ElevenPaths Cybersecurity Weekly Briefing September 12-18 PoC for Critical Vulnerability on Netlogon Secura researchers have published a tool to check whether a domain controller is vulnerable to the CVE-2020-1472 vulnerability on Netlogon. Last month, Microsoft patched...
Sergio De Los Santos What Do Criminals in the Ransomware Industry Recommend so that Ransomware Does Not Affect You? We all know the security recommendations offered by professionals on malware protection. Frequently: use common sense (personally, one of the least applicable and abstract pieces of advice that can...
ElevenPaths #CyberSecurityPulse: Guess Riddle… How Is Information Stored In a Bitcoin Address? As we have seen in previous post on ElevenPaths blog, the OP_RETURN field of a Bitcoin transaction is used to store a small portion of information (up to 80...
ElevenPaths #CyberSecurityPulse: PyeongChang Olympics: A New False Flag Attack? A postmortem of the Olympic Destroyer malware used in the PyeongChang Olympics attack reveals a deliberate attempt by adversaries to plant a false flags when it comes to attribution,...
Andrés Naranjo Analysis of APPs Related to COVID19 Using Tacyt (II) We continue with the research started in the previous entry in which we analysed these type of applications with our Tacyt tool. Regarding the application analysed, we can see...
ElevenPaths Cybersecurity Weekly Briefing September 12-18 PoC for Critical Vulnerability on Netlogon Secura researchers have published a tool to check whether a domain controller is vulnerable to the CVE-2020-1472 vulnerability on Netlogon. Last month, Microsoft patched...
Juan Elosua Tomé Popular Docker Images under Security Scrutiny Discover the research carried out by our TEGRA cybersecurity centre on this technology's images used in the development of applications.
ElevenPaths The hugest collection of usernames and passwords has been filtered…or not (II) Over the last entry we focused on analyzing the content of these files from a critical point of view, this is: on clarifying that when a massive leak freeing...
Andrés Naranjo Analysis of APPs Related to COVID19 Using Tacyt (II) We continue with the research started in the previous entry in which we analysed these type of applications with our Tacyt tool. Regarding the application analysed, we can see...
ElevenPaths Cybersecurity Weekly Briefing September 12-18 PoC for Critical Vulnerability on Netlogon Secura researchers have published a tool to check whether a domain controller is vulnerable to the CVE-2020-1472 vulnerability on Netlogon. Last month, Microsoft patched...
ElevenPaths Cybersecurity Weekly Briefing July 11-17 Combining Citrix vulnerabilities to steal user sessions On July 7th, Citrix published a security bulletin to correct up to 11 vulnerabilities. A few days later, a report was released with...
ElevenPaths How to forecast the future and reduce uncertainty thanks to Bayesian inference (I) Imagine that you come back home from San Francisco, just arrived from the RSA Conference. You are unpacking your suitcase, open the drawer where you store your underwear and…...
APTualizator (II): Deconstructing Necurs Rootkit and Tools for Detecting and Removing ItElevenPaths 18 February, 2020 This report has been drafted by Roberto Santos and Javier Rascón from the CSIRT-SCC (Security Cyberoperations Center) Research Team, in collaboration with ElevenPaths. At the end of June 2019, a big Spanish company was attacked and thousands of their computers were impacted. Such was the size of the attack that we were motivated to begin this investigation. In July 2019, we wrote an article on this issue: APTualizador (I). At that time we were struck because in a first quick analysis we observed that the sample downloaded the legitimate Windows security update KB3033929, although it did so from an unofficial server. In other words: it installed the legitimate file (signed by Microsoft) from an unofficial server. This second report will be focused on the technical aspects of the rootkit found. As a result of the investigation we identified this rootkit as a development of Necurs. This botnet (appeared in 2012) is one of the most persistent and largest in the world and it is estimated that it is made up of 6 million zombie computers −target computers around the world and controlled by attackers remotely. This report will consider in depth and from a technical perspective how malware manages to hide in the computer, analyzing the tools used and the code that controls this behavior. On the other hand, the communication protocol used is also analyzed. This has been modified since the first versions and IOCTL commands are no longer used. Instead, it is now based on reading / writing on Windows registry, turning the registry into a local covert channel. Our investigation ends with the release of two tools, NeCure and NeCsists, that allow detecting malware and disinfecting the machine. These tools have been developed after finding the means to exploit the techniques used by the attackers themselves, thanks to the study and analysis using reverse engineering techniques. Through this report, we have helped update the state of the art on the evolution of one of the most sophisticated rootkits so far. Conclusions and findings: An updated list including all functional commands that the rootkit may receive has been drawn. So far, only a very small number of them were known but if there were full lists, they were not updated. We have been able to develop tools that allow detection and disinfection. In addition, we make publicly available both this analysis and its source code. We show how Necurs has evolved into a business model of the type Malware as a Service that serves as an input vector for another malware and offers this service to other actors. Only this explains the existence of the keys that set a deadline and a maximum number of malware executions. Thanks to the comparison between blacklists (list of processes against which the rootkit protects itself) from previous and current versions, an active investigation work performed by attackers on the state of the art of antimalware solutions is drawn. Full report available here: The Telco Security Alliance Bolsters Threat Detection Capabilities Through Shared IntelligenceElevenPaths at RSA Conference 2020
Andrés Naranjo Analysis of APPs Related to COVID19 Using Tacyt (II) We continue with the research started in the previous entry in which we analysed these type of applications with our Tacyt tool. Regarding the application analysed, we can see...
ElevenPaths Cybersecurity Weekly Briefing September 12-18 PoC for Critical Vulnerability on Netlogon Secura researchers have published a tool to check whether a domain controller is vulnerable to the CVE-2020-1472 vulnerability on Netlogon. Last month, Microsoft patched...
Christian F. Espinosa Velarde FaceApp and Personal Data, Hadn´t We Talked About This Already? Hadn’t we already talked about this? The comeback of applications like FaceApp and the fuss caused by the photos generated, in which their users can appear as women being...
ElevenPaths ElevenPaths Radio English #3 – Why is Cybersecurity So Necessary Today? In this episode, Gabriel Bergel, our CSA in Chile, explains that nowadays there is no excuse for not being interested in cybersecurity. At a personal level, the use of...
Andrés Naranjo Analysis of APPs Related to COVID19 Using Tacyt (I) Taking advantage of all the attention this issue is attracting, the official app markets, Google Play and Apple Store, have been daily deluged with applications. Both platforms, especially Android,...
Sergio De Los Santos What Do Criminals in the Ransomware Industry Recommend so that Ransomware Does Not Affect You? We all know the security recommendations offered by professionals on malware protection. Frequently: use common sense (personally, one of the least applicable and abstract pieces of advice that can...
