Monthly Archives: May 2017

A Nation State-Looking Cyberattack that Wasn’t

Symantec researchers uncover a cybercrime campaign with all the hallmarks of a state-sponsored campaign that didn’t even make much money for the attackers.

Cybercriminals—like other criminals—have a penchant for going after low-hanging fruit. Few bother using sophisticated tools or exploits to break into systems if easier options are available.

It is rare therefore to find a malicious attacker taking the exact opposite approach, as security researchers at Symantec recently discovered when chasing down a targeted attack that was flagged by the company’s automated notification system. The attack, on a Chinese automotive supplier’s website, involved the use of surprisingly sophisticated tools and targeting and techniques for what Symantec later discovered were relatively meager gains.

“Going into this investigation, we thought there was a good chance this would be associated with a nation-state attacker,” Symantec senior threat analyst Jon DiMaggio said in a blog. What the researchers uncovered instead was a campaign by a small parts shop in Moldova to steal and sell automotive diagnostic software that sells legally, new, for less than $1,100.

According to DiMaggio, Symantec’s investigation started when the company’s attack notification system discovered a custom keylogger along with two suspicious files back in March 2016. Symantec’s analysis of the malware confirmed a new backdoor Trojan, which it dubbed Bachosens. The malware, once dropped on a system, created several files, which were designed to look like a legitimate Java application on the victim computer, in order to avoid detection.

One interesting aspect of the attack was the backdoor’s use of a domain generation algorithm (DGA) to ensure that the command and control server with which it communicated would change based on the current date.

Attackers often use a DGA, instead of a fixed IP address or domain, to make it harder for defenders to find and shut down their infrastructure. Some malware families generate thousands of domains this way. Bachosens, though, was designed to generate just 13 domains, DiMaggio said in the blog.

Symantec researchers had another surprise when looking into how the malware communicated with its command and control server. Unlike typical malware, which uses HTTP or HTTPS to talk to its control server, Bachosens used DNS as its primary channel.

The author of the malware designed it to use DNS queries to establish contact with the C&C server. It then used instructions encoded in the AAAA records of the server’s DNS responses to establish a covert communication channel between the victim computer and the C&C.

An AAAA record is the DNS record type that carries a 128-bit IPv6 address, DiMaggio told Dark Reading. “Since this communication method is not intended for anything other than transmitting various records used to translate names to numbers, it is rare and a difficult task to use these records as a covert communication method to the adversary’s infrastructure,” he says.

Bachosens’ use of encryption and of DNS records for communicating with the attackers’ infrastructure made the traffic appear legitimate. “This shows the attacker was cognizant of how detection works and had the ability to code malware in a way that would be more complex and difficult to detect,” DiMaggio says.
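To make the AAAA channel concrete, here is an added example that is not Symantec’s analysis or Bachosens’ actual encoding: a toy scheme that smuggles a payload out in 16-byte chunks, one per AAAA answer, the client-side reassembly, and the cheapest defender-side sanity check, namely whether the “addresses” fall in the space IANA actually allocates for global unicast (2000::/3). The command string and the function names are constructed for illustration.

```c
#include <netinet/in.h>
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* An AAAA record's RDATA is exactly 16 octets: one 128-bit IPv6 address. */
#define AAAA_LEN 16

/*
 * Attacker side (toy encoding, an assumption for illustration only): split the
 * payload into 16-byte chunks and return each chunk as an "address". The last
 * record is zero padded. Returns the number of records written.
 */
static size_t aaaa_encode(const uint8_t *data, size_t len,
                          struct in6_addr *out, size_t max_records)
{
    size_t n = 0;
    for (size_t off = 0; off < len && n < max_records; off += AAAA_LEN, n++) {
        size_t chunk = (len - off < AAAA_LEN) ? len - off : AAAA_LEN;
        memset(&out[n], 0, sizeof out[n]);
        memcpy(out[n].s6_addr, data + off, chunk);
    }
    return n;
}

/* Implant side: concatenate the answers back into a payload buffer. */
static size_t aaaa_decode(const struct in6_addr *recs, size_t n,
                          uint8_t *out, size_t out_len)
{
    size_t written = 0;
    for (size_t i = 0; i < n && written + AAAA_LEN <= out_len; i++, written += AAAA_LEN)
        memcpy(out + written, recs[i].s6_addr, AAAA_LEN);
    return written;
}

/*
 * Defender side: IANA currently hands out global unicast space only from
 * 2000::/3 (top three bits 001). An AAAA answer for a public name that is
 * neither in that range nor a loopback/link-local/ULA address a site might
 * legitimately publish is unroutable, and a client that keeps "using" such
 * answers deserves a closer look.
 */
static int aaaa_is_global_unicast(const struct in6_addr *a)
{
    return (a->s6_addr[0] & 0xe0) == 0x20;
}

static int aaaa_is_site_scoped(const struct in6_addr *a)
{
    static const struct in6_addr loopback = IN6ADDR_LOOPBACK_INIT;
    return (a->s6_addr[0] & 0xfe) == 0xfc                              /* fc00::/7 ULA */
        || (a->s6_addr[0] == 0xfe && (a->s6_addr[1] & 0xc0) == 0x80)  /* fe80::/10 */
        || memcmp(a, &loopback, sizeof loopback) == 0;
}

/* Count answers in one response that fit neither legitimate category. */
static size_t aaaa_count_suspicious(const struct in6_addr *recs, size_t n)
{
    size_t bad = 0;
    for (size_t i = 0; i < n; i++)
        if (!aaaa_is_global_unicast(&recs[i]) && !aaaa_is_site_scoped(&recs[i]))
            bad++;
    return bad;
}

int main(void)
{
    /* Constructed "C2 instruction"; nothing Bachosens is known to have sent. */
    const char *cmd = "exec:whoami;sleep:3600";
    struct in6_addr recs[8];
    size_t n = aaaa_encode((const uint8_t *)cmd, strlen(cmd), recs, 8);

    char text[INET6_ADDRSTRLEN];
    for (size_t i = 0; i < n; i++) {
        inet_ntop(AF_INET6, &recs[i], text, sizeof text);
        printf("AAAA #%zu: %-40s %s\n", i, text,
               aaaa_is_global_unicast(&recs[i]) ? "global unicast" : "NOT routable");
    }
    printf("%zu of %zu answers look like smuggled data\n",
           aaaa_count_suspicious(recs, n), n);
    return 0;
}
```

The check is deliberately weak, which is the point: ASCII letters (0x41–0x7a) never land in 2000::/3, but an attacker who chooses a first octet in 0x20–0x3f, or who keeps a real-looking /64 prefix and hides data in the low 64 bits, sails past it. Against that you are left with volume and shape: a host resolving a handful of date-dependent names and pulling back many distinct AAAA answers it never connects to.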

The only other malware to use this type of covert communication was created by the NSA-affiliated Equation espionage group, he says.

The sophistication of the techniques initially led Symantec researchers to surmise they had discovered either a corporate espionage campaign, a financially motivated attack by an organized cybercrime gang, or a nation-state attacker with a sabotage motive.

Symantec’s subsequent research, aided by some rookie mistakes on the part of the malware author, ultimately revealed that the campaign was instead targeted at stealing data about a relatively inexpensive handheld diagnostic device for automotive repair shops.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

from Dark Reading – All Stories

Hack Department of Homeland Security Act Would Bring Bug Bounty Program to DHS

Hackers will soon be able to poke holes in networks and systems belonging to the Department of Homeland Security if four senators get their way and a bill is passed that would institute a DHS bug bounty similar to programs recently implemented for the Army, Air Force and Pentagon.

The bill, known as the Hack Department of Homeland Security (DHS) Act, was introduced last Thursday.

Sen. Maggie Hassan (D-NH) sponsored the bill, which would establish a bug bounty pilot program within the DHS. Senators Rob Portman (R-OH), Claire McCaskill (D-MO), and Kamala Harris (D-CA) are listed as cosponsors, according to a site that tracks U.S. government legislation, bills, and votes.

“Federal agencies like DHS are under assault every day from cyberattacks. These attacks threaten the safety, security and privacy of millions of Americans and in order to protect DHS and the American people from these threats, the Department will need help,” Senator Hassan said in a press release issued Friday.

“The Hack DHS Act provides this help by drawing upon an untapped resource—patriotic and ethical hackers across the country who want to stop these threats before they endanger their fellow citizens. This bipartisan bill takes the first step to utilize best practices from the private sector to harness the skills of hackers across America as a force multiplier against these cyber threats. I will work with members of both parties to move this important bill forward,” Hassan said.

The bill, listed as S. 1281 in the 115th Congress, would help the DHS ensure that its website and data systems are free of unintended vulnerabilities, Hassan said. Under the bill, white hat hackers would earn money for identifying “unique and undiscovered vulnerabilities” in DHS’s networks and data systems.

Similar to the programs recently run by the U.S. Army and Air Force, hackers would have to register with the DHS and undergo a background check to verify that they are not a threat.

The bill was read twice last Thursday and referred to the Committee on Homeland Security and Governmental Affairs, which will consider it before it can go to the full Senate and then the House.

If passed, the program would follow in the footsteps of the Department of Defense’s Hack the Pentagon program, launched last April, the U.S. Army’s Hack the Army program, launched last November, and the U.S. Air Force’s Hack the Air Force program, launched just last month.

Each program has used HackerOne’s bug bounty platform to help coordinate vulnerability reports between hackers and government agencies.

The programs have largely been a success. In June last year, then-Secretary of Defense Ash Carter said the DoD had awarded roughly $75,000 to hackers as part of its Hack the Pentagon program, which yielded 138 legitimate vulnerabilities. In January the Army announced that it had paid out close to $100,000 to hackers for finding 118 vulnerabilities in public-facing websites.

“The networks and systems at DHS are vital to our nation’s security. It’s imperative that we take every step to protect DHS from the many cyber attacks they face every day,” said Sen. Portman. “One step to do that is using an important tool from the private sector: incentivizing ethical hackers to find vulnerabilities before others do.”

from Threatpost – English – Global – thr…

Google Arms Gmail Security with Machine Learning

Google rolls out four security updates to protect enterprise Gmail accounts from phishing, data loss, and other threats.

Google is adding four new security measures to protect Gmail business users from spam, phishing, data loss, ransomware, and other workplace security threats.

“Email attacks are constantly evolving, and the email attack vector is by far the preferred way for attackers to gain access to enterprise data,” says Gmail product manager Sri Somanchi. “We see all kinds of attacks, including phishing, malware, and ransomware attacks.”

Machine learning is a common theme in today’s updates. Google reports that about 50-70% of the messages Gmail receives are spam, and machine learning helps block it with over 99.9% accuracy. The new early phishing detection feature uses a machine learning model to selectively delay delivery of suspicious messages so they can be analyzed for phishing before they reach the inbox.

The system learns by comparing genuine messages with a similar pool of fake emails, Somanchi explains. It tracks attributes of each message to find details that differentiate suspicious from legitimate mails, and uses those indicators to perform future phishing checks.

Gmail’s phishing detection models integrate with Google Safe Browsing, which uses machine learning to detect phishing URLs. The two systems combine techniques such as URL reputation and similarity analysis to produce click-time warnings for links to malware or phishing pages, and they adapt as they find new patterns, with the aim of improving accuracy over time.

Unintended external reply warnings are intended to help users think twice before sending sensitive data to third parties. If someone tries to respond to someone outside the company domain, they see a warning to verify whether they intended to send that email.

“Using forged emails to target enterprise users to reply with sensitive data has become an increasingly common phishing scam,” Somanchi says.

Contextual intelligence determines whether the recipient is an existing or regular contact, so warnings are not displayed unnecessarily. Given the potentially severe consequences of phishing attacks, he continues, the warnings are enabled by default and can only be disabled by an administrator.

Google notes that it has also implemented defenses against ransomware and polymorphic malware.

“We correlate spam signals with attachment and sender heuristics, to predict messages containing new and unseen malware variants,” Somanchi explains. “These protections enable Gmail to better protect our users from zero-day threats, ransomware and polymorphic malware.”

All of these features will be available to enterprise users over the next one to three days. All are also available to consumers, with the exception of unintended external reply warnings.

Today’s rollout arrives nearly one month after a Google Docs phishing attack hit more than one million users. Victims were tricked into clicking a link that granted a malicious third-party app access to their Google account through an OAuth authorization prompt, giving the attacker permission to act on behalf of that account without ever learning the password.

It also follows Google’s February publication of data highlighting security threats putting organizations at risk. Research found attackers send 4.3 times more malware, 6.2 times more phishing emails, and 0.4 times as much spam, to corporate inboxes than to personal email addresses.

Kelly Sheridan is Associate Editor at Dark Reading. She started her career in business tech journalism at Insurance & Technology and most recently reported for InformationWeek, where she covered Microsoft and business IT. Sheridan earned her BA at Villanova University.

from Dark Reading – All Stories

Cybersecurity Insurance Lacking at 50% of US Companies

While half of US security professionals say their companies passed on cybersecurity insurance, the figure is far higher in healthcare, according to a survey released today.

Cybersecurity is ramping up attention across corporate America, but only 50% of US security professionals surveyed say their organizations have signed up with an insurer, according to a study released today by FICO.

Future plans for purchasing cybersecurity insurance in the US also remain grim, according to the survey, which included 350 security executives from across the globe, including the US, Canada, the UK, and the Nordics. The survey found that 27% of InfoSec pros in the US report that their organizations have no plans to sign up for cybersecurity insurance.

Meanwhile, although 61% of survey respondents expect the level of attempted breaches to rise next year, only 16% of US companies have cybersecurity insurance that covers all risks, the survey found.

In the healthcare industry, the situation is far more stark: 74% of healthcare security professionals say their organizations do not carry cybersecurity insurance, and none of those healthcare organizations have insurance that would span all cybersecurity risks.

Read more about the FICO study here. (Registration required)

from Dark Reading – All Stories

The Case for Disclosing Insider Breaches

Too often organizations try to sweep intentional, accidental or negligent employee theft of data under the rug. Here’s why they shouldn’t.

Stolen credentials are often the entry point attackers use to reach sensitive data, and the first culprit that comes to mind is usually a cyber activist with an ax to grind or a state-sponsored crime ring bent on financial gain or IP theft. But executives would do well to recognize that their own employees can play a significant role in compromising their organizations’ cybersecurity. Insider threats, whether accidental and inadvertent or deliberate and malicious, are becoming increasingly common as technology evolves rapidly and employee education struggles to keep pace.

We rarely see accurate data regarding the scope of the problem when it comes to accidental or negligent employee insider threats. And unfortunately, organizations often try to sweep these breaches under the rug. As a CISO, I can sympathize with many organizations’ hesitation to include full breach details. Here’s why:

  • It will tarnish their brand. Companies want their customers to trust them, especially as they are the keepers of more customer data than ever before. A breach can seriously erode that trust and get customers thinking twice before they buy next time.
  • It’s expensive, and embarrassing. Regardless of fault, many companies feel a breach reflects a failure on their part, and revealing the details may open them up to further questions about their practices and policies. Cleaning up after a breach can also be very costly.
  • They aren’t required to disclose the breach. Right now there is a patchwork of breach notification laws that vary by state, industry and breach type. However, with emerging regulations such as the GDPR, we can expect to see a change.

These are all valid concerns. And although on the surface the consequences seem to greatly outweigh the benefits, hear me out…

I think organizations should seek to help one another by fully (or at least to the furthest extent possible) disclosing insider breaches whether they are malicious or inadvertent. This would help organizations better understand their adversaries and demonstrate where they need to focus cybersecurity training and education efforts.

Not convinced?

During the summer and fall of 2016, a DuPont employee copied and removed thousands of files containing DuPont’s proprietary information, including formulas, data, and customer information. Shortly after, the employee announced his retirement while simultaneously opening his own consulting business. Prior to his exit, another DuPont employee caught him taking photos of DuPont’s equipment with his personal phone. Without going into too much detail, the incident was reported up the management chain and escalated from there. DuPont brought the alleged theft to the FBI and disclosed all the information it had gathered up to that point.

The employee had been at DuPont for 27 years. This could have seriously damaged DuPont’s reputation had the company not taken the appropriate approach. DuPont had the ability to quickly and quietly sweep the incident under the rug. Instead, the company gathered as much information as it could, reported the insider to the authorities, and demonstrated that it is very possible for other organizations to do the same.

I applaud DuPont’s approach and will use this example to break down the advantages of disclosing insider breaches:

  • You get in front of the story (and the backlash). Suppose DuPont decided to keep this information to themselves. There is a good chance that eventually someone, somewhere would have figured it out. Instead, they were direct and upfront about the incident.
  • It enables companies to band together. We learn from each other’s mistakes! I have no doubt that organizations caught wind of DuPont’s approach and trained their employees on spotting insider threats. If it had been due to negligence or an inadvertent mistake, this would have also been a teachable moment.
  • There’s data for developing mitigation strategies. This can help inform an organization, or even best practices within an entire industry. Data can help reveal where the threats are and the scope and size of the problem.

So, the real question is, will organizations’ mentality ever change? When will they begin to realize the benefits of disclosing breaches to help one another out and work toward the greater good?

In highly regulated industries, we are beginning to see change. As regulations around data become more prevalent (as we are seeing in the EU and beyond), publicly traded companies will be required to explain how breaches occurred in a fully developed breach report. It is the smaller and self-contained industries and businesses that we will continue to rarely hear about; they tend to keep incident details confidential and clean up in-house.

Insider threats are some of the most serious threats a company can face. By disclosing and sharing the comprehensive data we collect on real-world incidents, we can better educate employees, reduce the success of malicious actors and build more secure environments and stronger overall organizations. 

With 15-plus years of leadership experience implementing vendor security risk and assessment programs for startups and Fortune 500 companies, Jackson defines the security road map for SecureAuth’s suite of adaptive authentication and IS solutions. Prior to joining SecureAuth, …

from Dark Reading – All Stories

Patches Available for Linux Sudo Vulnerability

Red Hat, Debian and other Linux distributions yesterday pushed out patches for a high-severity vulnerability in sudo that could be abused by a local attacker to gain root privileges.

Sudo is a program for Linux and UNIX systems that allows standard users to run specific commands as a superuser, such as adding users or performing system updates.

In this case, researchers at Qualys found a vulnerability in sudo’s get_process_ttyname() function that allows a local user who already holds some sudo privileges, even for a single command that does not itself grant root, to escalate to full root.

An alert on the sudo project website says SELinux must be enabled and sudo built with SELinux support for the vulnerability to be triggered. Sudo 1.8.6p7 through 1.8.20 are affected. Users should update to 1.8.20p1, or to their distribution’s patched package, which may keep an older version string while carrying the fix.

“On Linux systems, sudo parses the /proc/[pid]/stat file to determine the device number of the process’s tty (field 7). The fields in the file are space-delimited, but it is possible for the command name (field 2) to include white space (including newline), which sudo does not account for,” the sudo advisory said. “A user with sudo privileges can cause sudo to use a device number of the user’s choosing by creating a symbolic link from the sudo binary to a name that contains a space, followed by a number.”
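The parsing flaw the advisory describes, as an added example that is not sudo’s code: a parser that takes the seventh space-delimited token of /proc/[pid]/stat, beside one that anchors on the last closing parenthesis, since comm is the only field that can contain arbitrary bytes and the only one wrapped in parentheses. Both stat lines are constructed; the symlink name (five spaces followed by a number) is chosen to line up with this toy parser’s space count, and tty_nr 34816 is simply /dev/pts/0.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* /proc/[pid]/stat: field 1 pid, field 2 "(comm)", field 3 state, field 4 ppid,
 * field 5 pgrp, field 6 session, field 7 tty_nr (device number of the controlling tty). */
#define STAT_TTY_FIELD 7

/* Constructed sample lines, trailing fields abbreviated.
 * A normal sudo process on /dev/pts/0: tty_nr 34816 = makedev(136, 0). */
static const char STAT_BENIGN[] =
    "4242 (sudo) S 4100 4242 4242 34816 4242 4194560 0 0 0 0 0 0 0 0 20 0 1 0";
/* The same process started through a symlink to sudo named "     4321" (five
 * spaces, then digits). The kernel copies up to 15 bytes of the basename into
 * comm verbatim, so the spaces land inside the parentheses. */
static const char STAT_EVIL[] =
    "4242 (     4321) S 4100 4242 4242 34816 4242 4194560 0 0 0 0 0 0 0 0 20 0 1 0";

/* Parser in the style the advisory describes: skip six spaces, read a number.
 * Every space inside comm shifts the count, so with five spaces in comm the
 * "seventh field" is whatever number the attacker put in the file name. */
static long tty_nr_naive(const char *stat)
{
    const char *cp = stat;
    for (int field = 1; field < STAT_TTY_FIELD; field++) {
        cp = strchr(cp, ' ');
        if (cp == NULL)
            return -1;
        cp++;
    }
    char *ep;
    errno = 0;
    long v = strtol(cp, &ep, 10);
    return (ep == cp || errno != 0) ? -1 : v;
}

/* Hardened parser: comm may hold spaces, newlines, even ')', but it is the only
 * field in parentheses, so anchor on the LAST ')' and count from there. Every
 * later field is a single letter or a number, so each token must end in a space. */
static long tty_nr_hardened(const char *stat)
{
    const char *cp = strrchr(stat, ')');
    if (cp == NULL)
        return -1;
    cp++;                               /* now at " S ppid pgrp session tty_nr ..." */
    for (int field = 3; field < STAT_TTY_FIELD; field++) {
        if (*cp != ' ')
            return -1;
        cp++;
        while (*cp != '\0' && *cp != ' ')
            cp++;                       /* skip fields 3 through 6 */
    }
    if (*cp != ' ')
        return -1;
    cp++;
    char *ep;
    errno = 0;
    long v = strtol(cp, &ep, 10);
    if (ep == cp || errno != 0 || *ep != ' ')
        return -1;                      /* the number must be whole and space-terminated */
    return v;
}

int main(void)
{
    printf("benign: naive=%ld hardened=%ld\n",
           tty_nr_naive(STAT_BENIGN), tty_nr_hardened(STAT_BENIGN));
    printf("evil:   naive=%ld hardened=%ld\n",
           tty_nr_naive(STAT_EVIL), tty_nr_hardened(STAT_EVIL));
    return 0;
}
```

The naive parser returns 4321 for the second line, a device number that need not exist under /dev yet; the anchored parser returns the real tty_nr for both. The same rule applies to anything else that reads /proc/[pid]/stat: never tokenize on whitespace until you are past the closing parenthesis of comm.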

Qualys declined to comment for this article.

“This issue, if exploited, allows the attacker to circumvent the controls and do more than they are supposed to do,” the Red Hat security team told Threatpost. “The attacker has to already be on a server and granted access to commands via sudo for the vulnerability to be used.”

Red Hat said it released fixes yesterday for Red Hat Enterprise Linux 6, Red Hat Enterprise Linux Server and Red Hat Enterprise Linux 7, as did a number of other distributions including Debian for its wheezy, jessie and sid releases, and SUSE Linux for a number of its products.

Qualys said it will publish its exploit once systems have had time to patch.

“On an SELinux-enabled system, if a user is Sudoer for a command that does not grant him full root privileges, he can overwrite any file on the filesystem (including root-owned files) with his command’s output, because relabel_tty() (in src/selinux.c) calls open(O_RDWR|O_NONBLOCK) on his tty and dup2()s it to the command’s stdin, stdout, and stderr,” Qualys researchers wrote in an advisory published on the OSS-Security mailing list. “This allows any Sudoer user to obtain full root privileges.”

from Threatpost – English – Global – thr…

News in brief: NASA sends probe to the Sun; subway gets phone coverage; Facebook pushes back

Your daily round-up of some of the other stories in the news

NASA to send probe to the Sun

Boldly planning to go where no human – or spacecraft – has gone before, NASA is to send a probe 93m miles to the Sun. The probe, which will launch next year, has been named the Parker Solar Probe in honour of Eugene Parker, the astrophysicist who predicted the stream of plasma that flows out from the Sun into space, known as the solar wind.

The probe was announced earlier this week, but NASA said on Wednesday that it had decided to name the probe after Parker at a ceremony at the University of Chicago where Parker, who turns 90 in just over a week, is the S. Chandrasekhar Distinguished Service Professor Emeritus.

Parker said: “The solar probe is going to a region of space that has never been explored before. It’s very exciting that we’ll finally get a look. One would like to have more detailed measurements of what’s going on in the solar wind. I’m sure there will be some surprises. There always are.”

The probe is due to launch in July next year and will get as close as 3.9m miles from the solar surface, where it will have to withstand temperatures of up to 2,500 degrees Fahrenheit.

Subway to get cellphone coverage

As any visitor to London – or native Londoner – knows, talking to other human beings is something of a taboo on the British capital’s subway system, known as the Tube. Chatting to another passenger is right up there with standing on the left of the escalator (that’s the side you use to walk up or down), not moving down inside the carriages to make room for others and stealing candy from babies.

So the news that it could soon be possible to have a mobile phone conversation on the Tube has predictably been greeted as one of the worst things possible by Londoners: Twitter users said it was a “truly horrific idea“, the “worst idea ever” and bemoaned “the horror“.

Tube passengers already have Wi-Fi at most stations – though not in the tunnels between stations – and the move to extend mobile connectivity to the network is the result of an initiative from the mayor, Sadiq Khan, who is due to invite bids from telecoms providers next week, said the FT.

Facebook warns of effect of new law

Facebook continued to push back against moves across the EU to curb the spread of fake news and hate speech earlier this week, criticising a new German law that could force Facebook and other social media providers to pay a fine of up to €50m if they don’t take down infringing content within 24 hours.

Facebook warned that the new law, which has been approved in Germany but hasn’t yet come into force, could mean legal content would be deleted, saying: “The draft law provides an incentive to delete content that is not clearly illegal when social networks face such a disproportionate threat of fines.”

The California company made the not unreasonable point to Engadget that the law “would have the effect of transferring responsibility for complex legal decisions from public authorities to private companies”, and added that it believes that the proposal isn’t compliant with EU law.

from Naked Security – Sophos