Tools & Training To ‘Hack Yourself’ Into Better Security

How to teach your blue team to think like the red team when your network is under attack and time is your most valuable asset. Perhaps you’ve purchased the best cybersecurity technology available. Maybe you’ve brought in a red team (or have one in-house). You feel prepared in case of a cyber attack. However, there’s another step to attaining the proper level of preparation for today’s sophisticated cyber attacks: making sure your blue team knows how attackers operate. If you can implement a “hack-yourself” program effectively, you can improve the effectiveness of your defense-in-depth strategies by having a blue team capable of carrying out red team exercises to gain a better awareness of how attackers might approach certain network vulnerabilities. When your network is under attack, your most valuable asset is time.

The faster you understand you’re being attacked and the quicker you understand what’s happening, the faster you can identify where the attackers are and what they’re doing. Responding to attacks quickly and efficiently requires an advanced level of preparation that many security teams haven’t yet achieved. The first step in improving preparation is theoretical training in the latest tools, techniques and procedures.

Cybersecurity conferences such as Black Hat, DefCon, BSides and the Chaos Communication Conference can provide the higher-level, theoretical learning to get your security team moving toward proper awareness and preparation.

The next step is to introduce red team exercises. Red team exercises with third-party consultants can help large enterprises spot critical vulnerabilities in their networks. However, many companies rely on these red team exercises to the point that they don’t maintain the proper level of internal cybersecurity awareness.

External red team exercises offer a level of expertise that most organization don’t have internally.

But there is also real value in implementing a “hack-yourself” program to build your security posture from the inside -- and arm your blue team with the necessary skills to think like the red team and improve your security posture. More than simulationsRather than having your security team practice hacking skills on third-party sites, internal red team exercises are carried out on your real network--they are not just simulations.

But to get the most out of a “hack yourself” program and avoid causing damage to the network, your security team must have the proper training to identify vulnerabilities as it hunts for data, administrator credentials, or any other valuable assets on your servers. One way to ensure your security team has the proper training to carry out an advanced “hack-yourself” program is to invest in the Cyber Guardians program from the SANS Institute.

The Cyber Guardians program consists of four core courses and corresponding certificates. The program is meant to provide security professionals with knowledge about all kinds of cyber attacks and how to respond to them accordingly.

After your security team has achieved Cyber Guardian status, you’ll know that they are capable of understanding many techniques attackers might use to maneuver through your network. Once your internal red team is trained to enact the “hack-yourself” program, you need to supply them with tools similar to those that attackers have at their disposal when launching threats.

The following are two toolkits blue teams can use together for an effective “hack-yourself” program: Metasploit through Kali Linux and Cobalt Strike. MetasploitMetasploit, which has been labeled the Attacker’s Playbook by many in the cybersecurity community, offers a rich library of exploits you can run on a number of different servers.
If your blue team can simulate the various steps of APT attacks, they will better be able to spot the attack paths and vulnerabilities that might have otherwise allowed major data breaches. However, before your internal security team can start using Metasploit to its fullest potential, they’ll need specific training. Offensive Security offers a free training program for the toolkit called Metasploit Unleashed. Cobalt StrikeCobalt Strike is a tool used by red teams to emulate real network threats. You can use the tools within Cobalt Strike to conduct penetration testing.

The toolkit’s website says the software includes functionality for: Network reconnaissance Attack packages for Java Applet, Microsoft Office, Microsoft Windows, website cloning and more Spear phishing Collaboration within the penetration team Post exploitation (execute PowerShell scripts, log keystrokes, take screenshots, download files, and spawn other payloads) Covert communications to evade security systems Browser pivoting to avoid two-factor authentication Reporting and logging to analyze the results of the exercise While Metasploit offers a collection of exploits for blue teams to use, the tools and functionality in Cobalt Strike help blue teams gather information and move laterally without exploits. With the combination of an exploit toolkit and a set of tools reconnaissance and lateral movement, your trained security team can successfully carry out a “hack-yourself” program and uncover even the deepest layer of vulnerabilities. Why "hack yourself?"If you’ve never experienced a cyber attack, you will likely think the first time will happen exactly as how you’ve studied.

Consequently, you will be caught off guard when an attack actually occurs; there will be so much more information that it’s hard to understand what’s important, what isn’t important, and what to investigate further.

The more you practice internally, the better prepared you’ll be when the time comes that you’re actually under attack. Related Content: Black Hat USA returns to the fabulous Mandalay Bay in Las Vegas, Nevada July 30 through Aug. 4, 2016.

Click for information on the conference schedule and to register.
Ofer Israeli is illusive networks' founder and vice president of research and development. Prior to founding illusive networks, Ofer was a team leader at Check Point Software Technologies, where he led the endpoint security management and the cloud and document security ...
View Full Bio More Insights

These Figures Show Cybercrime Is A Much Bigger Menace Than Anyone...

One in 10 people have fallen victim to cybercrime. (Image: iStock) Cybercrime rates are much higher than previously estimated, with new figures from the Office for National Statistics, the UK's official producer of national statistics, suggesting that ...

Windows 10: What’s New in the Security System

Operating system security is one of Microsoft’s priorities.

The developers of the new generation of Windows have vigorously responded to the most significant and relevant threats that target the Windows platform by developing numerous security technologies that were previously available only in third-party solutions.

The system has become better protected, making the life of cybercriminals more difficult. Nevertheless, in some cases, the tools provided by the operating system are not sufficient – the developers have had to make compromises in a number of areas, which has negatively affected system security and makes it necessary to use third-party IT security tools. Because it is so widespread, Windows has been, and remains, the target of choice for cybercriminals of all stripes.

Each new version is researched thoroughly by thousands of blackhats in search of new moneymaking opportunities. Whitehats, for whom Windows is the main battleground in their fight against the bad guys, also explore it. Naturally, Kaspersky Lab always carries out a painstaking analysis of all changes introduced by Microsoft to the security system in order to provide its users with the best possible protection against cyberthreats. This review consists of three parts devoted to the most prominent new Windows 10 features that affect security.

