Threat News Ledger

News, opinion, advice and research on computer security threats from Sophos

Get a grip.

The latest privacy glitch, which went unnoticed for over four years, may trigger yet another EU privacy probe.

A Chilean Senator has taken to Twitter with alarming news – the company running the country’s ATM network suffered a serious cyberattack.

Oklahoma’s Department of Securities (ODS) exposed 3TB of files in plain text containing sensitive data on the public internet this month.

The Apple CEO wants the FTC to set up a data-broker clearinghouse so people can see the data that companies have collected on them.

From WhatsApps that aren't meant for you to the highly promising USB-C authentication, and everything in between. It's weekly roundup time.

Here's a fascinating history of cryptography that has plenty to teach you - and you don't need a degree in mathematics to follow along!

A cybercrook is offering a giant stash of stolen emails and passwords, dubbed Collection #1 - allegedly the first of several such dumps

Android apps that want access to your call and SMS data now have to pass muster with Google's team of reviewers.

...or that they can edit the (often inaccurate) pigeon-holes Facebook likes to put us in, a study found.

Online headquarters of Kaspersky Lab security experts.

Average spam volume of 49.66% in world mail traffic in this quarter fell 2.16 p.p. in comparison with the previous reporting period, and the Antiphishing system prevented more than 107M attempts to connect users to phishing sites, which is 17M more than in the first quarter of 2018.

In the last few days, our anti-ransomware module has been detecting a new variant of malware - KeyPass ransomware. According to our information, the malware is propagated by means of fake installers that download the ransomware module.

Olympic Destroyer worm, Roaming Mantis mobile banker, Operation Parliament cyber-espionage campaign, SynAck ransomware and other notable targeted attacks and malware campaigns of Q2 2018.

In Q2 2018, attempted infections by malware designed to steal money via online access to bank accounts were logged on the computers of 215,762 users, ransomware attacks were registered on the computers of 158,921 unique users.

It’s easy to notice if you've fallen victim to an advertising partner program: the system has new apps that you didn’t install, ad pages spontaneously open in the browser, ads appear on sites where they never used to, and so on. If you notice these symptoms on your computer, 99% of the time it’s “partner stuff”.

Kaspersky Lab ICS CERT has identified a new wave of phishing emails with malicious attachments targeting primarily companies and organizations that are, in one way or another, associated with industrial production.

Recently, an interesting miner implementation appeared on Kaspersky Lab’s radar. The malware, which we dubbed PowerGhost, is capable of stealthily establishing itself in a system and spreading across large corporate networks infecting both workstations and servers.

The growing popularity of car sharing services has led some experts to predict an end to private car ownership in big cities. But information security specialists have started raising some pertinent questions: how are the users of these services protected and what potential risks do they face in the event of unauthorized access to their accounts?

In H1 2018, the average and maximum attack power fell significantly compared to H2 2017. In Q2 2018, cybercriminals continued the above-outlined trend of searching for exotic holes in UDP transport protocols. It surely won’t be long before we hear about other sophisticated methods of attack amplification.

As researchers we interesting in developmental prototypes of malware that have had limited distribution or not even occurred in the wild. We recently came across one such sample: a macOS backdoor that we named Calisto.

Read, think, share … Security is everyone's responsibility

A rogue MySQL server could be used to steal files from clients due to a design flaw in the popular an open source relational database management system (RDBMS). The flaw resides in the file transfer process between a client host and a MySQL server, it could be exploited by an attacker running a rogue MySQL server to access […] The post A flaw in MySQL could allow rogue servers to steal files from clients appeared first on Security Affairs.

The electronics firm Omron released a security update to address flaws in its CX-Supervisor product that can be exploited DoS attacks and remote code execution. CX-Supervisor allows to rapidly create human-machine interfaces (HMIs) for supervisory control and data acquisition (SCADA) systems thanks to the availability of a large number of predefined functions and libraries. The software […] The post Omron addressed multiple flaws in its CX-Supervisor product appeared first on Security Affairs.

An Iranian developer is promoting on a Telegram hacking channel the BlackRouter ransomware through a Ransomware-as-a-Service model. An Iranian developer is advertising on Telegram a Ransomware-as-a-Service called BlackRouter. The same expert advertises other malware and is believed to the author of another ransomware called Blackheart. promotes other infections such as a RAT. BlackRouter was first […] The post Iranian developer advertised BlackRouter RaaS appeared first on Security Affairs.

Unpatched critical flaw CVE-2018-15439 could be exploited by a remote, unauthenticated attacker to gain full control over the device. Cisco Small Business Switch software is affected by a critical and unpatched vulnerability (CVE-2018-15439) that could be exploited by a remote, unauthenticated attacker to gain full control over the device. Cisco Small Business Switch SOHO devices allow […] The post Unpatched Cisco critical flaw CVE-2018-15439 exposes small Business Networks to hack appeared first on Security Affairs.

Bulgaria has extradited a Russian hacker that was indicted by a US court for mounting a sophisticated hacking scheme to the United States. According to the Russian embassy in Washington, the Russian hacker Alexander Zhukov was extradited on January 18. The Russian embassy has chosen to disclose the news on the VK social network, the […] The post Russian hacker Alexander Zhukov extradited by Bulgaria to US appeared first on Security Affairs.

A new round of the weekly SecurityAffairs newsletter arrived! The best news of the week with Security Affairs. Let me inform you that my new book, “Digging in the Deep Web” is online with a special deal 20% discount Kindle Edition Paper Copy Once again thank you! TA505 Group adds new ServHelper Backdoor and FlawedGrace […] The post Security Affairs newsletter Round 197 – News of the week appeared first on Security Affairs.

Security experts attributed new malicious campaigns to the DarkHydrus APT group (aka Lazy Meerkat), threat actors used a new variant of the RogueRobin Trojan and leveraged Google Drive as an alternative C2 channel. DarkHydrus was first discovered by experts at Palo Alto Networks’ Unit 42 team in July when the group carried out attacks aimed at […] The post DarkHydrus adds Google Drive support to its RogueRobin Trojan appeared first on Security Affairs.

Cybersecurity expert Marco Ramilli has analyzed the huge trove of data, called Collection #1, that was first disclosed by Troy Hunt. Few weeks ago I wrote about “How Data Breaches Happen“, where I shared some public available “pasties” within apparently (not tested) SQLi vulnerable websites. One of the most famous data breaches in the past […] The post “Collection #1” Data Breach Analysis – Part 1 appeared first on Security Affairs.

Paying attention to cybersecurity is more important than ever in 2019. But, some companies are still unwilling to devote the necessary resources to securing their infrastructures against cyberattacks, and naive individuals think they’re immune to the tactics of cybercriminals, too. For people who still need some convincing that cybersecurity is an essential point of focus, […] The post 6 Reasons We Need to Boost Cybersecurity Focus in 2019 appeared first on Security Affairs.

A bug in Microsoft partner portal ‘exposes ‘ support requests to all partners, fortunately, no customer data was exposed. The Register in exclusive reported that Microsoft partner portal ‘exposed ‘every’ support request filed worldwide.’ Tickets submitted from all over the world were exposed to all Microsoft support partners due to the glitch. “At the moment […] The post A bug in Microsoft partner portal ‘exposes ‘ support requests to all partners appeared first on Security Affairs.

News, views, and insight from the ESET security community

If you use Twitter for Android and want your tweets to be private, you may want to play safe and review your settings The post Twitter bug may have exposed private tweets of Android users for years appeared first on WeLiveSecurity

The hacking duo is believed to have exploited a software flaw and compromised several SEC workstations with malware in order to take early peeks at financial disclosures The post Two men charged with hacking into SEC in stock-trading scheme appeared first on WeLiveSecurity

773 million email IDs, 21 million passwords exposed for anyone to see in massive data dump. A car and almost $1m on offer for Tesla Model 3 hacks. Plus some resolutions for 2019 with tips for securing your router The post Week in security with Tony Anscombe appeared first on WeLiveSecurity

The vast dossier of login details appears to have been gathered from data stolen in many breaches The post 773 million email IDs, 21 million passwords for anyone to see in massive data dump appeared first on WeLiveSecurity

As another thing to improve this year, you may want to route your focus on a device that is the nerve center of your network and, if poorly secured, the epicenter of much potential trouble The post New Year’s resolutions: Routing done right appeared first on WeLiveSecurity

The electric car maker is raising the ante in automotive security, putting one of its swanky models as a target at a hacking contest The post Car and almost $1m on offer for Tesla Model 3 hacks appeared first on WeLiveSecurity

Forget balaclavas or hoodies; these cybercriminals are hiding in plain sight The post What makes a cybercriminal? appeared first on WeLiveSecurity

In our final report from CES we take a look at smart city initiatives The post CES: Smart cities and the challenge of securing the neighborhood appeared first on WeLiveSecurity

Automotive security for cars. Do you know who your connected home is talking to? Plus some resolutions for 2019 with tips for passwords The post Week in security with Tony Anscombe appeared first on WeLiveSecurity

No 3D-printed heads or realistic masks were needed to trick even a handful of high-end handset models into unlocking their screens The post Face unlock on many Android smartphones falls for a photo appeared first on WeLiveSecurity

There’s a digital treasure trove to be had in your home so you should take steps to protect it The post CES IoT security – do you know who your home is talking to? appeared first on WeLiveSecurity

What's in store for automotive security once cars morph into mobile living rooms and working spaces? And how about transportation at large? The post CES – singularity and securing the car appeared first on WeLiveSecurity

In case there are some blank entries in your laundry list of New Year’s resolutions, we have a few tips for a bit of cybersecurity ‘soul searching’. Here’s the first batch, looking at how you can fix your good ol’ passwords. The post New Year’s resolutions: Get your passwords shipshape appeared first on WeLiveSecurity

The program with a prize pool of almost US$1 million aims to leverage the ‘power of the crowd’ in order to prevent another Heartbleed The post EU offers bug bounties on popular open source software appeared first on WeLiveSecurity

The vast trove of data was released online and disseminated via Twitter over the span of four weeks – without anybody really noticing The post Personal data of German political elite dumped online appeared first on WeLiveSecurity

What stalled the production and delivery of several major newspapers in the US on the last Saturday of 2018? The post Week in security with Tony Anscombe appeared first on WeLiveSecurity

A reflection on how acknowledging the cumulative nature of cyber-threats and understanding its implications can benefit our digital security The post What is threat cumulativity and what does it mean for digital security? appeared first on WeLiveSecurity

The message starts off with the kind of information that is apt to send shivers down the spines of many binge-watchers The post This Netflix-themed scam prompts FTC to issue warning appeared first on WeLiveSecurity

Did malware disrupt newspaper deliveries in major US cities? Here’s what’s known about the incident so far and the leading suspect: Ryuk ransomware. Plus, advice on defending your organization against such attacks. The post Ransomware vs. printing press? US newspapers face “foreign cyberattack” appeared first on WeLiveSecurity

As the curtain slowly falls on yet another eventful year in cybersecurity, let’s look back on some of the finest malware analysis by ESET researchers in 2018 The post 2018: Research highlights from ESET’s leading lights appeared first on WeLiveSecurity

An analysis of the workings of this new Emotet campaign, which has affected various countries in Latin America by taking advantage of Microsoft Office files to hide its malicious activity The post Analysis of the latest Emotet propagation campaign appeared first on WeLiveSecurity

Disposal of old tech requires thought and effort and the need to cleanse the device of any personal data is just one of the concerns The post What should you do with your old devices appeared first on WeLiveSecurity

There is still some time left to pick up some last-minute shopping before it’s too late but in the rush to do so don’t forget to do it safely The post SPARE: Five tips for a safer online shopping experience appeared first on WeLiveSecurity

The unfortunate implications of a well-intentioned change to Google Play Developer policies – and the negative impact it has on ESET’s Android app customers The post Google’s policy change reduces security, privacy and safety for 75% of users of ESET’s Android anti-theft service appeared first on WeLiveSecurity

Details are sparse about a security hole that Microsoft said is being exploited in targeted attacks The post Microsoft issues emergency fix for Internet Explorer zero-day appeared first on WeLiveSecurity

Some useful advice for staying safe while hunting for bargains in this holiday season The post Holiday online shopping special tips appeared first on WeLiveSecurity

A probe launched immediately after the discovery of the suspected incident has yet to establish the scale of the potential damage The post NASA fears hackers may have stolen employee data appeared first on WeLiveSecurity

In December 2013 news broke that Target suffered a breach that forced consumers and the cybersecurity community to question the security practices of retailers The post Target targeted: Five years on from a breach that shook the cybersecurity industry appeared first on WeLiveSecurity

With just days left in 2018, ESET experts offer their reflections in ‘Cybersecurity Trends 2019’ on themes that are set to figure prominently in the upcoming year The post Cybersecurity Trends 2019: Privacy and intrusion in the global village appeared first on WeLiveSecurity

Besides the usual suspects among the worst of passwords, a handful of notable – but similarly poor – choices make their debuts The post The most popular passwords of 2018 revealed: Are yours on the list? appeared first on WeLiveSecurity

As the threat of bogus apps continues, what can we do to protect ourselves against these fraudulent practices? The post How to protect yourself as the threat of scam apps grows appeared first on WeLiveSecurity

Android Trojan steals money from PayPal accounts, the next generation of Dark Markets, and the Google+ to shut down earlier after new bug The post Week in security with Tony Anscombe appeared first on WeLiveSecurity

An interview with ESET researchers Tomáš Gardoň and Filip Kafka on their research of a malware toolkit used in espionage against the Malaysian government The post Malaysian government targeted with mash-up espionage toolkit appeared first on WeLiveSecurity

There is no evidence that the flaw was misused during the six days it was alive, said the tech giant The post Google+ to shut earlier as new bug exposed data of 52.5 million users appeared first on WeLiveSecurity

ESET researchers discovered a new Android Trojan using a novel Accessibility-abusing technique that targets the official PayPal app, and is capable of bypassing PayPal’s two-factor authentication The post Android Trojan steals money from PayPal accounts even with 2FA on appeared first on WeLiveSecurity

The “evolution” of these markets is making cybercrime easier than ever before The post Next Generation Dark Markets? Think Amazon or eBay for criminals appeared first on WeLiveSecurity

DanaBot operators have been expanding the malware’s scope with new spam-sending capability. ESET researchers discovered a set of previously undocumented Linux malware families based on OpenSSH. Plus fitness-tracking apps use dodgy in-app payments to steal money from unaware iPhone and iPad users The post Week in security with Tony Anscombe appeared first on WeLiveSecurity

ESET research shows that DanaBot operators have been expanding the malware’s scope and possibly cooperating with another criminal group The post DanaBot evolves beyond banking Trojan with new spam-sending capability appeared first on WeLiveSecurity

ESET researchers discovered a set of previously undocumented Linux malware families based on OpenSSH. In the white paper, “The Dark Side of the ForSSHe”, they release analysis of 21 malware families to improve the prevention, detection and remediation of such threats The post The Dark Side of the ForSSHe appeared first on WeLiveSecurity

Fitness-tracking apps use dodgy in-app payments to steal money from unaware iPhone and iPad users The post Scam iOS apps promise fitness, steal money instead appeared first on WeLiveSecurity

A welcome return to the hacker conferences of yesteryear The post CyberwarCon – focusing on the impact of cyber-badness appeared first on WeLiveSecurity

Defensive steps for Marriott Starwood guests worried their personal information may have been compromised by the massive data breach The post Marriott Starwood data breach: 5 defensive steps travelers should take now appeared first on WeLiveSecurity

A recent survey carried out by ESET has revealed that Americans are worried most about cyberattacks on the financial sector, listing it above attacks against hospitals, voting systems, or energy supply companies The post Cyberattacks on financial sector worries Americans most appeared first on WeLiveSecurity

International law enforcement swoops on fake ad viewing outfit. Cyber Monday spam from Emotet. German chat site fined after GDPR data breach The post Week in security with Tony Anscombe appeared first on WeLiveSecurity

The hacking and extortion scheme took place over a 34-month period with the SamSam ransomware affecting over 200 organizations in the US and Canada The post US indicts two over SamSam ransomware attacks appeared first on WeLiveSecurity

International law enforcement swoops on fake ad viewing outfit The post 3ve – Major online ad fraud operation disrupted appeared first on WeLiveSecurity

The country’s first fine under GDPR is lower than might have been expected, however, as the company was acknowledged for its post-incident cooperation and enhanced security measures The post German chat site faces fine under GDPR after data breach appeared first on WeLiveSecurity

As we increasingly make use of our smartphones to satisfy our shopping needs, let’s shine a light on how these hubs of our digital lives can be used to shop securely, on and around a day dedicated to online deals The post Smartphone shopping: Avoid the blues on Cyber Monday appeared first on WeLiveSecurity

New watering hole attack in Southeast Asia uncovered. The latest on Sednit. Plus some tips for Black Friday shopping The post Week in security with Tony Anscombe appeared first on WeLiveSecurity

The suspect is believed to have carried out the scam on no fewer than six executives in the Bay Area, albeit ultimately with varying success The post New Yorker accused of stealing $1m from Silicon Valley executive via SIM swap appeared first on WeLiveSecurity

Protect Your Interwebs!

The US Federal Bureau of Investigation (FBI) just released a public service announcement (PSA) to the public about a large number of websites being exploited and compromised through WordPress plugin vulnerabilities: Continuous Web site defacements are being perpetrated by individuals sympathetic to the Islamic State in the Levant (ISIL) a.k.a. Islamic State of Iraq andRead More

Security Risk: Dangerous Exploitation level: Very Easy/Remote DREAD Score: 8/10 Vulnerability: Persistent XSS Patched Version:  1.4.4 During a routine audit for our Website Firewall (WAF), we discovered a dangerous Persistent XSS vulnerability affecting the very popular WP-Super-Cache plugin (more than a million active installs according to wordpress.org). The security issue, as well as another bug-fixRead More

Last year, we released a post about a malware injector found in an Adobe Flash (.SWF) file. In that post, we showed how a .SWF file is used to inject an invisible, malicious iFrame. It appears that the author of that Flash malware continued with this method of infection. Now we are seeing more varietiesRead More

Have you ever heard of the term PCI? Specifically, PCI compliance? If you have an e-commerce website, you probably have already heard about it. But do you really understand what it means for you and your online business? In this series, we will try to explain the PCI standard and how it affects you andRead More

Darkleech is a nasty malware infection that infects web servers at the root level. It use malicious Apache modules to add hidden iFrames to certain responses. It’s difficult to detect because the malware is only active when both server and site admins are not logged in, and the iFrame is only injected once a dayRead More

I joined Sucuri a little over a month ago. My job is actually as a Social Media Specialist, but we have this process where regardless of your job you have to learn what website infections look like and more importantly, how to clean them. It’s this idea that regardless of you are you must alwaysRead More

Today, with the proliferation of open-source technologies like WordPress, Joomla! and other Content Management Systems (CMS) people around the world are able to quickly establish a virtual presence with little to no cost. In the process however, a lot is being lost in terms of what it means to own a website. We are failingRead More

The last 7 days have been very busy with a number of vulnerabilities being disclosed on multiple WordPress plugins. Some of them are minor issues, some are more relevant, while others are what we’d categorize as noise. How are you supposed to make sense of all this? To help provide some clarity on the influxRead More

Trojan (or trojan horse) is software that does (or pretends to be doing) something useful but also contains a secret malicious payload that inconspicuously does something bad. In WordPress, typical trojans are plugins and themes (usually pirated) which may have backdoors, or send out spam, create doorways, inject hidden links or malware. The trojan modelRead More

Security Risk: Critical Exploitation level: Very Easy/Remote DREAD Score: 9/10 Vulnerability: Password bypass / Privilege Escalation Patched Version:  2.0.9.2 During a routine audit of our Website Firewall (WAF), we found a critical vulnerability affecting the popular MainWP Child WordPress plugin. According to worpdress.org, it is installed on more than 90,000 WordPress sites as as remote administrationRead More

Emerging threats and malware research

We’ve been tracking some more spam dropping Zepto ransomware variants. Like earlier posts, we’re seeing infected attachments with malicious macro scripts used as the entry point for the threat actor. (See images below of some recent spam samples.) As we dig deeper into our analysis, we found out that these macro scripts are not crafted […] The post Zepto Evasion Techniques appeared first on ThreatTrack Security Labs Blog.

Recently, we’ve spotted Zepto ransomware spreading through spam email containing fake invoices (see image below). These attachments contain a Macro-Enabled word document file known as Donoff, which downloads the Zepto executable that encrypts all your files and will later ask for payment of the decryption key. We decided to take a closer look on the Donoff […] The post Donoff Macro Dropping Ransomware appeared first on ThreatTrack Security Labs Blog.

ThreatTrack Labs has recently observed a surge of spam containing a zip attachment with a WSF (Windows Scripting File) to deliver Zepto ransomware. This tactic is a change from the common JavaScript and macro documents being spammed previously. Here are actual emails featuring familiar social engineering tactics: The zip attachments contain the WSF.   An Interactive […] The post Zepto Ransomware Packed into WSF Spam appeared first on ThreatTrack Security Labs Blog.

Reports of a Zero-day attack affecting numerous Office 365 users emerged late last month (hat tip to the researchers at Avanan), and the culprit was a new variant of the Cerber ransomware discovered earlier this year. As with the other Zero-day threats that have been popping-up like mushrooms of late, the main methods of infection […] The post A Look at the Cerber Office 365 Ransomware appeared first on ThreatTrack Security Labs Blog.

TeslaCrypt is yet another ransomware taking the cyber world by storm. It is mostly distributed via a spear phishing email and through the Angler exploit kit. The Angler exploits vulnerability in Adobe Flash. The Angler exploit downloads a variant of the ransomware upon success. TeslaCrypt 3.0 possesses various updates, one of which renders encrypted files […] The post A Close Look at TeslaCrypt 3.0 Ransomware appeared first on ThreatTrack Security Labs Blog.

It’s been the norm in the cybersecurity industry to be intrigued and at the same time be infuriated by the people behind any successful large-scale malware attack. Ransomware is one such example. It’s been slowly released in the wild since the early 2009, but CryptoWall redefined the meaning of ransomware and took it to the […] The post The Day the Earth Stood Still for CryptoWall appeared first on ThreatTrack Security Labs Blog.

It is one of the most prevalent spam malware in the wild today: Locky ransomware. The Locky malware authors started their campaign last year but didn’t become very active until January 2016 – and they haven’t slowed down since. Locky e-mails usually come in with an attached zip archive and once extracted may contain a […] The post Understanding the Latest Version of Locky Ransomware appeared first on ThreatTrack Security Labs Blog.

Ransomware has become an increasingly serious threat. Cryptowall, TeslasCrypt and Locky are just some of the ransomware variants that infected large numbers of victims. Petya is the newest strain and the most devious among them. Petya will not only encrypt files but it will make the system completely useless, leaving the victim no choice but […] The post A Glimpse at Petya Ransomware appeared first on ThreatTrack Security Labs Blog.

Security researchers recently discovered that the power outage in the Ukraine in December was caused by a malware and identified as an evolved version of BlackEnergy. This Trojan, dating back to 2007, was a popular malware that was previously sold in Russian underground sites. However, its design and architecture changed from performing simple HTTP DDos attacks to […] The post Breaking Down the Malware Behind the Ukraine Power Outage appeared first on ThreatTrack Security Labs Blog.

Credit: Christopher D. Del Fierro, Lead Malware Research Engineer, ThreatTrack Security We have seen Dridex since 2014 and it is still active in the wild today. This research will be focusing on analyzing Dridex and on how it is able to remain undetected by most antivirus engines. For those not familiar with Dridex, it is a malspam […] The post What’s New with Dridex appeared first on ThreatTrack Security Labs Blog.

The most recent posts from across the AlienVault blogs.

London saw a few flakes of snow drop this week, and social media nearly broke with everyone sharing photos of the white pixie dust falling from the sky. Fortunately, I have few friends, and even fewer social media platforms that I use, so was saved from most of the insanity… well, except for my daughter singing “let it snow”. The Curious Case of the Raspberry Pi in the Network Closet What would you do if you found a Raspberry Pi plugged into the network closet? Sounds like something from your worst nightmare, especially if you hadn’t commissioned any red team testing. But that’s exactly what one team found, and this is the story of how they tracked down (almost) the suspect. If Scooby Doo has taught me anything, it was the janitor! The curious case of the Raspberry Pi in the network closet | Christian Haschek Ad Company Serves Magecard Code To quote Miss IG Geek, when your supply chain is so long you don’t even know who’s got their fingers in your website, you cannot manage your risk. Yeah, go ahead, ask me to disable my ad-blocker. Compromised ad company serves Magecart skimming code to hundreds of websites | HelpNetSecurity Hunting the Con Queen of Hollywood: Who's the "Crazy Evil Genius" Behind a Global Racket? This is a story from last July, but only saw it this week, and wow. This is a masterclass in social engineering, and the work of someone who genuinely seems to enjoy tormenting her victims. Hunting the Con Queen of Hollywood: Who's the "Crazy Evil Genius" Behind a Global Racket? | Hollywood Reporter Beware Of This Scam Targeting Travel Photographers And Instagram Influencers | SLR Lounge The DDoS Attacker Rescued by a Disney Cruise Ship is Sentenced to Over 10 Years in Prison A 34-year old man has been sentenced to more than 10 years in prison, after being found guilty of launching a massive denial-of-service attack against Boston Children’s Hospital. The sentencing of Martin Gottesfeld, from Somerville, Massachusetts, comes almost three years after he attempted to escape to Cuba – a plan that failed after his speedboat broke down in the choppy sea, and he was picked up by a Disney cruise liner. The DDoS attacker rescued by a Disney cruise ship is sentenced to over 10 years in prison | Hot for Security Facebook Cybersecurity Exec Victim of Swatting Call A Facebook cybersecurity exec had his home swatted by Palo Alto police after a prank call claimed he shot his wife, tied up his kids, and placed pipe bombs around the house. A SWAT squad arrived in force at the exec's home, a two-bedroom house in Palo Alto, ordered him to step out, and quicky arrested the man as they searched the house. Officers released the exec after a few hours when they realized the call was just another swatting hoax carried out by anonymous users using untraceable phone numbers. Facebook cybersecurity exec victim of swatting call | ZDNet Software Bill of Materials (SBoM) - Does It Work for DevSecOps? Rob Graham raises some interesting points about SBoM. I used to think it was a great concept… well, I still do, but it’s more nuanced than I initially thought it to be. Software Bill of Materials (SBoM) - Does It Work for DevSecOps? | AlienVault blog Location Data is Ground Zero in Privacy Wars Our phones' GPS and location capabilities are a key part of what make them magical — enabling them to speed our commutes, hail rides and find the devices when we lose them. These capabilities are also ground zero for the looming fight over defining the boundaries of privacy and acceptable uses of our personal information. Location data is ground zero in privacy wars | Axios On the topic of phones Researcher shows how popular app ES File Explorer exposes Android device data | Tech Crunch Speaking of privacy Facebook’s 10 year challenge is just a harmless meme - right? | Wired Oklahoma Data Breach May Expose 7 years of FBI Investigations A massive data breach was discovered at the Oklahoma Securities Commission, leaving an unsecured pathway to millions of files containing decades worth of confidential case file intelligence from the agency and sensitive FBI investigation source materials to be purloined by potential black hats. Oklahoma data breach may expose 7 years of FBI investigations | Newsweek Other Stories I Hearted This Week America’s Electric Grid Has a Vulnerable Back Door—and Russia Walked Through It | WSJ Slack has a new logo | Slack (no seriously, it’s an interesting read on why a company’s brand identity sometimes needs to evolve). We need to talk about the cult of content creation | notebooks and tea       

In a post released on 1/8/19, I wrote about the record number of breaches in 2018. This brought to mind a podcast that I was listening to a few days back hosted by Corey Nachreiner, CTO of WatchGuard Technologies, Inc. on his 443 Podcast. Corey discussed the potential data deduplication problem on the Dark Web. This article will attempt to break down how this can happen and how this can cause issues not only for users of the Dark Web, but also for those whose data has been stolen and placed on the Dark Web for purchase. The breaches of 2018 were vast and widespread, affecting businesses from fast food to department stores to airlines with record amounts of data being lost. If you look at just the breaches I referenced in the previous article, total PII records counts are over one billion in the United States. In India, every citizen in the country had their data compromised with the breach of Aadhaar, the Indian biometric IT program owned and operated by the government of India. The Aadhar breach alone accounted for 1.1 Billion records lost to hackers.    Researching this, I discovered that for just the US-based hacks in the article,  Americans and foreign travelers doing business with one of the breached companies had a total of 1.3 billion records stolen. If you figure there are approximately 330 million citizens of the United States and if every person in the US was affected they would have their personally identifiable information exposed to the Dark Web approximately 4 times. While that may not seem like a lot, please consider that it would be nearly impossible for every US citizen to be breached. The US does not have a mandatory centralized identification system as the Indian government has. Then, of course, not all 330 million Americans were affected by these breaches due to lack of exposure to affected breached sites, age, and other factors. Let’s say that 150 million Americans were affected in some way - which would mean that about half of all US citizens were affected by the breaches of 2018. Let’s also assume that another 150 million citizens of other countries were affected by the breaches of 2018. That would calculate to 300 million total people affected by the breaches of 2018. With a nice round number like 300 million people being affected one could assume there would be some duplicate records. With that being said, there are probably a lot of duplicate records. The total number of records duplicated per affected person I calculate at 4.333 records. This is admittedly a pretty arbitrary number, considering some people are more active than others on the web or at a particular retailer. Some people fly frequently, while others may not fly or stay in hotels at all. But this is an estimate to work with. From the results of the 2018 breaches, it is fairly safe to say that a very large number of people globally had their PII stolen and many of those had the information stolen several times. Each time a little more and different information was stolen. Many people look at a cyber breach as a big, scary and mysterious thing. What they should be more concerned with is that their data is stolen multiple times, from different sources. A lot of information stolen is static, like social security numbers and driver’s license numbers; however, much of it is not. You can change your credit card numbers, passport numbers, addresses, and phone numbers. You can even improve your health or change it in some way that would make the stolen data inaccurate. Once you look at the statistics from the 2018 breaches and then multiply those numbers (how many?) times over the last 10 years then you will get a reasonably accurate picture of the data deduplication issue. Basic math on the scenario would be over 1 trillion PII records across the roughly 300 million people affected. Doing the math on the above assumption would calculate out to almost 4,000 records per person affected. 4,000 PII records over a 10 year timeframe per person and growing. That leaves us with a large collection of static and changeable information (that never is changed in the stolen records.) With this data, it is possible for someone with the proper data analysis skills to purchase or steal this information, feed it into a data-engine and see trends and habits. Perhaps even to the degree of being able to create an identity based on the aggregated information. Perhaps even using the information to feed Artificial Intelligence or Machine-Learning engines for predictive analysis on a single person or populations of people based on duplicated data that is considered old or expired. The aggregated information could be quite dangerous in the wrong hands. The Dark Web is indeed a scary place for this and other reasons.       

According to Investopedia, “cryptocurrency is a digital or virtual currency that uses cryptography for security.” In other words, it’s electric money that is designed to be used by online users both safely and securely. The price of digital currencies, like Bitcoin and Ripple, have been all over the place throughout the past year — mainly because it’s a volatile online market that has celebrities, bankers, and other online users all wanting a piece of the pie. While there are a number of people who are skeptical about the impact cryptocurrency will have on our future, there’s no doubt that it has sent shockwaves through just about every industry in the world. The one question, however, many users are asking is what does the future have in store for cryptocurrency? Since 2009, online currencies haven’t just shown promise; they’ve started being used for various applications as well. Nowadays, it’s hard to hold a financial conversation without discussing cryptocurrency. It’s also not uncommon to hear the subject being talked about on the news, talk show radio, and of course, social media. This just goes to tell you how far this subject has come in such a short amount of time. So, what impact will cryptocurrency have on us in 2019? Even though it’s hard to predict how much cryptocurrency will change within the coming years, we do know some changes that users should be on the lookout for this year. So, let’s take a look. Economic Growth Citizens who are born in underdeveloped countries like Ghana, Brazil, Honduras, Nigeria, and certain parts of China are all at a disadvantage because of financial reasons. Aside from jobs being scarce and hard to find, residents also have a difficult time finding a safe place to store their money. While most people would consider going to a bank, you have to remember that in underdeveloped countries, banks might not be that common. Fortunately, cryptocurrency has the power to solve some of these issues, which helps improve economic growth in smaller countries. That’s because anyone with internet access can open an account and create a cryptocurrency wallet, which provides users with the opportunity to store and transfer values safely and securely. With cryptocurrency services becoming more popular, millions of unbanked people in other countries across the globe can finally have access to banking services. Furthermore, these platforms can be accessed through mobile apps, and handheld devices, making telecommunication in the financial world that much easier. Giving Power Back to the People The arrival of cryptocurrency has had a major impact in our world today by creating a shift in power; it takes the power out of economic and political leaders’ hands and puts it in the grasp of everyday citizens. The public’s trust in banks and other financial institutions has always been in question. With economic crisis’s going on throughout the world, trust in banking institutions and government leaders is something that continues to be talked about today as these leaders start to lose more and more trust. Luckily, digital currencies can help people all over secure their money while keeping the intermediary out of the mix. Banks and government leaders can’t interfere with your digital currency. This means that transactions can be made online without the IRS watching your every move. Since banks can’t squeeze their way in your finances, you might find that your money can actually last longer. That’s because if you look closely at how banks use the money they have from customers, then you’ll know that banking leaders can sometimes gamble with their money at the customers expense. With banks being removed from the situation, however, you’re now in charge of your money and can do whatever you want with it. Upgrade in Blockchain According to Western Governors University, blockchain will continue to revolutionize how we do business online. To avoid confusion, blockchain refers to the platform, which brings cryptocurrency into play; it isn’t the tokens being used to send value and pay for things. With more transactions being made online, safer ways to pay for things, and companies being removed from the middle seat, blockchain technology may eventually become the international standard. Although blockchain and cryptocurrency are different, they do go hand-in-hand. If we didn’t have blockchains, for example, then we wouldn’t have the means for these transactions as well. From the moment cryptocurrency hit the market, it started changing the world — and with CEOs and presidents of various companies and countries talking about it, and in some cases banning it, it will only get bigger. While some people aren’t in favor of cryptocurrency, the power that everyday citizens are able to obtain over their money, along with the countless benefits of these currencies, outweigh the voices that go against them. Every day we see proof that cryptocurrency is getting stronger and slowly becoming the norm.       

