Analysis of APPs Related to COVID19 Using Tacyt (II)
Andrés Naranjo, Amador Aparicio
22 September, 2020

We continue with the research started in the previous entry, in which we analysed this type of application with our Tacyt tool. Regarding the application analysed there, a quick glance at the permissions in Tacyt already makes it clear that we are not dealing with a conventional APP: permissions for calls, accounts, SMS, killing processes, NFC, audio recording and a long etcetera. All this is much more typical of a malicious APP than of a legitimate one, whatever its functionality. The probability of a Trojan running in the background in order to access sensitive information generated via the mobile device is therefore quite high.

Figure: Official apps in Spain accessible in Google Market (10 altogether)

This is nothing compared to the number of applications found in any unofficial market:

Figure: Apps found in Aptoide, an alternative market, using the term "coronavirus"

As with other markets, Aptoide does not directly download the app we have requested but a "downloader" through which the actual download is then requested. This is easy to spot by checking that the file size is exactly the same for every download:

Figure: Apps downloaded through Aptoide

In fact, we can easily confirm this in Tacyt when uploading these applications: it detects them as a single application, with an identical hash.

Tacyt not only includes its own application discovery drivers and application downloading; through the upload function (either via web or API) the user can also upload the applications to be analysed. These appear labelled as "userUpload" and can also be tagged with our own identification labels (as in the image: the author of the upload or the market from which it was downloaded). This upload function can be very useful for detecting altered versions of our legitimate applications in unofficial markets, for example those of a bank. Tacyt includes a button on the interface to compare applications. In any case, we take the opportunity to strongly discourage the installation of applications from unofficial sources.

Google Play Search Using Tacyt for COVID19 Related Apps Since the Beginning of the Pandemic

We will focus the research on Google Play. The filters are combined to form the following search in Tacyt. As you can see, like the usual composite queries (dorks) in Google search, they are easy to read:

((packageName:*covid19*) OR (packageName:*coronavirus*)) AND (origin:"GooglePlay") AND (createDate:"2020-03-14 00:00:00 - today")

Figure: "Dorking" in Tacyt to search for apps in Google Play related to COVID-19 published since the beginning of the state of alarm

Tacyt's response to the previous search:

Figure: Apps related to COVID-19 published overseas in Google Play

We now search for unofficial apps related to COVID19, using Tacyt, from the official start date of the pandemic. For this we can use the origin parameter with a negation, for example -origin:GooglePlay, which excludes all those whose origin is the official market and leaves the rest:

((packageName:*covid19*) OR (packageName:*coronavirus*)) AND (-origin:GooglePlay) AND (createDate:"2020-03-14 00:00:00 - today")

Figure: Unofficial apps published since the beginning of the pandemic

As an example, we look at the permissions of the app with package name "coronavirus.tracker.news" and do a quick scan. The following permissions are suspicious (we only comment on permissions, beyond those of "normal" official apps, that affect privacy or security):

android.permission.CHANGE_WIFI_STATE: allows the APP to change the state of Wi-Fi connectivity.
android.permission.INTERNET: allows the APP to open network connections.
android.permission.WRITE_EXTERNAL_STORAGE: allows the APP to write to the external storage of the device.
android.permission.READ_EXTERNAL_STORAGE: allows the APP to read the external storage of the device.
android.permission.WAKE_LOCK: allows the APP to use PowerManager WakeLocks to prevent the processor from going into sleep mode or the screen from dimming.

For any research, we can load the apps in batches into Tacyt and then search for them using a custom label, locating, for example, suspicious permissions as described above.

Likewise, we could have used the certificate expiry date (sometimes suspiciously long), API keys, text strings or e-mails associated with malware, and a long etc. In the next part we will see some more information about the findings.
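As an added example (not the article's or Tacyt's code), the following Python performs the quick permission scan described above on a decoded AndroidManifest.xml: it lists every requested permission outside a small baseline and attaches the article's description for the ones it flags. It assumes the manifest has already been decoded from the APK's binary XML (for example with apktool); the sample manifest, the baseline and the READ_SMS/RECORD_AUDIO entries are constructed assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions the article flags, with its own descriptions, plus READ_SMS and
# RECORD_AUDIO (assumed additions here, taken from the calls/SMS/audio set it mentions).
SUSPICIOUS = {
    "android.permission.CHANGE_WIFI_STATE": "change the state of Wi-Fi connectivity",
    "android.permission.WRITE_EXTERNAL_STORAGE": "write to the device's external storage",
    "android.permission.READ_EXTERNAL_STORAGE": "read the device's external storage",
    "android.permission.WAKE_LOCK": "hold PowerManager WakeLocks (CPU/screen stay on)",
    "android.permission.READ_SMS": "read SMS messages",
    "android.permission.RECORD_AUDIO": "record audio",
}

# Assumed baseline for a plain information app; anything beyond it is reported.
EXPECTED = {"android.permission.INTERNET", "android.permission.ACCESS_NETWORK_STATE"}


def parse_permissions(manifest_xml: str) -> list:
    """Return the <uses-permission> names declared in a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    return [el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")]


def triage(permissions, expected=EXPECTED) -> dict:
    """Map each permission outside the baseline to a reason; unknown ones still surface."""
    return {p: SUSPICIOUS.get(p, "outside baseline, review manually")
            for p in permissions if p not in expected}


# Constructed sample manifest (not a real app), modelled on the permission set the
# article describes for a COVID-19 "tracker" package.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.covid.tracker">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.NFC"/>
</manifest>"""

if __name__ == "__main__":
    for perm, why in triage(parse_permissions(SAMPLE_MANIFEST)).items():
        print(f"SUSPICIOUS {perm}: {why}")
```

Permissions the map does not know are still reported, so a new dangerous permission is never silently dropped just because it lacks a description.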