Miguel Ángel Martos Has the Office as We Know It Come to an End? 2020 has had a difficult start. We have learned that what was “usual” may not be the best. We should reconsider this idea of “the office” as the centre...
ElevenPaths Telefónica’s ElevenPaths enhances its global IoT security capabilities with Subex This collaboration provisions the offering of IoT Threat Detection, an incident monitoring and response service for IoT environments.This solution has the capability of learning and modelling the legitimate behaviour...
ElevenPaths How are we preparing ourselves for the RSA Conference 2018? 2018 is a unique year for us. We continue on our journey with the great security community to jointly combat the threats faced by our sector. At ElevenPaths, Telefónica’s...
ElevenPaths Cybersecurity Weekly Briefing 29 August-4 September Red Dawn, new attached document from Emotet The use of a new attached document template by Emotet has been identified over the past week. The name given by security researcher Joseph...
Innovation and Laboratory Area in ElevenPaths DIARIO Already Detects “Stomped” Macros, But What Are They Exactly? Few weeks ago, we presented DIARIO, the malware detector that respects the privacy of users, and we continue to improve it so that it detects more and better. We...
Innovation and Laboratory Area in ElevenPaths New TheTHE Version with URLScan and MalwareBazaar Plugins The first time an IoC lay on your hands. Let’s say it is a hash, URL, IP or a suspicious domain. You need to know some basic information. Is...
Sergio De Los Santos Facebook signed one of its apps with a private key shared with other Google Play apps since 2015 Facebook Basics is a Facebook app aimed at countries with poor connectivity, where a free access service to WhatsApp and Facebook is provided. It has been discovered that the Android version...
ElevenPaths New tool: “Web browsers HSTS entries eraser”, our Metasploit post exploitation module This module deletes the HSTS/HPKP database of the main browsers: Chrome, Firefox, Opera, Safari and wget in Windows, Mac and Linux. This allows an attacker to perform man in...
Innovation and Laboratory Area in ElevenPaths DIARIO Already Detects “Stomped” Macros, But What Are They Exactly? Few weeks ago, we presented DIARIO, the malware detector that respects the privacy of users, and we continue to improve it so that it detects more and better. We...
Miguel Ángel Martos Has the Office as We Know It Come to an End? 2020 has had a difficult start. We have learned that what was “usual” may not be the best. We should reconsider this idea of “the office” as the centre...
ElevenPaths CSAs 10 Tips for Secure Homeworking in Your Company We tell you ten measures you can take to make homeworking secure for your company, employees and customers.
Gonzalo Álvarez Marañón Top 10 TED Talks to Learn about Cybersecurity Discover the top 10 talks to learn about cybersecurity and, at the same time, some ways to improve your own presentations.
Analysis of APPs Related to COVID19 Using Tacyt (I)Andrés Naranjo Amador Aparicio 15 September, 2020 Taking advantage of all the attention this issue is attracting, the official app markets, Google Play and Apple Store, have been daily deluged with applications. Both platforms, especially Android, has already limited the publication and search of terms such as “covid” or “coronavirus”: Google has declared war against those who try to take advantage of fear to win downloads. Currently, only those belonging to official government bodies remain on Google Play. For this rapid analysis we will use ElevenPaths’ Tacyt tool, the mobile cyberintelligence ecosystem, where its Big Data structure monitors, stores, analyses and correlates thousands of new applications every day. In addition to collate or compare information which we have access to through easy and simple queries. One of the advantages that Tacyt offers is that we can have all applications accessible regardless of location. Since Google Play can only offer results based on our country of origin according to the availability proposed by the developer. We go to the Official Google Play repository in Spain and search for those apps related to COVID19. Official Apps in Spain accessible in Google Market (10 altogether) Nothing to do with the amount of applications found in any unofficial market: Apps found in APTOIDE, an alternative market using the term: “coronavirus” As with other markets, Aptoide, for example, does not directly download the app we have requested but the “downloader” through which the actual download will be requested. This can easily be guessed by checking that the file size is exactly the same: Downloaded Apps through APTOIDE In fact, we easily check it out at Tacyt when uploading these applications. It detects them as one, with