There has been much discussion of a “software bill of materials” (SBoM) lately, for use when addressing security vulnerabilities. Many are curious, wanting to learn more. Googling the term gives lots of positive descriptions. This post will go negative, describing problems with the concept. Rather than cover the entire concept, I want focus on a narrow part of it, so I asked Kate Brew to write a short blurb why she’s interested in SBoMs. Her response was: “I am an Industrial Engineer by training. So when I heard of the concept of software BoM I was intrigued. Being able to quickly see all the components, open source or not, incorporated into an application appears like a valuable way to determine needed actions in the case of vulnerabilities found in a component. It seems efficient and helpful to me to have a clear view of components in an application.” Software is never built wholly from scratch these days. Instead, software is built combining components, development frameworks, libraries, operating system features, and so on. It has a “bill of materials” describing the bits that make it up every much as hardware does. When vulnerabilities happen, knowing this information can help. Good examples are the high profile Apache Struts bugs, where customers don’t know they are vulnerable because they are unaware that products they own include Struts. If only product vendors provided a list of sub-components, then customers would quickly know if they are vulnerable, and be able to act accordingly. Some claim this sort of thing already exists in narrow industries, like medical and energy. They are pushing the concept for use everywhere because it’s already being used successfully somewhere. This is a great story, but it isn’t true. Software Bill of Materials Is a Misguided Concept for DevSecOps Proponents are being deliberately vague defining exactly what should be in included in a software BoM. For hardware BoMs, you don’t list the ingredients of the circuit board, where you sourced the silica for glass fibers, or the recipe of the epoxy that binds them together. Hardware BoMs aren’t that granular because it’s not necessary. They include an indented list of components and sub-components. Hardware is basic. But when tracking software vulnerabilities, such granularity is important: you need to track every line of source code. There are four levels of details for SBoMs: Licenses Modules Patch levels Backports Most of the discussion about SBoMs is roughly at the license level. The makers of software already track this, even when they don’t disclose it to customers. Commercial products track this for legal reasons, for compliance with legal contracts they have with suppliers. Open-source products track this for practical reasons, since you often have to hunt down install the dependencies yourself in order to make open-source work -- importing open-source implicitly means importing the license. You see the artifacts of this everywhere. My parents just bought a new Subaru, which like most new cars contains a small screen for the maps and backup camera. On one of the pages on the screen I find something that lists a number of embedded components. Displaying this information is often a requirement of the license. Software Bills of Materials Aren’t That Great for Tracking Vulnerabilities SBoMs aren’t as useful as you’d think for tracking vulnerabilities, because it’s not granular enough. Take Linux, for example. The entire thing is licensed under the GPL. This hides the complexity that the kernel is around 20 million lines of code, and the GNU userland components are millions more. An SBoM saying this IoT product uses “Linux” hides a lot of the complexity of what may or may not exist in the product. A new Linux vuln is discovered at the rate of about once per week. Using the above example of tracking Struts vulns, it means you’d be diligently patching most of the devices in your organization once per week. The paragraph above says “if a vulnerability” is found. The reality is “when”, and they are found constantly. That Struts example is cherry picked to show how the SBoM-vuln process could work sometimes, but is not representative of how this process would work most of the time. The way it would work most of the time is that you’d have a team of people checking vulns every morning and pushing out the patches. Lists of Component Licenses Doesn’t Work in Software BoMs We don’t want an SBoM built from just the existing list of licenses, but something listing the subcomponents. When a subcomponent of Linux has a bug, we only want to patch the stuff using that subcomponent. For example, many IoT devices use BusyBox and uClibc instead of the GNU glibc userland code. When a glibc bug is found, you don’t to patch all the devices using uClibc instead. While there are many examples of SBoMs at the software license level, I’ve found none that successfully track things at the module/sub-component level. A good measure of this is looking at popular modules like zlib and pcre. These are used everywhere. Most large software product includes them, even Windows itself. However, they have easy licensing terms, and are buried deep in the SBoM hierarchy, as a component of a component of a component, rather than an easily identifiable piece itself, so they are rarely seen. If you pretend there is a vulnerbiltiy in zlib and track it down, you’ll find it in less than 10% of your products, when in fact, something like 80% of your products depend upon it. When people claim they are already successfully using SBoMs to track vulnerabilities, I’m not sure they really are, since I know they aren’t tracking subcomponents with sufficient granularity. Listing all the licensed modules gets you around 10 items per product, but trying to include all the subcomponents can easily balloon to thousands. Modern software is complex. The average, simple app for your phone is often the work of only a couple developers, but is megabytes in size, because of the enormous system of sub-components that make up the software. Figure - First level dependencies of the Apache web server IoT, Software Bills of Materials and Other DevSecOps Complexities And this is still only scratching the surface. By the time you get software, it’s already out of date, especially for commercial products and IoT devices, which can be years out of date. You aren’t listing just the subcomponents, but also their versions. This includes patch levels. When version 4.6 of the outdated module has a vuln, the vendor doesn’t upgrade to the latest version at 5.2 where the vuln is fixed, because that’ll introduce bugs into their product. Instead, they’ll upgrade to version 4.6.1, with just the added patch. Thus, checking whether you are vulnerable doesn’t mean checking if you have the latest version of the software, like 5.2, but whether you have the latest of the old version of the software like 4.6.1. Popular libraries like zlib are a good example. Not only do you have it everywhere throughout your enterprise, you have every version and patch level someplace as well, going back decades. When proponents claim that SBoMs exist and are being used, they don’t mean at this level of granularity. But there is still more. When a vulnerability is found, the owner of a module doesn’t go back and patch every known version. They only patch a few of the most recent versions and tell everyone else to upgrade. In recent years, “LTS” (long term support) versions of modules have become popular, where the owners of modules declare the subset of versions that they will continue to support, and for how long. In the open-source world, if the owner of a module doesn’t provide a patch for your version of the module, then you’ll have to handle it yourself. This is known as a “backport”. Usually the fix applied for a later version of the module will work cleanly for earlier versions as well, so backports are often an easy process. While there are efforts to track subcomponents, versions, and patch levels, nobody has even attempted to track backports. The problem is pretty much insurmountable. When the owner/maintainer of a project updates the software, that’s a single event that can be named and tracked. When many different people apply backports to an older version, these are all separate events, often all slightly different. Software, especially in IoT devices, has lifespans of decades. Even LTS “long term support” version rarely continue supporting software for more than 5 years. Thus, most products spend most of their lifecycle in this area where backports are a thing. When people talk about SBoMs tracking vulnerabilities, they are talking about only a small subset of products, tracking the latest versions. You can force vendors of the products to continue to support them for decades, but those vendors can’t force their suppliers of subcomponents to continue supporting them, especially open-source components. Practical DevSecOps Considerations for Software Bills of Materials But even if a magic faerie could fix these problems, then you’d simply have an overload of work, because this would tell you about a lot of vulnerabilities. Just because a module has a vulnerability doesn’t mean the entire package using the module is vulnerable. Not all users of the latest Apache Struts is vulnerable to their latest vulnerability, for example, but only those that used a specific feature of Struts. Chris Wysopal, CTO & Co-founder of VeraCode, has looked into this. They have a static analyzer for binary code that can often determine whether a software package can reach the vulnerable code in a subcomponent. They find that most of the time, a vulnerability in a subcomponent isn’t practically exploitable. In other words, a vulnerability in a module means that some users are vulnerable, but not automatically all of them, or even most. Using SBoMs to track vulnerabilities gives you two unappealing options. You can either try to patch every time there is a match, or do your own analysis to see if you are actually vulnerable and whether the patch is needed. Either way is expensive. Or, you can rely upon the vendor of to make this determination, and only apply the patches the vendor recommends. But that’s the situation were are in today without SBoMs. Example: Heartbleed. Would Software BoM Help? The OpenSSL Heartbleed bug form 2014 is a good example. Some of your stuff is still vulnerable to this. How will an SBoM help you out? Using SBoMs at the software license level won’t help you much. Since OpenSSL is often a component of a component, it’ll get missed, so the list of products using OpenSSL will be partial. Since the bug is only server side, whereas OpenSSL is most often used in clients, most of that list that you do  get will be of packages that aren’t actually vulnerable to Heartbleed. In other words, you’ll simultaneously miss needed patches while applying unneeded ones. Katie Moussouris, formerly the manager of Microsoft’s vulnerability disclosure program, describes how Microsoft, which internally tracks software modules with things like SBoMs, still took months to figure out exactly which of their products and services were vulnerable to Heartbleed. It’s not the “easy” solution people imagine. This is why I’m dubious of claims that SBoMs already exist and are being used successfully in some places. This cannot possibly be the case. I feel the situation is similar to the TSA, the airport passenger screeners. They regularly post (https://www.tsa.gov/blog/tags/year-review) about the thousands of firearms they block from getting on airplanes. The implication is that TSA screening works. But it doesn’t. Independent audits going back years show that 80% of firearms get through (https://abcnews.go.com/US/tsa-fails-tests-latest-undercover-operation-us-airports/story?id=51022188). The system is deeply flawed, and their measurement of success comes from cherry picking the type of measurement they use, such as “guns blocked” rather than “guns let through”. Conclusion: Do Software Bills of Materials Really Work in Real Life for DevSecOps Practitioners? That’s how SBoM-vuln programs are “successful”. They are in fact, missing most vulnerabilities, but it’s not a problem because other mitigations (like firewalls) block most of the attacks anyway. At the same time, a lot of the patches they do apply are unnecessary, but nobody notices when you overspend on useless security, because everyone agrees it’s your moral duty to spend a lot on security. There is so far no example of a successful SBoM program that hasn’t fudged its numbers like the TSA. Forcing companies to publish the SBoM at the license level isn’t necessarily a bad thing, since they already track the information. This will weed out those companies that have such crappy development processes that they can’t track the information. This will also weed out ethically challenged companies like Oracle that hide this information because they are in violation of software licenses (like the GPL). But it won’t tell you all the information you need for vulnerability management. SBoMs today are not nearly granular enough, and simply matching vulnerabilities still doesn’t tell you whether you are actually vulnerable.       

And we’re back into the swing of things with a proper first week on the books and plenty to talk about as to the weird and wonderful goings on in the world of security, technology and beyond. International Security of Mystery Joe Gray hasn’t really flown outside of the US other than Canada, so when presented with an opportunity to speak at conferences in Switzerland and Paris, he went about trying to find what a security professional should do when travelling internationally. The Preliminary Cybersecurity Guide To International Travel | Forbes Lesley Carhart’s blog which is referenced in Joe’s article probably has one of the most comprehensive posts on the topic The Infosec Introvert Travel Blog | tisi phone Mondelez Sues Zurich in Rest for Cyber Hack Insurance And so it begins… Mondelez, the US food company that owns the Oreo and Cadbury brands, is suing its insurance company, Zurich, for refusing to pay out on a $100m claim for damage caused by the NotPetya cyber attack. Mondelez sues Zurich in test for cyber hack insurance | FT (may require subscription) 2019 - The Year of Cloud-Based Cybersecurity Yes, it’s a prediction piece, but a rather specific one talking about how we’re seeing a rise in cloud-based security analytics and operations. 2019 will be the year of cloud-based cybersecurity analytics/operations | CSO The Cyber-Attack That Sent an Alaskan Community Back in Time They still don’t know where it came from. But when it hit, the Alaskan borough of Matanuska-Susitna was knocked for six. Malware rapidly spread across the borough’s computer networks, disrupting a bewildering array of services. Hundreds of employees found themselves locked out of their work stations. Staff at local libraries received urgent phone calls telling them to quickly turn off all the public PCs. The animal shelter lost access to data on medications required by its furry residents. The cyber-attack that sent an Alaskan community back in time | BBC Hacker History III: Professional Hardware Hacker In the mid-to-late 1980’s, following France’s 1985 bombing and sinking of the Rainbow Warrior in New Zealand, if you wanted to learn to hack and not worry about repercussions – any system related to the French Government was within scope. It was in that period that war-dialing and exploit development really took off and, in my opinion, the professional hacker was born – at least in New Zealand it was. Through 1989-1991 I had the opportunity to apply those acquired skills in meaningful ways – but those tales are best not ever written down. Hacker History III: Professional Hardware Hacker | Technical info Rush to Attribution Misses the Point During the past week, an outbreak of Ryuk ransomware that impeded newspaper printing services in the United States has garnered a lot of attention. To determine who was behind the attack many have cited past research that compares code from Ryuk with the older ransomware Hermes to link the attack to North Korea. Determining attribution was largely based on the fact that the Hermes ransomware has been used in the past by North Korean actors, and code blocks in Ryuk are similar to those in Hermes. Ryuk Ransomware Attack: Rush to Attribution Misses the Point | McAfee How a Russian Firm Helped Catch an Alleged NSA Data Thief The company’s role in exposing Harold T. Martin is a remarkable twist in an increasingly bizarre case that is believed to be the largest breach of classified material in U.S. history. It indicates that the government’s own internal monitoring systems and investigators had little to do with catching Martin, who prosecutors say took home an estimated 50 terabytes of data from the NSA and other government offices over a two-decade period, including some of the NSA’s most sophisticated and sensitive hacking tools. How a Russian firm helped catch an alleged NSA data thief | Politico You Gotta fight! For Your Right! To Repaaaair! You buy a new appliance and soon after the warranty runs out the appliance coughs and splutters in the sweet embrace of death. Maybe you can’t repair it, maybe no one else can, or won’t for a reasonable price - so you end up throwing it out and getting a new appliance. But the EU and some US states are fighting for a right to repair, of sorts, to make appliances last longer and be easier to repair. It should make for interesting developments over the coming years as more devices become smart, or cloud enabled, and repair becomes less about the hardware, and more about the software. Climate change: 'Right to repair' gathers force | BBC California becomes the 18th state to introduce right to repair bill | The Verge John Deere just swindled farmers out of their right to repair | Wired Other Stories I Lked This Week Meet ‘NoSurf,’ the Self-Help Group That Told Us to Log Off Before It Was Cool | Medium, Andrew Zaleski The Workplace of the Future Is Lonely as Hell | Medium, Deanna Pai 40% of companies are adding jobs after deploying AI, not killing them | Tech republic       

Time to look back on the top AlienVault blogs of 2018! Here we go: A North Korean Monero Cryptocurrency Miner by Chris Doman Crypto-currencies could provide a financial lifeline to a country hit hard by sanctions. Therefore it’s not surprising that universities in North Korea have shown a clear interest in cryptocurrencies. Recently the Pyongyang University of Science and Technology invited foreign experts to lecture on crypto-currencies. The Installer we’ve analysed above may be the most recent product of their endeavours.  VLAN Hopping and Mitigation by Pam This type of exploit allows an attacker to bypass any layer 2 restrictions built to divide hosts. With proper switch port configuration, an attacker would have to go through a router and any other layer 3 devices to access their target. However, many networks either have poor VLAN implementation or have misconfigurations which will allow for attackers to perform said exploit. In this article, I will go through the two primary methods of VLAN hopping, known as 'switched spoofing', and 'double tagging'. I will then discuss mitigation techniques. DNS Poisoning and How To Prevent It by Jeff Thompson  The first thing to understand about DNS 'poisoning' is that the purveyors of the Internet were very much aware of the problem. Essentially, DNS requests are "cached", or stored, into a database which can be queried in almost real-time to point names like 'hotmail.com' or 'google.com' to their appropriate IP addresses. Can you imagine having to remember a string of numbers instead of a fancy name to get to your desired WWW (or GOPHER - if that's your thing) resources? 321.652.77.133 or 266.844.11.66 or even 867.53.0.9 would be very hard to remember. [Note: I have obfuscated REAL IP addresses with very fake ones here. Always trying to stay one step ahead of the AI Armageddon. Real IP addresses end with the numerical value of '255' within each octet.]  4 SIEM Use Cases That Will Dramatically Improve Your Enterprise Security by Stephen Roe Companies both large and small must plan to protect their data. Failing to do so puts you at risk for financial trouble, legal liability, and loss of goodwill. Make sure to deploy SIEMs to prevent such misfortunes befalling your business. If you know how to put them to use, SIEMs provide value out of the box. Here’s a quick recap on how SIEMs can benefit you with a few clicks. Prevent SQL injection attacks by keeping an eye on the health of your systems. This will keep you ready if and when attacks do happen. For handling watering hole intruders, SIEMs make it easy to monitor suspicious communication hinting at an attack in progress. If you’re worried about malware infection, community-powered data makes it likely that even new malware won’t be able to infiltrate your system. Ensure auditors and regulators don’t have a reason to turn off your lights with easy, one-step compliance status monitoring. How SIEM Correlation Rules Work by Kim Crawley  The various appliances in your network should be constantly generating event logs that are fed into your SIEM system. A SIEM correlation rule tells your SIEM system which sequences of events could be indicative of anomalies which may suggest security weaknesses or cyber attack. When “x” and “y” or “x” and “y” plus “z” happens, your administrators should be notified. Here are some examples of SIEM correlation rules which illustrate this concept. Detect new DHCP servers in your network by watching for inside or outside connections which use UDP packets (“x”), have port 67 as the destination (“y”), and the destination IP address isn’t on the registered IP list (“z”). Warn administrators if five failed login attempts are tried with different usernames from the same IP to the same machine within fifteen minutes (“x”), if that event is followed by a successful login occuring from that same IP address to any machine inside the network (“y”). Satan Ransomware Spawns New Methods to Spread by Javier Ruiz  This Satan variant attempts to propagate through: JBoss CVE-2017-12149 Weblogic CVE-2017-10271 EternalBlue exploit CVE-2017-0143 Tomcat web application brute forcing YARA Rules for Finding and Analyzing in InfoSec  by Monty St. John If you work in security anywhere, you do a lot searching, analyzing, and alerting.  It’s the underpinning for almost any keyword you can use to describe the actions we take when working.  The minute any equation I’m working on comes down to “finding” or “analyzing”, I know what to reach for and put to use.  It’s YARA. The variables of the equation really don’t matter.  A quick interrogation of a file to find out about its contents?  Dig through source code to find a specific algorithm?  Determining if something is malicious or safe to whitelist?  YARA handles those use cases and plenty more.  Really, it comes down to finding things.  Finding fragments of what I’m looking for, whether I want to do so directly, by absence, via a pattern or through some form of calculus.  YARA is my go-to. New! Free Threat Hunting Service from AlienVault – OTX Endpoint Security™  by Danielle Russell OTX Endpoint Security is a free threat-scanning service in Open Threat Exchange that allows you to detect malware and other threats on your critical endpoints using OTX threat intelligence. This means that you can now harness the world’s largest open threat intelligence community to assess your endpoints against real-world attacks on demand or as new attacks appear in the wild—all. for. free. Malware Analysis using Osquery Part 1 by Javier Ruiz Tools like Sysmon and Osquery are useful in detecting anomalous behavior on endpoints. These tools give us good visibility of what’s happening on endpoints by logging multiple types of events, which we can forward to a SIEM or other correlation system for analysis. Explain PGP Encryption: An Operational Introduction by @CryptoCypher 15 Reasons to Not Use PGP: SECUSHARE published an article “15 reasons not to start using PGP”. Since I feel that they had communicated some great points regarding the risks of using PGP, I briefly summarized most of their key-points for us to consider. This information will help us understand how and why we should practice good operational security during PGP-involved communications. Misusage: a party may use PGP wrong or respond to an encrypted email in plaintext The OpenPGP Format: PGP is noticeable during packet analysis and surveillance efforts (i.e. government dragnets) Transaction Metadata: metadata reveals context and parties involved in the conversation (i.e. email address, subject line, message size, etc.) No Forward Secrecy: risk of long-term keys being compromised, it is hard and even impractical to use short-term keys Cryptography is Crackable: parties may store encrypted messages and could hypothetically start decrypting messages once technology advances enough to do so (i.e. using quantum computing for cracking RSA cryptography, encrypted messages may be collected and stored via dragnet surveillance, to be cracked in the future) Overexposure: using surveilled services and networks will draw attention to our PGP usage, especially on centralized or cloud-hosted services that participate in surveillance Discovery (Web of Trust): web of trust is publicly available information and can be analyzed for investigative/discovery purposes, and it doesn’t scale well globally PGP Conflates Non-repudiation and Authentication: if a message is signed, we only know that the sender’s private key was used to sign the message, it is possible that the sender’s key could be compromised and used by a third-party (i.e. spy, espionage). Also, by signing a message, we sacrifice any plausible deniability of writing that message Message Size Analysis: we can guess the size of messages based on encrypted length Workflow: group messaging is impractical, PGP is used for one-on-one communication Message Drafts & Message Storage: drafts of messages may be transferred or stored insecurely, in plaintext, without encryption Overhead: DNS / X.509 must work harder, thus more expensive servers and networking equipment may be required at scale Targeted Attacks Against PGP Key IDs: an adversary could generate a PGP key with a matching short-key ID or long-key ID, the shortened key ID could be used for impersonation “I’ve got nothing to hide”: people may not want to use PGP simply because “they have nothing to hide” - this is a worthy consideration, but an invalid excuse to not care about your human right to privacy Public Key Exchange: to use PGP, a public key must be shared. We must exchange public keys securely and privately in a contextually safe manner MassMiner Malware Targeting Web Servers  by Chris Doman One of the biggest malware-trends of 2018 has been the increasing variety of crypto-currency malware targeting servers. One family of mining malware, we’ve termed “MassMiner”, stands out as a worm that not only spreads itself through number of different exploits, but also brute-forces access to Microsoft SQL Servers. It surprised us how many different exploits and hacking tools it leverages in a single executable. MassMiner spreads first within the local network, before attempting to propagate across the wider internet:   North Korean Cyber-Attacks and Collateral Damage by Chris Doman WannaCry was incredibly destructive. The attackers made about $150,000 - but the total damage caused by WannaCry has been estimated in the billions of dollars. There is strong evidence linking WannaCry to a group of hackers known as ‘Lazarus’, reportedly operating out of the DPRK (North Korea). Whilst WannaCry is perhaps the most famous attack by Lazarus, it isn’t the only ‘collateral damage’ caused by the DPRK’s cyber actions. Below we disclose new details on three attacks that have spread out of control. Two likely originating from the DPRK - and one targeting the DPRK. Into 2019, look for more technical and thought leadership blogs to help the InfoSec community!        

Gartner just released their 2018 Magic Quadrant for Security Information and Event Management (SIEM), which we’re once again excited to be part of! Our inclusion in the Gartner SIEM MQ is further validation that our unique, unified approach to threat detection and response continues to resonate.  Many continue to struggle with increasingly advanced threats, expanding attack surfaces, and a growing list of compliance requirements -- all with less IT staff, time, and money. Since the beginning, AlienVault has taken a different approach to SIEM. We’ve sought to eliminate the main two barriers inherit to traditional SIEM offerings -- cost and usability. Let’s face it, when it comes to most SIEM purchases, companies are left holding the bag for a very expensive “solution,” which they now have to try and make work. That’s like buying a new car, but only getting the frame and a box of engine parts — then being told some assembly required if you actually want to drive the car (and if you’re wondering about the tires, those are extra too). AlienVault set out to change this when we launched our Unified Security Management® (USM) solution. Our goal has always been to make it as simple as possible for IT and security pros to quickly detect threats, efficiently respond to breaches, and manage compliance. This meant going beyond SIEM to deliver complete threat management, out-of-the-box -- no additional product purchases necessary, no convoluted licensing models, and no complicated integrations required. We’ve stayed true to that goal with USM Anywhere™, our SaaS platform that seamlessly combines the essential security capabilities organizations need, while removing the administrative overhead they don’t. We appreciate that Gartner calls out AlienVault USM’s straightforward implementation -- two words you rarely hear when it comes to SIEM! Our simplified approach to SIEM and threat management is further evidenced by the fact that 46 percent of our customers are detecting threats on day one! Moreover, our extensible SaaS architecture and growing “galaxy” of AlienApps allow us to rapidly deliver new features and functionality, including powerful, built-in response automation and orchestration with third-party IT and security technologies. Not only does this allow our customers to capitalize on existing investments, it saves valuable time and effort by enabling them to bring more of their security monitoring tools into USM’s single pane of glass -- without any daunting integration work! And We’re Just Getting Started . . . As we continue our evolution to AT&T Cybersecurity, we’re harnessing the power of one of the world’s largest cybersecurity operations.  “Okay, but what does this mean?” you ask.   It means we’re now delivering a unique combination of people, process, and technology to not only help you better detect and respond to threats, but also mitigate and manage ongoing risks. We’ll also continue to enrich our threat intelligence (now augmented with AT&T threat data), and improve the USM Anywhere platform, delivering new capabilities that simplify and automate your critical security processes, improve your security and compliance posture, and outpace the ever-evolving threat landscape. More to come . . .       

During the holiday season people logged on to make purchases through online retailers, like no other time of the year. While there was significant growth in many segments of society on a global scale in 2018, we also  saw a significant increase in online retail breaches where personally identifiable information was compromised at an alarming rate. With more and more people using online services for everything from ordering perishable food products to plane tickets and hotel reservations, 2018 proved to be a huge year for online/cybercriminals. Here are some facts around some of the largest and most far-reaching retail breaches of 2018: Data breaches are on the rise, and the total number of accounts breached has become ridiculously high. A report from cybersecurity firm Shape Security showed that almost 90% of the login attempts made on online retailers' websites are hackers using stolen data. Many of these breaches were caused by flaws in payment systems that were taken advantage of by hackers. Dozens of security breaches have occurred in 2018. Many of them were caused by flaws in payment systems, either online or in stores. Data breaches are on the rise for both retailers and other businesses. These data breaches are a real danger for both companies and customers and can affect the trust shoppers have in brands. According to a study by KPMG, 19% of consumers would completely stop shopping at a retailer after a breach, and 33% would take a break from shopping there for an extended period. Example Breaches Cheddar's Scratch Kitchen Darden Restaurant announced it was notified by government officials on August 16 that it had been the victim of a cyber attack. Customers who visited Darden-owned Cheddar's Scratch Kitchen between November 3, 2017, and January 2, 2018, may have had their credit-card information stolen. Darden estimates that 567,000 payment card numbers could have been compromised. Customers affected would have visited a Cheddar's location in any one of these states: Alabama, Arizona, Arkansas, Delaware, Florida, Illinois, Indiana, Iowa, Kansas, Louisiana, Maryland, Michigan, Missouri, Nebraska, New Mexico, North Carolina, Ohio, Oklahoma, Pennsylvania, South Carolina, Texas, Virginia, and Wisconsin. Macy's Macy's confirmed that some customers shopping online at Macys.com and Bloomingdales.com between April 26 and June 12 could have had their personal information and credit card details exposed to a third party. Macy's did not confirm exactly how many people were impacted. However, a spokesperson for the company said the breach was limited to a small group of people. Macy's said in a statement: "We have investigated the matter thoroughly, addressed the cause and, as a precaution, have implemented additional security measures. Macy's, Inc. will provide consumer protection services at no cost to those customers. We have contacted potentially impacted customers with more information about these services." Adidas Adidas announced in June that an "unauthorized party" said it had gained access to customer data on Adidas' US website. Currently, the company believes only customers who shopped on and purchased items from the US version of Adidas.com may have been affected by the breach. The data that is potentially at risk include customer contact information, like email addresses and physical addresses, as well as login information, like usernames and passwords. The passwords were stored with encryption, however, which would need to be unencrypted before they could be used. Adidas did not say exactly how many customers could have been affected by the breach, but an Adidas spokeswoman confirmed it is likely "a few million." Sears Sears alerted customers on April 4 of a "security incident" with an online support partner [24]7.ai that may have resulted in up to 100,000 people having their credit-card information stolen. The incident affected shoppers who bought items online from September 27, 2017, to October 12, 2017 Delta Delta used the same online support service as Sears and was also affected by the reported breach. The airline said customer payment information may have been vulnerable but did not estimate how many of its customers were affected. Best Buy Best Buy was also affected by the breach of [24]7.ai, it told customers on April 5. The retailer said only "a small fraction of our overall online customer population" was affected in the breach, which might have jeopardized payment information. Saks Fifth Avenue 5 million records breached combined with Lord & Taylor. Hudson's Bay, the parent company of Saks Fifth Ave, confirmed in April that a data breach compromised payment systems and therefore customers' credit and debit cards. Estimates of the number of affected customers have not yet been released but could number in the millions. Online customers were not affected. Lord & Taylor 5 million records breached combined with Saks. Hudson's Bay also owns Lord & Taylor, and those stores were also affected by the breach. Panera Bread 37 million records breached. Panera Bread confirmed on April 2 that it was notified of a data leak on its website. At the time, it said personal information, including names, addresses, and partial credit card numbers may have leaked, though the company says the investigation is ongoing. Forever 21 Forever 21 alerted its customers in November that some of their information may have been stolen. A flaw in the store's cashier terminals may have inadvertently exposed data like credit card numbers, expiration dates, and internal verification codes to hackers. Customers who shopped in stores from March through October 2017 are vulnerable. PumpUp 6 million records breached. On May 31, ZDNet reported that they had been contacted by security researcher Oliver Hough in regards to a backend server he had found exposed to the Internet with no password to protect it. The server belonged to the fitness app PumpUp, and it gave anyone who came across it access to a host of sensitive customer data including user-entered health information, photos, and private messages sent between users. The exposed data also contained Facebook access tokens and, in some cases, unencrypted credit card data including card numbers, expiry dates, and card verification values. When ZDNet reached out to PumpUp, the company did not issue a response, but it did quietly secure the server. It is unknown how long the asset had been sitting exposed. Sacramento Bee 19.5 million records breached. In February, an anonymous attacker seized two databases owned and operated by The Sacramento Bee, a daily newspaper published in Sacramento, California. One of those IT assets contained California voter registration data provided by California’s Secretary of State, while the other stored contact information for subscribers to the newspaper. Upon hijacking those resources, the attacker demanded a ransom fee in exchange for regaining access to the data. The newspaper refused and deleted the databases to prevent additional attacks from leveraging them in the future. According to The Sacramento Bee, the hack exposed 53,000 subscribers’ information along with the personal data of 19.4 million California voters. Ticketfly 27 million records breached. On May 31, Ticketfly suffered an attack that resulted in the concert and sporting-event ticketing website being vandalized, taken down, and disrupted for a week. The hacker behind the attack had reportedly warned Ticketfly of a vulnerability and demanded a ransom to fix it. When the company refused, the hacker hijacked the Ticketfly website, replaced its homepage, and made off with a large directory of customer and employee data, including names, addresses, email addresses, and phone numbers for 27 million Ticketfly accounts.  Panera Bread 37 million records breached. Panera Bread took its website temporarily offline following the publication of Krebs’ report. Despite the company initially downplaying the severity of the breach and indicating fewer than 10,000 customers had been affected, the true number is believed to be as high as 37 million. British Airways 380,000 records breached On 6 September, British Airways informed its customers that details from around 380,000 booking transactions had been stolen, including bank card numbers, expiry dates, and CVV codes. It took the firm just one day to announce it had been hit by a cyber-attack between 21 August and 5 September. “The credit card skimming campaign launched against hundreds of thousands of British Airways customers stood out due to its large scope and the effectiveness of the tactic employed: the modification of JavaScript code on BA’s website to effectively steal payment data while avoiding detection,” says Yonathan Klijnsma, head threat researcher at RiskIQ.  “By inserting just 22 lines of code, Magecart Group 6 was able to extract information entered into the airline’s online payment forms without disrupting the payment flow.” Ticketmaster 40,000 records breached When the personal data of 40,000 Ticketmaster customers was stolen by hackers, it emerged that a third-party supplier was involved. The company, Inbenta Technologies, which operates a chatbot on the Ticketmaster site, customized its product by modifying a line of JavaScript code. “Just one month after GDPR came into full effect, Ticketmaster announced 40,000 customers’ data was accessed due to a malicious hack on a third party solution,” says Guy Bunker, SVP of Products, Clearswift. The Giants of the List Facebook At least 87 million records breached (though likely many more). Who can forget the data scandal that rocked Facebook in March 2018? At that time, reports emerged of how a political data firm called Cambridge Analytica collected the personal information of 50 million Facebook users via an app that scraped details about people’s personalities, social networks, and engagement on the platform. Despite Cambridge Analytica's claim that it only had information on 30 million users, Facebook determined the original estimate was in fact low. In April, the company notified 87 million members of its platform that their data had been shared. Unfortunately, with Facebook apps facing more scrutiny, it appears the Cambridge Analytica scandal may just be the tip of the iceberg. On June 27, security researcher Inti De Ceukelaire disclosed another app called Nametests.com had publicly exposed information of more than 120 million users. MyHeritage 92 million records breached A security researcher reached out to the Chief Information Security Officer of online genealogy platform MyHeritage on June 4 and revealed they had found a file labeled “MyHeritage” on a private server outside the company. Upon inspection of the file, officials at MyHeritage determined that the asset contained the email addresses of all users who had signed up with MyHeritage prior to October 26, 2017. According to a statement published by the company, it also contained their hashed passwords but not payment information, as MyHeritage relies on third-party service providers to process members’ payments. The service also stores family tree and DNA data on servers separate from those that store email addresses, but MyHeritage said there was no reason to believe that information had been exposed or compromised.  Quora 100,000,000 records breached. In December, Quora suffered a massive breach of user data. The intrusion, discovered on November 30, included up to 100 million users’ names, email addresses, IP addresses, user IDs, encrypted passwords, user account settings, personalization data, public actions and content such as questions, answers, comments, blog posts, and upvotes. “The breadth and potential value of the data compromised, like encrypted passwords and social media data, was notable,” says Andrew Tsonchev, director of technology, Darktrace Industrial. Under Armour's MyFitnessPal app 150 million records breached While Under Armour's store systems or online store wasn't affected, the retailer confirmed in March that data from its MyFitnessPal app was accessed by an "unauthorized party." Payment information was not released, but Under Armour says usernames, emails, and encrypted passwords were affected. More than 150 million people's information was likely compromised. Exactis 340 million records breached. Security researcher Vinny Troia discovered in June 2018 that Exactis, a marketing and data aggregation firm based in Florida, left a database exposed on a publicly accessible server. The database contained two terabytes of information that included the personal details of hundreds of millions of Americans and businesses. As of this writing, Exactis has not confirmed the exact number of people affected by the breach, but Troia said he was able to find close to 340 million individual records. He also confirmed to Wired that the incident exposed affected consumers’ email addresses, physical addresses, phone numbers, and a host of other personal information, in some cases including extremely sensitive details like the names and genders of their children. Marriott 500,000,000 records breached At the end of November, hotel group Marriott admitted it had suffered a massive data breach affecting the records of up to 500 million customers. The firm revealed its Starwood division’s guest reservation database had been compromised by an unauthorized party. Information accessed included payment information, names, mailing addresses, phone numbers, email addresses, and passport numbers. “Regardless of who the finger is being pointed at, it’s clear this stealthy attack meant the perpetrator had unrestricted access, across multiple IT systems for a very long time," says Glasswall’s Henderson. "Presumably with many elevated privileged accounts compromised, the attackers were clear to traverse customer data held in different locations and likely cleared their tracks as they went.” Aadhaar 1.1 billion records breached. In January, reporters with the Tribune News Service paid 500 rupees for login credentials to a service being offered by anonymous sellers over WhatsApp. Using the service, the reporters could enter any Aadhaar number, a 12-digit unique identifier assigned to every Indian citizen. Doing so would retrieve numerous types of information on the queried citizen stored by UIDAI (Unique Identification Authority of India). Those bits of data included name, address, photo, phone number, and email address. An additional payment of 300 rupees to the sellers yielded access to software through which anyone could print an ID card for any Aadhaar number.  The data breach is believed to have compromised the personal information of all 1.1 billion citizens registered in India.  A Troubling First Half of the Year The number of records compromised in Q1 and Q2 2018 has already surpassed the total number of breached records for all of 2017, as identified in Identity Theft Resource Center's (ITRC) 2017 Data Breach Industry Summary report.  For context, the list of breaches provided in this article is far from comprehensive. There were plenty of additional data breaches that took place in the first half of 2018, which means the number of compromised records could actually be much higher. Only time will tell whether this is actually the case. In Conclusion The cyber threat landscape is ever changing and while technological innovation is growing at the speed of light. The abilities of cybercriminals to take advantage of those new innovations is just as broad. Cybercriminals have an advantage of not having to “play by the rules” which makes things more difficult for those who try to protect business and society from those who wish to do criminal things. Other things to account for is the passion with which cyber-criminal operate, having not only a knack for what they do but almost a savant-like nature in their activities. Whether the attack comes from a single criminal or a group of hackers, it is evident that business and society as a whole will have to endure these issues for the indefinite future. Most corporate security teams work diligently to prevent attacks such as those mentioned in this article, however, many lack funding and support from the executives. Security is often put on the back burner as an expense that can be avoided until it is needed. In fact, this could not be further from the truth. Creating a cyber-threat and action plan is essential to keeping corporations and society, as a whole, safe. Until executives at the heights of power can be convinced of the importance of creating a secure environment, the scourge of cybercriminals will continue to run rampant and grow organized crime across every aspect of the global economy. References https://www.businessinsider.com/data-breaches-2018-4 https://blog.barkly.com/biggest-data-breaches-2018-so-far https://www.forbes.com/sites/kateoflahertyuk/2018/12/19/breaking-down-five-2018-breaches-and-what-they-mean-for-security-in-2019/#16a37e4141c4 https://www.alienvault.com/blogs/security-essentials/whats-the-difference-between-a-data-breach-and-a-security-incident       

In the previous blog in this four-part blog series, we discussed AWS IAM and how it can be compromised to allow for data exfiltration. In this blog we will drill into data exfiltration. One of the more common issues reported on lately involves EC2 instances running data storage services like Elasticsearch and MongoDB, which by default don't have any credential requirements to interact with the data store. And if you don't get your security groups set up properly you can inadvertently expose, for example, the Elasticsearch port (9200) out to the Internet. If that happens, you can bet that somebody is going to find it and dump its entire data set. Here’s a common scenario we’ve seen in AWS: A web application is capturing user details and analytics.  The developers want to capture that data in a metrics-friendly repository (in addition to the database that the application uses) so they spin an EC2 instance, install Elasticsearch and start dropping data in it that is useful for analytics tracking.  It’s probably not sensitive data so they’re not too worried about locking it down and for convenience, the backend Elasticsearch port is exposed to the Internet. As the analytics requirements evolve along with the application, more and more data ends up in the completely exposed data store.  Then a bad guy does a port scan and finds it sitting there, ripe for the picking. It's become so common that adversaries have gone through the trouble of creating ransomware that fully hijacks the data store and encrypts the data within it. Here are some examples: Data Exfiltration: Risks Marketing Firm Exactis Leaked a Personal Info Database with 340 Million Records  - WIRED Sales Engagement Startup Apollo Says its Massive Contacts Database was Stolen in a Data Breach - TechCrunch Veeam Server Lapse Leaks Over 440 million Email Addresses - TechCrunch Ransomware Online databases dropping like flies, with >10k falling to ransomware groups -  Ars Technica With a public vulnerability search tool such as Shodan, you can do a search for publicly exposed Elasticsearch databases and it’ll give you a big list. It's not difficult to find systems that have been exposed this way and attackers are finding them pretty quickly. Application Abuse The other way that data exfiltration takes place is through an application vulnerability, but this isn't AWS-specific. There are common application vulnerabilities that some attackers are very adept at discovering. A crafty attacker will bang on a web application long enough to find a vulnerability that they can use to exfiltrate data from the system.  This technique is very effective because most web applications need access to some degree of sensitive data in order to be of any use. https://www.nytimes.com/2018/09/28/technology/facebook-hack-data-breach.html I highlight this because AWS actually has some resources and utilities you can use to try to help prevent this sort of thing, which we’ll get into in another blog, but, before we go there, the next part of this blog series will offer some insights on how to monitor IAM in AWS.       