These are the Microsoft Edge browser, virtualization-based security and an updated built-in anti-malware solution called Windows Defender.

All of these features have brought new capabilities to the Windows security system, but, unfortunately, they also come with some weaknesses of their own.
In this paper, we use examples to demonstrate how Windows 10 protection technologies work and how they can be complemented by third-party solutions to improve system security. Microsoft Edge The latest browser, Microsoft Edge, is intended to replace Internet Explorer.
It is included in Windows 10 as the default browser.

The company has worked hard to implement numerous new features, some of which are security-related. Content Security Policy and HTTP Strict Transport Security technologies were introduced to combat cross-site scripting attacks.

These technologies are designed not only to lower the chances of a successful attack but also to notify the web service’s owner about the attempt to carry it out. Microsoft has also come up with ways to protect Edge against exploits, which were the curse of Internet Explorer. Now, by using containers and separating content handling operations into different processes, exploiting vulnerabilities has been made much more difficult.

Finally, integration with SmartScreen should prevent users from visiting sites with malicious content. In addition to supporting new technologies, the security of Edge has been enhanced by retiring vulnerable old ones.

The browser no longer supports VML, BHO and ActiveX, which are used by a multitude of advertising apps and malicious browser add-ons. However, a browser’s security is determined by its ability to combat real attacks.

The majority of malicious programs designed to steal money via Internet banking work successfully with browsers such as Internet Explorer, Chrome, Firefox and Opera.

Typically these are Zeus (Zbot), the infamous Dyreza (Dyre), and the peer-to-peer bot Cridex (Dridex), all of which, despite being old, are nevertheless still used by virus writers. The functionality of a typical banker leads to the implementation of an MiTB (Man-in-The-Browser) attack. Most bankers pull off such an attack by integrating their code in the browser process and intercepting the network-interaction functions. However, these functions are implemented differently in different browsers, forcing virus writers to constantly modify and update their malicious software so that it can work with all possible browsers and versions. In November 2015, it was reported that the Dyreza Trojan had been given functionality that enabled it to attack Microsoft Edge. However, the activity of that particular botnet fell to zero soon afterwards: updates ceased to be released and the command-and-control servers were taken offline. Another infamous banker Trojan, Kronos, caught up with Edge in 2016. We checked out its capabilities on a Windows 10 virtual machine.
In the code of the new Kronos version we found a function that checks the name and checksum of a process, as well as the hashes of the functions hooked by the malware. Function that identifies the browser based on the checksum of its process name Kronos checks the process’s name, converts the string to lower case, calculates its checksum and squares it.

The hash obtained in this way is checked against a table – if it is found there, the Trojan will attempt to hook the functions it needs in the browser’s process. Browser process names known to the Trojan: Process name Checksum iexplore.exe 0x64302d39 chrome.exe 0x05d66cc4 firefox.exe 0x39ace100 opera.exe 0x9420a4a1 microsoftedge.exe 0x9b6d5990 microsoftedgecp.exe 0x949b93d9 In order to perform malicious operations that will make money for its owners, Kronos hooks the functions that create and send HTTP requests in the Wininet library. List of wininet.dll functions hooked: API function Hash HttpOpenRequestA Y7D4D7E3T2T2A4U3 HttpQueryInfoA C8C0U1A2G4G5Y2B5 HttpSendRequestA Y4U1P2F2G7T2A4U3 InternetCloseHandle A7S3H3X3D5Y7T7F7 InternetConnectA H0S6D5Q7E8P3P6U5 InternetCrackUrlA E6F2A3S8Y4C7D5A5 InternetOpenA B7P8P7T4E3U2H5A5 InternetQueryOptionA C1Y0B7E2B0P2P3T7 InternetReadFile D6X2S6E3Q3C5B5X2 InternetSetOptionA X3Y6Q2T7Q5Q2A5X6 Kronos hooks functions using the splicing method, adding a JMP (unconditional jump) instruction at the beginning of the code.
Since the malicious code injected into the browser is loaded as a shellcode rather than a library, the Mitigation Policy enabled in the browser will not block it from being executed. InternetReadFile function hook in MicrosoftEdgeCP.exe Handler for the hooked function Successfully hooking these functions enables the Trojan to inject data into web pages.
It also enables Kronos to get information about the user, the user’s credentials and bank account balance, to redirect the user to phishing sites, or to include additional entry fields to the bank’s legitimate page (enabling the malware to find out the user’s reply to the secret question, credit card number, date of birth or phone number). Web injection on a bank’s page Note that Kronos can only attack Edge on the 32-bit version of Windows 10.

But this is not a fundamental constraint – there are now bankers that work with the 64-bit version of Edge, as well. In the beginning of the year, a new modification of the infamous Gozi banker appeared.

Among other things, it was designed to carry out an MiTB attack against Edge under a 64-bit version of Windows 10.

The Trojan injects its code into the RuntimeBroker.exe process, launches the browser on behalf of that process and injects its code into the browser’s own processes. Part of the function that checks process names for injection As in the case of Kronos, the injected code hooks functions that create and send HTTP requests. However, instead of splicing, it substitutes IAT pointers as well as function addresses in the Export Table. Part of the function that checks process names to set the right hooks for each browser HttpSendRequestW hook set by Gozi banker in the MS Edge browser Note that Windows Defender successfully blocks the current versions of Kronos and Gozi. Nevertheless, new malware and adware will emerge that is capable of using Edge for its own purposes. Virtualization-Based Security In the corporate version of Windows 10, Microsoft has implemented a new approach to security that is based on Microsoft Hyper-V, a hardware-assisted virtualization technology.

