regularly found ways to exploit applications using XStream. Manage known risk from open source code with ShiftLeft’s Intelligent Software Composition Analysis (SCA) tool. Start your free 15-day trial of ShiftLeft CORE to scan your code to see if your application is at risk from XStream vulnerabilities.

XStream Vulnerabilities — Detection & Mitigation was originally published in ShiftLeft Blog on Medium, where people are continuing the conversation by highlighting and responding to this story.

The post XStream Vulnerabilities — Detection & Mitigation appeared first on Security Boulevard.

The post XStream Vulnerabilities — Detection & Mitigation appeared first on Malware Devil.



https://malwaredevil.com/2021/07/14/xstream-vulnerabilities%e2%80%8a-%e2%80%8adetection-mitigation/?utm_source=rss&utm_medium=rss&utm_campaign=xstream-vulnerabilities%25e2%2580%258a-%25e2%2580%258adetection-mitigation

Patch Tuesday Update – July 2021

Zero-days galore and lots more… July 2021 Patch Tuesday contains fixes for 117 vulnerabilities in total, with 9 zero-days amongst them. This is across the Microsoft suite of products, by far the most in a month this year. Products impacted by this latest security update include Microsoft Office, SharePoint, Excel, Microsoft Exchange Server, Windows Defender, …

The post Patch Tuesday Update – July 2021 appeared first on Security Boulevard.

The post Patch Tuesday Update – July 2021 appeared first on Malware Devil.



https://malwaredevil.com/2021/07/14/patch-tuesday-update-july-2021/?utm_source=rss&utm_medium=rss&utm_campaign=patch-tuesday-update-july-2021

Location- and Device-agnostic Security for the Mobile Workforce

I’ve spent my entire career in technology and can still recall the time when a desktop PC was the only way to work. (Truth be told, I’m also old enough to remember dumb terminals.) I also remember my first company laptop — a beast of a thing with a monochrome display so thick it came with an integrated 2.5″ floppy drive and a battery life that made it barely usable. My first mobile phone was a Motorola Timeport, the first tri-band mobile phone that could work in Europe and North America.

The post Location- and Device-agnostic Security for the Mobile Workforce appeared first on Security Boulevard.

The post Location- and Device-agnostic Security for the Mobile Workforce appeared first on Malware Devil.



https://malwaredevil.com/2021/07/14/location-and-device-agnostic-security-for-the-mobile-workforce/?utm_source=rss&utm_medium=rss&utm_campaign=location-and-device-agnostic-security-for-the-mobile-workforce

Bad bot activity on sports betting websites rises during Euro 2020

Across Europe, the EURO 2020 tournament captivated fans over the past month, with Italy ultimately defeating England to take home the cup on July 11. As fans eagerly watched the matches, Imperva Research Labs was busy monitoring activity that wasn’t happening on the playing field — but across a range of sporting and gambling sites […]

The post Bad bot activity on sports betting websites rises during Euro 2020 appeared first on Blog.

The post Bad bot activity on sports betting websites rises during Euro 2020 appeared first on Security Boulevard.

The post Bad bot activity on sports betting websites rises during Euro 2020 appeared first on Malware Devil.



https://malwaredevil.com/2021/07/14/bad-bot-activity-on-sports-betting-websites-rises-during-euro-2020/?utm_source=rss&utm_medium=rss&utm_campaign=bad-bot-activity-on-sports-betting-websites-rises-during-euro-2020

Barbary Pirates and Russian Cybercrime

In 1801, the United States had a small Navy. Thomas Jefferson deployed almost half that Navy—three frigates and a schooner—to the Barbary C...