Welcome to 2019! I hope that you had a well-deserved break over the holidays, and a special shout out to all the people that carried on pulling shifts in the SOC, were on-call, and helped ensure stuff stayed as secure as possible while the rest of us were eating and sleeping too much! I’ve said it before, and I’ll say it again, that you are the real backbone of the security industry, and although you may never go to conferences, or be heard on a podcast, or put your name to a blog - you go about your job keeping things as secure as possible. We’re only half a week into the new year and the security world hasn’t slowed down in the slightest, so let’s just get down to what’s been going on these last few days, and catch up with some of the excitement that I missed while I was busy consuming mince pies. Victorian Government Employees Details Stolen We didn’t even make it a day into the new year without news of a data breach where thousands of records were stolen. Sure, it’s small compared to the millions of records we’re getting accustomed to reading about, but it’s significant nonetheless. It’s like data breaches have become an olympic level sport with everyone racing to be first. The work details of 30,000 Victorian public servants have been stolen in a data breach, after part of the Victorian Government directory was downloaded by an unknown party. The list is available to government employees and contains work emails, job titles and work phone numbers. Employees affected by the breach were told in an email their mobile phone numbers may have also been accessed if they had been entered into the directory. Data breach sees Victorian Government employees' details stolen | ABC New Town of Salem Breach Affects 7 Million Accounts Getting up to the kind of breach numbers we’re all more used to, The Town of Salem (video game) was hit with a massive data breach last week that exposed the information on more than 7 million users. The breach was discovered by the cybersecurity research Dehashed on December 28 when he received an anonymous email that indicated someone had gained access to the game’s database. Town of Salem is a role-playing game operated by BlankMediaGames. Town of Salem breach affects 7 million accounts | SC Magazine Promote Your Scams In the battle for advertising revenue supremacy, social media giants have automated their whole process and seem to have forgotten to include any basic checks for, you know, looking for obvious scams. Like this little gem whereby an obvious PayPal phishing scam was sent as a promoted tweet. And we think we’re going to clean up fake news. Twitter let someone promote an obvious PayPal phishing scam | The Next Web Subscribe to PewDiePie! At this point, I am have conflicting opinions on the world's most-subscribed to YouTuber PewDiePie aka Felix Kjellberg. He either has the most dedicated fans (well fan who goes by the name of TheHackerGiraffe) on the planet, who go around trying to find creative and innovative ways to promote his channel. Or he has hired a bunch of hackers who operate under the name The HackerGiraffe) to try and find ways to promote him. Or subscribe to PewDiePie has become the equivalent of popping calc.exe on a box. Anyway, 2019 has brought about a new campaign that targets Chromecast adapters, Smart TV’s, and Google Home in order to play a YouTube video to promote PewDiePie’s channel. Hacker Streaming PewDiePie Videos on Exposed Chromecast Devices | Bleeping Computer Vulnerability Disclosure Economics EU’s cybersecurity agency ENISA has delved into the problematics of vulnerability disclosure and has released a report that addresses economic factors, incentives and motivations that influence the behaviour of the various vulnerability disclosure actors, as well as two case studies of recently disclosed high-profile vulnerabilities (Meltdown, Spectre, EternalBlue) that illustrate how the process occurs. Economics of Vulnerability Disclosure | ENISA Why are some vulnerabilities disclosed responsibly while others are not? | HelpNetSecurity OWASP IoT Top 10 OWASP released it’s IoT top 10 just before the year ended and is a solid list which is simple and usable. OWASP IoT Top 10 | OWASP Other Articles I Found Interesting Why it’s hard to escape Amazon’s long reach | Wired Amazon and Facebook Reportedly Had a Secret Data-Sharing Agreement, and It Explains So Much | Gizmodo The Cybersecurity Stories We Were Jealous of in 2018 | Motherboard       

table, th, td { border: 1px solid black; Posted by Lukasz Siewierski, Android Security & Privacy TeamGoogle Play Protect detects Potentially Harmful Applications (PHAs) which Google Play Protect defines as any mobile app that poses a potential security risk to users or to user data—commonly referred to as "malware." in a variety of ways, such as static analysis, dynamic analysis, and machine learning. While our systems are great at automatically detecting and protecting against PHAs, we believe the best security comes from the combination of automated scanning and skilled human review. With this blog series we will be sharing our research analysis with the research and broader security community, starting with the PHA family, Zen. Zen uses root permissions on a device to automatically enable a service that creates fake Google accounts. These accounts are created by abusing accessibility services. Zen apps gain access to root permissions from a rooting trojan in its infection chain. In this blog post, we do not differentiate between the rooting component and the component that abuses root: we refer to them interchangeably as Zen. We also describe apps that we think are coming from the same author or a group of authors. All of the PHAs that are mentioned in this blog post were detected and removed by Google Play Protect. BackgroundUncovering PHAs takes a lot of detective work and unraveling the mystery of how they're possibly connected to other apps takes even more. PHA authors usually try to hide their tracks, so attribution is difficult. Sometimes, we can attribute different apps to the same author based on a small, unique pieces of evidence that suggest similarity, such as a repetition of an exceptionally rare code snippet, asset, or a particular string in the debug logs. Every once in a while, authors leave behind a trace that allows us to attribute not only similar apps, but also multiple different PHA families to the same group or person. However, the actual timeline of the creation of different variants is unclear. In April 2013, we saw the first sample, which made heavy use of dynamic code loading (i.e., fetching executable code from remote sources after the initial app is installed). Dynamic code loading makes it impossible to state what kind of PHA it was. This sample displayed ads from various sources. More recent variants blend rooting capabilities and click fraud. As rooting exploits on Android become less prevalent and lucrative, PHA authors adapt their abuse or monetization strategy to focus on tactics like click fraud. This post doesn't follow the chronological evolution of Zen, but instead covers relevant samples from least to most complex. Apps with a custom-made advertisement SDKThe simplest PHA from the author's portfolio used a specially crafted advertisement SDK to create a proxy for all ads-related network traffic. By proxying all requests through a custom server, the real source of ads is opaque. This example shows one possible implementation of this technique. This approach allows the authors to combine ads from third-party advertising networks with ads they created for their own apps. It may even allow them to sell ad space directly to application developers. The advertisement SDK also collects statistics about clicks and impressions to make it easier to track revenue. Selling the ad traffic directly or displaying ads from other sources in a very large volume can provide direct profit to the app author from the advertisers. We have seen two types of apps that use this custom-made SDK. The first are games of very low quality that mimic the experience of popular mobile games. While the counterfeit games claim to provide similar functionality to the popular apps, they are simply used to display ads through a custom advertisement SDK. The second type of apps reveals an evolution in the author's tactics. Instead of implementing very basic gameplay, the authors pirated and repackaged the original game in their app and bundled with it their advertisement SDK. The only noticeable difference is the game has more ads, including ads on the very first screen. In all cases, the ads are used to convince users to install other apps from different developer accounts, but written by the same group. Those apps use the same techniques to monetize their actions. Click fraud appsThe authors' tactics evolved from advertisement spam to real PHA (Click Fraud). Click fraud PHAs simulate user clicks on ads instead of simply displaying ads and waiting for users to click them. This allows the PHA authors to monetize their apps more effectively than through regular advertising. This behavior negatively impacts advertisement networks and their clients because advertising budget is spent without acquiring real customers, and impacts user experience by consuming their data plan resources. The click fraud PHA requests a URL to the advertising network directly instead of proxying it through an additional SDK. The command & control server (C&C server) returns the URL to click along with a very long list of additional parameters in JSON format. After rendering the ad on the screen, the app tries to identify the part of the advertisement website to click. If that part is found, the app loads Javascript snippets from the JSON parameters to click a button or other HTML element, simulating a real user click. Because a user interacting with an ad often leads to a higher chance of the user purchasing something, ad networks often "pay per click" to developers who host their ads. Therefore, by simulating fraudulent clicks, these developers are making money without requiring a user to click on an advertisement. This example code shows a JSON reply returned by the C&C server. It has been shortened for brevity. { "data": [{ "id": "107", "url": "<ayud_url>", "click_type": "2", "keywords_js": [{ "keyword": "<a class=\"show_hide btnnext\"", "js": "javascript:window:document.getElementsByClassName(\"show_hide btnnext\")[0].click();", { "keyword": "value=\"Subscribe\" id=\"sub-click\"", "js": "javascript:window:document.getElementById(\"sub-click\").click();"Based on this JSON reply, the app looks for an HTML snippet that corresponds to the active element (show_hide btnnext) and, if found, the Javascript snippet tries to perform a click() method on it. Rooting trojansThe Zen authors have also created a rooting trojan. Using a publicly available rooting framework, the PHA attempts to root devices and gain persistence on them by reinstalling itself on the system partition of rooted device. Installing apps on the system partition makes it harder for the user to remove the app. This technique only works for unpatched devices running Android 4.3 or lower. Devices running Android 4.4 and higher are protected by Verified Boot. Zen's rooting trojan apps target a specific device model with a very specific system image. After achieving root access the app tries to replace the framework.jar file on the system partition. Replicating framework.jar allows the app to intercept and modify the behavior of the Android standard API. In particular, these apps try to add an additional method called statistics() into the Activity class. When inserted, this method runs every time any Activity object in any Android app is created. This happens all the time in regular Android apps, as Activity is one of the fundamental Android UI elements. The only purpose of this method is to connect to the C&C server. The Zen trojanAfter achieving persistence, the trojan downloads additional payloads, including another trojan called Zen. Zen requires root to work correctly on the Android operating system. The Zen trojan uses its root privileges to turn on accessibility service (a service used to allow Android users with disabilities to use their devices) for itself by writing to a system-wide setting value enabled_accessibility_services. Zen doesn't even check for the root privilege: it just assumes it has it. This leads us to believe that Zen is just part of a larger infection chain. The trojan implements three accessibility services directed at different Android API levels and uses these accessibility services, chosen by checking the operating system version, to create new Google accounts. This is done by opening the Google account creation process and parsing the current view. The app then clicks the appropriate buttons, scrollbars, and other UI elements to go through account sign-up without user intervention. During the account sign-up process, Google may flag the account creation attempt as suspicious and prompt the app to solve a CAPTCHA. To get around this, the app then uses its root privilege to inject code into the Setup Wizard, extract the CAPTCHA image, and sends it to a remote server to try to solve the CAPTCHA. It is unclear if the remote server is capable of solving the CAPTCHA image automatically or if this is done manually by a human in the background. After the server returns the solution, the app enters it into the appropriate text field to complete the CAPTCHA challenge. The Zen trojan does not implement any kind of obfuscation except for one string that is encoded using Base64 encoding. It's one of the strings - "How you'll sign in" - that it looks for during the account creation process. The code snippet below shows part of the screen parsing process. if (!title.containsKey("Enter the code")) { if (!title.containsKey("Basic information")) { if (!title.containsKey(new String(android.util.Base64.decode("SG93IHlvdeKAmWxsIHNpZ24gaW4=".getBytes(), 0)))) { if (!title.containsKey("Create password")) { if (!title.containsKey("Add phone number")) {Apart from injecting code to read the CAPTCHA, the app also injects its own code into the system_server process, which requires root privileges. This indicates that the app tries to hide itself from any anti-PHA systems that look for a specific app process name or does not have the ability to scan the memory of the system_server process. The app also creates hooks to prevent the phone from rebooting, going to sleep or allowing the user from pressing hardware buttons during the account creation process. These hooks are created using the root access and a custom native code called Lmt_INJECT, although the algorithm for this is well known. First, the app has to turn off SELinux protection. Then the app finds a process id value for the process it wants to inject with code. This is done using a series of syscalls as outlined below. The "source process" refers to the Zen trojan running as root, while the "target process" refers to the process to which the code is injected and [pid] refers to the target process pid value. The source process checks the mapping between a process id and a process name. This is done by reading the /proc/[pid]/cmdline file.This very first step fails in Android 7.0 and higher, even with a root permission. The /proc filesystem is now mounted with a hidepid=2 parameter, which means that the process cannot access other process /proc/[pid] directory. A ptrace_attach syscall is called. This allows the source process to trace the target. The source process looks at its own memory to calculate the offset between the beginning of the libc library and the mmap address. The source process reads /proc/[pid]/maps to find where libc is located in the target process memory. By adding the previously calculated offset, it can get the address of the mmap function in the target process memory. The source process tries to determine the location of dlopen, dlsym, and dlclose functions in the target process. It uses the same technique as it used to determine the offset to the mmap function. The source process writes the native shellcode into the memory region allocated by mmap. Additionally, it also writes addresses of dlopen, dlsym, and dlclose into the same region, so that they can be used by the shellcode. Shellcode simply uses dlopen to open a .so file within the target process and then dlsym to find a symbol in that file and run it. The source process changes the registers in the target process so that PC register points directly to the shellcode. This is done using the ptrace syscall.This diagram illustrates the whole process. SummaryPHA authors go to great lengths to come up with increasingly clever ways to monetize their apps. Zen family PHA authors exhibit a wide range of techniques, from simply inserting an advertising SDK to a sophisticated trojan. The app that resulted in the largest number of affected users was the click fraud version, which was installed over 170,000 times at its peak in February 2018. The most affected countries were India, Brazil, and Indonesia. In most cases, these click fraud apps were uninstalled by the users, probably due to the low quality of the apps. If Google Play Protect detects one of these apps, Google Play Protect will show a warning to users. We are constantly on the lookout for new threats and we are expanding our protections. Every device with Google Play includes Google Play Protect and all apps on Google Play are automatically and periodically scanned by our solutions. You can check the status of Google Play Protect on your device: Open your Android device's Google Play Store app. Tap Menu>Play Protect. Look for information about the status of your device.Hashes of samples Type Package name SHA256 digest Custom ads com.targetshoot.zombieapocalypse.sniper.zombieshootinggame 5d98d8a7a012a858f0fa4cf8d2ed3d5a82937b1a98ea2703d440307c63c6c928 Click fraud com.counterterrorist.cs.elite.combat.shootinggame 84672fb2f228ec749d3c3c1cb168a1c31f544970fd29136bea2a5b2cefac6d04 Rooting trojan com.android.world.news bd233c1f5c477b0cc15d7f84392dab3a7a598243efa3154304327ff4580ae213 Zen trojan com.lmt.register eb12cd65589cbc6f9d3563576c304273cb6a78072b0c20a155a0951370476d8d

Posted by Marshall Vale, Product Manager and Puneet Sood, Software EngineerGoogle Public DNS is the world’s largest public Domain Name Service (DNS) recursive resolver, allowing anyone to convert Internet domain names like www.example.com into Internet addresses needed by an email application or web browser. Just as your search queries can expose sensitive information, the domains you lookup via DNS can also be sensitive. Starting today, users can secure queries between their devices and Google Public DNS with DNS-over-TLS, preserving their privacy and integrity.The DNS environment has changed for the better since we launched Google Public DNS over eight years ago. Back then, as today, part of Google Public DNS’ mission has been to improve the security and accuracy of DNS for users all over the world. But today, there is an increased awareness of the need to protect users’ communication with their DNS resolvers against forged responses and safeguard their privacy from network surveillance. The DNS-over-TLS protocol specifies a standard way to provide security and privacy for DNS traffic between users and their resolvers. Now users can secure their connections to Google Public DNS with TLS, the same technology that protects their HTTPS web connections.We implemented the DNS-over-TLS specification along with the RFC 7766 recommendations to minimize the overhead of using TLS. These include support for TLS 1.3 (for faster connections and improved security), TCP fast open, and pipelining of multiple queries and out-of-order responses over a single connection. All of this is deployed with Google’s serving infrastructure which provides reliable and scalable management for DNS-over-TLS connections.Use DNS-over-TLS todayAndroid 9 (Pie) device users can use DNS-over-TLS today. For configuration instructions for Android and other systems, please see the documentation. Advanced Linux users can use the stubby resolver from dnsprivacy.org to talk to Google’s DNS-over-TLS service.If you have a problem with Google Public DNS-over-TLS, you can create an issue on our tracker or ask on our discussion group. As always, please provide as much information as possible to help us investigate the problem!

Posted by Vikrant Nanda and René Mayrhofer, Android Security & Privacy Team[Cross-posted from the Android Developers Blog]There is no better time to talk about Android dessert releases than the holidays because who doesn't love dessert? And what is one of our favorite desserts during the holiday season? Well, pie of course. In all seriousness, pie is a great analogy because of how the various ingredients turn into multiple layers of goodness: right from the software crust on top to the hardware layer at the bottom. Read on for a summary of security and privacy features introduced in Android Pie this year. Platform hardeningWith Android Pie, we updated File-Based Encryption to support external storage media (such as, expandable storage cards). We also introduced support for metadata encryption where hardware support is present. With filesystem metadata encryption, a single key present at boot time encrypts whatever content is not encrypted by file-based encryption (such as, directory layouts, file sizes, permissions, and creation/modification times).Android Pie also introduced a BiometricPrompt API that apps can use to provide biometric authentication dialogs (such as, fingerprint prompt) on a device in a modality-agnostic fashion. This functionality creates a standardized look, feel, and placement for the dialog. This kind of standardization gives users more confidence that they're authenticating against a trusted biometric credential checker.New protections and test cases for the Application Sandbox help ensure all non-privileged apps targeting Android Pie (and all future releases of Android) run in stronger SELinux sandboxes. By providing per-app cryptographic authentication to the sandbox, this protection improves app separation, prevents overriding safe defaults, and (most significantly) prevents apps from making their data widely accessible. Anti-exploitation improvementsWith Android Pie, we expanded our compiler-based security mitigations, which instrument runtime operations to fail safely when undefined behavior occurs. Control Flow Integrity (CFI) is a security mechanism that disallows changes to the original control flow graph of compiled code. In Android Pie, it has been enabled by default within the media frameworks and other security-critical components, such as for Near Field Communication (NFC) and Bluetooth protocols. We also implemented support for CFI in the Android common kernel, continuing our efforts to harden the kernel in previous Android releases.Integer Overflow Sanitization is a security technique used to mitigate memory corruption and information disclosure vulnerabilities caused by integer operations. We've expanded our use of Integer Overflow sanitizers by enabling their use in libraries where complex untrusted input is processed or where security vulnerabilities have been reported.Continued investment in hardware-backed security One of the highlights of Android Pie is Android Protected Confirmation, the first major mobile OS API that leverages a hardware-protected user interface (Trusted UI) to perform critical transactions completely outside the main mobile operating system. Developers can use this API to display a trusted UI prompt to the user, requesting approval via a physical protected input (such as, a button on the device). The resulting cryptographically signed statement allows the relying party to reaffirm that the user would like to complete a sensitive transaction through their app. We also introduced support for a new Keystore type that provides stronger protection for private keys by leveraging tamper-resistant hardware with dedicated CPU, RAM, and flash memory. StrongBox Keymaster is an implementation of the Keymaster hardware abstraction layer (HAL) that resides in a hardware security module. This module is designed and required to have its own processor, secure storage, True Random Number Generator (TRNG), side-channel resistance, and tamper-resistant packaging. Other Keystore features (as part of Keymaster 4) include Keyguard-bound keys, Secure Key Import, 3DES support, and version binding. Keyguard-bound keys enable use restriction so as to protect sensitive information. Secure Key Import facilitates secure key use while protecting key material from the application or operating system. You can read more about these features in our recent blog post as well as the accompanying release notes.Enhancing user privacyUser privacy has been boosted with several behavior changes, such as limiting the access background apps have to the camera, microphone, and device sensors. New permission rules and permission groups have been created for phone calls, phone state, and Wi-Fi scans, as well as restrictions around information retrieved from Wi-Fi scans. We have also added associated MAC address randomization, so that a device can use a different network address when connecting to a Wi-Fi network. On top of that, Android Pie added support for encrypting Android backups with the user's screen lock secret (that is, PIN, pattern, or password). By design, this means that an attacker would not be able to access a user's backed-up application data without specifically knowing their passcode. Auto backup for apps has been enhanced by providing developers a way to specify conditions under which their app's data is excluded from auto backup. For example, Android Pie introduces a new flag to determine whether a user's backup is client-side encrypted.As part of a larger effort to move all web traffic away from cleartext (unencrypted HTTP) and towards being secured with TLS (HTTPS), we changed the defaults for Network Security Configuration to block all cleartext traffic. We're protecting users with TLS by default, unless you explicitly opt-in to cleartext for specific domains. Android Pie also adds built-in support for DNS over TLS, automatically upgrading DNS queries to TLS if a network's DNS server supports it. This protects information about IP addresses visited from being sniffed or intercepted on the network level.We believe that the features described in this post advance the security and privacy posture of Android, but you don't have to take our word for it. Year after year our continued efforts are demonstrably resulting in better protection as evidenced by increasing exploit difficulty and independent mobile security ratings. Now go and enjoy some actual pie while we get back to preparing the next Android dessert release!Making Android more secure requires a combination of hardening the platform and advancing anti-exploitation techniques.Acknowledgements: This post leveraged contributions from Chad Brubaker, Janis Danisevskis, Giles Hogben, Troy Kensinger, Ivan Lozano, Vishwath Mohan, Frank Salim, Sami Tolvanen, Lilian Young, and Shawn Willden.

Posted by Lilian Young and Shawn Willden, Android Security; and Frank Salim, Google Pay[Cross-posted from the Android Developers Blog] New Android Pie Keystore FeaturesThe Android Keystore provides application developers with a set of cryptographic tools that are designed to secure their users' data. Keystore moves the cryptographic primitives available in software libraries out of the Android OS and into secure hardware. Keys are protected and used only within the secure hardware to protect application secrets from various forms of attacks. Keystore gives applications the ability to specify restrictions on how and when the keys can be used. Android Pie introduces new capabilities to Keystore. We will be discussing two of these new capabilities in this post. The first enables restrictions on key use so as to protect sensitive information. The second facilitates secure key use while protecting key material from the application or operating system. Keyguard-bound keysThere are times when a mobile application receives data but doesn't need to immediately access it if the user is not currently using the device. Sensitive information sent to an application while the device screen is locked must remain secure until the user wants access to it. Android Pie addresses this by introducing keyguard-bound cryptographic keys. When the screen is locked, these keys can be used in encryption or verification operations, but are unavailable for decryption or signing. If the device is currently locked with a PIN, pattern, or password, any attempt to use these keys will result in an invalid operation. Keyguard-bound keys protect the user's data while the device is locked, and only available when the user needs it. Keyguard binding and authentication binding both function in similar ways, except with one important difference. Keyguard binding ties the availability of keys directly to the screen lock state while authentication binding uses a constant timeout. With keyguard binding, the keys become unavailable as soon as the device is locked and are only made available again when the user unlocks the device. It is worth noting that keyguard binding is enforced by the operating system, not the secure hardware. This is because the secure hardware has no way to know when the screen is locked. Hardware-enforced Android Keystore protection features like authentication binding, can be combined with keyguard binding for a higher level of security. Furthermore, since keyguard binding is an operating system feature, it's available to any device running Android Pie. Keys for any algorithm supported by the device can be keyguard-bound. To generate or import a key as keyguard-bound, call setUnlockedDeviceRequired(true) on the KeyGenParameterSpec or KeyProtection builder object at key generation or import. Secure Key ImportSecure Key Import is a new feature in Android Pie that allows applications to provision existing keys into Keystore in a more secure manner. The origin of the key, a remote server that could be sitting in an on-premise data center or in the cloud, encrypts the secure key using a public wrapping key from the user's device. The encrypted key in the SecureKeyWrapper format, which also contains a description of the ways the imported key is allowed to be used, can only be decrypted in the Keystore hardware belonging to the specific device that generated the wrapping key. Keys are encrypted in transit and remain opaque to the application and operating system, meaning they're only available inside the secure hardware into which they are imported. Secure Key Import is useful in scenarios where an application intends to share a secret key with an Android device, but wants to prevent the key from being intercepted or from leaving the device. Google Pay uses Secure Key Import to provision some keys on Pixel 3 phones, to prevent the keys from being intercepted or extracted from memory. There are also a variety of enterprise use cases such as S/MIME encryption keys being recovered from a Certificate Authorities escrow so that the same key can be used to decrypt emails on multiple devices. To take advantage of this feature, please review this training article. Please note that Secure Key Import is a secure hardware feature, and is therefore only available on select Android Pie devices. To find out if the device supports it, applications can generate a KeyPair with PURPOSE_WRAP_KEY.

Posted by Dave Kleidermacher, VP, Head of Security & Privacy - Android & PlayProviding users with safe and secure experiences, while helping developers build and grow quality app businesses, is our top priority at Google Play. And we’re constantly working to improve our protections.Google Play has been working to minimize app install attribution fraud for several years. In 2017 Google Play made available the Google Play Install Referrer API, which allows ad attribution providers, publishers and advertisers to determine which referrer was responsible for sending the user to Google Play for a given app install. This API was specifically designed to be resistant to install attribution fraud and we strongly encourage attribution providers, advertisers and publishers to insist on this standard of proof when measuring app install ads. Users, developers, advertisers and ad networks all benefit from a transparent, fair system.We also take reports of questionable activity very seriously. If an app violates our Google Play Developer policies, we take action. That’s why we began our own independent investigation after we received reports of apps on Google Play accused of conducting app install attribution abuse by falsely claiming credit for newly installed apps to collect the download bounty from that app’s developer.We now have an update regarding our ongoing investigation:On Monday, we removed two apps from the Play Store because our investigation discovered evidence of app install attribution abuse.We also discovered evidence of app install attribution abuse in 3 ad network SDKs. We have asked the impacted developers to remove those SDKs from their apps. Because we believe most of these developers were not aware of the behavior from these third-party SDKs, we have given them a short grace period to take action.Google Ads SDKs were not utilized for any of the abusive behaviors mentioned above.Our investigation is ongoing and additional reviews of other apps and third party SDKs are still underway. If we find evidence of additional policy violations, we will take action.We will continue to investigate and improve our capabilities to better detect and protect against abusive behavior and the malicious actors behind them.

Posted by Billy Lau and René Mayrhofer, Android Security & Privacy TeamCustomization is one of Android's greatest strengths. Android's open source nature has enabled thousands of device types that cover a variety of use cases. In addition to adding features to the Android Open Source Project, researchers, developers, service providers, and device and chipset manufacturers can make updates to improve Android security. Investing and engaging in academic research advances the state-of-the-art security techniques, contributes to science, and delivers cutting edge security and privacy features into the hands of end users. To foster more cooperative applied research between the Android Security and Privacy team and the wider academic and industrial community, we're launching ASPIRE (Android Security and PrIvacy REsearch).ASPIRE's goal is encouraging the development of new security and privacy technology that impacts the Android ecosystem in the next 2 to 5 years, but isn't planned for mainline Android development. This timeframe extends beyond the next annual Android release to allow adequate time to analyze, develop, and stabilize research into features before including in the platform. To collaborate with security researchers, we're hosting events and creating more channels to contribute research.On October 25th 2018, we invited top security and privacy researchers from around the world to present at Android Security Local Research Day (ASLR-D). At this event, external researchers and Android Security and Privacy team members discussed current issues and strategies that impact the future direction of security research—for Android and the entire industry.We can't always get everyone in the same room and good ideas come from everywhere. So we're inviting all academic researchers to help us protect billions of users. Research collaborations with Android should be as straightforward as collaborating with the research lab next door. To get involved you can:Submit an Android security / privacy research idea or proposal to the Google Faculty Research Awards (FRA) program.Apply for a research internship as a student pursuing an advanced degree.Apply to become a Visiting Researcher at Google.If you have any security or privacy questions that may help with your research, reach out to us.Co-author publications with Android team members, outside the terms of FRA.Collaborate with Android team members to make changes to the Android Open Source Project.Let’s work together to make Android the most secure platform—now and in the future.

Posted by Elie Bursztein and Oxana Comanescu, Google Security and Privacy GroupWe believe that cutting-edge research plays a key role in advancing the security and privacy of users across the Internet. While we do significant in-house research and engineering to protect users’ data, we maintain strong ties with academic institutions worldwide. We provide seed funding through faculty research grants, cloud credits to unlock new experiments, and foster active collaborations, including working with visiting scholars and research interns.To accelerate the next generation of security and privacy breakthroughs, we recently created the Google Security and Privacy Research Awards program. These awards, selected via internal Google nominations and voting, recognize academic researchers who have made recent, significant contributions to the field.We’ve been developing this program for several years. It began as a pilot when we awarded researchers for their work in 2016, and we expanded it more broadly for work from 2017. So far, we awarded $1 million dollars to 12 scholars. We are preparing the shortlist for 2018 nominees and will announce the winners next year. In the meantime, we wanted to highlight the previous award winners and the influence they’ve had on the field.2017 AwardeesLujo Bauer, Carnegie Mellon UniversityResearch area: Password security and attacks against facial recognitionDan Boneh, Stanford UniversityResearch area: Enclave security and post-quantum cryptographyAleksandra Korolova, University of Southern CaliforniaResearch area: Differential privacyDaniela Oliveira, University of FloridaResearch area: Social engineering and phishingFranziska Roesner, University of WashingtonResearch area: Usable security for augmented reality and at-risk populationsMatthew Smith, Universität BonnResearch area: Usable security for developers2016 AwardeesMichael Bailey, University of Illinois at Urbana-ChampaignResearch area: Cloud and network securityNicolas Christin, Carnegie Mellon UniversityResearch area: Authentication and cybercrimeDamon McCoy, New York UniversityResearch area: DDoS services and cybercrimeStefan Savage, University of California San DiegoResearch area: Network security and cybercrimeMarc Stevens, Centrum Wiskunde & InformaticaResearch area: Cryptanalysis and lattice cryptographyGiovanni Vigna, University of California Santa BarbaraResearch area: Malware detection and cybercrimeCongratulations to all of our award winners.

Posted by Per Bjorke, Product Manager, Ad Traffic QualityFor years, Google has been waging a comprehensive, global fight against invalid traffic through a combination of technology, policy, and operations teams to protect advertisers and publishers and increase transparency throughout the advertising industry.Last year, we identified one of the most complex and sophisticated ad fraud operations we have seen to date, working with cyber security firm White Ops, and referred the case to law enforcement. Today, the U.S. Attorney’s Office for the Eastern District of New York announced criminal charges associated with this fraud operation. This takedown marks a major milestone in the industry’s fight against ad fraud, and we’re proud to have been a key contributor.In partnership with White Ops, we have published a white paper about how we identified this ad fraud operation, the steps we took to protect our clients from being impacted, and the technical work we did to detect patterns across systems in the industry. Below are some of the highlights from the white paper, which you can download here.All about 3ve: A creative and sophisticated threatReferred to as 3ve (pronounced “Eve”), this ad fraud operation evolved over the course of 2017 from a modest, low-level botnet into a large and sophisticated operation that used a broad set of tactics to commit ad fraud. 3ve operated on a significant scale: At its peak, it controlled over 1 million IPs from both residential malware infections and corporate IP spaces primarily in North America and Europe.Through our investigation, we discovered that 3ve was comprised of three unique sub-operations that evolved rapidly, using sophisticated tactics aimed at exploiting data centers, computers infected with malware, spoofed fraudulent domains, and fake websites. Through its varied and complex machinery, 3ve generated billions of fraudulent ad bid requests (i.e., ad spaces on web pages that advertisers can bid to purchase in an automated way), and it also created thousands of spoofed fraudulent domains. It should be noted that our analysis of ad bid requests indicated growth in activity, but not necessarily growth in transactions that would result in charges to advertisers. It’s also worth noting that 3+ billion daily ad bid requests made 3ve an extremely large ad fraud operation, but its bid request volume was only a small percentage of overall bid request volume across the industry.Our objectiveTrust and integrity are critical to the digital advertising ecosystem. Investments in our ad traffic quality systems made it possible for us to tackle this ad fraud operation and to limit the impact it had on our clients as quickly as possible, including crediting advertisers.3ve’s focus, like many ad fraud schemes, was not a single player or system, but rather the whole advertising ecosystem. As we worked to protect our ad systems against traffic from this threat, we identified that others also had observed this traffic, and we partnered with them to help remove the threat from the ecosystem. The working group, which included nearly 20 partners, was a key component that shaped our broader investigation into 3ve, enabling us to engage directly with each other and to work towards a mutually beneficial outcome.Industry collaboration helps bring 3ve downWhile ad fraud traditionally has been seen as a faceless crime in which bad actors don’t face much risk of being identified or consequences for their actions, 3ve’s takedown demonstrates that there are risks and consequences to committing ad fraud. We’re confident that our collective efforts are building momentum and moving us closer to finding a resolution to this challenge.For example, industry initiatives such as the Interactive Advertising Bureau (IAB) Tech Lab’s ads.txt standard, which has experienced and continues to see very rapid adoption (over 620,000 domains have an ads.txt), as well as the increasing number of buy-side platforms and exchanges offering refunds for invalid traffic, are valuable steps towards cutting off the money flow to fraudsters. As we announced last year, we’ve made, and will continue to make investments in our automated refunds for invalid traffic, including our work with supply partners to provide advertisers with refunds for invalid traffic detected up to 30 days after monthly billing.Industry bodies such as the IAB, Trustworthy Accountability Group (TAG), Media Rating Council, and the Joint Industry Committee for Web Standards, who are serving as agents of change and collaboration across our industry, are instrumental in the fight against ad fraud. We have a long history of working with these bodies, including ongoing participation in TAG and IAB leadership and working groups, as well as our inclusion in the TAG Certified Against Fraud program. That program’s value was reinforced with the IAB’s requirement that all members need to be TAG certified by the middle of this year.Successful disruptionA coordinated takedown of infrastructure related to 3ve’s operations occurred recently. The takedown involved disrupting as much of the related infrastructure as possible to make it hard to rebuild any of 3ve’s operations. As the graph below demonstrates, declining volumes in invalid traffic indicate that the disruption thus far has been successful, bringing the bid request traffic close to zero within 18 hours of starting the coordinated takedown.Looking aheadWe’ll continue to be vigilant, working to protect marketers, publishers, and users, while continuing to collaborate with the broader industry to safeguard the integrity of the digital advertising ecosystem that powers the open web. Our work to take down 3ve is another example of our collaboration with the broader ecosystem to improve trust in digital advertising. We are committed to helping to create a better digital advertising ecosystem — one that is more valuable, transparent, and trusted for everyone.

