APTualizator (II): Deconstructing Necurs Rootkit and Tools for Detecting and Removing It
ElevenPaths, 18 February 2020

This report was written by Roberto Santos and Javier Rascón of the CSIRT-SCC (Security Cyberoperations Center) Research Team, in collaboration with ElevenPaths.

At the end of June 2019 a large Spanish company was attacked and thousands of its computers were affected. The scale of the attack was what prompted this investigation. In July 2019 we published a first article on the incident, APTualizador (I). What struck us then was that, in a first quick analysis, the sample downloaded the legitimate Windows security update KB3033929, but did so from an unofficial server. In other words, it installed a genuine file, signed by Microsoft, obtained from a server that Microsoft does not operate.

This second report focuses on the technical aspects of the rootkit we found. Our investigation identified it as a development of Necurs. This botnet, which first appeared in 2012, is one of the largest and most persistent in the world, with an estimated 6 million zombie computers (machines around the world controlled remotely by the attackers).

The report examines in technical depth how the malware hides itself on the computer, analysing the tools it uses and the code that controls this behaviour. It also analyses the communication protocol, which has changed since the early versions: commands are no longer passed to the driver through IOCTL calls but are exchanged by reading and writing the Windows registry, turning the registry into a local covert channel. The investigation ends with the release of two tools, NeCure and NeCsists, which detect the malware and disinfect the machine.
These tools were built after reverse engineering the rootkit and finding ways to turn the attackers' own techniques against them. With this report we have updated the state of the art on the evolution of one of the most sophisticated rootkits seen to date.

Conclusions and findings:

- We have compiled an updated list of every functional command the rootkit can receive. Until now only a small number of them were known, and the full lists that existed were out of date.
- We have developed tools that detect and disinfect the rootkit, and we are publishing both this analysis and the tools' source code.
- We show how Necurs has evolved into a Malware-as-a-Service business model: it acts as the delivery vector for other malware and offers this service to other actors. This is the only plausible explanation for the keys that set an expiry date and a maximum number of executions for the delivered malware.
- Comparing the blacklists (the list of processes the rootkit protects itself against) of earlier and current versions shows that the attackers actively track the state of the art in anti-malware products.

Full report available here:
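The point made at the start of the report, that the dropper installed a genuine Microsoft-signed update (KB3033929, the update that adds SHA-2 code-signing support on Windows 7 and Server 2008 R2) from a server Microsoft does not operate, is worth turning into a check: the Authenticode signature proves who built the package, not who delivered it or why. The following PowerShell function is an added example written for this page; it is not code from the report or from the NeCure/NeCsists tools. It cross-references three sources on the host: the installed-hotfix inventory (Get-HotFix), the Windows Update agent's own history (Microsoft.Update.Session COM object), and the Setup event log. The assumption that wusa.exe records standalone installs in the Setup log under provider Microsoft-Windows-WUSA with event ID 2 on success is mine, not the report's; the function name and output fields are also mine.

```powershell
# Added example (not from the ElevenPaths report or its tools).
# Cross-checks how a given KB landed on a Windows host:
#   1. Is it installed at all (Get-HotFix, i.e. Win32_QuickFixEngineering)?
#   2. Does the Windows Update agent's history contain it?
#   3. Did wusa.exe install it out of band (Setup log, provider Microsoft-Windows-WUSA)?
# An installed KB with no Windows Update history entry is worth a closer look: the
# package signature is Microsoft's either way, so provenance comes from the install
# path, not from the file.
function Test-UpdateProvenance {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][ValidatePattern('^KB\d+$')][string]$KbId
    )

    # 1. Installed according to the QFE inventory?
    $hotfix = Get-HotFix -Id $KbId -ErrorAction SilentlyContinue

    # 2. Windows Update agent history (COM object available from Windows 7 onwards).
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $total    = $searcher.GetTotalHistoryCount()
    $wuHits   = @()
    if ($total -gt 0) {
        $wuHits = @($searcher.QueryHistory(0, $total) | Where-Object { $_.Title -match "\b$KbId\b" })
    }

    # 3. Standalone installs via wusa.exe. Assumption: WUSA writes its result to the
    #    Setup log; event ID 2 is the success record and its message carries the
    #    command line that was used, which is what you want for the timeline.
    $wusaEvents = @(Get-WinEvent -FilterHashtable @{ LogName = 'Setup'; ProviderName = 'Microsoft-Windows-WUSA' } -ErrorAction SilentlyContinue |
        Where-Object { $_.Id -eq 2 -and $_.Message -match "\b$KbId\b" })

    $verdict = if (-not $hotfix)                { 'not-installed' }
               elseif ($wuHits.Count -gt 0)     { 'windows-update' }
               elseif ($wusaEvents.Count -gt 0) { 'standalone-wusa' }
               else                             { 'unknown-path' }

    [pscustomobject]@{
        KbId                   = $KbId
        Installed              = [bool]$hotfix
        InstalledOn            = if ($hotfix) { $hotfix.InstalledOn } else { $null }
        InstalledBy            = if ($hotfix) { $hotfix.InstalledBy } else { $null }
        InWindowsUpdateHistory = ($wuHits.Count -gt 0)
        WusaInstallEvents      = @($wusaEvents | ForEach-Object {
                                     $_.TimeCreated.ToString('u') + ' ' + ($_.Message -split "`n")[0] })
        Verdict                = $verdict
    }
}

# Usage: the update the APTualizador dropper fetched from a non-Microsoft server.
Test-UpdateProvenance -KbId 'KB3033929' | Format-List
```

A verdict of standalone-wusa or unknown-path on a machine that is supposed to receive this update through WSUS or Windows Update is not proof of compromise, but it is exactly the out-of-band install the dropper performs, and the InstalledOn timestamp gives a pivot for the rest of the timeline. Get-HotFix only lists updates that register a QFE entry, so treat not-installed as "not in the inventory" rather than "absent".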