Categories
Internet Security

WinRAR Bug is New and Dangerous Malware


WinRAR is a popular program for extracting compressed archives. It has been around for years, and all this time it has had a hidden vulnerability: attackers can craft archives so that extracting them drops malware directly onto the Windows operating system without warning. A host of malware is already taking advantage of this newly revealed vulnerability, so if you use WinRAR, you should patch it right away. NOTE: WinRAR does not patch itself automatically; you have to update the software manually to be safe.


iOS 13.2 tips: Check these security and privacy settings today


If you are the type that is security conscious, here are some steps you should take to lock down an iPhone running iOS 13.2 and iPad running iPadOS 13.2.

iPhones and iPads are, out of the box, quite robust and secure platforms. But with a few tweaks you can harden that security dramatically without adding too much burden to your day-to-day use of the device.

#1: Block apps from having Bluetooth access

After you install iOS 13 you might find a whole swathe of apps such as Facebook asking you for permission to transmit data over Bluetooth. You can either allow or deny access when the prompts are displayed, or you can head over to Settings > Privacy > Bluetooth and make the changes there.

Note that this doesn’t affect audio streaming to headphones and speakers.

#2: Set brute-force protection

iOS has built-in brute-force protection to prevent an unauthorized user from trying to guess your passcodes.

Go to Settings > Face ID & Passcode (or Touch ID & Passcode on older iPhones), enter your existing passcode, and scroll down to Erase Data.

After 10 attempts (toward the end there will be a time lockout to slow down the entry process), the encryption key will be deleted and your data wiped.

#3: Make sure iOS automatic updates are enabled

iOS 13 has the ability to keep itself updated automatically, which is a great way to make sure that your iPhone is fully patched.

This should be set up automatically, but you can check it by going to Settings > General > Software Update and making sure Automatic Updates is enabled.

#4: Find your devices

iOS 13 has a cool new app called Find My which you can use to locate your friends and family, share your location, or find a missing device.

This app has two cool features, one is Enable Offline Finding that helps you find lost devices that aren’t connected to Wi-Fi or Bluetooth. The other is Send Last Location, which sends the device’s location to Apple when the battery is low.

#5: Control what Touch ID/Face ID is used to authenticate

Do you want the convenience of Face ID or Touch ID, or would you rather have the additional protection that entering your passcode offers? iOS 13 allows you to switch Face ID/Touch ID on and off for:

iPhone Unlock
iTunes and App Store
Apple Pay
Password AutoFill

Go to Settings > Face ID & Passcode (or Touch ID & Passcode on older iPhones), and enter your existing passcode to take control of this.

source: ZDNet


Major Airport Malware Attack Shines a Light on OT Security


A cryptomining infection managed to spread to half of all workstations at a major international airport in Europe – shining a spotlight on security for operational tech and IT convergence.

Researchers at Cyberbit found the XMRig Monero mining malware, which was a known strain called “Playerz,” but which skated by antivirus solutions on the endpoints by adding a new tweak.

The malware “was modified just enough to evade the vast majority of existing signatures for it” according to Meir Brown, head of research at Cyberbit, adding that it was detected by only 16 out of 73 detection products on VirusTotal.

“The modification was really simple: the MD5 was modified, however, the attacker kept the use of the original tools and even the original file names…which is an indication of simple modification, nevertheless this was sufficient to evade most AV products,” he told Threatpost.

The malicious mining activity also raised no red flags with airport personnel, according to an analysis posted this week by the firm.

“Its business impact was relatively minor, limited to performance degradations leading to quality of service and service interruptions, as well as a significant increase in power consumption throughout the airport,” the analysis noted. “The malware may have been used for months.”

This is the advantage of cryptomining for financially motivated threat actors, according to Brown: Persistence.

“We see growing usage of cryptominers in recent attacks and we see a trend to switch from ransomware to mining,” he told Threatpost. “Since ransomware attacks are more visible by nature they tend to ‘burn down’ faster. In this specific attack the malware was active for months without any indication.”

Cyberbit was tipped off to the presence of the malware while installing a security solution at the location. It observed the PAExec tool being used, which is a legitimate service used for running Windows programs on remote systems without having to physically install software on those systems. The suspicious part was that it was used several times in a short period to launch an application named player.exe.

Further, once up and running, player.exe was seen using reflective DLL loading, which the firm said is a technique for remotely injecting a DLL library into a process without using the Windows loader, thus avoiding having to access the hard drive. In short, it was clear that a remote user was attempting to stealthily access the network – multiple times.

Further digging uncovered that PAExec was being used to escalate privileges and execute the coinminer in system mode, so the miner would take priority over any other application for the use of workstation resources. Then, the reflective DLL technique was employed to load additional DLLs from memory for the cryptocurrency miner, meaning that “the file is not fetched from the hard drive and would not go through file-based detection systems like AV and most NGAV systems,” according to Cyberbit.

While in this case the attackers were looking to mine Monero cryptocurrency, the fact they were able to infiltrate the network remotely and spread laterally to 50 percent of all workstations – while remaining hidden – is alarming, Brown said – especially given the unique security issues and threat surfaces present at airports.

“With the increased convergence of IT and OT networks, we strongly urge airports to also ramp up the protection of their OT network, which is used to control physical airport systems,” the firm concluded.

source: Threatpost


Five sources to find malware samples for testing.


In this article, we will list five sources where you can find malware samples for testing.

Usually, malware researchers search for malware samples, analyze them statically or dynamically, and build defenses (for example, YARA rules driven from Python) to detect similar malware.

Those interested in analyzing malware samples can grab samples for testing by visiting the following sources:

ANY.RUN

ANY.RUN is a malware analysis service that provides a collection of tools for malware researchers to analyze malware samples and even generate reports. You can retrieve malware samples submitted by other researchers to analyze.

Das Malwerk

You can also download malware samples from Das Malwerk. Unlike ANY.RUN, Das Malwerk does not provide a service or tools for analyzing malware samples on its platform.

Thus, you need to have a pre-built malware lab to test those samples. If you download malware samples from Das Malwerk, you do so at your own risk.

Objective-See

If you are a malware researcher looking for Mac-based malware samples to test, you can find some at Objective-See.

Again, you download malware samples from Objective-See at your own risk.

theZoo

theZoo provides a repository of malware samples for malware researchers via GitHub.

Hybrid Analysis

Hybrid Analysis is a free malware analysis service for the community that detects and analyzes unknown threats using a unique Hybrid Analysis technology.

You can collect malware samples from Hybrid Analysis too.

Source: Michael


Microsoft Warns of a New Rare Fileless Malware Hijacking Windows Computers


There’s a new strain of malware making rounds on the Internet that has already infected thousands of computers worldwide and most likely, your antivirus program would not be able to detect it.

Why? That’s because, first, it’s an advanced fileless malware and second, it leverages only legitimate built-in system utilities and third-party tools to extend its functionality and compromise computers, rather than using any malicious piece of code.

The technique of bringing its own legitimate tools is effective and has rarely been spotted in the wild, helping attackers to blend in their malicious activities with regular network activity or system administration tasks while leaving fewer footprints.

Independently discovered by cybersecurity researchers at Microsoft and Cisco Talos, the malware — dubbed “Nodersok” and “Divergent” — is primarily being distributed via malicious online advertisements and infecting users using a drive-by download attack.

First spotted in mid-July this year, the malware has been designed to turn infected Windows computers into proxies, which according to Microsoft, can then be used by attackers as a relay to hide malicious traffic; while Cisco Talos believes the proxies are used for click-fraud to generate revenue for attackers.

The infection begins when malicious ads drop an HTML Application (HTA) file on the user’s computer, which, when clicked, executes a series of JavaScript payloads and PowerShell scripts that eventually download and install the Nodersok malware.

“All of the relevant functionalities reside in scripts and shellcodes that are almost always coming in encrypted, are then decrypted, and run while only in memory. No malicious executable is ever written to the disk,” Microsoft explains.

At last, the malware drops the final JavaScript payload written for the Node.js framework that converts the compromised system into a proxy.

Nodersok Infected Thousands of Windows Users

According to Microsoft, the Nodersok malware has already infected thousands of machines in the past several weeks, with most targets located in the United States and Europe.

While the malware primarily targets Windows home users, researchers have seen roughly 3% of attacks targeting organizations in industry sectors including education, healthcare, finance, retail, and business and professional services.

Since the malware campaign employs advanced fileless techniques and relies on elusive network infrastructure by making use of legit tools, the attack campaign flew under the radar, making it harder for traditional signature-based antivirus programs to detect it.

However, the company says that the malware’s “behavior produced a visible footprint that stands out clearly for anyone who knows where to look.”

In July this year, Microsoft also discovered and reported another fileless malware campaign, dubbed Astaroth, that was designed to steal users’ sensitive information, without dropping any executable file on the disk or installing any software on the victim’s machine.

Microsoft said its Windows Defender ATP next-generation protection detects these fileless malware attacks at each infection stage by spotting anomalous and malicious behaviors, such as the execution of scripts and tools.
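The airport coinminer and Nodersok write-ups above both describe behaviour that shows up in process-creation telemetry even when nothing malicious is written to disk. The following added example, which is not Cyberbit's or Microsoft's code, runs two such detections over constructed events: a burst of launches of the same program by a remote-execution service (PAExec's service process, assumed here to be named paexesvc.exe) and a node.exe whose ancestry passes through powershell.exe and the HTA host (assumed to be mshta.exe).

```python
"""Two behaviour-based detections over process-creation events. Added example;
the event format and every event below are constructed, not real telemetry."""
from collections import defaultdict
from datetime import datetime

# Constructed events: (timestamp, host, pid, ppid, image, parent_image).
EVENTS = [
    ("2019-10-15T08:00:00", "WS-01", 1201, 700, "player.exe", "paexesvc.exe"),
    ("2019-10-15T08:01:00", "WS-01", 1205, 700, "player.exe", "paexesvc.exe"),
    ("2019-10-15T08:02:30", "WS-01", 1210, 700, "player.exe", "paexesvc.exe"),
    ("2019-10-15T08:03:10", "WS-01", 1222, 700, "player.exe", "paexesvc.exe"),
    ("2019-10-15T09:00:00", "WS-02", 2001, 700, "player.exe", "paexesvc.exe"),  # one-off, not a burst
    ("2019-10-15T10:00:00", "PC-07", 3000, 1, "explorer.exe", "userinit.exe"),
    ("2019-10-15T10:05:00", "PC-07", 3100, 3000, "mshta.exe", "explorer.exe"),
    ("2019-10-15T10:05:02", "PC-07", 3200, 3100, "powershell.exe", "mshta.exe"),
    ("2019-10-15T10:05:09", "PC-07", 3300, 3200, "node.exe", "powershell.exe"),
    ("2019-10-15T11:00:00", "PC-08", 4100, 4000, "node.exe", "cmd.exe"),  # developer shell, benign
]

def remote_exec_bursts(events, tool="paexesvc.exe", window_s=300, threshold=3):
    """Alert when `tool` (assumed PAExec service name) starts the same child image
    `threshold` or more times within `window_s` seconds on one host."""
    launches = defaultdict(list)
    for ts, host, _pid, _ppid, image, parent in events:
        if parent.lower() == tool:
            launches[(host, image.lower())].append(datetime.fromisoformat(ts))
    alerts = []
    for (host, image), times in launches.items():
        times.sort()
        for i in range(len(times)):                      # sliding window from each launch
            j = i
            while j + 1 < len(times) and (times[j + 1] - times[i]).total_seconds() <= window_s:
                j += 1
            if j - i + 1 >= threshold:
                alerts.append({"host": host, "image": image, "count": j - i + 1,
                               "first": times[i].isoformat()})
                break
    return alerts

def script_to_node_chains(events, hta_host="mshta.exe"):
    """Alert on node.exe whose parent chain contains both powershell.exe and the HTA host."""
    by_pid = {(host, pid): (image.lower(), ppid) for _ts, host, pid, ppid, image, _p in events}
    alerts = []
    for _ts, host, pid, ppid, image, _parent in events:
        if image.lower() != "node.exe":
            continue
        chain, cur = ["node.exe"], (host, ppid)
        while cur in by_pid and len(chain) < 10:        # walk up until the parent is unknown
            img, grandparent = by_pid[cur]
            chain.append(img)
            cur = (host, grandparent)
        if "powershell.exe" in chain and hta_host in chain:
            alerts.append({"host": host, "pid": pid, "chain": " <- ".join(chain)})
    return alerts

if __name__ == "__main__":
    for alert in remote_exec_bursts(EVENTS) + script_to_node_chains(EVENTS):
        print(alert)
```

The burst rule would not have caught the reflective DLL loading itself (that never appears as a process event); it catches the repeated remote launches that Cyberbit noticed first.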


How to set up a malware lab to analyze malware samples


In this article, we will look at how to set up a lab to test or analyze malware samples statically.

Although REMnux recommends that malware analysts use its own toolkit to reverse engineer malware, we will use another tool for reverse engineering.

We will use the REMnux Linux distribution (based on Ubuntu) to set up the malware lab.

With REMnux, we can:

  • Examine properties and contents of suspicious files
  • Investigate Linux and Windows malware
  • Examine browser malware
  • Analyze malicious document files

You can make use of the following steps to set up a malware lab:

Step 1:

You need to have VMware on your Windows machine or VirtualBox on your Linux machine.

Step 2:

Once you have downloaded and installed VMware or VirtualBox, you can perform the following steps to install REMnux and get it working.

If you are installing REMnux via VMware, follow these instructions:

(i) Open VMware and click on “Open a virtual machine” as shown below:

(ii) Afterwards, browse to the downloaded REMnux OVA file and select it, as shown below:

(iii) Choose a suitable name for the virtual machine and a storage path:

(iv) Click on the Import button to import the new virtual machine.

(v) Finally, power on the new virtual machine to start REMnux, as shown in the screenshot below:

Now we have successfully set up a lab to statically analyze malware samples.

In our next article, we will look at how to make the test lab air-tight before we test malware samples.

Author: Michael


Introduction to Linux Malware Analysis (PART 2) : Object File and Executable/Binary file


In our previous article, we looked at the different phases of gcc compilation and the different types of output generated by the gcc compiler.

In this article we will examine the contents of both object and binary/executable files and the difference between static and dynamic libraries.

Object File:

An object file contains machine code (instructions) that the processor can execute.

However, there is a bit of work to do before the processor can actually run it.

One main difference between an object file and a binary file is that, in the object file, references to both static and dynamic libraries are not yet resolved.

These references are not resolved because each source file is compiled (and assembled) independently of the others.

We can view the different sections of an object file using the objdump tool.

Usage: objdump <option(s)> <file(s)>
 Display information from object <file(s)>.

The objdump tool can be used to disassemble a binary/executable file as well as extract a section from an object file.

The following command simply instructs objdump to show the read-only data section of the object file (in ELF format):

objdump -sj .rodata example.o

example.o:  file format elf64-x86-64
Contents of section .rodata: 

0000 48656c6c 6f2c2077 6f726c64 2100  Hello, world!.

The .rodata section stores read-only data such as constant values and string literals. Inside this .rodata section we have the string "Hello, world!" (the trailing 00 byte is its NUL terminator, shown as "." in the dump).

We can also use the objdump tool to disassemble all the code in an object file in Intel syntax, as shown below:

objdump -M intel -d example.o

example.o:  file format elf64-x86-64

Disassembly of section .text:

0000000000000000 <main>:
   0:   55                      push   rbp
   1:   48 89 e5                mov    rbp,rsp
   4:   48 83 ec 10             sub    rsp,0x10
   8:   89 7d fc                mov    DWORD PTR [rbp-0x4],edi
   b:   48 89 75 f0             mov    QWORD PTR [rbp-0x10],rsi
   f:   bf 00 00 00 00          mov    edi,0x0
  14:   e8 00 00 00 00          call   19 <main+0x19>
  19:   b8 00 00 00 00          mov    eax,0x0
  1e:   c9                      leave
  1f:   c3                      ret

As you can see, it has only one function, main. Note that the call target and the address loaded into edi are still 0x0: these are the unresolved references mentioned above, which the linker fills in later. You can check Wikipedia for in-depth information on assembly language.

Binary File:

The linker (or link editor) is responsible for relocating and linking all object files to specific memory addresses. This process creates a binary executable file.

In a binary file, symbolic references to static libraries are resolved, whilst references to dynamic libraries are resolved at runtime, when the binary file is loaded into memory.

The following command disassembles a binary file with objdump tool:

objdump -M intel -d a.out

a.out:     file format elf64-x86-64

Disassembly of section .init:

0000000000001000 <_init>:
    1000:   48 83 ec 08             sub    rsp,0x8
    1004:   48 8b 05 dd 2f 00 00    mov    rax,QWORD PTR [rip+0x2fdd]        # 3fe8 <__gmon_start__>
    100b:   48 85 c0                test   rax,rax
    100e:   74 02                   je     1012 <_init+0x12>
    1010:   ff d0                   call   rax
    1012:   48 83 c4 08             add    rsp,0x8
    1016:   c3                      ret

Disassembly of section .fini:

00000000000011c4 <_fini>:
    11c4:   48 83 ec 08             sub    rsp,0x8
    11c8:   48 83 c4 08             add    rsp,0x8
    11cc:   c3                      ret

This is not the complete content of the disassembled binary. As you can see, there are more sections in a binary file than in an object file.

We will need these sections to do a static analysis of an infected file.

In our next article, we will learn how to examine an infected file via the static analysis method.
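To see what objdump actually reads when it lists sections or dumps .rodata, here is an added example (not part of this article or of binutils) that parses ELF64 headers directly in Python: it reports whether the file is a relocatable object or a linked binary, lists its sections, and hex-dumps .rodata in the style of objdump -s. The build_minimal_object helper constructs a tiny sample object file so the script runs without a compiler; pass a real path (an example.o or a.out) as the first argument to inspect that instead.

```python
"""Minimal ELF64 section reader. Added example; uses only the Python standard library."""
import struct
import sys

ELF_TYPES = {1: "REL (relocatable object file)", 2: "EXEC (executable)", 3: "DYN (shared object / PIE)"}
SHT_NOBITS = 8  # section occupies no file bytes (e.g. .bss), so there is nothing to dump

def parse_elf64(data: bytes) -> dict:
    """Return the ELF type, the section names and the raw bytes of .rodata (b'' if absent)."""
    if data[:4] != b"\x7fELF" or data[4] != 2:
        raise ValueError("not an ELF64 file")
    end = "<" if data[5] == 1 else ">"          # EI_DATA: 1 = little-endian, 2 = big-endian
    # ELF header: e_ident, e_type, e_machine, e_version, e_entry, e_phoff, e_shoff,
    # e_flags, e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    hdr = struct.unpack_from(end + "16sHHIQQQIHHHHHH", data, 0)
    e_type, e_shoff, e_shentsize, e_shnum, e_shstrndx = hdr[1], hdr[6], hdr[11], hdr[12], hdr[13]
    # Section header: sh_name, sh_type, sh_flags, sh_addr, sh_offset, sh_size, link, info, align, entsize
    shdrs = [struct.unpack_from(end + "IIQQQQIIQQ", data, e_shoff + i * e_shentsize)
             for i in range(e_shnum)]
    # Section names are offsets into the section-header string table (.shstrtab).
    strtab_off, strtab_size = shdrs[e_shstrndx][4], shdrs[e_shstrndx][5]
    names = data[strtab_off:strtab_off + strtab_size]
    sections, rodata = [], b""
    for sh_name, sh_type, _flags, _addr, sh_off, sh_size, *_ in shdrs:
        name = names[sh_name:names.index(b"\0", sh_name)].decode("ascii", "replace")
        sections.append(name)
        if name == ".rodata" and sh_type != SHT_NOBITS:
            rodata = data[sh_off:sh_off + sh_size]
    return {"type": ELF_TYPES.get(e_type, f"unknown ({e_type})"), "sections": sections, "rodata": rodata}

def hexdump(raw: bytes) -> list:
    """Format bytes the way `objdump -s` does: offset, four 4-byte groups, then ASCII."""
    lines = []
    for off in range(0, len(raw), 16):
        chunk = raw[off:off + 16]
        groups = " ".join(chunk[i:i + 4].hex() for i in range(0, len(chunk), 4))
        printable = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:04x} {groups.ljust(35)}  {printable}")
    return lines

def build_minimal_object() -> bytes:
    """Constructed sample: a tiny little-endian x86-64 relocatable ELF with only .rodata and .shstrtab."""
    rodata = b"Hello, world!\0"
    shstrtab = b"\0.rodata\0.shstrtab\0"                # name offsets: .rodata = 1, .shstrtab = 9
    shoff = 64 + len(rodata) + len(shstrtab)          # section headers follow the section data
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8   # ELFCLASS64, little-endian, EV_CURRENT
    # e_type=1 (REL), e_machine=62 (x86-64), no program headers, 3 section headers, shstrndx=2
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", ident, 1, 62, 1, 0, 0, shoff, 0, 64, 0, 0, 64, 3, 2)
    def shdr(name, typ, flags, off, size):
        return struct.pack("<IIQQQQIIQQ", name, typ, flags, 0, off, size, 0, 0, 1, 0)
    headers = (shdr(0, 0, 0, 0, 0)                                   # mandatory null section
               + shdr(1, 1, 2, 64, len(rodata))                      # .rodata: PROGBITS, ALLOC
               + shdr(9, 3, 0, 64 + len(rodata), len(shstrtab)))     # .shstrtab: STRTAB
    return ehdr + rodata + shstrtab + headers

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_minimal_object()
    info = parse_elf64(data)
    print(info["type"], "| sections:", " ".join(s for s in info["sections"] if s))
    print("\n".join(hexdump(info["rodata"])))
```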

Categories
Internet Security Uncategorized

Time to Install apt-transport-https !!!


The apt-get utility has a flaw that can be exploited by a remote man-in-the-middle attacker to compromise Linux machines.

The flaw once again demonstrates that if the software download ecosystem used HTTPS to communicate securely, such attacks could easily be mitigated in the first place.

The APT utility doesn’t properly sanitize certain parameters during HTTP redirects, allowing man-in-the-middle attackers to inject malicious content and trick the system into installing altered packages.

APT HTTP redirects help Linux machines automatically find a suitable mirror server from which to download software packages when others are unavailable.

If the first server somehow fails, it returns a response with the location of the next server from which the client should request the package.

A malicious mirror can inject malicious packages into the network traffic and execute arbitrary code on the targeted system with the highest level of privileges, i.e. root.

Since apt-get is part of many major Linux distributions, including Debian and Ubuntu, which have acknowledged the flaw and released security updates, Linux users are strongly advised to update their systems as soon as possible.
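As a defensive check tied to the post's title, the following added example (not part of APT or of any distribution's tooling) parses one-line sources.list entries, flags mirrors fetched over plain http://, and produces the https:// rewrite. It assumes the classic one-line format and that each mirror actually serves HTTPS, which you should verify before switching; the sample lines are constructed.

```python
"""Audit apt source lines for plain-HTTP mirrors and produce the HTTPS equivalent. Added example."""
import re

# One-line sources.list grammar: deb|deb-src [options] uri suite [components...]
SOURCE_RE = re.compile(
    r"^\s*(?P<type>deb|deb-src)\s+(?:\[(?P<opts>[^\]]*)\]\s+)?(?P<uri>\S+)\s+(?P<suite>\S+)(?P<rest>.*)$"
)

def parse_source_line(line: str):
    """Return (type, options, uri, suite, components), or None for blank, comment or unparseable lines."""
    body = line.split("#", 1)[0]            # drop trailing comments and commented-out entries
    m = SOURCE_RE.match(body)
    if not m:
        return None
    return m.group("type"), m.group("opts") or "", m.group("uri"), m.group("suite"), m.group("rest").split()

def audit_sources(lines):
    """Return one finding per plain-HTTP entry: its line number, the URI and the HTTPS rewrite."""
    findings = []
    for n, line in enumerate(lines, 1):
        parsed = parse_source_line(line)
        if parsed is None:
            continue
        typ, opts, uri, suite, comps = parsed
        if uri.lower().startswith("http://"):
            fixed = "https://" + uri[len("http://"):]
            parts = [typ, f"[{opts}]" if opts else "", fixed, suite, *comps]
            findings.append({"line": n, "uri": uri, "rewrite": " ".join(p for p in parts if p)})
    return findings

# Constructed sample sources.list content (not taken from a real system).
SAMPLE = [
    "deb http://deb.debian.org/debian buster main contrib",
    "# deb-src http://deb.debian.org/debian buster main",
    "deb [arch=amd64] http://security.debian.org/debian-security buster/updates main",
    "deb https://mirror.example.invalid/debian buster main",
]

if __name__ == "__main__":
    for f in audit_sources(SAMPLE):
        print(f"line {f['line']}: {f['uri']} -> {f['rewrite']}")
```

Rewriting the URIs only helps once apt-transport-https (or an apt version that bundles the HTTPS transport) is installed; the package fix for the flaw itself still has to be applied.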

source: THN


Best Encrypted Email Services for Infosec Ops


In today’s world, almost everybody wants some level of privacy. Having a certain level of privacy is deemed a “good thing” for professionals who spend most of their time online. There are several mail services claiming to be the world’s most secure email services. Some of these “encrypted email services” are not as secure and reliable as they suggest to privacy practitioners. Fortunately, our infosec team analyzed and gathered some of the best encrypted email services for infosec ops and privacy practitioners.

ProtonMail:

ProtonMail is one of the best encrypted email services you can use to secure your email communication. The service has various features that make it one of the best for keeping your communications secure and free from hackers. It uses end-to-end encryption, which means that messages are encrypted when they are sent. You can use this email service if you are interested in a secured email service. ProtonMail is based in Switzerland.

Posteo.de:

Just like Tutanota, Posteo.de is a German-based encrypted email service. Posteo has good features for its clients. Basically, clients pay about 1 euro per month to use the service. This includes access to some of the most important features of the service, such as POP3 and IMAP support. When you sign up, you do not need to provide any personal information. This feature sets Posteo.de apart from the rest.

Mailfence:

Mailfence.com is another alternative for infosec ops and privacy practitioners to consider. Mailfence, based in Belgium, is run by a Belgian firm known as ContactOffice. Mailfence offers features such as an integrated keystore, two-factor authentication, and OpenPGP (end-to-end encryption). Unfortunately, Mailfence is not accepting new registrations at the moment, but you can sign up later this year.

Virtru

Virtru is an email encryption and digital privacy company based in Washington D.C. The company was established by ex-NSA security analyst John Ackerly in 2012. Virtru provides email encryption services for Google Apps, Microsoft, and Salesforce. You can also use the free Virtru extension for Google Chrome, along with its Android and iOS apps.

Tutanota:

Tutanota is an open-source end-to-end encrypted email software and freemium hosted secure email service, just like Virtru and ProtonMail. It provides encryption for both premium and free users. In addition, it allows users to send and receive encrypted messages to and from users of regular email services.

There are other companies offering encrypted email services like Tutanota, so you are not limited to those mentioned above. But bear in mind that security is never 100%: companies offering email encryption services could also be compromised by sophisticated attacks. However, it is still considerably safer to use the services above than regular email services.

#ISA_informs

#ISA_ltd

Categories
Internet Security Mobile Phones Uncategorized

“TROJAN LOAPI” HUNTS PORNOGRAPHIC LOVERS!!!


It seems virus writers are yet to give up on developing different kinds of unpleasantness to frustrate Android users who are fond of downloading adult-rated apps and anti-virus apps onto their devices from third-party stores as well as from the Google Play Store.

A Trojan horse, or Trojan, is a kind of malware usually disguised as legitimate software. Hackers use trojans to gain access to users’ systems.

Unlike other trojans, this particular one can overheat your device as a result of the prolonged operation of the processor at maximum load. In addition, it can turn your phone into a zombie, hijack it for use in DDoS attacks against web resources, and secretly sign users up to paid services.

HOW TROJAN LOAPI OPERATES:

Users pick up the Loapi Trojan by clicking on an ad banner or by downloading a fake AV or adult-content app. As stated earlier, fake AV and adult-content apps are the common vehicles Loapi uses to gain access to users’ devices.

After installation of the fake app, Loapi asks for administrator rights. The notification asking the user to grant Loapi administrator rights keeps appearing on the device screen until the user finally accepts.

If the user later tries to revoke Loapi’s administrator rights, it locks the screen and closes the settings window.

Furthermore, if the user tries to download apps to protect the device against malware and trojans, Loapi declares them to be malware and demands their removal.

Loapi relies heavily on frustrating users in order to prevent them from downloading legitimate anti-virus apps that could wipe out it and other similar trojans.

HOW TO AVOID TROJANS:

  • Deactivate installation of apps from unknown sources. In Settings, go to Security and ensure that the Unknown sources checkbox is not selected.
  • Get a reliable and proven AV for Android and scan your device with it regularly, even if you only install apps from the Google Play Store. Doing so adds another layer of security.