Posted by Mo Yu, Damien Octeau, and Chuangang Ren, Android Security & Privacy Team[Cross-posted from the Android Developers Blog]In a previous blog post, we talked about using machine learning to combat Potentially Harmful Applications (PHAs). This blog post covers how Google uses machine learning techniques to detect and classify PHAs. We'll discuss the challenges in the PHA detection space, including the scale of data, the correct identification of PHA behaviors, and the evolution of PHA families. Next, we will introduce two of the datasets that make the training and implementation of machine learning models possible, such as app analysis data and Google Play data. Finally, we will present some of the approaches we use, including logistic regression and deep neural networks.Using Machine Learning to ScaleDetecting PHAs is challenging and requires a lot of resources. Our security experts need to understand how apps interact with the system and the user, analyze complex signals to find PHA behavior, and evolve their tactics to stay ahead of PHA authors. Every day, Google Play Protect (GPP) analyzes over half a million apps, which makes a lot of new data for our security experts to process.Leveraging machine learning helps us detect PHAs faster and at a larger scale. We can detect more PHAs just by adding additional computing resources. In many cases, machine learning can find PHA signals in the training data without human intervention. Sometimes, those signals are different than signals found by security experts. Machine learning can take better advantage of this data, and discover hidden relationships between signals more effectively.There are two major parts of Google Play Protect's machine learning protections: the data and the machine learning models.Data SourcesThe quality and quantity of the data used to create a model are crucial to the success of the system. For the purpose of PHA detection and classification, our system mainly uses two anonymous data sources: data from analyzing apps and data from how users experience apps.App DataGoogle Play Protect analyzes every app that it can find on the internet. We created a dataset by decomposing each app's APK and extracting PHA signals with deep analysis. We execute various processes on each app to find particular features and behaviors that are relevant to the PHA categories in scope (for example, SMS fraud, phishing, privilege escalation). Static analysis examines the different resources inside an APK file while dynamic analysis checks the behavior of the app when it's actually running. These two approaches complement each other. For example, dynamic analysis requires the execution of the app regardless of how obfuscated its code is (obfuscation hinders static analysis), and static analysis can help detect cloaking attempts in the code that may in practice bypass dynamic analysis-based detection. In the end, this analysis produces information about the app's characteristics, which serve as a fundamental data source for machine learning algorithms.Google Play DataIn addition to analyzing each app, we also try to understand how users perceive that app. User feedback (such as the number of installs, uninstalls, user ratings, and comments) collected from Google Play can help us identify problematic apps. Similarly, information about the developer (such as the certificates they use and their history of published apps) contribute valuable knowledge that can be used to identify PHAs. All these metrics are generated when developers submit a new app (or new version of an app) and by millions of Google Play users every day. This information helps us to understand the quality, behavior, and purpose of an app so that we can identify new PHA behaviors or identify similar apps.In general, our data sources yield raw signals, which then need to be transformed into machine learning features for use by our algorithms. Some signals, such as the permissions that an app requests, have a clear semantic meaning and can be directly used. In other cases, we need to engineer our data to make new, more powerful features. For example, we can aggregate the ratings of all apps that a particular developer owns, so we can calculate a rating per developer and use it to validate future apps. We also employ several techniques to focus in on interesting data.To create compact representations for sparse data, we use embedding. To help streamline the data to make it more useful to models, we use feature selection. Depending on the target, feature selection helps us keep the most relevant signals and remove irrelevant ones.By combining our different datasets and investing in feature engineering and feature selection, we improve the quality of the data that can be fed to various types of machine learning models.ModelsBuilding a good machine learning model is like building a skyscraper: quality materials are important, but a great design is also essential. Like the materials in a skyscraper, good datasets and features are important to machine learning, but a great algorithm is essential to identify PHA behaviors effectively and efficiently.We train models to identify PHAs that belong to a specific category, such as SMS-fraud or phishing. Such categories are quite broad and contain a large number of samples given the number of PHA families that fit the definition. Alternatively, we also have models focusing on a much smaller scale, such as a family, which is composed of a group of apps that are part of the same PHA campaign and that share similar source code and behaviors. On the one hand, having a single model to tackle an entire PHA category may be attractive in terms of simplicity but precision may be an issue as the model will have to generalize the behaviors of a large number of PHAs believed to have something in common. On the other hand, developing multiple PHA models may require additional engineering efforts, but may result in better precision at the cost of reduced scope.We use a variety of modeling techniques to modify our machine learning approach, including supervised and unsupervised ones.One supervised technique we use is logistic regression, which has been widely adopted in the industry. These models have a simple structure and can be trained quickly. Logistic regression models can be analyzed to understand the importance of the different PHA and app features they are built with, allowing us to improve our feature engineering process. After a few cycles of training, evaluation, and improvement, we can launch the best models in production and monitor their performance.For more complex cases, we employ deep learning. Compared to logistic regression, deep learning is good at capturing complicated interactions between different features and extracting hidden patterns. The millions of apps in Google Play provide a rich dataset, which is advantageous to deep learning.In addition to our targeted feature engineering efforts, we experiment with many aspects of deep neural networks. For example, a deep neural network can have multiple layers and each layer has several neurons to process signals. We can experiment with the number of layers and neurons per layer to change model behaviors.We also adopt unsupervised machine learning methods. Many PHAs use similar abuse techniques and tricks, so they look almost identical to each other. An unsupervised approach helps define clusters of apps that look or behave similarly, which allows us to mitigate and identify PHAs more effectively. We can automate the process of categorizing that type of app if we are confident in the model or can request help from a human expert to validate what the model found.PHAs are constantly evolving, so our models need constant updating and monitoring. In production, models are fed with data from recent apps, which help them stay relevant. However, new abuse techniques and behaviors need to be continuously detected and fed into our machine learning models to be able to catch new PHAs and stay on top of recent trends. This is a continuous cycle of model creation and updating that also requires tuning to ensure that the precision and coverage of the system as a whole matches our detection goals.Looking forwardAs part of Google's AI-first strategy, our work leverages many machine learning resources across the company, such as tools and infrastructures developed by Google Brain and Google Research. In 2017, our machine learning models successfully detected 60.3% of PHAs identified by Google Play Protect, covering over 2 billion Android devices. We continue to research and invest in machine learning to scale and simplify the detection of PHAs in the Android ecosystem.AcknowledgementsThis work was developed in joint collaboration with Google Play Protect, Safe Browsing and Play Abuse teams with contributions from Andrew Ahn, Hrishikesh Aradhye, Daniel Bali, Hongji Bao, Yajie Hu, Arthur Kaiser, Elena Kovakina, Salvador Mandujano, Melinda Miller, Rahul Mishra, Sebastian Porst, Monirul Sharif, Sri Somanchi, Sai Deep Tetali, and Zhikun Wang.

Posted by Jason Woloz and Eugene Liderman, Android Security & Privacy TeamUpdate: We identified a bug that affected how we calculated data from Q3 2018 in the Transparency Report. This bug created inconsistencies between the data in the report and this blog post. The data points in this blog post have been corrected.As shared during the What's new in Android security session at Google I/O 2018, transparency and openness are important parts of Android's ethos. We regularly blog about new features and enhancements and publish an annual Android Security Year in Review, which highlights Android ecosystem trends. To provide more frequent insights, we're introducing a quarterly Android Ecosystem Security Transparency Report. This report is the latest addition to our Transparency Report site, which began in 2010 to show how the policies and actions of governments and corporations affect privacy, security, and access to information online.This Android Ecosystem Security Transparency Report covers how often a routine, full-device scan by Google Play Protect detects a device with PHAs installed. Google Play Protect is built-in protection on Android devices that scans over 50 billion apps daily from inside and outside of Google Play. These scans look for evidence of Potentially Harmful Applications (PHAs). If the scans find a PHA, Google Play Protect warns the user and can disable or remove PHAs. In Android's first annual Android Security Year in Review from 2014, fewer than 1% of devices had PHAs installed. The percentage has declined steadily over time and this downward trend continues through 2018. The transparency report covers PHA rates in three areas: market segment (whether a PHA came from Google Play or outside of Google Play), Android version, and country.Devices with Potentially Harmful Applications installed by market segmentGoogle works hard to protect your Android device: no matter where your apps come from. Continuing the trend from previous years, Android devices that only download apps from Google Play are 9 times less likely to get a PHA than devices that download apps from other sources. Before applications become available in Google Play they undergo an application review to confirm they comply with Google Play policies. Google uses a risk scorer to analyze apps to detect potentially harmful behavior. When Google’s application risk analyzer discovers something suspicious, it flags the app and refers the PHA to a security analyst for manual review if needed. We also scan apps that users download to their device from outside of Google Play. If we find a suspicious app, we also protect users from that—even if it didn't come from Google Play.In the Android Ecosystem Security Transparency Report, the Devices with Potentially Harmful Applications installed by market segment chart shows the percentage of Android devices that have one or more PHAs installed over time. The chart has two lines: PHA rate for devices that exclusively install from Google Play and PHA rate for devices that also install from outside of Google Play. In 2017, on average 0.09% of devices that exclusively used Google Play had one or more PHAs installed. The first three quarters in 2018 averaged a lower PHA rate of 0.08%.The security of devices that installed apps from outside of Google Play also improved. In 2017, ~0.82% of devices that installed apps from outside of Google Play were affected by PHA; in the first three quarters of 2018, ~0.68% were affected. Since 2017, we've reduced this number by expanding the auto-disable feature which we covered on page 10 in the 2017 Year in Review. While malware rates fluctuate from quarter to quarter, our metrics continue to show a consistent downward trend over time. We'll share more details in our 2018 Android Security Year in Review in early 2019.Devices with Potentially Harmful Applications installed by Android versionNewer versions of Android are less affected by PHAs. We attribute this to many factors, such as continued platform and API hardening, ongoing security updates and app security and developer training to reduce apps' access to sensitive data. In particular, newer Android versions—such as Nougat, Oreo, and Pie—are more resilient to privilege escalation attacks that had previously allowed PHAs to gain persistence on devices and protect themselves against removal attempts. The Devices with Potentially Harmful Applications installed by Android version chart shows the percentage of devices with a PHA installed, sorted by the Android version that the device is running.Devices with Potentially Harmful Applications rate by top 10 countriesOverall, PHA rates in the ten largest Android markets have remained steady. While these numbers fluctuate on a quarterly basis due to the fluidity of the marketplace, we intend to provide more in depth coverage of what drove these changes in our annual Year in Review in Q1, 2019.The Devices with Potentially Harmful Applications rate by top 10 countries chart shows the percentage of devices with at least one PHA in the ten countries with the highest volume of Android devices. India saw the most significant decline in PHAs present on devices, with the average rate of infection dropping by 34 percent. Indonesia, Mexico, and Turkey also saw a decline in the likelihood of PHAs being present on devices in the region. South Korea saw the lowest number of devices containing PHA, with only 0.1%.Check out the reportOver time, we'll add more insights into the health of the ecosystem to the Android Ecosystem Security Transparency Report. If you have any questions about terminology or the products referred to in this report please review the FAQs section of the Transparency Report. In the meantime, check out our new blog post and video outlining Android’s performance in Gartner’s Mobile OSs and Device Security: A Comparison of Platforms report.

Posted by Matt Ruhstaller, TPM and Oliver Chang, Software Engineer, Google Security TeamOpen Source Software (OSS) is extremely important to Google, and we rely on OSS in a variety of customer-facing and internal projects. We also understand the difficulty and importance of securing the open source ecosystem, and are continuously looking for ways to simplify it.For the OSS community, we currently provide OSS-Fuzz, a free continuous fuzzing infrastructure hosted on the Google Cloud Platform. OSS-Fuzz uncovers security vulnerabilities and stability issues, and reports them directly to developers. Since launching in December 2016, OSS-Fuzz has reported over 9,000 bugs directly to open source developers.In addition to OSS-Fuzz, Google's security team maintains several internal tools for identifying bugs in both Google internal and Open Source code. Until recently, these issues were manually reported to various public bug trackers by our security team and then monitored until they were resolved. Unresolved bugs were eligible for the Patch Rewards Program. While this reporting process had some success, it was overly complex. Now, by unifying and automating our fuzzing tools, we have been able to consolidate our processes into a single workflow, based on OSS-Fuzz. Projects integrated with OSS-Fuzz will benefit from being reviewed by both our internal and external fuzzing tools, thereby increasing code coverage and discovering bugs faster.We are committed to helping open source projects benefit from integrating with our OSS-Fuzz fuzzing infrastructure. In the coming weeks, we will reach out via email to critical projects that we believe would be a good fit and support the community at large. Projects that integrate are eligible for rewards ranging from $1,000 (initial integration) up to $20,000 (ideal integration); more details are available here. These rewards are intended to help offset the cost and effort required to properly configure fuzzing for OSS projects. If you would like to integrate your project with OSS-Fuzz, please submit your project for review. Our goal is to admit as many OSS projects as possible and ensure that they are continuously fuzzed.Once contacted, we might provide a sample fuzz target to you for easy integration. Many of these fuzz targets are generated with new technology that understands how library APIs are used appropriately. Watch this space for more details on how Google plans to further automate fuzz target creation, so that even more open source projects can benefit from continuous fuzzing.Thank you for your continued contributions to the Open Source community. Let’s work together on a more secure and stable future for Open Source Software.

Posted by Jonathan Skelker, Product ManagerIt’s Halloween 🎃 and the last day of Cybersecurity Awareness Month 🔐, so we’re celebrating these occasions with security improvements across your account journey: before you sign in, as soon as you’ve entered your account, when you share information with other apps and sites, and the rare event in which your account is compromised.We’re constantly protecting your information from attackers’ tricks, and with these new protections and tools, we hope you can spend your Halloween worrying about zombies, witches, and your candy loot—not the security of your account.Protecting you before you even sign inEveryone does their best to keep their username and password safe, but sometimes bad actors may still get them through phishing or other tricks. Even when this happens, we will still protect you with safeguards that kick-in before you are signed into your account.When your username and password are entered on Google’s sign-in page, we’ll run a risk assessment and only allow the sign-in if nothing looks suspicious. We’re always working to improve this analysis, and we’ll now require that JavaScript is enabled on the Google sign-in page, without which we can’t run this assessment.Chances are, JavaScript is already enabled in your browser; it helps power lots of the websites people use everyday. But, because it may save bandwidth or help pages load more quickly, a tiny minority of our users (0.1%) choose to keep it off. This might make sense if you are reading static content, but we recommend that you keep Javascript on while signing into your Google Account so we can better protect you. You can read more about how to enable JavaScript here.Keeping your Google Account secure while you’re signed inLast year, we launched a major update to the Security Checkup that upgraded it from the same checklist for everyone, to a smarter tool that automatically provides personalized guidance for improving the security of your Google Account.We’re adding to this advice all the time. Most recently, we introduced better protection against harmful apps based on recommendations from Google Play Protect, as well as the ability to remove your account from any devices you no longer use.More notifications when you share your account data with apps and sitesIt’s really important that you understand the information that has been shared with apps or sites so that we can keep you safe. We already notify you when you’ve granted access to sensitive information — like Gmail data or your Google Contacts — to third-party sites or apps, and in the next few weeks, we’ll expand this to notify you whenever you share any data from your Google Account. You can always see which apps have access to your data in the Security Checkup.Helping you get back to the beginning if you run into troubleIn the rare event that your account is compromised, our priority is to help get you back to safety as quickly as possible. We’ve introduced a new, step-by-step process within your Google Account that we will automatically trigger if we detect potential unauthorized activity.We'll help you:Verify critical security settings to help ensure your account isn’t vulnerable to additional attacks and that someone can’t access it via other means, like a recovery phone number or email address.Secure your other accounts because your Google Account might be a gateway to accounts on other services and a hijacking can leave those vulnerable as well.Check financial activity to see if any payment methods connected to your account, like a credit card or Google Pay, were abused.Review content and files to see if any of your Gmail or Drive data was accessed or mis-used.Online security can sometimes feel like walking through a haunted house—scary, and you aren't quite sure what may pop up. We are constantly working to strengthen our automatic protections to stop attackers and keep you safe you from the many tricks you may encounter. During Cybersecurity Month, and beyond, we've got your back.

Posted by Wei Liu, Google Product Manager[Cross-posted from the Google Webmaster Central Blog]Today, we’re excited to introduce reCAPTCHA v3, our newest API that helps you detect abusive traffic on your website without user interaction. Instead of showing a CAPTCHA challenge, reCAPTCHA v3 returns a score so you can choose the most appropriate action for your website.A frictionless user experienceOver the last decade, reCAPTCHA has continuously evolved its technology. In reCAPTCHA v1, every user was asked to pass a challenge by reading distorted text and typing into a box. To improve both user experience and security, we introduced reCAPTCHA v2 and began to use many other signals to determine whether a request came from a human or bot. This enabled reCAPTCHA challenges to move from a dominant to a secondary role in detecting abuse, letting about half of users pass with a single click. Now with reCAPTCHA v3, we are fundamentally changing how sites can test for human vs. bot activities by returning a score to tell you how suspicious an interaction is and eliminating the need to interrupt users with challenges at all. reCAPTCHA v3 runs adaptive risk analysis in the background to alert you of suspicious traffic while letting your human users enjoy a frictionless experience on your site.More Accurate Bot Detection with "Actions"In reCAPTCHA v3, we are introducing a new concept called “Action”—a tag that you can use to define the key steps of your user journey and enable reCAPTCHA to run its risk analysis in context. Since reCAPTCHA v3 doesn't interrupt users, we recommend adding reCAPTCHA v3 to multiple pages. In this way, the reCAPTCHA adaptive risk analysis engine can identify the pattern of attackers more accurately by looking at the activities across different pages on your website. In the reCAPTCHA admin console, you can get a full overview of reCAPTCHA score distribution and a breakdown for the stats of the top 10 actions on your site, to help you identify which exact pages are being targeted by bots and how suspicious the traffic was on those pages.Fighting bots your wayAnother big benefit that you’ll get from reCAPTCHA v3 is the flexibility to prevent spam and abuse in the way that best fits your website. Previously, the reCAPTCHA system mostly decided when and what CAPTCHAs to serve to users, leaving you with limited influence over your website’s user experience. Now, reCAPTCHA v3 will provide you with a score that tells you how suspicious an interaction is. There are three potential ways you can use the score. First, you can set a threshold that determines when a user is let through or when further verification needs to be done, for example, using two-factor authentication and phone verification. Second, you can combine the score with your own signals that reCAPTCHA can’t access—such as user profiles or transaction histories. Third, you can use the reCAPTCHA score as one of the signals to train your machine learning model to fight abuse. By providing you with these new ways to customize the actions that occur for different types of traffic, this new version lets you protect your site against bots and improve your user experience based on your website’s specific needs.In short, reCAPTCHA v3 helps to protect your sites without user friction and gives you more power to decide what to do in risky situations. As always, we are working every day to stay ahead of attackers and keep the Internet easy and safe to use (except for bots).Ready to get started with reCAPTCHA v3? Visit our developer site for more details.

Posted by Per Bjorke, Product Manager, Ad Traffic QualityFighting invalid traffic is essential for the long-term sustainability of the digital advertising ecosystem. We have an extensive internal system to filter out invalid traffic – from simple filters to large-scale machine learning models – and we collaborate with advertisers, agencies, publishers, ad tech companies, research institutions, law enforcement and other third party organizations to identify potential threats. We take all reports of questionable activity seriously, and when we find invalid traffic, we act quickly to remove it from our systems.Last week, BuzzFeed News provided us with information that helped us identify new aspects of an ad fraud operation across apps and websites that were monetizing with numerous ad platforms, including Google. While our internal systems had previously caught and blocked violating websites from our ad network, in the past week we also removed apps involved in the ad fraud scheme so they can no longer monetize with Google. Further, we have blacklisted additional apps and websites that are outside of our ad network, to ensure that advertisers using Display & Video 360 (formerly known as DoubleClick Bid Manager) do not buy any of this traffic. We are continuing to monitor this operation and will continue to take action if we find any additional invalid traffic.While our analysis of the operation is ongoing, we estimate that the dollar value of impacted Google advertiser spend across the apps and websites involved in the operation is under $10 million. The majority of impacted advertiser spend was from invalid traffic on inventory from non-Google, third-party ad networks.A technical overview of the ad fraud operation is included below.Collaboration throughout our industry is critical in helping us to better detect, prevent, and disable these threats across the ecosystem. We want to thank BuzzFeed for sharing information that allowed us to take further action. This effort highlights the importance of collaborating with others to counter bad actors. Ad fraud is an industry-wide issue that no company can tackle alone. We remain committed to fighting invalid traffic and ad fraud threats such as this one, both to protect our advertisers, publishers, and users, as well as to protect the integrity of the broader digital advertising ecosystem.Technical DetailGoogle deploys comprehensive, state-of-the-art systems and procedures to combat ad fraud. We have made and continue to make considerable investments to protect our ad systems against invalid traffic.As detailed above, we’ve identified, analyzed and blocked invalid traffic associated with this operation, both by removing apps and blacklisting websites. Our engineering and operations teams, across various organizations, are also taking systemic action to disrupt this threat, including the takedown of command and control infrastructure that powers the associated botnet. In addition, we have shared relevant technical information with trusted partners across the ecosystem, so that they can also harden their defenses and minimize the impact of this threat throughout the industry.The BuzzFeed News report covers several fraud tactics (both web and mobile app) that are allegedly utilized by the same group. The web-based traffic is generated by a botnet that Google and others have been tracking, known as “TechSnab.” The TechSnab botnet is a small to medium-sized botnet that has existed for a few years. The number of active infections associated with TechSnab was reduced significantly after the Google Chrome Cleanup tool began prompting users to uninstall the malware.In similar fashion to other botnets, this operates by creating hidden browser windows that visit web pages to inflate ad revenue. The malware contains common IP based cloaking, data obfuscation, and anti-analysis defenses. This botnet drove traffic to a ring of websites created specifically for this operation, and monetized with Google and many third party ad exchanges. As mentioned above, we began taking action on these websites earlier this year.Based on analysis of historical ads.txt crawl data, inventory from these websites was widely available throughout the advertising ecosystem, and as many as 150 exchanges, supply-side platforms (SSPs) or networks may have sold this inventory. The botnet operators had hundreds of accounts across 88 different exchanges (based on accounts listed with “DIRECT” status in their ads.txt files).This fraud primarily impacted mobile apps. We investigated those apps that were monetizing via AdMob and removed those that were engaged in this behavior from our ad network. The traffic from these apps seems to be a blend of organic user traffic and artificially inflated ad traffic, including traffic based on hidden ads. Additionally, we found the presence of several ad networks, indicating that it's likely many were being used for monetization. We are actively tracking this operation, and continually updating and improving our enforcement tactics.

Posted by Janis Danisevskis, Information Security Engineer, Android Security[Cross-posted from the Android Developers Blog]In Android Pie, we introduced Android Protected Confirmation, the first major mobile OS API that leverages a hardware protected user interface (Trusted UI) to perform critical transactions completely outside the main mobile operating system. This Trusted UI protects the choices you make from fraudulent apps or a compromised operating system. When an app invokes Protected Confirmation, control is passed to the Trusted UI, where transaction data is displayed and user confirmation of that data's correctness is obtained. Once confirmed, your intention is cryptographically authenticated and unforgeable when conveyed to the relying party, for example, your bank. Protected Confirmation increases the bank's confidence that it acts on your behalf, providing a higher level of protection for the transaction. Protected Confirmation also adds additional security relative to other forms of secondary authentication, such as a One Time Password or Transaction Authentication Number. These mechanisms can be frustrating for mobile users and also fail to protect against a compromised device that can corrupt transaction data or intercept one-time confirmation text messages. Once the user approves a transaction, Protected Confirmation digitally signs the confirmation message. Because the signing key never leaves the Trusted UI's hardware sandbox, neither app malware nor a compromised operating system can fool the user into authorizing anything. Protected Confirmation signing keys are created using Android's standard AndroidKeyStore API. Before it can start using Android Protected Confirmation for end-to-end secure transactions, the app must enroll the public KeyStore key and its Keystore Attestation certificate with the remote relying party. The attestation certificate certifies that the key can only be used to sign Protected Confirmations. There are many possible use cases for Android Protected Confirmation. At Google I/O 2018, the What's new in Android security session showcased partners planning to leverage Android Protected Confirmation in a variety of ways, including Royal Bank of Canada person to person money transfers; Duo Security, Nok Nok Labs, and ProxToMe for user authentication; and Insulet Corporation and Bigfoot Biomedical, for medical device control. Insulet, a global leading manufacturer of tubeless patch insulin pumps, has demonstrated how they can modify their FDA cleared Omnipod DASH TM Insulin management system in a test environment to leverage Protected Confirmation to confirm the amount of insulin to be injected. This technology holds the promise for improved quality of life and reduced cost by enabling a person with diabetes to leverage their convenient, familiar, and secure smartphone for control rather than having to rely on a secondary, obtrusive, and expensive remote control device. (Note: The Omnipod DASH™ System is not cleared for use with Pixel 3 mobile device or Protected Confirmation). This work is fulfilling an important need in the industry. Since smartphones do not fit the mold of an FDA approved medical device, we've been working with FDA as part of DTMoSt, an industry-wide consortium, to define a standard for phones to safely control medical devices, such as insulinSince smartphones do not fit the mold of an FDA approved medical device, we've been working with FDA as part of DTMoSt, an industry-wide consortium, to define a standard for phones to safely control medical devices, such as insulin pumps. A technology like Protected Confirmation plays an important role in gaining higher assurance of user intent and medical safety. To integrate Protected Confirmation into your app, check out the Android Protected Confirmation training article. Android Protected Confirmation is an optional feature in Android Pie. Because it has low-level hardware dependencies, Protected Confirmation may not be supported by all devices running Android Pie. Google Pixel 3 and 3XL devices are the first to support Protected Confirmation, and we are working closely with other manufacturers to adopt this market-leading security innovation on more devices.

Posted by Nagendra Modadugu and Bill Richardson, Google Device Security Group[Cross-posted from the Android Developers Blog]At the Made by Google event last week, we talked about the combination of AI + Software + Hardware to help organize your information. To better protect that information at a hardware level, our new Pixel 3 and Pixel 3 XL devices include a Titan M chip.We briefly introduced Titan M and some of its benefits on our Keyword Blog, and with this post we dive into some of its technical details. Titan M is a second-generation, low-power security module designed and manufactured by Google, and is a part of the Titan family. As described in the Keyword Blog post, Titan M performs several security sensitive functions, including: Storing and enforcing the locks and rollback counters used by Android Verified Boot. Securely storing secrets and rate-limiting invalid attempts at retrieving them using the Weaver API.Providing backing for the Android Strongbox Keymaster module, including Trusted User Presence and Protected Confirmation. Titan M has direct electrical connections to the Pixel's side buttons, so a remote attacker can't fake button presses. These features are available to third-party apps, such as FIDO U2F Authentication. Enforcing factory-reset policies, so that lost or stolen phones can only be restored to operation by the authorized owner. Ensuring that even Google can't unlock a phone or install firmware updates without the owner's cooperation with Insider Attack Resistance.Including Titan M in Pixel 3 devices substantially reduces the attack surface. Because Titan M is a separate chip, the physical isolation mitigates against entire classes of hardware-level exploits such as Rowhammer, Spectre, and Meltdown. Titan M's processor, caches, memory, and persistent storage are not shared with the rest of the phone's system, so side channel attacks like these—which rely on subtle, unplanned interactions between internal circuits of a single component—are nearly impossible. In addition to its physical isolation, the Titan M chip contains many defenses to protect against external attacks. But Titan M is not just a hardened security microcontroller, but rather a full-lifecycle approach to security with Pixel devices in mind. Titan M's security takes into consideration all the features visible to Android down to the lowest level physical and electrical circuit design and extends beyond each physical device to our supply chain and manufacturing processes. At the physical level, we incorporated essential features optimized for the mobile experience: low power usage, low-latency, hardware crypto acceleration, tamper detection, and secure, timely firmware updates. We improved and invested in the supply chain for Titan M by creating a custom provisioning process, which provides us with transparency and control starting from the earliest silicon stages. Finally, in the interest of transparency, the Titan M firmware source code will be publicly available soon. While Google holds the root keys necessary to sign Titan M firmware, it will be possible to reproduce binary builds based on the public source for the purpose of binary transparency. A closer look at Titan MTitan (left) and Titan M (right)Titan M's CPU is an ARM Cortex-M3 microprocessor specially hardened against side-channel attacks and augmented with defensive features to detect and respond to abnormal conditions. The Titan M CPU core also exposes several control registers, which can be used to taper access to chip configuration settings and peripherals. Once powered on, Titan M verifies the signature of its flash-based firmware using a public key built into the chip's silicon. If the signature is valid, the flash is locked so it can't be modified, and then the firmware begins executing. Titan M also features several hardware accelerators: AES, SHA, and a programmable big number coprocessor for public key algorithms. These accelerators are flexible and can either be initialized with keys provided by firmware or with chip-specific and hardware-bound keys generated by the Key Manager module. Chip-specific keys are generated internally based on entropy derived from the True Random Number Generator (TRNG), and thus such keys are never externally available outside the chip over its entire lifetime. While implementing Titan M firmware, we had to take many system constraints into consideration. For example, packing as many security features into Titan M's 64 Kbytes of RAM required all firmware to execute exclusively off the stack. And to reduce flash-wear, RAM contents can be preserved even during low-power mode when most hardware modules are turned off. The diagram below provides a high-level view of the chip components described here. Better security through transparency and innovationAt the heart of our implementation of Titan M are two broader trends: transparency and building a platform for future innovation. Transparency around every step of the design process — from logic gates to boot code to the applications — gives us confidence in the defenses we're providing for our users. We know what's inside, how it got there, how it works, and who can make changes. Custom hardware allows us to provide new features, capabilities, and performance not readily available in off-the-shelf components. These changes allow higher assurance use cases like two-factor authentication, medical device control, P2P payments, and others that we will help develop down the road. As more of our lives are bound up in our phones, keeping those phones secure and trustworthy is increasingly important. Google takes that responsibility seriously. Titan M is just the latest step in our continuing efforts to improve the privacy and security of all our users.

Posted by David Benjamin, Chrome networking*Updated on October 17, 2018 with details about changes in other browsersTLS (Transport Layer Security) is the protocol which secures HTTPS. It has a long history stretching back to the nearly twenty-year-old TLS 1.0 and its even older predecessor, SSL. Over that time, we have learned a lot about how to build secure protocols.TLS 1.2 was published ten years ago to address weaknesses in TLS 1.0 and 1.1 and has enjoyed wide adoption since then. Today only 0.5% of HTTPS connections made by Chrome use TLS 1.0 or 1.1. These old versions of TLS rely on MD5 and SHA-1, both now broken, and contain other flaws. TLS 1.0 is no longer PCI-DSS compliant and the TLS working group has adopted a document to deprecate TLS 1.0 and TLS 1.1.In line with these industry standards, Google Chrome will deprecate TLS 1.0 and TLS 1.1 in Chrome 72. Sites using these versions will begin to see deprecation warnings in the DevTools console in that release. TLS 1.0 and 1.1 will be disabled altogether in Chrome 81. This will affect users on early release channels starting January 2020. Apple, Microsoft, and Mozilla have made similar announcements.Site administrators should immediately enable TLS 1.2 or later. Depending on server software (such as Apache or nginx), this may be a configuration change or a software update. Additionally, we encourage all sites to revisit their TLS configuration. Chrome’s current criteria for modern TLS is the following:TLS 1.2 or later.An ECDHE- and AEAD-based cipher suite. AEAD-based cipher suites are those using AES-GCM or ChaCha20-Poly1305. ECDHE_RSA_WITH_AES_128_GCM_SHA256 is the recommended option for most sites.The server signature should use SHA-2. Note this is not the signature in the certificate, made by the CA. Rather, it is the signature made by the server itself, using its private key.The older options—CBC-mode cipher suites, RSA-encryption key exchange, and SHA-1 online signatures—all have known cryptographic flaws. Each has been removed in the newly-published TLS 1.3, which is supported in Chrome 70. We retain them at prior versions for compatibility with legacy servers, but we will be evaluating them over time for eventual deprecation.None of these changes require obtaining a new certificate. Additionally, they are backwards-compatible. Where necessary, servers may enable both modern and legacy options, to continue to support legacy clients. Note, however, such support may carry security risks. (For example, see the DROWN, FREAK, and ROBOT attacks.)Over the coming Chrome releases, we will improve the DevTools Security Panel to point out deviations from these settings, and suggest improvements to the site’s configuration.Enterprise deployments can preview the TLS 1.0 and 1.1 removal today by setting the SSLVersionMin policy to “tls1.2”. For enterprise deployments that need more time, this same policy can be used to re-enable TLS 1.0 or TLS 1.1 until January 2021.

