Traditionally in cybersecurity, technology is the central focus. Adversaries act; security controls respond. But Richard Ford of Forcepoint says it is time to change the dynamic with a shift to human-centered security.
The traditional, tech-centric approach cedes too much control to the attackers, says Ford, Chief Scientist at Forcepoint. "Essentially, they are playing the tune, and we're dancing to it," Ford says. "We're very focused on threats. When I think of human-centered security, it's that point of contact between the human and the data, and making certain that the data is most available and most valuable to you, but also most protected when it's most at risk."
In an interview about the shift to human-centered security, Ford discusses:
The rationale behind making the shift; the tools and skills necessary; and how human-centered security will aid the response to modern attacks such as WannaCry.
Dr. Ford is the Chief Scientist for Forcepoint, overseeing technical direction and innovation throughout the business. He brings more than 25 years of experience in computer security, with knowledge of both offensive and defensive technology solutions. During his career, Ford has held positions with Virus Bulletin, IBM Research, Command Software Systems and NTT Verio. He has also worked in academia, having held an endowed chair in computer security, and served as head of the computer sciences and cybersecurity department at the Florida Institute of Technology.
The latest ISMG Security Report leads off with a look at the growing industry of mobile spyware designed for the exclusive use of governments.
In the Security Report, you'll hear (click on player beneath image to listen):
University of Toronto's Cyber Lab senior researcher John Scott-Railton contends that the Mexican government misused government spyware providers' products to target individuals who are neither criminals nor terrorists, but part of civil society; ISMG Security and Technology Editor Jeremy Kirk reports on Australia's bid to get other nations to adopt tools to counter encryption; HealthcareInfoSecurity Executive Editor Marianne Kolbasuk McGee explains the $115 million settlement for the Anthem data breach; and a look at the U.S. and Israel collaborating to find new approaches to thwart cyberattacks.
The ISMG Security Report appears on this and other ISMG websites on Tuesdays and Fridays. Check out our June 20 and June 23 reports, which respectively analyze the apparent death of the Neutrino exploit kit and why organizations turn to paper when critical systems can't be secured.
The next ISMG Security Report will be posted on Friday, June 30.
Theme music for the ISMG Security Report is by Ithaca Audio under a Creative Commons license.
WikiLeaks has published a document detailing “Elsa,” a tool allegedly used by the U.S. Central Intelligence Agency (CIA) to track people’s locations via their laptop’s Wi-Fi.
According to its developers, Elsa provides geolocation data by recording the details of Wi-Fi access points, including signal strength, in range of the targeted Windows device. The user’s location and movements can be obtained after the data is sent to third-party location services.
Once Elsa is planted on the target’s computer, it monitors nearby Wi-Fi connections even if the device is not connected to the Internet. Once an Internet connection is available, the malware can send the collected Wi-Fi data to a database containing the geographical location of wireless access points.
The document made available by WikiLeaks showed that Elsa leveraged geolocation databases set up by Google and Microsoft.
The data is encrypted and logged, and the malware’s operator can manually retrieve this log by connecting to the infected device.
“The ELSA project allows the customization of the implant to match the target environment and operational objectives like sampling interval, maximum size of the logfile and invocation/persistence method,” WikiLeaks said. “Additional back-end software (again using public geo-location databases from Google and Microsoft) converts unprocessed access point information from exfiltrated logfiles to geo-location data to create a tracking profile of the target device.”
The user manual leaked by WikiLeaks as part of its Vault 7 dump is dated September 2013, which indicates that the tool may have been improved significantly if it’s still maintained by its developer.
Earlier this month, WikiLeaks also published documents detailing tools allegedly used by the CIA to spread malware on a targeted organization’s network (Pandemic), hack routers and access points (Cherry Blossom), and hack air-gapped networks using USB drives (Brutal Kangaroo).
WikiLeaks has also detailed tools designed for replacing legitimate files with malware, hacking Samsung smart TVs and routers, MitM tools, a framework used to make malware attribution and analysis more difficult, and a platform for creating custom malware installers.
Security firms have found links between the tools exposed by WikiLeaks and the malware used by a cyber espionage group tracked as “Longhorn” and “The Lamberts.”
The Shadow Brokers has sent out its first round of exploits and data as part of a recently announced monthly subscription service, and the group claims it has a significant number of subscribers.
The hackers, who claim to possess exploits and secret documents stolen from the U.S. National Security Agency (NSA), particularly the Equation Group actor linked to the agency, announced last month that anyone could obtain parts of the data for a monthly fee of 100 Zcash (ZEC), which at the time was worth roughly $20,000.
The group announced on Wednesday its data dump for the month of June and said that they had “many many subscribers.” As a result, individuals and organizations that want next month’s files will have to pay double – 200 ZEC or 1,000 XMR (Monero).
The Shadow Brokers also announced that, following requests from several individuals, they have decided to launch a so-called “VIP Service.” Those who want the group’s attention – to learn if they have exploits for specific vulnerabilities or intel on a certain organization – have to make a one-time payment of 400 ZEC, which is currently worth roughly $130,000. The hackers claim someone has already signed up for the VIP service.
A significant part of the statement published on Wednesday by the Shadow Brokers is a message to an individual the hackers call “doctor.” This person, who they claim to have met on Twitter, sent the hackers some “ugly tweets” and later deleted them.
The hackers did some digging and they discovered that the “doctor” is a former member of the Equation Group and they believe he is responsible for building many tools and hacking organizations in China. They also claim that this individual is the co-founder of a new security company.
The Shadow Brokers told “doctor” that if he doesn’t sign up for their next monthly dump, they will dox him (i.e. expose his real identity).
“TheShadowBrokers is thinking this outcome may be having negative financial impact on new security companies international sales, so hoping ‘doctor’ person and security company is making smart choice and subscribe. But is being ‘doctor’ person's choice. Is not being smart choice to be making ugly tweets with enough personal information to DOX self AND being former equation group AND being co-founder of security company,” the Shadow Brokers said.
While many of the exploits leaked in the past months by the Shadow Brokers had little value, the recent WannaCry ransomware attacks demonstrated that the group’s leaks can lead to significant damage. The hackers’ requests for money were largely ignored until the WannaCry outbreak, but these attacks have made many realize that the group’s exploits can be highly valuable.
Some members of the infosec community decided to launch a crowdfunding initiative to acquire Shadow Brokers exploits via the monthly dump service in an effort to help prevent a future WannaCry-like incident, but they ultimately decided to cancel the project due to legal concerns.
Related: "Shadow Brokers" Data Obtained From Insider: Flashpoint
Related: Shadow Brokers Release More NSA Exploits
Barracuda Networks this week announced its new Sentinel product: an artificial intelligence (AI) powered real-time detection and prevention solution for spear-phishing and business email compromise (BEC). It marks the second company in a week, following GreatHorn, to use AI to combat social engineering.
"The threat has grown exponentially over the last few years," Asaf Cidon, vice president of content security services at Barracuda, told SecurityWeek. "According to the FBI's latest figures, more than $5 billion has been lost to BEC fraud between 2013 and 2016 -- with a 2,370% growth in spear-phishing between the beginning of 2015 and the end of 2016. BEC has become so pervasive because it is simple to do: anyone with an email account and a little on-line research into the target can produce a compelling fraudulent email."
Not only is BEC easy to produce, it is also hard to detect. While many other email-based attacks include a payload -- from a link in the body to malware in the attachment -- BEC fraud has neither. It relies entirely upon social engineering that traditional defenses cannot detect.
"This problem led us to build Sentinel," said Cidon; "an AI-based platform for real-time spear-phishing and cyber fraud defense. It relies on three individual layers to provide a comprehensive solution: artificial intelligence for fraud detection; DMARC for protection against domain spoofing and brand hijacking; and simulated attack training for identified high-risk staff."
The AI layer is the most important, he suggested. With access to millions of mailboxes, Barracuda has taught its AI to recognize fraudulent emails. It does this in two ways. Firstly, it fingerprints communication patterns within the customer organization. It learns, for example, how the CEO normally communicates with the finance team. Deviations from this pattern -- such as the sudden use of an email address not used before -- immediately flag the communication as worrying.
But Sentinel also analyzes the email content for style. In an example given by Cidon, the AI engine detected urgency (use of the word 'need', and termination with a question-mark) and sensitivity (use of 'bank transfer'). 'Urgency' is an archetypal element of social engineering. When the content analysis is coupled with the metadata fingerprint, other indicators such as the use of an external email address in either the from or reply-to fields are sufficient for the AI to recognize and quarantine the fraud.
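The two signals described above, a metadata fingerprint of who normally writes from which address and a content check for urgency and sensitive topics, can be sketched as a simple scoring rule. The code below is an added illustration written for this page, not Barracuda's engine; the sender list, domain, keyword sets, weights and sample messages are all constructed assumptions.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed "fingerprint": the addresses a known executive has been seen
# sending from in past mail (hypothetical organisation, not real data).
KNOWN_SENDERS = {"Alice Chen": {"alice.chen@example-corp.com"}}
INTERNAL_DOMAIN = "example-corp.com"

URGENCY_TERMS = {"need", "urgent", "asap", "immediately", "today"}
SENSITIVE_TERMS = {"bank transfer", "wire", "gift card", "invoice", "payroll"}


@dataclass
class Email:
    display_name: str
    from_addr: str
    reply_to: str   # empty string when the header is absent
    subject: str
    body: str


def domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def score_email(mail: Email) -> tuple[int, list[str]]:
    """Return (score, reasons). Higher score = more likely BEC."""
    score, reasons = 0, []
    # 1. Metadata fingerprint: a known display name arriving from an
    #    address never seen for that person before.
    known = KNOWN_SENDERS.get(mail.display_name)
    if known is not None and mail.from_addr.lower() not in known:
        score += 3
        reasons.append("known display name but previously unseen address")
    # 2. External address in From or Reply-To headers.
    for hdr, addr in (("from", mail.from_addr), ("reply-to", mail.reply_to)):
        if addr and domain(addr) != INTERNAL_DOMAIN:
            score += 2
            reasons.append(f"external {hdr} address {addr}")
    # 3. Content style: urgency cues (e.g. 'need', closing question mark)
    #    and sensitive financial topics.
    text = f"{mail.subject} {mail.body}".lower()
    words = set(re.findall(r"[a-z']+", text))
    if words & URGENCY_TERMS or text.rstrip().endswith("?"):
        score += 1
        reasons.append("urgency cue")
    if any(term in text for term in SENSITIVE_TERMS):
        score += 1
        reasons.append("sensitive financial topic")
    return score, reasons


def verdict(mail: Email, threshold: int = 5) -> str:
    """Quarantine only when several independent signals line up."""
    return "quarantine" if score_email(mail)[0] >= threshold else "deliver"


# Constructed sample messages for a quick run.
FRAUD_MAIL = Email("Alice Chen", "alice.chen@webmail-example.net",
                   "alice.chen@webmail-example.net", "Quick request",
                   "I need you to process a bank transfer today. Can you do it?")
LEGIT_MAIL = Email("Alice Chen", "alice.chen@example-corp.com", "",
                   "Q3 budget", "Please find the quarterly summary attached for review.")

if __name__ == "__main__":
    for m in (FRAUD_MAIL, LEGIT_MAIL):
        print(verdict(m), score_email(m))
```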
The second layer of Sentinel sets up DMARC (Domain-based Message Authentication Reporting & Conformance) to prevent outbound domain spoofing. One common technique used by criminals is to spoof the organization's domain in order to send apparently official messages to customers and partners to steal credentials and gain access to accounts. This layer of Sentinel helps prevent spoofing-based spear phishing and brand hijacking.
The final layer is anti-fraud training for high risk staff. The AI part of the product is used to identify high risk personnel. The product then offers a set of tools to periodically and automatically train and test the security awareness of these employees with simulated spear phishing attacks.
Sentinel currently works with Office 365. However, Barracuda also offers a set of APIs designed to make the functionality easily extensible beyond email to additional messaging platforms such as G Suite, Slack, social media, and others: "In fact," said Cidon, "to any platform used by organizations for business communication."
Legacy Windows XP systems used by public authorities in the UK remain a concern. The WannaCry outbreak last month, followed by the current 'NotPetya' outbreak -- both using a vulnerability patched in newer versions of Windows, but initially unpatched in XP -- highlights the problem.
Information obtained by Steve O'Connell, a member of the London Assembly and a Conservative Party spokesperson for policing and crime, shows that the Metropolitan Police Service (MPS, or the Met) was still using 18,293 XP machines on their network at the time of providing the information. Since XP is no longer supported by Microsoft, it is left vulnerable to any new exploits such as EternalBlue and DoublePulsar -- and it appears that only the tendency for WannaCry to crash XP rather than infect it prevented the worldwide outbreak from being far worse than it was.
The Met's position is more precarious than implied by O'Connell's figures. Last month, the UK's data protection regulator, the ICO, published findings (PDF) from a consensual audit of the Met. While finding some areas of 'good practice', it also noted other areas in need of improvement.
In particular, one area for improvement includes the continued use of XP on some desktops and laptops leading to "a residual risk to personal data." But in relation to WannaCry and NotPetya, this risk is magnified by weaknesses in both the Met's backup and business continuity procedures. "Backup arrangements for file systems are not tested to ensure that they are recoverable in the event of a disaster."
Furthermore, "The database used to store BC information is unsupported and not backed up."
The ICO's conclusion was that "The audit has identified considerable scope for improvement in existing arrangements to reduce the risk of non-compliance [with the Data Protection Act]."
The combination of a vulnerable system and untested recovery capabilities is particularly susceptible to ransomware -- and even more so where the ransomware attacks are more intent on mischief than collecting ransoms, as seems to be the case with both WannaCry and NotPetya. The threat to, or potential loss of, personal data stored by the Metropolitan Police is particularly concerning.
"It is vital the Met is given the resources to step up its upgrade timeline before we see another cyber-attack with nationwide security implications," warns O'Connell. But, of course, things are never so simple. SecurityWeek reached out to the Met to confirm O'Connell's figures, and received the following statement:
"The MPS is undergoing a complete refresh of its information technology processes, infrastructure, and equipment - including its desktop computers.
"However, the upgrade programme is not as simple as it would be for many other organizations due to the amount of specialist legacy software upon which parts of the MPS still rely.
"Replacements or remediation for this software that are compatible with a more modern operating system have to be ready before the roll-out is completed to ensure continued operational effectiveness.
"We have completed the upgrade of just over 17,000 devices to Windows 8.1, and this reduces the number of desktops running Previous XP to around 10,000."
The spokesperson did not know, and was unable to find out in time for this article, whether the Met has patched all its Windows systems (not just the XP ones) against MS17-010 vulnerabilities (also known as the EternalBlue vulnerabilities) after the WannaCry outbreak. However, he did add, "The entire Met ICT estate has a number of layers of industry-leading security, which we have been monitoring closely over the past 24 hours. The MPS estate currently remains un-impacted by the cyber-attack and our security checks continue."
The complicating factor of legacy software on legacy systems is a problem, and not just for the Met. "I'm sympathetic to the fact that financially stretched government agencies and public services may not feel that an OS upgrade is the best use of scarce resources," independent security expert David Harley told SecurityWeek.
"Sometimes," he continued, "there are technical reasons for not upgrading a system required to run specific software or peripherals. There may be systems for which an OS upgrade is expected to damage functionality for other reasons, such as underpowered hardware. There are systems that may not require updating because they're fully air-gapped, I suppose. And the risk from running systems that can no longer be updated is sometimes overhyped: there's plenty of malware that doesn't rely on unpatched Windows versions to allow it to execute."
But none of this means that organizations can relax their efforts to upgrade XP systems. "Nonetheless," concluded Harley, "the risk of attack by malware that makes use of vulnerabilities in unpatched machines (such as the new Petya variant that apparently makes use of EternalBlue) is quite significant enough to make it unwise to rely on systems that are no longer normally updated, even if the agencies concerned are taking advantage of rare events like Microsoft's XP patch in May... After all, dangers to their data, systems and internal processes don't only affect their 'business' but all of us."
The bottom line is that 10,000 XP systems still in use by the Metropolitan Police Service is really 10,000 too many.
Petya/NotPetya Ransomware May Not be a Financially Motivated Attack, Researchers Say
The Petya/NotPetya outbreak that originated in Ukraine on Tuesday but spread globally within hours might have been more than a financially motivated ransomware incident, security researchers suggest.
The attack caught security researchers’ attention because the same EternalBlue SMB exploit employed by WannaCry was used to spread to new machines, and because of the fast pace at which reports of infections started to emerge worldwide.
The malware used in this attack, however, wasn’t WannaCry, but a variant of the Petya ransomware that first emerged in March 2016. Also referred to as Petya.A, Petrwrap, NotPetya, exPetr, and GoldenEye, this Petya variant features a different encryption algorithm implementation than before and is targeting different file types than previously observed variations.
While the exact number of victims isn’t known at the moment, Kaspersky Lab has already confirmed over 2,000 attacks, most of which occurred in Ukraine. During a phone call, Bitdefender’s senior e-threat analyst Bogdan Botezatu confirmed to SecurityWeek that Ukraine was hit the most: “We’ve seen some hits in other countries, but Ukraine was ravaged.”
The Petya/NotPetya attack hit a total of 65 countries, including Belgium, Brazil, Germany, Russia, and the United States, Microsoft reveals. In Ukraine, more than 12,500 machines were affected by the ransomware attack, the tech giant says.
The attack hit Ukraine central bank, government computers, airports, the Kiev metro, the state power distributor Ukrenergo, Chernobyl’s radiation monitoring system, and other machines in the country. It also affected Russian oil giant Rosneft, DLA Piper law firm, U.S. biopharmaceutical giant Merck, British advertiser WPP, and Danish shipping and energy company Maersk, among others.
Jury still out on initial infection vector
What Botezatu couldn’t confirm as of now was the initial infection vector. “We know how the ransomware moves within a network once it has compromised a machine, but we can’t find evidence of the initial infection vector,” he said.
While Microsoft and Cisco suggest that the legitimate updater process of tax accounting software MEDoc was compromised and used as the initial infection vector, the Ukrainian company has already denied the allegations [Ukrainian], and Bitdefender says they confirmed breaches in organizations that don’t use the software.
Kryptos Logic suggests that a zero-day vulnerability might have been used, given that Petya/NotPetya is limited to spreading only to computers in internal networks, and because a spam campaign wouldn’t be as effective.
“We believe to reach such a velocity, this can be accomplished by attacking update systems or software packages with 0-day vulnerabilities,” the company says.
Spam email was also considered a possibility, but “likely [wasn’t] responsible for the large number of public sector organizations hit in Ukraine,” a Kryptos Logic security researcher going by the name of MalwareTech says.
According to Costin Raiu, director of the Global Research and Analysis Team at Kaspersky Lab, the website of the Ukrainian city of Bahmut (Бахмут) might have been used as a secondary initial infection vector after being hacked and repurposed to serve the malware.
Encryption starts within an hour
The Petya/NotPetya variant used in this attack wouldn’t start encrypting infected computers immediately, but would wait for up to 60 minutes before doing so. However, given that the malware reboots the machine before starting the encryption, the delay window is supposedly used for credential gathering and network scanning operations.
“There appears to be a significant delay between running the malware and the beginning of the encryption process. Given that the malware reboots the machine, this is almost certainly to allow a reasonable amount of time to propagate across networks,” Forcepoint points out.
What fully set Petya/NotPetya apart from previous variants was the use of several tools for lateral movement. In addition to a modified EternalBlue exploit, the malware employs the EternalRomance exploit, Mimikatz for credential gathering, and WMIC (Windows Management Instrumentation Commandline) and PSExec for spreading within the compromised network.
The use of several tools allows the ransomware to compromise even up-to-date systems, and reports of companies that patched against EternalBlue but still got infected already emerged. As long as a single computer in the network is compromised, the malware can spread to the remaining ones, it seems.
“Once the ransomware has valid credentials, it scans the local network to establish valid connections on ports tcp/139 and tcp/445. A special behavior is reserved for Domain Controllers or servers: this ransomware attempts to call DhcpEnumSubnets() to enumerate all hosts on all DHCP subnets before scanning for tcp/139 and tcp/445 services. If it gets a response, the malware attempts to copy a binary on the remote machine using regular file-transfer functionalities with stolen credentials. It then tries to execute remotely the malware using either PSEXEC or WMIC tools,” Microsoft explains.
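The scanning behaviour Microsoft describes, one freshly compromised host opening SMB connections to many neighbours in a short span, is a pattern a defender can look for in firewall or flow logs. The script below is an added example for this page, not code from Microsoft or any vendor: it counts distinct internal destinations per source on tcp/139 and tcp/445 within a sliding time window and flags fan-out above a threshold. The log format, addresses, window and threshold are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

SMB_PORTS = {139, 445}


def build_sample_log() -> list[str]:
    """Constructed connection records ('timestamp src dst dport'), not real data."""
    base = datetime(2017, 6, 27, 10, 0, 0)
    lines = []
    # A workstation talking to a single file server all morning (benign).
    for i in range(30):
        lines.append(f"{(base + timedelta(minutes=i)).isoformat()} 10.0.1.20 10.0.1.2 445")
    # An admin host reaching 15 machines slowly, one every six minutes (benign).
    for i in range(15):
        lines.append(f"{(base + timedelta(minutes=6 * i)).isoformat()} 10.0.1.3 10.0.1.{100 + i} 445")
    # A host that probes 21 neighbours on both SMB ports within two minutes.
    for i in range(21):
        ts = (base + timedelta(seconds=5 * i)).isoformat()
        for port in (139, 445):
            lines.append(f"{ts} 10.0.1.5 10.0.1.{10 + i} {port}")
    return lines


def parse_line(line: str) -> tuple[datetime, str, str, int]:
    ts, src, dst, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport)


def find_smb_fanout(lines, window=timedelta(minutes=5), threshold=10) -> dict[str, int]:
    """Return {src: peak distinct SMB destinations} for sources whose number
    of distinct destinations inside any `window` exceeds `threshold`."""
    events = defaultdict(list)  # src -> [(timestamp, dst)]
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst, dport = parse_line(line)
        if dport in SMB_PORTS:
            events[src].append((ts, dst))

    flagged = {}
    for src, ev in events.items():
        ev.sort()
        in_window = defaultdict(int)  # dst -> hits currently inside the window
        start, peak = 0, 0
        for ts, dst in ev:
            in_window[dst] += 1
            # Slide the window forward, dropping events older than `window`.
            while ts - ev[start][0] > window:
                old = ev[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            peak = max(peak, len(in_window))
        if peak > threshold:
            flagged[src] = peak
    return flagged


if __name__ == "__main__":
    for src, n in find_smb_fanout(build_sample_log()).items():
        print(f"possible SMB worm propagation from {src}: {n} distinct hosts")
```

The slow admin host is deliberately not flagged: its 15 destinations never fall inside one five-minute window, which is the difference between routine administration and worm-speed spreading.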
As soon as the encryption process starts, the machine is rebooted and the user is informed that the disk is being checked for errors. The same tactic was used by previous Petya variants: the malware would encrypt the Master Boot Record (MBR) while pretending to perform a check disk operation.
Petya/NotPetya uses an AES-128 key to encrypt all targeted files. It then encrypts the AES-128 key with the attacker’s public RSA-2048 key and saves it to a README file. Because both keys are securely generated, this solid encryption scheme prevents researchers from creating decryption tools for the malware, “unless a subtle implementation mistake has been made,” Kaspersky says.
Paying not an option to recover files
While this has been said over and over again, it can’t be truer than in Petya/NotPetya’s case: paying is by no means a valid option. The main reason for this is that the attacker no longer has access to the email address listed in the ransom note.
Midway through Tuesday, soon after learning that the email address was being used as part of a malware attack, Posteo decided to block the account straight away. The action is part of the company’s policy of not tolerating the misuse of its platform.
“Since midday it is no longer possible for the blackmailers to access the email account or send emails. Sending emails to the account is no longer possible either,” Posteo notes in a blog post.
While this seems like a logical step to take when encountering email accounts used for nefarious purposes, Posteo’s action certainly did more to hurt victims than help them, as they can no longer contact the attackers to ask for the decryption keys in exchange for proof of payment.
The Bitcoin address the attackers ask victims to pay the ransom to already shows 43 transactions and 3.87408155 Bitcoin received, most probably in payments. Petya/NotPetya demands a $300 ransom from its victims.
Not a financially motivated attack
Despite using ransomware, the attack might not have been financially motivated, but rather aimed at data destruction or data theft, security researchers suggest.
“Many companies may be tempted to pay the ransom to get their systems back online. In this outbreak, it appears that the attackers never even attempted to be able to restore files to victims,” IBM’s Diana Kelley notes.
Bogdan Botezatu too notes that this campaign “might not have targeted financial gains but rather data destruction.” He further explains that the use of “a regular, non-bulletproof e-mail service provider,” is the first piece of evidence that the attackers weren’t really interested in getting paid.
Botezatu also told SecurityWeek that there are signs suggesting that the attack was initially targeted at specific companies, but became a global incident after getting out of hand.
He also cites “the lack of automation in the payment & key retrieval process” that “makes it really difficult for the attacking party to honor their end of the promise,” and the fact that the chosen payment confirmation option is rather difficult: “the user has to manually type an extremely long, mixed case “personal installation key” + “wallet” [which] is prone to typos.”
According to Recorded Future, there are reports that the Loki Bot information stealer might have been used in this attack as a secondary payload, suggesting that data theft could have been the purpose of the outbreak.
"Vaccine" available
Unlike the WannaCry outbreak, which was slowed down when a security researcher registered a kill-switch domain, no such option is available in the Petya/NotPetya case. However, a vaccine is available, supposedly effective in preventing the ransomware from infecting compromised machines.
Discovered by Cybereason Principal Security Researcher Amit Serper, the vaccine involves the creation of a file named perfc (with no extension) in the C:\Windows folder. Other security researchers also confirmed the finding.