The new paradigm, called Virtualization Based Security (VBS), is based on a whitelisting mechanism that only allows applications that are on the trusted-application list to be executed, and on isolating the most important services and data from other components of the operating system. VBS depends on the platform and CPU features, which means that the technology needs the following to operate: Windows 10 Enterprise. UEFI firmware v2.3.1+ with Secure Boot support. CPU supporting Intel VT-x/AMD-V virtualization features. Ability to block some features of the UEFI firmware and its secure updating. TPM (optional). Microsoft uses the Hyper-V hypervisor as its virtualization platform.

The less code a hypervisor contains, the fewer attack vectors against it exist.
In this aspect, the compactness of Hyper-V is very beneficial for security. Unlike previous Windows versions, the hypervisor starts not as a kernel-mode driver but in UEFI, at an early stage of the computer’s startup. Hyper-V initialization procedure In VBS, with the hypervisor active, each virtual CPU is assigned a Virtual Trust Level (VTL) attribute.

Two attributes are currently used: VTL 1 (“Secure World”) and VTL 0 (“Normal World”).
VTL 1 is more privileged than VTL 0. Secure Kernel Mode or SKM (Ring 0, VTL 1) includes a minimal kernel (SK), a Code Integrity (CI) module and an encryption module.
Isolated User Mode or IUM (Ring 3, VTL 1) includes several isolated services called Trustlets that are isolated not only from the external world but also from each other.
In “Normal World” (VTL 0) mode, the traditional kernel, kernel-mode drivers, processes and services work according to the former rules. Diagram describing the two worlds When the hypervisor is active, physical RAM pages and their attributes are only controlled by the secure isolated kernel (SK).
It can manipulate page attributes, blocking or allowing reading, writing or executing code on specific pages.

This makes it possible to prevent execution of untrusted code, malicious modification of trusted application code, as well as to make leaking protected data more difficult. In this architecture, the only component that controls the execution of any code in the system is the secure isolated Code Integrity (CI) module.

The kernel from “Normal World” cannot set the attributes of kernel-mode physical pages. Credential Guard Credential Guard is one of the main functional blocks of VBS.
It isolates secrets in such a way as to ensure that only trusted code has access to them.

This helps to withstand direct memory access (DMA) attacks, as well as pass-the-hash and pass-the-ticket attacks. System Information.

Credential Guard and HVCI
We have tested the technology, attempting to get secret data using direct memory access. We used Mimikatz and Inception hacker tools for this. Nothing worked.

These hacker tools were powerless against Credential Guard. DMA attack using the Inception tool Device Guard The Device Guard technology that is part of VBS is the successor of Microsoft AppLocker.
It controls the launching and execution of all code: executable files and dynamic libraries, kernel-mode drivers and scripts (e.g., PowerShell).

This is based on a code integrity policy created by the system administrator that defines which software is regarded as trusted. The main difficulty in using Device Guard is in creating a proper policy, which can be difficult even for experienced system administrators.
Ideally, the procedure is as follows: Enable the necessary Windows 10 VBS mechanisms on a test computer. Prepare a master image of Windows OS. Install all the necessary software. Create a code integrity policy based on certain rules and leave it in audit mode for some time.

During this time, software can be added or changed. Watch the event log for CI events. Perform any necessary policy adjustments, such as signing any software that is not signed. Consolidate the original policy with the version created while the policy was in audit mode. Disable audit mode in the code integrity policy, replacing it with enforced mode. Distribute the prepared policy to end users. A code integrity policy defines the conditions for executing code both in user mode (User Mode Code Integrity or UMCI) and in kernel mode (Kernel Mode Code Integrity or KMCI).
Secure loading of the Windows kernel itself is provided by the Secure Boot technology.

The integrity policy needs to be maintained and updated based on the software requirements in place at a specific organization. In addition to the integrity policy, there are other restrictions on executing code.

A physical memory page gets the “executable” attribute only if the certificate is validated.

Additionally, a kernel-mode page cannot have “writable” and “executable” attributes at the same time (the W^X restriction), which prevents most exploits and hooks from working in kernel mode.
In the event of an attempt to modify the contents of a kernel mode page that has “readable” and “executable” attributes, this will lead to an exception.
If it is not handled, Windows will stop and display a BSOD. As a result, it is impossible to execute unsigned drivers, applications, dynamic libraries, UEFI modules and some script types when the hypervisor and all the security options, such as Secure Boot, TPM, IOMMU, and SLAT are active.

Depending on settings, code that is signed but not trusted can also be blocked from being executed. To protect the policy from unauthorized changes or substitution, Microsoft suggests that it should be signed using a certificate generated by the administrator.

To remove a policy or change settings, another policy signed with the same certificate is required.
If an attempt is made to remove a policy or ‘plant’ an unsigned policy, the operating system will not start. Still, Device Guard is not perfect.
Increased protection comes at a price – in the form of performance degradation.

This is unavoidable due to the presence of a hypervisor.

The convoluted process of creating, configuring and maintaining a code integrity policy can be considered a weakness of the technology.

The options used by the policy are scattered across the operating system and cannot be managed through a single control panel.

As a result, it is easy to make a mistake, leading to weaker protection. Since Secure Boot plays a key role in this technology, the level of protection very much depends on the quality of UEFI code, which is developed by a third party over which Microsoft has no control.

Finally, the absence of protection against exploits in user mode is disappointing. Testing VBS If malicious code makes its way onto a computer with VBS by taking advantage of a vulnerability, it will have to elevate its privileges to kernel mode to be able to attack the hypervisor, the “Secure World” or UEFI. We tried to do this using a signed and trusted kernel mode driver. Kernel mode penetration testing results: Test Result Test Result W+X PE section .INIT + (by design) Allocate NP/P MEM, hack PTE manually + (BSOD) W^X PE section .INIT + (as is) R+X section, remove WP in CR0 + (BSOD) W+X PE section + (no start) Stack code execution + (BSOD) Allocate MEM, execute + (BSOD) Allocate MEM, hack MDL manually + (BSOD) R PE section, write, execute + (BSOD) None of the attack methods that we tried was successful.

