Free Tools: spotting APTs through Malware streams

Cyber security expert Marco Ramilli, founder of Yoroi, has published a new tool that can be used to spot APTs (Advanced Persistent Threats) through malware streams.

There are many ways to spot Advanced Persistent Threats, for example during a forensic analysis of a “high rate incident”, by having sandbox systems on critical infrastructures, or again by working as an incident responder for big companies, working in a national CERT, or building a simple tool performing analysis on malware streams. Today I’d like to share a little bit of my personal experience on spotting APTs through malware streams.

First of all, let me say that it is the easiest way to spot APT groups, but it’s also one of the most inaccurate, and it needs a lot of manual analysis before being able to confirm that a sample belongs to a specific APT. Having said that, you might decide to get a malware streaming service (or you might build one on your own, as was my case) and decide to perform dynamic or static analysis on it.

A few years ago, when I approached this problem, I decided (in the first stage) to exploit static analysis and to build up specific signatures to detect possible APTs on a given malware stream. So let’s say I do have a personal malware stream and I do have a personal engine that is able to perform basic static analysis (by matching YARA rules) over and over again on a given malware stream: so why not write specific signatures for APTs and manually check every single output to tell false positives from real APTs?

hunting APTs

So I wrote it up, and today, after a few years, I decided to share it with all of my readers! I hope you might find interesting samples to start analysis and to find nice and interesting samples. Please, if you find it useful, help me in sharing it by linking HERE, so that many cybersecurity analysts might decide to start from here to investigate new samples.

According to the static analysis, we might build YARA rules to identify a specific set of binaries. If we classify those binaries as “related to APT”, we might extract from tons of binaries the ones that match classified YARA rules and that could be related to APTs. So here we are! The following table represents a set of binaries which hit classified YARA rules related to APTs. Of course, we might have false positives for mainly two reasons: (i) it’s only static analysis; if you run those samples on a live sandbox you might discover unattended behavior. (ii) No human analysis.

This is the result of mere algorithms, no human interacted and checked those results.
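The post above describes the pipeline only in words: a stream of samples, a set of YARA rules classified as "APT-related", an engine that matches them over and over, and a human who reviews every hit because static matches alone are inaccurate. The block below is an added, illustrative implementation of that loop written for this page; it is not Marco Ramilli's tool and does not use real YARA syntax. It assumes rules are plain Python objects (a small subset of YARA: literal byte strings plus an "N of them" threshold) and that the stream is an in-memory list of constructed byte blobs rather than a feed of files; the rule names, strings, mutex and C2 domain are all made up for the example. It also shows the false-positive problem the post warns about: a rule that is too generic fires on a benign sample, while a rule requiring two family-specific strings does not.

```python
# Added example: a minimal YARA-style static triage loop over a malware stream.
# Illustrative code written for this article, NOT Marco Ramilli's tool and not
# real YARA. Assumptions: rules are Python objects (literal byte strings plus an
# "N of them" threshold) and the stream is a list of constructed byte blobs.
import hashlib
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Rule:
    name: str                   # rule identifier, as in `rule name { ... }`
    strings: Dict[str, bytes]   # $id -> literal pattern, like a YARA strings: section
    min_matches: int            # YARA "N of them"; 1 means "any of them"
    tag: str = "apt"            # classification assigned by the analyst (hypothetical)


@dataclass
class Hit:
    sha256: str
    rule: str
    matched: Dict[str, List[int]]   # $id -> byte offsets where the string was found
    # A static hit is never a confirmation: every row goes to a human reviewer.
    verdict: str = "candidate - needs manual review"


def find_strings(data: bytes, rule: Rule) -> Dict[str, List[int]]:
    """Return every offset of every rule string present in the sample."""
    found: Dict[str, List[int]] = {}
    for ident, pattern in rule.strings.items():
        offsets, start = [], data.find(pattern)
        while start != -1:
            offsets.append(start)
            start = data.find(pattern, start + 1)
        if offsets:
            found[ident] = offsets
    return found


def rule_matches(rule: Rule, found: Dict[str, List[int]]) -> bool:
    """Evaluate the condition: at least `min_matches` distinct strings matched."""
    return len(found) >= rule.min_matches


def triage_stream(stream: List[bytes], rules: List[Rule]) -> List[Hit]:
    """Scan every sample against every rule; emit one Hit per (sample, rule) match."""
    hits: List[Hit] = []
    for sample in stream:
        digest = hashlib.sha256(sample).hexdigest()
        for rule in rules:
            found = find_strings(sample, rule)
            if rule_matches(rule, found):
                hits.append(Hit(digest, rule.name, found))
    return hits


def hits_per_rule(hits: List[Hit]) -> Dict[str, int]:
    """Count hits per rule: a rule that fires on most of the stream is too weak."""
    counts: Dict[str, int] = {}
    for h in hits:
        counts[h.rule] = counts.get(h.rule, 0) + 1
    return counts


# --- constructed data: a three-sample "stream" (none of these is real malware) ---
DOS_STUB = b"MZ\x90\x00This program cannot be run in DOS mode.\r\n"
STREAM = [
    DOS_STUB + b"...mutex_FAKEAPT_42...http://c2.example.invalid/gate.php...",  # constructed "APT-like" sample
    DOS_STUB + b"...Hello World, a perfectly benign console tool...",          # constructed benign PE
    b"#!/bin/sh\necho ok\n",                                                   # constructed shell script
]

# Two constructed rules: one too generic (fires on every PE), one specific to the fake family.
RULES = [
    Rule("generic_pe_stub", {"$dos": b"This program cannot be run in DOS mode"}, min_matches=1),
    Rule("fake_apt_family", {"$mutex": b"mutex_FAKEAPT_42", "$c2": b"c2.example.invalid"}, min_matches=2),
]


if __name__ == "__main__":
    results = triage_stream(STREAM, RULES)
    for h in results:
        print(f"{h.sha256[:12]}  {h.rule:<16}  {sorted(h.matched)}  -> {h.verdict}")
    print("hits per rule:", hits_per_rule(results))
```

Running it prints three candidate rows: `generic_pe_stub` hits both PE-like samples (the benign one is the false positive the post warns about), while `fake_apt_family` hits only the sample carrying both family-specific strings. The `hits_per_rule` count is the quick sanity check an analyst would run before trusting a rule: a signature that fires on a large share of the stream is matching something generic, not an APT.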

Marco Ramilli also published other free tools:

Below the original post published by Marco Ramilli:

About the author: Marco Ramilli, Founder of Yoroi

I am a computer security scientist with an intensive hacking background. I do have an MD in computer engineering and a PhD in computer security from the University of Bologna. During my PhD program I worked for the US Government (@ National Institute of Standards and Technology, Security Division), where I did intensive research in malware evasion techniques and penetration testing of electronic voting systems.

I do have experience in security testing, since I have been performing penetration testing on several US electronic voting systems. I’ve also been in charge of testing the uVote voting system for the Italian Minister of Homeland Security. I met Palantir Technologies, where I was introduced to the Intelligence Ecosystem. I decided to amplify my cybersecurity experience by diving into SCADA security issues with some of the biggest industrial conglomerates in Italy. I finally decided to found Yoroi: an innovative Managed Cyber Security Service Provider developing some of the most amazing cybersecurity defence centers I’ve ever experienced! Now I technically lead Yoroi, defending our customers and strongly believing that: Defence Belongs To Humans.

Pierluigi Paganini

(SecurityAffairs – APT, intelligence)

The post Free Tools: spotting APTs through Malware streams appeared first on Security Affairs.

Overview of the CyberSeek Cybersecurity Career Pathway

Considering a career in the exciting cybersecurity field? Or have you worked diligently in an entry-level role and are curious about the next step in your career? It’s no secret that cybersecurity jobs are exciting, fast-paced and best of all, in extremely high demand among employers. However, finding the perfect role for yourself can still […]

The post Overview of the CyberSeek Cybersecurity Career Pathway appeared first on Infosec Resources.


Overview of the CyberSeek Cybersecurity Career Pathway was first posted on March 25, 2019 at 8:02 am.
©2017 "InfoSec Resources". Use of this feed is for personal non-commercial use only. If you are not reading this article in your feed reader, then the site is guilty of copyright infringement. Please contact me at darren.dalasta@infosecinstitute.com

Peeling the Onion — Security Onion OS

Introduction In a world where security threats feel out of control, the security professional needs some help to do their job. Security tools are an important part of the armory for those professionals. But there is quite a bit of choice, including open-source enterprise toolkits. The question being asked is do you build your own […]

The post Peeling the Onion — Security Onion OS appeared first on Infosec Resources.


Peeling the Onion — Security Onion OS was first posted on March 25, 2019 at 8:01 am.
©2017 "InfoSec Resources". Use of this feed is for personal non-commercial use only. If you are not reading this article in your feed reader, then the site is guilty of copyright infringement. Please contact me at darren.dalasta@infosecinstitute.com

Hack the Box (HTB) Machines Walkthrough Series — Active

Continuing with our series on Hack The Box (HTB) machines, this article contains the walkthrough of an HTB machine named Active. HTB is an excellent platform that hosts machines belonging to multiple OSes. It also has some other challenges as well. Individuals have to solve the puzzle (simple enumeration plus pentest) in order to log […]

The post Hack the Box (HTB) Machines Walkthrough Series — Active appeared first on Infosec Resources.


Hack the Box (HTB) Machines Walkthrough Series — Active was first posted on March 25, 2019 at 8:01 am.
©2017 "InfoSec Resources". Use of this feed is for personal non-commercial use only. If you are not reading this article in your feed reader, then the site is guilty of copyright infringement. Please contact me at darren.dalasta@infosecinstitute.com

Hackers raised fake tornado alarms in two Texas towns

Hackers took control of the emergency tornado alarms in two Texas towns, causing panic among residents; it happened on March 12th, at around 2:30 a.m.

On March 12th, at around 2:30 a.m., hackers took control of the emergency tornado alarms in two towns in Texas (the DeSoto and Lancaster areas), causing panic among residents.

The alarms repeatedly went on and off until 4:00 a.m., when the authorities regained control of them.

The areas affected by the incident have been hit by tornadoes several times in the past; for this reason, the authorities built an emergency tornado alarm system.

Every time people hear the emergency tornado alarms, they need to follow specific procedures to protect themselves from the natural disaster.

The hackers raised at least 30 alarms; twenty of them were raised in Lancaster and the rest in DeSoto.

The systems remained offline until Monday, 17th March; fortunately, there was no imminent risk of tornadoes in that period.

The police are investigating the intrusion into the alarm systems of the two towns; the authorities will be intransigent with those who breached a critical system on which human lives may depend.

Pierluigi Paganini

(SecurityAffairs – emergency tornado alarms, hacking)


The post Hackers raised fake tornado alarms in two Texas towns appeared first on Security Affairs.

PewDiePie ransomware obliges users to subscribe to PewDiePie YouTube channel

It is a no-holds-barred battle between T-Series and PewDiePie: fans are spreading the PewDiePie ransomware to force users to subscribe to the PewDiePie YouTube channel.

The story I’m going to tell you is another chapter of the battle between the most followed YouTubers, T-Series and PewDiePie. T-Series is an Indian music company, while PewDiePie is a YouTuber whose fans are accused of using any means to increase the number of subscribers to his channel.

Felix Arvid Ulf Kjellberg, aka PewDiePie, is a popular Swedish Youtuber, comedian, and video game commentator, formerly best known for his Let’s Play commentaries and now mostly known for his comedy and vlogs.


News of the day is that PewDiePie fans have launched the PewDiePie ransomware to force victims to follow their idol.

In the last months, security experts have spotted at least two strains of the PewDiePie ransomware, the first one in mid-December. Malware researchers that analyzed it discovered that it was a modified version of the ShellLocker ransomware, likely written by a novice. The ransomware didn’t save encryption keys or upload them anywhere, causing the loss of the encrypted data.

In January, experts discovered a second piece of PewDiePie ransomware, dubbed PewCrypt. The malware is written in Java and was developed to allow file decryption only once PewDiePie has gained over 100 million followers. At the time of writing, PewDiePie had around 90 million fans; this means that victims would have to wait a long time before regaining access to their files.

It isn’t the first time that PewDiePie fans have made the headlines for questionable conduct: in December, an anonymous hacker hijacked over 50,000 internet-connected printers worldwide to print out messages promoting subscription to the PewDiePie YouTube channel.

In January, a hacker who goes by the moniker TheHackerGiraffe hacked thousands of Chromecasts and Smart TVs and ran advertisements asking people to subscribe to the PewDiePie channel on YouTube.

Pierluigi Paganini

(SecurityAffairs – PewDiePie ransomware, hacking)

The post PewDiePie ransomware obliges users to subscribe to PewDiePie YouTube channel appeared first on Security Affairs.

Telegram allows users to delete any sent/received message from both sides with no time limit

Telegram development team implemented a new feature that allows users to delete any received message from the sender’s device.

Telegram announced a new feature to improve user privacy, the development team implemented a functionality that allows users to delete any received message from the sender’s device.

Two years ago, Telegram introduced the “unsend” feature, which allowed users to remove any message they had sent within the last 48 hours from both devices participating in the chat. Telegram has now extended this feature, allowing users to delete any message, even very old ones, in a one-on-one chat. The new feature removes the message from both the sender’s and the recipient’s device.

To delete a message, users have to tap and hold the message until the Delete option is displayed. After tapping Delete, users are asked whether they want to delete the message from their own chat only or from both devices.

“You can now choose to delete any message you have sent or received from both sides in any private chat. The messages will disappear for both you and the other person – without leaving a trace,” reads the blog post published by Telegram.

“The “Unsend” feature we introduced 2 years ago worked only for messages sent by you and only for 48 hours. Now you can “unsend” messages you have received as well, and there is no time limit. You can also delete any private chat entirely from both your and the other person’s device with just two taps.”

Telegram also introduced other features to protect user privacy, such as “anonymous forwarding”. This feature removes the link back to the original account of a forwarded message, which will just display an unclickable name in the “from” field. In this way, the people users chat with will have no verifiable proof they ever sent them anything.

Other features implemented by Telegram, such as the “Settings Search,” the “Emoji Search and GIFs,” and “VoiceOver and TalkBack” are described in the post published by Telegram.

Pierluigi Paganini

(SecurityAffairs – privacy, instant messaging)

The post Telegram allows users to delete any sent/received message from both sides with no time limit appeared first on Security Affairs.

Microsoft Defender ATP now protects also macOS

Microsoft has announced the availability of Defender ATP endpoint security for Apple macOS.

Microsoft has announced the availability of its Microsoft 365 advanced endpoint security solution across platforms, adding support for Apple Mac to Microsoft Defender Advanced Threat Protection (ATP).

Microsoft Windows Defender ATP was first introduced in 2016 as a defensive solution for Windows 10; now the tech giant has introduced a version for Apple Mac and renamed the product Microsoft Defender Advanced Threat Protection (ATP), dropping “Windows” from the name because it now supports Mac as well.

Microsoft Defender ATP for Mac: scan options (screenshot)

In 2018, Microsoft launched versions for Windows 7 and Windows 8.1.

Microsoft Defender ATP supports macOS Mojave, macOS High Sierra, and macOS Sierra.

Microsoft Defender Advanced Threat Protection (ATP) is now available for Mac in a limited public preview that nonetheless allows users to review and configure their protection, run scans, review detected threats, and manage them (quarantine, remove, or allow).

“For us, it’s all about experiences that follow the person and help the individual be more productive,” Jared Spataro, Microsoft’s corporate VP for Office and Windows, told me. “Just like we did with Office back in the day — that was a big move for us to move it off of Windows-only — but it was absolutely the right thing. So that’s where we’re headed.”
“We’re just headed in that same direction of saying that it’s our intent that we can secure every endpoint so that this Microsoft 365 experience is not just Windows-centric,” 

Administrators can disable or enable real-time protection, cloud-delivered protection, and automatic sample submission, and manage other features, using Microsoft Intune or other Mac management consoles.

“Machines with alerts and detections will be surfaced in the Microsoft Defender ATP portal, including rich context and alert process trees. Security analysts and admins can review these alerts just as they can do today – except they’ll also see detections on Mac devices,” reads the post published by Microsoft.

In addition to the launch of Microsoft Defender ATP for Mac, the tech giant also presented new threat and vulnerability management capabilities for the service.

“Threat & Vulnerability Management (TVM) serves as an infrastructure for reducing organizational exposure, hardening endpoint surface area, and increasing organizational resilience. Furthermore, it bridges security stakeholders—security administrators, security operations, and IT administrators—by allowing them to collaborate and seamlessly remediate threats,” Microsoft says.

Pierluigi Paganini

(SecurityAffairs – Microsoft Defender ATP, Windows)

The post Microsoft Defender ATP now protects also macOS appeared first on Security Affairs.

Federal Emergency Management Agency’s (FEMA) data leak exposes data of 2.3M survivors

The Federal Emergency Management Agency (FEMA) has disclosed a data leak that exposed banking details and other personal information of 2.3 million disaster survivors.

In the event of national disasters, FEMA offers a program called Transitional Sheltering Assistance (TSA) that provides shelter to survivors.

News of the day is that FEMA has admitted to a data leak that exposed banking details and other personal information of 2.3 million survivors.

An unnamed contractor of the US agency accidentally received more information than it needed.

“FEMA, in coordination with the Department of Homeland Security Office of the Inspector General (DHS OIG), identified an incident involving the sharing of sensitive, personally identifiable information of disaster survivors using the Transitional Sheltering Assistance program,” reads the data breach notification published by FEMA.

“In transferring disaster survivor information to a contractor, FEMA provided more information than was necessary.”


Since discovering the issue, FEMA has quickly adopted measures to address it. FEMA announced that it will no longer share unnecessary data with the contractor and is currently reviewing the information shared with contractors.

The data accidentally shared with the contractor included bank transit numbers, electronic funds transfer numbers, and addresses.

“The 2.3 million people include survivors of Hurricanes Harvey, Irma and Maria and the 2017 California wildfires. The data includes “20 unnecessary data fields” such as electronic funds transfer number, bank transit number, and address,” reads an article published by CNN.

“The data was part of a stream of information the agency feeds to the housing contractor, whose name was redacted from the public version of the inspector general’s report.”

The exposed data dates back to 2017 and relates to 2.3 million survivors of the California wildfires and Hurricanes Harvey, Irma, and Maria.

The good news is that survivor data does not appear to have been compromised.

“To date, FEMA has found no indicators to suggest survivor data has been compromised,” said the agency’s press secretary Lizzie Litzow.

“FEMA has also worked with the contractor to remove the unnecessary data from the system and updated its contract to ensure compliance with Department of Homeland Security (DHS) cybersecurity and information-sharing standards.”

The agency is already working with the contractor to delete the leaked information from the contractor’s systems.


“As an added measure, FEMA instructed contracted staff to complete additional DHS [Department of Homeland Security] privacy training,” the agency adds.

Pierluigi Paganini

(SecurityAffairs – Data Leak, FEMA)

The post Federal Emergency Management Agency’s (FEMA) data leak exposes data of 2.3M survivors appeared first on Security Affairs.

Security Affairs newsletter Round 206 – News of the week

A new round of the weekly SecurityAffairs newsletter arrived!

The best news of the week with Security Affairs.

Digging The Deep Web (Kindle Edition, Paper Copy)

Once again thank you!

Experts uncovered a malspam campaign using Boeing 737 Max crashes
gnosticplayers offers 26 Million new accounts for sale on the Dark Web
Massive attacks bypass MFA on Office 365 and G Suite accounts via IMAP Protocol
Unprotected Elasticsearch DB exposed 33 Million job profiles in China
Could Beto O’Rourke become the first US President with a past of hacking?
GCHQ implements World War II cipher machines in encryption app CyberChef
Google took down 2.3 billion bad ads in 2018, including 58.8M phishing ads
Hackers used Scanbox framework to hack Pakistani Govt’s passport application tracking site
Slack Launched Encryption Key Addon For Businesses
A new development shows a potential shift to using Mirai to target enterprises
Aluminum producer Norsk Hydro hit by a massive cyber attack
EU adopts EU Law Enforcement Emergency Response Protocol for massive cyberattacks
Experts observed the growth of hi-tech crime landscape in Asia in 2018
New JNEC.a Ransomware delivered through WinRAR exploit
Google white hat hacker found new bug class in Windows
MyPillow and Amerisleep are the latest victims of Magecart gangs
PuTTY users have to download a new release that fixes 8 flaws
SimBad malware infected million Android users through Play Store
The Document that Microsoft Eluded AppLocker and AMSI
Experts found a critical vulnerability in the NSA Ghidra tool
Facebook passwords stored in plain text, hundreds of millions users affected
Pwn2Own 2019 Day 1 – participants hacked Apple, Oracle, VMware products
South Korea – 1,600 guests at 30 motels secretly live streamed
[SI-LAB] LockerGoga is the most active ransomware that focuses on targeting companies
Cisco addresses High-Severity flaws in IP Phone 8800 and 7800 series
FIN7 is back with a previously unseen SQLRat malware
Medtronic’s implantable heart defibrillators vulnerable to hack
Pwn2Own 2019 Day 2 – Hackers earned $270,000 for Firefox, Edge hacks
Russian APT groups target European governments ahead of May Elections
Pwn2Own 2019 Day 3: Experts hacked Tesla 3 browser

Pierluigi Paganini

(SecurityAffairs – newsletter)


The post Security Affairs newsletter Round 206 – News of the week appeared first on Security Affairs.