
RSA 2017: Microsoft Word Intruders step outside Office for the first time

This is the last instalment of a four-part series about SophosLabs’ 2017 malware forecast, released this week at RSA Conference in San Francisco. Part 1 looked at malware targeting Linux and Internet-of-things (IoT) devices. Part 2 examined malware targeting Android. Part 3 was about malware designed for macOS. Today we look at Windows-based threats. Special thanks to SophosLabs researchers Gábor Szappanos, Michael Wood and Richard Cohen for contributing the research for this part.

Though much of this report has focused on malware directed at platforms where the risks are often not as well understood – specifically Linux, macOS and Android devices – there’s no doubt that Windows remains the largest battlefield for attackers.

SophosLabs has paid particular attention of late to Microsoft Word Intruder (MWI), one of the best known Office exploit builders and certainly one of the most popular among cybercrime groups.

Based on what SophosLabs saw in 2016, MWI is undergoing continuous tweaks to expand the target range.

Beyond the Office

The author of this kit keeps updating the product. The most frequent updates are geared toward avoiding AV detections, but from time to time new exploits are added to the kit. Having new exploits increases the chance of successfully infecting targets. The newer the exploit, the greater the chance that the vulnerability has not been fixed yet.

Traditionally, MWI has used popular Microsoft Office exploits to get at its victims.

But the latest update, released some time around the beginning of August, adds a new twist: for the first time in the history of MWI, a non-Office exploit was added.

Specifically, the exploit targeted vulnerabilities in Adobe Flash Player described in CVE-2016-4117. The same exploit was added to major exploit kits such as Angler, Neutrino and Magnitude in May 2016. In one scenario, a vulnerable Flash object was embedded in a Rich Text Format document. An outer Flash layer would decrypt the inner layer (stored in a DefineBinaryData tag inside the object) and then load it.

This method was used by the once popular Angler Exploit Kit and it’s reasonable to assume that the author of MWI took the idea from there.

Payload

We identified a handful of documents generated with the new version of MWI. Most of them dropped Swrort, a simple backdoor that makes it possible to download and execute external programs, or to execute commands and PowerShell scripts.

The other malware in some of the delivered payloads was Latentbot, a highly encrypted bot. For the Latentbot infections, there were only a few infected endpoints, mostly in the USA, UK and China, as the map below shows:

[Figure: map of Latentbot-infected endpoints, mostly in the USA, UK and China]

SophosLabs will continue to watch for additional mutations of MWI. Now that its toolbox has expanded beyond Office, 2017 could prove interesting.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/p0is2IeY_XE/

Fallen for a fake Twitter account? Here’s how to spot them

On Tuesday, a fake Twitter account purportedly belonging to the retired Lieutenant General Michael Flynn, who had resigned from his position as US national security adviser the night before, hoodwinked not only the New York Times and other media outlets, but also House Minority Leader Nancy Pelosi and Congressman Elijah Cummings.

During a news conference on Tuesday, both politicians cited the fake Twitter account’s post about being made a scapegoat:

It’s not hard to see how they might have been fooled: Flynn’s official account had been offline as of the beginning of February, according to the Washington Post.

The fake Flynn account indicated in its bio that it was a parody account, but it’s easy to miss bios… particularly when the spoof account in question maintains a positive tone about the administration, as you might imagine the real Flynn would do.

As Mashable reports, the verified account of the real Flynn seems to have reappeared on Tuesday, bearing the little blue “verified” badge with a white tick in the center that appears on the accounts that Twitter has determined are of public interest.

It’s a lot easier to spot the difference when you put a verified account next to a non-verified account – verified accounts rank higher in Twitter’s search results, for one thing. But when the verified account has been taken offline, it leaves a vacuum for the fakers to step in and steal the limelight without much effort.

How to spot a fake Twitter account

Is it verified?

In a FAQ on its verified accounts, Twitter says that, typically, verified accounts belong to users in music, acting, fashion, government, politics, religion, journalism, media, sports, business and more, be they brands or individuals.

If you see the badge next to a tweet from an account with Donald Trump’s name, for example, it’s reasonable to assume it’s from the president.

Why “reasonable” instead of “certain”? Because Twitter has been bamboozled in the past. In 2012, Twitter slipped up and verified the wrong Wendi Deng, then Wendi Deng Murdoch, wife of Rupert Murdoch. @Wendi_Deng, a parody account, got the blue badge, but @WendiDeng was actually the real deal. The mistake boiled down to a simple copyediting glitch.

What complicates matters is that Twitter limits its use of the verification check mark. Just because an account lacks a verification badge doesn’t mean it’s a fake or a spoof. Lesser known people, even if they’re of public interest, might not have been in the public eye long enough to get verified, for example.

When was it created?

As the Washington Post notes, the fake Flynn account was created a day after the authentic @GenFlynn went offline. Suspicious timing, eh? The creation date can be helpful in spotting bogus accounts, particularly when they’re created at the same time as major news breaks about whatever parodied/spoofed person they’re based on.

Check out the account’s tweet history

A spoofed account may have slapped a picture of whoever it’s pretending to be on its profile. It also may have changed the name and biography details of an existing account.

To get to a given account’s true genesis, there’s an easy way to search for its first tweet: just go to #FirstTweet and enter the account name.

That will help you unravel the history of an account such as NotAltWorld, which says it’s “The #Resistance team against #AltFacts #FauxNews #FauxScience Formerly: Unofficial National Park Service #Science #Climate #Facts Run by non-gov individuals.”

That might all be true, but if you search on the account’s first tweet, you’ll see that it appeared in 2015 and is concerned with the Scottish election. So perhaps an account that had nothing to do with the recent alt accounts got repurposed by protestors, or … well, who knows?

Searching #FirstTweet on the fake Flynn account doesn’t reveal odd shifts in focus like that – it’s been consistent in tone since its inception – but it does reveal that it was created at a time when the world’s attention was focused on Mike Flynn and on a date that the general’s official Twitter account was offline: February 1.

Another way to get at earlier tweets is to use Twitter’s search tool. You can input a search string to get at a specific date range, like so, substituting the account name and the date you want to search up to in this string: from:LisaVaas until:2017-02-17.

Type in the name yourself

Lookalike account names are easy, given that the lowercase letter “l” is so easy to mistake for the figure “1” or the uppercase letter “I” in a sans serif font. The Washington Post notes that out of this list, only the first account is for the president, whereas the others are all just look-alikes:

  • @RealDonaldTrump
  • @ReaIDonaldTrump
  • @ReaIDonaIdTrump
  • @RealDonaIdTrump

You can avoid falling for the fakers by typing in the name yourself, though you do, of course, have to watch out for typos.
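Added example (not from the article): a small Python check that folds the confusable glyphs the article names (lowercase “l”, uppercase “I”, the digit “1”, plus the O/0 pair as an added assumption) into one canonical form, so look-alike handles collide with the genuine one and can be flagged. The handle list is the one quoted from the Washington Post above.

```python
import unicodedata

# Glyphs that are easy to confuse in a sans-serif font. l/I/1 are the ones the
# article calls out; the O/o/0 group is an added assumption of the same kind.
CONFUSABLES = {
    "l": "1", "I": "1", "1": "1", "|": "1",
    "O": "0", "o": "0", "0": "0",
}


def skeleton(handle: str) -> str:
    """Reduce a handle to a case-insensitive 'skeleton' in which each confusable
    glyph is replaced by one canonical character, so look-alikes compare equal."""
    name = unicodedata.normalize("NFKC", handle.lstrip("@"))  # fold full-width forms
    return "".join(CONFUSABLES.get(ch, ch.lower()) for ch in name)


def lookalikes(candidates, genuine):
    """Return the candidates that look like `genuine` but are not the same handle
    (Twitter handles are case-insensitive, so case alone is not a difference)."""
    target = skeleton(genuine)
    real = genuine.lstrip("@").lower()
    return [c for c in candidates
            if skeleton(c) == target and c.lstrip("@").lower() != real]


def differences(candidate, genuine):
    """Positions at which the candidate's glyph differs from the genuine handle's,
    as (index, candidate_glyph, genuine_glyph), to show the user what was swapped."""
    a, b = candidate.lstrip("@"), genuine.lstrip("@")
    return [(i, x, y) for i, (x, y) in enumerate(zip(a, b)) if x != y]


if __name__ == "__main__":
    # The list from the article: only the first is the president's account.
    seen = ["@RealDonaldTrump", "@ReaIDonaldTrump", "@ReaIDonaIdTrump", "@RealDonaIdTrump"]
    for fake in lookalikes(seen, "@RealDonaldTrump"):
        print(fake, differences(fake, "@RealDonaldTrump"))
```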


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/yUINQK7GFhQ/

Retailers push back against plans to boost security of online shopping

The European Union is set to insist on better security for online purchases, but a number of retailers are digging their heels in.

The idea, which comes from the London-based European Banking Authority, consists of urging extra security for purchases over €10, such as a user-selected passcode number. Computer Business Review is among the publications suggesting that retailers believe any extra steps in a purchase process would reduce the amount of sales actually made.

Visa Europe, for example, conducted a survey that suggested €11.2bn a year in online sales, some 2% of the whole market, would be put at risk. It also found that 61% of customers would abandon a purchase if there were an extra step involved.

One of our retail contacts, Cath D’Arcy, proprietor of online jeweller Corazon Latino, queried whether a user-generated passcode would be effective. She told us:

They are suggesting a personal ‘Pin number’ be input. However, [the] Verified by Visa/MasterCard SecureCode [schemes] already request a personal password, so if there is already a piece of data required that is only in the head of the legal card owner, why would a second make a difference?

She welcomed the idea of additional security, however, as long as it would work sensibly. She pointed out that when a fraudulent transaction happens it’s the trader who ultimately pays for the refund rather than the banks, and smaller companies in particular will suffer. Lost sales are a non-issue if you put in the manpower, she says:

There will be some lost sales as we saw when we implemented the Verified by Visa/MasterCard SecureCard [scheme]. Not because people are put off, but because people forget their password and simply can’t complete the purchase.

In our case we followed up all failures, as they show in our system as orders with pending payments if they get that far, with a call and were able to verify the person and take a card payment over the phone. Big companies would probably lose these sales as they would not invest the manpower in the follow-up.

The European Banking Authority has been gathering feedback and has said it will put solid proposals forward by the end of the month.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/wCmolUTxh-A/

Former NSA techies raise $8m for their data governance startup

Immuta, a data governance startup run by former US National Security Agency technicians, has announced the conclusion of its Series A funding round, pulling in $8m.

The funding round was led by Drive Capital – whose partner Andy Jenks has been given a board seat – with participation from Greycroft Partners and Conversion Capital. It brings the company to $9.5m in total funding.

Headquartered a short drive away from NSA offices in Fort Meade, Maryland, Immuta currently has 21 employees and is based in College Park. It was officially founded in October 2014, and first went to market in the summer of 2015.

Talking to The Register, Immuta CEO Matthew Carroll said the company aimed to answer the question: “How do you have an environment in which to give data scientists the freedom to do what you want them to do, but also keep them in check?”

Using Immuta, data scientists can create regulated and compliant data sandbox environments that combine disparate data sources from within and across organizations. The business claims that it “supports every major structured and unstructured data source, on premises or in the cloud, including Amazon S3, SQL, NoSQL and Hadoop.”

Regardless of that source, Immuta’s platform virtualizes the data to protect its integrity, and as a layer between the end user and the source, allows data owners to expose that data with discretion, also enabling data scientists to experiment with it without being concerned of their access rights.

Neither Carroll nor CTO Steve Touw would go into much detail about their work at the NSA, but said “a lot of what we’re doing now is based on lessons we’ve learned” from the “trials and tribulations in government” following the Snowden revelations.

Although customers in the public sector haven’t been announced, they are stated to “include global financial institutions, telecommunications companies, and national security organizations,” as well as case study user General Electric.

The startup’s commitment to government governance is visible in its origins and in the early hire of a “chief privacy officer and legal engineer” in the form of Andrew Burt, who formerly served in the FBI as special advisor for policy to the assistant director of the Fed’s cyber division.

“Immuta is solving one of the most acute problems that is stifling innovation at large, highly regulated enterprises. They have the teams, and the technology, but data access and usage regulations are holding back innovation,” said Jenks. “We invested in Immuta because their team and technology are bar none the best in the business.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/02/16/immuta_nsa_tech_data_regulation/

F-Secure buys industrial control security firm

F-Secure has acquired hardware and embedded system security firm Inverse Path. Financial terms of the deal, announced on Thursday, were undisclosed.

Inverse Path provides focused hardware security technology to specialist sectors including automotive, avionics and industrial control, as well as traditional software applications. It sells to both mid-market and Fortune 500 companies.

Jens Thonke, executive vice president, cyber security services at F-Secure, said the acquisition of Inverse Path will help it grow its consultancy business.

“As part of our comprehensive portfolio, we offer a vast range of cyber security services, such as red teaming, risk assessments, vulnerability management, incident response and forensics,” Thonke said. “Inverse Path’s expertise is the perfect fit for our fast growing consultancy business.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/02/16/fsecure_inverse_path/

Haven’t deleted your Yahoo account yet? There’s a new forged cookie hack risk

Yahoo! has issued a new warning of potentially malicious activity in user accounts.

Hackers used forged cookies to access users’ accounts without a password between 2015 and 2016.

Last September, Yahoo! admitted that the personal data of more than 500 million users might have been stolen by hackers. Three months later, in December, it admitted that a separate breach in 2013 might have exposed the account credentials of one billion users. Yahoo!‘s security controls and its incident response handling have been the focus of intense criticism from third-party security experts, which has continued on in the wake of the latest revelations.

Chris Boyd, malware intelligence analyst at Malwarebytes, said: “It’s fair to say that many Yahoo! users must already be feeling ‘incident fatigue’, given the frequency with which these stories seem to crop up. The sense of confusion – ‘Haven’t I heard about this one and taken steps already?’ – can lead to people becoming complacent with regards to updating logins, or worse, simply not bothering to shore up defences.

“It’s essential all Yahoo users roll up their sleeves and continue to use secure passwords and enable two-step verification. While this clearly won’t save them in all circumstances, it is still certainly better than nothing,” he added.

Tony Pepper, chief exec and co-founder of data security company Egress, said: “Yahoo has clearly been under systematic attack for quite some time and, aside from questions about its historic ability – or lack thereof – to spot breaches, this incident raises a whole host of concerns about the state of data security in general.

“The fact that the hackers were able to access accounts without the need for passwords is a serious issue. We routinely rely on passwords to protect our data and privacy, and red flags are now being raised. Consumers and businesses alike must be encouraged to turn on things like two-factor authentication wherever possible and keep a close eye on their accounts,” he added.

Jason Hart, CTO of data protection at Gemalto, commented: “While it is ‘news’ that Yahoo is making another announcement about a breach, it shouldn’t be surprising. Opt-in security is not an option in this day and age.

“The company recommended that users consider adopting its Yahoo Account Key, an authentication tool that eliminates the need for a password. However, tools like this only work if the user remembers to activate them. Given the current security climate, all companies should have multi-factor authentication activated by default for all online accounts,” he added.

Andy Norton, risk officer EMEA at endpoint protection company SentinelOne, said: “Yahoo said in its announcement that an ongoing forensic investigation suspects that the attacker had access to proprietary code to learn how to forge cookies. This would show new behaviours other than just stealing user databases; the attackers have also looked at alternative methods to infiltrate Yahoo users’ accounts.”

“Yahoo – and other email providers – would be a target if they are providing services to regime dissidents or investigative journalists – essentially any user who poses a perceived threat to a current regime,” he added. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/02/16/yahoo_forged_cookie_hack_risk/

ITU ponders whether blockchain belongs in its security standards

The International Telecommunication Union has decided the time has come to consider whether blockchain deserves its attention, so that it can be considered for future security standards.

Study Group 17 of the Union’s Standardization Sector (ITU-T), which is dedicated to security, has scheduled a workshop in March to “examine blockchain’s potential to build trust into a wider variety of our interactions online”.

The meeting has been slotted in before a week-long gabfest that will consider SG 17’s many efforts to create security standards for things like secure operations of voice-over-LTE networks, or lifecycle management of e-commerce business data. So there’s every chance the meeting will attract a decent crowd of serious security wonks.

Among the aims of the blockchain meeting are:

  • Provide a platform to share findings and for dialogue on policy and regulatory implications of blockchain between enterprises working on blockchain applications and regulators from various industrial-/economic sectors;
  • Identify potential items that SG17 needs to analyze or review in the future, and
  • Identify stakeholders with whom SG17 could collaborate further on and potential collective action and specific next steps to advance.

That’s a long way from the ITU baking blockchain into a standard. But merely organising the meeting it is also surely a sign that the organisation takes blockchain seriously and is open to the possibility it could be useful. And that’s a decent step forward. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/02/16/itu_investigates_blockchain/

Crypto-curious? Wickr’s opened its kimono for code review

Ephemeral messaging application Wickr has opened up the core crypto software of its Wickr Professional app so others can review it.

The repository is at GitHub.

At this stage, the company is not offering the code for re-use. It’s published under a purpose-written “review license” only, although the company says an open-source release under the GNU licence is on the cards.

So what’s in the box, so to speak?

To avoid single-library dependencies, the company says it’s organised Wickr Professional to expose its security primitives in an “organised and generic” way.

In other words, while the app uses OpenSSL 1.0.2, other libraries could be supported. Supported OpenSSL primitives include AES-256 (GCM and CTR modes); SHA-256 through SHA-512; various elliptic-curve Diffie-Hellman flavours; scrypt and bcrypt; HMAC (keyed-Hash Message Authentication Code) and the HMAC-based Extract-and-Expand Key Derivation Function (HKDF).

As described in this white paper, the protocol provides:

As well as the crypto module, the other key pieces of the application’s architecture are the protocol itself (the low-level implementation that encodes and decodes encrypted messages); and “Context”.

Context provides, as Wickr explains, a “high level interface for managing an endpoint that can send and receive encrypted message packets” – which is how client front-ends integrate with the crypto library.

The protocol is also extensible, so in the future it could support non-text file content like file transfers, audio, and video.

Announcing the publication of the software, CEO Joel Wallenstrom adds that Wickr has added Austrian crypto-boffin Joël Alwen (of that country’s Institute of Science and Technology) to its team. Alwen first came to El Reg’s attention more than a decade ago, when he worked with an Electronic Frontier Foundation team to decode the dot patterns that identified laser printers for spooks.

Wallenstrom says both the crypto source code and the white paper have already had an independent review: “I want to thank Whitfield Diffie, Paul Kocher, Dan Kaminsky, Adam Shostack, Scott Stender, and Jesse Burns for their insightful feedback and invaluable advice.”

Wickr’s not the first secure messaging app to allow this kind of review: rival Signal released its code in November 2016. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/02/16/cryptocurious_wickrs_opened_its_kimono_for_code_review/

Revealed: Web servers used by disk-nuking Shamoon cyberweapon

A detailed analysis of the Shamoon malware – which is playing a huge role in the cyberwar between Saudi Arabia and Iran – has identified servers used to spread the software nasty.

Shamoon surfaced in 2012 when it infected 30,000 workstations in the world’s largest oil production firm, Saudi Aramco, wiped their hard drives, and put the giant into panic mode. Since then the malware has been refined, and attacks have continued on high-value Saudi government and industry targets as late as last month.

Now researchers at IBM’s X-Force Incident Response and Intelligence Services (IRIS) team think they have cracked the propagation techniques used by the malware operators. They may know how they get it onto systems, giving IT managers a good chance of spotting whether they have an infection problem before the data-destroying part of the software is unleashed.

The attackers first spam out emails to staff in the target company, impersonating a trusted person and bearing a Word document marked as a resume, health insurance paperwork, or password policy guidelines. For example, the messages may appear to come from IT Worx, an Egyptian software company, or from Saudi Arabia’s Ministry of Commerce and Investment.

If opened, a macro within the document executes two PowerShell scripts. The first script downloads and executes another PowerShell script from 139.59.46.154:3485/eiloShaegae1 via HTTP. The second script creates a memory buffer using the VirtualAlloc API call, fetches shellcode from 45.76.128.165:4443/0w0O6 via HTTP, copies it into the buffer, and executes the code using CreateThread. This thread then creates another buffer, fills it with a PowerShell script from 45.76.128.165:4443/0w0O6 via HTTP, and runs that, too.

“Based on observations associated with the malicious document, we observed subsequent shell sessions probably associated with Metasploit’s Meterpreter that enabled deployment of additional tools and malware preceding deployment of three Shamoon-related files: ntertmgr32.exe, ntertmgr64.exe and vdsk911.sys,” IBM reports.

The team also identified two web domains used to host malicious executables and used by Shamoon’s masterminds to carry out their attacks. Ntg-sa.com mimics the ntg.sa.com domain of Saudi petrochemical support firm Namer Trading Group and maps-modon.club is similar to the Saudi Industrial Property Authority’s maps.modon.gov.sa domain.

IBM advises blocking connections to and from these domains and the aforementioned IP addresses as a first priority and doing a network scan to see if there are users who are infected by the malware. Typically the attackers use these infected machines for reconnaissance and credentials stealing before deploying the main Shamoon payload.
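Added example (not IBM’s or the article’s code): a Python scan over constructed squid-style proxy log lines that flags clients talking to the two IP addresses and two domains quoted above, and applies a look-alike heuristic for the dot-to-hyphen swaps the article describes (ntg-sa.com for ntg.sa.com, maps-modon.club for maps.modon.gov.sa). The log lines, the log layout and the heuristic are assumptions.

```python
import re
from urllib.parse import urlsplit

# Indicators quoted in the article from IBM X-Force IRIS's report.
IOC_HOSTS = {"139.59.46.154", "45.76.128.165", "ntg-sa.com", "maps-modon.club"}
# Legitimate Saudi domains the article says the attackers mimicked.
PROTECTED = {"ntg.sa.com", "maps.modon.gov.sa"}

# Constructed sample lines in squid's native access-log layout
# (time elapsed client code/status bytes method URL peer type). Not real traffic.
SAMPLE_LOG = """\
1487260801.123 45 10.0.0.12 TCP_MISS/200 512 GET http://139.59.46.154:3485/eiloShaegae1 - HIER_DIRECT/139.59.46.154 text/plain
1487260802.456 12 10.0.0.12 TCP_MISS/200 7741 GET http://45.76.128.165:4443/0w0O6 - HIER_DIRECT/45.76.128.165 application/octet-stream
1487260803.789 30 10.0.0.33 TCP_MISS/200 2048 GET http://ntg-sa.com/update.exe - HIER_DIRECT/198.51.100.7 application/octet-stream
1487260804.000 20 10.0.0.44 TCP_HIT/200 1024 GET http://maps.modon.gov.sa/index.html - HIER_DIRECT/198.51.100.8 text/html
1487260805.000 20 10.0.0.55 TCP_MISS/200 1024 GET http://example.com/ - HIER_DIRECT/198.51.100.9 text/html
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+\S+\s+(?P<client>\S+)\s+\S+\s+\S+\s+(?P<method>\S+)\s+(?P<url>\S+)"
)


def tokens(host):
    """Split a hostname on dots and hyphens so 'ntg-sa.com' and 'ntg.sa.com' compare alike."""
    return [t for t in re.split(r"[.-]", host.lower()) if t]


def lookalike_of(host):
    """Heuristic (assumption): a host whose first two name tokens equal a protected
    domain's, ignoring the dot/hyphen separators, but which is not that domain."""
    t = tokens(host)
    for p in PROTECTED:
        if host.lower() != p and len(t) >= 2 and tokens(p)[:2] == t[:2]:
            return p
    return None


def scan(log_text):
    """Return (client, host, reason) for each request to a known or look-alike host."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        host = urlsplit(m["url"]).hostname or ""   # strips the :port suffix
        if host in IOC_HOSTS:
            hits.append((m["client"], host, "known indicator"))
        else:
            p = lookalike_of(host)
            if p:
                hits.append((m["client"], host, "lookalike of " + p))
    return hits


def suspect_clients(log_text):
    """Sorted list of internal clients to triage first, per IBM's advice above."""
    return sorted({client for client, _, _ in scan(log_text)})


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
    print("triage:", suspect_clients(SAMPLE_LOG))
```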

It seems highly likely that Shamoon attacks are going to continue, since there now appears to be an exchange of malware between Iran and Saudi Arabia. The Iranians have blamed several petroleum plant fires last year on hacking, and the Saudis are pointing the finger of blame for Shamoon at the Iranians.

In the meantime, everyone else could get caught in the crossfire, so get checking those networks. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/02/16/researchers_catch_drivedestroying_domains_for_cyberwar_shamoon_malware/

RSA 2017 – Day 2 – Roving report [PODCAST]

Here’s today’s call-home from the RSA Conference 2017 from our roving reporter and man-on-the-spot, Bill Brenner.

(If you haven’t listened to our Day 1 report yet, why not catch up first? [6’51”])

Paul Ducklin talks to Bill about the event so far:

If you enjoy the podcast, please share it with other people interested in security and privacy and give us a vote on iTunes and other podcasting directories.

Listen and rate via iTunes...
Sophos podcasts on Soundcloud...
RSS feed of Sophos podcasts...


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/CDxvhaKlUNg/