identical hash: This is due to Tacyt not only including its own application discovery drivers and applications downloading, but also, using the upload function (either via web or API) the user can upload the applications to be analysed. These can be seen labelled as “userUpload” and can also be tagged with our own identification labels (as in the image: the author of the upload or the market from which it was downloaded). This upload function can be very useful to detect altered versions of our legitimate applications in unofficial markets, for example, from a bank. Tacyt includes a button on the interface to compare applications. In any case, we do not miss the opportunity to totally discourage the installation of applications from unofficial sources. Google Play Search Using Tacyt for COVID19 Related Apps Since the Beginning of the Pandemic We will focus the research on Google Play. The filters are used to form the next search in Tacyt. As you can see these usual composite queries (dorks) in Google search, for example, are easy to read: ((packageName:*covid19*) OR (packageName:*coronavirus*)) AND (origin:"GooglePlay") AND (createDate:"2020-03-14 00:00:00 - today") “Dorking” to search using Tacyt apps in Google Play related to COVID-19 published since the beginning of the alarm state Tacyt’s respond to the previous search: Apps related to COVID-19 published overseas in Google Play We now search for unofficial apps related to COVID19 using Tacyt from the official date of the start of the pandemic. For this task, we can use the parameter ORIGIN indicating the exclusion of all those whose origin is not the official one. For example -origin:GooglePlay. ((packageName:*covid19*) OR (packageName:*coronavirus*)) AND (-origin:GooglePlay) AND (createDate:"2020-03-14 00:00:00 - today") Unofficial apps published since the beginning of the pandemic For example we have a look at the permissions of the app with “coronavirus.tracker.news” package name and do a quick scan. The following permissions are suspicious: (we only comment on permissions different to the “normal” official apps that violate privacy or security) android.permission.CHANGE_WIFI_STATE: allows the APP to change the state of Wi-Fi connectivity.android.permission.INTERNET: allows the APP to open network connections.android.permission.WRITE_EXTERNAL_STORAGE: allows the APP to write in the external storage of the device.android.permission.READ_EXTERNAL_STORAGE: allows the APP to read on the external storage of the device.android.permission.WAKE_LOCK: allows you to use PowerManager WakeLocks to prevent the processor from going into sleep mode or the screen from getting dark. For any research, we can load the apps in batches into Tacyt and then search for them using a custom label and locating, for example, as we said, suspicious permissions: Likewise, we could have used the expiry date of the certificate (sometimes suspiciously long), apikeys, text or emails chains associated with malware, and a long etc… We will see in the next part some more information about the findings. What Do Criminals in the Ransomware Industry Recommend so that Ransomware Does Not Affect You?ElevenPaths Radio English #3 – Why is Cybersecurity So Necessary Today?
Innovation and Laboratory Area in ElevenPaths DIARIO Already Detects “Stomped” Macros, But What Are They Exactly? Few weeks ago, we presented DIARIO, the malware detector that respects the privacy of users, and we continue to improve it so that it detects more and better. We...
Miguel Ángel Martos Has the Office as We Know It Come to an End? 2020 has had a difficult start. We have learned that what was “usual” may not be the best. We should reconsider this idea of “the office” as the centre...
ElevenPaths Telefónica’s ElevenPaths enhances its global IoT security capabilities with Subex This collaboration provisions the offering of IoT Threat Detection, an incident monitoring and response service for IoT environments.This solution has the capability of learning and modelling the legitimate behaviour...
Innovation and Laboratory Area in ElevenPaths New TheTHE Version with URLScan and MalwareBazaar Plugins The first time an IoC lay on your hands. Let’s say it is a hash, URL, IP or a suspicious domain. You need to know some basic information. Is...
Franco Piergallini Guida Adversarial Attacks: The Enemy of Artificial Intelligence (II) In Machine and Deep Learning, as in any system, there are vulnerabilities and techniques that allow manipulating its behaviour at the mercy of an attacker. As we discussed in...
ElevenPaths Cybersecurity Weekly Briefing September 19-25 New attack vector for vulnerability in Citrix Workspace Pen Test Partners security researcher Ceri Coburn has discovered a new attack vector for the CVE-2020-8207 vulnerability in Citrix Workspace corrected in...
