Telefonica’s ElevenPaths Expands its Collaboration with Fortinet to Improve Industrial Sector Security

ElevenPaths    16 June, 2020

ElevenPaths and Fortinet partner to improve cybersecurity in infrastructure and industrial processes by delivering comprehensive OT, IT and IoT solutions to its customers

ElevenPaths, the cybersecurity company of Telefónica Tech, and Fortinet, a global leader in broad, integrated and automated cybersecurity solutions, announced today the expansion of their collaboration to offer new managed security services for industrial sector customers, providing advanced security for their operational technology (OT), information technology (IT) and Internet of Things (IoT) environments.

Through this expanded partnership, ElevenPaths is leveraging the Fortinet Security Fabric’s solutions for industrial control systems to meet organizations’ growing demand for managed security services that ensure OT and IT environments are protected and compliant. ElevenPaths will offer its customers Fortinet’s OT security solutions, with best-of-breed threat protection for corporate IT environments that extends from the data center to the cloud and the network perimeter, combined with the global reach and extensive experience of Telefónica’s security professionals, to provide the best service to the different industrial sectors.

“Many of our clients are undergoing digital transformations where OT and IoT technologies play a leading role. Although there are significant benefits to these technologies, they also introduce greater exposure to security risks that must be properly managed and addressed. Fortinet’s technology is an integral part of our cybersecurity offerings and strategy to ensure we’re addressing our customers’ new and growing security risks,” said Alberto Sempere, Director of Product and Marketing at ElevenPaths.

Fortinet has the most comprehensive suite of solutions for the protection of industrial environments in the cybersecurity market. As an established leader in OT security and safety, Fortinet is able to address a wide range of challenges from siloed IT and OT environments, providing instant protection of vulnerabilities and secure remote access, thus addressing the cybersecurity, safety and reliability challenges being faced by the OT industry.

“Fortinet and ElevenPaths have a longstanding partnership, working together to help our customers secure their rapidly evolving digital innovations. We’re thrilled to further expand our collaboration to combine ElevenPaths security services with Fortinet’s broad, integrated and automated Security Fabric capabilities to provide advanced security to OT networks and critical infrastructures,” said John Maddison, Executive Vice President of Products and CMO at Fortinet.

ElevenPaths is positioned as a leader in cybersecurity for industrial environments, bringing the knowledge of its multidisciplinary teams of experts, the capacity of its intelligent MSSPs that offer global managed services, as well as its experience as a critical communications operator and a provider of physical security services to offer a differentiating digital security proposal to its customers worldwide.

“The challenge of digitalization in the industrial sector is a reality in Latin America markets. Despite being a sector that is more resistant to change and evolving at a slower technological pace, the words savings, optimization, acceleration, and improvement are starting to be among the main concerns of OT and IT leaders. A partner, like ElevenPaths, that can reach the market, is key to supporting industrial sectors with Fortinet solutions to minimize cybersecurity risks, allowing organizations to take advantage of the visibility and added value delivered by new technologies to monitor and optimize real-time production processes, making them safer, simpler, more efficient and profitable,” said Joao Horta, Vice President of Sales to Service Providers at Fortinet for Latin America and the Caribbean.

Fortinet and ElevenPaths have been working together for several years, and in June 2016 they strengthened their collaboration by incorporating Fortinet’s Security Fabric platform into ElevenPaths’ managed security services. Now ElevenPaths will be leveraging Fortinet’s IT, OT and IoT security solutions, further expanding their strategic partnership. ElevenPaths is an MSSP Expert Partner working together in Europe and Latin America to strengthen the security of mutual customers.

ElevenPaths is also a Fabric-Ready technology alliance partner in Fortinet’s Open Fabric Ecosystem. The Fortinet Open Fabric Ecosystem is one of the largest in the cybersecurity industry with over 360 technology integrations, and extends the benefits of the Security Fabric to mutual customers, and enables them to attain advanced and comprehensive security across their infrastructure. 

Cybersecurity is one of the digital services offered by Telefónica that has recently been integrated, together with cloud and IoT/Big Data, into Telefónica Tech, a new unit that brings together these three businesses with high growth potential, focused on supporting its customers with their digital transformation.  


Vendetta Group and the COVID-19 Phishing Emails

Miguel Ángel de Castro    15 June, 2020

In April 2020, a new player came onto the cybercrime scene: the group called Vendetta. It has been observed to be a prolific group focused on email campaigns, mainly themed around Covid-19.

Their targets are distributed all over the world, and their attacks have been detected in countries such as Australia, Mexico, Egypt, Romania, Austria and China. Vendetta chooses targets from the technology, business and government sectors that handle sensitive information. They have shown remarkable skill in this phase, carefully selecting and analysing their targets.

Their standard attack procedure consists of sending malicious email attachments containing malware that allows full control of the victim’s system and theft of information from it. The phishing emails are designed with great accuracy, including correct details and a well-studied, targeted message that takes into account the global context on which the deception is based.

The malware used is not entirely self-developed; it also contains commercial software. It is versatile and has a low detection rate thanks to the use of packers and to final payloads that live only in memory. The malware first installs an access point (usually a .NET sample) protected by several layers of known and unknown packers, which then injects different modular RATs into memory. Finally, the malware gives the intruder total control of and persistent access to the target network via a C2 server. This group also performs additional delivery using hacked websites and its own infrastructure.

Vendetta Covid-19 Campaign

We have analysed the campaign of attacks carried out by this group during the period 03-05-2020 to 09-05-2020 within the Covid-19 context. Below, we describe the analysis of a phishing email attack impersonating the director of the Taiwanese CDC. As a result of the analysis, we discovered more than 134 malware samples, and multiple URLs and domains, with strong links to the Vendetta group.

Initial Discovery: Taiwan CDC Director Impersonation Attack

The email was first analysed at 2020-05-03T22:43:15 from Taiwan. Antivirus detections of the email were very low. As can be read in the mail, the letter appears to be signed by Chou Jih-haw, General Director of the Taiwan Centers for Disease Control and Prevention. From the language used and the content, we can see that it is an attack aimed at citizens of Taiwan: they are urged to undergo Covid-19 tests at a Taiwan Centers for Disease Control site. Given the behaviour of this group when selecting its victims, it may be assumed that the attack was targeted at the Taiwanese CDC itself.

Once the email is translated, we can read:

The quality and attention to detail of the email must be noted; this is a characteristic feature of the Vendetta group and quite unusual in regular phishing campaigns, which usually contain typographical errors, grammar mistakes, etc. It shows how specifically the attack was targeting the Taiwan CDC and the effort the Vendetta group puts into its attacks.

Among the attachments we find a cdc.pdf.iso file containing the malware that the attackers used to infect the victims.

TYPE   | INDICATOR                                                        | NAME        | DESCRIPTION
SHA256 | 0aa87ed22e193e1c6aa9944cf1b9e88ec4ae6a5b3f975e3fb72c0f5b06b864f2 | 1349628.eml | Email with malware attachment
SHA256 | 51B0165FBA9CF8E0B7BFEBDC33E083ECC44D37CDBB15B5159B88B71E52B0255B | cdc.pdf.iso | Zipped file containing malware
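As an added example (not code from the original post), the following script parses an .eml with Python’s standard email module and flags attachments that arrive in a container format or carry a decoy double extension, the cdc.pdf.iso pattern seen in this campaign. The message it builds is constructed for the demo, and the extension lists are assumptions of mine rather than any vendor’s rule set.

```python
import email
import email.policy
from email.message import EmailMessage

# Extension lists are assumptions for this demo, not a vendor's rule set.
# Containers: formats that let an executable arrive without being seen as one.
CONTAINER_EXTS = {"iso", "img", "vhd", "vhdx", "zip", "7z", "rar", "cab"}
# Script/executable types that run directly when opened.
EXEC_EXTS = {"exe", "dll", "scr", "js", "jse", "vbs", "vbe", "hta", "ps1", "bat", "cmd"}
# Decoy document types that appear in front of the real extension (cdc.pdf.iso).
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt"}


def classify_attachment(filename: str) -> list:
    """Return the reasons an attachment filename looks suspicious (empty if none)."""
    parts = filename.lower().split(".")
    reasons = []
    if len(parts) < 2:
        return reasons
    ext = parts[-1]
    if ext in CONTAINER_EXTS:
        reasons.append("container format ." + ext)
    if ext in EXEC_EXTS:
        reasons.append("directly executable ." + ext)
    # A decoy document extension sitting right before a container/executable extension.
    if len(parts) >= 3 and parts[-2] in DECOY_EXTS and (ext in CONTAINER_EXTS or ext in EXEC_EXTS):
        reasons.append("double extension .%s.%s (decoy .%s)" % (parts[-2], ext, parts[-2]))
    return reasons


def triage_eml(raw: bytes) -> list:
    """Parse a raw RFC 5322 message and classify every attachment it carries."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        findings.append((name, classify_attachment(name)))
    return findings


def build_sample_eml() -> bytes:
    """Constructed message mimicking the shape of the campaign email (not the real one)."""
    msg = EmailMessage()
    msg["From"] = "constructed-sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "COVID-19 testing notice (constructed sample)"
    msg.set_content("Please see the attached document.")
    # Payload bytes are a placeholder, not a real ISO image.
    msg.add_attachment(b"\x00" * 32, maintype="application",
                       subtype="x-iso9660-image", filename="cdc.pdf.iso")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reasons in triage_eml(build_sample_eml()):
        print(name, "->", "; ".join(reasons) if reasons else "no findings")
```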

Malicious Content Analysis

Once the malicious file cdc.pdf.iso has been extracted, we obtain the file cdc.exe, developed in .NET and packed using an unknown packer. This threat is called RoboSki.

As we can see in the following screenshot, the malware uses a section of the binary to hide other components used by this threat. This is a method commonly used by Vendetta for creating its threats.

Once the sample is executed, the malware creates in memory a .DLL file containing a .png image, which in turn contains the shellcode encrypted in the pixels of the image.

When the shellcode has been executed, the malware drops the next payload in memory: the ReZer0 malware, packed using Eazfuscator.

After a series of memory dumps of different obfuscated payloads, unpacked and analysed in turn, we concluded that the final payload is the Nanocore RAT, as can be read in the project name.

TYPE   | INDICATOR                                                        | NAME                 | DESCRIPTION
SHA256 | 0aa87ed22e193e1c6aa9944cf1b9e88ec4ae6a5b3f975e3fb72c0f5b06b864f2 | 1349628.eml          | Email with malware attachment
SHA256 | 51B0165FBA9CF8E0B7BFEBDC33E083ECC44D37CDBB15B5159B88B71E52B0255B | cdc.pdf.iso          | Zipped file containing malware
SHA256 | d5d3cf535b3313077956d5708225cf8029b039ed0652ee670ce25ea80d2b00c0 | Cdc.exe              | .NET packed PE file containing the RoboSki malware, attributed to the Vendetta group
SHA256 | 19B5353BF8A69A64536C865A4890B69EE1DCD59445968E1CFD94C62E1A97B11E | Cdc.exe_unpacked.exe | Unpacked .NET PE file containing the Nanocore malware
IP     | 172.111.188.199                                                  |                      | C2 server

Links with Vendetta group

The malicious attachment has been attributed to the Vendetta group due to the following factors:

  • The attack tree observed for the Vendetta group always follows the same pattern:
    • High-quality, carefully crafted phishing email
    • .NET malware RoboSki as the first stage
    • ReZer0 malware observed in memory
    • ReZer0 drops the next stage of the attack in memory, in this case the Nanocore RAT
  • C2 IP 172.111.188.199, previously used by this group.
  • A PDB path that contains the username Vendetta.
  • Common resources in the samples used by this group: the CxFlatUI project (available on GitHub, by the user “HuJinguang”) is used by the Vendetta group as the code base for its threats.
  • As a result of using CxFlatUI as the code base, the EXIF metadata CompanyName and FileDescription values match those of other samples belonging to this group.
  • Intezer genetic malware analysis: genes and strings belonging to the Vendetta group were identified in the analysed sample.

Pivoting on the CompanyName and ProductDescription values, the payload extracted from memory, etc., it has been possible to detect 134 samples that can be directly related to Vendetta. The group used them initially (they were seen for the first time) between 3rd and 9th May 2020.

The tools used by the Vendetta group are mainly Nanocore RAT, AgentTesla, Remcos, Formbook and ReZer0, but we also find Azorult, Warzone RAT (Ave Maria) and Hawkeye, and to some extent generic malware samples. They use different custom packers as well as known ones such as ConfuserEx, Eazfuscator, IntelliLock or ILProtector.

The following picture shows the cluster graph resulting from the genetic analysis of the 134 samples related to Vendetta. It shows how this group uses the different types of RATs that we have identified as belonging to the Vendetta arsenal.

We found a sample that does not fit the usual pattern: this time it is not a .NET PE32 executable for MS Windows but an MZ executable for MS-DOS. The language detected in the resources of this binary includes UK English and US English, whereas that value is generally neutral in the .NET samples analysed.

As far as the certificate is concerned, there is a certificate chain, but it ends in an untrusted root certificate.

TYPE    | INDICATOR                                                        | NAME           | DESCRIPTION
SHA256  | 080ff06496d8b6b5e6307059e378ed7052e381a6f130d89385c778edf32ae996 | Vdnoenr.exe    | Predator the Thief
SHA256  | 9fbb3df3c9b58626be3f9e66e8b4abd811a8069839374ade15cc405eb3b4d816 | sr3S0CjtBE.exe | Vdnoenr.exe unpacked
MUTEX   | cjF0OHM0                                                         |                | Mutex created
MUTEX   | IESQMMUTEX_0_208                                                 |                | Mutex created
DOMAIN  | bbc-news-uk1.space                                               |                | DNS resolution

We also found text strings related to AutoIt, a tool widely used to build the initial dropper because of its antivirus evasion properties:

“AutoIt supports the __stdcall (WINAPI) and __cdecl calling conventions.  The __stdcall (WINAPI) convention is used by default but __cdecl can be used instead.  See the DllCall() documentation for details on changing the calling convention.”

“AutoIt has detected the stack has become corrupt.”

Once analysed, we observe that it has been packed using mpress_packer 2.19 and contains a large amount of code from Predator the Thief, a very versatile commercial infostealer, both for its wide range of features and for its modular design.

After the analysis of the communications made by the 134 related binaries, several indicators of compromise belonging to the Vendetta’s malicious infrastructure have been obtained. The complete list of associated indicators can be found in Annex 1.

Conclusions

After the analysis, we can conclude that the Vendetta group stands out not so much for the use of very new pieces of malware, since they generally work with commercial products from the malware market, but for the special emphasis they place on the reconnaissance and preparation phases. They select targets for specific campaigns rather than mass distribution, and let the context, in this case the one created by Covid-19, play in their favour.

They prepare emails with great attention to the details and care, both visually and in terms of the content, using different languages and with a tone of urgency and authority that undoubtedly increases the chances of success in this type of attack.

Annex 1: IOC related to Vendetta group

Cybersecurity Weekly Briefing 6-12 June

ElevenPaths    12 June, 2020

Enel and Honda Compromised by Snake Ransomware

Italian energy corporation Enel and Japanese automotive giant Honda were hit last weekend by ransomware attacks that reportedly impacted their IT systems. According to the analysis carried out by the independent researcher @milkr3am on the basis of two malware samples uploaded to VirusTotal, the compromises are attributed to the Snake ransomware (also known as Ekans). The research on the attack vector is inconclusive, but other sources suggest it was likely the public exposure of Remote Desktop Protocol (RDP) services at both companies. Regarding Enel, only its Argentinean subsidiary, Edesur, has admitted to suffering a computer issue that is “making it difficult to help clients by telephone, social networks and the use of the Virtual Office”. For its part, Honda has admitted to BleepingComputer that it is experiencing issues within its computer network, while stressing that production continues smoothly and that the impact on customers is zero. Researchers estimate that the affected networks include both Europe and Japan. Snake is a ransomware that emerged at the end of 2019 and has among its modules specific capabilities to terminate processes associated with ICS/SCADA software. Last month, a major distribution campaign was reported, affecting at least one other large corporation in the health sector, the German company Fresenius.

More info: https://twitter.com/milkr3am/status/1269932348860030979

New Campaign Impersonating the Spanish ITSS

In the last few hours, a new fraudulent campaign has been detected that tries to impersonate the Spanish Labour and Social Security Inspectorate. This time, the e-mails come from the senders @itss.se, @itss.com, @itss.es and @itss.app, and the subject of the message is “Denuncia Oficial XXXXXX, se inició una investigación contra su empresa” [Official Complaint XXXXXX, an investigation against your company has been launched]. The messages report an alleged investigation of the company for possible infringements and state that the complaints are attached in the Excel document included in the email. If a victim opens this malicious document and enables its execution, they will be infected with malware belonging to the Smoke-Loader family, which has password-theft functionality.

More info: https://s2grupo.es/es/campana-de-phishing-inspeccion-de-trabajo-seguridad-social/

SAP Bulletin – June 2020

SAP has released its June 2020 Security Patch Day with two critical vulnerabilities, four high severity and 12 medium severity. The following are particularly noteworthy:

  • CVE-2020-1938: with a CVSSv3 score of 9.8, this is a vulnerability in the Tomcat JSP engine and servlets that abuses the trust Tomcat places in HTTP requests arriving through the AJP connector. It can be exploited to access arbitrary files from anywhere in the web service and have them processed as JSP, leading to remote code execution.
  • CVE-2020-6265: with a CVSSv3 score of 9.8, this is a default-credential vulnerability (hard-coded credentials) in SAP Commerce and SAP Commerce Datahub that allows access control to be bypassed if the default credentials are known.

Exposure is maximum for both vulnerabilities: they have low attack complexity, so they can be exploited without prerequisites or user interaction, and they have maximum impact on the CIA triad.
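As an added example (not from the original briefing), the following script audits a Tomcat server.xml for the AJP connector conditions that CVE-2020-1938 depends on and shows the weak configuration beside the hardened one. The server.xml fragments are constructed; the attributes address, secretRequired and secret are real Tomcat connector attributes, and the assumption that a missing address means listening on all interfaces reflects Tomcat builds before 9.0.31.

```python
import xml.etree.ElementTree as ET

# Constructed server.xml fragments (not from any real deployment).
# The first is the classic shape of older Tomcat builds: AJP enabled,
# reachable on all interfaces, no shared secret. The second is the hardened form.
WEAK_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>"""

HARDENED_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
               address="127.0.0.1" secretRequired="true" secret="PLACEHOLDER_RANDOM_SECRET" />
  </Service>
</Server>"""


def audit_ajp_connectors(server_xml: str) -> list:
    """Return one finding per AJP connector as {"port": ..., "issues": [...]}.

    Assumptions: a missing address attribute is treated as listening on all
    interfaces (the behaviour of Tomcat before 9.0.31); a missing secret is
    reported even though newer Tomcat refuses to start without one, because the
    audited file may be deployed on an older build.
    """
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        protocol = conn.get("protocol", "HTTP/1.1")
        if "AJP" not in protocol.upper():
            continue
        issues = []
        address = conn.get("address")
        if address is None or address in ("0.0.0.0", "::"):
            issues.append('reachable on all interfaces (set address="127.0.0.1" or remove the connector)')
        if conn.get("secretRequired", "true").lower() == "false":
            issues.append('secretRequired="false" disables the AJP shared secret')
        elif not conn.get("secret"):
            issues.append("no AJP shared secret configured")
        findings.append({"port": conn.get("port"), "issues": issues})
    return findings


if __name__ == "__main__":
    for label, xml_text in (("weak", WEAK_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        for finding in audit_ajp_connectors(xml_text):
            print(label, "AJP connector on port", finding["port"], "->", finding["issues"] or "OK")
```

If AJP is not used by a front-end such as Apache httpd, removing the connector altogether is the simplest fix.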

More info: https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=547426775

New Vulnerabilities in the SMB Protocol

Two significant publications affecting vulnerabilities in the SMB protocol have been released in the last hours:

  • Firstly, ZecOps analysts have discovered a new vulnerability, SMBleed (CVE-2020-1206). This is a bug that allows data to be remotely extracted from kernel memory and, if used together with SMBGhost, can cause remote code execution prior to authentication. This bug affects only very recent versions of Windows and is neutralized by the same mitigations implemented for patching SMBGhost.
  • On the other hand, a remote code execution vulnerability (CVE-2020-1301) has been detected. It exploits a bug in the SMBv1 protocol, the use of which is not recommended by Microsoft. An attacker authenticated with credentials to access a remote network folder could execute code of their choice. The discoverers of the vulnerability point out as a mitigating factor that the share must be a hard drive. It has also been speculated that there might be another path of exploitation which remains unclear. This bug affects all versions of Windows and has been included in the June update bulletin.

More info: https://blog.zecops.com/vulnerabilities/smbleedingghost-writeup-chaining-smbleed-cve-2020-1206-with-smbghost/

eCh0raix: Ransomware Targets QNAP NAS Devices

Bleeping Computer has warned that the eCh0raix ransomware operators have launched a new campaign against QNAP network-attached storage devices. The group’s activity started in June 2019 and decreased in recent months because of competition with other groups, such as Muhstik and QSnatch, that also target QNAP NAS devices. However, and possibly as a result of a publication detailing three critical vulnerabilities in these devices, an increase has been detected in users affected by a ransomware that has finally been attributed to eCh0raix. Traditionally, the group focuses its attacks on exploiting old unpatched vulnerabilities or on brute-forcing weak passwords. Exploits for the new vulnerabilities may have been incorporated, which would explain the upsurge in the group’s activity, so users are advised to update their devices as soon as possible.

More info: https://www.bleepingcomputer.com/news/security/ongoing-ech0raix-ransomware-campaign-targets-qnap-nas-devices/

What role will Data Governance play in the Digital Transformation after COVID-19?

AI of Things    12 June, 2020

The digital transformation process that companies are currently facing is causing a deep cultural change in daily business tasks, organizational processes, business roles and competencies. Making good use of disruptive technologies while minimizing the impact of this digital acceleration on a stable strategy has become a new challenge.

COVID-19 presents an even bigger challenge, and a change of mindset is needed, developing new processes, methodologies and further promoting business continuity.

This need for change management places companies at different preparation or maturity levels to deal with the initiatives that arise. Hence, an assessment of features and capabilities is needed in order to:

  • Identify strengths and opportunities
  • Detect threats and weaknesses
  • Measure and monitor the accomplishment of objectives
  • Establish an action and contingency plan that supports the above mentioned aspects

Fortunately, companies do not start from scratch; they have been working hard in recent years, and finding out their internal capacities to detect environmental needs is a step they have already taken.

Some basic characteristics that will help to define the maturity level of an organization will be the following:

  1. Knowing the business model: having a 360º view of the data types used, their location, criticality and price will facilitate the development of analytical models by means of Machine Learning and Artificial Intelligence techniques, enabling better decision-making. Data Governance divides data into two hemispheres (the business hemisphere and the technical hemisphere) and binds them together in order to act as a necessary enabler for solid models.
  2. Organizational model: decisions are made by the multidisciplinary roles involved in business initiatives. Thus, a channel that promotes Corporate Social Responsibility is needed, and it can be implemented through governance boards that act as a transformation centre.
  3. Converting data into value: minimizing complexity, eliminating redundancies, making data more reusable, and knowing its origins and its lifecycle or lineage requires a comprehensive process of understanding, processing and cleansing tasks that makes it possible to measure and monitor the operational business value.

Bringing together the above aspects helps to unify criteria and ideas, eliminate ambiguities, and speak a common language. Ultimately, it enables a single entry and source of truth that provides trustworthy and reliable results demanded by customers through centralized, decentralized or hybrid business approaches.

As people, we also know about becoming mature, and from Data Governance we feel that there is no better time than now to be more human, caring and closer than ever. We consider that “it is essential to seek for the true master of our lives, that engine machines do not understand, the one does not know about processes but that makes them bigger: our heart”.

Written by Raúl Hernáiz Ortega


Interpretation and Evolution of MITRE ATT&CK: More “Horizontal” Coverage Doesn’t Mean Better Protection

Cytomic Team, unit of Panda Security    10 June, 2020

The MITRE ATT&CK matrix has become the standard for classifying the potential behaviour of adversaries. Its popularity has grown in the last two years. The advantages of this framework for vendors are clear: they can now map, adapt and improve their detection capabilities. The benefits for other cybersecurity actors are clear as well: Red Teams can now better emulate adversary activity, and cybersecurity managers can assess their defences and identify gaps more systematically. ATT&CK is a large knowledge base used to identify the common tactics, techniques and procedures (TTPs) used by advanced persistent threats against computer platforms.

MITRE is now incorporating significant changes into its ATT&CK matrix. On March 31st, as an evolution of the model and part of its roadmap for this year, MITRE released the beta version of the new matrix: new techniques, some discontinued ones, changes in names and descriptions and, perhaps the most novel change, the introduction of sub-techniques, which adds one more level to the structure of the matrix. We now have tactics, techniques, sub-techniques and procedures: in total, more than 340 techniques and sub-techniques mapped onto the 12 tactics that make up the columns of the matrix. A titanic effort by MITRE, which with this update makes available the most complete and systematic catalogue of attacker behaviour to date.

Figure 1. Example of techniques grouping several sub-techniques in the new version of the MITRE ATT&CK matrix (beta)

Using MITRE ATT&CK to Evaluate Security Products

Despite the great progress brought by this initiative, there is some confusion regarding the interpretation of the application of the model, especially when evaluating security solutions.

“ATT&CK assessments should define the type of coverage to be measured, according to the objectives of each assessment. More ‘horizontal’ coverage does not mean better protection.”

Firstly, following the publication of the results of the first EDR-type product evaluation carried out by MITRE in 2018 (called Round 1), some participants (not MITRE) tried to equate the degree of detection coverage of the techniques with higher protection quality or effectiveness. MITRE itself points out that ATT&CK documents the known behaviour of adversaries and does not attempt to be a checklist.

Not all these behaviours can or should be used as the basis for sending alerts or data to an analyst. However, it is tempting for a vendor to display graphs representing a greater degree of coverage of the matrix techniques, regardless of the tactic they belong to. Therefore, the concept of coverage can be misleading. The techniques (and now the sub-techniques as well) can be implemented in many changing ways (procedures) by the attackers, and it is very difficult to know all of them a priori. The result can be different if one or another procedure is evaluated for the same technique and product.

In a study published by OPTIV in 2019, we could verify the different behaviour of several security products when testing several procedures for the same technique versus testing just one (reference). Therefore, more horizontal coverage does not necessarily mean a “better” product.

In fact, not all tactics may have the same weight or importance for an organisation evaluating a given product. For example, if the actual protection capability (including prevention) is being assessed, then special attention should be paid to deeper, more procedural coverage for “left-sided” tactics in the matrix. By doing so, attackers’ attempts to gain initial access to target systems, malicious code execution, or attempts to gain persistence on those systems will be blocked.

These considerations must be established according to the objectives of each organisation when considering the use of ATT&CK. The use cases may be different, and therefore the relative weight and type of coverage for tactics and techniques may be different as well. This is not covered by the framework itself. To complete this point, we should also remember that some evaluations require products to have prevention and blocking functionalities disabled, as occurred in the Round 1 carried out by MITRE, previously mentioned. Otherwise, it would not have been possible to evaluate the detection capabilities of the products.
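As an added illustration of the argument above (not code from the original article), the following script scores two hypothetical products against a small constructed catalogue of ATT&CK techniques: one product detects a single procedure in every technique, the other detects every tested procedure but only for the initial access, execution and persistence techniques. The technique ids are real ATT&CK ids; the procedure counts, detection results and tactic weights are assumptions made for the demo.

```python
# Tactic weights are an illustrative assumption: when the question is
# protection, the "left-sided" tactics of the matrix count more.
TACTIC_WEIGHT = {
    "initial-access": 3.0, "execution": 3.0, "persistence": 2.0,
    "discovery": 1.0, "collection": 1.0, "exfiltration": 1.0,
}

# Constructed evaluation catalogue: technique id -> (tactic, procedures tested).
# The technique ids are real ATT&CK ids; the procedure counts are made up.
CATALOGUE = {
    "T1566": ("initial-access", 4),   # Phishing
    "T1059": ("execution", 4),        # Command and Scripting Interpreter
    "T1547": ("persistence", 3),      # Boot or Logon Autostart Execution
    "T1082": ("discovery", 2),        # System Information Discovery
    "T1083": ("discovery", 2),        # File and Directory Discovery
    "T1005": ("collection", 2),       # Data from Local System
    "T1041": ("exfiltration", 2),     # Exfiltration Over C2 Channel
}

# Constructed results for two hypothetical products: technique id -> procedures detected.
PRODUCT_RESULTS = {
    "wide": {"T1566": 1, "T1059": 1, "T1547": 1, "T1082": 1, "T1083": 1, "T1005": 1, "T1041": 1},
    "deep": {"T1566": 4, "T1059": 4, "T1547": 3, "T1082": 0, "T1083": 0, "T1005": 0, "T1041": 0},
}


def horizontal_coverage(results: dict) -> float:
    """Share of techniques with at least one detected procedure (the 'coloured cells' number)."""
    covered = sum(1 for tid in CATALOGUE if results.get(tid, 0) > 0)
    return covered / len(CATALOGUE)


def procedural_coverage(results: dict, weights: dict = TACTIC_WEIGHT) -> float:
    """Tactic-weighted share of tested procedures that were detected, technique by technique."""
    num = den = 0.0
    for tid, (tactic, n_procs) in CATALOGUE.items():
        w = weights[tactic]
        num += w * min(results.get(tid, 0), n_procs) / n_procs
        den += w
    return num / den


def coverage_by_tactic(results: dict) -> dict:
    """Per-tactic procedural coverage, useful to see where a product is thin."""
    hit, tested = {}, {}
    for tid, (tactic, n_procs) in CATALOGUE.items():
        hit[tactic] = hit.get(tactic, 0) + min(results.get(tid, 0), n_procs)
        tested[tactic] = tested.get(tactic, 0) + n_procs
    return {tactic: hit[tactic] / tested[tactic] for tactic in tested}


if __name__ == "__main__":
    for name, res in PRODUCT_RESULTS.items():
        print(f"{name}: horizontal={horizontal_coverage(res):.2f} "
              f"weighted procedural={procedural_coverage(res):.2f} "
              f"by tactic={coverage_by_tactic(res)}")
```

The "wide" product colours every cell of the matrix yet scores lower on the weighted procedural measure, which is the distinction the article draws between horizontal coverage and protection.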

Model Evolution

Currently, we are waiting for MITRE to publish the results of a second product evaluation (called Round 2). The number of techniques and the complexity inherent in the testing of security products means that this work requires increasingly more effort. At the same time, other security solution testing companies are also working to adapt their testing and mapping to the MITRE model while emulating real attack scenarios, without the limitations outlined above. Without a doubt, there is still a long way to go in this area.

“The model will evolve to include the perspective of defenders and the systematisation of analyses and forms of prevention, detection and response.”

In the future, we also expect greater attention to other interesting projects (from MITRE and others) focused not only on the behaviour of opponents, but also on the cataloguing of defences to detect them systematically, as is the case of LOLBAS (Living Off the Land Binaries and Scripts). A compilation of LOLBAS techniques is available on GitHub. Another example from MITRE itself also focused on the defender’s perspective is the Cyber Analytics Repository (CAR) project: compiling analyses that can be used by defenders to detect attacks, also mapping them with the ATT&CK matrix. Therefore, the model will be extended to include the systematisation of defences, from prevention to detection and response.

AMSIext: Our Extension That Detects Malware in the Browser Memory

Innovation and Laboratory Area in ElevenPaths    8 June, 2020

The Antimalware Scan Interface (AMSI) is aimed at solving a long-standing issue in the antivirus industry: detecting what does not “touch disk”. Introduced in Windows 10, it establishes a native communication channel between the operating system and the antivirus without the need for disk writes, I/O calls, etc. That is, it connects memory with a detection system in a simple way. This is ideal for obfuscated scripts that evaluate and rebuild their malicious payload in memory and are therefore never detected on disk. That is why Microsoft already connects PowerShell and Office to AMSI, so that the memory of these processes is analysed. But what about browsers? Our extension fixes that.

Malware Evolution

At first, it was the virus: assembly code snippets concatenated to the files by modifying their entry point. Later, this technique was twisted and improved to its limits. The aim was automatic execution, reproduction, independence from “host” (malware is standalone for some time now) and to go unnoticed on the antivirus radar.

“Touching disk” seems to be the premise for infection but also a punishment, because that is when antiviruses start scanning. If the malware manages to avoid this toll, it can escape the detectors. This technique was called fileless: it seeks an ethereal formula to subsist in memory as long as possible, avoiding touching disk or delaying it as much as possible, since the disk is tightly controlled by the antivirus. Fileless techniques have improved to such an extent that Windows now has a native mechanism to mitigate them as far as possible: AMSI, a system that makes it easy to hand any in-memory information flow to the antivirus.

How AMSIext Works

Our extension connects the browser to AMSI. It transmits to the AMSI system (static) all potential scripts that pass through the browser before reaching the disk and analyses them to stop browsing if necessary. It works in two ways:

  • If it detects webpages or files with any of the following extensions in the browser: js, ps1, vbs, hta, vb, vbe, bat, cmd, jse, wsf, ws, msh, msh1, msh2, mshxml, msh1xml and msh2xml (even just a webpage pointing to one of them), the website is blocked. This means the script no longer has to touch disk before the “traditional” antivirus can detect it.
  • It adds a right-click option to quickly submit any script to AMSI.

Once sent to AMSI, Windows Defender (usually, although another antivirus can be registered) evaluates how malicious the script is. The extension does not perform the evaluation itself: it acts as an interface between the browser and AMSI, which in turn hands the content to Windows Defender.

In short, it is a very simple formula to protect ourselves from malicious scripts much earlier than usual. In case Windows Defender makes a mistake, the extension lets you create a white list of domains.
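An added illustration, not AMSIext’s own source code: the blocking decision described above as it could be written in a WebExtension background script, with the domain white list applied before the extension check. The hand-off to AMSI itself is not shown (an extension cannot call amsi.dll directly); SCRIPT_EXTENSIONS and shouldBlockUrl are names chosen for this example.

```javascript
// Added example, not AMSIext's source. Script extensions the post says are blocked.
const SCRIPT_EXTENSIONS = new Set([
  "js", "ps1", "vbs", "hta", "vb", "vbe", "bat", "cmd", "jse", "wsf",
  "ws", "msh", "msh1", "msh2", "mshxml", "msh1xml", "msh2xml",
]);

// Decide whether a request must be stopped before the script can reach the disk.
// allowlist: hostnames the user trusts when Defender gets it wrong (the post's white list).
function shouldBlockUrl(url, allowlist = new Set()) {
  let parsed;
  try { parsed = new URL(url); } catch { return false; }    // not a fetchable URL
  if (!/^https?:$/.test(parsed.protocol)) return false;     // only web navigations
  if (allowlist.has(parsed.hostname)) return false;          // white-listed domain
  // Only the last path segment decides; query string and fragment are ignored,
  // and the comparison is case-insensitive so "Invoice.PS1" is still caught.
  const file = parsed.pathname.split("/").pop();
  const dot = file.lastIndexOf(".");
  if (dot === -1) return false;
  return SCRIPT_EXTENSIONS.has(file.slice(dot + 1).toLowerCase());
}

// Wire the decision into the browser when the WebExtensions API (Firefox `browser.*`
// namespace) is present; under Node this block is simply skipped.
if (typeof browser !== "undefined" && browser.webRequest) {
  const allowlist = new Set();   // a real extension would load this from browser.storage
  browser.webRequest.onBeforeRequest.addListener(
    (details) => ({ cancel: shouldBlockUrl(details.url, allowlist) }),
    { urls: ["<all_urls>"] },
    ["blocking"],
  );
  // Right-click entry to submit a selected script or link for an AMSI scan.
  browser.contextMenus.create({
    id: "amsi-scan", title: "Submit to AMSI", contexts: ["selection", "link"],
  });
}
```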

This video explains how it works:

AMSIext is available for Chrome and Firefox. It is in beta (with many potential improvements, including the logo) and we will keep updating it.

We hope you find it useful.

Cybersecurity Weekly Briefing 30 May-5 June

ElevenPaths    5 June, 2020

Security Breach in 8Belts

vpnMentor researchers discovered in mid-April a data breach in the 8Belts language learning platform caused by an improper configuration of an Amazon Web Services S3 bucket. The breach exposed the data of more than 150,000 individual and corporate users worldwide. This data (the oldest dating back to 2017) includes private information such as names, email addresses, phone numbers, birth dates, IDs, country of residence and Skype usernames. In addition, the records also included 8Belts’ technical information that could be exploited by threat actors to gain even more access to the platform. On its website, 8Belts claims to have several large multinationals as clients, from sectors such as automotive, banking, retail and sports, some of them based in Spain.

More info: https://es.vpnmentor.com/blog/report-8belts-leak/

Expiration of Sectigo/Comodo Root Certificate

On May 30th, the root certificate “AddTrust External CA Root”, issued by Comodo CA (now Sectigo) and in operation since 2000, expired. The expiry mainly affected access to services, websites and APIs from legacy systems such as Windows XP and Internet Explorer 6, since these systems do not recognise the more recent roots “COMODO RSA CA” and “USERTrust RSA CA”. Even so, over the weekend several entities such as Namecheap or Proximus reported issues arising from the incident. The confusion was partly caused by the fact that the company apparently did not warn its users individually of the expiry, although it did publish a statement on its website. As a result, users who tried to connect to the affected websites were unable to establish secure connections, so the service could not be provided.

More info: https://support.sectigo.com/articles/Knowledge/Sectigo-AddTrust-External-CA-Root-Expiring-May-30-2020

RCE Exploit for SMBGhost Released

A proof of concept to exploit the critical flaw (CVE-2020-0796) on Microsoft’s SMBv3 protocol has been released. While PoCs to perform denial of service and privilege escalation attacks by exploiting this vulnerability had already been released, this new exploit would allow remote code execution on vulnerable systems. It is expected that in the coming days other researchers will publish a refined version of this exploit.

More info: https://github.com/chompie1337/SMBGhost_RCE_PoC

Details on Vulnerabilities in SAP Adaptive Server Enterprise

Trustwave researchers have published the details of six vulnerabilities in SAP Adaptive Server Enterprise:

  • The first critical bug (CVE-2020-6248) is an arbitrary code execution issue that would allow corruption of the Backup Server configuration file.
  • The second (CVE-2020-6252) is an information disclosure bug affecting the Cockpit component in default installations of SAP ASE on Windows.
  • The third vulnerability (CVE-2020-6241), a high-severity one, is a SQL injection in the global temporary tables handling routine that would allow standard users to connect to the server and elevate their privileges to administrator.
  • The fourth one (CVE-2020-6243), with a CVSS score of 8.0, would allow arbitrary code execution.
  • The fifth (CVE-2020-6253), a high-severity one as well, is a privilege escalation vulnerability via SQL injection in WebServices.
  • The last one (CVE-2020-6250), a medium-severity vulnerability, is a bug where cleartext passwords were found in the installation logs.

These vulnerabilities were already fixed by the company in mid-May.

More info: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/system-takeover-through-new-sap-ase-vulnerabilities/

New Version of Metamorph Banking Trojan

Bitdefender security researchers have published an analysis of a new malicious campaign by the Metamorph banking Trojan. This malware mainly targets Brazilian users, and its main attack vector is Office documents containing malicious macros, sent by email as part of phishing campaigns. In this campaign the technique used is reported to be DLL hijacking, with the aim of hiding its presence on the infected system and escalating privileges. The method forces a legitimate application to execute third-party code: the threat actors replace a legitimate DLL with one containing malicious code, so that the application loads and runs that code. In this new campaign they have abused legitimate software such as Avira, AVG, Avast, Daemon Tools, Steam and NVIDIA. This way, if any of these products requests higher privileges, the victim will not be suspicious and will consider the request legitimate. However, since their DLLs have been replaced, they will be used to steal the victim’s bank credentials or other data.

More info: https://www.bitdefender.com/files/News/CaseStudies/study/333/Bitdefender-PR-Whitepaper-Metamorfo-creat4500-en-EN-GenericUse.pdf

The Big Data and IoT applications fighting coronavirus

Olivia Brookhouse    5 June, 2020

The coronavirus pandemic has truly turned our lives upside down, changing how we work, study and interact in every way. The global health crisis has tested every government’s ability to cope with the healthcare necessities and technological requirements to control the virus and save lives. Whilst some of these applications have been put together in a few weeks, many of these technological advancements existed before these times but have never been more critical. Technologies such as Big Data, IoT and Artificial Intelligence have proved their value when they were needed most.

1. Big Data Track and Trace

Big Data has become something of a buzzword in the last few weeks as a means to combat the rapid spread of Covid-19. Since mid-March, the World Health Organization has actively spoken out about the importance of widespread testing and tracing to combat the virus. Gathering this data on a national scale is the best way to ensure the information has the most power to do good. Whilst some countries such as Germany, South Korea, Hong Kong, New Zealand and Canada mounted an early response and set up track and trace regimes, others were slower on the uptake.

These responses are often two-fold:

  • Anonymous tracking of groups of people to gain an aggregated overview of mobility patterns, and
  • Specific tracking of those with symptoms or a positive test result.

In the first scenario, using Artificial Intelligence, these systems can draw out trends in mobility data to predict possible epicenters of the virus and alert those in these areas of the possible risk.

In the second scenario, a more targeted tracking response, once you report symptoms or receive a positive test result, those who have downloaded the specific track and trace app can be identified and monitored. The app can then automatically identify those you may have come into contact with in the days preceding your contraction of the virus. This data is incredibly valuable for halting the spread of the virus, making people aware of their risk level even when they may be asymptomatic.

The UK has been criticised for its poor implementation of a nationwide track and trace system, which was only released this week, 9 weeks after lockdown began. The slow uptake in implementing some of these technologies to fight Covid-19 has been extremely detrimental.

2. AI and IoT for disease Identification

We have seen in many countries the difficulties of implementing nationwide testing. This is where companies have created innovative AI and IoT smart solutions to detect possible cases of the virus. Smart cameras with built-in facial recognition technology and temperature detection software can detect fever and possible breathing irregularities, common symptoms of the virus.

Movistar has installed temperature detection software in its retail locations to ensure safe reopening practices in the coming weeks. Smart IoT devices can also be built into PPE to identify in real time if the individual’s temperature rises above a safe level.

3. Disease treatment

Using AI algorithms and their computing power, Google’s DeepMind division has published findings to help develop treatments. Benevolent AI uses artificial intelligence systems to design drugs for severe disease treatments, and it is helping the efforts to treat coronavirus: within weeks of the outbreak, it used its predictive capabilities to suggest existing medicines that might be helpful.

4. Robotic hospital assistance

Processing patients in hospitals is a time-consuming process that can be critical. This is why hospitals around the world are taking advantage of smart robotics to fill the gaps left by staff shortages and increased admissions. In China, robots were mobilised to deliver medicine across the hospital, clean and process admittance procedures. Since robots cannot contract the virus themselves, there is no risk when they interact with patients.

5. Remote healthcare

Due to the crisis, doctors are starting to innovate their services out of necessity. Now that patients cannot be seen in person, they must be reached through other means, and this is where healthcare has had to innovate. Healthcare is a sector that has often lagged behind other sectors in terms of digitalisation due to strict regulations. For the first time for many practices, people are able to receive remote care through video conferencing and applications. These applications make use of AI-powered chat bots and diagnosis tools to get to the bottom of your condition. AI is not a threat to the medical profession; it is a doctor’s best assistant.

To keep up to date with Telefónica’s Internet of Things area, visit our website or follow us on Twitter, LinkedIn or YouTube.

#CyberSecurityPulse: Non-Headlined Technical News with RSS and Website

Innovation and Laboratory Area in ElevenPaths    4 June, 2020

#CyberSecurityPulse is a Telegram broadcast channel where we post a summary of the news we consider most interesting in the world of cybersecurity, with the particularity that the news items do not include a headline: they must be read in full to understand the message or the reflection. A contradiction in these times of rapid consumption of imprecise headlines, but perhaps more necessary than ever.

Now, #CyberSecurityPulse, after more than a year of activity with more than 3,500 subscribers, can be consumed by:

Our Telegram channel (only in Spanish): https://t.me/cybersecuritypulse

Our website (both in Spanish and English): https://cybersecuritypulse.e-paths.com

Direct RSS

For those who still use RSS in a “pure” way, CyberSecurity Pulse can be accessed through the following link: https://cybersecuritypulse.e-paths.com/en/feed

Prefer something more practical? It is also available on Feedly (an RSS reader).

Thank you for sharing and we hope you find it useful.

The Security behind Apple’s and Google’s API for Tracing COVID-19 Infections

Gonzalo Álvarez Marañón    3 June, 2020

How to stop the spread of COVID-19? At the moment, there are only partial answers. Among them, contact tracing has proven to be effective since the 19th century: identifying as quickly as possible people who might have been exposed to the virus. Unfortunately, it is a laborious and slow process that relies on face-to-face or telephone interviews and requires delicate detective work.

Aren’t we supposed to live in the 21st century? Why not use the smartphones that everyone carries in their pockets to keep track of potential infections? Let our devices keep track of contacts and, if someone is later found to be infected, automatically notify those who had been near that person.

Everyone Wants Their Own Tracing App

Driven by this idea, governments around the world embarked on a breakneck race to develop apps, services and systems for tracing infections, with greater or lesser respect for privacy.

Concerned about citizens’ rights, several research groups have developed privacy protocols, including the TraceTogether team from Singapore; the Private Automated Contact Tracing (PACT) group, led by researchers from the Massachusetts Institute of Technology (MIT) in Cambridge; and the Pan-European consortium Decentralized Privacy-Preserving Proximity Tracing (DP-3T).

Such is the number of contact tracing apps, and the confusion they generate, that MIT launched the Covid Tracing Tracker project to track the trackers. As of May 22, 25 significant automated tracing efforts worldwide had been documented, including details on what they are, how they work, and what policies and processes are in place regarding them.

Apple and Google Burst In with Their Technological Proposal for Exposure Logs

At the beginning of this tracing app fever, on April 10th Apple and Google signed an unprecedented agreement to jointly develop a Bluetooth-based tracing technology. The two rivals worked on their API with an unwavering goal: privacy first. They clashed with many governments that did not share their zealous protection of privacy, such as France or the United Kingdom, and with the Pan-European Privacy-Preserving Proximity Tracing (PEPP-PT) consortium, which advocate centralised schemes with GPS geolocation.

But all their claims fell on deaf ears: either they played according to the rules developed by Apple and Google, or they created their apps on their own. Finally, governments and public institutions had no choice but to bow to the evidence: no one can compete against the partnership of two technological giants like Apple and Google. So, on May 20th, Apple and Google announced that their API was ready for exclusive use by public health agencies and would be used in 22 countries:

«What we’ve built is not an app—rather public health agencies will incorporate the API into their own apps that people install. Our technology is designed to make these apps work better. Each user gets to decide whether or not to opt-in to Exposure Notifications; the system does not collect or use location from the device; and if a person is diagnosed with COVID-19, it is up to them whether or not to report that in the public health app. User adoption is key to success and we believe that these strong privacy protections are also the best way to encourage use of these apps»

If you have installed the latest update for their respective operating systems, you can check that support for installing apps is already available.

How the Apple and Google Exposure Notification API Works

In this presentation, Apple and Google explain how it works in a simple way:

  • Alice and Bob own an iPhone and Android phone, respectively, both with a health application using the Exposure Notification API. On Thursday, they meet sitting on a bench and chat for a while. During this time, each of their phones is transmitting totally anonymous and changing identifier beacons while collecting the identifier beacons transmitted by the other person. Their phones know that they have been in contact and store that data on the device itself, without transmitting it anywhere else.
  • A week later, Bob shows symptoms of COVID-19, goes to his medical centre and is positively diagnosed for the disease. He opens his health application, verifies his diagnosis by using the documentation from his official health care provider, and his phone uploads the last 14 days of his identifier beacons to a cloud server.
  • Later that day, Alice’s health application downloads a list of all the beacons of everyone who has recently tested positive for COVID-19. Because of her contact with Bob, Alice receives a notification informing her that she has been exposed to someone who has tested positive for COVID-19. Alice does not know that it was Bob who tested positive because no personally identifiable information was collected. However, the system knows that Alice was exposed to a COVID-19-infected person for 10 minutes on Thursday, on the basis of the strength of the Bluetooth signal between their two phones.
  • Alice follows the steps provided by the health application, which tells her what to do after exposure to COVID-19. If Alice later gets infected with COVID-19, she will follow the same steps mentioned above to alert the people she has been in contact with, allowing everyone to better control their potential exposure.

Restrictions Imposed by Apple and Google for Public Health Apps Using Their API

Do you want to use the Apple/Google Exposure Notification API in your app? You will need to follow a few restrictions if you want to get it approved:

  • Apps must be created by or for a public health agency.
  • Only one app per country is allowed, to ensure that there is no fragmentation and to promote high user adoption. However, different versions per state or province are allowed.
  • Explicit user consent is required.
  • Do not collect or use GPS location data from your phone.
  • Bluetooth beacons and keys do not reveal user identity or location.
  • User controls all data they want to share, and the decision to share it (including a positive test result).
  • People who test positive are not identified to other users, Google, or Apple.
  • Apps will only be used for exposure notification by public health authorities for COVID-19 pandemic management.
  • No other use of user data, including targeted advertising, is permitted.
  • It does not matter whether you have an Android phone or an iPhone: it works across both.

Two Major Challenges Ahead

Beyond privacy concerns, with or without Apple’s and Google’s help, these apps still face several difficult challenges that put their usefulness and necessity to the test. Two stand out:

  • Accurate proximity measurement: A key practical challenge for Bluetooth contact tracing between phones is measuring accurately how close two devices are. Bluetooth estimates the distance between devices from the strength of the signal, but that strength is affected by many factors, such as the orientation of the phone and whether the devices are indoors or outdoors. For example, if two people are standing back to back holding a smartphone in their hands, they may be detected as keeping the established social distance when they are actually touching each other. If we want to use these apps to monitor the coronavirus, we will need much better data to measure distance. At MIT’s Lincoln Laboratory, experiments are being carried out with mobile robots equipped with smartphones to improve the accuracy of distance measurement.
  • Adoption by a critical mass of citizens: Another challenge to making the system effective is ensuring that enough people download the application, at least 60% of the population. The problem is that not everyone has an iPhone or an Android smartphone. As a matter of fact, the most vulnerable groups, such as the elderly and the socially disadvantaged, have the lowest adoption rates for such devices.

Technological Mirage or Crucial Weapon in the Fight against the Virus?

Although no one doubts the effectiveness of contact tracing in curbing the spread of pandemics, these apps have been born into controversy, and criticism is heard from all sectors. There are doubts about their effectiveness, their mass adoption and their privacy guarantees. However, according to Dr Michael J. Ryan, Executive Director of the WHO Health Emergencies Programme:

«Perfection is the enemy of the good when it comes to emergency management. Speed trumps perfection … The greatest error is not to move. The greatest error is to be paralyzed by the fear of failure. If you need to be right before you move, you will never win».

The next few weeks will show whether these apps are the geek’s dream of a hyper-technological society or an essential partner in the fight against the coronavirus. At the very least, we had to try.