November has quickly become one of the biggest months for crypto-ransomware all year. Multiple new crypto-ransomware variants have been introduced, as cyber criminals prepare to prey on vulnerable users heading online for their holiday shopping.
The first variant, Chimera, has been encrypting both files and networks drives, as well as threatening to publish personal data and pictures online if the ransom is not paid. Chimera has been in circulation since September, using business-focused emails as its primary avenue of compromise.
According to the Anti-Botnet Advisory Centre:
“Several variants…try to target specific employees within a company and they have one thing in common: within the email, a link points to a source at Dropbox, claiming that additional information has been stored there.”
Users naïve enough to click on the link are infected with Chimera, which encrypts all locally stored data and demands a nearly $700 ransom.
Currently, there is no evidence that Chimera is following through on its threat to publish the compromised data, but the threat alone is a new modus operandi for crypto-ransomware.
Next up, Cryptowall has been updated to Cryptowall 4.0. Previously, Bromium has chronicled the history of Cryptowall and crypto-ransomware, in its report, “Understanding Crypto-Ransomware.” Cryptowall is one of the original crypto-ransomware variants, first appearing around November 2013. In addition to encrypting user files, Cryptowall 4.0 also encrypts file names, making it even more unlikely for file recovery.
Third, CryptoLocker Service is also an update to one of the original crypto-ransomware variants, CryptoLocker. CryptoLocker Service emerged from the Darknet this week, being run by an individual known as Fakben (known for his participation in stolen credit card forums). Fakben is making CryptoLocker available as a service for $50, plus ten percent.
Fakben notes that this ransomware shares only a name with CryptoLocker, making it clear the new code is different from the original.
Regardless of the variant, crypto-ransomware typically gains its foothold by exploiting vulnerabilities in products such as Flash and Java. A recent Bromium survey determined that 90 percent of security professionals believe their organization would be more secure if it disabled Flash.
Finally, Linux servers have been hit by a ransomware attack that gains administrative access and encrypts key files. These attacks should be of little concern to end users since the attacks were against admin servers.
Organizations should be concerned with crypto-ransomware because once an attack succeeds, recovery options are limited to installing from back-ups. Detection and reaction are destined to fail against crypto-ransomware. The only hope for preventing crypto-ransomware attacks is proactive protection, such as the threat isolation provided by Bromium vSentry.
Microsoft today announced the availability of the “Windows for Business” update to Windows 10, which (for geeks) was code-named “Threshold 2”. The update includes a slew of new features and bug fixes.
Rather than focus on the visible changes, I wanted to know just how much Microsoft had changed the OS, given its new “Windows as a service” approach to aggressively patching the OS, and to delivering only cumulative patch updates. WaaS has put IT departments on notice that not patching is not acceptable – which has predictably riled some IT folk, but is nonetheless the right way to address the major contributor to breaches: 70% of breaches result from malware exploiting a vulnerability for which a patch has been available for over a year.
On to the data: TH2 delivers massive changes under the hood. A typical Windows 10 installation (with 3 language packs) numbers about 130,000 files. For build 10240, the total number is 130,266, and for build 10565 (the TH2 preview released to the fast ring of testers about a week ago), that number changed to 131,404. Did they simply add 1,138 files? Far from it. Upgrading from 10240 to 10565, Microsoft modified 26,434 files, added 94,431 files and deleted 93,264.
Probably the vast number of deletions and additions is due to the way WinSxS works – the files are logically moving from folders that include a Windows version number; but at the same time, the binaries in them are indeed different. Without the SxS folder structure the delete/add totals would probably diminish, but the “files modified” count would correspondingly rise.
So, if you roughly tot up the files modified (~26k), plus the “swaps in and out” (~94k) (== ~120k) you’re not far off the full install (~130k). The registry is similarly transformed. On the upgrade the number of registry keys changed was 288,320.
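To show how the add/delete counts above depend on WinSxS path layout, here is an added example (not Bromium's own sleuthing tooling) that diffs two file inventories and then re-runs the diff with the version field of WinSxS component folders collapsed; the two manifests and their hash values are constructed, and the `inventory()` helper is only there so the same logic can be pointed at real install trees.

```python
"""Diff two Windows build inventories: added / deleted / modified files.

Added example, not code from the original post. The manifests below are
constructed (paths plus stand-in content hashes). A WinSxS component folder
carries the build version in its name, so an upgraded binary shows up as one
'deleted' plus one 'added' path; collapsing that version field turns the pair
into a single 'modified' entry, which is the effect the post describes.
"""
import hashlib
import os
import re
from collections import namedtuple

# Constructed sample manifests: path -> content hash (stand-in for SHA-256).
OLD_BUILD = {
    r"Windows\System32\ntdll.dll": "h1",
    r"Windows\System32\kernel32.dll": "h2",
    r"Windows\WinSxS\amd64_microsoft-windows-shell32_10.0.10240.16384_none\shell32.dll": "h3",
    r"Windows\WinSxS\amd64_microsoft-windows-gdi_10.0.10240.16384_none\gdi32.dll": "h4",
    r"Windows\System32\oldfeature.dll": "h5",
}
NEW_BUILD = {
    r"Windows\System32\ntdll.dll": "h1b",       # modified in place
    r"Windows\System32\kernel32.dll": "h2",     # unchanged
    r"Windows\WinSxS\amd64_microsoft-windows-shell32_10.0.10565.0_none\shell32.dll": "h3b",  # new folder, new bytes
    r"Windows\WinSxS\amd64_microsoft-windows-gdi_10.0.10565.0_none\gdi32.dll": "h4",         # new folder, same bytes
    r"Windows\System32\newfeature.dll": "h6",   # genuinely new file
}

Delta = namedtuple("Delta", "added deleted modified unchanged")

# The version field of a WinSxS component folder, e.g. "_10.0.10240.16384_".
_SXS_VERSION_RE = re.compile(r"_\d+\.\d+\.\d+\.\d+_")


def diff_manifests(old, new):
    """Classify every path in either manifest as added, deleted, modified or unchanged."""
    old_keys, new_keys = set(old), set(new)
    common = old_keys & new_keys
    modified = {p for p in common if old[p] != new[p]}
    return Delta(
        added=sorted(new_keys - old_keys),
        deleted=sorted(old_keys - new_keys),
        modified=sorted(modified),
        unchanged=sorted(common - modified),
    )


def strip_sxs_version(path):
    """Replace the WinSxS version field with a placeholder so that two builds'
    copies of the same component compare under one logical path."""
    return _SXS_VERSION_RE.sub("_<ver>_", path)


def normalise(manifest):
    """Re-key a manifest by version-collapsed path. A real install may keep
    several versions of one component side by side; sorting means the
    lexically highest version wins when they collide."""
    out = {}
    for path in sorted(manifest):
        out[strip_sxs_version(path)] = manifest[path]
    return out


def summarise(delta):
    return {field: len(getattr(delta, field)) for field in Delta._fields}


def inventory(root):
    """Build a real manifest (relative path -> SHA-256) from an install tree.
    Not used by the sample run; provided so the diff can be fed real data."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                with open(full, "rb") as fh:
                    manifest[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
            except OSError:
                continue  # locked or unreadable file; skip rather than abort
    return manifest


if __name__ == "__main__":
    raw = diff_manifests(OLD_BUILD, NEW_BUILD)
    collapsed = diff_manifests(normalise(OLD_BUILD), normalise(NEW_BUILD))
    print("raw paths:        ", summarise(raw))        # 3 added, 3 deleted, 1 modified
    print("version collapsed:", summarise(collapsed))  # 1 added, 1 deleted, 2 modified
```

On the constructed data the raw diff reports three additions and three deletions, while the version-collapsed diff reports one of each and two modifications, which is the shift from add/delete towards "modified" that the post predicts.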
In a nutshell: Threshold 2 essentially delivers a completely new OS, and the amazing thing is that you’ll probably not notice the changes, other than the new features. Of course this is a massive update in terms of download size, but no enterprises have rolled out Windows 10 yet so the impact will hit consumers more. Of course there might be a downside for ISVs that rely on areas of the registry that were modified, or assumed that the Windows folder was intended for anything other than Windows, but ultimately ISVs need to adjust their world-view too: Gone are the days when you can dig deep inside the OS and hope that nothing will change.
Another positive: With an upgrade this big, just about everything is being changed. The OS is more secure, and any vulnerabilities that bad guys had thought about exploiting may well have been addressed or substantially changed – setting the attackers back substantially.
(Sleuthing by Adrian Taylor & Tim Howes of @Bromium)
“Cyber insurance premiums rocket after high-profile attacks” reports Reuters, as the increasing frequency and magnitude of cyber attacks has caused cyber insurance providers to reevaluate cyber security risk. According to Reuters, the rate hikes have also been accompanied by increased deductibles and caps on coverage at $100 million – a far cry from the cost of high-profile breaches, which can cost more than $200 million.
Organizations that were planning to mitigate cyber security risk with cyber security insurance are in a perilous position. According to some estimates, a company may need as much as $1 billion in cyber insurance to protect its assets, but the maximum coverage available today is $500 million, and most companies will be unable to secure more than $300 million.
According to Stephen Catlin, the head of the largest Lloyd’s of London insurer, cyber attacks are “the biggest, most systemic risk…our balance sheets are not large enough to pay for that.” Catlin has argued that cyber insurance should become a responsibility of the government.
In fact, the government has taken cyber insurance into consideration. The Department of Homeland Security has recommended that “a robust cybersecurity insurance market could help reduce the number of successful cyber attacks by: (1) promoting the adoption of preventative measures in return for more coverage; and (2) encouraging the implementation of best practices by basing premiums on an insured’s level of self-protection.”
However, not every organization has implemented these recommendations and may find they are not eligible for coverage. According to Reuters:
AIG offers cyber policies that cover up to $75 million for a cyber attack, but only for companies like top global banks that are the most adept at securing networks and mitigating cyber risk.
“We have turned clients away,” said Tracie Grella, the global head of professional liability at insurance giant American International Group Inc (AIG.N).
Where does this leave organizations that want to decrease cyber security risk?
The DHS has identified four pillars of effective cyber risk culture:
- Engaged executive leadership
- Targeted cyber risk education and awareness
- Cost-effective technology investments
- Relevant information sharing
The bottom line is that the rising price of cyber insurance will force organizations to adopt stronger security practices, both to reduce the cost of insurance premiums and to further mitigate risk.
I always look forward to attending security conferences, and DerbyCon is no exception. It’s a quality conference, with great presentations, training, and camaraderie.
This year’s conference was rife with new tools, new exploits, and even a primer on how to make better BBQ (always a worthwhile hacker skill). But the one piece of information that really sent me reeling was one that I gleaned from Chris Hadnagy of Social-Engineer.org. It was simply this – that only 7% of organizations ever phish their own employees.
This statistic is appalling. Not because phishing is one of the top attack vectors today. Not because the issue has been around since the mid-nineties, giving us over two decades to work on the problem. Not because of the ease with which companies can run a self-assessment campaign today. No, it’s appalling because of the amount of money most organizations dump into their security stack, and yet those same organizations never run even the simplest of phishing assessments to test whether their multi-million dollar security stack can be bypassed via what is arguably one of the weakest links in any organization.
The cost of running an internal phishing campaign is a fraction of what a professional penetration test might cost. Yet most organizations I encounter have never tried to test what many pen-testers are likely to target early in an engagement – if they’re allowed to do so as part of the test’s scope. Often the fear of the likely results of an internal phishing campaign prevents organizations from allowing pen-testers to phish as part of their scope, even though this has been the attack vector of choice for some of the highest profile breaches of the last few years.
As security professionals, we need to get past whatever fears we have about phishing our own organizations. A key approach to dispelling those fears is creating an internal phishing campaign that is centered on learning, growth, and improvement of the organization’s security posture, rather than embarrassment. So, where does one start?
- Get permission. In writing.
At this point this should be standard operating procedure for any Infosec professional, but I have to state it, just in case. I’ve seen too many presentations about people that got fired for assessing their own company without permission.
- Don’t reinvent the wheel.
There are a lot of good primers out there to help you, from Brian Krebs’ article “Phishing Your Employees 101”, to Infosystir’s blog post “The Path to Fixing Security Awareness Training”, which lays out great pointers on getting started. A wealth of other articles can readily be found to assist you.
Ready for more advanced strategies? Check out Hadnagy’s book “Phishing Dark Waters: The Offensive and Defensive Sides of Malicious Emails”.
- Start small – but get started!
There’s a wealth of free tools available for download, and I highly suggest you start with a free tool first. Large organizations will most likely need to move to a commercial tool or service eventually. But one of the best ways to understand what you’ll need from a commercial resource is to run a small assessment using free or cheap tools that give you a feel for what you’ll need as you grow. Every time you say “If it only did this”, write that feature down in your notes, and find a vendor that can provide it.
Those just getting started will want to take a look at tools like:
- The Simple Phishing Toolkit – One of the original open source tools, and a new group has picked up the reins to continue the project.
- The Social-Engineer Toolkit – More open source goodness. This one comes to us from David Kennedy and TrustedSec.
- Phishing Frenzy – This open source tool puts a strong focus on campaign management and ease of use.
- King Phisher – Another campaign focused tool with a good feature set.
- Phish.io – This web-based tool lets anyone try to run a quick phishing simulation. No technical skills required; even a non-technical manager or executive can phish their staff, their board, their business unit, and demonstrate how easy it is for anyone to fall for a well-crafted phishing message. But please, get permission first. In writing!
So, what can organizations hope to gain by running their own phishing campaigns? It is one of the most effective ways to handle an issue that no technology can truly prevent – phishing for credentials. Hadnagy also claims that companies who stuck with it saw an 85% reduction in malware. That’s a huge payoff, and it’s this type of security awareness training that truly gets results – not the relatively ineffective Computer Based Trainings (CBT) through which so many of us have slept. Additionally, the time recuperated from those issues can be put toward shoring up the remaining 15% of an organization’s malware exposure, focusing on a deeper, more effective defense in depth program.
Last week, Brian Krebs reported that a Russian security vendor was attacked by Molotov cocktails after it published its analysis of an ATM skimmer. When cyber attacks become physical, it is an interesting trend to observe. Unfortunately, it seems the trend has been increasing during the past few years, with reports of physical attacks, “swatting” and even kidnapping, which can all be tied back to cyber security.
Most cyber attacks have real-world consequences, most frequently these consequences are economic; however, some cyber attacks have physical ramifications. For example, Stuxnet attacked Iranian SCADA systems that were being used to enrich uranium gas. The result was the physical failure of centrifuges.
The hacktivist group, Anonymous, also straddles this cyber-physical line. Early Anonymous operations include Project Chanology, which combined distributed denial-of-service (DDoS) attacks with real-world protests. Later Anonymous operations, such as Operation Payback, were conducted almost entirely online through DDoS attacks. More recently, Anonymous has participated in real-world protests, such as the Occupy Movement, donning its signature Guy Fawkes masks and taking to the street to demonstrate solidarity.
Another practice that crosses the cyber-physical line is doxing, the tactic of researching personally identifying documents (hence: doxing) about a target for the purpose of further harassment. A more recent trend related to doxing is swatting, which spoofs phone calls to 911 in an effort to dispatch emergency services – primarily police and SWAT teams – to respond to the false report of an emergency situation.
In 2013, Brian Krebs found himself the target of a swatting attack (at the same time his Web site was under a DDoS attack) after reporting about a black market identity theft Web site. Krebs later learned that the young hacker responsible for the attack “got pissed that you released the site he uses.”
Krebs, in turn, was able to deduce the identity of one hacker and provided it to the police, which resulted in his eventual arrest. However, Krebs believes this arrest may have been a diversion from his true attacker.
It is worth noting that the swatting attack against Krebs was motivated by his publication and analysis of identity theft attacks. Similarly, the Molotov cocktail attacks against Dr. Web were motivated by its analysis of an ATM skimmer.
The “International Carders Syndicate” attacked Dr. Web after warning it to remove all references to ATM malware from its site. Dr. Web CEO Boris Sharov believes the Molotov attack was ordered over the Internet, “through a black market where you can order almost any crime…all the attacks had been ordered by the Internet. And since they never succeeded against our office, it showed us that not much money was paid for these attacks.”
Here we get to the most likely modus operandi for many of these cyber attacks that become physical: money. Brian Krebs was swatted because he threatened the economics of an identity thief. Dr. Web was firebombed because it threatened the economics of ATM skimmers. Eugene Kaspersky, son of Kaspersky CEO Yevgeny Kaspersky, was kidnapped for a ransom. Silk Road mastermind Ross Ulbricht hired multiple hitmen through his black market forum, in an effort to track and kill those that sought to expose him.
Unfortunately, it seems that lines between the digital realm and the real world are increasingly blurring. It is unlikely that these cyber-motivated physical attacks will be the last. The only good news for information security practitioners is that it remains highly unlikely that any of these physical attacks would ever target their enterprises. These physical attacks have been motivated by money (or desperation) when the anonymity of the Internet has been threatened.
One final parting thought is that if cyber attacks are becoming physical, why can’t cyber security become physical as well? In fact, it can. Bromium vSentry utilizes hardware-isolated micro-virtualization, which creates a secure environment where user tasks are isolated from each other, the protected system and the network. If you’re interested in learning more about how physical security can be applied to information security, please visit: http://www.bromium.com/products/our-technology.html
CTIA Mobility Survey – Understanding Mobility & Risk
Earlier this month, Bromium attended the CTIA Super Mobility 2015 conference, as part of the Microsoft Startup Alley. The conference, which focuses on full mobile immersion, was a departure from the typical security conferences that Bromium attends. As a result, Bromium took the opportunity to connect with some of the biggest users and proponents of mobile technology to better understand their mobile usage patterns as it applies to security and risk. What we found should come as no surprise since the majority of attendees were not focused on security. For example, mobile users connect to public networks even though they are aware of the risk. Read on for the full findings.
Question #1: How do you define mobility?
- Mobile devices
- Mobile/remote users
- Both mobile devices and mobile/remote users
The intention of asking this question was to determine how mobile users define mobility. Certainly, there is some confusion about the term since the concept of mobile security tends to focus primarily on mobile devices, such as mobile device management. However, mobile security is much more than just mobile devices, as mobile and remote workers should also be considered under the umbrella of “mobility.” Ultimately, the survey reveals that mobility should be defined as both mobile devices and mobile users, suggesting that mobile security should do more to focus on mobile users.
Question #2: Do you ever access your corporate network, corporate files or corporate email account from your personal devices?
Question #3: Do you ever access your corporate network, corporate files or corporate email account from a public network?
Questions #2 and #3 unveiled mobile usage patterns, both related to mobile devices and mobile users. Virtually every mobile user has accessed corporate assets from their mobile device, in part because of a mobile addiction that has us checking our smart phones more than 100 times per day. The access of corporate assets from mobile devices should be viewed as a relatively minor security concern since mobile devices have yet to experience any major security breaches, outside of the occasional issue with malicious apps finding their way into app stores.
More concerning for information security professionals is that nearly two-thirds of mobile users will access corporate assets from public networks (a concern that will be underscored by the responses to the next question). There are significant risks to connecting to public networks, including compromised networks, man-in-the-middle attacks, sniffing and snooping, or malicious rogue networks; each with the ultimate goal of intercepting your traffic or infecting your machine. Information security professionals need to be aware that the overwhelming majority of end users are connecting to corporate assets from unsecured public networks, so they can take the appropriate precautions.
Question #4: Which precautions do you take when connecting to public networks? (select all that apply)
- Connect via VPN
- Avoid entering sensitive information (bank accounts numbers/passwords/etc.)
- Browse using SSL/encrypt traffic
- Avoid connecting to public networks
- No precautions
Speaking of appropriate precautions, 14 percent of mobile users take no precautions when connecting to public networks; a finding that should be at least a minor concern to information security professionals since the vast majority of mobile users connecting to public networks are accessing corporate assets. On the bright side, a quarter of mobile users claim to avoid connecting to public networks (of course it is entirely possible they may still connect to public networks; they just claim to avoid them). It is also encouraging that more than a third of mobile users connect via VPN, which can greatly bolster security. Ultimately, a large number of mobile users are connecting to public networks with no precautions or in a grey area of security.
Question #5: Which of the following public networks have you accessed from a corporate laptop? (select all that apply)
- Coffee shop/restaurant
- Hotel/convention center
- Transportation (airplane/subway/bus)
- Municipal WiFi/government building (library/courthouse/etc.)
Question #6: Rank in order the security risk for each of the following public networks (1= low risk; 5=high risk)
- Coffee shop/restaurant
- Hotel/convention center
- Transportation (airplane/subway/bus)
- Municipal WiFi/government building (library/courthouse/etc.)
It is interesting to review the results of these questions in tandem because they reveal that even though mobile users recognize the risk of connecting to public networks in coffee shops, airports and hotels, the majority of mobile users will connect to them anyway.
Coffee shops, airports and hotels/convention centers are quite clearly considered the most risky public networks, while transportation and municipal WiFi/government buildings are considered less risky.
Simultaneously, 85 percent of mobile users have connected to a public network from a corporate laptop at a hotel or convention center. This should be quite concerning for information security teams in light of attacks like DarkHotel. Likewise, nearly two-thirds of mobile users have connected their corporate laptops to public networks in coffee shops/restaurants and airports.
It just goes to show you that when it comes to end users, security is an afterthought. Even though these mobile users realize the security risk of connecting to these public networks, they still connect to them in droves. It is unrealistic to expect to be able to change end user behavior, so instead information security professionals must take proactive measures to protect their users.
One example of proactive protection is Bromium vSentry, which isolates threats to prevent data breaches by utilizing micro-virtualization. Micro-virtualization prevents unknown and untrusted Internet content (Web sites and emails) from ever accessing critical system files. Bromium captures each threat in its own micro-VM, monitoring its activity and alerting security teams with real-time threat intelligence. Bromium threat isolation succeeds where signature-based solutions fail because it provides proactive protection instead of reactive detection.
Flash has been getting a lot of attention recently, as Amazon and Google each announced they would be blocking or pausing Flash ads. This should come as no surprise to anyone that has been following trends with Flash. Previously, Bromium research indicated that 90 percent of security professionals believe their organization would be more secure if it disabled Flash. Additionally, the Bromium threat report, “Endpoint Exploitation Trends 1H 2015,” highlighted the growing issues with Flash:
In the past six months Adobe Flash Player took the coveted top space as the most exploited application. From an exploitation point of view, the architecture of Adobe’s AVM has multiple flaws allowing attackers to craft ROP shellcode on the fly thus bypassing ASLR and DEP. This combined with evasion techniques described in this report makes a nasty combination, with practically every user vulnerable.
The reason that Flash exploits are so popular is because Flash advertisements are so prevalent. According to Ad Age, 84 percent of online ads are delivered through Flash, which makes it a green field for cyber attacks. Unfortunately, as is the case with so many industries, security has been an afterthought for the advertising industry, which has had no financial motivation to develop a more secure delivery model.
That changes now that Google is forcing the issue with its Chrome internet browser. Beginning September 1, Google Chrome will be “intelligently pausing” Flash ads. Flash video players will still work, but non-essential Flash content will be blocked. Part of the motivation for blocking Flash ads is a better user experience; Flash ads can be noisy and intrusive, even draining battery life.
There is no doubt that blocking Flash ads will improve security. Bromium research has written extensively about malicious advertising, which can be targeted to specific users of operating systems, browsers and plug-ins. Therefore, even though Chrome will be blocking Flash, malicious Flash ads will remain a viable attack vector for other browsers because they can be easily targeted.
Where does this leave organizations? They remain vulnerable to zero day attacks if they leave Flash enabled and unpatched. And yet, even when a patch emerges, a new set of challenges comes with it: do you race to deploy the newest patch? Or do you test to make sure it integrates with legacy systems?
Of course, the third option is to deploy threat isolation security solutions. This latest zero-day and others like it can be secured by isolating the browser in a micro-VM (such as Bromium vSentry). By isolating the threat, security and ops teams are granted the grace period needed to test and deploy these critical patches.
A chain is only as strong as its weakest link. Today the weak link is Flash, tomorrow it will be something else. The internet today is a constantly changing and expanding chain made up of potentially weak links. Disabling Flash is a good move, but in the end it’s just another reactive band-aid. Unless a new approach to security is taken we will be back in the same position with a different link next week or next month.
Today, TechCrunch has published “The Psychology of Insecurity” by Bromium CTO Simon Crosby. You can read the whole article here: http://techcrunch.com/2015/08/27/the-psychology-of-insecurity/
The recent Ashley Madison hack isn’t the only high-profile one to make headlines this summer. The personal and private information of more than 21.5 million current and former federal employees and over a million unique fingerprint scans were leaked in an attack on the Office of Personnel Management (OPM) that is believed to be the work of the Chinese. Government officials said longtime security lapses left the OPM vulnerable to hackers. As a result of the OPM hack, Director Katherine Archuleta has been forced to resign.
Why do we keep reading about a litany of breaches? Don’t cyber pros understand they are looking after our most sensitive personal data? Yes they do, but to understand their actions demands a more detailed examination of the psychology of security from the perspective of the security professional.
Malvertising has been back in the news recently.
This is no surprise to us here at Bromium; check out the report we issued on malvertising via YouTube last year.
In our paper we concluded that ad networks could be leveraged by, or even replace, attack kits, letting the bad guys target organizations and distribute malware effectively. Unfortunately this appears to be coming true. The question is what impact will this trend have on our organizations?
The answer is that this trend has the potential to have a tremendous negative impact on our security. Why? Because malvertising often powers drive by downloads that can compromise a system without ever requiring the user to do anything but visit a popular, legitimate web site that is unwittingly part of a malvertising network.
Let’s face it, we have all been focused on the spear phishing attacks that have factored into so many successful breaches in recent years, and that is one reason this new attack channel is so dangerous. Conventional wisdom is that if you use a web gateway to filter your users from accessing obscure, “uncategorized” or unknown web sites, or sites with poor “web reputation” scores, you will be safe from drive-by attacks.
Malvertising effectively bypasses web filters; after all, who is going to blacklist YouTube or many of the popular news sites we have been seeing delivering malvertising payloads? These sites are selected by the attackers precisely because they have pristine web reputations and bypass current defenses.
Malvertising is a very effective delivery channel for targeted watering hole attacks as well. The image included is a snippet of a Bromium LAVA trace we received from a customer earlier this year showing delivery and isolation of a very nasty bootkit from an IT support oriented web site via a malvertisement. Very nasty indeed: undetectable by AV engines (we tested it against AV-Comparatives with no hits) and targeted at the right people in the organization if your goal is to establish a privileged beachhead in an organization.
So malvertising really does matter if you are concerned with security. I am sure we will be hearing and seeing more on this topic as the future unfolds.