About Cheryl Biswas

Writer, reader, techie, Trekkie. InfoSec and political analyst. Keeping our world safe one byte at a time.

Avast AV & CCleaner Massive Malware Download: How to Help the End users


Screenshot of CCleaner from Talos Blog

Computers are hard. Ask the average user. They expect technology to serve their needs, not the other way around. Computers are supposed to be instant gratification, entertainment, making life easier, solving problems. They are not supposed to require much more effort than pressing the “on” key and typing. Anything else is our problem – we were supposed to build security in, right?

We talk increasingly about “the human condition” in tech and security, because more often than not, it is that path of least resistance. Attackers know how we succumb – hence phishing. We opt for free – but you really do only get what you pay for, and buyer beware. Convenience, immediacy, lowest price – these drive the standard of quality in our connected world. It explains the current abysmal state of the IoT. And as we know, we cannot keep doing what we have been doing because – say it with me – it just doesn’t work anymore.

So when things go wrong, which they have been on an almost daily basis it seems, we who are tech reach out to the end users and let them know that they have to do more: remove software, delete files, check for files, run scans. As anyone who has ever worked helpdesk or worked with end users knows, this is not an easy ask. Most people struggle with just setting up their ISP modem/routers. Never mind removing default passwords or enabling controls. People tend to be afraid of technology, because as humans, we are afraid of what we don’t know. So we are afraid of breaking things, just as we are afraid to ask for help. And face it, tech support has earned its reputation for good reason. People know when they are being made fun of, talked down to. We don’t make it easy for people to ask for help.

It doesn’t help that mega breaches and global ransomware outbreaks have been consistently in the headlines this past year. It’s enough to give anyone breach fatigue. And that’s what brings me to this. The talented team at Cisco Talos have issued a warning in their blog about a massive malware infection being spread by a tool, CCleaner 5.33, which has been shipping with a popular, often free, antivirus product, Avast. This is the statement according to Piriform, who owns CCleaner:

“An unauthorized modification of the CCleaner.exe binary resulted in an insertion of a two-stage backdoor capable of running code received from a remote IP address on affected systems.”

There are excellent technical write ups on this latest event and mine is not one of them. Initially, I saw the threat of securing third parties – we all know the perils of supply chain. But then, as I read through it, I realized I could read through it only after months of immersing myself, by choice, in infosec. Choosing to look up and learn what I did not already know (which is still a lot). The average user – that ain’t happening. They may read some of the articles that are more mainstream, but don’t bank on that either. Increasingly, end users are hitting the bar. Some are defeatist, saying they don’t care anymore, it’s pointless, what can they do anyway. Others believe in the power of the megacorps to protect them, so they follow whatever advice is given, like buying credit monitoring. Because that is easier than having to piece together a solution themselves on something they really know nothing about. And others prefer the head in the sand approach – Hear no evil, see no evil. I kid you not.

Some are lucky enough to have the money to pay a tech to fix the problem. Some have tech friends/family who can fix it for them. Most, however, are cast adrift on a sea of increasing peril, without life preservers. And even if we threw them a lifeline, we can’t expect they would be willing to take it. Trust goes both ways.

Before you make fun of the folks who chose Avast because it was free, here’s how I rationalized it years ago, before I arrived in InfoSec. I knew I needed to do something to secure my computer, and a free AV was better than nothing at all. Plus I could use it. And understand enough to use it, to scan. To pay attention if it alerted me. Maybe I even read a bit more to see that it suggested things I could do to clean up my computer and be safer. So, I would have downloaded CCleaner, which I have seen recommended in other places as a safe and free solution to optimizing my performance. And here’s the thing – I would have expected a known AV product, like Avast, would not be endorsing something harmful. Hence, I could trust CCleaner because I could trust Avast.

And Avast trusted CCleaner enough to promote and bundle them. To download them. So let’s look at that breakdown of trust. The researchers at Cisco Talos flagged a malicious executable file while doing some beta testing for their new product. That file happened to be the installer file for CCleaner v5.33. Now, that file was being delivered as downloads in good faith by legit CCleaner servers to millions of customers. It was legit because the appropriate digital certificate was issued to, and signed by, the main company, Piriform.

