Four cyber security milestones that shaped the future of malware

Sergio de los Santos    22 May, 2023

In early 2001, Bill Gates sent out a memo (shorthand here for a company-wide email) that marked a historic moment. He acknowledged that “…he had come under fire from some of his largest customers (government agencies, financial companies and others) for security problems in Windows, problems that were being brought to the forefront by a series of self-replicating worms and embarrassing attacks.”

So something was supposed to change, drastically. Put the focus on Cyber Security. Get away from those “self-replicating worms.” Windows was threatened by malware that would seem like a joke today. At the end of that same year, Windows XP was launched, and things got worse. More attacks and more problems.

Windows XP (2001) Image: Microsoft.

But the strategy germinated. It took many years before they were able to reap some fruits of that initiative… because there were some. Let’s review the pillars on which the initiative was based to change course. 

Microsoft has spent 15 years consolidating a strategy that has impacted cybersecurity globally.

Active measures and secure development 

The “self-replicating worms” were simply malware that, by taking advantage of a bug shared by every Windows installation, could run and infect other machines. Exponential growth. Those bugs were essentially code vulnerabilities.

And so the enemy was not so much each individual virus or worm as the vulnerabilities that let them replicate on every Windows machine connected to the network. That is where Microsoft focused its next operating system: Windows Vista.

It was supposed to be released in 2004 but did not ship until 2006, delayed by the effort to make it more secure. One of its great achievements was to incorporate ASLR, which prevents the same bug from being exploitable in the same way on every Windows machine. In other words, it eliminated the possibility of programming “self-replicating worms.” And, apart from horrible exceptions such as WannaCry, which managed to evade ASLR protection, it is true that in general this plague was largely eradicated.

With Vista, despite its bad reputation in usability, substantial progress was made in basic technologies to fight malware and its way of exploiting bugs. It laid the first stone. The new system project did not come to fruition until Windows 7, but it laid the groundwork.

With Vista, Microsoft laid the foundations for an effective fight against malware, although this did not happen until Windows 7.

Although many users did not realize it, from that year onwards the server version of Windows and the system’s internals began to include a good handful of measures aimed at blocking the ways the most common vulnerabilities were exploited. Technologies of varying effectiveness such as CFG, MemGC, CIG, ACG… have quietly made their way in to protect us. Although, as is often the case with defensive technologies, they attract more attention for their failures than for their successes.

All these functions were programmed under the umbrella of a secure development methodology called Secure Systems Development Life Cycle, a way of programming that put cybersecurity at the center. This more secure programming project will also be complemented when some of the code is moved from C to Rust to alleviate the burden of memory management that causes so many bugs. 

The Blue Hat Prize 

Microsoft used to offer bounties to hunt down malware creators until 2011. Usually, $250,000 for anyone who offered a clue that would lead to the arrest of the creator of a major virus of the moment. MyDoom, Conficker, Blaster… It was not a sustainable strategy.

From 2011 onwards, something completely different was proposed. It decided to award $250,000 to any researcher who offered a technical improvement in Windows to stop malware. Invest in techniques and protection measures instead of punishment. And so, it did.

Windows 10 (2015) Image: Microsoft.

Since then, they implemented many formulas that today in Windows 10 help make it harder for malware to replicate, and they did it by listening to the community and researchers. 

Antivirus included in Windows

Microsoft announced in June 2003 that it was acquiring antivirus technology. The antivirus houses looked askance. A default antivirus in Windows?

Despite all the doubts, the company finally made a good move. It introduced a very simple tool (Malicious Software Removal Tool), which was launched from time to time on the system and removed the most popular viruses, nothing too advanced.

What was Microsoft’s intention with this move? The goal was to take care of users, but also to capitalize on metadata. What it got was a good snapshot of the malware that was “out there” and so it knew firsthand what was going on in its most unprotected systems to, again, improve its defenses.

Then came Windows Defender, which became a resident component and still managed to coexist with traditional antivirus. Later, Windows 10 turned Defender into a whole security strategy within the operating system.

“Defender” is an umbrella that brings together a global cybersecurity policy of Microsoft not only on the desktop but also in the cloud. 

EMET and Windows 10 

In 2009 a tool called EMET was launched, aimed not so much at detecting viruses (of which there were millions), but at thwarting the techniques they used to spread (of which there are only dozens). It was free and almost “amateurish”.

However, its importance grew, and after six years of development it was abandoned in favor of including its improvements as standard in Windows 10. Windows 10 thus incorporates anti-exploitation measures, and therefore anti-malware measures, that had already proven their effectiveness outside a “production” environment.

Although little known, it is a tool that really scared attackers, and today, incorporated as standard, its measures have made Windows 10 much less palatable to malware.

So, what does this mean? 

The moral is that a solid cyber security strategy, with several open fronts, global and in a changing environment, does not reap rewards the first time around.

It took Microsoft almost 15 years (from 2001 when the memo was written to 2015 when Windows 10 came out) to consolidate a strategy that has impacted cybersecurity globally and, in the meantime, of course, they have suffered failures and many new milestones and challenges to address.

This is a sliding window, but good ground has been gained. The threat has not disappeared but has mutated into something that must continue to be fought with other weapons and will need new and better strategies.

But those arguments, or the never-ending long-distance race that is cyber security, should not be enough to make us forget that it is never too late to start an ambitious strategy.

The only failed cybersecurity strategy is the one that is not implemented. 

Featured photo: Ed Hardie / Unsplash.

Cyber Security Weekly Briefing, 15 – 19 May

Telefónica Tech    19 May, 2023

Vulnerabilities in cloud platforms

Otorio’s team of researchers found 11 vulnerabilities affecting different cloud management platform providers. Sierra Wireless, Teltonika Networks and InHand Networks are the affected companies.

The security flaws affecting Teltonika Networks are CVE-2023-32346, CVE-2023-32347, CVE-2023-32348, CVE-2023-2586, CVE-2023-2587 and CVE-2023-2588 identified in the remote management system (RMS). Their exploitation could expose confidential information and allow remote code execution (RCE).

Regarding the vulnerabilities in InHand Networks, CVE-2023-22600, CVE-2023-22598, CVE-2023-22599, CVE-2023-22597 and CVE-2023-2261 could be exploited by malicious actors to perform RCE.

Lastly, the flaws identified in Sierra Wireless CVE-2023-31279 and CVE-2023-31280 could allow an attacker to search for unregistered devices that are connected to the cloud, obtain their serial numbers and register them to an account under their control for the purpose of executing commands.

More info

The new .zip TLD under the researchers’ magnifying glass

On May 3, Google opened registration for domains under eight new TLDs, including .dad, .esq, .prof, .phd, .nexus, .foo, .mov and, especially, .zip. Registration under the latter is generating a lot of controversy among the security community, because a .zip domain name can pass for the name of a compressed .zip file in phishing campaigns.

Some researchers have already managed to exploit the existence of these domains together with the use of special characters in the address bar and disguise links to malicious files under URLs that appear to be legitimate.

An adversary could do this by using special Unicode characters such as the U+2044 (⁄) and U+2215 (∕) slashes that visually resemble the conventional slash character, U+002F (/) and exploit the way some browsers interpret the at (@) character in a URL to achieve unwanted redirects.

For this reason, it is recommended to pay attention to links containing the characters U+2044 (⁄) and U+2215 (∕) that also include an at sign (@) and point to what appear to be compressed .zip files, since they could actually hide a redirect to a domain under this new TLD.
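As an added illustration, not part of the briefing, the following Go program applies the three signals described above to a link: look-alike slash code points, an at sign that pushes the real host to the right of it, and an effective host under .zip. The link strings are constructed samples, not taken from any real campaign; the authority split is a deliberately minimal model of how a browser picks the host out of a URL (bracketed IPv6 hosts are out of scope).

```go
package main

import (
	"fmt"
	"strings"
)

// lookalikeSlashes are the code points the briefing names: they render like
// U+002F but are not path separators to a URL parser.
var lookalikeSlashes = map[rune]string{
	'\u2044': "U+2044 FRACTION SLASH",
	'\u2215': "U+2215 DIVISION SLASH",
}

// Finding records what a defender wants to know about one link.
type Finding struct {
	Lookalikes    []string // look-alike slashes found, by name
	HasAt         bool     // an "@" in the authority moves the real host after it
	EffectiveHost string   // host a browser-style parser will actually resolve
	ZipTLD        bool     // effective host is under the .zip TLD
}

// effectiveAuthority returns the authority part of raw: everything between
// the "://" after the scheme and the first real "/", "?" or "#".
func effectiveAuthority(raw string) string {
	rest := raw
	if i := strings.Index(rest, "://"); i >= 0 {
		rest = rest[i+3:]
	}
	if end := strings.IndexAny(rest, "/?#"); end >= 0 {
		rest = rest[:end]
	}
	return rest
}

// Inspect applies the briefing's heuristics to one link.
func Inspect(raw string) Finding {
	var f Finding
	for _, r := range raw {
		if name, ok := lookalikeSlashes[r]; ok {
			f.Lookalikes = append(f.Lookalikes, name)
		}
	}
	host := effectiveAuthority(raw)
	if i := strings.LastIndex(host, "@"); i >= 0 {
		f.HasAt = true
		host = host[i+1:] // everything before the last "@" is userinfo, not host
	}
	if i := strings.Index(host, ":"); i >= 0 { // drop a port; IPv6 literals not handled
		host = host[:i]
	}
	f.EffectiveHost = strings.ToLower(host)
	f.ZipTLD = strings.HasSuffix(f.EffectiveHost, ".zip")
	return f
}

// Suspicious is true only when all three signals line up, which is the
// combination the briefing recommends watching for; "@" alone is too noisy.
func Suspicious(f Finding) bool {
	return len(f.Lookalikes) > 0 && f.HasAt && f.ZipTLD
}

func main() {
	// Constructed sample links, not taken from any real campaign.
	links := []string{
		"https://example.com\u2215downloads\u2215report@update-files.zip",
		"https://example.com/downloads/report.zip",
		"https://user@files.example.com/report.zip",
	}
	for _, l := range links {
		f := Inspect(l)
		fmt.Printf("%-62s host=%-18s suspicious=%v\n", l, f.EffectiveHost, Suspicious(f))
	}
}
```

The authority is split by hand rather than with net/url because Go’s parser rejects non-ASCII characters in the userinfo part, which is exactly where the look-alike slashes end up; a detection rule has to see the string the way a lenient browser does.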

More info

Critical Vulnerabilities in Cisco Small Business Series Switches

Cisco has issued a security advisory stating that it has fixed nine critical vulnerabilities in its Small Business Series Switches products.

The vulnerabilities have been assigned the following CVEs and CVSS: CVE-2023-20159 (CVSS: 9.8), CVE-2023-20160 (CVSS: 9.8), CVE-2023-20161 (CVSS: 9.8), CVE-2023-20189 (CVSS: 9.8), CVE-2023-20024 (CVSS: 8.6), CVE-2023-20156 (CVSS: 8.6), CVE-2023-20157 (CVSS: 8.6), CVE-2023-20158 (CVSS: 8.6), CVE-2023-20162 (CVSS: 7.5).

All of the security holes affect Small Business Series Switches versions 200, 250, 300, 350, 350X and 500 and are due to improper validation of requests sent to the web interface. This could allow an unauthenticated remote threat actor to cause a denial of service (DoS) condition or execute arbitrary code with root privileges on an affected device.

Cisco reports that it has issued software updates that address these vulnerabilities and that there are no workarounds, so it is recommended to upgrade to the latest version available.

More info

Google fixes critical vulnerability in Chrome 113

Google has issued a security update for Chrome 113 that fixes a total of 12 vulnerabilities, one of them critical. This last one, identified as CVE-2023-2721 and still pending CVSS, is a use-after-free (UAF) vulnerability that would allow a remote attacker to create an HTML page that triggers a heap corruption situation when a user accesses it.

For an attacker to exploit this security flaw, it would be necessary to convince the user to visit the page. This and five other fixed vulnerabilities have been reported to Google by external researchers for rewards ranging from $1500 to $7000.

This update is available for versions 113.0.5672.126 on Mac and Linux devices and 113.0.5672.126/.127 for Windows.

More info

Apple fixes three 0-day vulnerabilities and dozens of other CVEs across its portfolio

Apple has recently issued security updates for iOS, iPadOS, macOS, tvOS, watchOS and the Safari web browser; and warned about three 0-day vulnerabilities that would be actively exploited.

Those security flaws affect the WebKit browser engine that Apple uses in Safari and requires other browsers on iOS to use. The first vulnerability (CVE-2023-32409) is a sandbox escape that allows remote attackers to break out of the web content sandbox.

The other two (CVE-2023-28204 and CVE-2023-32373) consist of an out-of-bounds read that allows threat actors to gain access to sensitive information and achieve arbitrary code execution on compromised devices.

The CVEs were recently assigned, so detailed information is not available. Apple recommends that all users update their devices to the latest version available.

More info

Automation, Connectivity and Augmented Intelligence at the service of a competitive, disruptive and sustainable reindustrialization

Telefónica Tech    18 May, 2023

By Javier Martínez Borreguero

I am back for the second consecutive year to participate in the Advanced Factories (AF 2023), the largest exhibition and professional congress dedicated to Industry 4.0 in Southern Europe.

A unique event to immerse yourself in the latest innovations and trends in industrial production processes and to share the main challenges and objectives of the sector: digital disruption, sustainable transition and competitive reindustrialization of the industry to reach 20% share in the national GDP, a target set by the EU.

In this edition the fair has reached its maturity. It has grown in all relevant figures of visitors, exhibitors, and impact on the sector.

In addition, it has moved to the Fira Gran Vía in Barcelona, a much more suitable setting for its size and relevance. It has even brought to light the new exhibition, Advanced Machine Tools (AMT 2023), which complements it perfectly and will undoubtedly gain relevance in the coming years.

All this in order to showcase the most disruptive ideas and cutting-edge technologies that are transforming the industrial landscape and that more than a vision of the future, are already a sample of an emerging reality.

The European Union aims for industry to account for 20% of the GDP of the Member States.

Apart from the impressive figures for a national industry event, where we are still at around 15.5% contribution to the Spanish GDP, one of the elements that gives it character and deserves to be highlighted is that, despite its large size, Advanced Factories is still a very specialized event.

This meeting is attended by numerous professionals with decision-making capacity to share real, concrete and urgent problems to be solved in industrial processes and in the deployment of technological solutions available today in the field of Industry 4.0.

Talking about technology, what were the winners of this edition?

On the one hand, the theme of the congress promised to focus on robotics and industrial automation, and on the other hand, Artificial Intelligence as the top trend of the moment claimed its presence in every presentation and in every demonstration.

However, if I had to choose a technological headline that summarizes what was seen at AF 2023, I would choose Augmented Intelligence.

What is Augmented Intelligence and how does it impact competitive, disruptive and sustainable reindustrialization

Augmented intelligence (a concept also known as Augmented Humanity) combines the power of artificial intelligence and human capacity to enhance and expand people’s cognitive and creative capabilities. It seeks to complement human work, enabling people to be more efficient, accurate and effective.

Unlike artificial intelligence, it seeks to empower humans by providing them with digital tools and resources that improve their decision-making and performance in different industrial processes.

In this way, it contributes to a reindustrialization that preserves its role as a driver of employment in Europe, and that this employment can reach the levels of competitiveness required in the global economy.

Augmented intelligence is based on the processing of large amounts of data and the application of advanced algorithms that provide relevant and personalized information in real time and enable the generation of disruptive innovations through the interaction between humans and machines, allowing people to collaborate with automated systems to solve complex problems.

Augmented Intelligence enables the generation of disruptive innovations through the interaction between humans and machines.

Machines can automate repetitive and tedious tasks, thus freeing up time and resources for higher value-added activities that require human skills, such as creativity, empathy, and critical thinking.

In this way augmented intelligence seeks to harness the best of human intelligence and technology. Combining the cognitive and creative skills of people with the analytical and data processing capabilities of artificial intelligence creates a collaborative environment that enhances performance and decision making and is essential to drive the challenges of sustainable transition that require new processes and business models with a net positive impact on society and the environment.

The Industry 4.0 Congress: Forum for the exchange of proposals and debate on the challenges facing the sector

The congress featured a spectacular list of technology experts and business leaders from the industry, and society in general, who shared industry challenges and reflections on economic recovery, rebuilding and strengthening resilience.

Also, on how to co-create solutions and highlighting the most recent advances and their impact on the productivity and efficiency of factories and production environments.

The lectures and panel discussions promoted refreshing debates and provided challenging ideas on how to adapt and make the most of these emerging technologies.

Advanced Factories 2023 also provided countless networking opportunities; all of us who attended had the chance to interact with industry colleagues and make connections and contacts for future collaborations. Several networking spaces facilitated the exchange of ideas and the emergence of synergies, creating an environment conducive to innovation and the proposal of new projects.

Javier Martínez Borreguero (Telefónica Tech)

Telefónica Tech contributed to the debate by participating in different presentations and round tables focused on innovation, sustainability, and competitiveness:

  • Comprehensive innovation of production processes by applying Artificial Intelligence, where it was highlighted that data is the asset with the greatest disruptive power in organizations.
  • The intelligent industrial helmet to improve the preventive safety of workers, with a message focused on how the digitization of industry also benefits the people who are at the center of the processes.
  • Quality and maintenance: a leap in competitiveness supported by technology, where attendees were challenged to implement in their production processes the technologies already available in 5G Connectivity and Augmented Intelligence.

Industry 4.0 Expo: Showcase and live experiences of key technologies

The exhibition area was an exciting journey through the real possibilities of the enabling technologies of Industry 4.0, where we could all experience firsthand the latest innovations in advanced manufacturing and were also “surprised” to find visitors of animal species unusual at this kind of event, such as dogs, dinosaurs and even a dragon.

We were able to witness the different types of autonomous and collaborative robots, drones and quadrupeds or “robot dogs”, which were the focus of many of the most spectacular demonstrations.

The additive manufacturing stands showed large-format 3D printers, unthinkable until recently, but more than capable of printing all the parts needed to assemble a life-size “3D dinosaur”.

Finally, the various experiences around the metaverse, where, between industrial processes supported by augmented reality and digital twins created with augmented reality, you could even be surprised by a “virtual dragon” to dodge at a Virtual Reality headset booth.

Almost every booth also featured the rest of the usual technological participants: IIoT (Industrial Internet of Things) and Big Data, Connectivity and 5G, Cloud and Industrial Edge, Artificial Intelligence and Machine Learning, Machine Tools and Industrial Software, Cyber Security and Blockchain, etc.

Spot is a perfect example of the possibilities offered by autonomous robots in real factory environments.

Our contribution at the Telefónica Tech booth focused on the following demos:

  • Lego Factory 4.0, where the visitor could “play” Lego in a continuous process factory with monitoring of its main parameters through IIoT/5G technologies and with the possibility to make simulations in the environment of a simple digital twin.
  • Fab Lab 4.0, also with a scale model, showing visitors how to apply our MOM management system and our Blockchain expertise in a discrete manufacturing process, allowing them to become the operator and experience these technologies applied to the various stages of the process.
  • 5G Legged Robot, to meet Spot, the ‘robot dog’ that is a perfect example of the possibilities offered in real factory environments, fully autonomous robotics, connected via 5G/Edge, and free from the bondage of wheeled drive systems to be able to actively collaborate with human operators.
  • IoT Smart Helmet, to put us in the context of a front-line operator of a large mining or petrochemical facility and be able to send, through NB-IoT connectivity, the monitored data to a platform that processes them to activate the most advanced safety and personal protection measures.

A year ahead to continue promoting Reindustrialization

In short, this edition of Advanced Factories managed to capture the essence of new technologies and their impact on real industry.

There is now a year left until the next edition, to continue working on our processes and to bring closer that dream of a radically new industrialization that will boost our economies and have a positive impact on our societies and the planet we inhabit.

Next stop? Barcelona, April 2024. See you there!

Google’s Passkey is just another nail in the password coffin

Nacho Palou    17 May, 2023

Google’s Passkey offers users the possibility of using an access key to identify themselves on websites or apps without typing their username and password.

Google explains that the passkeys replace traditional (and burdensome) passwords. A new mechanism in addition to Google’s “Skip password when possible” function, such as accepting a notification from another device.

Passkeys are an alternative to username and password credential systems.

The end of passwords is a desire and a necessity that many users have been demanding for years. Not only for convenience, but above all, for security. Passwords are “primitive” and have too many flaws.

What is a passkey?

In this context, when we talk about a passkey, we mean a digital credential that identifies us to a system (such as a web page or service, or an app) using a PIN or biometric identification.

That is, instead of authenticating ourselves by typing something we know (username and password) we also identify ourselves with something we are or have:

  • Drawing an unlock pattern on our device.
  • Typing a PIN.
  • Using our fingerprints.
  • Identifying ourselves by our faces.

The result is similar to when the operating system or web browser saves passwords. But with an additional layer of security that verifies the identity of the person trying to use those saved credentials.

How does Google Passkey work?

Unlike username and password-based credentials, passkeys use asymmetric or public key cryptography.

In other words, the credential is made up of two mathematically related keys:

  • The public key, which is stored on the website or in the app.
  • The private key, which is stored on the user’s device.

Since the website or app only stores the public key, password theft or leak does not expose the user’s credentials. An attacker with only the public key cannot do anything with it: neither identify the user nor access the user’s account.

This is one of the reasons passkeys are more secure than passwords. Even with the device that stores the private key (the other “half” of the key) an attacker will still have to circumvent one of the identification systems we mentioned —PIN, unlock pattern, fingerprint, or facial recognition.

Improved phishing protection

Passkeys keep a record that links each private key to the app or website that holds the matching public key, which is unique in each case. So a passkey is not activated when visiting a malicious site, because it can only be used on the website or app where it was generated.
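To make the public/private key split and the site binding described in the last two sections concrete, here is an added Go walk-through (example code, not Google’s or the FIDO Alliance’s implementation). It models the relying party, which stores only public keys, and the authenticator on the user’s device, which signs challenges only for the relying-party ID it registered with and only once the user has unlocked it. The names example.com, examp1e.com and alice are constructed, and the use of Ed25519 with a SHA-256(rpId) || challenge payload is a simplification of the real FIDO message formats.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// RelyingParty is the website or app; it stores only public keys, so leaking this table gives an attacker nothing to log in with.
type RelyingParty struct {
	ID      string // relying-party identifier: the domain the passkey is bound to
	pubKeys map[string]ed25519.PublicKey
}

// Authenticator is the user's device; private keys never leave it and are stored under the rpID they were created for.
type Authenticator struct {
	Unlocked bool // set once the PIN, pattern, fingerprint or face check has passed
	keys     map[string]ed25519.PrivateKey
}

// Register creates a key pair for rpID and hands back only the public half.
func (a *Authenticator) Register(rpID string) (ed25519.PublicKey, error) {
	if !a.Unlocked {
		return nil, errors.New("user verification required")
	}
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[rpID] = priv
	return pub, nil
}

// signedPayload ties the challenge to the rpID, so a signature made for one site is meaningless to any other.
func signedPayload(rpID string, challenge []byte) []byte {
	h := sha256.Sum256([]byte(rpID))
	return append(h[:], challenge...)
}

// Assert signs a challenge only with a key created for exactly this rpID; a look-alike domain has no key and gets nothing.
func (a *Authenticator) Assert(rpID string, challenge []byte) ([]byte, error) {
	if !a.Unlocked {
		return nil, errors.New("user verification required")
	}
	priv, ok := a.keys[rpID]
	if !ok {
		return nil, errors.New("no passkey registered for " + rpID)
	}
	return ed25519.Sign(priv, signedPayload(rpID, challenge)), nil
}

// NewChallenge returns fresh random bytes; reusing one would allow replay.
func (rp *RelyingParty) NewChallenge() []byte {
	ch := make([]byte, 32)
	if _, err := rand.Read(ch); err != nil {
		panic(err)
	}
	return ch
}

// Verify checks the signature over the issued challenge with the stored public key.
func (rp *RelyingParty) Verify(user string, challenge, sig []byte) bool {
	pub, ok := rp.pubKeys[user]
	return ok && ed25519.Verify(pub, signedPayload(rp.ID, challenge), sig)
}

// Outcome records whether each login attempt in Scenario was accepted.
type Outcome struct {
	LegitLogin   bool // genuine site, unlocked device
	LockedDevice bool // genuine site, device still locked
	PhishingSite bool // look-alike domain asking for an assertion
	ReplayedSig  bool // earlier signature presented against a new challenge
}

// Scenario runs the four cases with the constructed names example.com and alice.
func Scenario() Outcome {
	rp := &RelyingParty{ID: "example.com", pubKeys: map[string]ed25519.PublicKey{}}
	auth := &Authenticator{Unlocked: true, keys: map[string]ed25519.PrivateKey{}}
	pub, _ := auth.Register(rp.ID)
	rp.pubKeys["alice"] = pub // the only credential material the server keeps
	var out Outcome
	ch := rp.NewChallenge()
	sig, err := auth.Assert(rp.ID, ch)
	out.LegitLogin = err == nil && rp.Verify("alice", ch, sig)
	auth.Unlocked = false // nobody has entered the PIN or passed biometrics
	_, err = auth.Assert(rp.ID, rp.NewChallenge())
	out.LockedDevice = err == nil
	auth.Unlocked = true
	_, err = auth.Assert("examp1e.com", rp.NewChallenge()) // phishing look-alike
	out.PhishingSite = err == nil
	out.ReplayedSig = rp.Verify("alice", rp.NewChallenge(), sig)
	return out
}

func main() {
	fmt.Printf("%+v\n", Scenario())
}
```

Only the first case is accepted. The locked device refuses to sign, the look-alike domain has no key to sign with, and a captured signature is useless against a fresh challenge; none of these checks needs anything secret on the server side.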

Passkeys are based on the FIDO standard and work on Android, Chrome, Windows, Edge, macOS, iOS, Safari, etc.

Passkey is based on the FIDO (Fast Identity Online) specification of the FIDO Alliance that applies more robust authentication factors than passwords. Its purpose is to promote a common mechanism that saves us from remembering or managing passwords.

However, above all, it aims to strengthen security by better protecting users. This includes, for example, preventing attacks designed to steal passwords and access credentials, such as phishing attacks.

Goodbye to two-factor authentication (2FA)

Passkey adds an additional benefit for users: passkeys make two-factor authentication (2FA) through mechanisms such as SMS codes, security calls or email links unnecessary.

Example of two-factor authentication (2FA). Photo: Ed Hardie / Unsplash.

Two-factor authentication is now an essential mechanism to strengthen security and protect against credential theft or unauthorized access. However, it is also cumbersome because it requires taking a call or waiting for an SMS or email with a numeric code or link.

How to set up Google Passkey

To use Passkey the Android, iOS, Windows or macOS device must meet a series of minimum requirements that can be checked here.

To activate Passkeys:

  1. Go to g.co/passkeys and log in with your Google account.
  2. Click on the Create passkey option.
  3. Choose which device you want to create the passkey on.

Once created, the passkey is saved on the selected device. It can then be used to log in to Google without typing the username and password.

It is critical to note that once a key is created it can be used by anyone who has access to that device. For example, another person who has your mobile and knows the PIN or unlock pattern.

The passkey is stored on that device and cannot be removed, although it can be shared with other devices belonging to the same user.

In case of loss or theft of the device that stores the passkey, it will be necessary to access the Google account (this time with the usual password) and delete the keys associated with the lost device.

Featured photo: Florian Berger / Unsplash.

Cyber Security Weekly Briefing, 6 – 12 May

Telefónica Tech    16 May, 2023

Security updates for vulnerabilities in Fortinet products

Fortinet has announced a set of security updates that fix a total of 9 vulnerabilities, 2 of which are considered high severity and affect FortiADC, FortiOS and FortiProxy.

On the one hand, there is the security flaw registered as CVE-2023-27999 that affects FortiADC versions 7.2.0, 7.1.1 and 7.1.0. A malicious actor could exploit this flaw through crafted arguments to existing commands, allowing them to execute unauthorized commands.

On the other hand, there is CVE-2023-22640, which arises from a bug in the sslvpnd component of FortiOS versions 7.2.x, 7.0.x, 6.4.x, 6.2.x and 6.0.x, and of FortiProxy versions 7.2.x, 7.0.x, 2.0.x and 1.xx.

This bug allows an authenticated attacker to send specially crafted requests for the purpose of arbitrary code execution. Fortinet recommends updating assets to the latest version available to correct these bugs.

More info

Intel investigates private key leak after MSI incident

MSI recently confirmed a data breach suffered in a security incident that would have caused the leakage of private keys affecting numerous devices.

As a result, Intel is investigating a possible leak of Intel Boot Guard private keys. Boot Guard is a security feature that protects the operating system boot process on Intel processors.

Malicious actors could then use this leak to disable the Boot Guard protection on affected systems, allowing them to insert malicious software into the boot process.

The Binarly research team has published a list of affected MSI hardware.

More info

Microsoft Patch Tuesday includes actively exploited 0-day vulnerabilities

In its latest security update, Microsoft has fixed a total of 38 vulnerabilities affecting several of its products, including Microsoft Windows, SharePoint and Office, of which 6 have been categorized as critical and 32 as important.

Among all of them, three 0-day vulnerabilities stand out, two of which are being actively exploited. The first, registered as CVE-2023-29336, with a CVSSv3 of 7.8 according to the manufacturer, is a flaw in the Win32k kernel driver that could be exploited by malicious actors to obtain SYSTEM privileges.

On the other hand, the security flaw registered as CVE-2023-24932, with a CVSSv3 of 6.7 according to the manufacturer, is a Secure Boot bypass that could be used to install the BlackLotus UEFI malware.

The last of the 0-day vulnerabilities, catalogued as CVE-2023-29325 with a CVSSv3 of 8.1 according to the manufacturer, has not been actively exploited; it is a flaw in Windows OLE, reachable through Microsoft Outlook, that can be exploited by means of specially crafted emails to trigger remote code execution.

More info

SAP fixes 28 vulnerabilities at its May patch day

SAP has released 24 security notes, including a total of 28 vulnerabilities, two of which are classified as critical and nine of which are high priority. Note No. 3328495, considered critical with a CVSS score of 9.8, fixes five vulnerabilities in version 14.2 of the Reprise License Manager (RLM) component used with SAP 3D Visual Enterprise License Manager.

On the one hand, the one identified as CVE-2021-44151, would allow an attacker to hijack the session through brute force.

On the other hand, the one classified as CVE-2021-44152, could lead to an unauthenticated user changing the password of any user, gaining access to their account. CVE-2021-44153 could be exploited to execute a malicious binary. CVE-2021-44154 could cause a buffer overflow.

Lastly, the one identified as CVE-2021-44155 would allow an attacker to enumerate valid users. It is recommended to upgrade SAP 3D Visual Enterprise License Manager to version 15.0.1-sap2, in addition to disabling the RLM web interface.

Additionally, Note No. 3307833, with CVSS 9.1, includes information disclosure bug fixes for SAP BusinessObjects Business Intelligence Platform.

More info

New details about the distribution of Amadey and Redline Stealer

McAfee Labs has published an analysis of the malicious executable used to distribute various types of malware such as Amadey and Redline Stealer. Its original name is wextract.exe.mui and it embeds a CAB file whose RUNPROGRAM attribute is used to start cydn.exe, which in turn contains two other executables, aydx.exe and mika.exe, that are deployed as malware.

On the other hand, there is another attribute, POSTRUNPROGRAM, which contains an instruction to run vona.exe.

All these executables are dropped in the TEMP folder as temporary files and, together with other executables spawned by their child processes, are linked to Redline Stealer and Amadey, as well as to the disabling of security mechanisms.

More info

Featured photo: Freepik.

Pay When You Get Infected by Ransomware? Many Shades of Grey

Sergio de los Santos    9 May, 2023

The Internet is full of articles explaining why ransomware should not be paid. And they are probably right, but if you don’t make a difference between the type of ransomware and who is affected, the reasons given may not make as much sense.

It is therefore necessary to explain the circumstances of the person concerned in order to understand why payment should not be made and, above all, to understand the situation well in order to make the right decisions. 

Two Types of Ransomware

The first thing is to come clean about the fact that there are two types of ransomware.

“Domestic” attack

The first appeared massively around 2012, as a natural evolution of the "police virus" malware, and affected the average user. It has not disappeared since 2017, but its incidence has fallen considerably. These were attacks on unsuspecting random victims, demanding amounts that were large but still within an individual's reach.

This type of "domestic" attack has perhaps a more direct answer: it should not be paid unless there is a good reason to do so.

No one guarantees that the files will be returned (an amusing example is this anecdote in which, despite not having actually infected anything, the attacker still insisted on being paid). Nor does anyone guarantee that the victim will not be extorted again. And most of the time, it is more than likely that the user can carry on living without those many files, data, etc.

But… what if your business, livelihood, clients and future depend on recovering that data? Then the answer becomes more complicated.

Professional attack

This is not the time to blame the victim (they have enough to deal with already) because their backup was also encrypted, did not work, or simply did not exist.

In a professional ransomware attack everything is more complex. We are talking about campaigns that may have involved months of work and study by the attacker, with the sole objective of getting deep inside the network (sometimes an enormous one) and, at the right moment, taking control and encrypting everything. By then it is too late.

Image by DCStudio on Freepik.

The whole system is encrypted, and it sometimes takes months to verify not only that the system has been recovered but also that the attackers cannot get back in.

Here, thousands and thousands of euros are lost every day because of the frustrating impossibility of running the business. The situation is much more critical and serious, and that is why the attackers demand millions of euros as ransom.

At that point a negotiation begins, because when so much is at stake, not paying is not something that is dismissed out of hand. Just as with real-life kidnappings, payment is an option that is always considered.

But it is always the last option. In fact, it is an option that may end up being officially illegal. In July 2019, the US Conference of Mayors, at its annual meeting, recommended not paying: if you pay, you encourage them to keep attacking, they said. In that case, the statement did not go beyond a purely "moral" position, as it was not binding.

Then it went further: in January 2020, two proposals by two senators (one Democrat and one Republican) contemplated banning the use of public money for these ransoms. The Republican senator also proposed the creation of a fund to help organisations improve their cybersecurity.

It keeps going further

The Office of Foreign Assets Control (OFAC) now warns that "companies that facilitate ransomware payments to cybercriminals on behalf of victims, including financial institutions, insurance companies and companies involved in forensic analysis and incident response, not only encourage future ransomware payment claims, but also risk violating OFAC regulations".

The aim would be to fine all of them: those who pay, the intermediaries and those who receive the money (if they can be identified).

More Figures Than You Can Imagine 

In fact, the recommendation is to cooperate with law enforcement rather than pay, and not to involve "front" intermediaries, since doing so may already amount to an illegal, criminalised act.

The reason? Many more victims than we think are paying, to the point that the payment process itself has become a business.

Image by Pressfoto on Freepik

The payment process itself has become a business. 

The ransomware business has become industrialised both on the attackers' side (very elaborate techniques, very professional treatment…) and on the victims' side, who already rely on intermediaries and other figures, such as insurers, to handle the crisis.

When business continuity is critical, the affected companies open several channels at once. Of course, there is the technical recovery attempt, the damage assessment, etc. But other "diplomatic" channels are also opened, which may include contact with the attackers and with other companies.

With the attackers, you bargain and negotiate, establishing a line of dialogue as if it were any other kind of transaction. The extortionists may even offer useful advice after the victim has gone through the checkout. And like any negotiation, it can be delegated.

The intermediaries

In the light of this murky extortion business, intermediaries have emerged offering "consulting" services that handle the negotiation and the payment of the ransom. In this industrialised scenario, payment usually does guarantee recovery.

Going even further, insurers can act as intermediaries. Depending on what the policy covers, these businesses may find it cheaper to pay the attackers than to compensate the affected party for the damage suffered.

In short, a complex web where not everything is so clear when we talk about the amounts involved, and above all very distant from the domestic environment, where the guidelines are usually clearer.

The new laws in the United States seek to strangle the extortionists by preventing their business from being lucrative… but this measure may not be enough, because many times the continuity of legitimate businesses weighs more. Survival… not at any price, but at the one (unfortunately) imposed by criminals.

Featured photo: Omid Armin / Unsplash.

Raspberry Pi for Edge AI: Artificial Intelligence at the Edge for Everyone

Nacho Palou    8 May, 2023

Raspberry Pi is a popular computer widely used among developers, students and fans of computing, robotics, and gadgetry.

Among its virtues are its low cost (a basic kit costs about 20 euros), versatility to run a wide variety of applications and solutions, and a huge community of users who share projects, tutorials, and all kinds of content to get the most out of it.

The most affordable basic configuration of Raspberry Pi is not a powerful computer, although its capacity depends on the model chosen, its configuration, peripherals and added components, and the modifications made by the user.

Even in their most basic and affordable models, Raspberry Pi boards can run programs with multiple purposes and applications.

However, any of its models, even the cheapest, can run applications for many purposes, including controlling home automation installations or robotic systems, or acting as a web server.

Raspberry Pi 1 Model A+. Photo: RASPBERRY PI

The Raspberry Pi boards, however, whatever their processing power, are not as efficient as they could be at running algorithms and Artificial Intelligence models.

Something that Sony wants to solve.

Sony integrates its Edge AI Aitrios platform on Raspberry Pi boards

In order to change this, Sony has announced a “strategic investment” to help “drive the development of Edge AI solutions” by integrating its Aitrios platform into Raspberry Pi boards.

In this way Sony brings AI capabilities to this popular computer, for everyone.

This integration will allow Raspberry Pi users to use the Aitrios platform to run their own Artificial Intelligence solutions; with customized developments tailored to their needs, whether domestic or industrial.

Aitrios provides Raspberry Pi with increased capacity to process data and AI models in real time.

By incorporating this Sony technology, Raspberry Pi devices equipped with Aitrios are more efficient at processing and analyzing data locally, in the same place where that data is generated and where it is needed: at the edge of the network and without the need to send it to a data center or a Cloud platform.

Raspberry Pi boards are increasingly used in the industry due to their low cost, versatility and ability to run a wide variety of applications and solutions. Photo: RASPBERRY PI.

As we saw in a previous article, processing data and running AI models at the edge (Edge AI) is especially useful when an immediate response is required without relying on an internet connection. For example:

  • For the control of drones and self-piloted robots, or for image or voice recognition.
  • When an IoT project is deployed in an area without network coverage or in an isolated environment, without connectivity.

Sony Aitrios platform for IoT devices

Sony’s Aitrios platform enables data processing and efficient execution of AI algorithms and models in IoT devices.

Aitrios is a complete hardware and software solution, scalable and flexible, Sony explains. It can be adapted to a wide variety of IoT devices and applications, is available in different architectures, such as SoC processors or peripheral modules, and can be driven from different operating systems.

These features should facilitate its adoption by the Raspberry Pi user community by facilitating the development and implementation of new projects. In the process, Sony gains for Aitrios a potentially huge user and developer base.

Local machine vision to monitor retailer inventory while protecting customer privacy is an Edge AI use case. Photo: SONY.

On the hardware side, Aitrios uses an ASIC (Application-Specific Integrated Circuit). Compared with CPUs or other general-purpose processors, ASICs are especially efficient at the single task they were designed for.

In this case, the Aitrios processor is specifically designed to run ultra-low-latency machine vision and machine learning models, which will improve the efficiency of Raspberry Pi computers at processing and analyzing data locally.


Featured photo: Karminski / Unsplash.

Cyber Security Weekly Briefing, 29 April – 5 May

Telefónica Tech    5 May, 2023

Critical vulnerability in Zyxel firewalls

Network equipment manufacturer Zyxel has released security patches for a critical vulnerability affecting its firewalls. The vulnerability, discovered and reported by the TRAPA Security team, has been classified as CVE-2023-28771 with a CVSS score of 9.8. It allows an unauthenticated attacker to execute operating system commands remotely by sending crafted packets to an affected device; the vulnerable code path is the IKE packet decoder, so a firewall with UDP/500 reachable from the Internet is exposed even if its management interface is not.

The security flaw affects the following firmware versions:

  • ATP: ZLD V4.60 to V5.35, patched in ZLD V5.36
  • USG FLEX: ZLD V4.60 to V5.35, patched in ZLD V5.36
  • VPN: ZLD V4.60 to V5.35, patched in ZLD V5.36
  • ZyWALL/USG: ZLD V4.60 to V4.73, patched in ZLD V4.73 Patch 1

The vulnerability is not known to have been exploited so far; however, Zyxel recommends upgrading firewalls to the latest available version.

More info

Google releases Chrome 113 with 15 security updates

Google has released to the stable channel version 113 of Google Chrome for Windows, macOS and Linux, which fixes up to 15 vulnerabilities, 10 of them reported to Google through its bug bounty program.

None of the vulnerabilities fixed is rated high or critical. The most relevant is CVE-2023-2459, still without a CVSS score, for which Google paid 7,500 dollars to researcher Rong Jian.

This is an inappropriate implementation issue in Prompts; its severity is considered medium, and it would allow a remote attacker to bypass permission restrictions via a crafted HTML page. This latest iteration of the browser is now deployed as Chrome 113.0.5672.63 for Linux and macOS, and as Chrome 113.0.5672.63/.64 for Windows.

More info

Vulnerabilities in the FRRouting BGP implementation allow attackers to carry out DoS attacks

Researchers at Forescout Vedere Labs have published a report detailing new vulnerabilities in the BGP implementation of FRRouting. The vulnerabilities, already patched and with a CVSS score of 6.5, have been classified as CVE-2022-40302, CVE-2022-40318 and CVE-2022-43681.

The flaws lie in the parsing of BGP messages in FRRouting and could be exploited to cause a denial of service on vulnerable BGP peers. The DoS condition can be prolonged indefinitely by repeatedly sending malicious packets.

It should be noted that two of these issues (CVE-2022-40302 and CVE-2022-43681) can be triggered before FRRouting validates the BGP Identifier and ASN fields, so restricting peering to known AS numbers does not by itself block the attack; only reaching the TCP session with a malformed OPEN is required.
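As an added example, not FRRouting's code nor anything from the original briefing, here is a bounds-checked parser for a BGP OPEN message (RFC 4271, with the extended optional parameters length of RFC 9072) written in Python, alongside constructed messages of the shape the report describes: one that ends right after the optional parameters length octet, one whose parameter length exceeds the bytes present, and one whose header length exceeds what was actually received. Every length is checked against the bytes actually held before it is used, and the BGP Identifier and AS fields are validated only afterwards, which is exactly why a parser must already be memory-safe before those checks run. The sample messages, the AS number and the identifier are assumptions made for the example, not captured traffic.

```python
import struct

MARKER = b"\xff" * 16
HEADER_LEN = 19            # marker(16) + length(2) + type(1)
OPEN_FIXED_LEN = 10        # version(1) + my AS(2) + hold time(2) + identifier(4) + opt parm len(1)
MAX_MSG_LEN = 4096
BGP_OPEN = 1
EXTENDED_LEN_MAGIC = 255   # RFC 9072: OptParmLen == 255 signals the extended encoding


class BgpParseError(ValueError):
    """Raised on any structural problem; the caller should send NOTIFICATION and close."""


def parse_open(msg):
    """Parse a BGP OPEN with a bounds check on every length field.

    Structural checks run first so that a truncated or over-long optional
    parameter block can never cause an out-of-bounds read; semantic checks
    (version, AS, identifier) come last, after the whole message is known to be
    well-formed.
    """
    if len(msg) < HEADER_LEN:
        raise BgpParseError("message shorter than BGP header")
    marker, length, mtype = struct.unpack_from("!16sHB", msg, 0)
    if marker != MARKER:
        raise BgpParseError("bad marker")
    if not HEADER_LEN <= length <= MAX_MSG_LEN or length != len(msg):
        raise BgpParseError("length field %d does not match %d bytes received" % (length, len(msg)))
    if mtype != BGP_OPEN:
        raise BgpParseError("not an OPEN message")

    body = msg[HEADER_LEN:]
    if len(body) < OPEN_FIXED_LEN:
        raise BgpParseError("OPEN shorter than its fixed part")
    version, my_as, hold_time, identifier, opt_len = struct.unpack_from("!BHHIB", body, 0)
    off, plen_size = OPEN_FIXED_LEN, 1
    if opt_len == EXTENDED_LEN_MAGIC:
        # Extended optional parameters length (RFC 9072): 0xFF, 0xFF, then a
        # 16-bit length, and every parameter then carries a 16-bit length too.
        if len(body) < off + 3:
            raise BgpParseError("truncated extended optional parameters length")
        non_ext_type, opt_len = struct.unpack_from("!BH", body, off)
        if non_ext_type != EXTENDED_LEN_MAGIC:
            raise BgpParseError("bad non-extended parameter type marker")
        off, plen_size = off + 3, 2
    end = off + opt_len
    if end != len(body):
        raise BgpParseError("optional parameters length %d disagrees with message length" % opt_len)

    params = []
    while off < end:
        if off + 1 + plen_size > end:
            raise BgpParseError("parameter header runs past end of message")
        ptype = body[off]
        plen = body[off + 1] if plen_size == 1 else struct.unpack_from("!H", body, off + 1)[0]
        off += 1 + plen_size
        if off + plen > end:
            raise BgpParseError("parameter length %d exceeds remaining %d bytes" % (plen, end - off))
        params.append((ptype, body[off:off + plen]))
        off += plen

    # Semantic validation only after the whole message has been bounds-checked.
    if version != 4:
        raise BgpParseError("unsupported version %d" % version)
    if my_as == 0 or identifier == 0:
        raise BgpParseError("bad peer AS or BGP identifier")
    return {"my_as": my_as, "hold_time": hold_time, "identifier": identifier, "params": params}


def build_open(my_as=64512, hold_time=90, identifier=0xC0000201, params=(), extended=False):
    """Encode an OPEN; used only to construct the sample messages below."""
    if extended:
        blob = b"".join(struct.pack("!BH", t, len(v)) + v for t, v in params)
        tail = struct.pack("!BBH", EXTENDED_LEN_MAGIC, EXTENDED_LEN_MAGIC, len(blob)) + blob
    else:
        blob = b"".join(struct.pack("!BB", t, len(v)) + v for t, v in params)
        tail = struct.pack("!B", len(blob)) + blob
    body = struct.pack("!BHHI", 4, my_as, hold_time, identifier) + tail
    return MARKER + struct.pack("!HB", HEADER_LEN + len(body), BGP_OPEN) + body


def with_length(msg):
    """Rewrite the header length so it matches the (possibly truncated) bytes."""
    return msg[:16] + struct.pack("!HB", len(msg), msg[18]) + msg[19:]


MP_CAP = (2, b"\x01\x04\x00\x01\x00\x01")   # capabilities parameter: multiprotocol IPv4 unicast
SAMPLES = {
    "valid": build_open(params=[MP_CAP]),
    "valid_extended": build_open(params=[MP_CAP], extended=True),
    # ends right after the optional parameters length octet that promises 8 more bytes
    "ends_at_opt_len": with_length(build_open(params=[MP_CAP])[:HEADER_LEN + OPEN_FIXED_LEN]),
    # a parameter whose own length field exceeds the two bytes the block actually holds
    "oversized_param": with_length(MARKER + b"\x00\x00" + bytes([BGP_OPEN])
                                   + struct.pack("!BHHIB", 4, 64512, 90, 0xC0000201, 2)
                                   + bytes([2, 200])),
    # header claims more bytes than arrived on the wire
    "short_read": build_open(params=[MP_CAP])[:-3],
}


def classify(msg):
    """Return 'accepted: ...' or 'rejected: <reason>' for one OPEN message."""
    try:
        info = parse_open(msg)
    except BgpParseError as exc:
        return "rejected: %s" % exc
    return "accepted: AS%d, %d optional parameter(s)" % (info["my_as"], len(info["params"]))


if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print("%-16s %s" % (name, classify(msg)))
```

The same five messages double as a minimal regression corpus: feed them to any BGP speaker you operate (or to a fuzzer seed directory) and a daemon that crashes, rather than answering with a NOTIFICATION and closing the session, has the class of bug described above.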

More info → 

Critical Vulnerability in Cisco Phone Adapters

Cisco has issued a security advisory warning of a critical vulnerability in Cisco SPA112 two-port phone adapters. The flaw, logged as CVE-2023-20126 with a CVSSv3 score of 9.8, is due to a missing authentication process in the firmware upgrade feature.

Exploiting this vulnerability could allow an attacker to execute arbitrary code on the affected device with full privileges and, consequently, could help a threat actor move laterally within a network. However, most of these devices are estimated not to be exposed to the Internet, so the flaw is mainly exploitable from the local network.

It should be noted that Cisco has indicated that the affected model has reached end of life, so it will not receive security updates, and it recommends replacing the adapter with the ATA 190 series.

More info

Fleckpe: new Android malware that subscribes victims to premium services

Securelist has found a new Android malware called Fleckpe, spread through at least 11 apps available on Google Play that together accumulate more than 620,000 downloads. Fleckpe subscribes victims, without their consent, to premium services with special pricing, which pass part of the proceeds on to the threat actors.

According to Securelist, Fleckpe has been active since 2022 and has been spread through 11 apps (already removed from the store by Google), most of them image editors. Fleckpe works by receiving from its C2 the URL at which it must subscribe the victim, opening it in an invisible window and intercepting the confirmation code from the notifications. Once the process is complete, the app works normally, so as not to raise the victim's suspicions.

More info

Will Rust save the world? (I)

David García    4 May, 2023

The issue

Programming bugs related to memory usage take a big slice of the CVE (Common Vulnerabilities and Exposures) pie every year.

It has been many years since Elias Levy's (then known as Aleph One) classic and historic article, Smashing the Stack for Fun and Profit, set out in black and white how stack overflows could be exploited, in an era when available information was scarce and not exactly easy to access.

It was soon realised that memory management requires attention and expertise that not all programmers possess. When you create an object in dynamic memory (malloc), you have to keep track of its "lifetime" and free it when it is no longer useful, so that the memory it owns can be reused.

Memory management requires attention and expertise that not all programmers possess.

This discipline is simple to state but devilishly complex to put into practice once a program stops being simple. It is easy to understand why: when an object is created, it does not live in isolation from the rest of the program; it tends to accumulate references (pointers) and establish relationships (sometimes multi-layered) that eventually lead us to ask:

  • If we free the object, will some reference still need to use it? (a dangling pointer)
  • What happens if we use an object that has already been freed? (a use-after-free)
  • What happens if I mistakenly free the same object twice? (a double free)

Garbage collectors: a solution with drawbacks

In the mid-1990s a programming language tried, successfully, to solve the problems of software written in languages with manual memory management, mainly C and C++.

Unsurprisingly, it was Java. The language of the now defunct Sun Microsystems (curious note: remember that there is an IDE for Java called… Eclipse) combined the incipient rise of object orientation with concepts that were not new but were well executed: a virtual machine and a garbage collector, among others.

Photo: Kelly Sikkema / Unsplash

Java was a leap in quality and quantity. Programmers could (almost) abstract from memory management and were more productive. In addition, because Java was easier to learn (or rather, to master) than C and C++, it reduced the entry level for new programmers, which made it more affordable for companies, which in turn were able to complete more complex projects in a shorter period of time.

The Go language, also known as Golang, was born precisely out of frustration with the use of C++ and… Java.

Even today, other programming languages emulate this approach. The clearest example is Go, also known as Golang, born precisely out of frustration with the use of C++ and… Java.

The use of garbage collectors in both of them removes the problem created by manual management, which keeps the language simple and, once again, lowers the barrier to entry for new programmers.

There is only one drawback, and it is not one that can be overlooked. Automatic memory management has a performance cost.

The biggest drawback

Although memory management algorithms are increasingly advanced and implementation techniques allow nanoseconds of performance to be shaved off, garbage collectors have a toll to take: while "rubbish" (unreferenced or unused memory) is being collected, the world grinds to a halt.

Indeed, when it is time to reclaim memory for recycling, the program stops what it is doing, calls the garbage collector and frees memory. Whatever the program was doing at that moment, its world stops for a fraction of a second while it cleans up memory. Once done, it goes back to what it was doing as if nothing had happened.

For many companies, at a large enough scale, this "stop the world" pause translates into an extra line on the server bill.

There are dozens of articles on the subject, almost all of which list the same reasons or complaints: the cost of the garbage collector.

Source: https://discord.com/blog/why-discord-is-switching-from-go-to-rust

It may seem minuscule, but the latency spikes accumulated by large, high-demand applications translate into an economic bill at the end of the chain. No matter how well you program, no matter which algorithms and data structures you use, the world stops to collect rubbish and does not come back until the memory is clean as a whistle.
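As an added illustration (not from the original article), the following Python script makes the pause measurable. CPython frees most objects by reference counting, but objects in a reference cycle can only be reclaimed by its cycle collector, which is a stop-the-world pass of the kind discussed above; gc.callbacks lets us time each pass from inside the process. The object count and the keep-alive window are arbitrary values chosen for the example.

```python
import gc
import time
from collections import deque


class Node:
    """An object that points to itself: its refcount never reaches zero, so only
    the cycle collector (a stop-the-world pass in CPython) can reclaim it."""

    def __init__(self, payload):
        self.payload = payload
        self.me = self


def measure_gc_pauses(n_objects=200_000, keep_alive=1_000):
    """Allocate cyclic garbage and record how long each collection pause lasts.

    Returns the number of collections observed, the objects they reclaimed, and
    the total and longest pause in microseconds.
    """
    stats = {"collections": 0, "collected": 0, "total_pause_us": 0.0, "max_pause_us": 0.0}
    started = []

    def on_gc(phase, info):
        # CPython calls this on the thread that triggered the collection, once at
        # the start and once at the end of the pause; between the two calls no
        # Python code of ours runs.
        if phase == "start":
            started.append(time.perf_counter())
        elif started:
            pause_us = (time.perf_counter() - started.pop()) * 1e6
            stats["collections"] += 1
            stats["collected"] += info["collected"]
            stats["total_pause_us"] += pause_us
            stats["max_pause_us"] = max(stats["max_pause_us"], pause_us)

    gc.callbacks.append(on_gc)
    try:
        live = deque(maxlen=keep_alive)   # only the newest objects stay referenced
        for i in range(n_objects):
            live.append(Node(i))          # evicted nodes become garbage the refcount cannot free
        live.clear()
        gc.collect()                      # a final, explicit stop-the-world pass
    finally:
        gc.callbacks.remove(on_gc)
    return stats


if __name__ == "__main__":
    s = measure_gc_pauses()
    print("%(collections)d collections reclaimed %(collected)d objects; "
          "total pause %(total_pause_us).0f us, longest %(max_pause_us).0f us" % s)
```

Raise n_objects and watch the longest pause grow with the size of the heap the collector has to walk; that growth, multiplied across every process in a fleet, is the "server bill" the article refers to, and it is independent of how well the rest of the code is written.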

The dilemma

So,

  • On the one hand, we have languages with great performance and exceptional execution, but which require suitably qualified personnel (and even so…) and tools that mitigate memory management errors.
  • On the other hand, there are languages that increase productivity and drastically reduce memory management errors (though let's not forget the NullPointerException), but which carry a handicap that makes them hungrier for computational resources.

It is a real dilemma in some cases, although the choice is often obvious given the nature of the project (you are not going to write a Linux kernel module in Perl, nor implement a web application in C, as was done in the 90s).

Barring the extremes, the options are to think through and weigh what we sacrifice against which advantages matter more to us.

The third way

However, what if there was a middle ground? What if we could find a way to get rid of rubbish collector pauses, but still not have to manage memory manually?

How do we do that? Let's see it in the next article.

Featured photo: Mark Fletcher Brown / Unsplash.

The three revolutions of the Contact Center: apple pies, convertibles, and social media

Marina Domínguez    3 May, 2023

Every business relationship begins with a "match". Since the founding of any business, no matter how small, one of its main objectives has been to make itself known to the world and create a two-way communication link that hyper-connects and builds loyalty.

We constantly receive calls from companies that want to offer us services. Or we are the ones who contact them, requesting information or carrying out increasingly complex procedures, from anywhere and at any time of day.

No one would believe that what may seem modern, even futuristic in some cases, with Artificial Intelligence and bots serving customers anywhere on the planet, dates back to nothing less than a Berlin bakery at the end of the 19th century.

Apple pies

In 1881, Alfred Kranler, the young German son of the official pastry chef of the Prussian Empire and heir to his bakery in the capital, was desperate. After the death of his father, coupled with the inclement weather that plagued the harsh Berlin winters, visits to his bakery had dropped considerably and so had his sales.

Photo: Patrick Fore / Unsplash

Before going bankrupt, in a desperate attempt to maintain the legacy his father had left him, Kranler came up with a brilliant idea based on the famous “If Mohammed does not go to the mountain…”: he would publicize his cakes throughout the city by taking them to the neighborhoods so that the locals could get to know and taste them, thus reaching a wider audience.

The problem was that his ambitious project was expensive, and he did not have the money to hire anyone to go around selling his cakes while he stayed in the workshop serving his usual clientele and baking. So he opted to buy a phone book and called the 186 telephone subscribers the city had registered at that time to offer them his famous apfelstrudel, freshly made and warm, promising to deliver it to their homes when he closed the store in the evening.

Success was not long in coming

Kranler’s cakes went viral and in a short time he tripled his sales. People lined up at the door of the bakery in the cold winter and his business endured over time. So much so that, even today, his famous hot apple pie can still be enjoyed in the café of the same name that remains open in the German capital.

Alfred Kranler and his cakes can therefore be credited with the first telephone marketing campaign in history.

And this was just the beginning. A few decades later, another moment of business crisis of a well-known brand sharpened the ingenuity of another visionary, Lee Iacocca, and led us to what we could call the First Communication Revolution: the emergence of the Call Center.

Convertibles

In 1918, Henry Ford, the president of the most important automobile company in the United States, agreed to run for senator for the state of Michigan and handed the presidency of the company to his only son, Edsel Bryant Ford.

Photo: Jorgen Hendriksen / Unsplash

Edsel ran the company with great ambition and the need to prove to his father that it was in good hands. The company would later launch its largest, most luxurious and most expensive model to date and name it after him. But the experiment did not go as expected: the Edsel turned out to be an unreliable vehicle that consumed a lot of fuel and had notable flaws in design and safety, and it ended up being a real failure that brought the company close to bankruptcy.

Edsel died very young, and his father took back the reins of the company for a few years until he was able to leave it to his grandson, Henry Ford II. Henry inherited from his grandfather a complicated situation, at a time when the American financial crisis, together with earlier bad decisions, meant that the future of the corporation was in imminent danger.

Desperate times call for desperate measures

In a display of courage, Henry Ford II decided to surround himself with a young team to turn the company around, giving it a fresher and more popular image by targeting the boomers of the 1960s: an audience with a small budget but eager for freedom of movement.

The result was to invest the entire budget in the creation of the Ford Mustang, an affordable and cheeky sports car designed for that generation of young people. But it had to be made known so that its future drivers could "fall in love" with it.

The task was entrusted to Lee Iacocca, whose challenge was to sell as many units as possible in the shortest possible time in order to return to profit and continue production.

To this end, he launched an initiative in which he hired a team of telephone operators who would use the telephone to arrange visits to the dealership with as many potential customers as possible.

The success was, once again, overwhelming: the campaign lasted two and a half years and contacted 20 million potential buyers. Each of the company's 20,000 salespeople received more than two visits a day, day after day. Visits that would make the Mustang, in its first year, the best-selling sports car the brand had ever made.

This success led Iacocca to the presidency of the company in 1970, and also to go down in history as the “Father of the Call Center”.

Subsequently, this tactic was imitated by all the world’s major corporations, which, together with the boom and deployment of telephony, made telemarketing one of the main pillars of sales revenue.

Social Networks

If we focus on Spain, the beginning of Call Centers was limited by the lack of telephones in homes until the seventies and eighties. That is why, until the 90s, coinciding with the boom in mobile telephony and the emergence of numerous operators, the companies with a team of telephone operators for customer service were very few.

Photo: Adem Ay / Unsplash

Pioneering examples came, for instance, from the banking sector, with La Caixa in the late 80s. The telephone operators subsequently evolved their relationship with customers beyond the telephone: Telephone Centers became Contact Centers where thousands of operators, in addition to answering calls, reached customers through other emerging channels such as email, chat or SMS. This opened up a range of possibilities that made it easier to reach more people in less time. We would then be in the Second Communication Revolution, the rise of Contact Centers.

All this meant that the technology providing the link we mentioned at the beginning had to evolve rapidly, and also to provide security and immediacy.

With the pandemic, the dispersal of company workforces and digital transformation, the way we relate to customers changed once again, towards much more open and disruptive digital channels. Those companies that had not already done so had to adapt quickly to non-conventional sales and service methods in order to continue serving their confined customers and not lose them.

From multichannel to omnichannel

Once again, this forced technology to evolve. Multiple channels began to appear in contact centers, such as video calls, WhatsApp, and social networks, which until then had hardly been considered for business relationships.

The Third Revolution would also be found in the possibility of combining all these communication channels in such a way that the relationship with a customer could start with a message, continue with a call and end with an email without losing the traceability of all this information. This is what we would call omnichannel.

All this brings us to the present day, when the communication paradigm is leading us to the door of what could be the Fourth Revolution: the metaverse and the use of Artificial Intelligence and predictive models to automate, expand and evolve communications as we understand them today thanks to the unstoppable advance of technology and networks.

Will we therefore change our headsets for virtual reality glasses to talk to agents and “match”?