Attacks based on changing Control Registers (CR0-CR8, EFER etc.) and Model-Specific Registers (MSR) did not work either – they all invariably ended in a Privileged Instruction exception (0xC0000096). We also carried out some tests in user mode, trying to circumvent a code integrity policy in enforced mode.

The objective was to execute an unsigned application or load an unsigned dynamic library into a trusted process. We were unable to do this directly, but we found a curious error in the Windows 10 preview release (10154). The error lies in the fact that, although Device Guard checks whether an application, driver or library is signed, it does not verify that the signature is valid for the application signed with it.

This makes it possible to extract a valid signature from any trusted application and insert it into any untrusted application – after this the system will consider the application to be trusted.
So, by inserting a signature from another application, we were able to execute an untrusted application and to load an untrusted dynamic library. We immediately reported the error to Microsoft and it was fixed within a few days. Windows 10 RTM (10240) does not include that error. We also discovered a denial-of-service error that makes it possible to crash the system and cause a BSOD for the hypervisor from the user space with just one Assembler instruction.

A fix for this error was included in Windows 10 TH2 (10586). The hypervisor’s BSOD Overall, Microsoft has done a great job in developing new security mechanisms. However, as in previous versions, there are still opportunities for attacks via the firmware.

Another problem is that the system administrator needs to be highly qualified to configure protection properly.
In the event of faulty configuration or loss of the private certificate, all protection becomes useless.
In addition, there is no protection against user-mode vulnerabilities.
It is also important to keep in mind that VBS is only available to users of the corporate Windows 10 version. We have notified Microsoft of all the vulnerabilities discovered during testing. Built-in Anti-Malware Protection in Windows Let’s have a look at the Windows component that protects the system against malware in real time.
It is enabled by default and, for users who do not install third-party anti-malware solutions, it is the main Windows IT security tool. The principal purpose of built-in protection is to prevent the installation and execution of malware.
It scans files and active processes in real time, identifying those that are malicious by checking them against a regularly updated signature database.
In most cases, this protection is sufficient. However, if you are an active Internet user and often perform critically important operations on your computer – such as managing your bank accounts via online banking – you need multi-tier protection.

Even the best anti-malware solution can miss new, as yet unknown malware.
In this case, only additional layers of protection can save the day by preventing a Trojan from carrying out malicious activity in the system. We did some research and found a few real-life examples demonstrating that built-in protection may not be sufficient. Keystroke Interception Some banker Trojans intercept data entered on the keyboard to steal the user’s online banking account.

Examples of such malware include Qadars, Zbot and Cridex. Many anti-malware solutions, including Kaspersky Internet Security, have a component that detects and blocks attempts by programs to intercept the sequence of keypresses.
In some cases, this can be enough to prevent criminals from making money at the victim’s expense, even if they have managed to infect the computer. We tested the response of built-in protection to keystroke logging with the help of a test application that uses the GetAsyncKeyState WinAPI function (this method is similar to the one used in the latest MRG testing). We were able to intercept the user’s login and password for a PayPal account with Windows Defender enabled. Logging the user credentials while entering a PayPal account Unauthorized Web Camera Access In the next test, we tried to gain unauthorized access to the web camera.

This functionality has been increasingly used in Trojans and other hacker tools in the past years.

The fact that a surveillance module using the web camera is included in the AdWind Trojan is a telling example of the popularity of this functionality among cybercriminals. Monitoring victims using their own web cameras can provide a wealth of information about them, which can later be used to make money illegally – for example, by blackmailing a victim with intimate videos. Some anti-malware solutions can control application access to the camera.
In real life, there are practically no situations in which a legitimate application could need to use the camera without notifying the user, which is why providing such notifications is a convenient and widely accepted practice.

The user can decide in each specific case whether the application really needs to use the camera or whether this is suspicious activity that should be blocked. Our test application used a publicly available library called OpenCV (which is what the Rover Trojan does, to give one example).

A simple Python script captured video from the web camera and displayed it in a separate window.

This means that an application was able to intercept video from the web camera on a Windows 10 machine with protection enabled, without the user being notified of this in any way. Capturing the screen with a script Control of Drive-By Downloads Another problem that is among the most serious issues faced by Windows users is the numerous exploits that can be used to infect the system via vulnerabilities in various applications. We tested the built-in protection with one of the latest exploits for the CVE-2016-1019 vulnerability in Adobe Flash Player. The exploit’s file is an SWF object compressed using the ZLIB algorithm. The flash exploit In this form, the file is recognized by the Windows Defender and quarantined. Successful detection of a packed exploit However, if the file is decompressed into the original SWF, the security system will miss it. Moreover, a compressed file that was detected on the hard drive is downloaded from websites in drive-by attacks and successfully executed from the browser’s context.
If a vulnerable version of Adobe Flash Player is installed in the system, an infection can occur, because Windows Defender does not include a drive-by download control component. Successful download of a Flash exploit that was previously detected on the hard drive In addition, we want to mention that Microsoft Windows has embedded component (SmartScreen) which could successfully stop drive-by attacks using reputation-based analysis, but in some cases, especially in targeted attacks, heuristic content analysis is needed for successful detection of exploitation process. We used this test case, which could not be covered with SmartScreen component to show that if threat actors will use Flash exploit with bypass techniques for Edge security mechanism user could be infected.

Currently we have not registered usage of such bypass techniques yet. Conclusion Today, a multi-tier approach is required to provide reliable protection for user systems, combining standard detection methods (signature-based analysis, behavioral analysis, etc.) with additional modules designed to detect attack techniques commonly used by cybercriminals. As our brief review has demonstrated, in some cases the IT security technologies built into Windows 10 are not sufficient for full-scale protection against malicious attacks.

As in previous Windows versions, all possible attack vectors should be blocked using dedicated Internet Security class security solutions.

Facebook malware – the missing piece

 Download the full report (PDF) In our last blogpost, Facebook malware: tag me if you can, we revealed a phishing campaign led by Turkish-speaking threat actors who exploited social networks to spread a Trojan that compromises the victim’s machine and captures its entire browser traffic.