Enter the attackers. They had managed to intrude on this trustworthy process and include a free, unwelcome gift with the download. This was malware, a malicious payload with the ability to call back to the attackers’ command and control server, as well as being equipped with a DGA, or Domain Generation Algorithm – definitely not a good thing. Obfuscation is a thing. If you can’t find that someone was there, how do you know? And, without evidence or proof, trying to analyze this after the fact is problematic. The good news is there was a short window of release, from August 15 until the latest version, 5.34, was issued on September 12. In previous attacks I’ve seen, manipulation of digital certificates is often an indicator that compromise is deep, systemic even, and trust in the signing authority may have been misplaced. In this case, Cisco cites:

“the fact that the binary was digitally signed using a valid certificate issued to the software developer, it is likely that an external attacker compromised a portion of their development or build environment and leveraged that access to insert malware into the CCleaner build that was released and hosted by the organization. It is also possible that an insider with access to either the development or build environments within the organization intentionally included the malicious code or could have had an account (or similar) compromised which allowed an attacker to include the code”

Looking through the malware, Cisco found clues that the attacker tried to cover their tracks. Once the infection was in place, the program worked to erase its source data and the memory regions it inhabited. With the legit program now installed, the attacker has the ability to do as they wish in the machine they now occupy. Which means they can gather system information on the machine and send it back to their command and control server. With this link established, other malware could be sent to infect the compromised machines. Here is a high level view of what happens, as written by the Talos crew:

As for the DGA, if the key C+C server for the malware failed to respond, the program had a fallback to generate some other IP addresses using the DGA and DNS lookups. Here’s the good news. Talos used the algorithm and found that the domains it generated had not been registered. Acting on that, they registered them instead and sinkholed them to keep the attackers out. As well, the malicious version of CCleaner had been removed from the download servers.


What is of concern is how many people around the world apparently use CCleaner. As of today, Piriform is somewhat ambivalent in its claims of the number of users affected. Are they limited to only 32-bit Windows machines? If you go back to Aug 15, would almost 4 million users have downloaded the malware?


Talos advises that users need to either roll back to the previous version or install the new one. Which brings me to my earlier point about the human condition:

“according to the CCleaner download page, the free version of CCleaner does not provide automated updates, so this might be a manual process for affected users.”

The team at Talos is seeing a lot of DNS activity around machines trying to connect with those suspect domains that are no longer available. And the only reason can be that those machines are being controlled by malware. Worse, the malware is not being detected using current methods. So far as fixing things goes: if you currently are a Cisco customer then you are covered. As for the rest of us, sigh. We have work to do. Uninstalling will not remove the malware. That is left to you. If you have a full backup of your system (and in this age of ransomware you really, really need one), you can restore from that. Otherwise, I suggest using Malwarebytes.

http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html

https://techcrunch.com/2017/09/18/avast-reckons-ccleaner-malware-infected-2-27m-users/


Equifax: WTF

Sorry. I waited to weigh in on the “dumpster fire” (credit to Brian Krebs) that is the Equifax breach because I wanted to see if those impacted expand beyond the US. They do. If it was Apache Struts. It was. And if things got worse. Don’t cry for me Argentina, but they just did.

How do you say I’m sorry for losing the confidential data of 143 million people who are your customers? You don’t. Certainly not if you are Equifax, one of the three largest bureaus for credit reports on consumers globally. You make them wait. And then, you sell them a half-baked service to fix the problem you made. The site known as equifaxsecurity2017.com (sorry – not linking it here) is, in the words of Brian Krebs, “completely broken at best, and little more than a stalling tactic or sham at worst”. It was flagged as a phishing site, and provided inconsistent responses.

And help comes with big strings. The offer for a year of free credit monitoring by the same firm that f*cked up in the first place has some dual-edged fine print to absolve Equifax of their responsibilities, originally stating that those who consent forfeit their rights to participate in or launch a class action suit, or receive any benefits from a suit. They have since amended the injurious clause (see – I can speak legal too!) to say it “does not apply to this cybersecurity incident.” Insult to injury is that victims would have to pay for all the subsequent years of credit monitoring. Freezing your credit is far cheaper, and effective.

We should be worried. Over 200K Visa and Mastercard holders are at risk of fraudulent purchases at the least because attackers have their account numbers, expiration dates and cardholder names.

