[vc_row css_animation="" row_type="row" use_row_as_full_screen_section="no" type="grid" angled_section="no" text_align="left" background_image_as_pattern="without_pattern" z_index=""][vc_column][vc_column_text]Amnesty International is backing a lawsuit against the Israeli surveillance firm NSO Group and fears its staff may be targeted by the company's Pegasus spyware. NSO Group made headlines last week after the disclosure of the WhatsApp flaw the company exploited to remotely install its surveillance software. The Israeli firm now faces a lawsuit backed by Amnesty International, and the non-governmental organization fears its staff may be under surveillance through spyware delivered via the WhatsApp flaw. The lawsuit was filed in Israel by about 50 members and supporters of the human rights group. It calls on the Israeli Ministry of Defence to ban the export of the Pegasus surveillance software developed by NSO Group.

“An affidavit from Amnesty is at the heart of the case, and concludes that “staff of Amnesty International have an ongoing and well-founded fear they may continue to be targeted and ultimately surveilled” after a hacking attempt last year,” reads the post published by The Guardian. “The Israeli government’s Defence Export Controls Agency has failed to exercise proper oversight “despite serious allegations of abuse”, the affidavit claimed, adding: “Because of DECA’s inaction, NSO Group can continue to sell its software to governments known to target human rights defenders.””

Officially, NSO Group sells its surveillance software only to authorized governments, to support investigations into criminal organizations and terrorist groups. Unfortunately, the software is known to have been abused to spy on journalists and human rights activists. In July, Citizen Lab collected evidence of attacks against 175 targets worldwide carried out with the NSO spyware.

Citizen Lab uncovered other attacks against individuals in Qatar and Saudi Arabia, where the Israeli surveillance software is becoming very popular. In August, an Amnesty International report confirmed that its experts had identified a second human rights activist, in Saudi Arabia, who was targeted with the powerful spyware. According to Joshua Franco, Amnesty’s head of technology and human rights, the trade in surveillance software is spiralling out of control. In August, the human rights group published a report detailing the attack against an Amnesty International employee. The attackers attempted to compromise the mobile device of a staff member in early June by sending him a WhatsApp message about a protest in front of the Saudi Embassy in Washington.[/vc_column_text][vc_empty_space][/vc_column][/vc_row][vc_row css_animation="" row_type="row" use_row_as_full_screen_section="no" type="grid" angled_section="no" text_align="left" background_image_as_pattern="without_pattern" z_index=""][vc_column][vc_single_image image="343" img_size="full" alignment="center" qode_css_animation=""][/vc_column][/vc_row][vc_row css_animation="" row_type="row" use_row_as_full_screen_section="no" type="grid" angled_section="no" text_align="left" background_image_as_pattern="without_pattern" z_index=""][vc_column][vc_column_text]The organization added that such attacks are becoming more frequent, with a growing number of Israeli surveillance products being used to spy on human rights workers and opposition figures in the Middle East and beyond. Amnesty International traced the malicious link in the message to the surveillance infrastructure of the Israeli firm NSO Group. The Guardian reported that NSO Group already faces other lawsuits, such as the one brought by Omar Abdulaziz, a Saudi dissident based in Montreal.

In December, Abdulaziz filed a lawsuit in Israel claiming that his phone was infected with the NSO spyware while he was in regular contact with the journalist Jamal Khashoggi. In November, Edward Snowden warned of the abuse of surveillance software that also played a role in the murder of the Saudi journalist Jamal Khashoggi. Khashoggi is believed to have been killed by Saudi Arabia’s agents; the country licensed NSO software in 2017, paying $55m for the technology. NSO says it wants to demonstrate that it is not involved in any abuse of its technology, and it prepared a 26-page report in reply to the accusations made by Amnesty and Citizen Lab. Curiously, in early 2019 a majority stake in NSO was acquired by the London-based firm Novalpina Capital, founded by the banker and philanthropist Stephen Peel. The Guardian reported an excerpt of the reply to Amnesty, signed by Peel, which states that in “almost all” of the cases of alleged human rights abuse raised, the alleged victim of hacking had not been a target or the government in question had acted with “due lawful authority”.

“We believe that the reality is different. We’ve seen them target human rights organisations and no evidence they’ve been able to effectively control governments when complaints have been raised,” replied Danna Ingleton, deputy director of Amnesty’s technology division.[/vc_column_text][vc_empty_space][/vc_column][/vc_row]...

[vc_row css_animation="" row_type="row" use_row_as_full_screen_section="no" type="grid" angled_section="no" text_align="left" background_image_as_pattern="without_pattern" z_index=""][vc_column][vc_column_text]In 2016 I was working hard to find a way to classify malware families through artificial intelligence (machine learning). One of the first difficulties I met was finding a labelled test set on which to run new algorithms and to evaluate specific features. So I came up with this blog post and this GitHub repository, where I proposed a new test set based on a modified version of the Malware Instruction Set for Behavior-Based Analysis, also referred to as MIST. Since that day I have received hundreds of emails from students, researchers and practitioners all around the world asking how to follow up that research and how to contribute to expanding the training set.[/vc_column_text][vc_empty_space][/vc_column][/vc_row][vc_row css_animation="" row_type="row" use_row_as_full_screen_section="no" type="full_width" angled_section="no" text_align="left" background_image_as_pattern="without_pattern"][vc_column][vc_single_image image="360" img_size="full" qode_css_animation=""][vc_empty_space][/vc_column][/vc_row][vc_row css_animation="" row_type="row" use_row_as_full_screen_section="no" type="grid" angled_section="no" text_align="left" background_image_as_pattern="without_pattern" z_index=""][vc_column][vc_column_text]I am very glad that many international researchers have used my labelled malware dataset as a building block for great analyses and for improving the state of the art in malware research. Some of them are listed here, but many other papers, articles and projects have been released (just ask Google).

Big data: deep learning for detecting malware
AI and Machine Learning for Cyber Security Wiki
Toward Collaborative Defense Across Organizations
Modelling Malware-driven Honeypots
Trust, Privacy and Security in Digital Business: 14th International Conference, TrustBUS
Design and Implementation of Malware Detection Scheme
Machine Learning For Cybersecurity
…

Today I finally had the chance to follow it up by adding a scripting section, which is useful to: (i) generate the modified version of the MIST files (the one used in the training sets) and (ii) convert the obtained results to ARFF (Attribute-Relation File Format), the input format of the WEKA toolkit from the University of Waikato.

The first script, mist_json.py, is a reporting module that can be integrated into a running Cuckoo Sandbox environment. It takes the Cuckoo report and converts it into the modified MIST file. To do that, drop mist_json.py into your running instance of Cuckoo Sandbox v1 (modules/reporting/) and add the corresponding configuration section to conf/reporting.conf. You may also force its execution without configuration by editing the source code directly. The result is one MIST file for each sample analysed by Cuckoo; the MIST file wraps the generated features as described in the original post. With the second script, fromMongoToARFF.py, you can convert the JSON objects stored in MongoDB into ARFF, which can then be imported into WEKA to test your favourite algorithms. So, if you wish, you are now able to generate training sets by yourself and to test new algorithms directly in WEKA. The creation process follows these steps:

1. Upload the samples to a running Cuckoo Sandbox patched with mist_json.py.
2. mist_json.py produces a MIST.json file for each submitted sample.
3. Use a simple script to import the MIST.json files you want into MongoDB, for example (bash needs shopt -s globstar for ** to recurse into subdirectories; zsh does it by default): for i in **/*.json; do mongoimport --db test --collection test --file "$i"; done
4. Use fromMongoToARFF.py to generate the ARFF file.
5. Import the generated ARFF into WEKA.
6. Start your experimental sessions.

If you want to share your new labelled MIST files with the community, please feel free to make pull requests directly on GitHub. Everybody using this set will appreciate it.[/vc_column_text][/vc_column][/vc_row]...
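The JSON-to-ARFF step of the procedure above, as an added example (this is not the page's fromMongoToARFF.py and not the real MIST.json layout, which is described in the author's original post). It assumes a hypothetical flat schema: one JSON document per sample, a "family" key carrying the class label, numeric keys carrying behaviour counts, and identifier fields ("sha256", plus the "_id" MongoDB adds on import) that must not become features. The three input documents are constructed for the example.

```python
import json

# Constructed sample input: one flat JSON document per analysed sample, as it
# would come back from MongoDB (hypothetical schema, not the real MIST.json
# layout). "family" is the class label; the other numeric keys are feature
# counts; "sha256" and Mongo's "_id" are identifiers, not features.
SAMPLE_DOCS = [
    '{"_id": "1", "sha256": "aaa", "family": "Zeus", "file_write": 12, "reg_set": 3, "net_connect": 1}',
    '{"_id": "2", "sha256": "bbb", "family": "Zeus", "file_write": 9, "reg_set": 4}',
    '{"_id": "3", "sha256": "ccc", "family": "Kelihos", "file_write": 0, "net_connect": 7, "proc_create": 2}',
]

IDENTIFIER_KEYS = ("_id", "sha256")


def load_docs(lines):
    """Parse one JSON document per line (mongoexport-style), skipping blank lines."""
    return [json.loads(line) for line in lines if line.strip()]


def collect_features(docs, label_key="family", ignore=IDENTIFIER_KEYS):
    """Return (sorted feature names, sorted class labels) across all documents.

    Only numeric values are treated as features, so identifiers and other
    string fields never leak into the attribute list. Documents need not share
    the same keys: a feature absent from a document is emitted as 0 (the
    behaviour was never observed), not as ARFF's '?' (value unknown).
    """
    features, labels = set(), set()
    for doc in docs:
        labels.add(str(doc[label_key]))
        for key, value in doc.items():
            if key == label_key or key in ignore:
                continue
            if isinstance(value, bool) or not isinstance(value, (int, float)):
                continue
            features.add(key)
    return sorted(features), sorted(labels)


def _quote(token: str) -> str:
    """Quote ARFF tokens containing anything but letters, digits, '_', '.' or '-'."""
    if all(ch.isalnum() or ch in "_.-" for ch in token):
        return token
    return "'" + token.replace("'", "\\'") + "'"


def to_arff(docs, relation="mist", label_key="family", ignore=IDENTIFIER_KEYS):
    """Render the documents as a WEKA ARFF string: numeric features plus a nominal class."""
    features, labels = collect_features(docs, label_key, ignore)
    out = ["@RELATION " + _quote(relation), ""]
    for name in features:
        out.append("@ATTRIBUTE %s NUMERIC" % _quote(name))
    out.append("@ATTRIBUTE %s {%s}" % (_quote(label_key), ",".join(_quote(l) for l in labels)))
    out += ["", "@DATA"]
    for doc in docs:
        row = [str(doc.get(name, 0)) for name in features]   # missing count -> 0
        row.append(_quote(str(doc[label_key])))
        out.append(",".join(row))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(to_arff(load_docs(SAMPLE_DOCS)), end="")
```

The attribute list is computed over the whole collection before any row is written, because WEKA requires every row to have the same columns; the one design decision worth keeping in mind is whether an absent key means "never happened" (0, as here) or "not measured" ('?'), since the two are treated differently by most classifiers.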

[vc_row css_animation="" row_type="row" use_row_as_full_screen_section="no" type="grid" angled_section="no" text_align="left" background_image_as_pattern="without_pattern" z_index=""][vc_column][vc_column_text]Introduction

During the last month our Threat Intelligence surveillance team spotted increasing evidence of an intensification of operations against the banking sector. In fact, many independent researchers pointed to a particular email attack wave probably related to the known TA505 hacking group, active since 2014 and focused on retail and banking companies. The group is also known for the evasive techniques it has put in place over time to avoid security controls and penetrate corporate perimeters with several kinds of malware, for instance abusing so-called LOLBins (Living Off The Land Binaries), legitimate programs regularly used by the victim, or abusing validly code-signed payloads. Investigating and tracking their operations during April and May, we detected an interesting tool delivered to the victim machine.

Just after the opening of the malicious documents and the installation of the FlawedAmmyy RAT implants, the group deployed a particular credential-stealing tool, part of their arsenal, which reveals details of their recent operation.[/vc_column_text][vc_empty_space][/vc_column][/vc_row][vc_row css_animation="" row_type="row" use_row_as_full_screen_section="no" type="grid" angled_section="no" text_align="left" background_image_as_pattern="without_pattern" z_index=""][vc_column][vc_single_image image="366" img_size="full" alignment="center" qode_css_animation=""][/vc_column][/vc_row][vc_row css_animation="" row_type="row" use_row_as_full_screen_section="no" type="grid" angled_section="no" text_align="left" background_image_as_pattern="without_pattern" z_index=""][vc_column][vc_column_text]Technical Analysis

The piece of malware under analysis was downloaded from “bullettruth[.com/out[.exe” and executed on the victim machines after the infection was established.

Sha256: f3e8f68c31c86d431adea1633c875c32434a42aee5ed70af74af5c5e5aa58883
Threat: Custom Email Stealer
Brief Description: Executable of the email stealer
Ssdeep: 12288:tlICpzmDFPJ+d7SQX5PsTrKjL43vNa77pu:XI+mDFx+d7vcrKv43X[/vc_column_text][vc_empty_space][vc_column_text]Firstly, we noticed this secondary component was well protected against antivirus detection: the PE file carried a code-signing certificate issued by Sectigo, one of the major commercial Certification Authorities, in the first half of May. Analysing the trust chain, we found the attackers were relying on a signing key issued to a UK company named SLON LTD. At this time we have no evidence to say whether that company was itself the victim of a previous compromise.
Anyway, a static inspection of the binary revealed that the sample has a quite high entropy level, suggesting it is packed.[/vc_column_text][vc_empty_space][/vc_column][/vc_row][vc_row css_animation="" row_type="row" use_row_as_full_screen_section="no" type="full_width" angled_section="no" text_align="left" background_image_as_pattern="without_pattern"][vc_column][vc_single_image image="367" img_size="full" alignment="center" qode_css_animation=""][vc_empty_space][/vc_column][/vc_row][vc_row css_animation="" row_type="row" use_row_as_full_screen_section="no" type="full_width" angled_section="no" text_align="left" background_image_as_pattern="without_pattern"][vc_column][vc_column_text]Executing the malware dynamically reveals more about its behaviour. The executable is essentially an email stealer: its only purpose is to retrieve all the email accounts and passwords present on the victim machine. After running the information-gathering routine, the malware sends all the retrieved emails and passwords to its C2:[/vc_column_text][vc_empty_space][/vc_column][/vc_row][vc_row css_animation="" row_type="row" use_row_as_full_screen_section="no" type="full_width" angled_section="no" text_align="left" background_image_as_pattern="without_pattern"][vc_column][vc_single_image image="368" img_size="full" alignment="center" qode_css_animation=""][vc_empty_space][/vc_column][/vc_row][vc_row css_animation="" row_type="row" use_row_as_full_screen_section="no" type="full_width" angled_section="no" text_align="left" background_image_as_pattern="without_pattern"][vc_column][vc_column_text]The interesting thing about the communication with the C2 is that there is no encryption at all: the harvested data is sent to the C2 as clear-text JSON. Investigating the attacker infrastructure through our Digital Surveillance systems, we also obtained information about the stolen emails themselves.
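The two static checks used in this analysis, the entropy reading that flags the sample as packed and the header half of the YARA condition given at the end of the post (uint16(0) == 0x5A4D and pe.number_of_sections == 3), as an added example in Python. This is not Yoroi's tooling: it is a minimal, dependency-free PE section walker with a Shannon entropy measurement, plus a constructed, non-runnable PE image (section names and contents are invented) so that the block runs offline. The 7.0 bits/byte threshold is a common triage heuristic, not a value taken from the page.

```python
import math
import struct

PACKED_THRESHOLD = 7.0   # bits per byte; compressed or encrypted sections sit near 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes):
    """Decode the DOS header, COFF header and section table of a PE image.

    Returns [(name, raw_size, entropy), ...]. Only the fields needed for triage
    are read; nothing is mapped or executed.
    """
    if pe[:2] != b"MZ":                        # the rule's uint16(0) == 0x5A4D check
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + size_of_optional       # section table follows the optional header
    sections = []
    for i in range(num_sections):
        off = table + i * 40                   # IMAGE_SECTION_HEADER is 40 bytes
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, off + 16)
        sections.append((name, raw_size, shannon_entropy(pe[raw_ptr:raw_ptr + raw_size])))
    return sections


def triage(pe: bytes) -> dict:
    """Summarise what a packed-sample check and the rule's header condition would see."""
    sections = parse_sections(pe)
    return {
        "number_of_sections": len(sections),
        "sections": sections,
        "high_entropy": [name for name, _, ent in sections if ent > PACKED_THRESHOLD],
        # header part of the rule's condition only; the three byte patterns are not reproduced here
        "matches_rule_shape": pe[:2] == b"MZ" and len(sections) == 3,
    }


def build_sample_pe(section_blobs, align=0x200):
    """Construct a minimal PE32 image (headers, section table, raw data) for testing.

    It is not loadable or runnable: it exists only to exercise the parser above.
    """
    e_lfanew, opt_size = 0x40, 0xE0            # 0xE0 = PE32 optional header size
    n = len(section_blobs)
    headers_len = e_lfanew + 4 + 20 + opt_size + 40 * n
    raw_ptr = -(-headers_len // align) * align   # first raw data offset, file-aligned
    table, body = b"", b""
    for name, blob in section_blobs:
        raw_size = -(-len(blob) // align) * align
        table += name.encode("ascii").ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", len(blob), raw_ptr, raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += blob.ljust(raw_size, b"\0")
        raw_ptr += raw_size
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", e_lfanew)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<H", 0x10B).ljust(opt_size, b"\0")
    headers = (dos + coff + opt + table).ljust(-(-headers_len // align) * align, b"\0")
    return headers + body


# Constructed sample: low-entropy text standing in for code, a constant data
# section, and uniformly distributed bytes standing in for a packed payload.
SAMPLE_SECTIONS = [
    (".text", (b"mov eax, 1\nret\n" * 40)[:512]),
    (".rdata", b"\0" * 512),
    (".pack", bytes(range(256)) * 8),
]

if __name__ == "__main__":
    for name, size, ent in triage(build_sample_pe(SAMPLE_SECTIONS))["sections"]:
        flag = "  <-- likely packed" if ent > PACKED_THRESHOLD else ""
        print("%-8s %6d bytes  entropy %.2f%s" % (name, size, ent, flag))
```

Measuring entropy per section rather than over the whole file is the useful refinement: a packed binary usually shows one near-8.0 section next to an almost empty stub, which a single file-wide number blurs, and zero padding up to FileAlignment drags a section's reading down, so a threshold applied to raw sections is only a triage signal, never proof of packing.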
In order to retrieve more details about this email stealer, the analysis moved on to debugging and disassembling. As previously mentioned, the sample is heavily obfuscated and packed. However, by letting the malware run inside a debugger, we were able to extract its unpacked payload.[/vc_column_text][vc_empty_space][/vc_column][/vc_row][vc_row css_animation="" row_type="row" use_row_as_full_screen_section="no" type="grid" angled_section="no" text_align="left" background_image_as_pattern="without_pattern" z_index=""][vc_column][vc_single_image image="368" img_size="full" alignment="center" qode_css_animation=""][vc_empty_space][/vc_column][/vc_row][vc_row css_animation="" row_type="row" use_row_as_full_screen_section="no" type="grid" angled_section="no" text_align="left" background_image_as_pattern="without_pattern" z_index=""][vc_column][vc_column_text]As shown in the figure above, the two components differ in one respect: the packed sample is compiled with Microsoft Visual C++ 6.0, while the unpacked one is compiled with Microsoft Visual C++ 8. At this point we deepened the analysis of the extracted payload. However, we were not able to execute it on its own, because it references many memory addresses of the original process, so we carried on with static analysis of the extracted sample.

As previously described, the malware's main purpose is to iterate through the filesystem looking for email accounts. The first step is to check whether the outlook.exe process is running and, if so, to kill it: the malware iterates through the running processes with the Process32FirstW API and then terminates the match with TerminateProcess.

Figure 7: Outlook process search routine

The extracted payload does not present any kind of code obfuscation; in fact, the C2 server and path are not even encoded:

Figure 8: C2 connection routine

The last routine analysed is the credential harvesting across the entire filesystem.
Apart from the routine that searches for the email accounts registered in the Outlook and Thunderbird clients (shown in Figure 7), there is another one which scans the filesystem looking for a hardcoded list of extensions (reported at the end of this post); when one of them matches, a reference to the file is kept in the %TEMP% directory. At this point all the gathered email accounts are sent to the server, and the malware then erases all traces of itself from the infected machine: it creates a simple batch script which deletes the executable and the tracks of the infection.

Figure 9: Self-deletion batch script

Analysis of Exposed Emails

This section shows some statistics about the emails harvested in the attack campaign, recovered during our surveillance and hunting operations. We built a graph sorting the most frequent TLD occurrences across all the stolen data.

Figure 10: Distribution of TLDs

As seen in the graph above, the most frequent TLD is .com with 193,194 occurrences, followed by .kr with 102,025 occurrences, .cn with 26,160 occurrences, .it with 6,317 occurrences, and so on. To better visualize the macro-locations involved in this exposure we built a heatmap showing the geographical distribution of the top 100 countries referenced by the TLDs.

Figure 11: Geolocation of email TLD exposure

The heatmap shows the less-affected countries in a greenish colour, while the most-affected ones tend towards orange or red. The first thing that emerges from these two distributions is that this specific threat does not seem to be targeted: the diffusion is almost global, with red or orange zones in the UK, Italy, the Republic of Korea, China, Germany, Hungary, Taiwan, Japan, India and Mexico. All these countries exceeded a thousand occurrences.

Conclusion

Nowadays, email accounts are an effective source of revenue for cyber criminals.
In fact, all this information can be used to spread other malware through phishing campaigns, to perform BEC (Business Email Compromise) attacks and also to attempt credential stuffing. Even a simple info-stealer like this one can be a dangerous threat, especially when used by organized groups in conjunction with other malware implants. In fact, as also reported by the independent researcher Germán Fernández Bacian, this email stealer has recently been used by the infamous TA505 hacking group. This link means, with good confidence, that the exposed data, full email accounts in some cases and email contacts in general, is now available to a cyber-criminal group that launched targeted attacks against the banking and retail industries in the recent past.

Indicators of Compromise

Dropurl:
bullettruth[.com/out[.exe

C2:
nettubex[.top/es/es[.php
178.48.154.38
5.253.53.236
87.241.136.1
197.255.225.249
95.140.195.178
186.74.208.84
86.61.75.99
86.101.230.109
89.47.94.113
130.204.181.90
78.90.243.124

Hash:
104dae7457c10b7fe6c42a335f2a57ff708ff20d70597fbaa5fe0083c1c628c7
e4b40cba02dc1de1a1c2ed2001d39a87c476c11ca08f09a80fd3f1fbaae0daeb
f3e8f68c31c86d431adea1633c875c32434a42aee5ed70af74af5c5e5aa58883
899bfac53c3439a7ea68f9a5bbff2733ebf7b9158f18ef5d03360a09b18b5e0d

Yara Rules

import "pe"

rule EmailStealer_201905 {
    meta:
        description = "Yara rule for EmailStealer"
        author = "Cybaze - Yoroi ZLab"
        last_updated = "2019-05-14"
        tlp = "white"
        category = "informational"
    strings:
        $a1 = { 80 F2 F3 00 56 53 A7 }
        $a2 = { 4D 26 9A 00 56 4B AC 55 }
        $a3 = { 1C 4A 77 00 00 89 B4 B7 }
    condition:
        uint16(0) == 0x5A4D and pe.number_of_sections == 3 and all of them
}

Searched Extensions

.msf; .dat; .pst; .ost; .asp; .cdd; .cpp; .doc; .docm; .docx; .dot; .dotm; .dotx; .epub; .fb2; .gpx; .ibooks; .indd; .kdc; .key; .kml; .mdb; .mdf; .mobi; .mso; .ods; .odt; .one; .oxps; .pages; .pdf; .pkg; .pl; .pot; .potm; .potx; .pps; .ppsm; .ppsx; .ppt; .pptm; .pptx; .ps; .pub; .rtf; .sdf; .sgml; .sldm; .snb; .wpd; .wps; .xar; .xlr; .xls; .xlsb; .xlsm; .xlsx; .xlt; .xltm; .xltx; .xps; .3dm; .aspx; .cer; .cfm; .chm; .crdownload; .csr; .css; .download; .eml; .flv; .htaccess; .htm; .html; .jnlp; .js; .jsp; .magnet; .mht; .mhtm; .mhtml; .msg; .php; .prf; .rss; .srt; .stl; .swf; .torrent; .url; .vcf; .webarchive; .webloc; .xhtml; .xul; .asf; .asm; .cgi; .class; .cs; .dtd; .fla; .ged; .gv; .icl; .java; .jse; .json; .lua; .mb; .mod; .msp; .obj; .po; .ps1; .py; .sh; .sln; .so; .sql; .ts; .vbe; .vbs; .vc4; .vcproj; .vcxproj; .wsc; .xcodeproj; .xsd; .apt; .err; .log; .pwi; .sub; .ttf; .tex; .text; .txt; .accdb; .b2; .crypt; .crypt5; .crypt6; .crypt7; .crypt8; .crypt12; .db; .dbf; .dbx; .sis; .awb; .bin; .cdi; .cdr; .csv; .eap; .efx; .gam; .gbr; .gtp; .mpp; .msc; .mts; .otf; .nbk; .nbp; .ndb; .prj; .rtp; .sav; .scppy; .tax2010; .tbl; .tmp; .vcd; .xml; .xsl; .xslt; .bak; .dmp; .gho; .ghs; .v2i; .zip; .asx; .iff; .inf; .temp; .ai; .aif; .amr; .apk; .bp1; .ccd; .cdw; .dds; .dmg; .dxf; .ext; .ics; .ini; .m4p; .max; .md0; .mng; .mp3; .mpa; .msu; .nrg; .pak; .part; .pkpass; .psd; .rnd; .rom; .spl; .swb; .svg; .xla; .application; .appref; .cfg; .conf; .config; .cpl; .cue; .deskthemepack; .diagcfg; .ds_store; .iso; .pdi; .plist; .reg; .scr; .theme; .themepack; .thm

This blog post was authored by Luigi Martire, Davide Testa, Antonio Pirozzi and Luca Mella of Cybaze-Yoroi Z-LAB[/vc_column_text][/vc_column][/vc_row]...

Torrent Risks: An Analysis by Z-Lab Yoroi / Cybaze. Malware delivered through good-reputation torrents. Report of 14 March 2019. Authors: Davide Testa, Luigi Martire, Antonio Farina, Antonio Pirozzi, Pierluigi Paganini. Download the report here ...

Cisco addressed two DoS vulnerabilities in Cisco ESA products that can be exploited by a remote unauthenticated attacker. Cisco fixed two denial-of-service (DoS) flaws in Email Security Appliance (ESA) products that can be exploited by a remote unauthenticated attacker. The first flaw, tracked as CVE-2018-15453, has been rated as “critical”; it is a memory corruption bug caused […]

The post CISCO addresses DoS bugs in CISCO ESA products appeared first on Security Affairs.

...

Security experts uncovered a DNS hijacking campaign targeting organizations in various industries worldwide and suspect Iranian APT groups. Security experts at FireEye uncovered a DNS hijacking campaign that is targeting government agencies, ISPs and other telecommunications providers, Internet infrastructure entities, and sensitive commercial organizations in the Middle East, North Africa, North America and Europe. According […]

The post Alleged Iran-linked APT groups behind global DNS Hijacking campaign appeared first on Security Affairs.

...

Experts disclosed three flaws in systemd, a software suite that provides fundamental building blocks for Linux operating systems. Security firm Qualys has disclosed three flaws (CVE-2018-16864, CVE-2018-16865 and CVE-2018-16866) in a component of systemd, a software suite that provides fundamental building blocks for a Linux operating system and is used in most major Linux distributions. […]

The post Three security bugs found in the popular Linux suite systemd appeared first on Security Affairs.

...

Kaspersky was long accused of supporting Russian intelligence; in an ironic turn, sources now reveal it helped to catch the alleged NSA data thief. Kaspersky was long accused of supporting Russian intelligence in cyber espionage activities, and for this reason its products have been banned by the US Government and the EU Parliament. The company […]

The post Ironic turn … Kaspersky Labs helped NSA to catch alleged data thief appeared first on Security Affairs.

...

Google released its first security patches for Android in 2019, addressing dozens of vulnerabilities in the popular mobile OS. Google released the first batch of security patches for Android in 2019, addressing dozens of flaws, the most severe of which is CVE-2018-9583. The CVE-2018-9583 flaw is a critical remote code execution vulnerability affecting […]

The post First Google security patches for Android in 2019 fix a critical flaw appeared first on Security Affairs.

...

Dozens of state attorneys general announced a $1.5 million settlement with The Neiman Marcus Group over a 2013 data breach. Dozens of attorneys general announced this week a $1.5 million settlement with The Neiman Marcus Group LLC over a data breach suffered by the company in 2013 and disclosed in early 2014. 43 states and the […]

The post State attorneys general announced a $1.5 million settlement with Neiman Marcus appeared first on Security Affairs.

...