The report did not address the issue of lateral movement because Kaspersky Lab researchers were still investigating it. After two weeks of research, Kaspersky Lab researcher Ido Naor, and Dani Goland, the CEO & co-founder of Israel-based company Undot, managed to extract the proverbial needle from a haystack: a Facebook vulnerability that allowed an attacker to replace the comment identifier parameter attached to each web/mobile Facebook comment with an identifier that was reserved for embedded plugins usually located on third-party websites (where they allowed visitors to comment with their Facebook identity). By tampering with the comment identifier, the attacker was able to create a post on the victim’s Facebook timeline, tag their entire ‘Friends’ list in a comment to the post (which will store the array of tagged users in Facebook servers), and then replace the comment identifier with a third-party Facebook comments plugin identifier (controlled by the attacker) and delete the tagging.
Since the notifications were already stored and “shipped” to the tagged friends, the act of replacing the web comment identifier with a Facebook plugin comment identifier resulted in the redirection of the tagged user outside of the Facebook platform, to a malicious link which instantly downloaded a Windows JSE file.

And where would be the best place to store such file if not in the victim’s cloud storage – Google Docs / Dropbox? If those were not present, the malware had a fail-safe mechanism that sent a tinyurl link as a Facebook message to the victim’s entire Facebook friends list and, just in case the message wasn’t delivered, a malicious Google short link was posted on the victim’s timeline along with a convincing message that contained pictures of the victim’s friends. Facebook has now fixed the issue and blocked the vulnerability that was a key feature in spreading the malware. It is worth mentioning that the code responsible for the vulnerability is filled with strings and variable names in the Spanish language, suggesting that whoever wrote it is not necessarily part of the Turkish-speaking group. Looking at the complexity of the code puts it in an even more questionable position regarding the author’s identity.
In addition, the file is completely dynamic and adaptive to every action made by an analyst, preventing them from fully inspecting the code.

Flaws Found In Security Products AVG, Symantec, And McAfee

Patch frenzy imminent, say researchers, thanks to bad use of code hooking Updated Hundreds of security products may not be up to the job, researchers say, thanks to flawed uses of code hooking. The research is the handiwork of EnSilo duo Udi Yavo and Tommer Bitton, who disclosed the bugs in anti-virus and Windows security tools ahead of their presentation at the Black Hat Las Vegas conference next month. The pair says 15 products including those from AVG, Symantec, and McAfee are affected.
Scores more may be vulnerable thanks to their use of Microsoft's Detours, code Redmond says is used for "re-routing Win32 APIs underneath applications [and] is licensed by over 100 ISVs and used within nearly every product team at Microsoft." The researchers did not specify if Microsoft's enhanced mitigation experience toolkit (EMET) is affected. Attackers would already need access to a system to reap the benefits of the vulnerabilities and neuter the security platforms running on the target system. "We found six different common security issues that stem from incorrect implementation of code hooking and injections techniques," the pair say. "These issues were found in more than 15 different products. Practically, it means that thousands of products are affected." Microsoft is brewing a patch for Detours due to drop next month, which will help to address matters. The pair examined intrusive user-mode hooks common across end point security products and man-in-the-middle malware alike, namely the Duqu trojan, making the "depressing" finding that many are vulnerable to exploitation. Patching will be a slow process of recompiling affected security software, the pair say. ® Updated to add Symantec contacted us to let us know that it provided a fix to customers back in March.

The security advisory can be found here. Sponsored: Global DDoS threat landscape report

Improving Attribution & Malware Identification With Machine Learning

New technique may be able to predict not only whether unfamiliar, unknown code is malicious, but also what family it is and who it came from. One of the cybersecurity promises of machine learning (particularly "deep learning") is that it can accurately identify malware nobody has ever seen before because of what it's learned about malware it's seen in the past. Konstantin Berlin, senior research engineer at Invincea Labs, is trying to take the techology further, so that organizations can get more information about unfamiliar code than simply "it's benign" or "it's malicious." Berlin, who will be presenting his work next month at Black Hat, says security pros also want to know more about the malware family so they can plan their mitigation strategy accordingly. His technique, he says will do that, as well as improve malware triage and attribution by using new methods of recognizing similarities between malware samples.

This can all be done in a customized way that enables each organization to choose what features and factors interest them most. Berlin explains machine learning's difference to traditional signature-based anti-malware like this: If, for example, you want to predict the direction a rocket will go when it sets off, he says you don't necessarily need to learn the physics of propulsion and enter equations into the machine. You simply need to feed it lots of data of examples of rockets going off until it learns to accurately predict where the rockets will go. "Based upon millions of observations, it won't necessarily explain the rule, but it works in terms of prediction." So, even if the machine has never seen something before, it will know it's malicious -- even if it doesn't know precisely why. What Berlin wants to do, however, is give people more than just benign or malicious. To do that, he's using a technique that improves the way security tools recognize what binary is similar to another -- and therefore how they are classified into families, attributed to malware authors, and tied to threat actors.  According to Berlin, the current process usually used is expensive to develop, and requires periodic retuning that is done manually because organizations have their own sets of features they look for in malware binaries, their own weighting system for which features are most significant, and their own methods for minimizing the impact of those features that aren't important at all.

Because of the costs and the labor, the retuning isn't done as often, and therefore it's more difficult to keep up with the pace of malware evolution.   The method Berlin is presenting at Black Hat next month may not only improve accuracy but make the process cheaper, he believes.
It uses a technique called supervised embedding, and is something the security world more commonly encounters in facial recognition. Supervised embedding is a way to disregard malware samples' unimportant features, enhance their most important features, and re-map the distance between those malware samples.

Distance thus mirrors "semantic sense" and similarity is measured by the features the security team has deemed are the most essential for their needs.
So, if they're specifically interested in principally grouping malware by the likely threat actor, target industry, attack vector or attack type, they could. Any features of a file that are unrelated to whether it is malicious are automatically eliminated, says Berlin, "so the distances rely on the tradecraft of the malware." It does not require a stack of signatures, but the technology does require a database of labels for all of these malware features.