Now, let’s talk about “Apache Struts”. Which has been flagged three times this year. Struts is hard to patch because it requires more migration and a lot more testing, which is impact and cost to business, but it happens to be used in over 60% of corporations on their major web server applications. There was a massive critical patch alert issued back around March for a zero day being actively exploited. Zero day means you’re not ready to fix it but attackers are ready to move. Guess what? The Struts flaw was unpatched back in May, when the attackers hit.

Jeff Williams, co-founder and CTO of Contrast Security, explained the severity of this flaw, which allows attackers to take over a web host with just one HTTP request.

“This vulnerability was scored CVSS 10/10 – the highest rating. Within hours of the disclosure, we started seeing widespread automated attacks attempting to exploit this vulnerability. Those attacks are still ongoing…Essentially, an attacker could send a single HTTP request – just like the ones your browser sends – except with a specially crafted header that contains the attack.”

And then there is what happened in Argentina. Earlier this week, it was reported by investigators who were looking into the risk to Argentina that “an online portal designed to let Equifax employees in Argentina manage credit report disputes from consumers in that country was wide open, protected by perhaps the most easy-to-guess password combination ever: ‘admin/admin.’” I can’t even. The good news is that they took the portal down after Krebs gave them a call.

Do I sound bitter? Sorry not sorry. And so far, I am not one of the confirmed compromised. But oh, I am waiting for that shoe to drop. It has taken a ridiculous length of time for anyone in authority in Canada to address this. I get that we are polite to the point of complacency, but come on! On Thursday our privacy commissioner, Daniel Therrien, finally stepped in, claiming he had learned via complaints and the press, not from the source. The US has more regulations on credit reporting agencies than we have in Canada, where they are regulated by individual provinces and territories. According to Tamir Israel, who is a staff lawyer with the Canadian Internet Policy and Public Interest Clinic in Ottawa, “because of that mismatch, it falls through the cracks a little”. Per an article by Nestor Arellano in IT Canada Online:

“We have advised Equifax to provide information to affected Canadians as soon as possible and we expect the company to adopt measures to help affected Canadians,” Therrien said. “…Our office is urging Equifax to find a solution to permit Canadians to find out if they are affected as soon as possible.”

Now there is a full-on call for an investigation. Meanwhile, the Canadian Automobile Association has informed 10,000 of its members they are at risk. Per Ian Jack, CAA managing director of communications and government relations, the information of those Canadian members who signed up for the identity protection program was stored with – wait for it – Equifax USA. That would be the sound of the other shoe dropping.

But wait – there is a happy-ish ending. News is just being released that both the CIO, David Webb, and CSO, Susan Mauldin, of Equifax are retiring. Immediately. That’s the first good news we’ve had.

https://krebsonsecurity.com/2017/09/equifax-hackers-stole-200k-credit-card-accounts-in-one-fell-swoop/

https://krebsonsecurity.com/2017/09/ayuda-help-equifax-has-my-data/

https://krebsonsecurity.com/2017/09/equifax-breach-response-turns-dumpster-fire/

http://itincanadaonline.ca/index.php/security/2273-equifax-blames-apache-vulnerability-canada-s-privacy-chief-weighs-in-on-breach

https://www.programmableweb.com/news/how-not-to-be-next-equifax/analysis/2017/09/08

http://www.ctvnews.ca/business/caa-says-10-000-consumers-could-be-equifax-hack-victims-1.3589848

https://www.darkreading.com/threat-intelligence/equifax-cio-cso-step-down/d/d-id/1329907

https://www.darkreading.com/attacks-breaches/ftc-opens-probe-into-equifax-data-breach/d/d-id/1329889?piddl_msgid=329384#msg_329384


A Hunting We Will Go

This weekend, in my midnight forays on Twitter (I do sleep, just not when you think I do), I discovered these graphs. As they say, a picture is worth a thousand words. These are worth far more because they visually represent high-level concepts on attackers and hunting. All credit goes to Jack Crook @jackr on Twitter, whose site is findingbad.blogspot.com. We know how this game is played, that the attackers have been living in our networks far longer than we realized. Defence isn’t passive. It can’t be. We need to be actively monitoring all the things. We need to be expanding the Cyber Kill Chain past the perimeter and into the depths of our realm, to play this game of cat and mouse.