Posted by Troy Kensinger, Technical Program Manager, Android Security and PrivacyAndroid is all about choice. As such, Android strives to provide users many options to protect their data. By combining Android’s Backup Service and Google Cloud’s Titan Technology, Android has taken additional steps to securing users' data while maintaining their privacy.Starting in Android Pie, devices can take advantage of a new capability where backed-up application data can only be decrypted by a key that is randomly generated at the client. This decryption key is encrypted using the user's lockscreen PIN/pattern/passcode, which isn’t known by Google. Then, this passcode-protected key material is encrypted to a Titan security chip on our datacenter floor. The Titan chip is configured to only release the backup decryption key when presented with a correct claim derived from the user's passcode. Because the Titan chip must authorize every access to the decryption key, it can permanently block access after too many incorrect attempts at guessing the user’s passcode, thus mitigating brute force attacks. The limited number of incorrect attempts is strictly enforced by a custom Titan firmware that cannot be updated without erasing the contents of the chip. By design, this means that no one (including Google) can access a user's backed-up application data without specifically knowing their passcode.To increase our confidence that this new technology securely prevents anyone from accessing users' backed-up application data, the Android Security & Privacy team hired global cyber security and risk mitigation expert NCC Group to complete a security audit. Some of the outcomes included positives around Google’s security design processes, validation of code quality, and that mitigations for known attack vectors were already taken into account prior to launching the service. While there were some issues discovered during this audit, engineers corrected them quickly. For more details on how the end-to-end service works and a detailed report of NCC Group’s findings, click here.Getting external reviews of our security efforts is one of many ways that Google and Android maintain transparency and openness which in turn helps users feel safe when it comes to their data. Whether it’s 100s of hours of gaming data or your personalized preferences in your favorite Google apps, our users' information is protected.We want to acknowledge contributions from Shabsi Walfish, Software Engineering Lead, Identity and Authentication to this effort

Posted by Sami Tolvanen, Staff Software Engineer, Android Security & Privacy[Cross-posted from the Android Developers Blog]Android's security model is enforced by the Linux kernel, which makes it a tempting target for attackers. We have put a lot of effort into hardening the kernel in previous Android releases and in Android 9, we continued this work by focusing on compiler-based security mitigations against code reuse attacks. Google's Pixel 3 will be the first Android device to ship with LLVM's forward-edge Control Flow Integrity (CFI) enforcement in the kernel, and we have made CFI support available in Android kernel versions 4.9 and 4.14. This post describes how kernel CFI works and provides solutions to the most common issues developers might run into when enabling the feature. Protecting against code reuse attacksA common method of exploiting the kernel is using a bug to overwrite a function pointer stored in memory, such as a stored callback pointer or a return address that had been pushed to the stack. This allows an attacker to execute arbitrary parts of the kernel code to complete their exploit, even if they cannot inject executable code of their own. This method of gaining code execution is particularly popular with the kernel because of the huge number of function pointers it uses, and the existing memory protections that make code injection more challenging. CFI attempts to mitigate these attacks by adding additional checks to confirm that the kernel's control flow stays within a precomputed graph. This doesn't prevent an attacker from changing a function pointer if a bug provides write access to one, but it significantly restricts the valid call targets, which makes exploiting such a bug more difficult in practice. Figure 1. In an Android device kernel, LLVM's CFI limits 55% of indirect calls to at most 5 possible targets and 80% to at most 20 targets.Gaining full program visibility with Link Time Optimization (LTO)In order to determine all valid call targets for each indirect branch, the compiler needs to see all of the kernel code at once. Traditionally, compilers work on a single compilation unit (source file) at a time and leave merging the object files to the linker. LLVM's solution to CFI is to require the use of LTO, where the compiler produces LLVM-specific bitcode for all C compilation units, and an LTO-aware linker uses the LLVM back-end to combine the bitcode and compile it into native code. Figure 2. A simplified overview of how LTO works in the kernel. All LLVM bitcode is combined, optimized, and generated into native code at link time.Linux has used the GNU toolchain for assembling, compiling, and linking the kernel for decades. While we continue to use the GNU assembler for stand-alone assembly code, LTO requires us to switch to LLVM's integrated assembler for inline assembly, and either GNU gold or LLVM's own lld as the linker. Switching to a relatively untested toolchain on a huge software project will lead to compatibility issues, which we have addressed in our arm64 LTO patch sets for kernel versions 4.9 and 4.14. In addition to making CFI possible, LTO also produces faster code due to global optimizations. However, additional optimizations often result in a larger binary size, which may be undesirable on devices with very limited resources. Disabling LTO-specific optimizations, such as global inlining and loop unrolling, can reduce binary size by sacrificing some of the performance gains. When using GNU gold, the aforementioned optimizations can be disabled with the following additions to LDFLAGS: LDFLAGS += -plugin-opt=-inline-threshold=0 \ -plugin-opt=-unroll-threshold=0Note that flags to disable individual optimizations are not part of the stable LLVM interface and may change in future compiler versions. Implementing CFI in the Linux kernelLLVM's CFI implementation adds a check before each indirect branch to confirm that the target address points to a valid function with a correct signature. This prevents an indirect branch from jumping to an arbitrary code location and even limits the functions that can be called. As C compilers do not enforce similar restrictions on indirect branches, there were several CFI violations due to function type declaration mismatches even in the core kernel that we have addressed in our CFI patch sets for kernels 4.9 and 4.14. Kernel modules add another complication to CFI, as they are loaded at runtime and can be compiled independently from the rest of the kernel. In order to support loadable modules, we have implemented LLVM's cross-DSO CFI support in the kernel, including a CFI shadow that speeds up cross-module look-ups. When compiled with cross-DSO support, each kernel module contains information about valid local branch targets, and the kernel looks up information from the correct module based on the target address and the modules' memory layout. Figure 3. An example of a cross-DSO CFI check injected into an arm64 kernel. Type information is passed in X0 and the target address to validate in X1.CFI checks naturally add some overhead to indirect branches, but due to more aggressive optimizations, our tests show that the impact is minimal, and overall system performance even improved 1-2% in many cases. Enabling kernel CFI for an Android deviceCFI for arm64 requires clang version >= 5.0 and binutils >= 2.27. The kernel build system also assumes that the LLVMgold.so plug-in is available in LD_LIBRARY_PATH. Pre-built toolchain binaries for clang and binutils are available in AOSP, but upstream binaries can also be used. The following kernel configuration options are needed to enable kernel CFI: CONFIG_LTO_CLANG=yCONFIG_CFI_CLANG=yUsing CONFIG_CFI_PERMISSIVE=y may also prove helpful when debugging a CFI violation or during device bring-up. This option turns a violation into a warning instead of a kernel panic. As mentioned in the previous section, the most common issue we ran into when enabling CFI on Pixel 3 were benign violations caused by function pointer type mismatches. When the kernel runs into such a violation, it prints out a runtime warning that contains the call stack at the time of the failure, and the call target that failed the CFI check. Changing the code to use a correct function pointer type fixes the issue. While we have fixed all known indirect branch type mismatches in the Android kernel, similar problems may be still found in device specific drivers, for example. CFI failure (target: [<fffffff3e83d4d80>] my_target_function+0x0/0xd80):------------[ cut here ]------------kernel BUG at kernel/cfi.c:32!Internal error: Oops - BUG: 0 [#1] PREEMPT SMP…Call trace:…[<ffffff8752d00084>] handle_cfi_failure+0x20/0x28[<ffffff8752d00268>] my_buggy_function+0x0/0x10…Figure 4. An example of a kernel panic caused by a CFI failure.Another potential pitfall are address space conflicts, but this should be less common in driver code. LLVM's CFI checks only understand kernel virtual addresses and any code that runs at another exception level or makes an indirect call to a physical address will result in a CFI violation. These types of failures can be addressed by disabling CFI for a single function using the __nocfi attribute, or even disabling CFI for entire code files using the $(DISABLE_CFI) compiler flag in the Makefile. static int __nocfi address_space_conflict(){ void (*fn)(void); …/* branching to a physical address trips CFI w/o __nocfi */ fn = (void *)__pa_symbol(function_name); cpu_install_idmap(); fn(); cpu_uninstall_idmap(); …}Figure 5. An example of fixing a CFI failure caused by an address space conflict.Finally, like many hardening features, CFI can also be tripped by memory corruption errors that might otherwise result in random kernel crashes at a later time. These may be more difficult to debug, but memory debugging tools such as KASAN can help here. ConclusionWe have implemented support for LLVM's CFI in Android kernels 4.9 and 4.14. Google's Pixel 3 will be the first Android device to ship with these protections, and we have made the feature available to all device vendors through the Android common kernel. If you are shipping a new arm64 device running Android 9, we strongly recommend enabling kernel CFI to help protect against kernel vulnerabilities. LLVM's CFI protects indirect branches against attackers who manage to gain access to a function pointer stored in kernel memory. This makes a common method of exploiting the kernel more difficult. Our future work involves also protecting function return addresses from similar attacks using LLVM's Shadow Call Stack, which will be available in an upcoming compiler release.

Posted by James Wagner, Chrome Extensions Product Manager[Cross-posted from the Chromium blog] Incredibly, it’s been nearly a decade since we launched the Chrome extensions system. Thanks to the hard work and innovation of our developer community, there are now more than 180,000 extensions in the Chrome Web Store, and nearly half of Chrome desktop users actively use extensions to customize Chrome and their experience on the web.The extensions team's dual mission is to help users tailor Chrome’s functionality to their individual needs and interests, and to empower developers to build rich and useful extensions. But, first and foremost, it’s crucial that users be able to trust the extensions they install are safe, privacy-preserving, and performant. Users should always have full transparency about the scope of their extensions’ capabilities and data access.We’ve recently taken a number of steps toward improved extension security with the launch of out-of-process iframes, the removal of inline installation, and significant advancements in our ability to detect and block malicious extensions using machine learning. Looking ahead, there are more fundamental changes needed so that all Chrome extensions are trustworthy by default.Today we’re announcing some upcoming changes and plans for the future:User controls for host permissionsBeginning in Chrome 70, users will have the choice to restrict extension host access to a custom list of sites, or to configure extensions to require a click to gain access to the current page.While host permissions have enabled thousands of powerful and creative extension use cases, they have also led to a broad range of misuse - both malicious and unintentional - because they allow extensions to automatically read and change data on websites. Our aim is to improve user transparency and control over when extensions are able to access site data. In subsequent milestones, we’ll continue to optimize the user experience toward this goal while improving usability. If your extension requests host permissions, we encourage you to review our transition guide and begin testing as soon as possible.Changes to the extensions review processGoing forward, extensions that request powerful permissions will be subject to additional compliance review. We’re also looking very closely at extensions that use remotely hosted code, with ongoing monitoring. Your extension’s permissions should be as narrowly-scoped as possible, and all your code should be included directly in the extension package, to minimize review time.New code reliability requirementsStarting today, Chrome Web Store will no longer allow extensions with obfuscated code. This includes code within the extension package as well as any external code or resource fetched from the web. This policy applies immediately to all new extension submissions. Existing extensions with obfuscated code can continue to submit updates over the next 90 days, but will be removed from the Chrome Web Store in early January if not compliant.Today over 70% of malicious and policy violating extensions that we block from Chrome Web Store contain obfuscated code. At the same time, because obfuscation is mainly used to conceal code functionality, it adds a great deal of complexity to our review process. This is no longer acceptable given the aforementioned review process changes.Additionally, since JavaScript code is always running locally on the user's machine, obfuscation is insufficient to protect proprietary code from a truly motivated reverse engineer. Obfuscation techniques also come with hefty performance costs such as slower execution and increased file and memory footprints.Ordinary minification, on the other hand, typically speeds up code execution as it reduces code size, and is much more straightforward to review. Thus, minification will still be allowed, including the following techniques:Removal of whitespace, newlines, code comments, and block delimitersShortening of variable and function namesCollapsing the number of JavaScript filesIf you have an extension in the store with obfuscated code, please review our updated content policies as well as our recommended minification techniques for Google Developers, and submit a new compliant version before January 1st, 2019.Required 2-step verificationIn 2019, enrollment in 2-Step Verification will be required for Chrome Web Store developer accounts. If your extension becomes popular, it can attract attackers who want to steal it by hijacking your account, and 2-Step Verification adds an extra layer of security by requiring a second authentication step from your phone or a physical security key. We strongly recommend that you enroll as soon as possible.For even stronger account security, consider the Advanced Protection Program. Advanced protection offers the same level of security that Google relies on for its own employees, requiring a physical security key to provide the strongest defense against phishing attacks.Looking ahead: Manifest v3In 2019 we will introduce the next extensions manifest version. Manifest v3 will entail additional platform changes that aim to create stronger security, privacy, and performance guarantees. We want to help all developers fall into the pit of success; writing a secure and performant extension in Manifest v3 should be easy, while writing an insecure or non-performant extension should be difficult.Some key goals of manifest v3 include:More narrowly-scoped and declarative APIs, to decrease the need for overly-broad access and enable more performant implementation by the browser, while preserving important functionalityAdditional, easier mechanisms for users to control the permissions granted to extensionsModernizing to align with new web capabilities, such as supporting Service Workers as a new type of background processWe intend to make the transition to manifest v3 as smooth as possible and we’re thinking carefully about the rollout plan. We’ll be in touch soon with more specific details.We recognize that some of the changes announced today may require effort in the future, depending on your extension. But we believe the collective result will be worth that effort for all users, developers, and for the long term health of the Chrome extensions ecosystem. We’re committed to working with you to transition through these changes and are very interested in your feedback. If you have questions or comments, please get in touch with us on the Chromium extensions forum.

table, th, td { border: 1px solid black; } td { width:100px; } Posted by Jason Woloz and Mayank Jain, Android Security & Privacy Team[Cross-posted from the Android Developers Blog]Our Android and Play security reward programs help us work with top researchers from around the world to improve Android ecosystem security every day. Thank you to all the amazing researchers who submitted vulnerability reports. Android Security RewardsIn the ASR program's third year, we received over 470 qualifying vulnerability reports from researchers and the average pay per researcher jumped by 23%. To date, the ASR program has rewarded researchers with over $3M, paying out roughly $1M per year. Here are some of the highlights from the Android Security Rewards program's third year: There were no payouts for our highest possible reward: a complete remote exploit chain leading to TrustZone or Verified Boot compromise. 99 individuals contributed one or more fixes. The ASR program's reward averages were $2,600 per reward and $12,500 per researcher. Guang Gong received our highest reward amount to date: $105,000 for his submission of a remote exploit chain. As part of our ongoing commitment to security we regularly update our programs and policies based on ecosystem feedback. We also updated our severity guidelines for evaluating the impact of reported security vulnerabilities against the Android platform. Google Play Security RewardsIn October 2017, we rolled out the Google Play Security Reward Program to encourage security research into popular Android apps available on Google Play. So far, researchers have reported over 30 vulnerabilities through the program, earning a combined bounty amount of over $100K. If undetected, these vulnerabilities could have potentially led to elevation of privilege, access to sensitive data and remote code execution on devices. Keeping devices secureIn addition to rewarding for vulnerabilities, we continue to work with the broad and diverse Android ecosystem to protect users from issues reported through our program. We collaborate with manufacturers to ensure that these issues are fixed on their devices through monthly security updates. Over 250 device models have a majority of their deployed devices running a security update from the last 90 days. This table shows the models with a majority of deployed devices running a security update from the last three months: ManufacturerDeviceANSL50AsusZenFone 5Z (ZS620KL/ZS621KL), ZenFone Max Plus M1 (ZB570TL), ZenFone 4 Pro (ZS551KL), ZenFone 5 (ZE620KL), ZenFone Max M1 (ZB555KL), ZenFone 4 (ZE554KL), ZenFone 4 Selfie Pro (ZD552KL), ZenFone 3 (ZE552KL), ZenFone 3 Zoom (ZE553KL), ZenFone 3 (ZE520KL), ZenFone 3 Deluxe (ZS570KL), ZenFone 4 Selfie (ZD553KL), ZenFone Live L1 (ZA550KL), ZenFone 5 Lite (ZC600KL), ZenFone 3s Max (ZC521TL)BlackBerryBlackBerry MOTION, BlackBerry KEY2BluGrand XL LTE, Vivo ONE, R2_3G, Grand_M2, BLU STUDIO J8 LTEbqAquaris V Plus, Aquaris V, Aquaris U2 Lite, Aquaris U2, Aquaris X, Aquaris X2, Aquaris X Pro, Aquaris U Plus, Aquaris X5 Plus, Aquaris U lite, Aquaris UDocomoF-04K, F-05J, F-03HEssential ProductsPH-1FujitsuF-01KGeneral MobileGM8, GM8 GoGooglePixel 2 XL, Pixel 2, Pixel XL, PixelHTCU12+, HTC U11+HuaweiHonor Note10, nova 3, nova 3i, Huawei Nova 3I, 荣耀9i, 华为G9青春版, Honor Play, G9青春版, P20 Pro, Honor V9, huawei nova 2, P20 lite, Honor 10, Honor 8 Pro, Honor 6X, Honor 9, nova 3e, P20, PORSCHE DESIGN HUAWEI Mate RS, FRD-L02, HUAWEI Y9 2018, Huawei Nova 2, Honor View 10, HUAWEI P20 Lite, Mate 9 Pro, Nexus 6P, HUAWEI Y5 2018, Honor V10, Mate 10 Pro, Mate 9, Honor 9, Lite, 荣耀9青春版, nova 2i, HUAWEI nova 2 Plus, P10 lite, nova 青春版本, FIG-LX1, HUAWEI G Elite Plus, HUAWEI Y7 2018, Honor 7S, HUAWEI P smart, P10, Honor 7C, 荣耀8青春版, HUAWEI Y7 Prime 2018, P10 Plus, 荣耀畅玩7X, HUAWEI Y6 2018, Mate 10 lite, Honor 7A, P9 Plus, 华为畅享8, honor 6x, HUAWEI P9 lite mini, HUAWEI GR5 2017, Mate 10ItelP13KyoceraX3LanixAlpha_950, Ilium X520LavaZ61, Z50LGELG Q7+, LG G7 ThinQ, LG Stylo 4, LG K30, V30+, LG V35 ThinQ, Stylo 2 V, LG K20 V, ZONE4, LG Q7, DM-01K, Nexus 5X, LG K9, LG K11MotorolaMoto Z Play Droid, moto g(6) plus, Moto Z Droid, Moto X (4), Moto G Plus (5th Gen), Moto Z (2) Force, Moto G (5S) Plus, Moto G (5) Plus, moto g(6) play, Moto G (5S), moto e5 play, moto e(5) play, moto e(5) cruise, Moto E4, Moto Z Play, Moto G (5th Gen)NokiaNokia 8, Nokia 7 plus, Nokia 6.1, Nokia 8 Sirocco, Nokia X6, Nokia 3.1OnePlusOnePlus 6, OnePlus5T, OnePlus3T, OnePlus5, OnePlus3OppoCPH1803, CPH1821, CPH1837, CPH1835, CPH1819, CPH1719, CPH1613, CPH1609, CPH1715, CPH1861, CPH1831, CPH1801, CPH1859, A83, R9s PlusPositivoTwist, Twist MiniSamsungGalaxy A8 Star, Galaxy J7 Star, Galaxy Jean, Galaxy On6, Galaxy Note9, Galaxy J3 V, Galaxy A9 Star, Galaxy J7 V, Galaxy S8 Active, Galaxy Wide3, Galaxy J3 Eclipse, Galaxy S9+, Galaxy S9, Galaxy A9 Star Lite, Galaxy J7 Refine, Galaxy J7 Max, Galaxy Wide2, Galaxy J7(2017), Galaxy S8+, Galaxy S8, Galaxy A3(2017), Galaxy Note8, Galaxy A8+(2018), Galaxy J3 Top, Galaxy J3 Emerge, Galaxy On Nxt, Galaxy J3 Achieve, Galaxy A5(2017), Galaxy J2(2016), Galaxy J7 Pop, Galaxy A6, Galaxy J7 Pro, Galaxy A6 Plus, Galaxy Grand Prime Pro, Galaxy J2 (2018), Galaxy S6 Active, Galaxy A8(2018), Galaxy J3 Pop, Galaxy J3 Mission, Galaxy S6 edge+, Galaxy Note Fan Edition, Galaxy J7 Prime, Galaxy A5(2016)Sharpシンプルスマホ４, AQUOS sense plus (SH-M07), AQUOS R2 SH-03K, X4, AQUOS R SH-03J, AQUOS R2 SHV42, X1, AQUOS sense lite (SH-M05)SonyXperia XZ2 Premium, Xperia XZ2 Compact, Xperia XA2, Xperia XA2 Ultra, Xperia XZ1 Compact, Xperia XZ2, Xperia XZ Premium, Xperia XZ1, Xperia L2, Xperia XTecnoF1, CAMON I AceVestelVestel Z20Vivovivo 1805, vivo 1803, V9 6GB, Y71, vivo 1802, vivo Y85A, vivo 1726, vivo 1723, V9, vivo 1808, vivo 1727, vivo 1724, vivo X9s Plus, Y55s, vivo 1725, Y66, vivo 1714, 1609, 1601VodafoneVodafone Smart N9XiaomiMi A2, Mi A2 Lite, MI 8, MI 8 SE, MIX 2S, Redmi 6Pro, Redmi Note 5 Pro, Redmi Note 5, Mi A1, Redmi S2, MI MAX 2, MI 6XZTEBLADE A6 MAXThank you to everyone internally and externally who helped make Android safer and stronger in the past year. Together, we made a huge investment in security research that helps Android users everywhere. If you want to get involved to make next year even better, check out our detailed program rules. For tips on how to submit complete reports, see Bug Hunter University.

Posted by Thai Duong, Information Security Engineer, on behalf of Tink teamAt Google, many product teams use cryptographic techniques to protect user data. In cryptography, subtle mistakes can have serious consequences, and understanding how to implement cryptography correctly requires digesting decades' worth of academic literature. Needless to say, many developers don’t have time for that.To help our developers ship secure cryptographic code we’ve developed Tink—a multi-language, cross-platform cryptographic library. We believe in open source and want Tink to become a community project—thus Tink has been available on GitHub since the early days of the project, and it has already attracted several external contributors. At Google, Tink is already being used to secure data of many products such as AdMob, Google Pay, Google Assistant, Firebase, the Android Search App, etc. After nearly two years of development, today we’re excited to announce Tink 1.2.0, the first version that supports cloud, Android, iOS, and more!Tink aims to provide cryptographic APIs that are secure, easy to use correctly, and hard(er) to misuse. Tink is built on top of existing libraries such as BoringSSL and Java Cryptography Architecture, but includes countermeasures to many weaknesses in these libraries, which were discovered by Project Wycheproof, another project from our team.With Tink, many common cryptographic operations such as data encryption, digital signatures, etc. can be done with only a few lines of code. Here is an example of encrypting and decrypting with our AEAD interface in Java: import com.google.crypto.tink.Aead;    import com.google.crypto.tink.KeysetHandle;    import com.google.crypto.tink.aead.AeadFactory;    import com.google.crypto.tink.aead.AeadKeyTemplates;    // 1. Generate the key material.    KeysetHandle keysetHandle = KeysetHandle.generateNew(        AeadKeyTemplates.AES256_EAX);    // 2. Get the primitive.    Aead aead = AeadFactory.getPrimitive(keysetHandle);    // 3. Use the primitive.    byte[] plaintext = ...;    byte[] additionalData = ...;    byte[] ciphertext = aead.encrypt(plaintext, additionalData);Tink aims to eliminate as many potential misuses as possible. For example, if the underlying encryption mode requires nonces and nonce reuse makes it insecure, then Tink does not allow the user to pass nonces. Interfaces have security guarantees that must be satisfied by each primitive implementing the interface. This may exclude some encryption modes. Rather than adding them to existing interfaces and weakening the guarantees of the interface, it is possible to add new interfaces and describe the security guarantees appropriately.We’re cryptographers and security engineers working to improve Google’s product security, so we built Tink to make our job easier. Tink shows the claimed security properties (e.g., safe against chosen-ciphertext attacks) right in the interfaces, allowing security auditors and automated tools to quickly discover usages where the security guarantees don’t match the security requirements. Tink also isolates APIs for potentially dangerous operations (e.g., loading cleartext keys from disk), which allows discovering, restricting, monitoring and logging their usage.Tink provides support for key management, including key rotation and phasing out deprecated ciphers. For example, if a cryptographic primitive is found to be broken, you can switch to a different primitive by rotating keys, without changing or recompiling code.Tink is also extensible by design: it is easy to add a custom cryptographic scheme or an in-house key management system so that it works seamlessly with other parts of Tink. No part of Tink is hard to replace or remove. All components are composable, and can be selected and assembled in various combinations. For example, if you need only digital signatures, you can exclude symmetric key encryption components to minimize code size in your application.To get started, please check out our HOW-TO for Java, C++ and Obj-C. If you'd like to talk to the developers or get notified about project updates, you may want to subscribe to our mailing list. To join, simply send an empty email to tink-users+subscribe@googlegroups.com. You can also post your questions to StackOverflow, just remember to tag them with tink.We’re excited to share this with the community, and welcome your feedback!

Posted by Dave Kleidermacher, VP, Head of Security - Android, Chrome OS, Play[Cross-posted from the Android Developers Blog]At Google I/O 2018, in our What's New in Android Security session, we shared a brief update on the Android security updates program. With the official release of Android 9 Pie, we wanted to share a more comprehensive update on the state of security updates, including best practice guidance for manufacturers, how we're making Android easier to update, and how we're ensuring compliance to Android security update releases. Commercial Best Practices around Android Security UpdatesAs we noted in our 2017 Android Security Year-in-Review, Android's anti-exploitation strength now leads the mobile industry and has made it exceedingly difficult and expensive to leverage operating system bugs into compromises. Nevertheless, an important defense-in-depth strategy is to ensure critical security updates are delivered in a timely manner. Monthly security updates are the recommended best practice for Android smartphones. We deliver monthly Android source code patches to smartphone manufacturers so they may incorporate those patches into firmware updates. We also deliver firmware updates over-the-air to Pixel devices on a reliable monthly cadence and offer the free use of Google's firmware over-the-air (FOTA) servers to manufacturers. Monthly security updates are also required for devices covered under the Android One program. While monthly security updates are best, at minimum, Android manufacturers should deliver regular security updates in advance of coordinated disclosure of high severity vulnerabilities, published in our Android bulletins. Since the common vulnerability disclosure window is 90 days, updates on a 90-day frequency represents a minimum security hygiene requirement. Enterprise Best PracticesProduct security factors into purchase decisions of enterprises, who often consider device security update cadence, flexibility of policy controls, and authentication features. Earlier this year, we introduced the Android Enterprise Recommended program to help businesses make these decisions. To be listed, Android devices must satisfy numerous requirements, including regular security updates: at least every 90 days, with monthly updates strongly recommended. In addition to businesses, consumers interested in understanding security update practices and commitment may also refer to the Enterprise Recommended list. Making Android Easier to UpdateWe've also been working to make Android easier to update, overall. A key pillar of that strategy is to improve modularity and clarity of interfaces, enabling operating system subsystems to be updated without adversely impacting others. Project Treble is one example of this strategy in action and has enabled devices to update to Android P more easily and efficiently than was possible in previous releases. The modularity strategy applies equally well for security updates, as a framework security update can be performed independently of device specific components. Another part of the strategy involves the extraction of operating system services into user-mode applications that can be updated independently, and sometimes more rapidly, than the base operating system. For example, Google Play services, including secure networking components, and the Chrome browser can be updated individually, just like other Google Play apps. Partner programs are a third key pillar of the updateability strategy. One example is the GMS Express program, in which Google is working closely with system-on-chip (SoC) suppliers to provide monthly pre-integrated and pre-tested Android security updates for SoC reference designs, reducing cost and time to market for delivering them to users. Security Patch Level ComplianceRecently, researchers reported a handful of missing security bug fixes across some Android devices. Initial reports had several inaccuracies, which have since been corrected. We have been developing security update testing systems that are now making compliance failures less likely to occur. In particular, we recently delivered a new testing infrastructure that enables manufacturers to develop and deploy automated tests across lower levels of the firmware stack that were previously relegated to manual testing. In addition, the Android build approval process now includes scanning of device images for specific patterns, reducing the risk of omission. Looking ForwardIn 2017, about a billion Android devices received security updates, representing approximately 30% growth over the preceding year. We continue to work hard devising thoughtful strategies to make Android easier to update by introducing improved processes and programs for the ecosystem. In addition, we are also working to drive increased and more expedient partner adoption of our security update and compliance requirements. As a result, over coming quarters, we expect the largest ever growth in the number of Android devices receiving regular security updates. Bugs are inevitable in all complex software systems, but exploitability of those bugs is not. We're working hard to ensure that the incidence of potentially harmful exploitation of bugs continues to decline, such that the frequency for security updates will reduce, not increase, over time. While monthly security updates represents today's best practice, we see a future in which security updates becomes easier and rarer, while maintaining the same goal to protect all users across all devices.

Posted by Shane Huntley, Threat Analysis GroupTLDR: Government-backed phishing has been in the news lately. If you receive a warning in Gmail, be sure to take prompt action. Get two-factor authentication on your account. And consider enrolling in the Advanced Protection Program.One of the main threats to all email users (whatever service you use) is phishing, attempts to trick you into providing a password that an attacker can use to sign into your account. Our ​improving ​technology has enabled ​us to ​significantly ​decrease ​the ​volume ​of ​phishing ​emails that ​get ​through to our users. ​ Automated ​protections, ​account ​security ​(like ​security ​keys), ​and specialized ​warnings give ​Gmail users industry-leading ​security.Beyond phishing for the purposes of fraud, a small minority of users in all corners of the world are still targeted by sophisticated government-backed attackers. These attempts come from dozens of countries. Since 2012, we've shown prominent warnings within Gmail notifying users that they may be targets of these types of phishing attempts; we show thousands of these warnings every month, even if we have blocked the specific attempt.We also send alerts to G Suite administrators if someone in their corporate network may have been the target of government-backed phishing. And we regularly post public advisories to make sure that people are aware of this risk.This is what an account warning looks like; an extremely small fraction of users will ever see one of these, but if you receive this warning from us, it's important to take immediate action on it.We intentionally send these notices in batches to all users who may be at risk, rather than at the moment we detect the threat itself, so that attackers cannot track some of our defense strategies. We have an expert team in our Threat Analysis Group, and we use a variety of technologies to detect these attempts. We also notify law enforcement about what we’re seeing; they have additional tools to investigate these attacks.We hope you never receive this type of warning, but if you do, please take action right away to enhance the security of your accounts.Even if you don’t receive such a warning, you should enable 2-step verification in Gmail. And if you think you’re at particular risk of government-backed phishing, consider enrolling in the Advanced Protection Program, which provides even stronger levels of security.

Posted by Eric Brown and Marc Henson, Trust & SafetySince 2010, Google’s Vulnerability Reward Programs have awarded more than $12 million dollars to researchers and created a thriving Google-focused security community. For the past two years, some of these rewards were for bug reports that were not strictly security vulnerabilities, but techniques that allow third parties to successfully bypass our abuse, fraud, and spam systems.Today, we are expanding our Vulnerability Reward Program to formally invite researchers to submit these reports.This expansion is intended to reward research that helps us mitigate potential abuse methods. A few examples of potentially valid reports for this program could include bypassing our account recovery systems at scale, identifying services vulnerable to brute force attacks, circumventing restrictions on content use and sharing, or purchasing items from Google without paying. Valid reports tend to result in changes to the product’s code, as opposed to removal of individual pieces of content.This program does not cover individual instances of abuse, such as the posting of content that violates our guidelines or policies, sending spam emails, or providing links to malware. These should continue to be reported through existing product-specific channels, such as for Google+, YouTube, Gmail, and Blogger.Reports submitted to our Vulnerability Reward Program that outline abuse methods are reviewed by experts on our Trust & Safety team, which specializes in the prevention and mitigation of abuse, fraud, and spam activity on our products.We greatly value our relationship with the research community, and we’re excited to expand on it to help make the internet a safer place for everyone. To learn more, see our updated rules.Happy hunting!

CoalaBot appears to be build on August Stealer code (Panel and Traffic are really alike)I found it spread as a tasks in a Betabot and in an Andromeda spread via RIG fed by at least one HilltopAds malvertising. 2017-09-11: a witnessed infection chain to CoalaBotA look inside :CoalaBot: Login Screen(August Stealer alike) CoalaBot: StatisticsCoalaBot: BotsCoalaBot: TasksCoalaBot: TasksCoalaBot: New Taks (list)CoalaBot: https get task detailsCoalaBot: http post task detailsCoalaBot: SettingsHere is the translated associated advert published on 2017-08-23 by a user going with nick : Discomrade.(Thanks to Andrew Komarov and others who provided help here).------------------------------------------Coala Http Ddos Bot The software focuses on L7 attacks (HTTP). Lower levels have more primitive attacks.Attack types:• ICMP (PING) FLOOD• UDP FLOOD• TCP FLOOD• HTTP ARME• HTTP GET *• HTTP POST *• HTTP SLOWLORIS *• HTTP PULSE WAVE ** - Supports SMART mode, i.e. bypasses Cloudflare/Blazingfast and similar services (but doesn’t bypass CAPTCHA). All types except ICMP/UDP have support for using SSL.Binary:• .NET 2.0 x86 (100% working capacity WIN XP - WIN 7, on later versions ОС .NET 2.0 disabled by default)• ~100kb after obfuscation• Auto Backup (optional)• Low CPU load for efficient use• Encryption of incoming/outgoing traffic• No installation on machines from former CIS countries(RU/UA/BL/KZ/...)• Scan time non-FUD. Contact us if you need a recommendation for a good crypting service.• Ability to link a build to more than one gate.Panel:• Detailed statistics on time online/architecture/etc. • List of bots, detailed information• Number count of requests per second (total/for each bot)• Creation of groups for attacks• Auto sorting of bots by groups • Creation of tasks, the ability to choose by group/country• Setting an optional time for bots success rate Other:• Providing macros for randomization of sent data • Support of .onion gate• Ability to install an additional layer (BOT => LAYER => MAIN GATE) Requirements:• PHP 5.6 or higher• MySQL• Мodule for MySQLi(mysqli_nd); php-mbstring, php-json, php-mcrypt extensionsScreenshots:• Statistics- http://i.imgur.com/FUevsaS.jpg• Bots - http://i.imgur.com/nDwl9pY.jpg• Created tasks - http://i.imgur.com/RltiDhl.png• Task List - http://i.imgur.com/tqEEpX0.jpg• Settings - http://i.imgur.com/EbhExjE.jpgPrice:• $300 - build and panel. Up to 3 gates for one build.• $20 - rebuildThe price can vary depending on updates.Escrow service is welcome.Help with installation is no charge.------------------------------------------Sample:VT linkMD5 f3862c311c67cb027a06d4272b680a3bSHA1 0ff1584eec4fc5c72439d94e8cee922703c44049SHA256 fd07ad13dbf9da3f7841bc0dbfd303dc18153ad36259d9c6db127b49fa01d08fEmerging Threats rules :2024531 || ET TROJAN MSIL/CoalaBot CnC ActivityRead More:August in November: New Information Stealer Hits the Scene - 2016-12-07 - Proofpoint