Berlin is using Microsoft's existing database of families and variants, but organizations could invest in creating their own bespoke database that truly zeroes in on the information they want. "That's the beauty of machine learning," he says. "You train it for the task you want to accomplish." This sort of system, this brain, is considerably lighter to carry around than a stack of signatures, too, says Berlin.

This "statistical approach," requires less power than an "all or nothing" approach, he says.  Related Content: Black Hat USA returns to the fabulous Mandalay Bay in Las Vegas, Nevada July 30 through Aug. 4, 2016.

Click for information on the conference schedule and to register.
Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...
View Full Bio More Insights

Criminals Plant Banking Malware Where Victims Least Expect It

reader comments 42 Share this story A criminal gang recently found an effective way to spread malware that drains online bank accounts.

According to a blog post published Monday, they bundled the malicious executable inside a file that installed a legitimate administrative tool available for download. The legitimate tool is known as Ammyy Admin and is used to provide remote access to a computer so someone can work on it even when they don't have physical access to it.

According to Monday's blog post, members of a criminal enterprise known as Lurk somehow managed to tamper with the Ammyy installer so that it surreptitiously installed a malicious spyware program in addition to the legitimate admin tool people expected.

To increase their chances of success, the criminals modified the PHP script running on the Ammyy Web server, suggesting they had control over the website. What resulted was a highly effective means for distributing the banking Trojan.

That's because the legitimate tool Ammyy provided was in many ways similar to the banking Trojan in that they both provided remote access to the computer they ran on.

As researchers from antivirus provider Kaspersky Lab explained: We should note that attacks of this type (Watering Hole) are very effective, and doubly dangerous if they target the users of a remote administration software tool: administrators using such a tool might presume that a malware (or malicious activity) detection event reported by their security software is a false positive triggered by the presence of the remote administration tool itself, and allow the detected activity. Moreover, they could disable protection or add the malicious program to the tracking and checking exemption list, thus allowing it to infect the computer. Kaspersky Lab products detect this type of legitimate software (remote administration tools), but with a ‘not-a-virus’ verdict, displaying a yellow detection notification window.

This is done in order to keep the user informed when remote access software is launched on a computer, because this type of software was used by Lurk operators without the victim’s knowledge or consent, and is still used by cybercriminals distributing other malware adapted to steal money. Kaspersky Lab researchers say the Ammyy website has been breached several times.

Even after removing the malicious code earlier this year, it somehow managed to come back.
In June, after a law enforcement crackdown shut down the Lurk gang, the Ammyy site started distributing a new malicious program that had no ties to Lurk. "This suggests the malicious actors behind the Ammyy Admin website breach are offering the chance to buy a place on their Trojan dropper in order to spread malware from," Kaspersky Lab researchers wrote. The take away is that website infections can have serious consequences and are often extremely hard to remove.
Sites that are caught distributing malware should probably not be trusted again. Listing image by Wikipedia

UK Rail Hit By Four Cyberattacks In One Year

No disruption to rail network caused, hackers appear to be nation-states, says cybersecurity firm Darktrace. UK’s rail network was hacked at least four times in the past one year, reports The Telegraph, quoting Darktrace, which handles security for the rail network.

Appearing to be cyberespionage activity conducted by nation-states, the attacks were exploratory in nature and did not disrupt the rail system, Darktrace said. Kaspersky Lab believes that at the moment, state-sponsored attackers were very active without doing much, but hackers could cause chaos if they managed to enter the rail network system. Network Rail has said cybersecurity would play an important part in their plan to introduce digital train control technology. “Safety is our top priority, which is why we work closely with government, the security services, our partners and suppliers in the rail industry and security specialists to combat cyber threats,” added a spokesperson. For more on this, click here. Dark Reading's Quick Hits delivers a brief synopsis and summary of the significance of breaking news events.

For more information from the original source of the news item, please follow the link provided in this article.
View Full Bio More Insights

Lurk: a danger where you least expect it

While we were researching the malicious program Lurk in early February 2016, we discovered an interesting oddity in how this banking Trojan spreads.

From the data we had, it emerged that the users attacked by Lurk also installed the remote administration software Ammyy Admin on their computers.

At first, we didn’t really give this much thought, but further research showed that the official Ammyy Admin website had most probably been compromised, and the Trojan had been downloaded to users’ computers along with the legitimate Ammyy Admin software. It turned out that on the official site of Ammyy Admin (which is used for remote desktop access) there was an installer that did not have a digital signature and was an NSIS archive. When this archive was launched, two files were created in a temporary folder and launched for execution: aa_v3.exe – installer of the administration tool Ammyy Admin, signed with a digital signature; ammyysvc.exe – malicious spyware program Trojan-Spy.Win32.Lurk. In other words, the Ammyy Admin installer available for download on the manufacturer’s official website is basically a dropper Trojan designed to stealthily install a malicious program in the system, while displaying a screen mimicking the installation of legitimate software. We found out that the dropper was being distributed on a regular basis (with short breaks) over several hours on weekdays. Last November other researchers wrote about this same method of distributing malware, however that publication did not stop the distribution of the Trojan. Official Ammyy Admin website. Note the ‘Download’ button By the way, some browsers (e.g. Mozilla Firefox) were flagging the website as potentially dangerous at the time of writing this post, and warning about the presence of unwanted software. Mozilla Firefox warning page displayed when an attempt is made to access To ensure successful distribution of the malicious program, the cybercriminals modified the PHP script on the Ammyy Group web server in such a way that the malicious dropper was provided when a download request was made. An external function was added to the PHP script on the web server In early April, the cybercriminals uploaded a new, slightly modified dropper for distribution.

At launch, it used the function GetComputerNameExA to check if the computer being infected was part of a corporate network; if so, it launched the Lurk malicious program along with the remote administration tool.