I’ve been pursuing my love of threat intel over these past months, and shared my learnings via talks at my local DC416 chapter, and then – fireworks and music – at Wall of Sheep at Defcon this year. OMG! Reading Jack’s work just fires up my urge to learn more, and these depictions show what I want to say so very well.

“Enumeration”. Per Jack:

Enumeration is an attacker need. They need to know where they are, where they can go, where’s the data they’re after.

“Credentials”. Jack says:

Attackers need credentials if they’re going to move laterally within your network. Here are some ideas to go digging for.

“Powershell”. Jack adds:

Here are some additional things to think about when looking at Powershell.

And I saved the best for last! How will they execute?

Process execution is an attacker need. There are opportunities for developing creative ways to find when malicious.

Thank you, Jack, for sharing this wisdom. And thank you for reading!

Gone

Someone I love is gone. Depression claimed another star from our infosec universe. He was funny, brilliant, so very special. There was so much more to him than most will ever know. I will forever be glad for what we shared. But now there is only grief, loss and pain increasing with each moment as the reality takes hold. Please make it not be true.

Live from Vegas! Hacker Summer Camp is this Week!

3 cons. 4 talks. No sleep. Lol. Well I did get some finally. It has been a whirlwind and I love it. Every glorious second!

BSidesLV has been the best yet. 3rd year for me. Volunteered as speaker liaison, which I love because I give talks. It’s about helping them feel more confident, ready to step up and own that moment. I also had the early bird shift in the lobby as greeter. Since I am a morning person, 6:00 a.m. Vegas time was fine with me. Besides, you can’t beat watching the sun come up over the desert hills.

I was a mentor to a terrific speaker. BSides has the Proving Grounds track to encourage and enable folks to give talks. It’s how I got started, and I will forever be grateful. And mentoring is mutually rewarding. I’ll do a separate post on it because I think it’s so vital. My mentee, Karolyn Bachelor, gave a great talk on how to ask the right questions for the right answers. Way to go! I’ll post links. And my other mentee from home, Nitha Suresh, gave her first talk at Proving Grounds as well. I am thrilled for both of them!


And I had fun again this year, giving my talk in the Underground Track, picking up where I left off last year on How to Rob a Bank. This year was “Banking on Insecurity”, because the hits just keep on coming. The room was packed and my opening line went something like “Holy sh*t!” lol! We had lots of interactions and laughs about some very serious and even controversial topics in the realm of finsec and cyber security. Honestly, it was better than I could have wished for!

Now, I have two full days ahead of the little con that could. The Diana Initiative is about encouraging, empowering and supporting women in InfoSec and Tech. It rose from the ashes of what was TiaraCon, of which we will say no more. This event comes from the heart, and what I will say is that we were so moved by the belief in what we were doing by the attendees from last year. Failure was not an option. There were people counting on us to deliver and we have made it happen. Oh my god, this community and their support is amazing. Truly. I am grateful beyond words for the generosity shown. And being part of this extraordinary team, who pulled together, gave up sleep, work, life to make this happen – I am so blessed. Resilience. Strength. Determination. We are gonna change some lives, make a difference and have a great time doing it. The Diana Initiative – this Con is on!

Book Club: Defensive Security Handbook Chapter 1

Welcome! To recap. We’ll be working through this book together to learn and grow our Blue team skills. Cuz the best offence can be a proactive defence. This book is a fantastic resource, especially for those who are starting out, or need a good overall reference. Based on my real-world experience, I believe it should be a desk reference, and part of any security curriculum. I am going to go on Amazon and say that, in fact!

Now. Chapter 1: Creating a Security Program. That does not just magically happen. And yet, we really wish it could, because everyone needs a good security program in place. If you’ve ever tried to clean your kid’s room, you’ll understand how daunting this can be. Where do you begin? Well, as our insightful authors Amanda and Lee point out, we don’t need to reinvent the wheel. They’re right. They refer to the NIST framework, which I can tell you I get to use on an almost daily basis when doing security audits (let’s not go there, ok?). You want to work from best practices, existing and proven standards that are used to hold organizations accountable, i.e. compliance standards. Good news! Amanda and Lee will take us through all that fun in Chapter 8.

