The risks of not having controlled exposure to information (II)

Susana Alwasity    17 November, 2021

As promised last week in the first post of this series, this time we will talk about how to minimise the risks of our digital footprint.

How to minimise the risks of our digital footprint?

The first thing we should focus on is egosurfing. This consists of searching for yourself in the different search engines to see what is available. To do this, it is not enough to search only by our full name; we should also try combinations of our names, e-mail addresses, phone numbers, ID numbers or usernames using dorks, that is, the special operators and symbols offered by the various search engines, such as those provided by Google.

Based on this initial research or analysis, we will go on to collect the information and assess the associated risk. Assessing our exposure and digital footprint on ourselves or our organisations, seeing what is available, where and what risks it carries, is of vital importance to reduce our vulnerability to malicious third parties.

Once we detect and have the exposed information on our radar, in those cases where we have sensitive information, it is advisable to delete or hide the information. To do so, it will be essential to:

  • Keep track of which pages or services we have registered on.
  • Correctly configure the visibility of our profiles on social networks and control the content we upload.
  • When registering for a service or profile, we will be asked for a lot of voluntary information about ourselves, such as likes, hobbies or place of work. It is worth assessing what information we want to provide and reviewing the purpose of the processing of our data.
  • Avoid signing up for dubious-looking services and assess whether registration is necessary. Even if a service promises privacy, there is always the possibility of unintentional data leakage.
  • Use different e-mail addresses for different areas of your life (work, personal, etc.).
  • Do not reuse passwords and keep them under control together with your login details, e.g., through password managers.

Now that we know how to minimise the risks of our digital footprint, let’s see what practical resources we have for information removal. Next week we will tell you about it.

What is happening with the public Ethereum network and will it ever be scalable?

María Teresa Nieto Galán    15 November, 2021

From the beginning, one of the main limitations that we have found in Blockchain technology when developing solutions is scalability. This concept refers to the ability to continue offering a service without compromising its functionality as the number of transactions or requests made increases.

This limitation is inherited from what is known as the blockchain technology trilemma, which is based on three fundamental pillars: security, decentralisation and scalability. This trilemma, like others, alludes to the fact that any network implementation must choose two of these three characteristics and leave one of them in the background. Therefore, by definition, public blockchain networks must be primarily secure and decentralised, so scalability is relegated to the background. In contrast, private blockchains are secure and scalable, but they are not as decentralised as public blockchains.

Ethereum, as a public blockchain network, is no exception, and over the years several events have occurred that compromised its functionality. The first took place at the end of 2017, when the world of ICOs (Initial Coin Offerings) was booming. This trend coincided with the first NFTs in the history of the platform, the Cryptokitties, which came to account for 15% of the network’s traffic.

The second has been with us since the summer of 2020, as two ecosystems are being adopted on a massive scale: DeFi (decentralised finance) and NFTs (Non-Fungible Tokens).

These scalability issues are due to Ethereum’s current mainnet consensus algorithm, the Proof of Work. This algorithm is computationally very expensive and causes the number of transactions per second on this network to be approximately fifteen to twenty.

Gas impact

Every write transaction carries an associated cost called gas and this cost, paid in ether, is calculated by reference to the computational cost of the transaction.

Furthermore, the transaction can be executed faster or slower depending on how much ether we are willing to pay per unit of gas; this amount is known as the gas price. Therefore, when the network is very congested because of its poor scalability and we pay more per unit of gas to speed up our transaction, we drive the gas price up.

Why would this be considered a problem in the business world, you may ask. The answer is simple, and it is because of the associated cost that we find when acquiring or selling a software product.

Imagine now that you want to make a service that is deployed on the public Ethereum network, how would it be monetised if it depends on the value of the ether coin and the gas to be paid for those transactions? How would we cover costs when there are peaks of transactions on the network that end up rising uncontrollably?

Last but not least, two other limitations are the energy cost of validating blocks using the PoW consensus algorithm and the disk space required to store the network blockchain today.

For this reason, more and more solutions are appearing in the ecosystem that independently or jointly try to mitigate these limitations. These can be divided into two groups.

Layer 1 solution

These types of solutions require changes to the Ethereum network protocol and are contemplated in what is known as Ethereum 2.0. Their aim is to attack the Blockchain trilemma and ensure that the network is able to enjoy the three characteristics we talked about at the beginning of the article: security, scalability and decentralisation.

To this end, on the one hand, the Ethereum community has decided to change the network’s consensus algorithm from Proof of Work (PoW) to Proof of Stake (PoS) and, on the other, to fragment the network into different subnetworks using a technique called “sharding”.

Focusing on the first case, it is important to understand the main difference between the two consensus algorithms. While PoW validates transactions by solving a computational problem, which makes it computationally very expensive, PoS uses the coins wagered by users (stake) to validate transactions, eliminating the need for computational power.

This change in the consensus algorithm has already begun with a network known as the “Beacon chain”, which has already been implemented and is currently being tested. The purpose of this chain is to use the Proof of Stake consensus algorithm and to coordinate the shards or sub-networks. This chain cannot handle accounts or smart contracts. It was planned that by 2021 this network would be merged with the Ethereum mainnet; however, everything points to a delay. In addition, this change makes it easier to run a node by keeping hardware requirements low.

As for sharding, this is not a blockchain-specific technique but one already used in conventional databases. This solution involves dividing the chain horizontally into 64 sub-networks or shards to spread the transaction load. This technique allows for higher performance, as each sub-network processes its own set of transactions in parallel. In this way, a validator (the equivalent of a PoW miner) no longer has to process all the transactions occurring in the entire network, thus lightening the transactional load and improving scalability.

Layer 2 solutions

As for the second layer solutions, the final intention is to minimise the number of interactions with the Ethereum main chain, thus grouping transactions in a secure way.

Thus, by reducing the number of interactions, the cost that users must pay to write to the network is considerably reduced and, on the other hand, the throughput of processed transactions is increased, because they are processed as a group and not individually.

Two types of second layer solutions are available: channels, and sidechains and rollups.

  • Channels: This technique is used when two users want to carry out a series of transactions in a row in a short period of time, such as in a chess game. The objective is that, by means of a smart contract, only two transactions are made on the network: the initial one to open the channel and the final one to close it. As long as the channel is open, users can exchange as many transactions as they wish instantaneously without having to rely on blockchain validation. So, if we were in that chess game, you would write the start of the game to open the channel, you would interact on every single move in the channel, and at the moment of checkmate you would close the channel.
  • Sidechains and rollups: A sidechain, or alternative blockchain, is an independent blockchain network that is used to enhance the features of the main blockchain. One of the most widely adopted sidechains today is the Ethereum-compatible Polygon network. A rollup, in turn, is a solution that bundles a group of transactions into a single transaction. In other words, transactions are carried out in a sidechain and then, once the interaction is finished, only the strictly necessary data is sent, grouped together, to the main blockchain.
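The chess-game channel described above, as an added example that is not part of the original post and not code from any real channel implementation. Two on-chain transactions (open and close) bracket any number of co-signed off-chain state updates. The party names, the stake of 10 units and the per-party secrets are constructed; signatures are simulated with HMAC-SHA256 because a real channel contract verifies ECDSA signatures against the parties’ Ethereum addresses, which this sketch does not attempt.

```python
import hashlib
import hmac
import json

# Constructed per-party secrets (simulation only). In a real channel each party
# holds an Ethereum private key and the contract checks ECDSA signatures against
# the parties' addresses; HMAC stands in for that here.
SECRETS = {"white": b"white-secret", "black": b"black-secret"}
STAKE = 10  # constructed stake locked by each player when the channel opens


def canonical(state):
    """Canonical encoding of a channel state so both parties sign identical bytes."""
    return json.dumps(state, sort_keys=True).encode()


def sign(secret, state):
    """Simulated signature: HMAC-SHA256 over the canonical state."""
    return hmac.new(secret, canonical(state), hashlib.sha256).hexdigest()


def verify(secret, state, signature):
    return hmac.compare_digest(sign(secret, state), signature)


class ChannelContract:
    """Stand-in for the on-chain channel contract. Every call that would be an
    Ethereum transaction is appended to on_chain_txs so they can be counted."""

    def __init__(self, verifiers):
        self.verifiers = verifiers  # party -> secret used to check its signature
        self.on_chain_txs = []
        self.state = None
        self.is_open = False

    def open_channel(self, deposits):
        self.on_chain_txs.append("open")  # on-chain tx 1: lock both stakes
        self.state = {"nonce": 0, "balances": dict(deposits), "moves": []}
        self.is_open = True

    def both_signed(self, state, sigs):
        return all(verify(secret, state, sigs.get(party, ""))
                   for party, secret in self.verifiers.items())

    def close_channel(self, state, sigs):
        """Cooperative close: a state co-signed by both parties settles the
        balances. (The dispute path, where one party submits an old state and
        the other has a challenge window to answer, is left out of this sketch.)"""
        if not self.is_open:
            raise ValueError("channel is not open")
        if not self.both_signed(state, sigs):
            raise ValueError("state is not signed by both parties")
        if state["nonce"] <= self.state["nonce"]:
            raise ValueError("stale state")
        if sum(state["balances"].values()) != sum(self.state["balances"].values()):
            raise ValueError("balances do not add up to the locked stake")
        self.on_chain_txs.append("close")  # on-chain tx 2: pay out
        self.state = state
        self.is_open = False
        return dict(state["balances"])


def next_state(state, move):
    """Off-chain update: each move produces a new state with a higher nonce."""
    return {"nonce": state["nonce"] + 1, "balances": dict(state["balances"]),
            "moves": state["moves"] + [move]}


def cosign(state):
    return {party: sign(secret, state) for party, secret in SECRETS.items()}


def play_game(moves, winner):
    """Run a whole game through the channel and report what touched the chain."""
    contract = ChannelContract(SECRETS)
    contract.open_channel({p: STAKE for p in SECRETS})
    state = contract.state
    off_chain_updates = 0
    for move in moves:
        state = next_state(state, move)
        sigs = cosign(state)
        # each side checks the other's signature before accepting the update
        assert contract.both_signed(state, sigs)
        off_chain_updates += 1
    # checkmate: the final co-signed state pays the whole stake to the winner
    loser = next(p for p in SECRETS if p != winner)
    final = next_state(state, "settle")
    final["balances"] = {winner: 2 * STAKE, loser: 0}
    off_chain_updates += 1
    balances = contract.close_channel(final, cosign(final))
    return {"on_chain_txs": len(contract.on_chain_txs),
            "off_chain_updates": off_chain_updates, "balances": balances}


def tampered_close_is_rejected():
    """A party that alters balances after co-signing cannot close the channel."""
    contract = ChannelContract(SECRETS)
    contract.open_channel({p: STAKE for p in SECRETS})
    final = next_state(contract.state, "e4")
    sigs = cosign(final)
    final["balances"] = {"white": 2 * STAKE, "black": 0}  # altered after signing
    try:
        contract.close_channel(final, sigs)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(play_game(["e4", "e5", "Qh5", "Nc6", "Bc4", "Nf6", "Qxf7#"], "white"))
    print("tampered close rejected:", tampered_close_is_rejected())
```

However many moves the game has, `on_chain_txs` stays at 2; the security of the scheme rests on the contract refusing any closing state that is not signed by both parties, which is what `tampered_close_is_rejected` exercises.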

In turn, rollups are classified into two types, depending on the security model to be implemented:

  • ZK-Rollup: executes the computation off-chain and sends a validity proof, built with zero-knowledge proof protocols, to the main chain.
  • Optimistic Rollup: assumes that transactions are always valid by default, and the computation is only executed in case of a challenge. In other words, every aggregated transaction is assumed to be free of fraud, and proofs are only provided when fraud is alleged.
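A simulated optimistic rollup batch, added here as an example that is not part of the original post and not the code of any real rollup. The sequencer executes a batch of transfers off-chain and posts a single L1 transaction carrying only a commitment to the batch data (a Merkle root) and the claimed new state root; a challenger who re-executes the published batch and finds a different root has the material for a fraud proof. Account names, balances and the transfers are constructed; the state encoding and the transaction format are simplifications of this sketch.

```python
import hashlib
import json


def sha(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def encode(obj) -> bytes:
    """Canonical JSON so every node hashes the same bytes."""
    return json.dumps(obj, sort_keys=True).encode()


def merkle_root(leaves):
    """Merkle root over leaf hashes; an odd level duplicates its last node."""
    if not leaves:
        return sha(b"")
    level = list(leaves)
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [sha((level[i] + level[i + 1]).encode())
                 for i in range(0, len(level), 2)]
    return level[0]


def apply_batch(state, txs):
    """Off-chain execution of a batch of transfers; raises on an invalid transfer."""
    state = dict(state)
    for tx in txs:
        if state.get(tx["from"], 0) < tx["amount"]:
            raise ValueError(f"insufficient balance for {tx['from']}")
        state[tx["from"]] -= tx["amount"]
        state[tx["to"]] = state.get(tx["to"], 0) + tx["amount"]
    return state


def state_root(state):
    return sha(encode(state))


def batch_root(txs):
    return merkle_root([sha(encode(tx)) for tx in txs])


def build_rollup_tx(prev_state, txs):
    """The single L1 transaction the sequencer posts for a whole batch: the
    previous state root, a commitment to the batch data and the claimed new
    state root. In an optimistic rollup no proof accompanies it."""
    return {"prev_root": state_root(prev_state), "batch_root": batch_root(txs),
            "new_root": state_root(apply_batch(prev_state, txs)), "n_txs": len(txs)}


def challenge(prev_state, txs, posted):
    """Verifier's fraud check: re-execute the published batch and compare it with
    the posted roots. Returns None if the claim holds, otherwise the reason a
    fraud proof would cite."""
    if state_root(prev_state) != posted["prev_root"]:
        return "prev_root mismatch"
    if batch_root(txs) != posted["batch_root"]:
        return "published batch data does not match the commitment"
    try:
        expected = state_root(apply_batch(prev_state, txs))
    except ValueError as exc:
        return f"batch contains an invalid transaction: {exc}"
    if expected != posted["new_root"]:
        return "new_root mismatch: sequencer claimed a state the batch does not produce"
    return None


# Constructed sample data: an L2 state and a batch of three transfers.
PREV_STATE = {"alice": 50, "bob": 20}
BATCH = [
    {"from": "alice", "to": "bob", "amount": 10},
    {"from": "bob", "to": "carol", "amount": 5},
    {"from": "alice", "to": "carol", "amount": 1},
]


def demo():
    """Honest batch passes; a sequencer crediting itself is caught on re-execution."""
    posted = build_rollup_tx(PREV_STATE, BATCH)
    honest = challenge(PREV_STATE, BATCH, posted)
    forged_state = dict(apply_batch(PREV_STATE, BATCH), sequencer=100)
    fraud = challenge(PREV_STATE, BATCH, dict(posted, new_root=state_root(forged_state)))
    return {"l1_txs_for_batch": 1, "l2_txs": posted["n_txs"],
            "honest_result": honest, "fraud_result": fraud}


if __name__ == "__main__":
    print(demo())
```

Three L2 transfers cost one L1 transaction, which is where the fee saving of the previous paragraphs comes from; the price is that correctness depends on someone actually running `challenge` during the dispute window, which is the trade-off a ZK-rollup avoids by shipping a validity proof with the batch instead.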

Therefore, we can see a clear trend in the blockchain ecosystem towards solving the scalability problems of public blockchain networks. The solutions we are observing most in the short term, and which are already operational, are second-layer solutions. A clear example is the adoption of Polygon as a sidechain in the DeFi ecosystem; this network in particular is currently handling more transactions than the Ethereum network.

However, regarding the first layer solutions, nowadays, these solutions are still in a period of development or testing, so it is not usual to see them applied in productive environments.

Nevertheless, we will soon be able to see these solutions already applied in the ecosystem and we will be able to determine which of them has succeeded over all the others.

Illustration 1 Photo by Max Ostrozhinskiy on Unsplash

Cyber Security Weekly Briefing 6-12 November

Telefónica Tech    12 November, 2021

Microsoft’s security bulletin

Microsoft has published its November security bulletin, in which it has fixed a total of 55 bugs in its software, including six 0-day vulnerabilities, two of which are currently being exploited. The first, classified as CVE-2021-42292 with a CVSS of 7.8, is a security feature bypass flaw in Microsoft Excel. The second 0-day under exploitation (CVE-2021-42321, CVSS 8.8) is a remote code execution vulnerability in Microsoft Exchange Server. The remaining four 0-day vulnerabilities, for which no details have been provided at this stage, are information disclosure flaws in Windows Remote Desktop Protocol (CVE-2021-38631 and CVE-2021-41371) and remote code execution vulnerabilities in 3D Viewer (CVE-2021-43208 and CVE-2021-43209).

More: https://msrc.microsoft.com/update-guide/releaseNote/2021-Nov

Campaign against a recent vulnerability in Zoho

Researchers at Palo Alto’s Unit 42 have published an investigation into a campaign exploiting vulnerability CVE-2021-40539 (CVSS 9.8) in Zoho’s ManageEngine ADSelfService Plus solution. This is the second campaign detected against the same flaw: on 16 September CISA issued a statement confirming that it was being actively exploited by an APT. The exploitation attempts in this second campaign, unrelated to the one exposed by CISA, began on 22 September and did not end until the beginning of October, during which time the threat actor breached at least nine entities in various sectors. In the infection chain, researchers observed that, after gaining access to the victim’s network, either the Godzilla webshell or the NGLite backdoor, both of which are used to move laterally, were installed. As they moved through the infrastructure, they exfiltrated information from the servers until they reached the domain controller, where they installed the credential-stealing tool KdcSponge. It is worth noting that while Palo Alto links this campaign to the APT27 group (TG-3390), of Chinese origin, Microsoft’s Threat Intelligence team, which has also followed the exploitation of the same vulnerability, has attributed the campaign to the Chinese actor DEV-0322, related to the SolarWinds incident.

All details: https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/

Unauthorised access to Aruba Central

HPE has reported a security incident that reportedly resulted in an unauthorised third party gaining access to information in the Aruba Central cloud environment. The actor, who has not yet been identified, gained access by using a stolen access key, which allowed them to view stored user data. In particular, a repository containing customers’ network telemetry data and another with data on the location of WiFi devices were affected, exposing data such as MAC address, IP address, operating system type, host name and username on WiFi networks where authentication is required. According to the information provided by the company, the actor would have had access for the first time on 9 October, and could have retained access until 27 October, when the key was rotated. This means that the data accessed dated back to 10 September at the latest, as it is removed from the repositories every 30 days. HPE reportedly confirmed that no sensitive or confidential data was affected and that no action was required from customers.

More information: https://www.arubanetworks.com/support-services/security-bulletins/central-incident-faq/

Multiple vulnerabilities in AMD’s graphics driver for Windows 10

Private security researchers in collaboration with CyberArk Labs and Apple Media Products RedTeam have reported a long list of vulnerabilities in AMD’s graphics driver for Windows 10. In particular, 18 of the detected bugs have been rated with a high severity as a set of flaws in various APIs could lead to privilege escalation scenarios, denial of service, information disclosure and even arbitrary code execution in kernel memory. Meanwhile, AMD has already addressed all vulnerabilities and has issued an advisory reflecting all assigned CVEs, as well as information on how to apply updates to both AMD Radeon Software and AMD Radeon Pro Software for Enterprise. In addition, AMD has also recently fixed bugs in its AMD EPYC server processor product and performance issues of its processors compatible with the new versions of Windows 11 released by Microsoft.

More: https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1000

Chronicle Of the Attack on A Youtuber Who Knew About Cyber Security

Sergio de los Santos    11 November, 2021

The news recently broke: the youtubers with the largest numbers of followers are being targeted for extortion. The attacks are on the rise and the techniques are not new, but for some time now these attacks have been detected and continue to increase. In fact, they have been for a little more than a year, which is when this story took place.

The beginning of the attack

This youtuber has more than 700,000 subscribers and is well known in the sector. His daily business is dealing with suppliers, manufacturers, advertisers… who send him e-mails with attached documents. He knows perfectly well not to click on links to unknown domains or downloads, he uses an antivirus to check office documents and PDFs, and he does not trust unsolicited approaches. He uses two-factor authentication on all his accounts and… has a friend to call in case of emergency.

One day he received an e-mail from a supplier with whom he had been exchanging e-mails for several days. He didn’t know him, but a relationship had been established. He was actually the attacker, and he had taken the trouble to talk to our youtuber, propose the business and wait for the right moment (several days) to send him a supposed video. The file was 65 megabytes, so he sent the youtuber a Dropbox link, which he downloaded to his computer.

Still, he didn’t trust it. He looked at the extension; he knows he shouldn’t launch executables. The extension was SCR. The attacker didn’t bother to use a double extension, but he might as well have. Our youtuber had, in any case, configured Windows to display even the common extensions that it hides by default. The file icon represented a video.

What is SCR? he asked himself. He googled it and found that it was something to do with screensavers. That might make sense for a video, he thought. Then he right-clicked on it with the intention of scanning it with his antivirus. Nothing, it didn’t detect anything. He saw something curious: “Test” in bold. Could he test the file before launching it? It made sense to him; he concluded that it would be a good security measure to “test” this SCR before running it. Besides, he doesn’t work with the administrator account and it had already been scanned by the antivirus, which made him feel safer. So, he ran it as a “test”. What he didn’t know is that he was simply running it.

SCRs are executable extensions in every sense. Screensavers (and this is a little-known thing) have the possibility to run as “test” and can be tested on any Windows. But there is really little to test… launching an SCR in “test” is the same as executing, and therefore the whole malware payload is launched in exactly the same way. The video icon is trivial to insert into the file and the 65-megabyte weight is artificial, pure filler, to enhance the impression that it is a video. The youtuber was already infected.

The suspicion and the call

The alleged video did nothing, it would not run. And this alerted our youtuber. Something was going on, as the system CPU was reaching 100% at times. He looked at the screen, trying to kill some process, but he wasn’t sure what the malware was or what it was doing. After a few minutes he decided to shut down the computer and call me personally.

He told me what had happened, the alleged video, the precautions… I told him to immediately change all the passwords, while we were talking, to do it from a different mobile or tablet and to protect his channel. But I have two-factor, he said. I told him that it didn’t matter, that they could have stolen his session with cookies. That the SCR could have actually sent the attacker all the tokens of the open sessions in the browser and, if he (the attacker) was attentive at the time, he could get access to his accounts. In fact, he told me that the attacker specifically asked him to tell him when he would more or less watch the video as he was in a hurry. I asked him if he stored any passwords in his browser and he said no, thank goodness.

While I was warning him about this, he tried to change some passwords. He had trouble remembering all the identities he used online, he didn’t have a step-by-step emergency procedure, and now he was regretting it.

But in the middle of the call… he got cut off. I stopped hearing him. I tried to call him but there was no way, the phone wasn’t on. It was as if he had suddenly switched everything off completely. Although it was strange, I thought his battery had run out and he couldn’t charge it at that moment. After about 15 minutes he called me back. This time he was really scared.

The attack

He told me that, while he was talking, the phone had rebooted and started reformatting while in his hands. It was an Android. He felt he was being watched; he was really panicking. Do you use the “Find my device” service? I asked him. Yes, of course, he replied. It was clear that the attacker had accessed the Gmail account associated with the phone and requested a remote wipe of the Android. Is that the same account you use for YouTube? “No,” he said. “That account is just for the phone!” Well done. It was just one of the accounts he hadn’t changed the password of and logged out of. The only one the attacker had been able to access, and he was now desperately trying to inflict maximum damage with it.

I asked for reassurance. He had a bootable USB stick with a Linux distribution, so I guided him through running an antivirus, deleting the malicious file (which was gone) and potential aftermath, recovering some documents, and so on. He had no faith, so finally after recovering his data, he decided to format his Windows.

We went through, once again, all his accounts and, on a completely new system, he finished changing and tidying up his passwords. I didn’t recommend formatting the Android because the attacker had already done it.

Conclusions

Our YouTuber did a lot of things right:

  • He had two-factor authentication.
  • He trusted no one. He questioned files and submissions.
  • He did not store passwords in the browser, and segmented accounts (one for the phone, one for the channel…).
  • He had other systems from which to operate in case of emergency, such as a USB key or tablets.
  • He shut down the computer as soon as he suspected an attack.

What he did wrong:

  • He did not probe further into the nature of an SCR, which is an executable. Still, the context menu “test” did not help to make a decision.
  • He did not have a list of accounts to change passwords in case of emergency.

And yet, he was lucky. The quick password change was effective: it kept the attacker out of his channel and his e-mail. The one account he forgot, the one associated with his Android phone, suffered the attacker’s wrath. It seems that the attacker was very specifically looking to get into the channel, so getting into the phone did not provide him with a bounty to match.

The clearest conclusions could be:

  • Awareness-raising is not enough. Or, in other words, complete awareness is not enough, depending on how you look at it.
  • At any time, all our digital identities or files can be compromised. Apart from backups, there is a need for a clear protocol that can be run from another system. It can be as simple as a list in a TXT file and a series of URLs at which to change passwords, but it is desirable that it exists, along with a clean boot system for a computer, if necessary.

Fraud against financial institutions with particular incidence in France extends its impact to national territory

Rubén Menéndez Díaz    8 November, 2021

In September and October of this year, a malicious campaign was observed in France against the French population, affecting financial institutions, and it has spread to banks in Spain.

The French Deposit Guarantee Fund (FGDR) published an alert warning about scams carried out by threat actors who used the name and logo of this institution on their letterheads and documents in order to gain the trust of their victims by implying that a deposit of up to €100,000 would be guaranteed by the French state in case of loss.

In particular, the following logos to which the institution refers appear in the evidence analysed:

Telefónica Tech’s Digital Risk Protection service has established that this campaign involves a preliminary step. To be precise, the malicious actors make telephone calls, both to individuals and to legal entities located in France, and subsequently send e-mails offering savings and deposit accounts with high annual interest rates. To this end, they register domains carrying the name of the impersonated brand, created specifically for this campaign, which means that the FGDR is not the only entity affected.

Those behind these events are posing as employees of well-known financial companies, using elaborate mailing brochures pretending to be from the company they claim to be (adding that the operations are protected by the aforementioned FGDR, hence the alert that they are being impersonated) and providing attachments with the logo, name and format of the affected brand, which are being hosted on the pandadoc platform.

In this way, the victim is tricked into believing that he or she is opening an account with the entity and transfers a certain amount of money to it. However, the money ends up in an account controlled by the threat actors. The use of legitimate infrastructure also lends the scheme a degree of apparent legitimacy and sophistication.

Among the information that can be provided, for the purposes of certain searches, it is worth noting that malicious actors use the following telephone number pattern: 01 88 83 84 XX, which corresponds to geolocated landline numbers in Paris. Also, some of the names they use are Pascal Delconte, Sophie Labeyre, Eric Noa, Christophe Guerado, Philippe Marchand, Mickael Jolive and Julien Bertaux.

Lastly, three possible malicious bank accounts used in this campaign affecting Spanish assets should be highlighted:

  • IBAN ESXX XXXX XXXX XXXX XXXX XXX1
  • IBAN ESXX XXXX XXXX XXXX XXXX XXX8
  • IBAN ESXX XXXX XXXX XXXX XXXX XXX2

So far, direct spoofing has been detected against at least one national entity and two entities indirectly through the use of accounts possibly breached or controlled by malicious actors.

Cyber Security Weekly Briefing 30 October-5 November

Telefónica Tech    5 November, 2021

Trojan Source: vulnerability in source code compilers

Researchers at the University of Cambridge have published a paper detailing a new attack method called “Trojan Source” that exploits a flaw in most existing source code compilers and software development environments. The method exploits features of text encoding standards such as Unicode, making modifications that generate vulnerabilities in the source code that would go unnoticed by a human and could be implemented in major programming languages such as C, C++, C#, JavaScript, Java, Rust, Go and Python.

As a result, such an attack would lead to a compromise of the software supply chain. In addition, the research warns that vulnerabilities introduced in source code persist in the copy and paste functions of most modern browsers, editors and operating systems, meaning that any developer copying code from an untrusted source into a protected code base could inadvertently introduce “invisible” vulnerabilities into a system. The researchers have already shared these findings with 19 organisations involved, many of which are already developing updates to address the problem in code compilers, interpreters, code editors and repositories (e.g., Rust has catalogued it with the identifier CVE-2021-42574). There are also several proof-of-concepts that simulate attacks in the programming languages described.

All information: https://trojansource.codes/trojan-source.pdf
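A defender-side check for the class of characters the Trojan Source paper describes, added here as an example that is not part of the original briefing and not the researchers’ own tooling. It walks a source file and reports every Unicode bidirectional control character (embeddings, overrides, isolates and their terminators) by line and column, and can rewrite the text with those characters made visible for code review. The sample source it scans is constructed; the bidi classes come from Python’s `unicodedata` module, which exposes the Unicode Bidi_Class property.

```python
import unicodedata

# Unicode bidi format characters: the explicit embeddings, overrides, isolates
# and their terminators that can change how source text is displayed without
# changing how the compiler tokenises it. Values are Unicode Bidi_Class names.
BIDI_CLASSES = {"LRE", "RLE", "LRO", "RLO", "PDF", "LRI", "RLI", "FSI", "PDI"}


def bidi_class(ch):
    """Bidi_Class of a character if it is a bidi control, else None."""
    cls = unicodedata.bidirectional(ch)
    return cls if cls in BIDI_CLASSES else None


def find_bidi_controls(text):
    """Return (line, column, bidi_class, codepoint) for every bidi control in
    the text. Lines and columns are 1-based so they can go straight into a
    review comment or a CI annotation."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for col, ch in enumerate(line, 1):
            cls = bidi_class(ch)
            if cls:
                findings.append((line_no, col, cls, f"U+{ord(ch):04X}"))
    return findings


def make_visible(text):
    """Replace each bidi control with a printable marker so a reviewer sees
    exactly where the display order would be manipulated."""
    return "".join(
        f"<{bidi_class(ch)} {'U+%04X' % ord(ch)}>" if bidi_class(ch) else ch
        for ch in text
    )


def is_clean(text):
    """Gate for a pre-commit hook or CI step: True if no bidi controls exist."""
    return not find_bidi_controls(text)


# Constructed sample: a comment that carries a right-to-left override (U+202E)
# and a pop-directional-isolate (U+2069). The line is harmless as code; the
# point is that neither character is visible in most editors.
SAMPLE_SOURCE = (
    "def is_admin(user):\n"
    "    # access check\n"
    "    return user == \"admin\"  # reviewed \u202e ok \u2069\n"
)


if __name__ == "__main__":
    for line_no, col, cls, cp in find_bidi_controls(SAMPLE_SOURCE):
        print(f"line {line_no} col {col}: {cls} ({cp})")
    print(make_visible(SAMPLE_SOURCE))
```

Running `is_clean` over every file in a pull request is the cheap mitigation the briefing alludes to for copied code: the check is on the raw bytes, so it is indifferent to how an editor chooses to render them. Legitimate right-to-left text in comments or string literals will also be flagged, so a project that needs it should allow-list specific files rather than disable the check.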

BlackMatter announces operational shutdown under pressure from authorities

Threat actors linked to the BlackMatter ransomware have announced the shutdown of operations due to pressure from local authorities. Researchers from the VX-Underground platform have released a screenshot of the statement, posted on the private RaaS (Ransomware-as-a-service) website where operators communicate and offer their services to affiliates. Originally written in Russian, the translation of the message states that BlackMatter’s infrastructure will be shut down in the next 48 hours, although they open the possibility of continuing to provide affiliates with the necessary decryptors to continue their extortion operations. Some media reports suggest that the group’s motivation comes in response to the recent publication of reports by Microsoft and Gemini Advisory linking the FIN7 group (believed to be the creators of BlackMatter) to a public company Bastion Secure, as well as an increase in arrests of individuals belonging to other ransomware groups.

More: https://twitter.com/vxunderground/status/1455750066560544769

Mekotio banking trojan is back with an improved campaign

Checkpoint researchers have detected a new campaign of the Mekotio banking trojan with more than a hundred attacks in recent weeks via phishing emails containing malicious links or zip file attachments. According to researchers, this new wave of attacks started following the operation carried out by the Spanish Guardia Civil last July which led to the arrest of 16 people involved in the distribution of this malware. However, current indications point to Brazil as the command centre of Mekotio’s operators, while maintaining some collaboration from Spain.

Mekotio’s main objective is the theft of banking credentials from Spanish-speaking users, and its current version brings with it striking new features in its attack flow, as its developers have achieved greater stealth and concealment when implementing its techniques. Apart from having more layers of obfuscation, the zip attached to phishing emails contains a script with location and analysis capabilities that allow it to discriminate victims based on their nationality or even detect if the malware is running from a virtual machine, allowing the threat actor to evade detection and therefore successfully deploy the malware.

All details: https://research.checkpoint.com/2021/mekotio-banker-returns-with-improved-stealth-and-ancient-encryption/

Threat actor Tortilla campaign distributing Babuk ransomware

Cisco Talos security researchers have identified an active campaign aimed at deploying Babuk ransomware by exploiting Microsoft Exchange servers vulnerable to ProxyShell and PetitPotam. This campaign is reportedly run by the threat actor known as Tortilla, a group that has been active since July 2021 and primarily targets organisations located in the United States, as well as the United Kingdom, Germany, Ukraine, Finland, Brazil, Honduras and Thailand to a lesser extent. The infection process usually starts with a downloader in DLL or EXE format, which will execute an obfuscated PowerShell command and download the final Babuk ransomware payload by inserting it into a new ad-hoc process (AddInProcess32). Additionally, researchers have also observed the presence of the webshell China Chopper on multiple infected systems; as well as the attempted exploitation of other vulnerabilities in Atlassian, Apache Struts, Oracle WebLogic, or WordPress.

More details: https://blog.talosintelligence.com/2021/11/babuk-exploits-exchange.html

Monitoring technologies, a key element in cyber security

Cristina del Carmen Arroyo Siruela    4 November, 2021

IDS (Intrusion Detection System), IPS (Intrusion Prevention System) and SIEM solutions are fundamental elements in event monitoring and cybersecurity.

IDSs and IPSs are intrusion detection and prevention systems that employ a set of methods and techniques to reveal suspected malicious activity on one or more computer resources, and in the case of IPSs, take action when such potential malicious activity is detected.

IDSs respond to malicious activity by generating alarms. This malicious activity is detected mainly by signature pattern matching, although the exact method depends on the class of IDS. IPSs analyse network traffic in real time and prevent attacks by taking actions according to their configuration and technology.

Unlike firewalls, IDSs and IPSs analyse data packets comprehensively, both headers and payload, looking for known events.

SIEMs are hybrid solutions comprising a SIM (Security Information Management) part and a SEM (Security Event Manager) part. This technology provides the capacity to analyse in real time the (previously configured) security alerts about what is happening in the network or systems.

IDS, detecting intruders

These systems aim to detect and monitor events occurring in the network. This helps to understand attacks, improve protection and estimate their impact.

To detect intrusions in a system, IDSs draw on three types of information: the history of past events, the current system configuration and, finally, the active processes or rules of the system.

These elements perform two main functions:

  • Data collection, by means of sensors or probes installed on hosts or network elements that allow traffic and events to be “listened” to.
  • Generation and notification of alarms whenever the IDS identifies a pattern of intrusive behaviour or malicious activity on the network.

There are different types, depending on factors such as the detection approach, the origin of the data, the structure of the IDS itself or its behaviour.

According to the detection approach, three categories are established.

  • Anomaly detection, which builds a model of normal behaviour using statistical methods or machine learning and alerts on deviations from it; it can catch previously unseen attacks, at the cost of more false positives.
  • Misuse or signature detection, which monitors network activity and compares it against a database of known attack signatures; it is precise for known attacks but blind to new ones.
  • Hybrids, considered the most reliable, combine the two previous approaches, i.e., both anomaly detection and signature detection.
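As an added illustration of the three approaches above (example code written for this page, not taken from the article or from any IDS product), the following Python compares a small signature rule set with a rate-based anomaly model over a constructed set of flow records, and shows why the hybrid catches both a low-volume known attack and a high-volume unknown one. The flow records, the signature regexes, the baseline and the 3-sigma threshold are all assumptions made for the example.

```python
"""Signature, anomaly and hybrid detection over constructed flow records.

Added example for this page; not code from the article or from any IDS
product. Flow records, signatures, baseline and threshold are assumptions.
"""
import re
import statistics
from collections import Counter

# Constructed baseline: five internal hosts with 4..8 quiet HTTPS flows each.
BASELINE = [("10.0.0.%d" % i, 443, "GET /index.html")
            for i in range(1, 6) for _ in range(i + 3)]

# Constructed observation window: the baseline traffic plus two events of
# interest, one low-volume known attack and one high-volume unknown one.
OBSERVED = BASELINE + [
    ("10.0.0.9", 80, "GET /cgi-bin/../../../../etc/passwd"),  # one request, matches a signature
    ("10.0.0.2", 443, "GET /index.html"),                       # normal
] + [("10.0.0.7", 22, "SSH-2.0-OpenSSH_8.4") for _ in range(40)]  # burst with no signature

# Misuse/signature detection: regexes describing known attack patterns.
SIGNATURES = {
    "path-traversal": re.compile(r"(\.\./){2,}"),
    "sqli-tautology": re.compile(r"'\s*or\s+1\s*=\s*1", re.IGNORECASE),
}


def signature_alerts(flows):
    """(src_ip, rule) for each flow whose payload matches a known signature."""
    alerts = []
    for src, _port, payload in flows:
        for name, pattern in SIGNATURES.items():
            if pattern.search(payload):
                alerts.append((src, name))
    return alerts


def anomaly_alerts(flows, baseline, k=3.0):
    """(src_ip, 'rate-anomaly') for sources whose flow count exceeds the
    baseline mean by more than k standard deviations (bursts only)."""
    base = Counter(src for src, _, _ in baseline).values()
    mean = statistics.mean(base)
    sd = statistics.pstdev(base) or 1.0  # flat baseline: fall back to 1 flow as the unit
    alerts = []
    for src, count in Counter(src for src, _, _ in flows).items():
        if (count - mean) / sd > k:
            alerts.append((src, "rate-anomaly"))
    return alerts


def hybrid_alerts(flows, baseline):
    """Union of both detectors: the signature catches the single traversal
    request the rate model never notices, and the rate model catches the SSH
    burst for which no signature exists."""
    return sorted(set(signature_alerts(flows)) | set(anomaly_alerts(flows, baseline)))


if __name__ == "__main__":
    for src, rule in hybrid_alerts(OBSERVED, BASELINE):
        print(f"ALERT {rule:15} src={src}")
```

Run stand-alone, it prints one alert per approach: the signature detector alone misses the SSH burst, and the anomaly detector alone misses the single traversal request, which is the trade-off the hybrid is meant to close. In a real deployment the baseline would be learned over a longer window and per protocol, and the threshold tuned against the false-positive budget of the team that receives the alarms.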

According to the data source, the following classes are established:

  • HIDS (Host-based Intrusion Detection Systems), which monitor data and events generated on the host itself (system and application logs, in most cases via syslog, together with file integrity and process activity) and identify threats at host level.
  • NIDS (Network Intrusion Detection Systems), installed on devices with the interface in promiscuous mode and dedicated to passively listening to and monitoring what happens on the network, acting as a sniffer but with the capacity to generate alarms.
  • Hybrids, which combine HIDS and NIDS, taking the best of each: local detection of malicious activity on systems plus sensors on each network segment.

On the other hand, according to the structure of the IDS, they can be centralised, with sensors that send their information to a central system, or distributed, where nodes collect events locally and then communicate them to a central node.

IPS: the best defence is an attack

The behaviour of IPSs is often likened to that of firewalls, but their level of complexity and completeness is higher.

These elements analyse the entire contents of the packets, both header and payload, for malicious activity and when detected, proceed according to the configuration of the element, either generating an alarm, discarding packets or disconnecting connections.

Its main features are:

  • Automated reaction to incidents through real-time analysis.
  • Application of filters as attacks in progress are detected.
  • Automatic blocking of attacks carried out in real time.
  • Reduction of false alarms of network attacks.
  • Ability to detect applications and implement network security policies at the application layer.

There are several classes according to the technology:

  • HIPS (Host Intrusion Prevention System), installed on the host itself, which monitor processes, system calls and file activity in order to block attacks against that host.
  • NIPS (Network Intrusion Prevention System), deployed inline on the network, which monitor traffic for suspicious activity and drop or block it.

In a more particular way, WIPS (Wireless Intrusion Prevention Systems) are dedicated to wireless networks, with the same functions as a NIPS but for a wireless environment, and NBA (Network Behaviour Analysis) systems model normal network behaviour in order to detect unusual traffic, such as floods or unexpected protocol use.

Differences between IDS, IPS and Next Generation Firewalls (NGFW)

IDSs and IPSs have in common that they analyse packets in their entirety, not just the headers. This is not the case for traditional packet-filtering firewalls, which inspect only the packet headers.

A firewall's response is based on applying a set of configured rules that depend on source and destination addresses, ports and protocol (and, in stateful firewalls, on connection state). Firewalls can deny any traffic that does not meet these criteria, even if it is legitimate and non-malicious.

On the other hand, when an IPS detects malicious activity after packet analysis, it can raise an alarm, discard packets or disconnect connections, depending on the action configured for that event. When IDSs detect malicious activity, they generate an alarm or notification.

Next generation firewalls (NGFWs) have capabilities beyond those of traditional firewalls.

While traditional firewalls detect suspicious traffic and block access to the network according to a predefined blacklist or their configured rules, NGFWs add functions such as intrusion prevention and deep packet inspection, as well as application identification, blocking and management.

SIEMs, monitoring solutions

These solutions have multiple capabilities for collecting, analysing and presenting the information they gather, mainly from security devices (firewalls, sensors, IDS, IPS, etc.) and from systems and applications (servers, databases, etc.).

They are often the main tool used in SOCs (Security Operations Centres) for incident detection and response. The main capabilities of a SIEM are:

  • Correlation and alerting: processing of incoming data to turn raw events into information, linking related events from different sources and generating security alerts when a correlation rule matches.
  • Integration of sources and multiple data: ingestion and normalisation of information received from heterogeneous sources and formats into a common event schema.
  • Dashboards: They have environments that allow the generation of dashboards with the information represented in tables and graphs.
  • Storage and retention: Some have long-term data storage capacity, essential for forensic analysis.
  • Scalability: They can be deployed in hierarchies that allow resources and elements to be added or removed according to the needs of the moment.
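The correlation and source-integration capabilities above are easier to grasp with a concrete rule. The following Python is an added example written for this page (not the article's code, nor any SIEM product's): it normalises two constructed log sources with different formats, an OpenSSH auth log and a key=value firewall export, into one event schema, then correlates them with a rule that fires when several failed logins from one address are followed, within a time window, by a success from the same address, attaching that address's recent firewall denies as context. Host names, addresses, timestamps, the year assumed for syslog lines and the threshold and window are all constructed for the example.

```python
"""Mini SIEM: normalise events from two log sources and correlate them.

Added example for this page; not code from the article or from any SIEM
product. Log lines, hosts, addresses and thresholds are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed source 1: OpenSSH auth log (classic syslog layout, no year).
SSHD_LOG = """\
Nov 04 10:00:01 bastion sshd[812]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Nov 04 10:00:04 bastion sshd[812]: Failed password for root from 203.0.113.7 port 51236 ssh2
Nov 04 10:00:07 bastion sshd[812]: Failed password for root from 203.0.113.7 port 51240 ssh2
Nov 04 10:00:09 bastion sshd[812]: Failed password for root from 203.0.113.7 port 51241 ssh2
Nov 04 10:00:15 bastion sshd[812]: Accepted password for root from 203.0.113.7 port 51244 ssh2
Nov 04 10:00:20 bastion sshd[900]: Failed password for alice from 198.51.100.5 port 40000 ssh2
Nov 04 10:00:25 bastion sshd[900]: Accepted publickey for alice from 198.51.100.5 port 40001 ssh2
"""
# Constructed source 2: firewall export in key=value form with ISO timestamps.
FW_LOG = """\
ts=2021-11-04T09:59:50 action=deny src=203.0.113.7 dst=10.0.0.5 dport=3389
ts=2021-11-04T09:59:55 action=deny src=203.0.113.7 dst=10.0.0.5 dport=445
ts=2021-11-04T10:00:00 action=allow src=203.0.113.7 dst=10.0.0.5 dport=22
"""

SSHD_RE = re.compile(r"^(\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
                     r"(Failed|Accepted) \S+ for (?:invalid user )?(\S+) from (\S+)")
YEAR = 2021  # syslog timestamps carry no year; assumed for the example

# Common event schema used by both parsers: (time, source, outcome, subject, src_ip)


def parse_sshd(text):
    """Normalise sshd lines; subject is the user name."""
    events = []
    for line in text.splitlines():
        m = SSHD_RE.match(line)
        if not m:
            continue  # unrelated sshd message, ignored by this rule
        ts = datetime.strptime(f"{YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S")
        outcome = "fail" if m.group(2) == "Failed" else "success"
        events.append((ts, "sshd", outcome, m.group(3), m.group(4)))
    return events


def parse_firewall(text):
    """Normalise firewall lines; subject is the destination port."""
    events = []
    for line in text.splitlines():
        kv = dict(tok.split("=", 1) for tok in line.split())
        events.append((datetime.fromisoformat(kv["ts"]), "firewall",
                       kv["action"], kv.get("dport"), kv["src"]))
    return events


def correlate(events, threshold=3, window=timedelta(seconds=60)):
    """Alert when >= threshold sshd failures from one IP precede a successful
    login from that IP within the window; firewall denies from the same IP in
    the window are counted as supporting context."""
    alerts = []
    by_ip = defaultdict(list)
    for ev in sorted(events, key=lambda e: e[0]):
        by_ip[ev[4]].append(ev)
    for ip, evs in by_ip.items():
        for ev in evs:
            if ev[1] != "sshd" or ev[2] != "success":
                continue
            start = ev[0] - window
            in_window = [e for e in evs if start <= e[0] < ev[0]]
            fails = [e for e in in_window if e[1] == "sshd" and e[2] == "fail"]
            denies = [e for e in in_window if e[1] == "firewall" and e[2] == "deny"]
            if len(fails) >= threshold:
                alerts.append({"rule": "brute-force-then-success", "src_ip": ip,
                               "user": ev[3], "failures": len(fails),
                               "fw_denies": len(denies), "at": ev[0].isoformat()})
    return alerts


def run():
    """Ingest both sources, normalise them and return the correlated alerts."""
    return correlate(parse_sshd(SSHD_LOG) + parse_firewall(FW_LOG))


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Only the 203.0.113.7 sequence produces an alert: four failures, then a successful root login fifteen seconds later, with two firewall denies (RDP and SMB probes) from the same address just before. The single failure from 198.51.100.5 followed by a key-based login stays below the threshold. Neither source on its own tells the story; the value of the SIEM is the join across them, which is why the normalised schema (same field meaning whatever the original format) matters more than any individual parser.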

The main advantages of having a SIEM in place include:

  • Early detection of incidents, since analysis is carried out in real time, providing information at all times and allowing rapid action to be taken to limit the impact.
  • Forensic analysis capacity, making it possible to identify the origin of an incident, how it happened and to take actions to improve and prevent incidents.
  • It allows the centralisation of information, in such a way that it facilitates the management of the elements integrated in the SIEM.
  • Allows for the identification of anomalous events, operational problems or events that could trigger an incident.

Edge Computing and Virtual Reality, new classmates

Marta Nieto Gómez-Elegido    3 November, 2021

It’s been a little while since the new school year started. New subjects, new challenges and new classmates. Among them, one name is becoming increasingly heard: Edge Computing.

Thanks to its ability to bring processing power as close as possible to the source of data generation, this technology is enabling new educational methodologies to become effective. A huge advantage for students who can enjoy learning experiences that would have been unthinkable in a classroom 20 years ago. But this technology has not arrived in the classroom on its own. Virtual Reality (VR) has joined this new educational adventure.

Who would have thought that studying Gothic architecture in class from inside a convent would be possible? Now it is a reality thanks to Edge Computing, 5G and VR. How? We tell you how.

IE University Case Study

They say a picture is worth a thousand words, and when it comes to learning it seems true. Our ability to take in knowledge and pay attention in class is more agile and motivating if we do it through images, photos and videos, so if we fully immerse ourselves through a VR experience, who knows how many 10’s on average there would be in the classroom?

We can’t talk much about grades yet, we are not psychics, but we can talk about virtual reality through the IE University success story. This educational centre has developed, thanks to the application of Edge Computing and 5G, in collaboration with Telefónica and Nokia, an immersive learning experience in its Segovia Campus.

It is an online architecture seminar where students learn within the same scenario they are studying, streaming it from their own devices as if they were physically there. They do this with the help of three key components:

  • 5G: provides the low latency needed for a smoother immersive experience, an important point in VR so that users do not get dizzy.
  • Edge Computing: deployed near the IE University campus, it offers minimal latency and faster processing of information, allowing the processing that would otherwise be done in a VR headset to be offloaded to the Edge.
  • VR: building on the Edge and 5G, specific video technology generates 3D video streams for the headsets, improving the experience perceived by users.

What Edge Computing and VR bring to the classroom

Undoubtedly, the combination of these technologies will represent a breakthrough for the development of new educational methodologies, opening up more immersive and dynamic spaces for better academic performance.

This is a step towards learning environments where personalisation has more weight, focusing on the interests and abilities of each student. A competitive advantage for the future, where both the Edge and VR will become the best classmates.

Cyber Security Weekly Briefing 23-29 October

Telefónica Tech    29 October, 2021

Google fixes two 0-days in Chrome browser

Google has released a new Chrome update (95.0.4638.69) for Windows, Mac and Linux that fixes seven vulnerabilities, two of them 0-days. The first, CVE-2021-38000, rated high, is described as insufficient validation of untrusted input in Intents; the second, CVE-2021-38003, also rated high, is described as an inappropriate implementation in V8. Google states that exploits for both exist in the wild but has not offered further details for now; since the flaws were found by researchers from Google TAG and Project Zero, the details will likely appear in future reports from those teams.

More details: https://chromereleases.googleblog.com/2021/10/stable-channel-update-for-desktop_28.html

New activity from Russian actor Nobelium

Microsoft’s Threat Intelligence team has detected new activity by the Nobelium group, identified by the US government as part of Russia’s Foreign Intelligence Service (SVR) and blamed for the 2020 SolarWinds supply chain attack. The new campaign has been running since May, is focused mainly on the United States and Europe, and follows a strategy similar to previous campaigns but aimed at a different part of the supply chain: this time Nobelium has tried to gain access to customers of multiple Cloud Service Providers (CSPs), Managed Service Providers (MSPs) and other organisations that provide IT services to businesses. Notably, the group has been observed chaining access across four different providers to reach a single end target, showing the range of techniques and the complexity this actor brings to exploiting trust relationships between companies. Microsoft estimates that some 140 resellers and service providers have been targeted and that as many as 14 have been compromised since May 2021.

All details: https://blogs.microsoft.com/on-the-issues/2021/10/24/new-activity-from-russian-actor-nobelium/

Squirrelwaffle: new malware distributed in malspam campaigns

Researchers at Cisco Talos have warned of a new malware family, first seen in September 2021, called Squirrelwaffle. It spreads through malspam campaigns and, in the most recent ones, is used to infect systems with Qakbot and Cobalt Strike, giving attackers an initial foothold in systems and their network environments from which to carry out further compromise. As previously seen with threats such as Emotet, the campaign hijacks stolen email threads and crafts reply messages in the language of the original thread, adapting dynamically to the locale. The malicious emails contain links to ZIP files hosted on web servers; the archives hold .doc or .xls files whose macros, if enabled, retrieve the malware, and a DocuSign-themed lure is used to persuade the victim to enable them. Squirrelwaffle also carries an IP blocklist of security firms in an attempt to evade detection and analysis. Finally, researchers consider it a potential successor to Emotet and warn that the campaigns may escalate over time as the botnet grows.

Information: https://blog.talosintelligence.com/2021/10/squirrelwaffle-emerges.html

Vulnerabilities in Diebold Nixdorf ATMs

Researchers at Positive Technologies have discovered vulnerabilities in Wincor Cineo ATMs, owned by Diebold Nixdorf, fitted with the RM3 and CMD-V5 dispensers. Two vulnerabilities with a CVSSv3.0 score of 6.8 have been found; exploiting them could allow cash to be withdrawn by accessing the USB port of the dispenser controller, where an attacker could install an outdated or modified firmware version to bypass encryption and make the ATM dispense cash. The first vulnerability, CVE-2018-9099, was found in all versions of the CMD-V5 dispenser firmware; the second, CVE-2018-9100, in all versions of the RM3/CRS dispenser firmware. The attack scenario consists of three steps: connecting a device to the ATM, loading outdated and vulnerable firmware, and exploiting the flaws to gain access to the cash cassettes inside the safe. The researchers urge financial institutions to request the latest firmware version from the ATM manufacturer to fix the vulnerabilities.

More information: https://www.ptsecurity.com/ww-en/about/news/positive-technologies-demonstrates-how-attackers-could-hack-diebold-nixdorf-atms/

0-day vulnerability in Windows

Security researcher Abdelhamid Naceri has published details of a 0-day elevation of privilege vulnerability that affects all versions of Windows, including Windows 10, Windows 11 and Windows Server 2022. Naceri had already reported the flaw, tracked as CVE-2021-34484, to Microsoft, which reportedly fixed it in August; on examining the fix he found the patch insufficient and was able to bypass it with a new exploit, which he has published on GitHub. Since the bug requires the attacker to know a user’s name and password, it is likely to see less use in widespread attacks than other elevation of privilege vulnerabilities.

All details: https://halove23.blogspot.com/2021/10/windows-user-profile-service-0day.html

Facebook affected by compromise of JavaScript development packages

Diego Samuel Espitia    27 October, 2021

Programming languages such as Python and JavaScript, which in 2021 compete for the top spot in developer popularity rankings, are behind the services we use every day on the Internet and on our mobile phones.

For these developments to work and for communities to grow at this rate, the complexity of the languages has to be abstracted away, which is why most of them have repositories where communities publish packages that simplify development tasks.

For example, on PyPI, the Python package index, we have published a package that lets you use DIARIO from any Python development, simplifying the detection of malware embedded in documents while protecting the privacy of your information.

However, third-party packages have become an attack vector that criminals exploit more and more each day. We have been discussing and studying this since the end of 2019, which led us to build PackageDNA, an open-source framework that lets developers analyse the packages they are going to pull in from development libraries before using them.

Unfortunately, this type of attack is in the news again after a compromised package put one of the main companies in the technology sector, Facebook, at risk. One of the packages this company (and many others) uses in its developments, in order to identify the browser and operating system from which its services are accessed, was recently reported as compromised in its own GitHub repository.

The compromised package is ua-parser-js, one of the most widely used, with just over 8 million downloads in a week and 1,219 packages that declare it as a dependency.

As can be seen, the registry reports 52 versions. Versions 0.7.29, 0.8.0 and 1.0.0 are listed as compromised in the GitHub advisory, but none of them is available in the registry any more.

Figure 3: Available versions of ua-parser-js

When trying to analyse all versions with PackageDNA, we found that the npm registry only allows the most recent versions to be downloaded.

Figure 4: PackageDNA analysed versions of the UA-parser-js package

In the analysis, a suspicious typosquatting package is detected (note ua-parsers.js, which is not exactly the same as ua-parser-js), and following the link to the package in question shows that it has already been removed.

Figure 5: Possible typosquatting package from ua-parser-js

Although this package was removed, it can still be downloaded and scanned locally with PackageDNA, and fortunately the analysis reports nothing malicious. The developer is not the same as the original ua-parser-js author: his nickname is joenix and he has 172 packages in the npm registry.

Figure 6: Developer of the possible typo package of ua-parser-js

Another detection made by PackageDNA, through Microsoft’s Application Inspector, is the use of dependencies on an audio/video media codec, flagged as high confidentiality risk and critical severity.

Figure 7: AppInspector detection on UA-parser-js

This is further evidence of the need to carry out security reviews of the packages that developments depend on, since they can be compromised at any time and put the services that deploy them at risk.
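Two of the checks that such a review should include are exactly the ones this case illustrates: pinning down whether a lockfile resolved to a version named in an advisory (0.7.29, 0.8.0, 1.0.0 above) and spotting dependency names that are a typo away from a popular package (ua-parsers.js versus ua-parser-js). The following Python is an added example written for this page, not PackageDNA’s code nor npm’s; it audits a constructed npm lockfile for both conditions. The lockfile contents, the 1.0.2 version of the look-alike package, the watch list of popular names and the edit-distance threshold are assumptions made for the example.

```python
"""Audit an npm lockfile for known-compromised versions and typosquat names.

Added example for this page; not PackageDNA's or npm's code. The lockfile,
the look-alike package's version and the watch list are constructed.
"""
import json

# Versions named as compromised in the GitHub advisory the article cites.
COMPROMISED = {"ua-parser-js": {"0.7.29", "0.8.0", "1.0.0"}}
# Assumed watch list of popular names to guard against look-alikes.
WATCHED = ["ua-parser-js", "lodash", "express"]

# Constructed lockfile in the lockfileVersion 2 layout, trimmed to what matters.
LOCKFILE = json.dumps({
    "name": "demo-app", "lockfileVersion": 2,
    "packages": {
        "": {"dependencies": {"ua-parser-js": "^0.7.28", "ua-parsers.js": "*", "express": "^4.17.1"}},
        "node_modules/ua-parser-js": {"version": "0.7.29"},
        "node_modules/ua-parsers.js": {"version": "1.0.2"},
        "node_modules/express": {"version": "4.17.1"},
        "node_modules/express/node_modules/lodash": {"version": "4.17.21"},
    },
})


def installed_packages(lock_text):
    """Yield (name, version) for every installed package in a v1 or v2/v3 lockfile."""
    lock = json.loads(lock_text)
    if "packages" in lock:                        # lockfileVersion 2 and 3
        for path, meta in lock["packages"].items():
            if path == "":                        # the root project itself
                continue
            name = path.split("node_modules/")[-1]  # nested paths keep the last segment
            yield name, meta.get("version")
    else:                                         # lockfileVersion 1
        def walk(deps):
            for name, meta in deps.items():
                yield name, meta.get("version")
                yield from walk(meta.get("dependencies", {}))
        yield from walk(lock.get("dependencies", {}))


def edit_distance(a, b):
    """Damerau-Levenshtein (optimal string alignment) distance: an adjacent
    transposition counts as one edit, which is how typos are usually made."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def audit(lock_text, max_distance=2):
    """Return (finding, package, detail) tuples for compromised versions and
    names within max_distance edits of a watched package name."""
    findings = []
    for name, version in installed_packages(lock_text):
        if version in COMPROMISED.get(name, ()):
            findings.append(("compromised-version", name, version))
        for popular in WATCHED:
            if name != popular and edit_distance(name, popular) <= max_distance:
                findings.append(("possible-typosquat", name, popular))
    return findings


if __name__ == "__main__":
    for finding in audit(LOCKFILE):
        print(*finding)
```

Note the caret range in the constructed root dependency: `^0.7.28` is satisfied by 0.7.29, which is how a patch-level bump pushed by an attacker reaches projects that never asked for it; the lockfile is the only place where the resolved version is recorded, so it, not package.json, is what the audit must read. The edit-distance check is deliberately applied only against a watch list, because comparing every dependency against every other name in the registry produces far too many false positives to be useful.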

It is becoming increasingly common to find this type of threat, and criminals continue to look for loopholes in the supply chain that let them affect larger targets or deploy threats that generate profit, as in this case, where the compromise inserted a cryptominer into the system.