This shows that the cybercriminals were specifically hunting for corporate workstations and servers. We should note that attacks of this type (Watering Hole) are very effective, and doubly dangerous if they target the users of a remote administration software tool: administrators using such a tool might presume that a malware (or malicious activity) detection event reported by their security software is a false positive triggered by the presence of the remote administration tool itself, and allow the detected activity. Moreover, they could disable protection or add the malicious program to the tracking and checking exemption list, thus allowing it to infect the computer. Kaspersky Lab products detect this type of legitimate software (remote administration tools), but with a ‘not-a-virus’ verdict, displaying a yellow detection notification window.

This is done in order to keep the user informed when remote access software is launched on a computer, because this type of software was used by Lurk operators without the victim’s knowledge or consent, and is still used by cybercriminals distributing other malware adapted to steal money. As soon as we discovered that the Ammyy Group website had been breached and was distributing a malicious program, we reported it to the company’s representatives.

After that, as Ammyy Group communicated, the site was checked, and the alien code was removed.
In February, we notified the company of three such instances when malware was being distributed, and each time the problem was solved, although only temporarily. Interestingly, on June 1 the content of the dropper changed. On that very day, it was reported that the creators of Lurk had been arrested, and the website began distributing a new malicious program, Trojan-PSW.Win32.Fareit, in place of Lurk; this new Trojan was also designed to steal personal information.

This suggests the malicious actors behind the Ammyy Admin website breach are offering the chance to buy a place on their Trojan dropper in order to spread malware from We informed Ammy Group of the new attack and the new malware being distributed from the website Kaspersky Lab’s products proactively protect users from the installation of the malicious dropper program (as well as from the piggybacked programs Trojan-Spy.Win32.Lurk and Trojan-PSW.Win32.Fareit), and block it from being downloaded from the website MD5 D93B214C093A9F1E07248962AEB74FC8FA3F9938845EC466993A0D89517FE4BDC6847F43C3F55A9536DDCD34B9826C675811244C03A0A074E56F44B545A14406EF231C83CA2952B52F221D957C3A0B93CFD5093CB2BB3349616D9875176146C12F3259F58A33176D938CBD9BC342FDDD186789B35DFCDFEBFE7F0D4106B1996FE483C477F78119AF953995672E42B292B084C2099CE31DD8D3E9D34F31CD606D

Meet The Teams In DARPA's All-Machine Hacking Tournament

"Autonomous security" is DARPA's latest game.
Its Cyber Grand Challenge will culminate at DEF CON with a contest to see which of these seven finalists' machines will automatically detect and remediate the most security vulnerabilities. 1 of 8 Image Source: DARPA The Defense Advanced Research Projects Agency (DARPA) has a proud tradition of seeding research projects that lead to some of the world’s most important technology developments. It was DARPA that funded the original research in the 1970s that led to the creation of the Internet and a decade ago, DARPA was behind some of the first research on autonomous cars, which are slowly becoming a reality. Now, through the Cyber Grand Challenge, culminating Aug. 4 during DEF CON, DARPA aims to develop autonomous security systems that can analyze bugs and rapidly repair vulnerabilities in computer systems. Mike Walker, the DARPA program manager who headed up the Cyber Grand Challenge, says that analysts have estimated that on average, security flaws go unremediated for 10 months before being discovered and patched.

This gives bad actors ample opportunity to wreak havoc on affected systems before they move on to exploit other machines. Walker adds that is can take up to three weeks for security professionals to patch a system once malware is discovered.

That’s just too long a window for bad actors to do damage. The Cyber Grand Challenge, which was launched in 2013, aims to build autonomous systems that can bring the remediation time down to minutes or even seconds. Walker says that the conventional wisdom that says it’s only a matter of time when systems will be hacked as opposed to if they will be attacked is not acceptable today. Organizations rely on their computer systems to get work done and grow businesses and they must be kept safe.
In fact, the world’s financial systems run on computers today and everything hinges on a sense of trust by the public that they are secure. “Our role at DARPA is to see beyond the status quo and imagine something better -- a future where the network is defensible by default  -- and then chart a path to get there,” Walker says. The seven finalists were selected among more than 100 teams that applied to win the cash prizes and gain exposure for their organizations.

The top prize is $2 million, second prize $1 million and third prize $750,000. Each of the finalists were given autonomous reasoning machines (ARMs) developed by DARPA and asked to write code that will let the machines function at a high level in cyber defense contests. On August 4 at the Paris Hotel in Las Vegas during DEF CON, DARPA will release previously undisclosed code into a computer testbed and the seven machines will be challenged in a Capture the Flag format to find and patch within seconds the flawed code that’s vulnerable to be hacked.

The goal is for the machines to find their opponents' weaknesses before the defending systems do.

The teams will score points for defending their machines and lose points when the other teams find vulnerabilities. Walker adds that the real goal of the Cyber Grand Challenge is to prove the viability of autonomous cyber defense. “At a minimum, we’ll learn a lot from seeing how the systems fare against each other, and if we can even provide a clear proof of concept for autonomous cyber defense, that would be revolutionary,” he says. “In the same way that the Wright Brothers’ first flight didn’t go very far, but launched a chain of events that quickly made the world a much smaller place, a convincing demonstration that automated cyber defense is truly doable would be a major paradigm shift and would speed the day when networked attackers no longer have the advantage they enjoy today.” The following slides provide an overview of each of the finalists, plus links to videos about the teams. Steve Zurier has more than 30 years of journalism and publishing experience, most of the last 24 of which were spent covering networking and security technology.
Steve is based in Columbia, Md.
View Full Bio 1 of 8 More Insights

What's Next For Canada’s Surveillance Landscape?

Edward Snowden headlines SecTor security conference as Canadian privacy advocates await the Trudeau government's next move in the country's complex privacy and security debate. Edward Snowden’s 2013 revelations of massive state surveillance shocked the world and made it more aware of electronic privacy issues, but north of the border, Canada continues to struggle with its own. Just over a year ago, the former Conservative Canadian government, led by Stephen Harper, enacted a piece of legislation that enraged privacy advocates.