So Point 1: Have the right team in place. You need the right people in the right role to make the right decision. The book recommends establishing 4 main teams: Executive, Risk, Security and Audit. I will tell you from experience that if you don’t have Exec buy-in from the get go, you will find yourself spinning your wheels. How do you get that? Speak to the suits in their love language – Risk. And you need Audit to bring the flowers & chocolates to their door. And yes – this is from my daily reality. Plus, audit lets you put everything down, and organize it, which makes it easier to track things, and reorganize things. Because you cannot secure what you don’t know.

Point 2: Set a Baseline. I love talking about threat intel (holding back – self-control) and how to make it relevant. This is how you make it relevant. What’s your normal? That’s your baseline. Because how else will you know something went bump in the night? The attackers are wery wery quiet. And believe me, they are in your network like those darn carpenter ants are in the woodwork. So this will be a fact gathering mission, and you want to do it well, plus set it up with automation, and updates. Since Asset mgmt is the next chapter, we’ll leave that alone for now.

Point 3: Threat/Risk Assessment. This is challenging, and a learning process for those starting out. The concept of risk and being able to articulate it to business is way hard, I’ll be honest, and I am very good with words. What we in security think is a threat has to be explained in terms relevant to the organization we serve. That’s the crux right there. It’s not what we think so much as what they understand. And true – unless it negatively impacts the organization’s bottom line or existence, then even if we think it is a risk, it isn’t. So, you need a parlay with the suits to know how the organization is defined in terms of threat and risk. Then, when Patch Tuesday comes, you can look at what is critical and determine if that is critical to your organization and why, as you justify the need to make adjustments to your regular patching cycle (real world). 4-step process: Assess, Mitigate, Monitor, Prioritize.

Point 4: Practice and Prepare. Are you as ready as you think? So, I like to talk about why everyone, everyone needs a good Disaster Recovery/Business Continuity plan in place. And that means one that has been tested, so that people know how it works, and how they work with it. Let your inner kid come out for this because you need to play “What If” to do this right. There are things called Tabletop Drills that are so good, especially for addressing ransomware and DDoS scenarios. Or Sharknado. Lol! As stated in the book, “testing of tabletop exercises and drills can serve as a proof of concept”. Amanda and Lee are right on the money by stipulating you need participants from across the org like HR, Legal, Marketing, Finance etc. In fact, they provide such a good explanation you should be able to go do one.

Now, I love that the book has used a great tool, the Intrusion Kill Chain, to explain how to think through an event scenario. I happen to be a HUGE fan of the Cyber Kill Chain (Lockheed Martin), the extended cyber kill chain, and the ATT&CK matrix by MITRE.

Point 5: Learn and Grow. The chapter finishes by encouraging us to expand our knowledge and skills through home labs and projects, CTFs, conferences and mentoring. I have done all of these and YES! It’s not hard to do and so rewarding you’ll want to make time. Because my friends, learning never stops in InfoSec. To paraphrase the wise and wonderful Leslie Carhart aka @hacksforpancakes (on the July 11 Down the Security Rabbithole podcast) “It never stops. This job never stops. And if you want to be good at it, if you really want to be good at it, you can’t stop.”

Because it’s not just what we do, it’s so much about who we are. Til next time!


Blue Team FTW!

Time to do some learning. There are things we can be doing better. Things we can be doing right. And with the help of two very good friends, Amanda Berlin and Lee Brotherston, we are going to batten down these hatches and secure the *&$@ out of our fortresses.

As stated in the Foreword, “the red teams get all the glory.” And it’s true. For blue teams it feels lonely and unappreciated, but there is so much truth in this:

“Doing defense is a vital, noble and worthwhile pursuit”

It’s easy to get turned around by hype. We follow the direction the noise is coming from, and tbh vendors make a lot of noise. What we need to do, and have known for so long, is not to be dazzled by the shiny, blinky boxes. As so well said by Andrew Kalat:

Security Vendors will often define the problem set as the problem they can solve with their technology, not necessarily the problem an organization actually has.

So here’s to taking a more holistic view, as this excellent guide advocates, and understanding how all the pieces need to work for this particular machine. We’ll share Chapter 1 next.