What’s new in the OWASP 2021 ranking?

David García    29 September, 2021

OWASP, the foundation focused on web application security, has recently updated its ranking of the most prominent risks. Let’s take a look at the reorganised top ten, commenting briefly on which aspects of security each category touches on.

What is the “OWASP top 10”?

The OWASP top 10 is a fairly popular ranking in the world of web security and auditing, albeit nuanced and not without some controversy in the past. The list was first compiled in 2003 and updates have been published more or less regularly every three years since then.

Of course, the list is not representative of all risks in web applications. In fact, it is likely that some of the items on this list do not apply to certain types of applications, while other risks that are not on the list could critically affect them.

It should be read as an indication of where the frontiers of the global risk map are moving, rather than as a detailed blueprint of where any particular application’s security emphasis should be placed.

The ranking is based on data gathered from a significant number of web applications (eight of the ten categories come from that data) and on an industry survey in which practitioners indicate the risks that concern them most (the remaining two categories).

1. In first place, up from fifth, we have A01:2021-Broken Access Control. This category covers every flaw that lets an attacker bypass a control that should have restricted access to a resource. Such flaws can originate anywhere from the application code itself to configuration errors made at deployment. A simple example is a privileged API that can be called by anyone because it does not correctly check the permissions of the requester.


2. Second place (up from third) goes to A02:2021-Cryptographic Failures. Cryptography is hard: the concepts are complex to understand and even harder to apply in practice without mistakes. Add to this that failures in cryptographic libraries are often cross-cutting: one bug affects the myriad of libraries and programs that depend on them. Cryptographic findings fill (rather, flood) audit reports: use of an obsolete hash function, encryption that is too weak, an insecure block cipher mode, and of course the absence of any encryption at all.


3. Third place is a surprise: after years at the top, injection drops several notches. A03:2021-Injection groups every vulnerability in which untrusted input ends up being interpreted as code or commands, whether on the client (the browser) or on the server; in other words, both cross-site scripting, which now lives in this category, and SQL injection. Progress in programming languages, secure libraries and secure coding techniques (parameterised queries, context-aware output encoding, template engines that escape by default) undoubtedly has something to do with this. It is no reason to let our guard down, but it may be good news.

4. Fourth place goes to a category new to the ranking: A04:2021-Insecure Design. It is an amalgam of flaws in the design of the logic and controls that should ensure the application behaves correctly, flaws that no amount of careful implementation can fix afterwards. Examples are a shopping cart that accepts a negative number of items, or a password recovery flow based on “secret questions” that anyone can guess. As we can see, it is a catch-all for errors made before a line of code is written that put the security of the application at risk.


5. A05:2021-Security Misconfiguration moves up one place, from sixth to fifth. Although it could be confused with the previous category, it refers to security aspects that have to be reviewed in the context of configuration rather than of design and implementation. The clearest examples are a web server that lists whole directories or that returns stack traces in its error responses. Third-party products typically ship with an open default configuration so as to cause as few conflicts as possible; hardening that configuration should be a natural part of the development and deployment cycle.

6. Sixth place belongs to A06:2021-Vulnerable and Outdated Components, up from ninth. It is almost self-explanatory: the application contains vulnerable or outdated components. The most direct example is a WordPress plugin that is out of date, vulnerable or abandoned by its developers. A system is not built, deployed and then forgotten: software has to be tended like a garden, or the bugs will end up eating the fruit.

7. A07:2021-Identification and Authentication Failures, formerly known as Broken Authentication, also drops sharply: from second to seventh. Easily confused with access control, identification and authentication is the first step in obtaining permissions and privileges at the application level. The category covers not only risks at the point of authentication but also the lifecycle of the user session: the robustness of the session token, how it is exposed, and how long it remains valid.

8. Eighth place is taken by a new category covering risks that have made many headlines: A08:2021-Software and Data Integrity Failures. It deals with everything related to the integrity and verification of sources when we install, update or rely on supporting infrastructure (continuous integration, …). Remember the “supply chain” attacks? This category is the result of recognising that kind of attack as a critical threat we cannot ignore. We have to watch not only what we build ourselves but also what we bring in from outside.

9. A09:2021-Security Logging and Monitoring Failures moves up one place and changes its name from Insufficient Logging & Monitoring, which is hardly surprising. An application generates an astronomical number of events. How many of them are security alerts? And, better still, which of those are real and critical? The category covers everything from the absence of event logging to the proper storage and management of the events collected. There is no point in having done your homework on every other front if you do not know what is happening and cannot act in time.

10. The ranking is closed by A10:2021-Server-Side Request Forgery, the industry’s number one concern according to the OWASP survey. It is practically the only category that names a single, specific vulnerability type. Not surprisingly: its impact ranges from the discovery of services exposed on the internal network, through access to non-public resources (files, databases, …), to arbitrary code execution in some cases.
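Item 1 above (A01, Broken Access Control) in code, as an added example that is not part of the original article: the same lookup with and without an authorisation check. The Invoice table, the role name and the handler functions are hypothetical stand-ins for a web application's data layer and request handlers.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    id: int
    owner: str
    amount: float


# Constructed sample data standing in for a database table.
INVOICES = {
    1: Invoice(1, "alice", 120.0),
    2: Invoice(2, "bob", 75.5),
}
PRIVILEGED_ROLE = "finance-admin"   # hypothetical role allowed to read any invoice


class Forbidden(Exception):
    """Raised when the caller may not see the requested object."""


def get_invoice_vulnerable(invoice_id: int, current_user: str) -> Invoice:
    """Authentication has happened (we know who current_user is) but there is
    no authorisation: any logged-in user reads any invoice by changing the id."""
    return INVOICES[invoice_id]


def get_invoice_hardened(invoice_id: int, current_user: str,
                         roles: frozenset = frozenset()) -> Invoice:
    """Deny by default. The decision is taken server-side on the object that
    was actually fetched, never on anything the client claims about itself."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        # Same error for 'missing' and 'not yours', so ids cannot be enumerated.
        raise Forbidden("access denied")
    if invoice.owner != current_user and PRIVILEGED_ROLE not in roles:
        raise Forbidden("access denied")
    return invoice


def can_read_invoice(invoice_id: int, current_user: str,
                     roles: frozenset = frozenset()) -> bool:
    """Policy check wrapper: True only if the hardened path allows the read."""
    try:
        get_invoice_hardened(invoice_id, current_user, roles)
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    # alice reads bob's invoice through the vulnerable path, but not the hardened one
    print(get_invoice_vulnerable(2, "alice"))
    print(can_read_invoice(2, "alice"),
          can_read_invoice(2, "alice", frozenset({PRIVILEGED_ROLE})))
```

The check belongs next to the data access, on the object fetched, so that a new endpoint cannot forget it; returning one generic error for both "missing" and "not yours" also stops the id space from being enumerated.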
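Item 2 above (A02, Cryptographic Failures) illustrated with the most common audit finding, password storage, as an added example that is not from the original article: an obsolete unsalted hash beside a salted, iterated KDF using only the Python standard library. The iteration count is an assumption to be tuned to your own hardware.

```python
import hashlib
import hmac
import secrets

# Work factor for PBKDF2-HMAC-SHA256. Assumption: 600,000 is the OWASP Password
# Storage Cheat Sheet figure at the time of writing; tune it to your hardware.
ITERATIONS = 600_000


def hash_password_obsolete(password: str) -> str:
    """What audit reports keep finding: unsalted MD5. Equal passwords give equal
    hashes, and one precomputed table cracks the whole user base."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Per-user random salt plus a slow, iterated KDF. The record is
    self-describing so the work factor can be raised later without a migration."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iterations, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(dk_hex))


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record),
          verify_password("wrong", record))
```

Two details matter as much as the algorithm choice: the salt is generated with `secrets`, not `random`, and the comparison uses `hmac.compare_digest` so a timing difference does not leak how many bytes of the hash matched.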
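Item 3 above (A03, Injection) on both sides the text mentions, as an added example that is not part of the original article: a SQL query built by string concatenation beside its parameterised form, and an HTML fragment that reflects input beside its output-encoded form. The in-memory SQLite table and the `users` rows are constructed for the demonstration.

```python
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the application database."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, role TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return con


def find_user_vulnerable(con: sqlite3.Connection, name: str) -> list:
    """Untrusted input concatenated into the statement: the input becomes SQL."""
    query = f"SELECT name, role FROM users WHERE name = '{name}'"
    return con.execute(query).fetchall()


def find_user_safe(con: sqlite3.Connection, name: str) -> list:
    """Parameterised query: the driver sends the value separately from the code,
    so quotes in the input are data, not syntax."""
    return con.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


def greeting_vulnerable(name: str) -> str:
    """Server-side template that reflects input straight into HTML (XSS)."""
    return f"<p>Hello {name}</p>"


def greeting_safe(name: str) -> str:
    """Output encoding for the HTML element context. Attribute, JavaScript and
    URL contexts need their own encoders; one escape does not fit all."""
    return f"<p>Hello {html.escape(name, quote=True)}</p>"


if __name__ == "__main__":
    con = make_db()
    payload = "x' OR '1'='1"
    print(find_user_vulnerable(con, payload))   # every row comes back
    print(find_user_safe(con, payload))         # nothing has that literal name
    print(greeting_safe("<script>alert(1)</script>"))
```

The same payload returns the whole table through the first function and nothing through the second; the fix is not escaping quotes by hand but keeping code and data on separate channels, which is exactly what the parameter placeholder does.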
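Item 10 above (A10, Server-Side Request Forgery) as an added example that is not part of the original article: a check that vets a user-supplied URL before the server fetches it, rejecting non-HTTP schemes, embedded credentials and any host that resolves to a non-public address, including the cloud metadata address hidden in an IPv4-mapped IPv6 literal. The resolver is injected, and the `FAKE_DNS` table is constructed, so the code runs offline; in production the resolver would wrap `socket.getaddrinfo` and the returned address would be the one actually connected to.

```python
import ipaddress
from typing import Callable, List
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def is_public_address(address: str) -> bool:
    """True only for globally routable addresses. IPv4-mapped IPv6 is unwrapped
    so ::ffff:169.254.169.254 is judged as the IPv4 address it hides."""
    ip = ipaddress.ip_address(address)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global


def vet_outbound_url(url: str, resolver: Callable[[str], List[str]]) -> str:
    """Returns the single IP the caller should connect to, or raises ValueError.

    resolver(host) -> list of address strings is injected so this runs offline in
    tests and so production code can pin the vetted address when it connects
    (re-resolving at connect time reopens the DNS-rebinding window). Redirect
    targets must go through the same check before being followed."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:
        raise ValueError("userinfo in URL not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("URL has no host")
    try:
        addresses = [str(ipaddress.ip_address(host))]   # IP literal: nothing to resolve
    except ValueError:
        addresses = resolver(host)
    if not addresses:
        raise ValueError(f"unresolvable host: {host!r}")
    for address in addresses:          # every answer must be public, not just the first
        if not is_public_address(address):
            raise ValueError(f"{host!r} resolves to non-public address {address}")
    return addresses[0]


def is_safe_outbound_url(url: str, resolver: Callable[[str], List[str]]) -> bool:
    try:
        vet_outbound_url(url, resolver)
        return True
    except ValueError:
        return False


# Constructed resolver table for the demonstration; no real DNS is consulted.
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "metadata": ["169.254.169.254"],                 # cloud instance-metadata endpoint
    "rebind.test": ["93.184.216.34", "10.0.0.5"],    # public and private answers mixed
}


def fake_resolver(host: str) -> List[str]:
    return FAKE_DNS.get(host.lower(), [])


if __name__ == "__main__":
    for u in ["https://example.com/report", "http://metadata/latest/meta-data/",
              "http://127.0.0.1:8080/admin", "http://[::ffff:169.254.169.254]/",
              "file:///etc/passwd", "http://rebind.test/"]:
        print(u, "->", is_safe_outbound_url(u, fake_resolver))
```

A denylist of addresses is the floor, not the ceiling: where the set of legitimate destinations is known, an allowlist of hostnames is simpler and safer, and the outbound proxy or egress firewall should enforce the same policy independently of the application.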

A new scenario for cybersecurity

This is the new scenario that OWASP paints for 2021. The changes are clear, but although the categories are presented as an ordered list, we cannot read the risk to our own application from a category’s position in it. You only have to go through the Web Security Testing Guide to see how much wider the set of risks is.

The top ten is a sample of the hottest or most important points, but we must not lose sight of the rest. Doing so can leave us in an awkward position if we fail to give weight to issues that do not fall into the ten categories listed.

Read more:

https://owasp.org/Top10/

https://owasp.org/www-project-web-security-testing-guide/stable/

Data as a secure asset

Raúl Hernáinz Ortega    28 September, 2021

Data Management Summit as a preamble

We are approaching one of the events where Telefónica will be present, and not only present, but also participating with its best professionals. An event that we believe will be a firm commitment to bring the target audience closer to obtaining the value represented by data as knowledge. This is the Data Management Summit Spain 2021. An unbeatable opportunity to share experiences, guiding the community around the management and use of data within the technological landscape, encouraging the exchange of best practices that the various speakers will offer on different topics.

To the ‘sound’ of the European Union

The European Union is setting the pace and, in order to drive digitalisation, is working on a strategy to enable data sharing and commercialisation. This moment of transition is a perfect time to take advantage of that data. But be careful: making proper use of data does not mean a free-for-all, and throughout, the good use of data must be prioritised, with a focus on protection and privacy. It is necessary to talk about terms such as transparency, ethics, corporate social responsibility and, in short, data sovereignty and empowerment.

Blockchain as an enabler of exchange

This is where Blockchain comes in, one of the current trends for ensuring the protection and privacy of the information generated. Exchanging information with guarantees and trust, in compliance with current personal data regulations, means that the portability of that data can be as accessible as it is secure and anonymised. The fundamental motto underlying the FAIR principles already said as much some time ago:

“Data as open as possible, as secure as necessary”

Under this motto and in the current context, the exploitation of personal and non-personal data should require an explicit design of authorship. With Blockchain, the traceability of information through a certification process is already a reality. Alluding to the concept of “security as it is”, and by means of a digital signature, it is possible to justify at any moment what data is being shared and by whom, which not only increases security but also guarantees non-repudiation. This makes it straightforward to verify that sender and receiver have shared information, leaving no room to deny that the exchange took place, and makes it a suitable way to prevent fraud.

Conclusion

Guaranteeing the reliability, integrity and availability of data is essential. The data producer-consumer phenomenon as an e-commerce platform is becoming increasingly fashionable. And topics such as Data Sharing Agreements (DSAs), Smart Data Contracts (SDCs) or Data Marketplaces, making use of Blockchain technology, are undoubtedly of special interest and should not be missed at the event on the 27th and 28th of October.


The Work of a Cyber Intelligence Unit in The Context Of Incident Response

Félix Brezo Fernández    27 September, 2021

Besides the work carried out by our colleagues in the forensic analysis, malware analysis or Threat Hunting teams, which we have reviewed in the articles in this series associated with incident response, there is an additional element to be considered: the support given by the cyber intelligence teams to the above and how we in the Telefónica Tech team manage the products derived from this work. In this last part of the series, we will review the objectives of this team, the work it carries out and how the material generated is used in the framework of an incident.

What do we mean when we talk about cyber intelligence?

Establishing points of consensus on the meaning of the concepts we are going to use is always a good basis for any communication exercise and the term cyber intelligence is an example of how the use (and perhaps also the abuse) of the term can end up distorting messages and confusing objectives. To understand what we mean when we talk about the cyber intelligence team within the incident response area, what better way to start than by answering what we mean by intelligence first and cyber intelligence second.

Although there are many definitions of intelligence, a fairly consolidated reference is that contained in the Glossary of intelligence published in 2007 by the Spanish Ministry of Defence and coordinated by Miguel Ángel Esteban. On page 82, intelligence is defined as the “product resulting from the evaluation, integration, analysis and interpretation of the information gathered by an intelligence service”. Therefore, by application of the prefix cyber- we can venture to say that cyber intelligence is intelligence related to computer networks.

In any case, the basic element is that intelligence as such goes beyond data or information feeds, even if these are used to generate the final product. It is not even just a context or a list of raw links to be reviewed when the time comes. It is a concrete product intended to support specific decision making which, in the case of security incidents experienced by our customers in the context of a ransomware incident, can end up being dramatic.

Material for technicians and decision-makers

Information tends to be confused and inaccurate, especially in the first hours of an incident, until containment begins and the planned response plan comes into play (a plan that, with luck, will only have been exercised on paper or in directed drills). It is precisely in this coordination and planning work that some of the target audiences for the products of the cyber intelligence team in incident response can be identified.

  • The customer’s own interlocutors. They need to have visibility as much as possible of the type of threat they are facing and to know if there is a risk of possible exfiltration beyond the visible impact in the form of encryption, for example, or how to act in the face of certain actions of the attacker that may arise. It is important that the information is on the table to be able to manage both the expectations of information recovery and to help management teams to act quickly.
  • The response coordination team: the incident managers. As the organising party in an incident, they need to have visibility of the attacker’s known tactics, techniques and procedures, and potential vectors of entry and exploitation. The objective from a technical point of view is to have sufficient knowledge to operationally coordinate the necessary efforts and to be able to organise activities at the containment and investigation level, but also when coordinating forensic, log or malware analysis that may be required based on what is known about the threat and the state of the customer’s perimeter. At the same time, as part of this work it may be necessary to identify other action points that are not necessarily technical (legal, communication, etc.) but require immediate attention beyond the purely technological.
  • The team in charge of conducting the investigation. Forensics, malware analysts and log analysts will find their work easier if they have a good grounding in the attacker’s tactics, techniques and procedures. Without prejudice to the more in-depth analysis that takes place during the response itself, threat intelligence reports will allow them to narrow down the initial framework of the investigation and select preliminary targets with agility, especially at the beginning of the investigation.
  • The Threat Hunting team. As we have seen in previous articles, this team carries a lot of weight in the containment of the incident: it contains ongoing threats as soon as they are identified and finds new subjects of investigation on which to perform triage and immediate mitigation. For that it normally needs context beyond the specific indicators of compromise, such as the techniques the attacker is believed to have applied or the software they use.

Thus, in the framework of incident response, the deliverables of cyber intelligence teams go far beyond the mere identification of specific observables, although, of course, these are also provided. We are talking about providing technical analyst teams with specific tools that enable them to pinpoint specific malicious behaviour on the machines they are analysing and to provide the necessary support on threat behaviour in a timely manner.

Intelligence that is not shared loses effectiveness

The timeliness of the intelligence products generated has a lot to do with what we deliver and how we deliver it, but more importantly, when we deliver it and how confident we are in what we attach to our reports and deliverables. It is about making sure that the recipient will interpret what we say as it is written and unambiguously: it is a matter of speaking the same language so that sharing takes place in a structured way, with no room for doubt about what is stated forcefully and with absolute transparency to point out those aspects that need to be taken with reservations.

The work of the analyst teams is therefore no longer so much a one-off action/reaction task, but the result of continuity efforts maintained by a team that has to be aware of the threats and that has to be able to convey this information in an orderly, clear and consistent manner. And part of that work, of course, has to be done after incidents, closing the loop. Because the work of analysis does not end when the response team leaves the incident, but with the review of the lessons learned from the incident in order to integrate what has been learned into the team for the future.

In any case, if we understand communication as the transmission of signals by means of a code common to sender and receiver, establishing a common framework for the level of trust is fundamental. This is what the STIX intelligence sharing standard (currently in version 2.1) does with the confidence property, with which each of its objects can be rated between 0 and 100, and with the credibility scales it maps onto that range, such as the Admiralty scale described in the US Army’s Field Manual 2-22.3.

The aim of these scales is to give the analyst the possibility of expressing different degrees of certainty about each object and to avoid failing to document behaviour for fear of having to take a binary assessment (confirmed/unconfirmed). Thus, the fact that there is evidence with questionable credibility at a given moment is relevant because only if it is documented and recorded will it be possible to correlate it in the future, which reminds us of the importance of the time factor when making the assessments included in the reports.
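The confidence property and the Admiralty credibility scale discussed in the two paragraphs above, as an added example that is not part of the original article: a minimal STIX 2.1 Indicator built with the required properties and a confidence value derived from the analyst's credibility rating. The numeric mapping is an assumption from my recollection of the STIX 2.1 confidence-scales appendix and should be confirmed against the specification; the observable pattern uses a documentation address and is constructed.

```python
import json
import uuid
from datetime import datetime, timezone

# Admiralty credibility code -> STIX 2.1 confidence value. Assumption: these are
# the values of the Admiralty Credibility scale in the STIX 2.1 confidence-scales
# appendix as I recall them; confirm against the specification before adopting.
ADMIRALTY_TO_CONFIDENCE = {"1": 90, "2": 70, "3": 50, "4": 30, "5": 10}


def confidence_from_admiralty(code: str):
    """Code 6 ('truth cannot be judged') returns None: the property is then omitted,
    which is the honest answer, rather than recorded as 0 (known to be false)."""
    code = code.strip()
    if code == "6":
        return None
    if code not in ADMIRALTY_TO_CONFIDENCE:
        raise ValueError(f"unknown Admiralty credibility code {code!r}")
    return ADMIRALTY_TO_CONFIDENCE[code]


def make_indicator(pattern: str, admiralty_code: str, name: str,
                   created: datetime = None) -> dict:
    """Builds a minimal STIX 2.1 Indicator SDO with its required properties and,
    when it can be expressed, a confidence derived from the credibility rating."""
    ts = (created or datetime.now(timezone.utc)).astimezone(timezone.utc)
    stamp = ts.isoformat(timespec="milliseconds").replace("+00:00", "Z")
    obj = {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": stamp,
        "modified": stamp,
        "name": name,
        "pattern": pattern,
        "pattern_type": "stix",
        "valid_from": stamp,
    }
    confidence = confidence_from_admiralty(admiralty_code)
    if confidence is not None:
        if not 0 <= confidence <= 100:
            raise ValueError("STIX confidence must be between 0 and 100")
        obj["confidence"] = confidence
    return obj


if __name__ == "__main__":
    # Constructed observable (documentation address range), rated "probably true".
    ioc = make_indicator("[ipv4-addr:value = '198.51.100.7']", "2",
                         "Suspected C2 seen in one sample")
    print(json.dumps(ioc, indent=2))
```

Recording a low confidence value is the point: an indicator rated "doubtful" today can be correlated and upgraded when a second source confirms it, whereas an indicator that was never written down cannot.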

Time factor

It is clear that an intelligence unit will accumulate knowledge over the years that can be built up and integrated for the future. Storing it in a consistent and reusable way is critical as we have seen, especially if it is to be available just when it is most needed in the form it is needed. But in incident response, the pressure and timing of decision-making is decisive.

Indeed, one of the aspects that most differentiates the analytical professional in incident response from a purely academic or research profile is that he or she works precisely against the clock and under uncertainty. Those dealing with the reality of an incident must cope with the gradual arrival of information, the unavailability of some of it when it is most needed, and the pressure being experienced by a client who is inundated with calls from concerned customers and suppliers and who has to meet statutory reporting obligations. All this while trying to contain a threat whose impact is only hinted at by the massive encryption of computers and while trying to ensure that backups and systems are impacted as little as possible.

In academic research the urgency is not as immediate: with days or weeks to spare there are more options to review the details of every scenario, study them in depth and learn accordingly. The reality of an incident in which our clients have factories or entire areas shut down is unfortunately much more dramatic. It includes Hunting colleagues with operational needs that cannot wait, in the form of indicators and behaviours to block, and forensic colleagues who need context and clues about which machines to start the search for patient zero on, and to understand how, why and to what extent the threat spread.

This is where time – understood both in terms of effort and timeframe – is key to getting tactics, techniques and procedures known from similar threats to their intended audience: both at the operational level for containment and mitigation, and at the strategic level to support the decision-maker on the possible scenarios that lie ahead. It is right there, when things don’t seem to be working, where the different areas of the response team can help working side by side to recover that longed-for normality. Against the clock, but right in time.

Cyber Security Weekly Briefing 18-24 September

Telefónica Tech    24 September, 2021

Malware campaign using TeamViewer on websites under IIS

Malwarebytes researchers have observed a malware distribution campaign, active since the beginning of September, that uses previously compromised websites running on Microsoft’s Internet Information Services (IIS) web server. The attack consists of displaying a fake expired-certificate alert such as “Detected a potential security risk and has not extended the transition to [sitename]. Updating a security certificate may allow this connection to succeed. NET::ERR_CERT_OUT_OF_DATE.”, which prompts the user to download a malicious “update installer” that actually conceals the known TVRAT trojan. Once the victim runs it, the malware installs itself together with the TeamViewer remote control software, giving the threat actor a direct channel to its command and control server and full control of the compromised computer. The exact method used to compromise the IIS servers is not yet known, although public exploit code exists for a vulnerability in the HTTP protocol stack used by IIS that Microsoft patched last May (CVE-2021-31166).

More info: https://www.bleepingcomputer.com/news/security/hacked-sites-push-teamviewer-using-fake-expired-certificate-alert/

BulletProofLink: massive phishing campaign

Microsoft security researchers have published details of a massive phishing-as-a-service (PHaaS) operation that uses hosting-like infrastructure and offers threat actors services such as phishing kits and templates. According to the research, BulletProofLink, as the operation is called, goes beyond traditional phishing kits: after an initial registration on its portal for a fee of $800, it offers a comprehensive service including hosting, domain generation, e-mail sending and the collection of credentials and stolen logins, which customers can then adapt by modifying any of the more than 120 phishing templates available. Microsoft also warns that BulletProofLink’s operators cheat their own customers by keeping the credentials stolen in the attacks and selling them on other underground forums. The operation is estimated to have used more than 300K unique, newly created subdomains to date, which gives an idea of its scale.

All the details: https://www.microsoft.com/security/blog/2021/09/21/catching-the-big-fish-analyzing-a-large-scale-phishing-as-a-service-operation/

Microsoft Exchange Autodiscover bug allows exfiltration of credentials

Amit Serper, a security researcher at Guardicore, has found a design flaw in the implementation of Microsoft Exchange’s Autodiscover protocol that can leak credentials. Autodiscover is the protocol Exchange uses to give customers an easy, automatic way to configure the Exchange client and applications such as Outlook. Once the client is installed, it asks for the username and password and then uses Autodiscover to build a series of URLs derived from the domain of the user’s e-mail address. If none of these auto-generated URLs responds, a “back-off” phase starts in which the client strips labels from the domain and ends up trying Autodiscover.TLD, a host the organisation does not control. Serper realised that whoever owns such an Autodiscover.TLD domain would receive every request that did not reach the original domain, credentials included. To test this, Serper and his team registered Autodiscover domains under several TLDs and received requests from many customers across multiple industries. In the end, Guardicore reportedly captured more than 90,000 unique credentials from applications such as Outlook and more than 350,000 Windows domain credentials, showing that the impact is global.

Learn more: https://www.guardicore.com/labs/autodiscovering-the-great-leak/
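The "back-off" described above, as an added example that is not part of the original briefing or of Guardicore's research: a function that generates the candidate Autodiscover URLs for a mailbox, flags the ones whose host lies outside the mailbox's own domain, and turns them into a list of hostnames to sinkhole or deny at the egress proxy. The exact candidate set and order are an assumption based on my reading of the published description, not the vendor's specification.

```python
from urllib.parse import urlsplit

AUTODISCOVER_PATH = "/autodiscover/autodiscover.xml"


def autodiscover_candidates(email: str) -> list:
    """URLs in the order the client is described as trying them: the mailbox
    domain first, then the 'back-off' that strips one label at a time until only
    autodiscover.<tld> remains. Assumption: order and set are my reading of the
    write-up, not the protocol specification."""
    domain = email.rsplit("@", 1)[1].strip().lower()
    urls = [
        f"https://{domain}{AUTODISCOVER_PATH}",
        f"https://autodiscover.{domain}{AUTODISCOVER_PATH}",
        f"http://autodiscover.{domain}{AUTODISCOVER_PATH}",
    ]
    labels = domain.split(".")
    for i in range(1, len(labels)):           # example.co.uk -> co.uk -> uk
        parent = ".".join(labels[i:])
        urls.append(f"http://autodiscover.{parent}{AUTODISCOVER_PATH}")
    return urls


def leaking_candidates(email: str) -> list:
    """Candidates whose host is outside the mailbox domain: a request there,
    with Basic or NTLM credentials attached, goes to whoever registered the name."""
    domain = email.rsplit("@", 1)[1].strip().lower()
    leaks = []
    for url in autodiscover_candidates(email):
        host = urlsplit(url).hostname
        if host != domain and not host.endswith("." + domain):
            leaks.append(url)
    return leaks


def egress_blocklist(emails) -> set:
    """Hostnames to sinkhole in internal DNS or deny at the proxy for a set of
    mailboxes, so the leaking requests never leave the network."""
    return {urlsplit(u).hostname for e in emails for u in leaking_candidates(e)}


if __name__ == "__main__":
    for e in ["alice@example.com", "bob@corp.example.co.uk"]:   # constructed mailboxes
        print(e, "->", leaking_candidates(e))
    print(sorted(egress_blocklist(["alice@example.com", "bob@corp.example.co.uk"])))
```

The list shows why a multi-label domain is worse off: every intermediate parent (autodiscover.example.co.uk, autodiscover.co.uk, autodiscover.uk) is a separate registration someone else may hold, so the blocklist has to cover all of them, not just the final TLD.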

New 0-day vulnerability in Apple exploited on iOS and macOS devices

Google security researchers have reported to Apple a new 0-day vulnerability affecting iOS and macOS devices, and Apple itself has acknowledged that the flaw may have been actively exploited in the wild. The vulnerability lies in the XNU kernel, has been registered as CVE-2021-30869 and has not yet been scored on the CVSSv3 scale. It is, however, a type confusion bug that can lead to arbitrary code execution with kernel privileges on the affected device, so its severity is in any case considered high. Note that in 2021 alone Apple has already had to fix more than ten 0-day vulnerabilities. Patches are available for the affected devices: iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3 and iPod touch (6th generation) with iOS 12.5.5, and Macs with Security Update 2021-006 Catalina.

Full info: https://support.apple.com/en-us/HT212824

If you own any Apple devices, run to update them

Diego Samuel Espitia    23 September, 2021

On September 13, Apple surprised its users with a system update for iPhone, Apple Watch, iPad and macOS, something that does not happen very often, and even less often with an official statement from Apple stressing the importance of installing it.

All this is due to a report from Citizen Lab confirming that a malicious PDF document can exploit the vulnerabilities CVE-2021-30858 and CVE-2021-30860 to execute code on iOS and macOS. Bad news for users, but it is worth knowing what it means and where the threat comes from.

It all started in February 2021, when Citizen Lab analysed an iPhone belonging to a Saudi activist and found it infected with Pegasus, the spyware of the Israeli company NSO Group. They discovered an entirely unknown 0-day, 0-click (no user interaction required) exploit, which they named FORCEDENTRY, effective against any Apple-branded device.

Initially, iMessage was identified as the delivery channel; on 24 August Citizen Lab published a report showing that these vulnerabilities could be, and were being, exploited through PDF documents containing hidden commands that run on the system and give the attackers access to the information on the device.

The most serious aspect of this threat is that it is completely invisible and undetectable to the user. It has been used at least by NSO Group, as reported by various media in the second half of August, when research was made public claiming that activists at the Bahrain Center for Human Rights had been spied on between June 2020 and February 2021 using this attack together with the Pegasus software.

How it affects you …

There is no doubt that we all handle data and contacts, and our devices are connected to the Internet, so a vulnerability that nobody knew about (a 0-day) and that allows an attacker to take control of, and spy on, Apple mobile devices and computers is an opportunity that attackers will not miss.

This set of circumstances makes any iPhone, iPad, iPod, Apple Watch or macOS user a potential victim of this threat from now on. Unfortunately for Apple, this is not the first case this year, nor is it the first case originating from the investigation into the Saudi activists’ mobile phones, from which the following threats have been reported:

  • In January, three 0-days affecting iOS that were being actively exploited.
  • In March, a 0-day reported by researchers but not confirmed to be exploited.
  • In April, a 0-day for iOS and a 0-day for macOS, actively exploited by the Shlayer trojan and leading to a flood of signatures for macOS.
  • In May, three more 0-days that allow commands to be executed on mobile devices by simply visiting a website, plus a macOS 0-day that bypasses the system’s privacy protections.
  • In June, two 0-days actively exploited to affect older mobile devices.

What to do…

It is time to keep Apple devices up to date: immediately install the updates released between 13 and 15 September, listed in the https://support.apple.com/en-us/HT201222 bulletin and in the https://support.apple.com/en-us/HT212807 bulletin.

This fixes the weaknesses detected by Citizen Lab and other researchers, mitigating the possibility that criminals exploit them to access the information on the devices or to deploy malware for espionage or ransomware.

If you have an iPad, Apple Watch or Mac, install the updates as soon as possible: once the patches are public, the vulnerabilities are more likely to be exploited by other criminal groups.

DFIR services in a ransomware incident response

Víctor José González Arcos    22 September, 2021

As we saw in the first post of the series, the IR (incident response) process in case of attacks using ransomware is fundamental, relying on the work of several groups that, providing different roles, form a single working team to help the affected company recover in the shortest possible time.

Our NextDefense services include a specific branch in their proposal to cover these types of services.

In this second post of the series, we are going to review the role played by the members of Telefónica Tech’s DFIR (Digital Forensics and Incident Response) services team within the global IR process.

DFIR team composition

The team is made up of a group of multidisciplinary professionals, mostly senior profiles, whose professional career has always been linked to security in any of its specialities.

This diversity of roles makes it possible to be prepared for any evolution in attackers’ techniques, tactics, offensive procedures and anti-forensic methods, regardless of the specific characteristics of the actor and the attack.

In the case at hand, security incidents using ransomware, it is necessary to combine resources from different groups:

  • DFIR
  • Threat Hunting (occasionally combined with EDR monitoring services)
  • Threat Intel (Threat intelligence)

Within these disciplines, DFIR has three distinct roles that are involved in very specific ways within the IR process:

  • Incident Handler (IH): He/she coordinates the security incident, liaising between the client and the different teams to keep track and facilitate communication, assigning tasks to the different parties and ensuring that the whole IR process evolves in the right way.
  • Forensic Analyst: This is the specialist with the capacity to carry out investigations (local and remote) on any system or support with information, and whose purpose is to obtain evidence that allows progress to be made during the investigation.
  • Malware Analyst: The specialist who performs static and dynamic analysis of malware and other malicious artefacts that may be found on the computers processed by the forensic analyst, by the threat hunter or by the customer themselves.

Preparing the IR process

When a new incident response process is initiated, the DFIR services team organises the work and prepares for the first tasks. Cloud workspaces are created for evidence sharing, and the ransom note itself, the extension of the encrypted files and even the affected company’s corporate domain are analysed. While waiting for the initial meeting with the client, the assigned people review the available information internally and prepare all the content for these first steps with the client. This first working meeting will be one of the most important.

All this preparation before the first meeting is used to review the knowledge one might have about the specific actor: whether it usually exfiltrates data, which entry route it usually uses, which tools it deploys and even whether credentials of the company are already circulating on black markets. The first day of the process and, in particular, the first meeting, are crucial.

Start of response

Once the first meeting takes place and the actual response process begins, initial work streams are created for all groups (including the client and third parties), tested at each incident and improved at the end of each incident. Some examples are:

  • The Incident Handler will take control of the process and start organising all the working groups, activities, meeting plan, etc.
  • The Threat Intel team will request a series of data from the customer to produce actionable cyber security intelligence (to be discussed in the next post).
  • The forensic analyst will collect all events/objects that may harbour information from the attacker. This will produce the first IOCs (Indicators of Compromise), which allow, for example, blocking to begin as part of the containment and eradication phases of the threat. If malware elements are present, a malware analyst will be added to the team to perform the corresponding tasks.
  • The Threat Hunting group (often in combination with other Telefónica TECH monitoring services) will support the deployment (when necessary) of an EDR platform, carrying out alert analysis and threat research on this platform. Specifically, in the last post of the series we will see the work of this team.

Performance during the IR process

The incident response process follows a routine of meetings (more executive) or checkpoints (more technical) throughout the work period (a couple of weeks, on average). In these meetings, the joint working team (customer, Telefónica TECH team and possible third parties) will review the work in progress, sharing knowledge and assigning new tasks to everyone (being reviewed at each checkpoint).

The forensic profiles of the DFIR team will work intensively in this iterative process and throughout the agreed work period: they will carry out their investigations with the different types of evidence available, rely on malware analysts (if necessary) and gradually build the incident narrative that will be explained to the client at the next checkpoint. They will identify the IOCs found and communicate them to the different groups to support containment and eradication, while tracing the timeline that will be reflected in the report delivered to the client. That report also identifies the first system found to be compromised (“patient 0”), the entry vectors used (which enrich the recommendations that serve as points of improvement for the affected infrastructure) and everything relevant about the network (and the attacker) that must be communicated to the client.

Subsequently, and only in cases where there might be a publication of information (not all ransomware attacks involve data exfiltration), threat intelligence analysts will try to monitor their Hall of Shame (usually public boards where exfiltrated information is disclosed) in order to assist customers in the most important aspects concerning data privacy and GDPR, among other actions. This block of activity will be explained in the next post in the series.

In short: the work of the DFIR group within a ransomware incident, as we understand it at Telefónica TECH, is a constant process of investigation and exchange of knowledge of forensic and malware analysts with other groups (threat intelligence and Threat Hunting, above all). In each action, the client and the other roles and groups will learn about the progress achieved in DFIR thanks to the intermediation of the Incident Handler (perhaps a new IOC or the identification of patient 0) and in turn, these groups will be able to extend the information to the DFIR specialists to refine the next steps of their investigation.

Completion of forensic and malware analysis work

When the investigation work in an IR process is completed, a final investigation report is generated and follows a structure that is regularly revised to ensure maximum usefulness to the client. Regardless of the country/region of the incident or the language used, the report always has the same format and structure.

In some cases, clients request an advance version of the report to share with law enforcement, insurance companies, auditors, partners, suppliers or customers.

To provide peace of mind, once the final investigation report has been shared with the client, the IR process usually continues with an agreed 24×7 monitoring of the EDR where the entire team may be reactivated.

In these final stages of the IR process, a final meeting will be held with the client where the report delivered will be reviewed in detail, resolving any doubts that may have arisen and explaining the most important aspects of the narrative of both the incident and the recommendations.

As we have seen, the incident response process of Telefónica TECH’s DFIR team works in a fast and organised way, following a specific methodology followed by all the groups, to cover all the phases of the IR process. These roles and their methodology are key to resolving this type of incidents.


The human factor: a key element of cyber security

Cristina del Carmen Arroyo Siruela    20 September, 2021

When it is said that a server needs to be hardened, cybersecurity personnel have an idea of what that means and what it consists of. But what about securing people? Employees are company assets and, as such, are involved in the cycle of generating a service, system or product. Is it enough to simply harden systems and networks and improve productivity processes to be secure? What is the importance of the human factor in cyber security?

The article Threats and major cyber-attacks in 2021, highlights the most notable attacks in 2021. Both ransomware and phishing are highlighted, and both require, in most cases, especially phishing, human interaction.

In fact, it has been established that 1 in 5 security breaches originate from a direct or indirect employee error, in most cases unconsciously.

Changing passwords, an action carried out periodically by users, is seen as tedious and repetitive, so users fall back on the same password patterns or reuse passwords they already use on public networks.

This prevents them from seeing and understanding the importance of this type of actions on the generation of services or products.

The human factor is a key element of security, as it is involved in all the operational processes of an organisation.

The human factor in cybersecurity

There have been major improvements in applications, hardware, application of AI and Big Data, training and other security actions. Some of these are aimed directly at people, such as training and awareness.

But if there is a growing awareness of cybersecurity in companies, why is the human factor still considered a weak link in cybersecurity?

The human factor should be considered as a basic element of cyber security, taking into account that all cyber security actions, in one way or another, require human interaction at some point. Both technical actions (hardening a firewall) and cybersecurity training actions (designing a training plan), as well as defining a security structure, are designed by people.

To address the problem of human error, some professionals have designed methods based on human factor risk analysis. In this analysis, the different risks associated with the human factor and systems are evaluated, and different values are given to each of the risks, according to the methodology itself.

Based on the results obtained, security managers can identify those systems and classes of users most exposed to risk or vulnerable, and take decisions and measures to mitigate these risks, without impacting the rest of the environment. It is these types of actions and measures that can help strengthen and improve the relationship between cybersecurity and the human factor.

Security is part of the corporate culture

Commitment to security must be part of the business culture and not a handicap in terms of productivity or service generation. The message that safety belongs to everyone and that it must be applied jointly and in a participatory manner must be reinforced.

This requires cybersecurity plans in which multiple areas participate, contributing their knowledge and ideas and carrying out joint cross-cutting actions. The success of these initiatives requires the leadership of security-related figures such as the CISO or DPI (Directorate of Information Protection).

A company’s management must have first-hand knowledge of cybersecurity plans and be able to convey this to its employees, always advocating a global commitment.

Cybersecurity is increasingly a recurring topic in company committees and meetings, approaching the importance of strategy or budgets.

The commitment of all members of an organisation to cyber security will help to reduce the occurrence of cyber incidents and, in some cases, reduce the impact of a cyber incident and make recovery more effective.

Security by default and underlying principle

Not all organisations carry out an analysis after an attack to find out what the error or vulnerability was. This means that the cyber-attack or a similar attack may be repeated because the weaknesses and vulnerabilities, whether structural, organisational or technical, are not known.

The concept of security by default and basic principle should be applied to the basis and structure of an organisation, to the internal processes of the company, and to the way employees act at all times, and should and must seek the global involvement of the organisation.

We can take as an example the world of development, where security by default is more widely established as an almost indispensable requirement and as part of the basic design of the product, from the phase of the minimum viable product (MVP) onwards.

Security policies and procedures are insufficient to protect an organisation, especially if they are unknown or not enforced by employees.

It is the actions of users, whether by applying technical measures such as training or taking security actions, that protect organisations. This is to remove the stigma that security by default hinders or impedes internal processes and work functions in general.

However, lack of training or lack of qualified IT security personnel cannot be ruled out as one of the main causes for implementing security by default measures.
This is a handicap for companies that require qualified personnel with the necessary skills to perform security functions.

The human firewall is awareness and training

There is no silver bullet to fully reinforce the human factor and prevent it from being the weak link in cyber security. Initiatives to encourage cyber security training, awareness raising, red team/blue team network exercises, phishing campaigns and reinforcing training are all actions that will help corporate cyber security, but they will not prevent cyber attacks and in some cases will not be sufficient to mitigate or contain them.
However, the best human firewall is investment and action in awareness and training.

Currently, there are many types of training, capacity building, initiatives, but it is recommended to innovate in order to capture the user’s attention, for example, through “gamification” type actions, which encourage the user’s own participation and interaction.

Another type of cybersecurity awareness initiative that could be more stimulating is the reward and recognition of those employees who participate in the detection of vulnerabilities, security flaws, both at technical and management level, as opposed to continuously sending out unmotivating and not very visual awareness pills.

Awareness and training initiatives are treated as important topics in large corporations and a large part of the budget is dedicated to them, but it is still an unfinished business in small and medium-sized enterprises.

According to PwC’s Digital Trust Insights 2021 report, 55% of the companies participating in the study increased their cybersecurity budget during 2021. Training is a key consideration in cybersecurity. Training should not only focus on the development and improvement of hard skills, but also value and encourage the development of soft skills in all staff.

The best weapon against cybercriminals is investment in awareness and training of the human factor, a key element for companies.

Cyber Security Weekly Briefing 11-17 September

Telefónica Tech    17 September, 2021

S.O.V.A. – New Android banking trojan

Researchers at Threat Fabric have discovered the existence, at least since the beginning of August, of a new banking trojan for Android which they have named S.O.V.A. The main objective of the trojan is to collect personally identifiable information (PII) from victims. It is a trojan that contains functionalities that are common in this type of malware, such as the ability to carry out overlay attacks, keylogging or manipulation of notifications; but it also includes other less common functionalities, such as the theft of login cookies, which would allow attackers to access valid user sessions without needing to know their credentials.

At the moment, the trojan is under development, and the authors are reportedly advertising it on underground forums with the intention of being able to test it on multiple devices and implement the necessary improvements. According to researchers, adaptations of the malware have already been detected, available for the impersonation of banking institutions mainly in the United States and Spain, although in their advertisement the authors offer the possibility of adapting it against other entities according to the buyer’s needs.

More details: https://www.threatfabric.com/blogs/sova-new-trojan-with-fowl-intentions.html

Vermilion Strike: Unofficial version of a Cobalt Strike Beacon

Last August, Intezer researchers discovered an unofficial version of a Cobalt Strike Beacon for Linux and Windows systems. This Beacon, called Vermilion Strike, was reportedly developed from scratch by unknown threat actors, without sharing code with the official version, and is being actively used against organisations around the world. Vermilion Strike uses the same protocol as Cobalt Strike to connect to Command and Control servers and has remote access capabilities such as uploading files, executing commands and modifying files. The threat has been active since August and is being used in targeted attacks against telecommunications companies, government agencies, technology and financial institutions around the world. The ultimate goal of the attacks seems to be focused on cyberespionage.

All information: https://www.intezer.com/blog/malware-analysis/vermilionstrike-reimplementation-cobaltstrike/

Operation Harvest: Long-running cyber-espionage campaign

McAfee researchers have published an analysis of a long-running operation they have named “Harvest”. The discovery of this activity began with the analysis of a malware incident that grew into a highly sophisticated cyberattack that would have lasted several years. The threat actor began its incursions by breaching a victim’s web server, establishing persistence and installing tools that would be used for information gathering, privilege escalation, lateral movement and file execution. The tools used include PsExec, Procdump, Mimikatz, RottenPotato and BadPotato. In addition to a wide arsenal of tools, the threat actor used PlugX and Winnti malware to escalate privileges and backdoor the victim’s infrastructure. According to the analysis, the researchers believe that the incursion was carried out by a Chinese actor that shares links with APT27 and APT41. Its main objective was to maintain its presence within the victim’s infrastructure in order to leak intelligence information for commercial or military purposes.

More: https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/operation-harvest-a-deep-dive-into-a-long-term-campaign/

Additional details on the 0-day exploitation campaigns in Microsoft MSHTML

Microsoft researchers have published a detailed analysis of the first detected attacks exploiting the CVE-2021-40444 vulnerability, as well as their potential attribution. The first campaigns date back to August, with emails under the guise of legal or contractual agreements in which malicious documents were hosted on legitimate file-sharing sites for the distribution of loaders carrying Cobalt Strike beacons. The final payload was not marked by Windows as having been downloaded from an external source, so it was executed directly, without user interaction, thus demonstrating the exploitation of the vulnerability. According to Microsoft, the authorship of these initial attacks points to DEV-0365, a developing group that encompasses a cluster of fraudulent activities associated with Cobalt Strike infrastructure. However, they also indicate that some of the infrastructure that hosted the initial malicious documents can be linked to BazarLoader and Trickbot payloads, activity associated with the threat actor DEV-0193 (also known as UNC1878 or Wizard Spider). Despite these links to generic actors, Microsoft chose to attribute this exploitation activity to a separate group, DEV-0413, since it indicates that these are not generic campaigns: the phishing emails were closely aligned with the business operations of the targeted organisations. Over the past few days, in addition to Microsoft’s investigation, security researchers on Twitter have also warned of the detection of spam campaigns distributing the Ramnit trojan by exploiting the same flaw.

More information: https://www.microsoft.com/security/blog/2021/09/15/analyzing-attacks-that-exploit-the-mshtml-cve-2021-40444-vulnerability/

OMIGOD: Vulnerabilities in the cloud supply chain

Wiz researchers have recently discovered a number of vulnerabilities in the Open Management Infrastructure (OMI) software agent, which is integrated into many of the most popular Azure products. These are four vulnerabilities, CVE-2021-38647 (CVSS 9.8), CVE-2021-38648 (CVSS 7.8), CVE-2021-38645 (CVSS 7.8) and CVE-2021-38649 (CVSS 7.0), collectively referred to as “OMIGOD”. The risk affects customers using Linux virtual machines in the cloud, because the OMI agent runs automatically and without the users’ knowledge when certain Azure services are enabled (e.g. Log Analytics, Diagnostics, Configuration Management, etc.), so these vulnerabilities in OMI could allow a potential attacker to escalate to root privileges and execute malicious code remotely. Microsoft has released the patched version OMI 1.6.8.1, so it is advised to update as soon as possible, since according to the researchers thousands of Azure clients and millions of endpoints are affected.

All details: https://www.wiz.io/blog/secret-agent-exposes-azure-customers-to-unauthorized-code-execution

Telefónica Tech at the top of the IoT and Big Data podium

Bernardo Campillo    16 September, 2021

Today we want to revisit with you some good news that we received in mid-June, a little before the holiday season in July and August, a little before summer, the Olympics, the Tour and the Vuelta a España, and that made us go on those well-deserved holidays with a little more joy (if that’s possible).

As many of you will remember, GlobalData, one of the world’s leading analyst houses, evaluated Telefónica Tech IoT&BigData’s capabilities in the IoT field in particular and considered us Leaders in the latest update of its report “Global Industrial IoT Services: Competitive Landscape Assessment”.

To be precise, despite the name “Industrial IoT”, this is actually a global review exercise of our entire portfolio of products and solutions, professional capabilities and ability to execute projects for our clients and how this compares to our global competitors, both telcos and IoT-specific companies. So, in an Olympic year, we are on the podium of the IoT Olympics.

In its final report, GlobalData highlights the following as Strengths of our commitment as Telefónica IOT&BigData Tech:

  • Industry experience, as we already manage over 35M IoT connections (including all types of technologies: mobile, fixed, LPWA, satellite, etc.) for many high-profile global clients.
  • AI of Things vision: The combination of the ecosystems and capabilities we had for IoT and BigData/AI, which we have executed in recent months, is seen as differentiating, since we can offer a real end-to-end (e2e) proposition with more value to our clients and their businesses.
  • Our Industry 4.0 proposition: In addition to the capabilities already recognised in previous versions of the report (e.g. special connectivity solutions across LTE and 5G Private Networks), this year we have extended our offering with specialist partners in this space, being able to offer not only connectivity, but more complex and valuable use cases.

We can consider that the improvement in the overall position is due to the fact that, of the 7 areas evaluated, we have maintained our position in five of them and have improved in 2 of them, which are also seen by GlobalData as key in their considerations towards potential IoT service clients. We have specifically improved in the areas of:

  • Value Services (from Very Strong to Leader): Our capabilities in Professional Services, Consulting, Security and Data Analytics are evaluated very positively.
  • Partnerships (from Strong to Very Strong): The universe of commercial partners (i.e. Partnership Programme as a resale channel) and application partners (e.g. Geotab, Edge solutions with Microsoft, with AWS, etc.) is highlighted.

In the attached graph you can see how we have been rated and how those ratings compare with the market average.

This Leaders rating is, in fact, an improvement on the “Very Strong” position we had in GlobalData’s previous analysis of this type of services and therefore confirms that we are heading in the right direction in terms of how we are building our capabilities and solutions, how our strategic vision has improved and the enhancement of the execution capabilities we have in this ecosystem, both in terms of products and more specialised projects.

Finally, I just want to remember that this achievement is the fruit of the whole company. I believe that we are a team and we are all pulling together at all times.

Let’s go for the next medal or world championship or whatever they put in front of us, Telefónica Tech!!!!


PackageDNA: Our Development Package Analysis Framework That Made Its Debut at Black Hat

Diego Samuel Espitia    15 September, 2021

After several months of research and development, we presented our deep analysis tool for development packages, PackageDNA, at the Black Hat USA 2021 Arsenal event in the talk “Scanning DNA to detect malicious packages in your code”. The talk showcased the library analysis framework we built to help developers and companies validate the security of the packages used in their code.

This tool came about when the innovation team set out to analyse the malware that hides inside libraries. From time to time it was made public that some libraries were impersonating the original ones, for example the case from late 2018 in which a couple of libraries on PyPI were flagged. The story has repeated itself often since then, but how could we do the research without a tool to make the search easier? Our initial idea was to cover PyPI packages only, but we set ourselves a bigger challenge and the idea evolved to cover the libraries of the main programming languages. So it became a framework which, for each package it analysed from PyPI, RubyGems, NPM and Go, should show the following data:

  • Metadata of the package.
  • HASH of all the files it contains.
  • Detection of possible IoCs, such as IPs, hashes, URLs and emails.
  • Static analysis of the code, with an open-source tool for each language.
  • Analysis using AppInspector, Microsoft’s open-source tool for identifying malicious components.
  • Validation of suspicious files against Virustotal.
  • Validation of CVE report on GitHub, taking into account the specific version of the package.
  • Validation of packages generated by the same user within the library and in other programming languages.
  • Checking the possible typosquatting of the package in the same library.

This resulted in a powerful framework that allows a deep analysis of the libraries being used in the code being analysed or created, but also gives security analysts a static view of the security of the code, a view of the attacker’s behaviour and data for threat intelligence.

How to use PackageDNA?

The framework is developed in Python3 with an interactive console that allows the user to simply select what they want to do; the first screen the user sees is as follows:

You must start with option 7, the configuration of all the external tools associated with the framework (all of them are free to use or open-source developments); as you can see in the following image, this simply consists of loading each value correctly.

Once everything is configured, the user can do the following with the PyPI, RubyGems, NPM and Go libraries:

  1. Analyse the latest version of a package.
  2. Analyse all versions of a package and compare results between versions.
  3. Load a list of packages with specific versions.
  4. Upload a local package for analysis.

For threat intelligence analysis, you should select option 4 in the initial panel, which takes you to another panel where you can:

  1. Search for the packages generated in each of the libraries and the developments uploaded to GitHub using the username you want to investigate.
  2. Analyse the typosquatting and brandsquatting found in a specific library of a package.
  3. Search for code segments within a specific package.

While the tool is designed without a database to store all searches, there is an option to review the results of analyses performed previously, which are stored locally on the machine.

The information is shown initially in the console, with the option of viewing it in the browser through Flask, as shown in the following images.

Attacks on the software supply chain

During development, attacks on the software supply chain were gaining prominence around the world, with reports of several packages being detected as malicious in many libraries that were within our scope, so we couldn’t have had a better testing scenario.

In fact we were able to analyse the versions of maratlib, a PyPI package that was deployed for malicious cryptocurrency mining and that spoofed a package commonly used in mathematics called matplotlib.

When running the tool and using the comparison on the two versions, we could clearly see the malicious code segment that is detected by AppInspector and that is present in only one of the versions loaded in the library.

But we can also look at the other packages in the report that are generated using typosquatting techniques.
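The per-package checks listed earlier (file hashes, IoC extraction and the typosquatting check) and the maratlib/matplotlib comparison, reduced to one small added Python example. This is illustrative code written for this page, not PackageDNA’s own implementation; the sample package contents, the KNOWN_NAMES list and the similarity thresholds are constructed assumptions.

```python
import hashlib
import io
import re
import tarfile
from difflib import SequenceMatcher

# One pattern per IoC kind the post lists: IPs, hashes, URLs and emails.
IOC_PATTERNS = {
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"https?://[^\s'\"<>)]+"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "hash": re.compile(r"\b(?:[0-9a-fA-F]{64}|[0-9a-fA-F]{40}|[0-9a-fA-F]{32})\b"),  # MD5/SHA-1/SHA-256 sized
}

# Assumed list of well-known names; a real run would use the registry's most popular packages.
KNOWN_NAMES = ["matplotlib", "numpy", "requests", "pandas", "scipy"]

def build_sample_archive():
    """Constructed sdist-like tar.gz for a fictional 'maratlib' package.
    The file contents are invented for this example, not the real package."""
    files = {
        "setup.py": "from setuptools import setup\n"
                    "setup(name='maratlib', version='0.3',\n"
                    "      author_email='dev@example.com')\n",
        "maratlib/__init__.py": "UPDATE_URL = 'http://203.0.113.7/update.sh'\n"
                                "EXPECTED_MD5 = 'd41d8cd98f00b204e9800998ecf8427e'\n",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, text in files.items():
            data = text.encode()
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def read_members(archive_bytes):
    """{member name: bytes} for every regular file; nothing is written to disk."""
    members = {}
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            if member.isfile():
                members[member.name] = tar.extractfile(member).read()
    return members

def extract_iocs(text):
    """{kind: sorted unique matches} for each IoC pattern."""
    return {kind: sorted(set(p.findall(text))) for kind, p in IOC_PATTERNS.items()}

def levenshtein(a, b):
    """Classic edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def typosquat_candidates(name, known, max_distance=2, min_ratio=0.65):
    """Known names that 'name' may be impersonating. A small edit distance catches
    plain typos (reqeusts); the SequenceMatcher ratio catches syllable-level
    lookalikes (maratlib is 4 edits from matplotlib but 0.67 similar).
    Both thresholds are assumptions chosen for this example."""
    name = name.lower()
    hits = []
    for other in (k.lower() for k in known):
        if other == name:
            continue
        if (levenshtein(name, other) <= max_distance
                or SequenceMatcher(None, name, other).ratio() >= min_ratio):
            hits.append(other)
    return hits

def analyse_package(archive_bytes, package_name, known_names=KNOWN_NAMES):
    """Miniature per-package report: file hashes, IoCs found, typosquat check."""
    members = read_members(archive_bytes)
    iocs = {kind: set() for kind in IOC_PATTERNS}
    for data in members.values():
        for kind, found in extract_iocs(data.decode("utf-8", "replace")).items():
            iocs[kind].update(found)
    return {
        "package": package_name,
        "hashes": {n: hashlib.sha256(d).hexdigest() for n, d in members.items()},
        "iocs": {kind: sorted(v) for kind, v in iocs.items()},
        "typosquat_candidates": typosquat_candidates(package_name, known_names),
    }
```

Calling `analyse_package(build_sample_archive(), "maratlib")` returns the SHA-256 of each member, the IP, URL, email and MD5-sized token found in the sample sources, and matplotlib as the only typosquat candidate.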

So, with this framework we hope to provide the community of developers and code security analysts with a simple but powerful mechanism to achieve their goals. You can download it for free at https://github.com/telefonica/packagedna and we are open to your comments and contributions to improve the tool.