ElevenPaths Radio English #2 – Secure Homeworking

ElevenPaths    5 August, 2020

It is increasingly common to see companies offering their employees the option of working from home, combining it with office work, and even companies founded as fully remote that offer their employees homeworking only.

Unfortunately, during these past months in which the coronavirus has dominated practically every aspect of daily life, many companies have been forced to leave their offices. This has a number of information security implications that both companies and employees must take into account. It is very important to ensure that the way connections, backups and data are handled from home does not lead to information leaks or let phishing attacks succeed.

For this reason, in this new episode of ElevenPaths Radio our CSA Diego Espitia reviews several incidents in which these measures were not taken into account, and the consequences they had for employees and companies.

Second episode of ElevenPaths Radio English now available



ElevenPaths Joins OpenSSF to Enhance Open Source Software Security

ElevenPaths    5 August, 2020
  • This new Open Source Security Foundation (OpenSSF) brings together leading technology companies such as Microsoft, Google, Red Hat and IBM, among others.
  • It combines efforts from the Core Infrastructure Initiative, GitHub’s Open Source Security Coalition and other open source security work from founding governing board members GitHub, Google, IBM, JPMorgan Chase, Microsoft, NCC Group, OWASP Foundation and Red Hat.
  • ElevenPaths joins this Foundation as an Additional Founding Member.

The Linux Foundation has announced the formation of the Open Source Security Foundation (OpenSSF). The OpenSSF is a cross-industry collaboration that brings together leaders to improve the security of open source software (OSS) by building a broader community with targeted initiatives and best practices. It combines efforts from the Core Infrastructure Initiative, GitHub’s Open Source Security Coalition and other open source security work from founding governing board members GitHub, Google, IBM, JPMorgan Chase, Microsoft, NCC Group, OWASP Foundation and Red Hat, among others. Additional founding members include ElevenPaths, GitLab, HackerOne, Intel, Okta, Purdue, SAFECode, StackHawk, Trail of Bits, Uber and VMware.

ElevenPaths, Telefónica's cyber security company, joins OpenSSF as a founding member. Rames Sarwat, Chief Revenue Officer of ElevenPaths, said that “the security of an enterprise application or services depends mainly on the security of all its components. The vast majority of business applications and services are not fully developed in-house as they make use of open source components that help accelerate the development cycle and extend their functionality. Therefore, it is essential to ensure that all open source components comply with the best practices of secure development and periodic reviews are carried out to positively impact all software that makes use of these components. Joining the Open Source Security Foundation is fully aligned with our vision and principles”.

Open source software has become pervasive in data centres, consumer devices and services, reflecting its value to technologists and businesses alike. Because of its development process, open source that ultimately reaches end users has a chain of contributors and dependencies. It is important that those responsible for their users' or organisation's security are able to understand and verify the security of this dependency chain.

The OpenSSF brings together the industry’s most important open source security initiatives and the individuals and companies that support them. The Linux Foundation’s Core Infrastructure Initiative (CII), founded in response to the 2014 Heartbleed bug, and the Open Source Security Coalition, founded by the GitHub Security Lab, are just a couple of the projects that will be brought together under the new OpenSSF. The Foundation’s governance, technical community and its decisions will be transparent, and any specifications and projects developed will be vendor agnostic. The OpenSSF is committed to collaboration and working both upstream and with existing communities to advance open source security for all.

Jim Zemlin, executive director at The Linux Foundation said: “We believe open source is a public good and across every industry we have a responsibility to come together to improve and support the security of open source software we all depend on. Ensuring open source security is one of the most important things we can do, and it requires all of us around the world to assist in the effort. The OpenSSF will provide that forum for a truly collaborative, cross-industry effort.”

With the formalization of the group, the open governance structure is established and includes a Governing Board (GB), a Technical Advisory Council (TAC) and a separate oversight for each working group and project. OpenSSF intends to host a variety of open source technical initiatives to support security for the world’s most critical open source software, all of which will be done in the open on GitHub.

For more information and to contribute to the project, please visit https://openssf.org

Governing Board Member Quotes

“Security is always top of mind for Google and our users. We have developed robust internal security tools and systems for consuming open source software internally, for our users, and for our OSS-based products. We believe in building safer products for everyone with far-reaching impacts, and we are excited to work with the broader community through the OpenSSF. We look forward to sharing our innovations and working together to improve the security of open source software we all depend on,” said Director of Product Security, Google Cloud, James Higgins.

“Open source has become mainstream in the enterprise. As such, the security of the open source supply-chain is of paramount importance to IBM and our clients,” said Christopher Ferris, IBM Fellow and CTO Open Technology. “The launch of the Open Source Security Foundation marks an important step towards giving open source communities the information and tools they need to improve their secure engineering practices, and the information developers need to choose their open source wisely.”

“As open source is now core to nearly every company’s technology strategy, securing open source software is an essential part of securing the supply chain for every company, including our own,” said Mark Russinovich, Chief Technology Officer, Microsoft Azure. “As with everything open source, building better security is a community-driven process. All of us at Microsoft are excited to be a founding member of the Open Source Security Foundation and we look forward to partnering with the community to create new security solutions that will help us all.”


Full press release

ClipBanker Malware Tries to Stop Our Defence Tool CryptoClipWatcher

Innovation and Laboratory Area in ElevenPaths    4 August, 2020

Malware that modifies the clipboard to “switch” the destination crypto wallet address still exists. To fight it, ElevenPaths developed CryptoClipWatcher, a tool that monitors the clipboard and alerts if its contents change unnoticed. The ClipBanker malware takes this into account and tries to stop the process before infecting the system.

The crypto clipboard hijacking technique has been common in malware for years. In 2018 we launched CryptoClipWatcher. Once installed, the tool watches the clipboard: when a wallet or crypto address has been copied, it checks whether that address is altered before the user overwrites the clipboard with something else, which is the signature of a hijacker swapping in its own address. The following video explains how it works.

https://youtu.be/daOXXOFMPdI
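To make that check concrete, here is an added example written for this page (it is not CryptoClipWatcher's source code) of the detection logic described above: it remembers the last clipboard value, classifies it by wallet-address format, and raises an alert when one address is replaced by a different address of the same format with nothing else in between. The address regexes, the addresses and the clipboard sequence are constructed for the example; the clipboard polling loop that would feed real values (on Windows, for instance, via the win32clipboard module) is left out.

```python
import re

# Wallet-address formats recognised by this example (constructed for the
# example; the tool's own patterns are not reproduced here). The dict key is
# the "kind" reported in alerts.
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),  # P2PKH / P2SH, Base58
    "btc_bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{11,71}$"),       # native SegWit
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),                       # Ethereum
}


def address_kind(text):
    """Return the wallet-address kind of `text`, or None if it is not an address."""
    text = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return kind
    return None


class ClipboardWatcher:
    """Observe successive clipboard contents and flag a silent address swap.

    A clipboard that held a wallet address and now holds a *different* address
    of the same kind, with no unrelated content in between, is exactly what a
    clipboard hijacker produces. A user who copies two addresses of the same
    kind back to back also triggers it; that is the acceptable false positive
    for a tool whose job is to warn.
    """

    def __init__(self):
        self.last = None    # (kind, address) of the previous value, if it was an address
        self.alerts = []

    def observe(self, content):
        """Feed one clipboard value; return an alert string or None."""
        text = content.strip()
        kind = address_kind(text)
        alert = None
        if kind is not None and self.last is not None:
            last_kind, last_text = self.last
            if last_kind == kind and last_text != text:
                alert = (f"clipboard {kind} address changed from "
                         f"{last_text} to {text}: possible hijack")
                self.alerts.append(alert)
        # Remember the new value only when it is an address; any other content
        # resets the comparison so a later, unrelated copy is not matched.
        self.last = (kind, text) if kind is not None else None
        return alert


# Constructed clipboard sequence: the user copies a legitimate address, the
# malware overwrites it with its own, then the user copies unrelated text.
USER_ADDRESS = "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"   # constructed victim address
ATTACKER_ADDRESS = "1AttackerSwapAddress" + "A" * 13  # constructed attacker address
ETH_ADDRESS = "0x" + "ab" * 20                        # constructed, a different kind

SAMPLE_SEQUENCE = [
    USER_ADDRESS,      # user copies the address they intend to pay
    ATTACKER_ADDRESS,  # clipboard rewritten with no user action -> alert
    "meeting at 10",   # ordinary text, resets the watcher
    ETH_ADDRESS,       # address of another kind after a reset: no alert
]


def run_sequence(sequence):
    """Replay a list of clipboard values and return the alerts raised."""
    watcher = ClipboardWatcher()
    for value in sequence:
        watcher.observe(value)
    return watcher.alerts


if __name__ == "__main__":
    for alert in run_sequence(SAMPLE_SEQUENCE):
        print(alert)
```

Replaying SAMPLE_SEQUENCE yields exactly one alert, for the step where the Bitcoin address was swapped; copying the same address twice, or an address of a different kind after unrelated text, raises nothing.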

The ClipBanker Trojan, built in .NET, has been checking for our tool for some time and trying to stop it. The last known sample we have checked is from May 2020. Let's see how it works.

How This Malware Works

As mentioned, this malware monitors the clipboard to steal cryptocurrency, and it also exfiltrates private keys in Wallet Import Format (WIF) through an IP-logger service. The interesting point is how it protects itself from being analysed or stopped. To check whether it is running on a virtual machine it uses WMIC to query the BIOS information, specifically the command “wmic bios”, and searches the output for strings such as VBOX, VirtualBox, XEN, qemu, bochs and VM.

To detect antivirus products, it also uses WMI to ask the Windows Security Center which products are registered. The query (through .NET's System.Management API) is:

new ManagementObjectSearcher(@"root\SecurityCenter2", "SELECT * FROM AntivirusProduct")

It then looks for our tool, CryptoClipWatcher (CCW).

In a function named CCW, it checks whether a process is running whose name matches the value stored in the variable ccwProcessName.

The variable is obfuscated: it holds a Base64 string to which an XOR with the key f952db5f-fac5-4f65-8d60-db225f0c1c26 has been applied (the screenshot of the obfuscated value is not reproduced here). Once resolved, it yields the name of our process.
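The following is an added example, not code from the sample or from ElevenPaths, showing how an analyst would resolve a string obfuscated in this way and sweep a list of extracted strings for others protected with the same key. It uses the key quoted above and assumes the order "XOR with the repeating key, then Base64" (if the sample encoded first and XORed afterwards, the two steps in deobfuscate() are simply swapped). The plaintext "watcher.exe" and the other strings are constructed for the example; the value actually recovered from the sample is in the original post's screenshot and is not reproduced here.

```python
import base64
import binascii
from itertools import cycle

# XOR key quoted in the analysis above, used here as its ASCII bytes, repeated.
KEY = "f952db5f-fac5-4f65-8d60-db225f0c1c26"


def xor_bytes(data, key):
    """XOR `data` with `key`, repeating the key as often as needed."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def obfuscate(plaintext, key=KEY):
    """XOR with the repeating key, then Base64-encode (the order assumed here)."""
    masked = xor_bytes(plaintext.encode("utf-8"), key.encode("ascii"))
    return base64.b64encode(masked).decode("ascii")


def deobfuscate(blob, key=KEY):
    """Inverse of obfuscate(): Base64-decode, then XOR with the repeating key."""
    masked = base64.b64decode(blob, validate=True)
    return xor_bytes(masked, key.encode("ascii")).decode("utf-8")


def recover_strings(candidates, key=KEY):
    """Try every candidate; keep those that decode to printable text.

    Invalid Base64, invalid UTF-8 after the XOR, or control characters in the
    result all mean "not obfuscated with this key", so those are skipped.
    Returns a dict mapping each obfuscated string to its plaintext.
    """
    recovered = {}
    for candidate in candidates:
        try:
            text = deobfuscate(candidate, key)
        except (binascii.Error, ValueError):   # UnicodeDecodeError is a ValueError
            continue
        if text and text.isprintable():
            recovered[candidate] = text
    return recovered


# Constructed sample: one process name obfuscated with the scheme above, mixed
# with strings that are not (a valid Base64 string that decodes to junk under
# this key, and a string that is not Base64 at all).
SAMPLE_PLAINTEXT = "watcher.exe"
SAMPLE_STRINGS = [
    obfuscate(SAMPLE_PLAINTEXT),
    "bm90IGtleQ==",   # Base64 of "not key": XOR with KEY yields control bytes
    "zzz",            # not valid Base64
]

if __name__ == "__main__":
    for blob, text in recover_strings(SAMPLE_STRINGS).items():
        print(f"{blob} -> {text}")
```

Because the key repeats, the same routine works for plaintexts longer than the 36-byte key; the printable-text filter is what lets the sweep skip the many Base64-looking strings in a .NET binary that were never obfuscated.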

Our application runs with elevated privileges on the system, so the malware can only kill the process if it is running with those privileges as well.

This is the sample we have analysed: 5dd16f9e2351216d683038f772ef8ca07373eb04d4e97b3a031bb98c1dca25c9

How to learn Python: the most important skill for employers

Olivia Brookhouse    4 August, 2020

The application of artificial intelligence to exploit Big Data and provide data insights is becoming a necessity for all business processes, so programmers are in hot demand. Designing effective machine learning systems is not unique to tech companies but common to all sectors, as it has many everyday business applications. So why is Python the language every coder is racing to learn?

Python is a general-purpose language used not just in software design but in many real business applications, such as decision-making and recommendation systems, process automation, virtual personal assistants, AI-embedded products, e-learning, robotics and many more, in every sector. Python, like other languages, helps us navigate the mass of data we generate, make sense of it and, ultimately, inform decisions.

A simple example of an algorithmic model is a recommender system, present on many online platforms such as Amazon and Netflix. The algorithm works through customer buying patterns to find suitable products to recommend. Applying algorithms reduces the time spent on arduous tasks, making us more efficient rather than replacing us as workers. Automation lets workers focus more on analysis, innovation and creative development. Computers still rely on humans to bring them into the workplace, so being able to design these algorithms yourself is the best way to stay in control of automation. Coding can realistically improve most job roles that exist today.

Why Python?

Python is simple to read and write: its syntax is lighter and its instructions are more concise and direct. Released in 1991 and used at first mainly for back-end programming, it is now used to write all kinds of applications, servers, desktop programs and apps. It is considered universal not only because of its simplicity but because of its applicability: Python skills transfer to any industry.

The need for such roles grew after the explosion of cloud data and the improvements in data management that allowed companies to store and exploit Big Data. English may be the most important language in the world, but Python rules the digital world. Many coders learn Python as an additional language alongside more complex ones, but beginners can pick it up just as easily.

Where can I learn to code?

We have compiled a list of free or cheap resources where you can learn Python, along with more specific courses on particular Python applications. There are also many free YouTube series that take you through Python step by step.

  1. Real beginner : Udemy
  2. Some previous experience in coding: Google edu , Udemy
  3. Python for Data Science and Machine Learning Bootcamp at only $19.99 from Udemy


From where we are today, it’s harder to identify an industry that AI won’t disrupt than those that it will. Businesses will continue to take advantage of unique data assets and large databases, requiring coding tools to make sense of it. The impact of Machine Learning and Artificial intelligence is pervasive, and is common place in any industry that will advance digitally. The sky is the limit in terms of digital transformation.

To keep up to date with LUCA, visit our website, subscribe to LUCA Data Speaks or follow us on Twitter, LinkedIn or YouTube.

Cybersecurity and Pandemic (I): People

Gabriel Bergel    3 August, 2020

Cybersecurity is even more important in these times of pandemic and increasing cyberattacks; yes, it is a business focus at the corporate level, but it must also be an integral part of our lives.

At the beginning of this year we summarised it in an ElevenPaths Radio podcast (in Spanish): we like to analyse the current situation in three dimensions (people, cybersecurity and pandemic). Focusing on the people dimension, in this post we will talk about nomophobia, phubbing, IAD and FOMO.

First Dimension: People

Today smartphones have become the most important electronic devices in our lives, and we are permanently connected. Social networks have become the de facto channel for communication and human relationships, and we make very intensive use of the Internet, as shown in the infographics Lori Lewis publishes every year.

However, smartphones, social networks and the Internet have not brought only benefits: for many people (depending on age and level of education) they have meant a forced and complex process of digital transformation. As a result, little awareness of the risks on the Internet and a lack of digital hygiene are common in the digital world.

For some years now we have been observing new pathologies and phobias derived from this intensive use, and we analyse them in the following lines.

Nomophobia

The term comes from “no mobile phone phobia”: the fear of not having the phone or not being able to use it, whether because the battery is flat or there is no signal. If you feel uncomfortable leaving your phone behind, nervous when you know you will have no service for a few hours, or even anxious at the thought of going without it, you may be experiencing nomophobia. Here is a very interesting piece from RTVE on the subject (in Spanish).

This is serious, because various studies suggest it affects more than 53% of users worldwide. There is even a 40-question test that measures the degree of smartphone dependency and addiction.

Phubbing

This behaviour derives from the previous one. It occurs when we are talking, in a meeting, having lunch or otherwise interacting with someone, and that person stops paying attention and starts looking at their smartphone.

The term combines the words snubbing and phone and was coined during an advertising campaign run by the McCann agency for the Australian Macquarie Dictionary. The agency asked its employees for proposals for a new word to describe this behaviour.

Alex Haigh, an Australian university student who had been an intern at McCann while the campaign was underway, coined the term and in 2016 created the Stop Phubbing website to prevent (as he put it) future couples from losing the ability to communicate face to face and relying on status updates instead.

On the website, Haigh concluded from his research that 90% of teenagers preferred text contact to face-to-face contact and that 97% of diners said their food tasted worse when they were on the receiving end of this behaviour. Today those figures are likely to have risen.

IAD

An older pathology, considered the basis of the others, is IAD, or “Internet Addiction Disorder”. If you play online video games excessively, make compulsive online purchases or participate intensely in social networks, and because of all this you feel that your use of the computer and/or mobile phone interferes with your daily life and your relationships with other people, you may suffer from IAD.

This disorder was described in 1995 by Ivan Goldberg. A 2012 review available through the US National Center for Biotechnology Information (NCBI) put its prevalence in American and European populations at a staggering figure: up to 8.2% of the general population. Other reports suggested it affected up to 38% of the general population. If you think you may suffer from it, you can take this quiz created by Psycom.

FOMO

Finally, FOMO (Fear Of Missing Out) is the fear of missing something, a new anxiety that has emerged with the popularisation of smartphones and social networks. FOMO is the modern form of an age-old fear: exclusion. In a way we are animals programmed to be part of a group, and today social networks play the role that physical friendships used to. In the real world it is easy to ignore what is happening outside our field of vision, but in the digital world we are one click away from knowing what our family, friends and acquaintances are doing at any time.

Given these behaviours and disorders, it is somewhat clearer why people have become cybercriminals' main target.

We will continue this post in a second part, so keep an eye on our blog. In the meantime, we invite you to listen to the sixth episode of our podcast “News with our CSAs” (in Spanish) on ElevenPaths Radio.

How do we talk to Aura in different countries?

Cristina de la Cruz    3 August, 2020

The deployment of Aura, Telefónica's artificial intelligence, in Spain, Brazil, the United Kingdom and Germany has revolutionised the way customers interact with the company. Currently, depending on the country, users can talk to Aura through devices, applications, WhatsApp and Facebook.

The unstoppable growth of artificial intelligence has optimised how we browse, made information easier to reach and improved the way we communicate, radically changing how we consume technology. In Telefónica's case, thanks to Aura, the customer experience has evolved to the point where brands such as Movistar (Spain), Vivo (Brazil) and o2 (United Kingdom and Germany) have incorporated Aura as a virtual assistant to simplify communication and make interaction with the services they provide easier.

Aura is able to meet all kinds of user demands, not only by responding to voice commands but by anticipating customer requests. Ana Molina, expert in experience design and research for Aura at Telefónica, explains the possibilities Aura offers for improving the point of contact with the customer:

“Through models and algorithms that calculate patterns, inferences can be made to know when users will run out of data, what is the most appropriate rate for their circumstances, or what is the next game or movie they will want to watch. Like this, Aura can give user-specific answers.”

Constant progress in natural language processing (NLP), together with the evolution and penetration of smartphones and smart devices, has led to a greater presence of virtual assistants. This is what Aura can do for users as a virtual assistant in the four countries where it is available.

Talk to Aura through different devices in Spain 

In Spain, Aura is natively implemented in devices such as Movistar Home and the Movistar+ voice remote control, giving users access to a wide range of Movistar services. Everything from using the features of Movistar Home and controlling Movistar+ television to opening the Living Apps can be done by voice. Besides these devices, users can interact with the virtual assistant through the Movistar+ app to control Movistar+ content.

Talk to Aura in Brazil: a multi-channel experience

Brazil is the country where the use of Aura is most widespread, since Vivo's artificial intelligence is present in more than 20 channels, including WhatsApp, the Meu Vivo applications, Facebook, the Vivo website and the call centre. Around 40 million queries a month are registered through these channels, most of them via WhatsApp, which has become the reference channel for queries to Aura.

In the channels where Aura is present, customers can interact in writing or by voice, making personalised queries about their bill, data consumption, balance or top-ups, activating promotions or asking about the products they have contracted. Another channel where the Brazilian integration of Aura stands out is the Cognitive Call Center, in which Aura provides personalised telephone service and mainly handles queries from prepaid and Control customers.

Ask Aura in the UK through the o2 website and the My o2 app 

In the United Kingdom, Aura is available under the o2 brand in the help section of the commercial website. Aura gives generic answers to users' questions about data usage, Wi-Fi settings, the location of the nearest o2 store or queries about services and promotions. Aura is also available as a virtual assistant in the My o2 app, where users receive personalised answers about data consumption, monthly bills or available balance.

Aura guides your Facebook and web queries through an authenticated user in Germany

In Germany, users can ask generic questions from O2's Facebook account, which Aura answers automatically. The best way to take advantage of the virtual assistant, however, is through the O2 website, where users can not only ask generic questions but make personalised queries about their available balance and contracted rate, top up, or access their bill information immediately. This is possible thanks to the recent launch on the country's commercial website, where users log in with an authenticated account so that the virtual assistant can answer their queries.

The development and deployment of Aura in these four countries shows that Telefónica is meeting its goal of improving customers' digital lives, simplifying their relationship with the company through artificial intelligence.

Cybersecurity Weekly Briefing July 25-31

ElevenPaths    31 July, 2020

BootHole: Vulnerability in GRUB2

Eclypsium researchers have discovered a buffer overflow vulnerability in the GRUB2 bootloader that can be used to execute arbitrary code during the boot process, bypassing UEFI Secure Boot. It has been named BootHole. The flaw (CVE-2020-10713), rated high severity (CVSS 8.2), affects both Linux and Windows systems, since the vulnerable GRUB2 binaries are signed through the Microsoft UEFI CA that Secure Boot trusts on most machines: an attacker with administrative or physical access could install a malicious bootloader and gain almost total control of the device. Eclypsium warns that mitigating the threat will require new installers and bootloaders for all versions of Linux and Windows, together with updates to the UEFI revocation list (dbx) so that the old signed bootloaders are no longer trusted. Some companies, such as Microsoft, have already issued a security advisory on the issue.

More info: https://eclypsium.com/2020/07/29/theres-a-hole-in-the-boot/

Doki: New Malware Targeting Docker Servers

Intezer researchers have discovered a new backdoor for Docker servers running on Linux, delivered through misconfigured Docker API ports exposed to the Internet, which they have named Doki and which implements a previously unknown technique: an undocumented method of contacting its operator that abuses the Dogecoin cryptocurrency blockchain to generate its Command & Control domain addresses dynamically. Doki managed to stay hidden for over six months even though samples were publicly available on VirusTotal.

More details: https://www.intezer.com/container-security/watch-your-containers-doki-infecting-docker-servers-in-the-cloud/

Emotet Evolves in the Sending of Mail

Emotet has been found stealing email attachments to make the messages used in its campaigns look more authentic. This is the first time the malware has used this technique: there was no attachment-stealer module in its code before, and according to Marcus ‘MalwareTech’ Hutchins it was added around 13 June. Since it was first identified in 2014 as a banking Trojan, Emotet has evolved into a malware botnet that threat actors use to deliver other malware families. After five months of inactivity it has come back to life with massive mail campaigns disguised as payment reports, invoices or shipping information, infecting victims with the TrickBot Trojan or, more recently, with QakBot.

Learn more: https://www.bleepingcomputer.com/news/security/emotet-malware-now-steals-your-email-attachments-to-attack-contacts/

Alerts on Cyberattacks and Industry Vulnerabilities

The U.S. National Security Agency, together with the Cybersecurity & Infrastructure Security Agency (CISA), has warned of the possibility of imminent cyberattacks against the industrial sector. The warning cites the 2017 TRITON attack, which targeted Safety Instrumented Systems (SIS), the last line of defence for OT environments, and could inspire similar attacks. For its part, ICS-CERT has issued an advisory about several vulnerabilities in Schneider Electric's Triconex SIS, the most critical of which, CVE-2020-7491, has a CVSS v3 score of 10. It corresponds to improper access control that would allow unauthorised access and a potential takeover by a threat actor. Schneider Electric has already fixed these issues in the latest versions of its TriStation and Tricon Communication Module (TCM) products. ICS-CERT nonetheless stresses that OT devices are often not updated and were not designed to the security standards that current attacks demand.

For more information: https://us-cert.cisa.gov/ncas/alerts/aa20-205a

Cerberus Trojan Source Code Goes to Auction

The Cerberus Trojan development team has broken up and the malware's source code is going to auction, according to a post by the team on a Russian underground forum. Cerberus is a Trojan that mainly targets Android and has been operating since 2019; according to one of its operators it was generating about $10,000 a month in profit. After infecting a device, the Trojan displays overlays on top of banking applications to steal credentials, which it sends to its Command & Control (C2) servers. It has even shown the ability to intercept multi-factor authentication (MFA) mechanisms. The announcement says the threat actors expect to make up to $100,000 from the sale, offering the whole package to the highest bidder, including the malicious .apk and the C2 servers.

For more information: https://www.zdnet.com/article/cerberus-banking-trojan-team-breaks-up-source-code-goes-to-auction/

Artificial Intelligence: a companion to fight loneliness

Olivia Brookhouse    30 July, 2020

Today is International Friendship Day, a day to celebrate all those around us who bring us joy every day. While we might imagine young people celebrating the most, posting on social media and sharing photos in their group chats, they may actually feel lonelier than we think. 40% of the 16-24 year olds surveyed last year reported that they often or very often feel lonely, despite being in frequent contact with their friends, compared with only 27% of over-75s. So why are friends so important, and how can AI help?

The importance of friendship

Friendship is the ultimate antidote to loneliness. It helps protect the brain and body from stress, anxiety and depression, and being able to choose our friends means we can surround ourselves with positive people. Anyone who has been through a significant milestone in life will know how good it feels to share it with those closest to them.

Research shows that you only need 4 or 5 really close friends to see the health and social benefits. But many people find it hard to put themselves out there to meet new people.

So we ask ourselves: how can technology, and more specifically artificial intelligence, provide a solution to loneliness among young people, or give them the confidence to go out and make human friends?

Can technology help?

While many may believe that technology and more screen time are not the answer to youth loneliness, technology is already integrated into most areas of young people's lives. Therefore:

  1. AI companions will be integrated into young people’s existing social lives and social platforms
  2. As digital natives, young people are the most open to AI companions

They are digital natives, and therefore technology must be part of the solution. Denying the good that technology could do is ignorant; we must put ourselves in the shoes of young people, for whom technology runs through their veins. Screens can both isolate and connect, depending on how they are used. Two of the most popular forms of content are gaming and social media, both of which rely heavily on users directly interacting with and participating in the content. In gaming in particular, participants are in constant interaction, working together and learning new skills.

The reality is that young people's lives run online, so the solution must be built within their existing structures to have a real effect.

The AI chatbot to the rescue

AI chatbots, like those we often see on our favourite retail sites, can quickly become attuned to our emotions and thoughts in order to provide support.

“The primary goal of social chatbots is to be AI companions to serve users’ needs for communication and emotional support.”

Artem Rodichev, Replica 

Emotion AI, also known as affective computing, dates back to 1995 and refers to the branch of artificial intelligence that aims to process, understand and even replicate human emotions. It seeks to improve natural communication between humans and machines, creating AI that communicates in a more authentic way.

Using natural language processing, these chatbots can process, understand and respond to language in an authentic way to offer personalised support. Over time the AI learns patterns in your speech and remembers key facts, much as a friend would. AI and neuroscience researchers agree that current forms of AI cannot have emotions of their own, but they can mimic them, including empathy. Synthetic speech also helps reduce the robotic tone many of these services have, making them sound more realistic.

Replica is one of the leading companies in the field. Its app has over 2 million sign-ups and currently reports an 85% satisfaction rate. Users can send photos, chat about their day, work through their problems and receive meaningful responses in return. Each chatbot has an individual personality to keep conversations consistent and to offer “real” opinions on given subjects based on the personality type it has been assigned.

Applications of this kind could have a great effect on mental health and loneliness. It would be amazing to see such platforms integrated into existing social media apps to provide an integrated solution.

Does this mean that AI can replace human beings in this sense?

Gershenson, who holds a doctorate in the design and control of self-organising systems from the Vrije Universiteit Brussel, says that although AI has beaten humans in some areas, such as chess, we are a long way from a machine replacing a human.

Even though the technology is capable of learning what empathy is, these systems are not people and they don’t care about anything. They can learn, but they cannot develop real feelings as we humans do. What they show may be similar to what a person can show, but it is not the same. Human company will always be required too!

Read the post in Spanish here

To keep up to date with Telefónica’s Internet of Things area, visit our web site or follow us on Twitter, LinkedIn and YouTube.

#CyberSecurityReport20H1: Microsoft Fixes Many More Vulnerabilities, but Detects Far Fewer

Innovation and Laboratory Area in ElevenPaths    28 July, 2020

Currently, there are a number of reports addressing trends and summaries on security. However, at ElevenPaths we want to make a difference. Our Innovation and Labs team has just launched another release of our own cybersecurity report, summarizing the most significant information from the first half of 2020. The report’s philosophy is to provide a global, targeted and useful vision of the most significant data and facts on cybersecurity. It is addressed to cybersecurity professionals and enthusiasts, in a simple and visually appealing format.

Given all the above, this report aims to summarize the latest information on cybersecurity (ranging from security on mobile phones to cyber risk, from the most important news to the most technical items and the most common vulnerabilities), while covering most aspects of the field, in order to help readers understand the risks of the current outlook.

The information presented here is mostly based on the collection and synthesis of internal data that has been contrasted with public information from sources considered to be of quality. Let’s examine below some points that we consider important.

#CyberSecurityReport20H1: General Data

With regard to Microsoft, the total number of bugs discovered and fixed is more than 600 during this half-year. We consider that most of these flaws may come from vulnerabilities found as 0-days or under other circumstances where the author is not known and the vulnerability has not been reported anonymously. In such cases, Microsoft does not attribute the finding to anyone in particular. This difference between attributed and ‘non-attributed’ vulnerabilities (which is not the same as ‘anonymous’) is represented in the following chart.

Qihoo again leads the list, with a total of 237 vulnerabilities reported to Microsoft so far this year. But compared to the previous quarter, the numbers have changed substantially.

Qihoo and ZDI report the highest number of vulnerabilities but Google falls heavily. While last half year it was in fifth place, this half year it has fallen to 14th place. Microsoft, which was in third place, falls to sixth. Google goes from discovering 35 in the last half of 2019 to only 5 in this first half of 2020. Microsoft drops from 48 to 17.

Has the pandemic impacted the major vendors? Have they spent less time on vulnerability research? On the contrary, Qihoo not only continues to be the first company to find Microsoft security flaws, but has also substantially multiplied its number, from 79 to 237 this half year.

Especially if we compare it to the previous semester:

Smartphone Vulnerabilities

This time it is worth noting the statements of the exploit acquisition company Zerodium, which reported that it was temporarily suspending the purchase of iOS exploits due to a high number of submissions. iOS 13 has not been a good version.

Alternatively, researchers can submit their findings to Apple’s security reward program (Apple Security Bounty), open to the public since late December last year. Rewards range from $5,000 to $1 million.

In total, 60 CVEs have been patched on iPhone in the previous half year. Of these, 5 were critical and allowed arbitrary code execution. Figures show a clear decrease (although we must wait for the second half of the year), but it has not been a good year for iOS in terms of security.

On the other hand, the number of vulnerabilities leaves no room for doubt. Android is a popular platform for vulnerability hunters. This does not mean that it should be considered insecure. It is simply more attractive or interesting for various reasons, including the reward program and the marketing of exploits.

Concerning the BitSight data, in Spain the leading malware is very different from that of the other European countries. Malware families such as AllSharezDownloader and AndroidBauts are leading, while in the rest of Europe they are not representative.

More Conclusions

  • In the field of smartphone security, the high number of exploits for iOS 13, the announcement of iOS 14 and Android fragmentation have marked the first half of 2020.
  • With regard to vulnerabilities and weaknesses, there has been a clear decrease in the figures for vulnerabilities (especially Level-10 ones) but the three vendors with the highest number of associated CVEs remain the same. Regarding weaknesses, those where insufficient or no security configuration is key in the management of user permissions stand out, allowing an escalation of permissions.
  • The APT groups have also introduced the “SARS-CoV-2” factor in their operations, some to make a profit, and others in cyberespionage operations to find out “the truth” about the virus.
  • This half year Microsoft has exceeded 100 fixed vulnerabilities every month. Qihoo has identified 237, many more than in the previous quarter, largely displacing Microsoft itself and Google, which were the other companies that found the highest number of bugs in Microsoft software.
  • BitSight’s data shows that the unbreakable Conficker is once again on the throne of the most aggressive threats, while we also note a worrying fact: In most sectors there is a substantial increase in the time required to neutralize a threat.

You can access the full report on our website.

Conti, the Fastest Ransomware in the West: 32 Parallel CPU Threads, but… What for?

Sergio de los Santos    27 July, 2020

Anyone who thinks that “retail” ransomware that infects system users and claims a ransom is a threat may not be aware of the ransomware used against company networks. After years among us, ransomware has developed. It has industrialised, specialised and acquired a sophisticated appearance to target far more lucrative victims. Conti, the fastest ransomware, is just one example of the speed at which these families are developing. Let’s look at some of its tricks and why they are used.

Carbon Black has led the analysis of Conti’s latest version, discovering new levels of sophistication. The real action and true innovation in malware takes place in attacks directed at companies. These attacks are usually disguised as regular e-mails with attached files, such as an Excel or Word file with macros or one that exploits Office vulnerabilities.

They move laterally until they become attached to a specific server and wait to strike. From here, they launch data hijacking attacks and ask for millionaire ransoms in exchange for the company to continue with its normal operation. The crafted ransomware that affects user systems is an annoying prank compared to this. But let’s see how these attackers have become more sophisticated and why.

The Fastest in the West

Conti uses 32 simultaneous CPU threads. These allow it to encrypt a whole hard-disk quickly or any other file that gets in its way. It is like sending 32 copies of a “normal” ransomware in parallel. Why do they do this? Why do they want to go so fast?

These attacks are usually launched once the attackers are already located on a powerful server with all the privileges within the company’s network (normally on the local domain controller). The system is assumed to be powerful in CPU and capable of launching all these threads. It also allows the ransomware to attack systems with hard disks that store large amounts of data (including backups). The faster the ransomware, the easier it is to go unnoticed by any alert system, whether reactive or preventive. By the time it fires, it will always be too late.

Hide the Hand That Throws the Stone

Another interesting feature of Conti is that, again attached to a server, it can attack the surrounding network and encrypt the shared drives of neighbouring systems. In this way, network administrators will not know where the attack is coming from because it is natural to think that the machine containing the encrypted files is the infected one. Not at all: patient zero can be far, triggering very fast encryptions willy-nilly.
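The two points above (encryption fast enough to outrun alerting, and shares encrypted from a patient zero elsewhere on the network) are exactly where a file-server audit trail helps a defender. The following is an added example, not from the article or from Carbon Black’s analysis: a small Python burst detector over constructed share-audit lines that reports the client that rewrote the files, not the server holding them; the log format, field names, thresholds and IP addresses are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import ntpath

WINDOW = timedelta(seconds=10)   # assumption: rewrites faster than this are suspicious
THRESHOLD = 20                   # assumption: distinct files in one window
SKIPPED = {".exe", ".dll", ".lnk", ".sys"}   # types the article says Conti leaves alone

def parse_event(line):
    """Parse one constructed audit line: 'iso_ts|server|client_ip|user|op|path'."""
    ts, server, client, user, op, path = line.rstrip("\n").split("|", 5)
    return {"ts": datetime.fromisoformat(ts), "server": server,
            "client": client, "user": user, "op": op, "path": path}

def detect_bursts(lines, window=WINDOW, threshold=THRESHOLD):
    """Return (client_ip, server, n_files, first_ts) for every client that
    rewrites >= threshold distinct non-executable files on one server within
    `window`; the client, not the file server, is the likely patient zero."""
    events = sorted((parse_event(l) for l in lines), key=lambda e: e["ts"])
    recent = defaultdict(list)           # (client, server) -> [(ts, path), ...]
    alerted, alerts = set(), []
    for e in events:
        if e["op"] != "write" or ntpath.splitext(e["path"])[1].lower() in SKIPPED:
            continue
        key = (e["client"], e["server"])
        bucket = recent[key]
        bucket.append((e["ts"], e["path"]))
        while e["ts"] - bucket[0][0] > window:   # slide the window forward
            bucket.pop(0)
        distinct = {p for _, p in bucket}
        if len(distinct) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append((e["client"], e["server"], len(distinct), bucket[0][0]))
    return alerts

def sample_events():
    """Constructed log lines: a user editing three documents over a minute, one
    tool.exe write (ignored), and one client rewriting 25 spreadsheets in 4 s."""
    t0 = datetime(2020, 7, 27, 9, 0, 0)
    lines = [f"{(t0 + timedelta(seconds=30 * i)).isoformat()}|FS01|10.0.1.8|alice"
             f"|write|\\\\FS01\\docs\\report{i}.docx" for i in range(3)]
    lines.append(f"{t0.isoformat()}|FS01|10.0.5.23|svc_backup|write|\\\\FS01\\bin\\tool.exe")
    lines += [f"{(t0 + timedelta(milliseconds=160 * i)).isoformat()}|FS01|10.0.5.23"
              f"|svc_backup|write|\\\\FS01\\finance\\q{i}.xlsx" for i in range(25)]
    return lines

if __name__ == "__main__":
    for client, server, n, first in detect_bursts(sample_events()):
        print(f"ALERT {client} rewrote {n} files on {server} starting {first}")
```

The alert names 10.0.5.23 as the origin even though every encrypted file lives on FS01, which is the distinction the article says administrators tend to miss.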

Avoid Making Noise Using ARP

To find out which machines are around you, there are two options: scan the IP addresses of the network itself by going through the whole range, or run arp -a and read which machines the system has recently contacted. The second is far quieter, and it is exactly what Conti does.

For Conti, a Locked File Is Not a Problem

If you are on a server with a rich database, normally your data will always be “locked” by the operating system or the database itself. Encrypting them will be impossible because you cannot handle a file that belongs to a process holding it exclusively. From the attackers’ point of view: How to encrypt it then?

First, Conti kills any process with “sql” in its name. In addition, this ransomware uses a trick that very few families use to encrypt the files: the Windows Restart Manager, the mechanism that Windows itself uses to cleanly stop processes before shutting down the operating system. It is like having Windows kill the processes cleanly as it does before rebooting, but without the need to reboot.

And this is also where you need speed and the reason for having 32 threads. Killing a critical process is very noisy, administrators will notice right away that something is going wrong. From a malware point of view, if you have a lot of heavy files, the best option is to encrypt them quickly after killing the parent process if you want to achieve your goal.

Encrypts All Extensions Except exe, dll, lnk, and sys

Conti is very aggressive. Most “homemade” ransomware looks for potentially useful extensions for the victim. Documents, photos, data, etc. Conti encrypts everything but executables, binaries, and drivers. To speed up, it avoids some system directories.

Of course, all this does not mean the ransomware lacks the usual technologies for this type of attack, from the deletion of shadow copies (although in a special way) to the public keys that encrypt the 256-bit AES key embedded in each encrypted file. Finally, the analysis of this sample is all the more valuable because it is known to obfuscate its own code in a special way: Conti tries to hide every string and every system API call, each with a different algorithm and different keys, amounting to up to 277 functions (algorithms) used internally only to de-obfuscate itself “on the fly”.