Bill C-51 extended the powers of Canada’s intelligence services, prompting an open letter from over 100 Canadian academics imploring the government to rethink it.

Even the federal Privacy Commissioner complained about it. A year later, we have a new government that has promised to overhaul things. What has been done, and where does Canada’s complex debate over privacy and national security sit now? C-51 angered privacy advocates by increasing information-sharing powers between 17 government agencies.

The Canadian Security Intelligence Service (CSIS), which is Canada’s domestic intelligence agency, can now obtain the tax records of anyone perceived to be a national security threat, for example.

The bill also permitted the disclosure of information shared between government agencies to others. C-51 gave new powers to CSIS.

They included the "disruption" mandate, which lets it take measures to reduce threats when it believes they pose a threat to the security of Canada. Legal experts have questioned the wording here, worrying that CSIS gets to determine what constitutes a threat and suggesting that it can legitimize a slew of activities including electronic surveillance without the need for the agency to ask for a warrant. All of this dismayed Snowden, who has specifically referenced Canada when warning against passing anti-terror laws that curtail civil liberties. Edward Snowden will be speaking via video link at the SecTor security conference in Toronto at 9 am on Tuesday October 18, and will be taking questions from Dark Reading readers. If you have relevant questions you would like to ask, let the SecTor team know by posting them in the comments section at the bottom of this article.
SecTor will be selecting the best to be addressed at the event.
Politically, the Conservative Harper government naturally supported the bill, having introduced it in the first place, while the left-leaning National Democratic Party (NDP) strongly opposed it.

The moderate Liberal party, which ended up winning last year’s federal election, came down in the middle, supporting the bill but with some caveats. Trudeau: Broader oversight, narrower scopeLiberal leader and now-Prime Minister Justin Trudeau voted for the bill but vowed to temper it a little in two broad areas. The first focal point was oversight.

The Liberal government would create a multi-party oversight committee to ensure that CSIS was acting appropriately.
Snowden himself criticized Canada for poor spying oversight back in May 2015, not long before the Bill became law. CSIS hasn’t been entirely without oversight in the past.

Traditionally, the body responsible for overseeing CSIS has been the Security Intelligence Review Committee (SIRC).

This body typically reviewed a sample of CSIS warrant applications, but in its annual report for 2014-15, it explained that it would have to broaden its review activities to cope with the new powers granted to CSIS under C-51.

The Harper Government had already earmarked additional funding to help with this in its 2015 Economic Action Plan. SIRC explained that it had broadened its scope to cover CSIS’ use of metadata, and had found it wanting in areas including training, policy and procedure, investigative thresholds, and recording its decision-making.
SIRC had made some key recommendations in this area that CSIS had not taken up, the report said. The Trudeau’s concern was that SIRC described itself as a review body, examining past activities, rather than an oversight body, monitoring CSIS operations in real-time. The Liberal leader vowed to alter this and started to make good on this promise in early 2016. His public safety minister Ralph Goodale has now introduced Bill C-22, which would create a cross-party oversight committee that would oversee almost 20 agencies related to national security. Mandatory review periodThe second problem that Trudeau had with C-51 was with the bill’s scope. He promised to refine some of its language to omit legal protests and advocacy from definition as terrorist activities, and said that he would introduce a mandatory review period for the legislation. He hasn’t taken these steps at the time of writing, and privacy advocates are awaiting the government’s next move.
In the interim, Trudeau has been shuffling. One notable political action was his appointment of a new national security advisor, Daniel Jean, in May this year. Jean replaces former Harper government National Security Advisor Richard Fadden, an ex-director of CSIS, who recently retired. Jean doesn’t come from the spy community, moving up instead from his role as deputy minister of foreign affairs.

Before that, he served in Heritage Canada and the Treasury Board.

That may point to a more international intelligence focus at the top and a move away from more hardline domestic intelligence policies.
It could be taken as an indicator that the Trudeau government intends to calibrate Bill C-51 to bring it more in line with its new focus. All this will still be guesswork until Trudeau actually takes steps to change the legislation.

An attempt at proper oversight may appease privacy advocates a little, but we still don’t know what will happen to the government’s electronic surveillance powers until a minister stands up in parliament with a proposed amendment. Even when that happens, it’s unlikely to satisfy privacy advocates who have always called for the repeal of C-51, but they’re unlikely to get much more.

After all, the Trudeau government never promised to do away with the thing altogether. Don’t forget, Edward Snowden will be speaking via video link at the SecTor security conference on October 18, so post your questions in the comments section below. Related Content: Bruce Cowper is a founding member of the Security Education Conference Toronto (SecTor), the Toronto Area Security Klatch (TASK), the Ottawa Area Security Klatch (OASK) and an active member of numerous organizations across North America.
In his day job, Bruce works for ...
View Full Bio More Insights

FDIC Likely Hacked By China But Covered Up Breach, Report Says

A 2013 FDIC internal memo indicates a cover-up of China breach by employees to protect chairman's job. US banking regulator Federal Deposit Insurance Corporation (FDIC) was likely hacked by China in 2010, 2011, and 2013, a congressional report says.

An internal FDIC probe said this information was covered up by employees to protect job confirmation of chief Martin Gruenberg by US Senate, according to Reuters.   The breach was first reported in May, but the latest information, based on a 2013 FDIC internal memo, points to China as the culprit with intruders reportedly after economic intelligence.

The report added that even Sheila Bair was hacked likely by China when she was FDIC chairperson between 2006 and 2011. However, cybersecurity expert Shane Shook, who was part of the hack probe, says he did not see evidence convincing enough to implicate China. Gruenberg is scheduled to testify today on FDIC cybersecurity measures. Read full story on Reuters. Dark Reading's Quick Hits delivers a brief synopsis and summary of the significance of breaking news events.

For more information from the original source of the news item, please follow the link provided in this article.
View Full Bio More Insights