Nebula LogoWhile Empire (RIG-E) disappeared at the end of December after 4 months of activityIllustration of  the last month of witnessed Activity for Empireon 2017-02-17 an advert for a new exploit kit dubbed Nebula appeared underground.------Selling EK Nebula------Nebula Exploit kitFeatures:-Automatic domain scanning and generating (99% FUD)-API rotator domains-Exploit rate tested in different traffic go up 8/19%-knock rate tested whit popular botnet go 30/70%-Clean and modern user interface-Custom domains & server ( add & point your own domains coming soon...)-Unlimited flows & files-Scan file & domains-Multiple payload file types supported (exe , dll , js, vbs)-Multi. geo flow (split loads by country & file)-Remote file support ( check every 1 minute if file hash change ; if changed replace ) for automatic crypting-Public stats by file & flow-latest CVE-2016 CVE-2017-custom features just ask supportSubscriptions:24h - 100$7d - 600$31d - 2000$Jabber - nebula-support@xmpp.jpOffering free tests to trusted users ------In same thread some screenshots were shared by a customer.Earlier that same day, colleagues at Trendmicro told me they were seeing activity from a group we are following under the name "GamiNook" (illustration coming later) in Japan redirecting traffic to a variation of Sundown."GamiNook" redirecting to a Sundown Variation in Japan - 2017-02-17Payload : Pitou (6f9d71eebe319468927f74b93c820ce4 ) This Sundown variation was not so much different from the mainstream one.No "index.php?" in the landing URI, different domain pattern but same landing, exploits, etc... Some payload sent in clear (01.php) other RC4 encoded (00.php) as for Sundown.Digging more it appeared it was featuring an Internal TDS (as Empire). The same exact call would give you a different payload in France or in United Kingdom/Japan."GamiNook" traffic with geo in France - 2017-02-17Identicall payload call gives you Gootkit instead of PitouPayload : Gootkit (48ae9a5d10085e5f6a1221cd1eedade6)Note: to be sure that the payload difference is tied to Geo and not time based (rotation or operator changing it ) you need to make at least a third pass with first Geo and ensure dropped sample is identical as in first pass.At that point you can only suspect this Sundown variant might be Nebula (even if clues are multiple, a funny one being that the traffic illustrated in the advert thread is quite inline with the one captured in France).So I was naming that variation: Sundown-N. Intel shared by Frank Ruiz (FoxIT) on the 21st allowed me to know for sure this traffic was indeed Nebula.The following days i saw other actor sending traffic to this EK.Taxonomy tied to Nebula Activity in MISP - 2017-03-02Taxonomy tied to GamiNook traffic activity, EK and resulting payloadToday URI pattern changed from this morning :/?yWnuAH-XgstCZ3E=tCi6ZGr10KUDHiaOgKVNolmBgpc3rkRp-weok1A2JV-gkpS0luBwQDdM/?yXy3HX2F=tCu_Mj322aEBSXjYhatLoVmBgZJh_0Fg_wX_zQYxIg6nksDowOciFzNB/?yXzbGV2jkcB_eU8=4ya6MDz31KdQTi7ahapLolnWjJdj_EJt-VT4mwQxIQ6gksTllrB3EGRM/?ykjaKniEk6ZhH1-P=si-8YGj_1aANTynfh6Ye81mHhZE0_RNs_gn5nAExcV6okpTknOQgEmNN/?z0vDa0iBu-Q=tHnqNT_-1KcGGCzfhqVKoVmB08dm_BJt-QKumQEwJA2nksGyk-QhQDRA/?z13qMVqqoKRvTw=5S--Y2uk0apQGiyOhvdI81nQhZMwqxVo9FSsmVAyIgiokpPnl-V0QDIf/?z1fECTiT=sy7tYmz206FUGCvagKpK9VmGhMAxrxZq_1CungQwdF71ksDowOciFzNB/?zVnra0OCs9k=syjqMjel06ADFHuP0qNKolmGgsdh9BZq_geizlFkcQ2gksTllrB3EGRM/?zVnra0OCs9k=syjqMjel06ADFHuP0qNKolmGgsdh9BZq_geizlFkcQ2gksW2w7QsRTIf/?zWnBFniM=4Ca9Zjej0PRTGC3e06FJp1nVjJA1rBRpqleumABkJF2hksTllrB3EGRM/?zn3iKU_xjeNxWw=sHu7MTry2aoAFCyKgKUY8FmF0ZZi_kFg9ASimVQ2cl-lksTllrB3EGRM/?zy3jN0Gvi9RjY02F2g=4H27Yjn-0_EBHSrc26MfoVnV15Yx-hJqrwWrnwJjcVqnkpTknOQgEmNN(which is Sundown/Beps without the index.php) to/86fb7c1b/showpost.php?s=af75b6af5d0f08cf675149da13b1d3e4&p=13&postcount=8/641222267738845/thumb/6456dac5bc39ec7/comment_post.php?ice=bDaE06lCQU/507728217866857/9ecc534d/bug_report/media/pr.php?id=b38cb0526f8cd52d878009d9f27be8f4/gu/Strategy/qNXL8WmQ6G/rss.php?cat=MSFT/moddata/a9/showpost.php?s=0d2d722e1a2a625b3ceb042daf966593&p=13&postcount=1/2003/01/27/exchange-monday-wilderness/46198923243328031687/applications/blockStyle.php?last-name=6419f08706689953783a59fa4faeb75c/5wtYymZeVy/LKYcSFhKOi/showpost.php?s=2e3e8a3c3b6b00cd3033f8e20d174bf5&p=8&postcount=7/2006/08/05/fur-copper-shark/48396170957391254103/XD25OYwON1/showpost.php?s=abf72cd40a08463fad0b3d153da66cae&p=27&postcount=7/tV9FnNwo4h/b303debe9a6305791b9cd16b1f10b91e/promotion.php?catid=h/ef131fb2025525a/QLGWEFwfdh/550991586389812/core.write_file.php?lawyer=9H6UhvusOi/aPKr0Oe5GV/23861001482170285181/showpost.php?s=e74b32ba071772d5b55f97159db2e998&p=2&postcount=1/2/eb799e65a412b412ee63150944c7826d61cd7a544f7aa57029a9069698b4925b2068ed77dea8dc6210b933e3ecf1f35b/showthread.php?t=18024&page=14/js/archives/3f635a090e73f9b/showthread.php?t=6636&page=18/59cdf39001a623620bd7976a42dde55f190382060a264e21809fc51f/ff0a503d59ddb4d5e1fb663b6475dfe0ba08f0b84ce8692d/viewtopic.php?f=84&t=48361/615147354246727/339824645925013/nqHgct4sEE/showthread.php?t=51299&page=20/2012/04/22/present-measure-physical-examination(for those who would like to build their regexp, more pattern available here : https://raw.githubusercontent.com/Kafeine/public/master/Nebula_URI )2017-03-02 Nebula with its new pattern used here to drop Ramnit via Malvertising in NA - 2017-03-02This landing pattern change triggered the publication of this post. Nebula might end up not being a "vapor" EK but let's wait and see. The only difference with Sundown till today was its internal TDS.Exploits: CVE-2014-6332 + CVE-2015-0016CVE-2013-2551CVE-2016-0189 godmodeCVE-2015-8651CVE-2015-7645CVE-2016-4117Files:  Nebula_2017-03-02 (2 fiddler - password is malware)Acknowledgement :Thanks Joseph C Chen and Brooks Li (Trendmicro),  Frank Ruiz (Fox-IT InTELL) and Andrew Komarov ( InfoArmor Inc. ) for the help on different aspect of this post.Edit:2017-03-03 Corrected some CVE id + not all payload are in clear---Some IOCsDateSha256Comment2017/02/17f4627005c018071f8ec6b084eef3936e3a267660b0df99ffa0d27a8d943d1af5Flash Exploit (CVE-2016-4117)2017/02/27be86dc88e6337f09999991c206f890e0d52959d41f2bb4c6515b5442b23f2eccFlash Exploit (CVE-2016-4117)2017/02/1767d598c6acbd6545ab24bbd44cedcb825657746923f47473dc40d0d1f122abb6Flash Exploit (CVE-2015-7645 Sample seen previously in Sundown)2017/02/1704fb00bdd3d2c0667b18402323fe7cf495ace5e35a4562e1a30e14b26384f41cFlash Exploit (CVE-2015-8651 Sample seen previously in Sundown)2017/02/17b976cf6fd583b349e51cb34b73de6ef3a5ee72f86849f847b9158b4a7fb2315cPitou2017/02/176fe13d913f4d3f2286f67fbde08ab17418ba8370410e52354ffa12a0aaf498f8Gootkit2017/02/221a22211d01d2e8746efe0d14ab7e1e547c3e30863a83e0884a9d90325bd7b64bRamnit2017/03/026764f98ba6509b3351ad2f960dcc47c27d0dc00d53d7e0ae132a7c1d15067f4aDiamondFoxDateDomainIPComment2017/02/17tci.nhnph.com188.209.49.135Nebula Payload Domain2017/02/22gnd.lplwp.com188.209.49.135Nebula Payload Domain2017/02/24qcl.ylk8.xyz188.209.49.23Nebula Payload Domain2017/02/28hmn.losssubwayquilt.pw93.190.141.166Nebula Payload Domain2017/03/02qgg.losssubwayquilt.pw93.190.141.166Nebula Payload Domain2017/02/17agendawedge.shoemakerzippersuccess.stream188.209.49.135Nebula2017/02/17clausmessage.nationweekretailer.club217.23.7.15Nebula2017/02/17equipmentparticle.shockadvantagewilderness.club217.23.7.15Nebula2017/02/17salaryfang.shockadvantagewilderness.club217.23.7.15Nebula2017/02/22deficitshoulder.lossicedeficit.pw188.209.49.135Nebula2017/02/22distributionjaw.hockeyopiniondust.club188.209.49.135Nebula2017/02/22explanationlier.asiadeliveryarmenian.pro188.209.49.135Nebula2017/02/23cowchange.distributionstatementdiploma.site188.209.49.151Nebula2017/02/23instructionscomposition.pheasantmillisecondenvironment.stream188.209.49.151Nebula2017/02/23paymentceramic.pheasantmillisecondenvironment.stream188.209.49.151Nebula2017/02/23soldierprice.distributionstatementdiploma.site188.209.49.135Nebula2017/02/23swissfacilities.gumimprovementitalian.stream188.209.49.135Nebula2017/02/23transportdrill.facilitiesturkishdipstick.info188.209.49.135Nebula2017/02/24authorisationmessage.casdfble.stream188.209.49.151Nebula2017/02/24cowchange.distributionstatementdiploma.site188.209.49.151Nebula2017/02/24departmentant.distributionstatementdiploma.site188.209.49.151Nebula2017/02/24disadvantageproduction.brassreductionquill.site188.209.49.151Nebula2017/02/24disadvantageproduction.casdfble.stream188.209.49.151Nebula2017/02/24europin.pedestrianpathexplanation.info188.209.49.151Nebula2017/02/24hygienicreduction.brassreductionquill.site188.209.49.151Nebula2017/02/24hygienicreduction.casdfble.stream188.209.49.151Nebula2017/02/24instructionscomposition.pheasantmillisecondenvironment.stream188.209.49.151Nebula2017/02/24jobhate.pedestrianpathexplanation.info188.209.49.151Nebula2017/02/24limitsphere.pheasantmillisecondenvironment.stream188.209.49.151Nebula2017/02/24paymentceramic.pheasantmillisecondenvironment.stream188.209.49.151Nebula2017/02/24penaltyinternet.asiadeliveryarmenian.pro188.209.49.151Nebula2017/02/24phonefall.asiadeliveryarmenian.pro188.209.49.151Nebula2017/02/24printeroutput.pheasantmillisecondenvironment.stream188.209.49.151Nebula2017/02/24redrepairs.distributionstatementdiploma.site188.209.49.151Nebula2017/02/24soldierprice.distributionstatementdiploma.site188.209.49.151Nebula2017/02/24suggestionburn.distributionstatementdiploma.site188.209.49.151Nebula2017/02/25advertiselaura.bubblecomparisonwar.top188.209.49.49Nebula2017/02/25apologycattle.gramsunshinesupply.club188.209.49.151Nebula2017/02/25apologycattle.gramsunshinesupply.club188.209.49.49Nebula2017/02/25apologycattle.gramsunshinesupply.club93.190.141.39Nebula2017/02/25apologycold.shearssuccessberry.club188.209.49.151Nebula2017/02/25authorizationmale.foundationspadeinventory.club188.209.49.151Nebula2017/02/25birthdayexperience.foundationspadeinventory.club188.209.49.151Nebula2017/02/25confirmationaustralian.retaileraugustplier.club188.209.49.151Nebula2017/02/25dancerretailer.shearssuccessberry.club188.209.49.151Nebula2017/02/25employergoods.deliverycutadvantage.info188.209.49.151Nebula2017/02/25fallhippopotamus.deliverycutadvantage.info188.209.49.151Nebula2017/02/25goallicense.shearssuccessberry.club188.209.49.151Nebula2017/02/25goalpanda.retaileraugustplier.club188.209.49.151Nebula2017/02/25holidayagenda.retaileraugustplier.club188.209.49.151Nebula2017/02/25marketsunday.deliverycutadvantage.info188.209.49.151Nebula2017/02/25penaltyinternet.asiadeliveryarmenian.pro188.209.49.151Nebula2017/02/25phonefall.asiadeliveryarmenian.pro188.209.49.151Nebula2017/02/25purposeguarantee.shearssuccessberry.club188.209.49.151Nebula2017/02/25rainstormpromotion.gramsunshinesupply.club188.209.49.151Nebula2017/02/25rainstormpromotion.gramsunshinesupply.club188.209.49.49Nebula2017/02/25rainstormpromotion.gramsunshinesupply.club93.190.141.39Nebula2017/02/25rollinterest.asiadeliveryarmenian.pro188.209.49.151Nebula2017/02/25startguarantee.gramsunshinesupply.club188.209.49.151Nebula2017/02/25startguarantee.gramsunshinesupply.club188.209.49.49Nebula2017/02/26advantagelamp.numberdeficitc-clamp.site93.190.141.39Nebula2017/02/26apologycattle.gramsunshinesupply.club93.190.141.39Nebula2017/02/26budgetdegree.maskobjectivebiplane.trade93.190.141.200Nebula2017/02/26competitionseason.numberdeficitc-clamp.site93.190.141.39Nebula2017/02/26customergazelle.cyclonesoybeanpossibility.bid93.190.141.39Nebula2017/02/26decembercommission.divingfuelsalary.trade93.190.141.200Nebula2017/02/26distributionfile.edgetaxprice.site93.190.141.45Nebula2017/02/26equipmentwitness.maskobjectivebiplane.trade93.190.141.200Nebula2017/02/26invoiceburst.cyclonesoybeanpossibility.bid93.190.141.39Nebula2017/02/26invoicegosling.edgetaxprice.site93.190.141.45Nebula2017/02/26jailreduction.edgetaxprice.site93.190.141.45Nebula2017/02/26rainstormpromotion.gramsunshinesupply.club93.190.141.39Nebula2017/02/26startguarantee.gramsunshinesupply.club93.190.141.39Nebula2017/02/27afforddrill.xzv4rzuctndfo.club93.190.141.45Nebula2017/02/27approveriver.jsffu2zkt5va.trade93.190.141.45Nebula2017/02/27burglarsatin.jsffu2zkt5va.trade93.190.141.45Nebula2017/02/27distributionfile.edgetaxprice.site93.190.141.45Nebula2017/02/27invoicegosling.edgetaxprice.site93.190.141.45Nebula2017/02/27jailreduction.edgetaxprice.site93.190.141.45Nebula2017/02/27lipprice.edgetaxprice.site93.190.141.45Nebula2017/02/27marginswiss.divingfuelsalary.trade93.190.141.200Nebula2017/02/27outputfruit.divingfuelsalary.trade93.190.141.200Nebula2017/02/27rainstormpromotion.gramsunshinesupply.club93.190.141.39Nebula2017/02/27reindeerprofit.divingfuelsalary.trade93.190.141.200Nebula2017/02/27reminderdonna.divingfuelsalary.trade93.190.141.200Nebula2017/02/27startguarantee.gramsunshinesupply.club93.190.141.39Nebula2017/02/27supplyheaven.gramsunshinesupply.club93.190.141.39Nebula2017/02/27transportbomb.gramsunshinesupply.club93.190.141.39Nebula2017/02/28afforddrill.xzv4rzuctndfo.club93.190.141.45Nebula2017/02/28agesword.alvdxq1l6n0o.stream93.190.141.166Nebula2017/02/28authorparticle.390a20778a68d056c40908025df2fc4e.site93.190.141.45Nebula2017/02/28bakermagician.alvdxq1l6n0o.stream93.190.141.166Nebula2017/02/28bombclick.alvdxq1l6n0o.stream93.190.141.166Nebula2017/02/28burglarsatin.jsffu2zkt5va.trade93.190.141.45Nebula2017/02/28certificationplanet.87692f31beea22522f1488df044e1dad.top93.190.141.45Nebula2017/02/28chooseravioli.87692f31beea22522f1488df044e1dad.top93.190.141.45Nebula2017/02/28coachadvantage.reportattackconifer.site93.190.141.39Nebula2017/02/28databasesilver.reportattackconifer.site93.190.141.39Nebula2017/02/28date-of-birthtrout.87692f31beea22522f1488df044e1dad.top93.190.141.45Nebula2017/02/28dependentswhorl.jsffu2zkt5va.trade93.190.141.45Nebula2017/02/28derpenquiry.87692f31beea22522f1488df044e1dad.top93.190.141.45Nebula2017/02/28domainconsider.mxkznekruoays.trade93.190.141.200Nebula2017/03/01agesword.alvdxq1l6n0o.stream93.190.141.166Nebula2017/03/01authorparticle.390a20778a68d056c40908025df2fc4e.site93.190.141.45Nebula2017/03/01bakermagician.alvdxq1l6n0o.stream93.190.141.166Nebula2017/03/01bombclick.alvdxq1l6n0o.stream93.190.141.166Nebula2017/03/02actressheight.knowledgedrugsaturday.club93.190.141.45Nebula2017/03/02agesword.alvdxq1l6n0o.stream93.190.141.166Nebula2017/03/02applywholesaler.tboapfmsyu.stream93.190.141.200Nebula2017/03/02approvepeak.knowledgedrugsaturday.club93.190.141.45Nebula2017/03/02bakermagician.alvdxq1l6n0o.stream93.190.141.166Nebula2017/03/02bombclick.alvdxq1l6n0o.stream93.190.141.166Nebula2017/03/02borrowfield.77e1084e.pro93.190.141.45Nebula2017/03/02boydescription.356020817786fb76e9361441800132c9.win93.190.141.39Nebula2017/03/02buglecommand.textfatherfont.info93.190.141.39Nebula2017/03/02buysummer.77e1084e.pro93.190.141.45Nebula2017/03/02captaincertification.77e1084e.pro93.190.141.45Nebula2017/03/02chargerule.textfatherfont.info93.190.141.39Nebula2017/03/02cityacoustic.textfatherfont.info93.190.141.39Nebula2017/03/02clickbarber.356020817786fb76e9361441800132c9.win93.190.141.39Nebula

CVE-2016-7200 & CVE-2016-7201 are vulnerabilities in the Chakra JavaScript scripting engine in Microsoft Edge. Reported by Natalie Silvanovich of Google Project Zero, those have been fixed  in november 2016 (MS16-129) by Microsoft.Note : No successful exploitation seen despite integration tries.On 2017-01-04 @theori_io released a POCProof-of-Concept exploit for Edge bugs (CVE-2016-7200 & CVE-2016-7201) —https://t.co/DnwQt5giMB— Theori (@theori_io) 4 janvier 2017providing again (cf CVE-2016-0189) ready-to-use code to Exploit Kit maintainer.After not far from 6 months without new exploit integrated in an EK ecosystem which has lost its innovation locomotive (Angler) , the drive-by landscape is struggling to stay in shape. Low infection rate means more difficulties to properly convert bought traffic.The exploits are spotted first in Sundown, but integration in RIG/Empire/Neutrino/Magnitude/Kaixin should be a matter of hours/days.[edit : 2017-01-10]​I have been told that with Win10 1607, Microsoft Edge has some quite strong mitigation: no WinExec, no CreateProcess, no ShellExecute, meaning every child process creation is blocked. The PoC might need a little more "magic powder" to work there.[/edit]Sundown:2017-01-06Sundown EK firing CVE-2016-7200/7201 to Edge 2017-01-06No exploitation here thoughFiddler: Sundown_Edge__CVE-2016-7201_170106.zip (password is malware)Out of topic: expected payload in that infection chain was zloader. (other payload seen in past weeks dropped via Sundown : Zeus Panda, Neutrino Bot, Dreambot, Chthonic, Andromeda, Smokebot, Betabot, Remcos, IAP, RTM, Kronos, Bitcoin Miner)Neutrino:2017-01-14--Thanks to Trendmicro for the multiple inputs that allowed me to keep plugged to this infection chain.--So as explained previously Neutrino is now in full private mode and fueled via Malvertising bought to several ad agencies (e.g. ZeroPark, ClickAdu, PropellerAds, HillTopAds) by a Traffer actor which I tag as NeutrAds. Their infection chain is now accepting/redirecting Microsoft Edge Browser as well.Without big surprise a new exploit is included in the Flash bundle : nw27 >  CVE-2016-7200/7201.NeutrAds redirect is now  accepting Edge traffic - 2017-01-14Neutrino Embedding CVE-2016-7200/7201 - 2017-01-14(Neutrino-v flash ran into Maciej ‘s Neutrino decoder )Extracted CVE-2016-7200/7201  elements - 2017-01-14Note: i did not get infection with- Edge 25.10586.0.0 / EdgeHTML 13.10586- Edge 20.10240.16384.0Fiddler&Pcap : Neutrino-v_CVE-2016-72007201_170114.zip  (Password is malware)Extracted exploits: Neutrino_2017-01-14.zip (Password is malware)reveiled[.space|45.32.113.97 - NeutrAds Filtering Redirectorvfwdgpx.amentionq[.win|149.56.115.166 - Neutrino Payload in that pass : Gootkit - b5567655caabb75af68f6ea33c7a22dbc1a6006ca427da6be0066c093f592610Associated C2 :buyyou[.org | 204.44.118.228felixesedit[.comfastfuriedts[.org monobrosexeld[.orgSo those days, in Asia you'll most probably get Cerber and in EU/NA you'll most probably get GootkitMISP : taxonomy illustrating some NeutrAds into Neutrino-v recorded activity (and post infection)Kaixin:2017-01-15 Finding by Simon ChoiCVE-2016-7200/7201 code fired by Kaixin - 2017-01-16Fiddler : Kaixin_2017-01-16.zip (Password is malware)Out of topic: payload in another pass (not fired by this exploit) was Blackmoon/Banbra 6c919213b5318cdb60d67a4b4ace709dfb7e544982c0e101c8526eff067c8332Callback:http://r.pengyou[.com/fcg-bin/cgi_get_portrait.fcg?uins=1145265195http://67.198.186[.254/ca.php?m=525441744D5441744D6A63744E3055744D554D745130493D&h=437Edits:2016-11-10 - Adding information about mitigation on Edge2016-11-14 - Adding Neutrino2016-11-16 - Fixed the screenshot for Neutrino. Was stating CVE-2016-4117 was there. It's not2016-11-16 - Adding KaixinRead More:Three roads lead to Rome - Qihoo360 - 2016-11-29Proof-of-Concept exploit for Edge bugs (CVE-2016-7200 & CVE-2016-7201) - Theori-io - 2017-01-04

  Around the middle of August many infection chains transitioned to RIG with more geo-focused bankers and less CryptXXX (CryptMic) Ransomware. Picture 1: Select Drive-by landscape - Middle of August 2016 vs Middle of July 2016RIG += internal TDS :Trying to understand that move, I suspected and confirmed the presence of an internal TDS (Traffic Distribution System) inside RIG Exploit Kit [Edit 2016-10-08 : It seems this functionality is limited to Empire Pack version of RIG]I believe this feature appeared in the EK market with Blackhole (if you are aware of a TDS integrated earlier directly in an EK please tell me) Picture2: Blackhole - 2012 - Internal TDS illustrationbut disappeared from the market with the end of Nuclear Pack Picture3: Nuclear Pack - 2016-03-09 - Internal TDS illustrationand Angler EK Picture 4 : Angler EK - Internal TDS illustrationThis is a key feature for load seller. It is making their day to day work with traffic provider far easier . It allows Exploit Kit operator to attach multiple payloads to a unique thread. The drop will be conditioned by Geo (and/or OS settings) of the victim.Obviously you can achieve the same result with any other exploit kit…but things are a little more difficult. You have to create one Exploit Kit thread per payload, use an external TDS (like Keitaro/Sutra/BlackHat TDS/SimpleTDS/BossTDS, etc…) and from that TDS, point the traffic to the correct Exploit Kit thread (or, if you buy traffic, tell your traffic provider where to send traffic for each targeted country). Picture 5: A Sutra TDS in action in 2012 - cf The path to infection RIG += RC4 encryption, dll drop and CVE-2016-0189:Around 2016-09-12 a variation of RIG (which i flag as RIG-v in my systems) appeared.A slightly different landing obfuscation, RC4 encoding, Neutrino-ish behavioral and added CVE-2016-0189 Picture 6: RIG-v Neutrino-ish behavioral captured by Brad Spengler’s modified cuckoo Picture 7: CVE-2016-0189 from RIG-v after 3 step de-obfuscation pass.Neutrino waves goodbye ?On 2016-09-09 on underground it has been reported a message on Jabber from the Neutrino seller account :“we are closed. no new rents, no extends more”This explains a lot. Here are some of my last Neutrino pass for past month. Picture 8: Some Neutrino passes for past month and associated taxonomy tags in MispAs you can see several actors were still using it…Now here is what i get for the past days : Picture 9: Past days in DriveBy land Not shown here, Magnitude is still around, mostly striking in AsiaDay after day, each of them transitioned to RIG or “RIG-v”. Around the 22nd of September 2016 the Neutrino advert and banner disappeared from underground. Picture 10: Last banner for Neutrino as of 2016-09-16Are we witnessing the end of Neutrino Exploit Kit ? To some degree. In fact it looks more like Neutrino is going in full “Private” mode “a la” Magnitude.Side reminder : Neutrino disappeared from march 2014 till november 2014A Neutrino VariantSeveral weeks ago, Trendmicro (Thanks!!) made me aware of a malvertising chain they spotted in Korea and Taiwan involving Neutrino. Picture 11: Neutrino-v pass on the 2016-09-21Upon replay I noticed that this Neutrino was somewhat different. Smoother CVE-2016-4117, more randomization in the landing, slightly modified flash bundle of exploits Picture 12: Neutrino-v flash ran into Maciej ‘s Neutrino decoder Note the pnw26 with no associated binary data, the rubbish and additionalInfoA Sample : 607f6c3795f6e0dedaa93a2df73e7e1192dcc7d73992cff337b895da3cba5523 Picture 13: Neutrino-v behavioral is a little different : drops name are not generated via the GetTempName api function k2(k) { var y = a(e + "." + e + "Request.5.1"); y.setProxy(n); y.open("GET", k(1), n); y.Option(n) = k(2); y.send(); if (200 == y.status) return Rf(y.responseText, k(n)) };Neutrino-v ensuring Wscript will use the default proxy (most often when a proxy is configured it’s only for WinINet , WinHTTP proxy is not set and Wscript will try to connect directly and fail)I believe this Neutrino variant is in action in only one infection chain (If you think this is inaccurate, i’d love to hear about it) Picture 14: Neutrino-v seems to be used by only one actor to spread Cerber 0079xThe actor behind this chain is the same as the one featured in the Malwarebytes Neutrino EK: more Flash trickery post.Empire Pack:Coincidentally a new Exploit Kit is being talked about underground : Empire Pack. Private, not advertised. Picture 15: King of Loads - Empire Pack PanelSome might feel this interface quite familiar…A look a the favicon will give you a hint Picture 16: RIG EK favicon on Empire Pack panel Picture 17: RIG PanelIt seems Empire Pack project was thought upon Angler EK disappearance and launched around the 14th of August 2016.[Speculation] I think this launch could be related to the first wave of switch to RIG that occurred around that time. I think, Empire Pack is a RIG instance managed by a Reseller/Load Seller with strong underground connections. [/Speculation]RIG-v is a “vip” version of RIG. Now how exactly those three elements (RIG, RIG-v, Empire Pack) are overlapping, I don’t know. I am aware of 3 variants of the API to RIGapi.php : historical RIG api3.php : RIG with internal TDS [ 2016-10-08 :  This is Empire Pack. Appears to be using also remote_api after this post went live. I flag it as RIG-E ]remote_api.php : RIG-vBut Empire Pack might be api3, remote_api, or a bit of both of them.By the way RIG has also (as Nuclear and Angler endup doing) added IP Whitelisting on API calls to avoid easy EK tracking from there.   :-" (Only whitelisted IP - from declared redirector or external TDS - can query the API to get the current landing) ConclusionLet’s just conclude this post with statistics pages of two Neutrino threads Picture 18: Neutrino stats - Aus focused thread - 2016-07-15Picture 19: Neutrino stats on 1 Million traffic - 2016-06-09“We will be known forever by the tracks we leave”Santee Sioux TribeSome IOCsDateDomainIPComment2016-10-01szsiul.bluekill[.]top137.74.55.6Neutrino-v2016-10-01twqivrisa.pinkargue[.]top137.74.55.7Neutrino-v2016-10-01u0e1.wzpub4q7q[.]top185.117.73.80RIG-E (Empire Pack)2016-10-01adspixel[.]site45.63.100.224NeutrAds Redirector2016-09-30re.flighteducationfinancecompany[.]com109.234.37.218RIG-v2016-09-28add.alislameyah[.]org193.124.117.13RIG-v2016-09-28lovesdeals[.]ml198.199.124.116RIG-v2016-09-27dns.helicopterdog[.]com195.133.201.23RIG2016-09-26sv.flickscoop[.]net195.133.201.41RIG2016-09-26red.truewestcarpetcare[.]com195.133.201.11RIG-v2016-09-26oitutn.yellowcarry[.]top78.46.167.130NeutrinoAcknowledgementsThanks Malc0de, Joseph C Chen (Trendmicro), Will Metcalf ( EmergingThreat/Proofpoint) for their inputs and help on multiple aspect of this post.Edits2016-10-03 :Removed limitation to KOR and TWN for Neutrino-v use by NeutrAds as Trendmicro informed me they are now seeing them in other Geos.Added explanation about the IP whitelisting on RIG API (it was not clear)2016-10-08 :Updated with gained information on Empire Pack2016-11-01 :RIG standard is now also using the pattern introduces past week by RIG-v. It's now in version 4.https://twitter.com/kafeine/status/790482708870864896RIG panelThe only instance of RIG using old pattern is Empire Pack (which previously could be guessed by domains pattern)2016-11-18 : Empire (RIG-E) is now using RC4 encoding as well. (still on old pattern and landing)RIG-E Behavioral2016-12-03RIG-v has increased filtering on IP ranges and added a pre-landing to filter out non IE traffic.2016-12-03 RIG-v Pre-landingRead MoreRIG’s Facelift - 2016-09-30 - SpiderLabs Is it the End of Angler ? - 2016-06-11 Neutrino : The come back ! (or Job314 the Alter EK) - 2014-11-01 Hello Neutrino ! - 2013-06-07The path to infection - Eye glance at the first line of “Russian Underground” - 2012-12-05

Gift for SweetTail-Fox-mlp by Mad-N-MonstrousSmall data drop about another Pony fork : Fox stealer.First sample of this malware I saw was at beginning of September 2016 thanks to Malc0de. After figuring out the panel name and to which advert it was tied we were referring to it as PonyForx.Advert :2016-08-11 - Sold underground by a user going with nickname "Cronbot"--------Стилер паролей и нетолько - Fox v1.0Мы выпускаем продукт на продажу. Уже проходит финальная стадия тестирования данного продукта.О продукте : 1. Умеет все что умеет пони. + добавлен новый софт.2. Актуален на 2016 год.3. Написан на С++ без дополнительных библиотек.4. Админка от пони.Условия : 1. Только аренда.2. Распространяется в виде EXE и DLL.3. Исходники продавать не будем.Аренда 250$ в месяц.Исходники 2000$ разово.----Translated by Jack Urban : ----Password stealer and more - Fox v.1.0We are releasing the product for general sale. Final stage of testing for this product is already underway.About the product:1. Is able to do everything that pony does. + new software has been added.2. Relevant for 2016.3. Written in C++ without additional libraries.4. Admin from pony.Conditions:1. For rent only.2. Distributed as an EXE and DLL.3. We will not be selling the source.Rent is $250 a month.Originals are a 2000$ one time fee. --------It's being loaded (with Locky Affid 13) by the Godzilla from ScriptJS (aka AfraidGate) group .MISP taxonomy tags reflecting ScriptJS activity in the last months(note : it's not the first time this group is pushing a stealer, they were dropping Pony with their Necurs between August and December 2015 [1] )2016-09-26 - ScriptJS infection chain into Neutrino into Godzilla loader into PonyForx and Locky Affid 13Here we can see the browsing history of the VM being sent to PonyForx (Fox stealer) C2Fox stealer (PonyForx) fingerprint in CuckooSample :cca1f8ba0be872ec86755e3defbb23c8fe4a272a6b4f7ec651302c5cddc5e183Associated C2:blognetoo[.]com/find.php/helloblognetoo[.]com/find.php/datablognetoo[.]com|104.36.83.52blognetoo[.]com|45.59.114.126Caught by ET rule :2821590 || ETPRO TROJAN Win32.Pony Variant Checkin[1] ScriptJS's Pony :master.districtpomade[.]com|188.166.54.203 - 2015-08-15 Pony C2 from ScriptJS​js.travelany[.]com[.]ve|185.80.53.18 - 2015-12-10 Pony C2 from ScriptJSRead More : http://pastebin.com/raw/uKLhTbLs few bits about ScriptJSInside Pony 1.7 / Fareit C&C - Botnet Control Panel - 2012-06-27Pony 1.9 (Win32/Fareit) - 2013-05-23 - Xylitol

Spotted by Symantec in the wild  patched with MS16-051 in may 2016, CVE-2016-0189 is now being integrated in Exploit Kit.Neutrino Exploit Kit :Here 2016-07-13 but i am being told that i am late to the party.It's already [CN] documented hereNeutrino after ScriptJS redirector dropping Locky Affid 13- 2016-07-13Flash sample in that pass : 85b707cf63abc0f8cfe027153031e853fe452ed02034b792323eecd3bc0f7fd(Out of topic payload : 300a51b8f6ad362b3e32a5d6afd2759a910f1b6608a5565ddee0cad4e249ce18 - Locky Affid 13 ) Thanks to Malc0de for invaluable help here :)Files Here: Neutrino_CVE-2016-0189_160714 (Password is malware - VT Link)Sundown :Some evidence of CVE-2016-0189 being integrated in Sundown were spotted on jul 15 by @criznashOn the 16th I recorded a pass where the CVE-2016-0189 had his own calls :Sundown exploiting CVE-2016-0189 to drop Smokebot on the 2016-07-16(Out of topic payload :  61f9a4270c9deed0be5e0ff3b988d35cdb7f9054bc619d0dc1a65f7de812a3a1 beaconing to : vicolavicolom.com | 185.93.185.224 )Files : Sundown_CVE-2016-0189_160716 (password is malware)RIG:I saw it on 2016-09-12 but might have appeared before.RIG successfully exploiting CVE-2016-0189 - 2016-09-12CVE-2016-0189 from RIG after 3 step decoding passFiles : RIG_2016-0189_2016-09-12 (password is malware)Magnitude:Here pass from 2016-09-16 but is inside since at least 2016-09-04 (Source : Trendmicro - Thanks)CVE-2016-0189 in Magnitude on 2016-09-16Sorry i can't share fiddler publicly in that case (Those specific one would give to attack side too much information about some of the technics that can be used - You know how to contact me)Out of topic Payload:  Cerbera0d9ad48459933348fc301d8479580f85298ca5e9933bd20e051b81371942b2cGrandSoft:Spotted first on 2017-09-22 here is traffic from 2018-01-30 on : Win10 Build 10240 - IE11.0.10240.16431 - KB3078071CVE-2016-0189 in GrandSoft on 2018-01-30Out of topic Payload:  GandCrab Ransomwarea15c48c74a47e81c1c8b26073be58c64f7ff58717694d60b0b5498274e5d9243Fiddler here : GrandSoft_WorkingonIE11_Win10d.zip (pass is malware) Edits :2016-07-15 a previous version was stating CVE-2015-5122 for nw23. Fixed thanks to @dnpushme2016-07-20 Adding Sundown.2016-09-17 Adding RIG2016-09-19 Adding Magnitude2018-01-30 Adding GrandSoft (but appeared there on 2017-09-22)Read More :[CN] NeutrinoEK来袭：爱拍网遭敲诈者病毒挂马 2016-07-14 - Qihoo360Patch Analysis of CVE-2016-0189 - 2016-06-22 - TheoriInternet Explorer zero-day exploit used in targeted attacks in South Korea - 2016-05-10 - SymantecNeutrino EK: fingerprinting in a Flash - 2016-06-28 - MalwarebytesPost publication Reading :Exploit Kits Quickly Adopt Exploit Thanks to Open Source Release - 2016-07-14 - FireEye

