Most Software Handling Files Overlooks SmartScreen in Windows
Innovation and Laboratory Area in ElevenPaths
22 June, 2020

SmartScreen is a component of Windows Defender aimed at protecting users against potentially harmful attacks, whether in the form of links or files. When a user is browsing the Internet, the SmartScreen filter analyses the sites visited and, if the user accesses a website considered suspicious, it displays a warning message so that the user can decide whether to continue or not. It also warns about downloaded files. We have conducted a study on how SmartScreen works in this second area and have tried to understand what triggers this protection component developed by Microsoft, in order to better understand its effectiveness.

How Does SmartScreen Know Which File to Analyse?

Alternate Data Streams (ADS) are a feature of the NT file system that allows metadata to be stored alongside a file, whether as a raw stream or as another file. Today ADSs are also used by different products to tag files in the ":Zone.Identifier" stream, so that a file known to be external (i.e. not created on your own computer) can be recognised and examined by SmartScreen. Microsoft began tagging all files downloaded through Internet Explorer (at the time), and other browser developers began doing the same to take advantage of SmartScreen's protection.

The value written to the stream, the ZoneId, can be any value you wish. However, SmartScreen's behaviour is based on the values reflected in the table below:

[Table: SmartScreen behaviour by ZoneId value]

Setting the value on any file is easy from the command line:

[Image: command line that writes the Zone.Identifier stream]

Do Browsers Use This Feature to Tag Files?

We analysed the 10 most used browsers on desktop operating systems. To do this, we downloaded a file from a web page and checked whether the ZoneId was added to the downloaded file. In most cases it is.

What about FTP, Code Versioning, Cloud Sync or File Transfer Clients?

We then examined other programs capable of downloading files. Most email clients do not add the ZoneId that SmartScreen needs in order to scan the file; however, many desktop instant messaging clients do. No FTP, code versioning or cloud sync client adds the appropriate ZoneId, so files obtained by these means will not be analysed by SmartScreen. The same goes for the file transfer mechanisms integrated into Windows. WinZip and the native Windows decompressor do, at least, respect this tag when an archive is decompressed after the download.

Potential Evasions

After understanding how and when a file is tagged, the research led us to reflect on which process is responsible for running SmartScreen and whether there are ways to bypass that process. To conduct the test, we tagged files that are interpreted and already known to SmartScreen as malicious, to find out whether a file executed in a given way bypassed SmartScreen. We took a series of files in different interpreted languages and set the bit as described above. The result can be seen in the following table:

[Table: SmartScreen result per interpreted file type and launch method]

Perhaps the most interesting point is the difference when launching them using the start command:

[Table: result of launching the tagged files with start from PowerShell and from CMD]

SmartScreen intervenes when the file is launched from PowerShell, but not when it is launched from CMD.

Conclusions

In the following table we show the percentage of programs that do NOT set the ZoneId when a file is downloaded, so that SmartScreen can analyse it:

[Table: percentage of programs per category that do not set the ZoneId]

In general, we can conclude that a potential attacker has several ways to get a malicious file onto a computer with a greater chance of not being discovered by SmartScreen: by relying on the user to download executables through certain programs. We believe that both developers and users need to be aware of how SmartScreen works in order to take advantage of its detection capabilities and better protect the user.

The full report is available here: 20200619-Report%20SmartScreen.pdf
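To make the ZoneId mechanism concrete, here is an added PowerShell example (not code from the ElevenPaths report) that reads the Zone.Identifier stream of a file, reports which files in a folder lack it (for instance files obtained through an FTP or git client, which the study found are not tagged) and optionally tags them with ZoneId=3 so that SmartScreen will examine them. The folder path and function names are assumptions for illustration.

```powershell
# Added example, not from the ElevenPaths report. Requires an NTFS volume:
# FAT/exFAT volumes have no alternate data streams, so no tag can exist there.

function Get-ZoneId {
    param([Parameter(Mandatory)][string]$Path)
    # Zone.Identifier is an INI-style stream:
    #   [ZoneTransfer]
    #   ZoneId=3            (plus optional ReferrerUrl= / HostUrl= lines)
    $stream = Get-Content -LiteralPath $Path -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
    if (-not $stream) { return $null }   # no ADS: SmartScreen will not look at this file
    foreach ($line in $stream) {
        if ($line -match '^\s*ZoneId\s*=\s*(\d+)') { return [int]$Matches[1] }
    }
    return $null                         # stream present but no ZoneId line
}

function Set-ZoneId {
    param([Parameter(Mandatory)][string]$Path, [int]$ZoneId = 3)
    # Writes the same stream a browser writes on download; ZoneId=3 marks the
    # file as coming from the Internet zone, which is what triggers SmartScreen.
    Set-Content -LiteralPath $Path -Stream 'Zone.Identifier' -Value "[ZoneTransfer]`r`nZoneId=$ZoneId"
}

function Test-DownloadFolder {
    param([Parameter(Mandatory)][string]$Folder, [switch]$Tag)
    # One record per file: its ZoneId (or $null) and whether it carries a tag.
    # With -Tag, untagged files are marked as Internet-sourced on the spot.
    Get-ChildItem -LiteralPath $Folder -File -Recurse | ForEach-Object {
        $zone = Get-ZoneId -Path $_.FullName
        if ($null -eq $zone -and $Tag) {
            Set-ZoneId -Path $_.FullName
            $zone = 3
        }
        [pscustomobject]@{ File = $_.FullName; ZoneId = $zone; Tagged = ($null -ne $zone) }
    }
}

# Usage (assumed folder): list files an FTP client left without a tag, then tag them.
Test-DownloadFolder -Folder 'C:\Users\alice\Downloads\ftp' | Where-Object { -not $_.Tagged }
Test-DownloadFolder -Folder 'C:\Users\alice\Downloads\ftp' -Tag | Format-Table File, ZoneId
```

Running the audit with -Tag after a bulk transfer restores the protection the page shows FTP, code versioning and cloud sync clients skip, without changing the files' own contents.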