Everyone looking at the DriveBy landscape is seeing the same : as Nuclear disappeared around April 30th,  Angler EK has totally vanished on June 7th. We were first thinking about Vacation as in January 2016 or maybe Infrastructure move. But something else is going on.---On the Week-End of the 4-5th of June I noticed that the ongoing malvertising from SadClowns was redirecting to Neutrino Exploit Kit (dropping Cerber)EngageBDR malvertising redirecting to SadClowns infra pushing traffic to Neutrino to Drop Cerber RansomwareOn the 6th I noticed several group migrating to RIG, Neutrino or even Sundown.But I got speechless when I noticed that GooNky had switched to Neutrino to spread their CryptXXX U000001 and U000006.They were sticking exclusively to Angler EK since years and their vacation were synchronized with Angler's in January.Checking all known to me infection path I could hardly find some Angler....last one were behind the EItest infection chain on the night of the 6th to 7th of June.Last Angler pass I captured on 2016-06-07EITest into Angler dropping CryptXXX 3.200 U000017On June 7th around 5:30 AM GMT my tracker recorded its last Angler hit :Last Hit in my Angler tracker.After that...RIG, Neutrino instead of Angler almost everywhere.[Side note: Magnitude is still around...But as mentioned earlier it's a One Actor operation since some time]Aside SadClowns and GooNky here are two other big (cf traffic volume) group which transition has not been covered already"WordsJS"  (named NTL/NTLR by RiskIQ) into Neutrino > CryptXXX U0000102016-06-10"ScriptJS" (Named DoublePar by RiskIQ and AfraidGate by PaloAlto) into Neutrino > CryptXXX U000011This gang  was historically dropping Necurs, then Locky Affid13 before going to CryptXXXIllustrating with a picture of words and some arrows:MISP : select documented EK pass with associated tags.1 arrow where you would have find Angler several days before.(+ SadClowns + GooNky not featured in that selection)With the recent 50 arrests tied to Lurk in mind and knowing the infection vector for Lurk was the "Indexm" variant of Angler between 2012 and beginning of 2016...we might think there is a connection and that some actors are stepping back.Another hint that this is probably not vacation "only" for Angler is that Neutrino changed its conditions on June 9th. From 880$ per week on shared server and 3.5k$ per month on dedicated, Neutrino doubled the price to 7k$ on dedicated only (no more per week work). Such move were seen in reaction to Blackhole's coder (Paunch) arrest in October 2013.So is this the End of Angler ? The pages to be written will tell us.“If a book is well written, I always find it too short.” ― Jane Austen, Sense and SensibilityPost publication notes:[2016-06-12]RIG : mentioned they were sill alive and would not change their Price.Maybe unrelated to RIG mention, Neutrino updated his thread as announced previously on underground but conditions are revisited :------Google translate:-----Tarif week on a shared server:Rent: $ 1500Limit: 100k hosts per dayOne-time daily discharge limits: $ 200Rate per month on a dedicated server:Rent: $ 4000Limits: 500k hosts per day, and more - on an individual basis.One-time daily discharge limits: $ 200----------------So now only price per week is doubled and month rate + ~20%[2016-06-13]Our exploit kit stats for the last two weeks… Angler dives, Neutrino soars. pic.twitter.com/RcYAH6tVck— News from the Lab (@FSLabs) June 13, 2016Acknowledgement:Thanks to Will Metcalf (Emerging Threats/Proofpoint) who made the replay of SadClowns' malvertising possible. Thanks to EKWatcher and Malc0de for their help on several points.Read More :XXX is Angler EK - 2015-12-21Russian hacker gang arrested over $25m theft - 2016-06-02 - BBC NewsNeutrino EK and CryptXXX - 2016-06-08 - ISCSansLurk Banker Trojan: Exclusively for Russia - 2016-06-10 - Securelist - KasperskyHow we helped to catch one of the most dangerous gangs of financial cybercriminals - 2016-08-30 - SecureList

Discovered being exploited in the wild by FireEye [1] on May 8, 2016, patched 4 days later with Flash 21.0.0.242, CVE-2016-4117 is making its way to Exploit Kits.Magnitude :CVE confirmed by FireEye - Thanks !On 2016-05-21 Magnitude is firing an exploit to Flash up to 21.0.0.213.Magnitude firing exploit to Flash 21.0.0.213 - 2016-05-21For now i did not get exploitation in the different pass i tried but in the Flash exploit we can see some quite explicit imports : import com.adobe.tvsdk.mediacore.timeline.operations.DeleteRangeTimelineOperation;Magnitude Flash Exploit showing import of the DeleteRangeTimelineOperationSpotted sample :  f5cea58952ff30e9bd2a935f5843d15952b4cf85cdd1ad5d01c8de2000c48b0aFiddler sent here.Updates to come as it appears to be a work in progress.Neutrino :2016-05-23Spotted by Eset.2016-05-23 Neutrino successfully exploit CVE-2016-4117 on Flash 21.0.0.213 and drop here CryptXXXSample in that pass : 30984accbf40f0920675f6ba0b6daf2a3b6d32c751fd6d673bddead2413170e8Fiddler sent here (Password is malware)Out of topic payload: 110891e2b7b992e238d4afbaa31e165a6e9c25de2aed442574d3993734fb5220 CryptXXXAngler EK:2016-05-23CVE identification by Henri Nurmi from F-Secure. Thanks !Angler EK successfully exploit Flash 21.0.0.213 on 2016-05-23 dropping DridexSample in that pass : 310528e97a26f3fee05baea69230f8b619481ac53c2325da90345ae7713dcee2Fiddler sent hereOut of topic payload  : 99a6f5674b738591588416390f22dedd8dac9cf5aa14d0959208b0087b718902Most likely Dridex 123 targeting Germany based on distribution path.Sundown :  [3]2016-08-27Sample in that pass : cf6be39135d8663be5241229e0f6651f9195a7434202067616ae00712a4e34e6 Fiddler sent here  (password : malware)Read More:[1] CVE-2016-4117: Flash Zero-Day Exploited in the Wild - 2016-05-13 - Genwei Jiang - FireEye[2] New Flash Vulnerability CVE-2016-4117 Shares Similarities With Older Pawn Storm Exploit - 2016-05-13 - Moony Li - TrendMicro[3] Sundown EK – Stealing Its Way to the Top - 2016-09-02 - Spiderlabs

Fallout Vault Boy maskThe goal of the post is to open-source data on a kit that has been seen live impersonating bank portal. This is mostly Raw data, few part only will be "google translated".On September 2015 the 16th,  an advert about a multipurpose kit appeared underground :------------------------------------------By: [Redacted]Subject : Инжекты | Админки | Фейки, -50% от рыночных цен -Доброе время суток всем.Рад предоставить свои услуги по разработке следующих проектов:Инжекты;Grabers 80-150$*;Pasive ATS 500-800$*;Active ATS 800-1500$*;Tooken Panels 400-800$*;Replacers 200-400$*;И многое другое...Фейки;Простые клоны 70-150$*;Продвинутые с перехватом 200-500$*;Админки на пхп;Под любые нужды ...*данные цены служат ориентиром. Реальная цена будет зависеть от каждого техзадания индивидуальноJabber( [Redacted]@exploit.im )ICQ( 6[Redacted]8 )------------------------------------------Google Translated as :------------------------------------------By: [Redacted]Subject: Inject | admin area | Fakes, -50% of the market price -Good time of day to all.I am glad to provide services for the development of the following projects:Inject;Grabers 80-150 $ *;Pasive ATS 500-800 $ *;Active ATS 800-1500 $ *;Tooken Panels 400-800 $ *;Replacers 200-400 $ *;And much more...fakes;Simple clones 70-150 $ *;Advanced interception $ 200-500 *;Admin Center on php;Under any needs ...* These prices are a guide. The actual price will depend on each individual ToRsJabber ([Redacted] @ exploit.im)ICQ (6[Redacted]8)------------------------------------------NB : The Subject became later :--Инжекты | Админки | Фейки | Android Инжекты, -50% от рыночных цен --Inject | admin area | fakes | Inject Android, 50% of the market price ---Seller later added :------------------------------------------Последее время очень мнoго вопросов по поводу как работает перехват на скам странице. Решил детально описать процес чтобы изначально не вводить клиентов в заблуждение.В самом начале надо понять что такое "СКАМ СТАНИЦА"."СКАМ СТРАНИЦА"- это копия реальной странички логина в банк ,которая находится на нашем сервере с похожем на банк доменом. Все детали вводимые на ней будут лететь к нам.Далее уже на выбор, или дание идут на емайл, или на специально сделанную админку.Тоесть суть замута такова:жертва попадает на нашу страницу ->вводит данные->потом наша страница кидает жертву обратно на оригинал ->и мы поже ипользуем данные сами чтобы войти..| Это самый примитивный пример , на самом деле все чуток сложнее и зависит от фантазии заказа .Дальше надо понять что такое "ПЕРЕХВАТ"."ПЕРЕХВАТ" - eто вид обмана, очень часто ипользуетса в инжектах. Само название говорит за себя.Инжект перехватывает дание в рельном времени и присылает нам . В это время жертва как обычно ждет с гиф на экране,а вы заходите вместо него.| Зачем это надо?Затем что если для перевода вам требуется дополнительно второй пароль/смс/тукен то можно это запросить ,пока жертва ждёт, через специально сделанные команды в админке.Основной бенефит что это можно делать повторно ,много раз.|| Перехват на скам страничке работать точно также . Жертвa вводить дание и ждет пока мы его спросим то что нам надо.|Поэтапно:Преставим себе что есть банк где на вход надо UserName и Password . На активацию перевода по IBAN надо нoмер с тукен-прибора (Pin1) и для переводa надо ввести номер в тукен-прибор и тукен-прибор даст нам номер обратно (Pin2)Теперь преставим себе что у нас есть скам странница на этот банк , которая будет отсылать нам получение даные для входа и потом покажет заставку жертве с просьбой подождать. Мы находимся на другом конце в админке и наблюдаем такую катину .Краткое пособие по админке."I'am Online"- показывает находится ли оператор в админке , если "Off-line" то все жертвы будут перенаправлены обратно на оригинал страницу.Колонка "Keys" это есть полученные детали для входа.Колонка "Pin" это для получених тукенов/пинов .Колонка "Task" для добавленья операции по запросу тукена/пинов .Колонка "Redirect" показывает релле редиректа конкретной жертвы . Если поставить "On" то жертва будет перенапрвлена на оригинал сразу.| *Если жертва мегает красним то это значит что жертва какраз ждет от вас комадуИ так , на даном этапе у нас есть логины для входа , и ждущий человвек на нашей странице .Входим, идем на активацию IBAN . Там нас спрашивает Pin1/Tooken1 .Мы идем обратно на админку и нажимаем запрос операции. У нас откроется окно с выбором операций .Нажимаем на "ask Pin1" и жертва видит вот это:Дальше все просто. Жертва вводить "pin1" и он приходит к нам на админку . А жертва в это время снова видит пред собой заставку "подождите" .Если пин подошол, идем на перевод и такимже способом просим "pin2". Важно понимать что это все можно повторять много раз и после неверного пина можно снова его запросить .Если залив ушол , ставим "Redirect" на "On" и юсер уходит на оригинал. Или в продвинутых системах можно показать ему техроботы и попросить зайти попоже.Вот и все!**Все тексты на английском по админке написаны с ошибками , я это знаю ).Делал очень быстро . Никак не дойдут руки сделать до конца ------------------------------------------On march 2016 the 9th :------------------------------------------доброе время суток всем.С великой радостью рад предложить свои услуги по разработке инжектов под мобильные устройства для многих публичных андроид ботов .Цены зависят от тех заданий .Пример роботы на один из UK линков можно посмотреть тут [REDACTED]pass:demoWith great joy, I am pleased to offer its services on developing injects for mobile devices for many public android bots.The prices depend on those jobs.An example of one of the injects on the UK link can be found here [REDACTED]pass:demo------------------------------------------Files mirrored here. (pass: demo)On march 2016 the 16th:------------------------------------------Ladie's and Gentlemen's.Don't miss out some fresh and well-designed mobile injects for UK.9 common links.Hight % success task.------------------------------------------On march 2016 the 31st:------------------------------------------Доброе время суток всем.Последним временем много клиентов задают одни и те же вопросы связаны с видео o работе перехвата на Нидерланды.Я решил более детально описать систему работы и поставить ее где-то в общедоступном месте.Прежде всего пару строчек хотел бы написать o админ панели. Oна называется Universal Admin. называется она не просто так Универсал,у нее реализована возможность поддерживать много разных проектов таких как: Tooken intercept,Text manager,Log parser,Drop manager и многое другое.[2 images here...not available at dump time]Не обращайте внимания на разные цвета и стили на Скринах ,стили меняются тоже прямо с админки.[1 image here...not available at dump time]Tо есть админ панель одна а плагинов под нее может быть много.Hа видео Вы видели эту админку с плагином Tooken intercept + Text manager.Text manager-это менеджер текстовых блоков и название кнопок, которые будут автоматически вставляется в вашы страницы,инжекты и фишинг сраницы.[1 images here...not available at dump time]Все что надо сделать для работы это создать текстовый блок с определенным ID ,потом на вашей странице создать элемент с этим же ID ивставить одну функцию в конец документа.Для примера: У вас есть инжект в котором есть определенная Легенда запроса дополнительной информации.Чтобы изменить эту Легенду вам как минимум надо разбираться в HTML и как максимум пересобирать конфигурацию бота.С помощью текстового менеджера в моей админке все что вам надо это поменять текст в определенном блоке и нажать сохранить.Tooken intercept- это собственно то о чем мы будем сейчас говорить.Не важно каким способом Вы стараетесь обмануть жертву (Injec ,phishing page) цель является добытие определенного пакета информации .Для примера скажем у вас есть Paypal Phishing page с помощью которой вы добывайте username и пароль. эти данные отсылаются куда-то наадминку в нашем случае это Universal Admin.Username и пароль это и есть тот самый пакет информации который после отправки формы сохраняются у вас ,а кокретно вот тут[1 image here...not available at dump time]Использовать эту информацию можно по-разному в зависимости от вашего проекта.Одним из методов использования этой информации является перехват(intercept) ,то есть использовать информацию в реальном времени прямо сейчас.Вы перехватили username и пароль и вместо жертвы попадаете на ак ,пока жертва ждет думая что страница грузится.В случае с PayPal использования перехвата не совсем обязательно, так как полученные пакет информации а именно username и пароль Выможете использовать и через неделю. Но в связи с тем что последнее время много контор используют One Time password(Tooken),которые действительны только 30 секунд, обойтись без Tooken interstep нереально. Tooken intercept дает вам возможность использовать тот самый пароль(tooken) на протяжении 30 секунд пока жертва ждет загрузки следующей страницы. Возьмем тот же PayPal. Скажем вы получили только что username и пароль, зашли внутрь, и на главной странице вам выскочила рамочка гдеговорится что для подтверждения вашей личности на ваш мобильный телефон был отправлен SMS с коротким кодом(Tooken) код который надо вести тam же в рамочкe.Код который был отправлен на мобильный телефон жертвы!!! жертва которая на данный момент находится на вашей странице(Phishing Inject)!!!там где только что она(жертва) ввела username и пароль, username и пароль те что пришли к вам на админку и те что вы использовали для тогочтобы зайти на тот самый аккаунт где вам выскочила рамочка!! В стандартных методах это называется запал и етот пакет информации можно выбросить. можно сделать такую же рамочку после логин этападля всех юзеров на нашей пишем фишинг или инжекте, но проблема в том что это рамочка показывается не всем и не всегда и если жертвена телефон ничего не приходило то он туда ничего никогда не ведет.Я думаю всем понятно что здесь нужна динамическая страница с дистанционным управлением. То есть вы должны принимать решения показыватьрамочку данной жертве или не показывать.Именно это и есть основа.Страница которая присоединена к нашей админке может меняться исходя из команд которые вы задаете в админке.Команд может быть много, но для этого в определенном месте в админке для каждой жертвы eсть список команд, которые можнозадать для данной страницы на которой он(жертвa) находится.[1 image here...not available at dump time]в нашем примитивном пример из PayPal в списке операции должнa присутствовать кнопка "показать рамочку".Если вы зашли на аккаунт с только что полученными данными и у вас выкидывает эту рамочку вы нажимаете кнопку "показать рамочку" для данной жертвой.И у нее на экране покажет такую же рамочку.Tooken, который будет введён в эту рамочку прилетит к вам на админ туда же где лежат username и пароль от этой жертвы.Думаю здесь все понятно.Единственное что хотел бы подчеркнуть то что жертва в любой момент может закрыть страницу закрыть компьютер вырубить сеть.В таком случае связь страницы с админкой теряется и задавать команды для данной страницы не имеет смысла.Для этого в нашей админке есть Tracker онлайн статуса который позволяет нам следить находится ли жертва онлайн или нет. [1 image here...not available at dump time]Теперь структура Tooken intercept админки.Первая страница это главная страница где показана текучка всех посетителей(жертв) ваших инжектов и фишингов.Напротив каждого посетителя есть кнопка O-Panel при нажатии на которую вы попадаете уже на индивидуальную панель операций для данного посетителя.[1 image here...not available at dump time] Именно здесь и находится список операций.Именно здесь крупным планом видно онлайн статус. Прошу заметить что онлайн статусов бывает 3(ONLINE, OFFLINE и WAITING).WAITING статус светится красным и светится только тогда когда жертва ждет операции от вас ,то есть только что вам был отправленпакет информации и страница ждет дальнейших инструкций!.[1 image here...not available at dump time]Также жертва с этим статусом мигает красным и на главной странице что поднимает их в таблице вверх. Окей давайте теперь возьмем реальный пример Phishing страницы скажем одного из нидерландских банков. тут реализованные как PCтак и мобильная версия.[1 image here...not available at dump time]Вы делаете рассылку на email и линки могут открываться на мобильном. в основном 50% так и происходит.Скажем кто-то(жертвa) переходит на Линк в вашем email и попадает на нашу страницу. Вы об этом узнаете сразу через Jabber Alert,в котором будет говориться про нового посетителя.Самое время открыть Universal панель. там вы увидите Новую колонку с информацией про посетителя а Конкретно его айпи ширина экрана и многое другое[1 image here...not available at dump time]с минуты на минуту к нам прилетят логины, их можно ждать как на главной так и на O-Panel.после того как Вы получили логины, Посетитель уходит в режим ожидания. об этом Вам будут говорить красные мигающие панели, она экранe у жертвы будет примерно такое[1 image here...not available at dump time]Что делать вам с полученным пакетом Логинов Решать только Вам. Но если у вас, находясь внутри в аккаунте, попросят ввести tooken, пароль, SMS пароль то самое время вернуться на O-Panel и нажать соответствующую команду. Команда которая приведет к тому что страница на которой находится жертва покажет ему запрос того что вам надо.[1 image here...not available at dump time]После того как жертва ввела в форму Tooken ,она снова уходит в режим ожидания, и Вы снова должны определиться что делать и какую команду ему дать. И так до бесконечности или пока жертва не Закроет страницу. Но если все-таки это надоест вам то у васесть два варианта распрощаться жертвой. это поставить блок [1 image here...not available at dump time]или перенаправить его на оригинал страницу.[1 image here...not available at dump time]При работе с одним посетителем могут стучать другие новые.Это будет отвлекать и все новые посетители будут ждать. чтобы этого избежать на главной странице есть ричашки которые контролируютрегистрацию новых посетителей и переадресацию старых поголовно. Если поставить регистрацию OFF ,то в админке только будут работать Те кто уже Там есть, все новые будут попадать на оригинал страницы контор.A если поставить редирект всех ,то все посетители(жертвы) кто есть в админке будут перенаправлены на свои оригинальные страницы поголовно.Это надо делать когда вы собрались к примеру уходить.------------------------------------------On april 2016 the 4th:------------------------------------------увжаемые друзьяновые инжекты под Андроид------------------------------------------On april 2016 the 11th:------------------------------------------Продается Пак инжектов под андроид для сбора карт.WhatsUpFacebookInstagramViberSkaypGooglePlayPrice:450$user posted imageОбезательно посмотрите видео. В инжектах реализованы Responsive & animations приемы.[Redacted]pass:1qaz------------------------------------------File mirrored here (pass : 1qaz)On april 2016 the 12th:------------------------------------------Pack of Injects for Columbia banks for sale.Credit cards colectors with admin panel on https domen.bancofalabellarbmcolombiacolpatriabancolombiabbvanetbancodeoccidentebancodebogotabancopichinchaPrice:800$[3 images here...not available at dump time]Video: [Redacted]Pass:columbia ------------------------------------------File mirrored here  (pass: columbia)On april 2016 the 14th:------------------------------------------Pack of Injects for Canada banks for sale.Credit cards colectors with admin panel on https domen.TdCibcBmoDesjRbcPrice:500$[3 images here...not available at dump time]Video: [Redacted]Pass:canada ------------------------------------------File mirrored here (pass: canada)On april 2016 the 18th:------------------------------------------Недавно вышел апдейт на U-admin(Universal Admin).Теперь все более соответствует написанному выше описанием.Админ панель теперь имеют специальную директорию под plugins, и все плагины в этой директории автоматически прописывается в админке.[1 image here...not available at dump time]Например, вы приобрели U-admin а потом "Log parser Plugin". Для этого вам просто надо поставить папку Log parser в плагин директорию в админке.Также был разработан VNC плагин который дает возможность коннектится к вашему botnet API с запросом на соединение по VNC/SOCKS для определенного бота.Этот плагин является дополнением к "Tooken Intercept" плагина про который я писал вам выше. Если вы используете "Tooken Intercept" с инжектороми в вашем боте есть в VNC, и в админке вашего Бота есть API управление VNC то при наличии VLC plugin в U-admin возможно сделать запрос на соединение по vnc или socks с ботом.Как правило это делается автоматически при самом первом соединение с инжектоm,то есть когда жертва заходит на страницу перехвата.В связи с этим была слегка переделана O-Panel где в команды была добавлена новая опция проверки статуса VNC/SOCKS соединение.[1 image here...not available at dump time]Куда ,как вы видите, при успешном соединении выводятся данные на VNC/SOCKS------------------------------------------File Tree from some components :Folder PATH listingUADMIN_|   cp.php|   head.php|   index.php|   login.php|   session.php|  +---files|   |   animate.css|   |   bootbox.min.js|   |   bootstrap-notify.min.js|   |   bootstrap-social.css|   |   hover-min.css|   |   index.php|   |   jquery-ui.css|   |   jquery-ui.min.js|   |   jquery.js|   |   my.css|   |  |   +---bootstrap|   |   +---css|   |   |       bootstrap-theme.css|   |   |       bootstrap-theme.css.map|   |   |       bootstrap-theme.min.css|   |   |       bootstrap-theme.min.css.map|   |   |       bootstrap.css|   |   |       bootstrap.css.map|   |   |       bootstrap.min.css|   |   |       bootstrap.min.css.map|   |   |      |   |   +---fonts|   |   |       glyphicons-halflings-regular.eot|   |   |       glyphicons-halflings-regular.svg|   |   |       glyphicons-halflings-regular.ttf|   |   |       glyphicons-halflings-regular.woff|   |   |       glyphicons-halflings-regular.woff2|   |   |      |   |   +---js|   |   |       bootstrap.js|   |   |       bootstrap.min.js|   |   |       npm.js|   |   |      |   |   \---switch|   |           bootstrap-switch.min.css|   |           bootstrap-switch.min.js|   |          |   +---dt|   |       dataTables.bootstrap.min.css|   |       dataTables.bootstrap.min.js|   |       jquery.dataTables.min.js|   |      |   \---images|           ui-icons_444444_256x240.png|           ui-icons_555555_256x240.png|           ui-icons_777620_256x240.png|           ui-icons_777777_256x240.png|           ui-icons_cc0000_256x240.png|           ui-icons_ffffff_256x240.png|          +---opt|       geo_switch.txt|       index.php|       theme.txt|      +---plugins|   +---intercept|   |   |   bc.php|   |   |   class.jabber.php|   |   |   dynamic__part.php|   |   |   functions.php|   |   |   gate.php|   |   |   head.php|   |   |   index.php|   |   |   main.php|   |   |   panel.php|   |   |   text.php|   |   |  |   |   +---ajax|   |   |       cp_ajax.php|   |   |       index.php|   |   |      |   |   +---files|   |   |   |   animate.css|   |   |   |   bootbox.min.js|   |   |   |   bootstrap-notify.min.js|   |   |   |   bootstrap-social.css|   |   |   |   hover-min.css|   |   |   |   index.php|   |   |   |   jquery-ui.css|   |   |   |   jquery-ui.min.js|   |   |   |   jquery.js|   |   |   |   my.css|   |   |   |  |   |   |   +---bootstrap|   |   |   |   +---css|   |   |   |   |       bootstrap-theme.css|   |   |   |   |       bootstrap-theme.css.map|   |   |   |   |       bootstrap-theme.min.css|   |   |   |   |       bootstrap-theme.min.css.map|   |   |   |   |       bootstrap.css|   |   |   |   |       bootstrap.css.map|   |   |   |   |       bootstrap.min.css|   |   |   |   |       bootstrap.min.css.map|   |   |   |   |      |   |   |   |   +---fonts|   |   |   |   |       glyphicons-halflings-regular.eot|   |   |   |   |       glyphicons-halflings-regular.svg|   |   |   |   |       glyphicons-halflings-regular.ttf|   |   |   |   |       glyphicons-halflings-regular.woff|   |   |   |   |       glyphicons-halflings-regular.woff2|   |   |   |   |      |   |   |   |   +---js|   |   |   |   |       bootstrap.js|   |   |   |   |       bootstrap.min.js|   |   |   |   |       npm.js|   |   |   |   |      |   |   |   |   \---switch|   |   |   |           bootstrap-switch.min.css|   |   |   |           bootstrap-switch.min.js|   |   |   |          |   |   |   +---dt|   |   |   |       dataTables.bootstrap.min.css|   |   |   |       dataTables.bootstrap.min.js|   |   |   |       jquery.dataTables.min.js|   |   |   |      |   |   |   \---images|   |   |           ui-icons_444444_256x240.png|   |   |           ui-icons_555555_256x240.png|   |   |           ui-icons_777620_256x240.png|   |   |           ui-icons_777777_256x240.png|   |   |           ui-icons_cc0000_256x240.png|   |   |           ui-icons_ffffff_256x240.png|   |   |          |   |   \---public|   |           .ht.db|   |           index.php|   |           Removed.txt|   |          |   +---log_parser|   |   |   functions.php|   |   |   gate.php|   |   |   head.php|   |   |   index.php|   |   |   main.php|   |   |  |   |   +---ajax|   |   |       server_side.php|   |   |       ssp.class.php|   |   |      |   |   +---classes|   |   |       browser.php|   |   |      |   |   +---files|   |   |   |   animate.css|   |   |   |   bootbox.min.js|   |   |   |   bootstrap-notify.min.js|   |   |   |   bootstrap-social.css|   |   |   |   hover-min.css|   |   |   |   jquery-ui.min.js|   |   |   |   jquery.js|   |   |   |   my.css|   |   |   |  |   |   |   +---bootstrap|   |   |   |   +---css|   |   |   |   |       bootstrap-theme.css|   |   |   |   |       bootstrap-theme.css.map|   |   |   |   |       bootstrap-theme.min.css|   |   |   |   |       bootstrap-theme.min.css.map|   |   |   |   |       bootstrap.css|   |   |   |   |       bootstrap.css.map|   |   |   |   |       bootstrap.min.css|   |   |   |   |       bootstrap.min.css.map|   |   |   |   |      |   |   |   |   +---fonts|   |   |   |   |       glyphicons-halflings-regular.eot|   |   |   |   |       glyphicons-halflings-regular.svg|   |   |   |   |       glyphicons-halflings-regular.ttf|   |   |   |   |       glyphicons-halflings-regular.woff|   |   |   |   |       glyphicons-halflings-regular.woff2|   |   |   |   |      |   |   |   |   +---js|   |   |   |   |       bootstrap.js|   |   |   |   |       bootstrap.min.js|   |   |   |   |       npm.js|   |   |   |   |      |   |   |   |   \---switch|   |   |   |           bootstrap-switch.min.css|   |   |   |           bootstrap-switch.min.js|   |   |   |          |   |   |   \---dt|   |   |           dataTables.bootstrap.min.css|   |   |           dataTables.bootstrap.min.js|   |   |           jquery.dataTables.min.js|   |   |          |   |   \---public|   |           .htBd.db|   |           geo_switch.txt|   |           index.php|   |           theme.txt|   |          |   +---settings|   |   |   functions.php|   |   |   index.php|   |   |   main.php|   |   |  |   |   \---public|   |           cfg.php|   |           index.php|   |          |   +---style|   |   |   functions.php|   |   |   index.php|   |   |   main.php|   |   |  |   |   \---public|   |           index.php|   |          |   \---text|       |   functions.php|       |   main.php|       |   text.php|       |  |       \---public|               index.php|               texts.txt|              \---scrNote: If you are interested by the [Redacted] part please send a mail

Simulacra & Simulation - Jean BaudrillardFeatured in MatrixBedep could be described as a fileless loader with a resident module that can optionally perform AdFraud. It's intimate to Angler EK and appeared around August 2014. On the 2016-03-24 I noticed several move in Bedep. Angler infecting a VM and integrating it into an instance of Bedep botnet2016-03-24No more variable in the URI (as several month before), the protocol Key changed and in most of my manual checks, all threads were sending a strange payload in the first stream.2ko size for Win7 64bits :80eb8a6aba5e6e70fb6c4032242e9ae82ce305d656b4ed8b629b24e1df0aef9aPopup shown by the first payload from Bedep Stream - Win7(in the background Angler Landing)48ko size for WinXP 32bits:a0fe4139133ddb62e6db8608696ecdaf5ea6ca79b5e049371a93a83cbcc8e780Popup shown by the first payload from Bedep Stream - WinXPLooking at my traffic I thought for some time that one of the Bedep instances was split in two.Then I understood that I got different result on my "manually" driven VM (on VMWare ESXi) and my automated Cuckoo driven one ( on VirtualBox). I suspected it was related to hardening, as this is one of the main difference between those two systems.And I got confirmation. Here is an example on a GooNky ([1] [2] [3]) malvertising traffic in Australia :A VM not hardened enough against Bedep got redirected to a "decoy" instance of Bedep that i will refer as :Bedep "Robot Town" - 2016-04-12Now look what i get instead with a VM that is not spotted as is:Same Angler thread - VM not detected. 1st Stream get Vawtrak2016-04-12( Vawtrak in that stream   d24674f2f9879ee9cec3eeb49185d4ea6bf555d150b4e840407051192eda1d61 )I am not skilled enough to give you the list of checks Bedep is doing. But here is one of them spotted by Cuckoo :Bedep doing some ACPI checksI think there are multiple level of checks. Some resulting in Bedep not trying to contact the C&C, some where the positive check end up with a different seed for the Bedep DGA redirecting spotted machines in a dedicated instance. This is quite powerful :- the checks are made without dropping an executable. - if you don't know what to expect it's quite difficult to figure out that you have been trapped- there is a lot of things that operators can do with this list of known bots and initial Bedep thread ID. One of them is for instance knowing which of the infection path are researcher/bots "highway" :Illustration for Bedep "Robot Town" from an "infection path" focused point of viewThis could be just a move to perform different tasks (AdFraud only (?) ) on VMs, but my guess it that this Bedep evolution on 2016-03-24 is a fast reaction to this Proofpoint Blog from 2016-03-18 which  show how Bedep threads are additional connectable dots. Sharing publicly is often a difficult decision. The question is which side will benefits the most from it, in the long time.For researchers:In the last 3 weeks, if your VM have communicated with :95.211.205.228 (which is a Bedep ip from end of 2015 reused) || ( 85.25.41.95  && http.uri.path  "ads.php?sid=1901" ) and you are interested by the "real payload" then you might want to give PAfish a run.Marvin - Paranoid AndroidOn the other hand, any of your VM which has communicated with 104.193.252.245 (Bedep "standard" 18xx 19xx instance)  since the 24 of March is hardened enough to grab the real payload.[Edits]- Removed the AU focused mention on the Vawtrak. I have been told (Thanks ! ) it's US focused. Got geo Glitched. Maybe more about that a day or the other.- Refine the check conditions for Researcher. IP  85.25.41.95 and sid=1901...otherwise...ok :)[/Edits]Acknowledgements :Thanks Will Metcalf and Malc0de for the discussions and help on this topic--I'm sorry, but I must do it...Greetings to Angler and Bedep guys. 😉 You are keeping us busy...and awake !Reading :Video Malvertising Bringing New Risks to High-Profile Sites - 2016-03-18 - ProofpointBedep’s DGA: Trading Foreign Exchange for Malware Domains - 2015-04-21 - Dennis Schwarz - ArborSertAngler EK : now capable of "fileless" infection (memory malware) - 2014-08-30Modifying VirtualBox settings for malware analysis - 2012-08-23  - Mikael Keri

Spotted in a "degraded" version on the 2016-04-02 in Magnitude, live also since 2016-03-31 in Nuclear Pack, Adobe was really fast at fixing  this vulnerability with the patch released on the 2016-04-07 bringing Flash Player to version 21.0.0.213It's not the first time a "0day" exploit is being used in a "degraded" state.This happened before with Angler and CVE-2015-0310 and CVE-2014-8439You'll find more details about the finding on that Proofpoint blog here :"Killing a zero-day in the egg: Adobe CVE-2016-1019"and on that FireEye blog here:CVE-2016-1019: A new flash exploit included in Magnitude Exploit KitNote : we worked with Eset, Kaspersky and Microsoft as well on this case.Nuclear Pack :2016-03-31 "Degraded"Identification by  Eset, Kaspersky and FireEye (Thanks)Exploit sent to Flash Player 20.0.0.306 by Nuclear Pack on the 2016-03-31CVE-2016-1019 insideSample in that pass:  301f163644a525155d5e8fe643b07dceac19014620a362d6db4dded65d9cad90Out of topic example of payload dropped that day by that instance of Nuclear : 42904b23cff35cc3b87045f21f82ba8b (locky)Note the string "CVE-2016-1001" in the Nuclear Pack, explaining why maybe this exploit is being used in a degraded state.CVE-2016-1001 string spotted by Denis O'Brien (Malwageddon), the 2016-04-05 in Nuclear Pack exploitMagnitude :2016-04-02 "Degraded" to 20.0.0.306Identified as is by FireEye[2016-04-07: TrendMicro told me they found some hits for this exploit in Magnitude back from 2016-03-31 as well]Magnitude exploiting Flash 20.0.0.306 with CVE-2016-1019 the 2016-04-02 in the morning.Payload is Cerber.Side note : the check on the redirector in front of Magnitude ( http://pastebin.com/raw/gfEz25fa ) which might have been fixed with the CVE-2015-2413 was in Magnitude landing itself from September to end of November 2015.res:// onload check features unobfuscated at that time in Magnitude Landing 2015-09-29Sample in that pass: 0a664526d00493d711ee93662a693eb724ffece3cd68c85df75e1b6757febde5Out of topic payload: 9d92fb315830ba69162bb7c39c45b219cb8399dd4e2ca00a1e21a5457f92fb3c Cerber RansomwareNote: I got successful pass with Windows 8.1 and Flash 20.0.0.272 as well and Windows 10 build 1511 (feb 2016) via Flash 20.0.0.306 on Internet Explorer 11. Edge seems not being served a landing.Neutrino:2016-04-11 - "degraded" as well it seems. (at least didn't got it to work on Flash 21.x)CVE id by @binjo and Anton Ivanov (Kaspersky)Neutrino successfully exploit Flash 20.0.0.306 with CVE-2016-10192016-04-11Fiddler : Sent to vtOut of topic payload: 83de3f72cc44215539a23d1408c140ae325b05f77f2528dbad375e975c18b82e Reading :Killing a zero day in the egg : CVE-2016-1019 - 2016-04-07 - ProofpointCVE-2016-1019: A new flash exploit included in Magnitude Exploit Kit - 2016-04-07 -  Genwei Jiang - FireEyeZero-Day Attack Discovered in Magnitude Exploit Kit Targeting CVE-2016-1019 in Older Versions of Adobe Flash Player - 2016-04-07 - Peter Pi, Brooks Li and Joseph C. Chen - TrendMicro

Two weeks after Flash patch,  two months after last Flash exploit integration in Angler, on the 2016-03-25 Angler EK, in some threads, is starting to send an exploit to Flash Player 20.0.0.270 and 20.0.0.306I tried multiple configuration but I was not able to get exploited. The following day I got successful infections with Flash 20.0.0.270 and 20.0.0.306.Angler EK :2016-03-25The CVE here has been identificated as CVE-2016-1001 by Eset and Kaspersky (Thanks)2016-03-26 - Angler EK successfully exploiting Flash 20.0.0.306 in Internet Explorer 11 on Windows 7Fiddler sent to VT here.Hash of the associated SWF fwiw : b609ece7b9f4977bed792421b33b15daObserved as well : ab24d05f731caa4c87055af050f26917 - c4c59f454e53f1e45858e95e25f64d07NB : this is just "one" pass.  Angler EK can be used to spread whatever its customers want to spread .Selected examples I saw in the last 4 days : Teslacrypt (ID 20, 40,52, 74 ,47) , Locky (affid 14 - 7f2b678398a93cac285312354ce7d2b7  and affid 11 - f417b107339b79a49e4e63e116e84a32), GootKit b9bec4a5811c6aff6001efa357f1f99c, Vawtrak  0dc4d5370bc4b0c8333b9512d686946cRamnit 99f21ba5b02b3085c683ea831d79dc79Gozi ISFB (DGA nasa) 11d515c2a2135ca00398b88eebbf9299BandarChor, (several instances, ex f97395004053aa28cadc6d4dc7fc0464 - 3c9b5868b4121a2d48b980a81dda8569 )Graybird/LatentBot f985b38f5e8bd1dfb3767cfea89ca776Dridex - b0f34f62f49b9c40e2558c1fa17523b5 (this one was 10 days ago..but worth a mention)Andromeda (several instances)and obviously many Bedep threads and their stream of PE (evotob, reactorbot (several instances), Tofsee, Teslacrypt,Kovter, Miuref)Edit 1: 2016-03-29 -  I was mentioning 2016-1010 as a candidate but it's not. Modified with the correct CVE ID provided by Eset and Kaspersky..

Fixed with the January 2016 Microsoft patches, CVE-2016-0034  ( MS16-006 ) is a Silverlight Memory Corruption vulnerability and it has been spotted by Kaspersky with rules to hunt Vitaliy Toropov’s unknown Silverlight exploit mentioned in HackingTeam leak.Angler EK :On the 2016-02-18 the landing of Angler changed slightly to integrate this piece of code :Silverlight integration Snipet from Angler Landing after decoding2016-02-18resulting in a new call if silverlight is installed on the computer:Angler EK replying without body to silverlight callHere a Pass in great britain dropping Vawtrak via Bedep buildid 77862016-02-18I tried all instances i could find and the same behavior occured on all.2016-02-22 Here we go : call are not empty anymore.Angler EK dropping  Teslacrypt via silverlight  5.1.41105.0 after the "EITest" redirect 2016-02-22I made a pass with Silverlight : 5.1.41212.0 : safe.Edit1 : I received confirmation that it's indeed CVE-2016-0034 from multiple analyst including Anton Ivanov (Kaspersky). Thanks !Xap file : 01ce22f87227f869b7978dc5fe625e16Dll : 22a9f342eb367ea9b00508adb738d858Out of topic payload : 6a01421a9bd82f02051ce6a4ea4e2edc (Teslacrypt)Fiddler sent hereRIG : 2016-03-29Malc0de spotted modification in the Rig landing indicating integration of Silverlight Exploit.Here is a pass where the Silverlight is being fired and successfully exploited. CVE identification by : Anton Ivanov (Kaspersky)RIG - CVE-2016-0034 - 2016-03-29Xap file in that pass :  acb74c05a1b0f97cc1a45661ea72a67a080b77f8eb9849ca440037a077461f6bcontaining this dll : e535cf04335e92587f640432d4ec3838b4605cd7e3864cfba2db94baae060415( Out of topic payload : Qbot 3242561cc9bb3e131e0738078e2e44886df307035f3be0bd3defbbc631e34c80 )Files : Fiddler and sample (password is malware)Reading :The Mysterious Case of CVE-2016-0034: the hunt for a Microsoft Silverlight 0-day - 2016-01-13 - Costin Raiu & Anton Ivanov - KasperskyPost Publication Reading:(PDF) Analysis of Angler's new silverlight Exploit - 2016-03-10 - Bitdefender Labs

Lately I received multiple questions about connection between Reveton and Cryptowall.I decided to have a look.A search in ET Intelligence portal at domains from Yonathan's Cryptowall TrackerET Intelligence search on Specspa .comshow that the first sample ET has talking with it is :e2f4bb542ea47e8928be877bb442df1b  2013-10-20A look at the http connexion shows the "us.bin" call mentioned by Yonathan (btw the us.bin item is still live there)ET Intelligence  : e2f4bb542ea47e8928be877bb442df1b http connexionsET Intelligence : Associated alert pointing at Cryptowall.A look into VirusTotal Intelligence shows that this sample is available in a Pcap captured and shared by ThreatGlass :NSFW://www.threatglass .com/malicious_urls/sunporno-comHiman EK dropping Cryptowall 2013-10-20captured by ThreatGlassWith the same referer and in the same Exploit Kit i got dropped 20 days earlier Flimrans :(See : http://malware.dontneedcoffee.com/2013/10/HiMan.html )Flimrans disappeared soon after this post from 2013-10-08 about the affiliate :http://malware.dontneedcoffee.com/2013/10/flimrans-affiliate-borracho.htmlInterestingly Flimrans is showing in US the same Design from Reveton pointed by Yonathan :Flimrans US 2013-10-03What is worth mentioning is that Flimrans was the only ransomware (i am aware of) to show a Spanish version of this same design :Flimrans ES 2013-10-03The timeline is also inline with a link between those two Ransomware (whereas Reveton was still being distributed months after these events).Digging into my notes/fiddlers i even found that this bworldonline .com which is still hosting the us.bin was in fact also the redirector to HiMan dropping Flimrans 20 days earlier from same sunporno upper.[The credits goes to Eoin Miller who at that time pointed that infection path allowing me to replay it]The compromised server storing the first design Blob used by cryptowallused to redirect 20 days earlier to Himan dropping Flimrans (which is using that same design).So...Cryptowall son of Borracho? I don't know for sure...but that could to be a possibility.Files : Items mentionned here. (password is malware)Read More:HiMan Exploit Kit. Say Hi to one more - 2013-10-02Flimrans Affiliate : Borracho - 2013-10-08

While other exploit kit are struggling to keep up with Angler (none is firing CVE-2015-8446 , maybe because of the Diffie-Hellman protection on Angler's exploits ),- Nuclear / Magnitude and Neutrino last exploits are from October (CVE-2015-7645)- RIG and Sundown are relying on July exploits (Hacking Team's one - CVE-2015-5122)( all have the IE CVE-2015-2419 from august)Angler has just integrated CVE-2015-8651 patched with Flash 20.0.0.270 on 2015-12-28Angler EK : 2016-01-25The exploit might be here since the 22 based on some headers modification which appeared that day.It's not yet pushed in all Angler EK threads but widely spread.Thanks Anton Ivanov (Kaspersky) for CVE Identification !CVE-2015-8651 (and CVE-2015-2419) being successfully exploited by Angler EK to load bedep in memory2016-01-25Fiddler sent to VT.---Another pass via the "noisy" Cryptowall "crypt13x" actor which threads also has it :CVE-2015-8651 being successfully exploited by Angler EK to load Cryptowall  (crypt13001)from the widely spread and covered "crypt13x" actor thread - 2016-01-25(Out of Topic payload : 5866906a303b387b9918a8d7f8b08a51 Cryptowall crypt13001 )I have been told by Eset that the exploit is successful on Flash 20.0.0.235 and Firefox.---I spotted a thread serving a landing and an exploit to Firefox.2016-03-23 Firefox pass with Sandbox escape :Angler EK exploiting CVE-2015-8651 on Firefox 33.1.1 and Flash 20.0.0.305Bedep successfully wrote its payload on the drive.2016-03-23Files : Fiddler in a zip (password malware)Neutrino :Thanks Eset for identifying the added CVE here.Neutrino Exploiting CVE-2015-8651 on 2016-02-09Here Bunitu droppedNote: For some reason couldn't have it working with Flash 20.0.0.228.Files : Fiddler here (password is malware)Nuclear Pack:Thanks again Eset for CVE identification here.Nuclear Pack exploit CVE-2015-8651 on 2016-02-10Out of topic payload: cdb0447019fecad3a949dd248d7ae30f which is a loader for CloudScout (topflix .info - which we can find in RIG as well those days)It seems Chrome won't save you if you do let it update.2016-02-17 on DE/US/FR trafficThis is not something i can reproduce.Is what i get with Chrome 46.0.2490.71 and its builtin 19.0.0.207 (which should fast update itself to last version)Files : Fiddler here (password: malware)Magnitude:2016-02-18CVE ID confirmed by Anton Ivanov (Kaspersky)Magnitude dropping Cryptowall via CVE-2015-86512016-02-18Files : Fiddler here (Password is malware)RIG :Some days before 2016-04-06Thanks FireEye for CVE identification.CVE-2015-8651 successfuly exploited by RIG on 2016-04-07Sample in that pass: 4888cc96a390e2970015c9c1d0206011a6fd8e452063863e5e054b3776deae02( Out of topic payload: 30cb7ed7a67eb08fa2845990b7270d64d51e769d6e0dad4f9c2b8e7551bced0a Probably Godzilla downloader)Files : RIG_2016-04-07 (swf, payload and Fiddler - password is malware)Read More:(GoogleTranslate - via @eromang ) Offshore "Dark Hotel" organization of domestic business executives launched APT attacks - 2015-12-31 - ThreatBookPost publication reading :An Analysis on the Principle of CVE-2015-8651 - Antiy Labs - 2016-01-26

Snipshot of MonterAV AffiliateAs I got many questions about an EK named XXX (that is said to be better than Angler 😉 ) I decided to share some data here.XXX Control Panel Login Page.XXX is Angler EK ( it's the real name of its most documented instance at least)Angler EK / XXX  IE sploit only Stats on 2015-07-25(for some reason Flash Exploits were not activated on that thread)Note the Chase Logo >> JPMorgan  >>  Cool EK's Exploit Buyer ;)You might want to read "The Transition - "Reveton Team" or "Mr.J/Monster AV" from :Paunch's arrest...The end of an Era ! (2013-10-11) . This is where I first wrote the defense chosen name for this Exploit Kit. The name is chosen after a logo from the Reveton Affiliate.Snipshot of "The Transition" after Paunch's ArrestBut Angler was around before the Reveton team started to use it.Here is one used against Ukrainian that i captured  in August 20132013-08-27 - Exploit Kit unknown to me at that timeAncestor of Angler EK as we know it[Payload here is most probably Lurk]when Reveton Team was still on Cool EK. It appears that instance had already Fileless capabilities.A Russian researcher friend connect that instance back to this Securelist post from 2012-03-16 : A unique ‘bodiless’ bot attacks news site visitorsSo the (c) 2010 at the bottom of the control panel is probably...the real birth year of Angler.This indexm.html variant of Angler EK is most probably still being used in RU/UA and was one of the early adopter of CVE-2015-0311 (a flash 0day from January) before many "standard" instances of Angler. There was still java exploit inside in march2015-01-27 - Angler EK "indexm" exploiting CVE-2015-2551 and firing Java exploits[Payload here is most probably Lurk]Angler EK has been briefly mentioned (translation here ) as part of a "partnerka" by a user using Menatep as Nickname in February 2014Conclusion : xxx is what we call Angler EK and Angler EK (indexm instance) is not that young!Files : 2 Fiddler pass of Angler EK "indexm" from 2013 and 2015 (Password : malware)Read More :Police Locker land on Android Devices - 2014-05-04Paunch's arrest...The end of an Era ! - 2013-10-11Crimeware Author Funds Exploit Buying Spree - 2013-01-07 - KrebsOnSecurityCool Exploit Kit - A new Browser Exploit Pack on the Battlefield with a "Duqu" like font drop - 2012-10-09A unique ‘bodiless’ bot attacks news site visitors - 2012-03-16 - Sergey Golovanov - SecurelistPost publication Reading :Russian hacker gang arrested over $25m theft - 2016-06-02 - BBC News [Cf Lurk]Is it the End of Angler ? - 2016-06-11How we helped to catch one of the most dangerous gangs of financial cybercriminals - 2016-08-30 - SecureList

One week after patch Flash 19.0.0.245 is being exploited by Angler EK via CVE-2015-8446Angler EK :2015-12-14CVE identification by Anton Ivanov ( Kaspersky ) and FireEye  (Thanks !)Angler EK exploiting Flash 19.0.0.245 via CVE-2015-84462015-12-14Sample in that pass : b5920eef8a3e193e0fc492c603a30aafSample from other Angler EK instance : 0615fb9e037b7bf717cc9b04708e51da 720089b93a0f2bb2a72f1166430de522Fiddler sent to VT.(Not replayable. You know how to contact me to land on live instances. I might not reply to mail coming from gmail,live,yahoo etc...  mailboxes)Out of topic : in that pass Bedep BuildID 5004 is loaded in Memory and is then grabbing those 2 dll in a streamf5c1a676166fe3472e6c993faee42b34d65f155381d26f8ddfa304c83b1ad95a (Credential Stealer)and after that performing AdfraudCVE-2015-8446 in Angler EK - malicious mp3 is stored in encrypted JSON (same schema as in CVE-2015-5560). pic.twitter.com/FCyvP43Q0X— Anton Ivanov (@antonivanovm) December 17, 2015 Last safe version of Flash against commercial exploit kit  was 19.0.0.226 fixing CVE-2015-7645Post publication readings :(Google Translate) Angler EK latest CVE-2015-8446 Flash Exploit analysis - 2015-12-19 - Qihoo360

Yesterday's Nymaim spam campaign was also redirecting to Nuclear Pack.Without big surprise the sample ( 592899e0eb3c06fb9fda59d03e4b5b53 ) dropped by Nuclear is the same as the fake update proposed.But there was an additionnal 11kb payload call for which i could not find sample on driveNuclear Pack dropping Nymaim in the 2015-11-30 Spam CampaignIt was also unusually encoded with two XOR pass and first part of the decoded stream is a Shellcode.Friends (who don't want to be mentioned) figured a privilege escalation was in use there :According to Kaspersky and Timo Hirvonen (F-Secure) it's CVE-2014-4113 ( Win32k.sys Elevation of Privilege Vulnerability )I did not got to see the privilege escalation in live condition.Note: it's not the first time a public Exploit Kit is integrating an exploit to escalates right on dropped payload (Cf CVE-2015-2426 in Magnitude )Files : Fiddler and Dll here (password is malware - XOR key : 56774347426F664767  then  213404052d09212031)Thanks : Kaspersky,  Timo Hirvonen , Malc0de and 2 other friends for taking some time and use their wizardness  on this.Read More :An Analysis of A Windows Kernel-Mode Vulnerability (CVE-2014-4113) - 2014-10-29 - TrendMicro

Trash and Mailbox by Bethesda SoftworksOtlard.A (or let's say at least the malware triggering 2806902 || ETPRO TROJAN Win32.Otlard.A C&C Checkin response )  is a Spam BotnetI saw it loaded as a plugin in an instance of AndromedaThat Andromeda is being spread via :Bedep build id 6005 and here 6007 from an Angler EK fed by Malvertising :VirtualDonna group redirecting traffic to an Angler instance loading Bedep buildid 6007 in memoryBedep 6007 loading Andromeda 55ead0e4010c7c1a601511286f879e33 before update task.2015-09-28Note : Bedep 6007 was sometimes loading it with other payload-2015-09-16 for : ec5d314fc392765d065ff16f21722008 with Trapwot (FakeAV) e600985d6797dec2f7388e86ae3e82ba and Pony a4f08c845cc8e2beae0d157a3624b686-2015-09-29 for : 37898c10a350651add962831daa4fffa with Kovter ( 24143f110e7492c3d040b2ec0cdfa3d0 )That Andromeda beaconing to dnswow .com enslaved >10k bots in a week :Andromeda dnswow 2015-11-22Andromeda dnswow 2015-11-27Here the Otlard.A task in that Andromeda instance :Task installing Otlard.A as a plugin to Andromedaa Task in a Smokebot dropped by Nuclear Pack fed by Malvertising :Malvertising > Nuclear Pack > Smokebot > Stealer, Ramnit, Htbot and Andromeda > Otlard.A2015-11-28Smokebot : cde587187622d5f23e50b1f5b6c86969Andromeda : b75f4834770fe64da63e42b8c90c6fcd(out of topic Ramnit : 28ceafaef592986e4914bfa3f4c7f5c0 - It's being massively spread those days in many infection path. (Edit 2015-12-29 :  Htbot.B :  d0a14abe51a61c727420765f72de843a named ProxyBack by PaloAlto)Now here is what the control panel of that plugin looks like :Otlard.A panel :Otlard.A - JahooManager - Main - 2015-09-27Otlard.A - JahooManager - Servers - 2015-09-27Otlard.A - JahooManager - Settings - 2015-09-27Otlard.A - JahooManager - Campaigns - 2015-09-27Otlard.A - JahooManager - Bot - 2015-09-27that exe is : 2387fb927e6d9d6c027b4ba23d8c3073 and appears to be AndromedaOtlard.A - JahooSender - Tasks - 2015-09-27Otlard.A - JahooSender - Tasks - 2015-11-28Otlard.A - JahooSender - Tasks - Done Task - 2015-09-27Otlard.A - JahooSender - Domains - 2015-09-27Otlard.A - JahooSender - Domains - 2015-11-28Otlard.A - JahooSender - Messages - 2015-09-27Otlard.A - JahooSender - Messages - 2015-11-28Otlard.A - JahooSender - Messages - Edit a Message - 2015-11-28Otlard.A - JahooSender - Messages - Edit a Message - 2015-11-28Otlard.A - JahooSender - Messages - Edit a Message - 2015-11-28Otlard.A - JahooSender - Headers - 2015-11-28Otlard.A - JahooSender - Headers - Editing Header - 2015-11-28Otlard.A - JahooSender - Headers - Editing Header - 2015-11-28Otlard.A - JahooSender - Macross - 2015-11-28Otlard.A - JahooSender - Macross - 2015-11-28Otlard.A - JahooSender - Macross - Editing macross - 2015-11-28Otlard.A - JahooSender  - Macross - Editing macross - 2015-11-28Otlard.A - JahooSender - Macross - Editing macross - 2015-11-28Otlard.A - JahooSender - Attach - 2015-11-28Otlard.A - JahooSender - Attach - Attached image - 2015-11-28Otlard.A - JahooSender - Rules - 2015-11-28Otlard.A - JahooSender - Rules > Spam - 2015-11-28Olard.A - JahooSender - Rules > User - 2015-11-28Olard.A - Bases - Emails - 2015-11-28Olard.A - Bases - Blacklist - 2015-11-28Olard.A - Bases - Blacklist - Edit - 2015-11-28Olard.A - Botnet - Main - 2015-09-27Olard.A - Botnet - Main - 2015-11-28Otlard.A - Botnet - Modules - 2015-11-28Otlard.A - Botnet - Modules - Edit - 2015-11-28Otlard.A - Incubator - Accounts - 2015-11-28Otlard.A - Incubator - Settings - 2015-11-28Note : registrator menu has disappeared in last version. --Andromeda C&C 2015-11-28 :5.8.35.241202023 | 5.8.35.0/24 | LLHOST | EU | llhost-inc.com | LLHost IncSpam Module C&C 2015-11-28 :5.8.32.10 5.8.32.85.8.32.525.8.34.205.8.32.535.8.32.56202023 | 5.8.32.0/24 | LLHOST | EU | zanufact.com | LLHost IncThanks : Brett StoneGross for helping me with decoding/understanding the network communicationsFiles :All samples which hashes have been discussed here are in that zip.Jahoo - socker.dll : 7d14c9edfd71d2b76dd18e3681fec798( If you want to look into this, i can provide associated network traffic)Read More :Inside Andromeda Bot v2.06 Webpanel / AKA Gamarue - Botnet Control Panel 2012-07-02Inside Pony 1.7 / Fareit C&C - Botnet Control Panel - 2012-06-27Inside Smoke Bot - Botnet Control Panel - 2012-04-28Post publication Reading :ProxyBack Malware Turns User Systems Into Proxies Without Consent - 2015-12-23 - JeffWhite - PaloAlto

The CVE-2015-7645 has been fixed with Adobe Flash Player 19.0.0.226. Spotted in the wild (2015-10-13) in APT28's exploit kit by TrendMicro, this exploit was already reported 2 weeks before (2015-09-29) to Adobe by Natalie Silvanovich.I reported the Flash 0-day (CVE-2015-7645) two weeks before it was found in the wild https://t.co/nYeAWRG5jO— Natalie Silvanovich (@natashenka) 16 Octobre 2015 It has now made its way to Exploit KitAngler EK :2015-10-29CVE id confirmed by by Anton Ivanov ( Kaspersky )Angler EK successfully exploiting Flash 19.0.0.2072015-10-29Flash sample in that pass : 4af57fb1c71bb9c1599371d48240ff36Another sample : bea824974f958ac4efc58484a88a9c18One more from the Poweliks instance : 0d72221d41eff55dcfd0da50cd1c545eNot replayable fiddler sent to VTOut of topic sample loaded by bedep :5a60925ea3cc52c264b837e6f2ee915e Necursa9d5a9a997954f5421c94ac89d2656cd Vawtrak ( < that one was not expected in that infection path)2016-03-12Edge is now being served a landing and the flash being sent is targeting this CVE according to Kaspersky and EsetAngler EK exploiting Flash 18.0.0.209 on Windows 10 (build 10240) through EdgeFiddler : AnglerEK_Edge_18.0.0.209_2016-03-11.zipNuclear Pack:2015-10-30Nuclear Pack which has been playing with landing URI pattern lately has integrated itCVE-2015-7645 in Nuclear Pack on 2015-10-30Sample in that pass : f5dd2623ae871d58483bf14ec5d635e4Out of topic payload : 0b3de2a8d838883e10a1d824d20fe95c Kelihos Loader (harsh02)Fiddler sent to VTMagnitude:2015-11-10Magnitude trying to exploit CVE-2015-76452015-11-10Spotted sample : 21993dd3b943d935a9296aeff831cbb9 CVE id confirmed by Timo HirvonenNo payload but the actor behind that thread would like to see you Cryptowalled. Update might come.Spartan :2015-11-12Without surprise as Spartan is the work of the coder of Nuclear Pack.Note : old version of Chrome <= 43.0.257 and Firefox < 38 seems to be falling as wellSpartan pushing Pony and Alphacrypt via CVE-2015-76452015-11-12Sample in that pass : 1c074c862d3e25ec9674e6bd62965ad8  (another one: 66f34cd7ef06a78df552d18c729ae53c )(out of topic payload : Pony: 29c940f9d0805771e9c7ec8a5939fa25 (45.63.71.12 /myadvert/autoget.php) and Cryptowall 74ebff4acc4ad9c2a2e665ff293c02e6  NB earlier today drops were Pony and Alphacrypt ) Fiddler sent to VTNeutrino:Most probably appeared 2015-10-16Necurs being dropped by Neutrino via CVE-2015-76452015-11-17Sample in that pass: 7dd9813ef635e98dd9585deaefecfcff(Out of topic payload : Necurs a83a96e87e80adef1e4598a645f2918c )Fiddler sent to VT  (You might want to read the detailed analysis by Trustave)Read More :Adobe Flash: Type Confusion in IExternalizable.writeExternal When Performing Local Serialization - 2015-09-29 - Natalie SilvanovichNew Adobe Flash Zero-Day Used in Pawn Storm Campaign Targeting Foreign Affairs Ministries - 2015-10-13 - Feike Hacquebord - Brooks Li - Peter Pi - TrendMicroLatest Flash Exploit Used in Pawn Storm Circumvents Mitigation Techniques - 2015-10-16 - Peter Pi - TrendMicroPost Publication Reading :Neutrino Exploit Kit – One Flash File to Rule Them All - 2015-12-28 - Daniel Chechik and Anat Davidi - Spiderlabs/Trustwave

In the post on the UK focused Shifu I illustrated malvertising traffic to Angler.The traffer group behind this activity is the same exposed by BelchSpeak from Invincea in many tweets (explaining the addition of code to spot Invincea Sandbox)  FoxIT in june,  Malwarebytes in September,  or Trendmicro 2 weeks ago.As it's easier to have a name to share/talk  about stuff i'll use "VirtualDonna Traffers" to refer to them (virtualdonna .com is one of the domains they used that got some attention)Earlier this year they were using https bit.ly,2015-07-11 - bit.ly as https url shortenertiny url2015-07-11 - tiny url as https url shorteneror goo.gl url shortener2015-06-12 - goo.gl as https url shorterner and switched to their own https redirector behind cloudflare around the middle of September ( naotsandhap.euTwo pass here : same source (Dailymotion), same country (Australia), same Traffer for same customer (how/why? same payload : Reactorbot  srvdexpress3 .com)Different Legit part of the chain2015-09-29then 2 weeks ago mediacpm.com and wrontoldretter.eu )https gives the traffer the ability to kill the referer chain (making it more difficult to figure out where the Exploit Kit landing spotted in the traffic is coming from).Once discovered a way to Sig this is to flag the ssl certificate being used.Those days they are using a DoubleClick https open redirect.VirtualDonna Traffers exploiting an https open redirect by Doubleclick in its chain to Angler EKGB - 2015-10-15Out of topic Payload in that pass : Shifu - 695d6fbd8ab789979a97fb886101c576 beaconing to nyctradersacademy .comDoubleclick has been informed about the issue.Post Publication Readings :The shadow knows: Malvertising campaigns use domain shadowing to pull in Angler EK - 2015-12-15 - ProofpointLet’s Encrypt Now Being Abused By Malvertisers - 2016-01-06 - TrendMicro

I noticed since several days a shift in malware distribution in the UK.Many infection path that I follow are now dropping a banker that i already saw many times, especially at the end of 2014 and mostly in Italy.First time I encountered that threat : 2014-10-08Angler EK dropping 165146e43ccee9c29b62693caf290df7 in an IT focused infection path2014-10-08At that time I learnt from Frank Ruiz ( FoxIT ) that he spotted it 1 month earlier (2014-09-03 exactly). We were using a "non public" name to talk about it.So two days ago in UK traffic :2015-09-22 - An Angler EK dropping  0598ee3e06c681d7f9e05d83bb7ea422 via malvertising on GBR trafficI saw that banking trojan again. (note : contacted,  Frank Ruiz told me that this banker activity never really stopped). What was new to me is that it was installing Apache,Apache folder installed by 0598ee3e06c681d7f9e05d83bb7ea422 2015-09-22Apache ConfigData folder of the Apache installationCustomers of 4 financial institutions are targeted by the injects stored in the config.xmlconfig.xmlThe same day i saw it again, other malvertising campaign (read: other actor bringing the traffic) and not dropped directly but as a 2nd Stage in a bedep thread which was not grabbing an adfraud module:Angler EK pushing bedep grabbing 791491ba9f0a7670659f45f1e5421c83 2015-09-22Seeing it again today in malvertising campaign focused on UK, I decided to write about that and contacted Brett StoneGross (Dell SecureWorks) to try and get the 'defense name' for this. He told me that what I was describing was probably Shifu ..and fast confirmed it looking at the sample. (Edit reaction to twitter : He also told me that Shifu is based on Shiz)So here we are: Shifu <3 GBRShifu <3 GBR2015-09-24Side note : Here are some of the DGA in case main domain stop working.Files : ShifuPackage_2015-09-24.zip Password : malwareContains : 4 fiddler, 1 pcap, 6 samples and 2 apache config folder (with injects).Thanks: Frank Ruiz (Foxit) and Brett StoneGross (Dell SecureWorks) for their inputs/insight/awesomeness.Read More:Shifu: ‘Masterful’ New Banking Trojan Is Attacking 14 Japanese Banks - 2015-08-31 - Limor Kessem - IBM X-ForceJapanese Banking Trojan Shifu Combines Malware Tools - 2015-09-24 - Diwakar Dinkar - McAfeePost publication Reading:3,000 High-Profile Japanese Sites Hit By Massive Malvertising Campaign  2015-09-30 - Trenmicro

Patched with flash version 18.0.0.232, CVE-2015-5560 is now being exploited by Angler EK.Angler EK :2015-08-29[Edit : 2015-09-01] Exploit candidated by by Anton Ivanov ( Kaspersky ) as CVE-2015-5560 [/edit]The exploit has been added the 28th. It's not being sent to Flash 18.0.0.232..It uses the same Diffie-Hellman Key Exchange technique described by FireEye as in their CVE-2015-2419 implementation making a default fiddler unreplayable.Angler EK pushing Bedep to Win7 IE11 Flash 18.0.0.209 - CVE-2015-55602015-08-29Sample in that pass : 9fbb043f63bb965a48582aa522cb1fd0Fiddler sent to VT (password is malware)Note: with help from G Data, a replayable fiddler is available. No public share (you know how to get it).Nuclear Pack :2015-09-10Additional post spotted on the 2015-09-10Nuclear Pack additionnal post on 2015-09-10 showing integration of CVE-2015-5560 was on the roadand got a first payload  the day after :Nuclear Pack successfully exploiting Flash 18.0.0.209 with CVE-2015-5560 (rip from Angler)2015-09-11( Out of topic payload : 91b76aaf6f7b93c667f685a86a7d68de  Smokebot C&C  hostnamessimply1.effers .com: )Files : Fiddler here (Password is malware)Read More :Adobe Flash: Overflow in ID3 Tag Parsing - 2015-06-12 Google Security ResearchThree bypasses and a fix for one of Flash's Vector.<*> mitigations - 2015-08-19 - Chris Evans - Google Project ZeroCVE-2015-2419 – Internet Explorer Double-Free in Angler EK  - 2015-08-10 - FireEyeBedep’s DGA: Trading Foreign Exchange for Malware Domains - 2015-04-21 - Dennis Schartz - Arbor SertPost publication reading :Attacking Diffie-Hellman protocol implementation in the Angler Exploit Kit - 2015-09-08 KasperskyAnalysis of Adobe Flash Player ID3 Tag Parsing Integer Overflow Vulnerability (CVE-2015-5560) - 2016-01-12 - Nahuel Riva - CoreSecurity

As published by FireEye Angler EK is now exploiting CVE-2015-2419 fixed with MS15-065Angler EK :2015-08-10It seems they might have started to work on that exploit as early as 2015-07-24 where some instances briefly used code to gather ScriptEngineVersion from redirected visitors :Angler EK gathering ScriptEngineVersion data the fast way.2015-07-24Today first pass i made was showing a new POST call and was successfully exploiting a VM that used to be safe to Angler.CVE-2015-2419 successfully exploiting IE11 in windows 72015-08-10(Here bedep grabbing Pony and TeslaCrypt then doing some AdFraud)I spent (too much 😉 ) time trying to decode that b value in the POST reply.Here are some materials :- The landing after first pass of decoding and with some comments : http://pastebin.com/JQuyAXarThe post call is handled by String['prototype']['jjd'] , ggg is sent to Post data as well as the ScriptEngineVersion (in the shared pass : 17728 )- The l() function handling the post : http://pastebin.com/hxZJwbaY- The post data and reply after first pass of decoding : http://pastebin.com/raw.php?i=NWkU7CXrFiles : 2 Fiddlers (ScriptEngineVersion Gathering and successfull pass - use malware as password)Thanks :Horgh_RCE for his helpMagnitude :2015-08-22( I am waiting for some strong confirmation on CVE-2015-2426 used as PrivEsc only here )Magnitude successfully exploiting CVE-2015-2419 to push an elevated (CVE-2015-2426) Cryptowall on IE11 in Win72015-08-22As you can see the CVE-2015-2419 is a RIP of Angler EK's implementation (even containing their XTea key, despite payload is in clear)Note : The CVE-2015-2426 seems to be used for privilege escalation onlyCryptowall dropped by Magnitude executed as NT Authority\system after CVE-2015-24262015-08-23and has been associated to flash Exploit as well.Pass showing the privilege escalation has been associated to flash Exploit as well.2015-08-23Files : CVE-2015-2419 pass (password: malware)CVE-2015-5122 pass featuring CVE-2015-2426 (password : malware)Thanks :Horgh_RCE , EKWatcher and Will Metcalf for their helpNuclear Pack:2015-08-23Nuclear Pack exploiting IE11 in Win7 with CVE-2015-2419 to push TeslaCrypt2015-08-23Files :  Fiddler (Password is malware)Neutrino :CVE Identification by Timo HirvonenNeutrino successfully exploiting CVE-2015-2419 on IE11 in Windows 72015-08-27(Out of topic payload : c7692ccd9e9984e23003bef3097f7746  Betabot)Files: Fiddler (Password is malware)RIG:2015-08-27RIG successfully exploiting CVE-2015-24192015-08-27(Out of topic payload : fe942226ea57054f1af01f2e78a2d306 Kelihos (kilo601)Files : Fiddler (password is malware)Hunter :2015-08-27@hunter_exploit 2015-08-26As spotted by Proofpoint Hunter EK has integrated CVE-2015-2419Hunter Exploit Kit successfully exploiting CVE-2015-24192015-08-27Files : Fiddler (password is malware)Kaixin :2016-01-08Files: Fiddler here (password is malware)( out of topic Payload : bb1fff88c3b86baa29176642dc5f278d firing PCRat/Gh0st ET rule 2016922 )Sundown :2016-07-06 - Thanks  Anton Ivanov (Kaspersky) for confirmationSundown successfully Exploiting CVE-2015-2419 - 2016-07-06cmd into wscript into Neutrino-ish named / RC4ed Payload let think this is a Rip from Neutrino implementation( Out of topic payload: bcb80b5925ead246729ca423b7dfb635 is a Netwire Rat )Files : Sundown_CVE-2015-2419_2016-07-06 (password is malware)Read More :Hunter Exploit Kit Targets Brazilian Banking Customers - 2015-08-27 - ProofpointCVE-2015-2419 – Internet Explorer Double-Free in Angler EK - 2015-08-10 - Sudeep Singh, Dan Caselden - FireEye2015-08-10 - ANGLER EK FROM 144.76.161.249 SENDS BEDEP This pass shared by Brad from Malware-Traffic-Analysis is including the CVE-2015-2419Generic bypass of next-gen intrusion / threat / breach detection systems - 2015-06-05 - Zoltan Balazs - EffitasPost publication Reading :Attacking Diffie-Hellman protocol implementation in the Angler Exploit Kit - 2015-09-08 Kaspersky

Patched with ms15-044 CVE-2015-1671 is described as TrueType Font Parsing Vulnerability.Silverlight up to 5.1.30514.0 are affected, but note : most browser will warn that the plugin is outdatedOut of date Plugin protection in Chrome 39.0.2171.71Out of date ActiveX controls blocking in Internet Explorer 11(introduced in August 2014)and also consider that Microsoft announced the end of Silverlight at beginning of the month.Angler EK :2015-07-21Around the 1st of July some new Silverlight focused code appeared in Angler EK landing.It even seems coders made some debug or something wrong as you could see this kind of popup several hours long on Angler EK.Deofuscated snipet of Silverlight call exposed to Victims in Angler EK2015-07-02I failed trying to get something else than a 0 size silverlight calls.I heard about filled calls from Eset and EKWatcher.The exploit sent was 3fff76bfe2084c454be64be7adff2b87  and appears to be a variation of CVE-2015-1671 (Silverlight 5 before 5.1.40416.00).  I spent hours trying to get a full exploit chain....No luck. Only 0size calls.But, it seems it's back today (or i get more lucky ? ) :--Disclaimer : many indicators are whispering it's the same variation of CVE-2015-1671, but I am still waiting for a strong confirmation--Silverlight 5.1.30514.0 exploited by Angler EK via CVE-2015-1671 in IE 11 on Windows 72015-07-21Silverlight 5.1_10411.0 exploited by Angler EK via CVE-2015-1671 in Chrome 39 on Windows 72015-07-21Silverlight 5.1.30514.0 exploited by Angler EK via CVE-2015-1671 in Firefox 38 on Windows 72015-07-21Two x86 - x64 dll are encoded in the payload stream with XTea Key : m0boo69biBjSmd3pSilverlight dll in DotPeek after Do4dotSample in those pass : ac05e093930662a2a2f4605f7afc52f2(Out of topic payload is bedep which then gather an adfraud module - you have the XTea key if you want to extract)Files: Fiddler (password is malware)[Edit : 2015-07-26, has been spread to all Angler Threads]Thanks for help/tips :Eset, Microsoft, Horgh_RCE,  Darien Huss, Will Metcalf, EKWatcher.Magnitude :2015-07-28  has been spotted by Will Metcalf in MagnitudeIt's a rip of Angler's oneSilverlight 5.1.30514.0 exploited by Magnitude2015-08-29Files: Fiddler (password is malware)Read more :CVE-2013-0074/3896 (Silverlight) integrates Exploit Kits - 2013-11-13