Estimated reading time: 1 minute

The recently disclosed zero-day vulnerability CVE-2018-15982 in Adobe Flash Player allows attackers to achieve remote code execution on targeted machines. Adobe released security advisory APSB18-42 on December 5, 2018 to address the issue and states that an in-the-wild exploit is being used in targeted attacks.

Vulnerable Versions

  • Adobe Flash Player 31.0.0.153 and earlier versions for Desktop Runtime, Google Chrome, Microsoft Edge and Internet Explorer 11.
  • Adobe Flash Player 31.0.0.108 and earlier for Installer.

About the vulnerability

This is a use-after-free vulnerability in Adobe Flash Player that allows attackers to achieve remote code execution on targeted machines. A maliciously crafted Flash object can execute code on the victim's computer, giving the attacker command-line access to the system. After successful exploitation, the attacker can take control of the vulnerable system and run the malware extracted by the exploit.

Reportedly, the vulnerability is being exploited in the wild through a malicious Office document, which serves as the initial attack vector and loads the malicious Flash file. According to the advisory, the document was distributed via spear-phishing.

Seqrite EPS Detection

Seqrite has released the following detection for the vulnerability CVE-2018-15982:

  • Exp.SWF.CVE-2018-15982.A
  • Exp.SWF.CVE-2018-15982.B
  • Exp.SWF.CVE-2018-15982.SL

Security Labs is actively looking for new in-the-wild exploits for this vulnerability and ensuring coverage for them.

References

https://helpx.adobe.com/security/products/flash-player/apsb18-42.html

Subject Matter Experts

Prashant Tilekar | Security Labs

The post CVE-2018-15982- Adobe Flash Player use after free (Zero Day) vulnerability alert! appeared first on Seqrite Blog.

Estimated reading time: 3 minutes

Remote Desktop Protocol (RDP) attacks can be extremely dangerous, whether from an enterprise or a single-user point of view. An RDP service exposed to the Internet is, in effect, a remote door into the system: whoever can authenticate to it can use the machine as if sitting at the keyboard. The United States' Federal Bureau of Investigation (FBI) defines RDP as, "a proprietary network protocol that allows an individual to control the resources and data of a computer over the Internet. This protocol provides complete control over the desktop of a remote machine by transmitting input such as mouse movements and keystrokes and sending back a graphical user interface."

RDP has legitimate benefits: it lets users reach their systems and do urgent or critical work while away. Unfortunately, unsecured RDP is exploited by criminals to get into enterprise networks, and it is a top vector for ransomware. The SamSam ransomware attack infected close to 10,000 LabCorp systems after a brute-force attack on an RDP server, and CrySIS and CryptON ransomware have been delivered through RDP as well, with stolen RDP login credentials traded on dark web marketplaces.

A spate of RDP attacks

Other malware that spreads through RDP brute-force attacks includes the Dharma ransomware outbreak, Lime ransomware, the Morto worm, a variant of Troldesh ransomware, Shrug2 and many more. Seqrite's range of services is well equipped to handle these attacks, and the company recently revealed that it blocks more than 35,000 RDP-based attacks on Indian enterprises every day, but we cannot afford to be complacent as new variants keep emerging. The FBI also recently released an advisory highlighting these attacks and educating the public about them.

Some of the chief causes of RDP attacks are the following:

  • Weak passwords that are easily cracked or guessed, giving criminals an easy way into a system
  • Unpatched or outdated RDP implementations with known vulnerabilities
  • RDP ports (TCP 3389 by default) reachable from any address on the Internet
  • No limit on failed login attempts, so an attacker can keep guessing indefinitely

Seqrite products help prevent these kinds of attacks through the following specialized features:

  1. Anti-Ransomware
    Specially designed to counter ransomware attacks. This feature detects ransomware by tracking its execution sequence.
  2. Firewall
    Blocks malicious attempts to breach network connections.
  3. IDS/IPS
    Detects RDP brute force attempts and blocks the remote attacker IP for a defined period.
  4. Virus Protection
    Online virus protection service detects the known variants of the ransomware.
  5. Behavior-based Detection System
    Tracks the activity of executable files and blocks malicious files.
  6. Back Up and Restore
    Helps you take regular backups of your data and restore it whenever needed.
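
The brute-force pattern the IDS/IPS feature above looks for is easy to state precisely. The following detector is an added example written for this page, not Seqrite's product logic: it consumes Windows Security log events (Event ID 4625 for a failed logon, 4624 for a successful one, Logon Type 10 for RDP), counts failures per source address in a sliding window, "blocks" an address for a fixed period once it crosses a threshold, and escalates when a success follows a burst of failures. The event lines, the threshold of 5 failures in 5 minutes and the one-hour block are constructed assumptions for the demo.

```python
"""Sliding-window detector for RDP password guessing, fed from Windows
Security log events.

Added example, not Seqrite's IDS/IPS logic. The records below are a
constructed, simplified rendering of Event ID 4625 (failed logon) and
4624 (successful logon); Logon Type 10 is RemoteInteractive, i.e. RDP.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: timestamp  event_id  logon_type  account  source_ip
SAMPLE_EVENTS = """\
2018-12-10T09:00:01 4625 10 administrator 203.0.113.45
2018-12-10T09:00:03 4625 10 admin 203.0.113.45
2018-12-10T09:00:04 4625 10 administrator 203.0.113.45
2018-12-10T09:00:06 4625 10 root 203.0.113.45
2018-12-10T09:00:07 4625 10 administrator 203.0.113.45
2018-12-10T09:00:09 4625 10 Administrator 203.0.113.45
2018-12-10T09:00:10 4624 10 Administrator 203.0.113.45
2018-12-10T09:15:00 4625 10 alice 198.51.100.7
2018-12-10T09:16:30 4624 10 alice 198.51.100.7
2018-12-10T10:00:00 4625 10 bob 192.0.2.9
2018-12-10T11:00:00 4625 10 bob 192.0.2.9
2018-12-10T12:00:00 4625 10 bob 192.0.2.9
2018-12-10T13:00:00 4625 10 bob 192.0.2.9
2018-12-10T14:00:00 4625 10 bob 192.0.2.9
"""

RDP_LOGON_TYPE = 10


class RdpBruteForceDetector:
    def __init__(self, threshold=5, window=timedelta(minutes=5),
                 block_for=timedelta(hours=1)):
        self.threshold = threshold            # failures per window that trip the rule
        self.window = window
        self.block_for = block_for
        self.failures = defaultdict(deque)    # source ip -> timestamps of recent 4625s
        self.blocked = {}                     # source ip -> block expiry
        self.alerts = []                      # (kind, ip, timestamp)

    def is_blocked(self, ip, now):
        expiry = self.blocked.get(ip)
        return expiry is not None and now < expiry

    def _prune(self, ip, now):
        # drop failures that fell out of the sliding window
        q = self.failures[ip]
        while q and now - q[0] > self.window:
            q.popleft()

    def feed(self, ts, event_id, logon_type, account, ip):
        if logon_type != RDP_LOGON_TYPE:      # only RDP sessions are of interest here
            return
        self._prune(ip, ts)
        recent = self.failures[ip]
        if event_id == 4625:
            recent.append(ts)
            if len(recent) >= self.threshold and not self.is_blocked(ip, ts):
                self.blocked[ip] = ts + self.block_for   # what an IPS would enforce
                self.alerts.append(("brute_force", ip, ts))
        elif event_id == 4624 and (len(recent) >= self.threshold
                                   or self.is_blocked(ip, ts)):
            # a password was guessed: this needs escalation, not just rate limiting
            self.alerts.append(("success_after_brute_force", ip, ts))


def parse_line(line):
    ts, event_id, logon_type, account, ip = line.split()
    return datetime.fromisoformat(ts), int(event_id), int(logon_type), account, ip


def analyse(log_text, **kwargs):
    """Run every non-empty line through a fresh detector and return it."""
    det = RdpBruteForceDetector(**kwargs)
    for line in log_text.splitlines():
        if line.strip():
            det.feed(*parse_line(line))
    return det


if __name__ == "__main__":
    for kind, ip, ts in analyse(SAMPLE_EVENTS).alerts:
        print(f"{ts.isoformat()} {kind} from {ip}")
```

On the sample, 203.0.113.45 trips the rule on its fifth failure and is flagged again when the following 4624 shows one of the guesses worked; alice's single typo followed by a successful logon raises nothing. Note that bob's five failures spaced an hour apart never trip a five-minute window: a low-and-slow guesser evades this kind of rule, which is why it should be paired with account lockout and a long-horizon count rather than relied on alone.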

But don’t become complacent

However, it is always a good idea to follow certain precautions as well:

  • Disable or minimize RDP use as much as possible

At its core, an exposed RDP service is dangerous, so the best option is to disable it if it is not needed. If it is required, limit who can reach it (for example, only through a VPN or from known source addresses), minimize its use, and follow strict precautions.

  • Back-up data regularly

Back up your important data regularly and keep a recent copy offline. Encrypt your backups. If a computer is infected with ransomware, its files can be restored from the offline backup once the malware has been removed.

  • Use strong passwords

Use long passwords that mix upper- and lower-case letters, digits and symbols, making them far harder to crack, and enable account lockout so that guessing is cut off after a few failures. Two-factor authentication is an additional security measure that can be deployed on top.

As an IT security partner for your business, Seqrite provides comprehensive security from advanced cyber threats. To know more

The post How to prevent Remote Desktop Protocol (RDP) attacks appeared first on Seqrite Blog.

Estimated reading time: 3 minutes

Any enterprise with some association with the financial sector should be familiar with the threat of Emotet, a member of the banking Trojan family that is distributed through a range of techniques and channels via spam campaigns. First reported in 2014, this malware has kept resurfacing in different forms and formats at regular intervals. In July 2018, the United States Computer Emergency Readiness Team (US-CERT), part of the Department of Homeland Security, released an alert about the malware.

‘Costly and destructive malware’

According to the US-CERT notice, Emotet is, “an advanced, modular banking Trojan that primarily functions as a downloader or dropper of other banking Trojans. Emotet continues to be among the most costly and destructive malware affecting state, local, tribal, and territorial (SLTT) governments, and the private and public sectors.”

It goes on to add that “Emotet continues to be among the most costly and destructive malware affecting SLTT governments. Emotet is an advanced, modular banking Trojan that primarily functions as a downloader or dropper of other banking Trojans. Additionally, Emotet is a polymorphic banking Trojan that can evade typical signature-based detection. It has several methods for maintaining persistence, including auto-start registry keys and services. It uses modular Dynamic Link Libraries (DLLs) to continuously evolve and update its capabilities. Furthermore, Emotet is Virtual Machine-aware and can generate false indicators if run in a virtual environment.”

When a United States security agency decides to release a detailed alert for a particular type of malware, it is always cause for concern. Around the time this alert was published, the Seqrite blog also did a detailed analysis of the Emotet malware and its evolution, which can be read here.

Mode of operation

In a nutshell, the malware spreads through PDF and JS files attached to emails, and it has also been seen spreading through MS Office Word documents with macros hidden inside them. Phishing emails carry suspicious attachments or links that lead to infected files. The macros in these files create several copies of the malware in system folders. After collecting details of each running process, the malware encrypts the gathered data and sends it to attacker-controlled servers.

There has been a spike in Emotet activity in November 2018 with the modus operandi being similar: malicious Word and PDFs which are presented as legitimate financial documents like invoices, bank statements, alerts, etc.

Security tips

At this point, it is important that enterprises take proper security precautions to protect themselves against this rampant threat. A few measures they can employ to protect against the Emotet malware campaign are:

  • Use cybersecurity solutions which offer proper spam and email protection. Seqrite’s Endpoint Security (EPS) solution offers spam protection which scans endpoint inboxes for spam, phishing attacks and unsolicited mails.
  • Employ email protection even at the network level. Seqrite’s Unified Threat Management (UTM) solution offers Gateway Mail Protection which scans incoming/outgoing mail and attachments at the gateway level to block spam and phishing attacks before they enter the network.
  • Keep networks and systems updated with the latest patches.
  • Create policies for handling suspicious emails so that every employee knows the course of action on receiving one.
  • Build awareness of phishing and social engineering through training programs, and make sure employees understand Emotet and similar malware campaigns.

As an IT security partner for your business, Seqrite provides comprehensive security from advanced cyber threats. To know more

The post Tracing the story of Emotet malware campaign appeared first on Seqrite Blog.

Estimated reading time: 3 minutes

The worst has happened. Your database has been breached and the company is scrambling for cover. Every second seems to be a time bomb and your IT security team is working overtime, trying to assess the damage. Your CEO and other senior executives are panicking and furious, your corporate communication team is at their wits’ ends, fielding calls from the media.

Now what?

  1. Relax

Take a deep breath. Everyone around you may be panicking, but adding to the chorus will not help one bit. It will probably make things worse: costly mistakes are made in moments of blind panic, and panic dilutes your capacity to make decisions. Handle the situation calmly, accept that the breach has already happened and cannot be undone, and...

  2. Assess the Risk

Get your IT team together and establish what has been breached. Confidential company information? Customer data? Your future plans? Understand the extent of the damage as well: there is a difference between customer names being leaked and full financial details, including credit card information, being exposed. Each kind of data breach requires a different kind of handling, so understand, evaluate and decide the next plan of action accordingly.

  3. Initiate your Incident Management/Disaster Recovery Plan

Every security certification, regulation and industry standard requires a well-designed, well-documented incident management and disaster recovery plan, and you should have rehearsed it in simulated situations. Now is the time to execute it for real. Follow the drill so that no step is missed and further damage is minimized. Make realistic, rational calls where judgment is needed, and do not bypass any incident management procedure: these plans exist precisely for the moments when panic takes over. Trust them.

  4. Communicate

A key component of crisis management, cybersecurity-related or otherwise, is clear, effective communication. In a breach it cannot be ignored. Once you have assessed the extent of the damage and who is affected, inform all concerned stakeholders of the magnitude of the situation. Be clear and transparent, whether with internal stakeholders like employees or external ones like customers. Nip rumours in the bud, as they breed distrust and cause damage. Devise a proper strategy for external communication and ensure all employees, especially senior leaders, are on the same page.

  5. Backup

If you have been backing up your data regularly, this is when it pays off. Restore from the last known-good backup so that you do not lose your data, but first make sure the backup itself has not been tampered with or infected. Controls such as the Data Loss Prevention (DLP) in Seqrite's products help limit what leaves the network, but they are not a substitute for backups.

  6. Prepare for the future

There is no way to reverse this breach, but you can prepare for the future. Take a long, hard look at your cybersecurity framework and find ways to strengthen it, across the enterprise from senior leadership down to every employee. Leave no gap open, because, as the criminals have proved, they will leave no stone unturned.

Enterprises should guard against breaches by deploying a strong cybersecurity solution. Seqrite's Endpoint Security (EPS) offers a comprehensive platform that integrates Data Loss Prevention with technologies such as Anti-Ransomware, Advanced DNA Scan and the Behavioural Detection System. The Data Loss Prevention feature monitors confidential and user-defined data shared through removable drives, networks and various applications.

As an IT security partner for your business, Seqrite provides comprehensive security from advanced cyber threats. To know more

The post Your business is hit by a breach. Now what should you do? appeared first on Seqrite Blog.

Estimated reading time: 3 minutes

It’s the season of the holidays. Of fun, celebration and festivity. With just one hitch: cybersecurity.

The unfortunate fact is that cybercriminals are not on holiday. They are continuously looking for ways to damage enterprises, and a common trick in the festive season is malware disguised as something harmless. An e-card may look like a sweet gesture but can carry malicious code. Criminals also lure people with free gifts and discount coupons, knowing that is exactly what people are searching for during the holidays; those who take the bait click suspicious links or fill out forms handing personally identifiable information to criminals, who sell it on.

Vigilance is a quality everyone should bring to the Internet, but in the holiday season it is wise to be even more careful about any kind of financial transaction.

Too Good to be True

Holidays are a time when almost everyone goes shopping. Now that anything and everything can be bought at the click of a button, the number of people logging on to e-commerce sites rises, and so does the number of great deals on offer.

The problem is that sometimes these deals are too good to be true. If you get an email from a big brand offering something dirt cheap, be wary. Don't click links in the body of the mail; instead type the brand's address into your browser and check whether the offer really exists.

Malware Greetings

Just like shopping, holidays are a time to send greetings to each other. Some do it the old-fashioned way by calling each other and some like to send elaborate greeting cards.

The trouble is that these elaborate greeting cards can carry code, and that code can be malicious. If you receive a greeting card in your mail from someone you don't recognize, be very careful. Never download an attachment from such a mail, avoid opening it if possible, and delete it as soon as you can.

Mind the Card

This is the time when card usage peaks as people go out to eat, shop and celebrate. Plastic is king, and a whole day's transactions may happen with a simple swipe. Be doubly careful about how you use your card: inspect the card machine if you are at an unfamiliar place, keep your card in sight at all times, and only use it at reputable locations. The same advice applies to ATMs.

Counterfeit Apps

A lot of e-shopping is done on the cell phone as well. There is literally an application for every major thing so it’s not really a surprise that many people turn to apps when they are in search of something important, especially during the holiday season.

The trouble is that cybercriminals know this too and create counterfeit imitations of authentic apps. They look exactly like the real thing and can be very hard to tell apart, but the data you submit goes straight to criminals who will not think twice about using it. Check the apps you download very carefully and install only from an authentic app store.

Shipping Receipts

Lots of goods are dispatched through the season, and among the genuine notifications there are fake shipping receipts designed to trick you out of your personal information. You might receive a shipping notification purportedly from FedEx that is actually fraudulent. Handing over details like your home address can be dangerous, so check these notifications carefully and never provide information unless you can completely trust the source.

A great gift to consider this year would be to bolster your organization's security with a robust security solution. Seqrite's Endpoint Security (EPS) is one such solution: a simple and comprehensive platform with advanced features such as Anti-Ransomware, Advanced DNA Scan, the Behavioural Detection System, Advanced Device Control and Web Filtering. By keeping devices secure, organizations take a step towards keeping their networks safe this holiday season.

As an IT security partner for your business, Seqrite provides comprehensive security from advanced cyber threats. To know more

The post Beware of these 5 scams this holiday season! appeared first on Seqrite Blog.

Estimated reading time: 3 minutes

Whether you like him or dislike him, one thing you can’t disagree with is that Elon Musk, the man behind Tesla and SpaceX, is a bonafide star. What he says makes news and his every utterance becomes a headline.

So obviously earlier in November, when he suddenly announced that he was stepping down from Tesla and giving away 10,000 BTC, it left the cryptocurrency world reeling.

This was his exact tweet: “I’m giving 10000 Bitcoin (BTC) to all community! I left the post of director of Tesla, thank you all for your suppoot! I decided to make the biggest crypto-giveaway in the world, for all my readers who use Bitcoin. Participate in giveaway – m-tesla.me” with an image of a QR code.

Imposter syndrome

The name of the Twitter account was "Elon Musk" and it had the blue Twitter verified mark. It was also a promoted tweet. But the handle was a little strange: @capgemini_aust, an account that looked like it belonged to the global consulting firm Capgemini.

And that's when things started to unravel. This wasn't Elon Musk tweeting. It was an attacker who had taken over Capgemini Australia's verified Twitter account, changed the display name to "Elon Musk" and tweeted this out, even paying to promote it. It was a daring, well-executed scam that confused many.

An organized scam

As it turned out, this wasn't the only one. Over the past month, plenty of business accounts on Twitter, including a UK clothing brand and a book and record label, were hijacked to impersonate Elon Musk and post about this cryptocurrency giveaway. The affected companies were left scrambling, and Capgemini was forced to put out a statement: "We are aware that a number of Twitter accounts at various organizations have been impacted by this scam and the Capgemini Australia account was among them. It's in the process of being restored and no Capgemini client operations have been adversely impacted."

Elon Musk wasn't the only person impersonated. Bill Gates, John McAfee, Vitalik Buterin and many others were impersonated by criminals on Twitter with the promise of a cryptocurrency giveaway. There was an entire ecosystem of impersonated accounts using promoted tweets to push the giveaway, with bots replying to make it look authentic.

Target and Google targeted

Twitter stepped in and banned these impersonating accounts, but then a new trend emerged. The attackers gave up on impersonation and took over high-profile accounts directly, including the department store chain Target, British skincare brand The Body Shop, Universal Music Czech Republic and even the UNHCR Serbia account. Perhaps the biggest incident was the compromise of the Twitter account of Google's collaboration suite, G Suite.

All the compromised accounts tweeted only about the supposed cryptocurrency giveaway, which indicates an organized scam. Twitter users have to be doubly careful and follow precautions such as:

  • Enable two-factor authentication on your Twitter account; it offers far greater protection against takeover.
  • Do not take part in cryptocurrency giveaways, whether you see them on Twitter or any other social media.
  • Don't blindly trust what verified accounts of trusted brands say; the attackers count on exactly that trust.
  • Check your privacy settings on all social media and review the kind of information you are exposing.
  • If you want to learn about Bitcoin and other cryptocurrencies, use a reputable source.

As an IT security partner for your business, Seqrite provides comprehensive security from advanced cyber threats. To know more

The post The truth about the Twitter cryptocurrency giveaway appeared first on Seqrite Blog.

Estimated reading time: 3 minutes

Ransomware is scary. Anyone who has ever been the victim of a ransomware attack or seen the havoc WannaCry unleashed, would agree. And it is not a threat that seems to be going away anytime soon – the European Agency for Law Enforcement Cooperation (Europol) observed that ransomware remains the key malware threat in both law enforcement and industry reporting, in their Internet Organized Crime Threat Assessment 2018. The report also indicated that ransomware will continue to flourish.

By now, most organizations are familiar with the way ransomware operates. Hackers gain access to systems and encrypt the data, hence locking the original user out. The original users are threatened that their information will be deleted or leaked unless they pay an amount of ransom (mostly in the form of a cryptocurrency like Bitcoin) after which they will get the key to decrypt their data.

The havoc ransomware causes

Organizations have also started waking up to the importance of anti-ransomware protection. But desperate times call for desperate measures. When ransomware hits an organization, small or big, chaos can reign: operations halt, money is lost every second, the brand's reputation sinks and the media is at the doorstep. The temptation to give in, accede to the attacker's demands and pay the ransom can be overwhelming. Many companies are sorely tempted to pay up and buy themselves some peace.

The short and simple answer is: Don’t. Your quick-fix solution could potentially lead to a disastrous long-term impact.

Don’t pay

An advisory about ransomware from the United States Computer Emergency Readiness Team (US-CERT) from 2016 succinctly summed up why enterprise owners and network administrators should never accede to ransom demands:

Paying the ransom does not guarantee the encrypted files will be released; it only guarantees that the malicious actors receive the victim’s money, and in some cases, their banking information. In addition, decrypting files does not mean the malware infection itself has been removed.

These three sentences make the point perfectly. Even if your enterprise has been struck by ransomware and the costs are spiralling, there is no guarantee you will get your files back. None at all. Remember that those who broke into your systems and took your data are criminals with no code of conduct or honour to follow. They may never have planned to release the data at all, since doing so only increases their chances of being caught.

From the frying pan into the fire

In such a scenario, your enterprise is in a complete fix. Your data is gone and you've lost more money. Worse, your banking details have been handed to criminals, exposing you to further risk. And now the criminals are emboldened: they know you are a target who is willing to pay. Expect more ransomware attacks against you as word spreads.

Even in the unlikely event that the criminals actually release the data, your problems are not over. Your data may be back, but the original malware infection is still there, which means you remain at the attackers' mercy and they can strike again whenever they choose.

Instead, take the smarter path and choose Seqrite’s Endpoint Security (EPS) solution which offers a comprehensive security for workstations, laptops and servers which integrates various advanced features including Anti Ransomware. Seqrite EPS was certified BEST+++ by AVLab – the EPS Enterprise Suite edition was 100% effective in detecting and blocking malicious files of crypto-ransomware thus earning the AVLab BEST+++ award.

As an IT security partner for your business, Seqrite provides comprehensive security from advanced cyber threats. To know more

The post Why should you say NO to ransomware demands! appeared first on Seqrite Blog.

Seqrite Blog by Ankita Ashesh - 2w ago
Estimated reading time: 3 minutes

In almost the blink of an eye, the year will be over. In cybersecurity terms, 2018 could probably be described as "business as usual": cyber threats only increased, there was news of ever more daring attacks and breaches, and more companies woke up to the catastrophic damage that the lack of a cybersecurity framework can cause. In a nutshell, these were some of the most significant cyberattacks and trends of 2018:

  1. Facebook – Data Breach in September

Possibly the biggest data breach of the year, considering the sheer scale and the reputation of the brand involved. Facebook is one of the most influential companies in the world, so there was shock in September when news emerged that an attack on its systems had exposed the personal information of nearly 50 million users.

This was the largest security breach in the company's 14-year history. Coming on the heels of the Cambridge Analytica scandal earlier in the year (more on that in the next point), it was a heavy blow to Mark Zuckerberg, Facebook and social media companies in general. The flaws in Facebook's security were so severe that the attackers were even able to get into the accounts of founder Mark Zuckerberg and top executive Sheryl Sandberg, a major embarrassment for the company.

  2. Facebook – Cambridge Analytica data breach

Facebook’s troubles had emerged earlier in the year, in March, when the news erupted of the Cambridge Analytica scandal. According to investigations made by the American and the British media, Cambridge Analytica stole personal information from 50 million Facebook user profiles. This was done by getting users to submit answers to a personality prediction application by a psychologist from the University of Cambridge Aleksandr Kogan. This application needed users to login using their Facebook account and gained access to their profiles, locations, likes, and other personal data. It also gathered data on the friends of the users who downloaded the application.

This data was then sent to Cambridge Analytica – which is a violation of Facebook’s terms of service – which created psychographic profiles on 30 million of these profiles, to influence voter behavior for its clients. This news caused a huge uproar over the world with Facebook being investigated by authorities of several countries and many angry users even starting a #DeleteFacebook campaign.

  3. Cosmos Bank hacking

An attack that illustrated the frightening consequences of hacking for banks in India: Pune's Cosmos Bank lost Rs 94 crore through a malware attack on its servers. The attacks happened in August and involved cloning thousands of the bank's debit cards over two days. The bank had to shut its ATMs, suspend operations and halt net banking and mobile facilities. North Korean hackers were linked to the attack, and the bank only managed to restart its ATMs at the end of September, almost a full month later.

  4. British Airways data breach

As one of the oldest and most well-known airlines of the world, there was a sense of concern when British Airways announced that 380,000 card payments on its website were compromised during a 15-day period between August 21st and September 5th. Details like name, email address, credit card information like the number, expiration date, and CVV code were stolen. While it did not affect flight operations, it caused several anxieties and concerns for customers who had booked flights in the intervening period.

Key Trend: GDPR

While not an attack or threat, the implementation of the General Data Protection Regulation (GDPR) in the European Union was one of the biggest events of the year from a cybersecurity perspective. May 25th, 2018 was the date on which GDPR finally came into existence. A high-profile and wide-ranging piece of legislation, the GDPR has updated the rules and regulations around data privacy for EU citizens in a world where this topic is getting increasingly important. The territorial scope has increased, stiffer penalties have been defined and conditions for data consent have also been formulated, leaving organizations to scramble and ensure that they are complying with the regulations.

As we can see, it has been an eventful year for enterprises across all sectors. It is important to strengthen your cybersecurity defenses, and Seqrite’s range of solutions provides powerful protection to keep your enterprise safe.

As an IT security partner for your business, Seqrite provides comprehensive security from advanced cyber threats. To know more

The post Cybersecurity Roundup 2018 appeared first on Seqrite Blog.

Estimated reading time: 6 minutes

Cyber-attacks through phishing emails are increasing, and attackers generally use macros embedded in DOC files to infiltrate the victim’s machine. Recently, Quick Heal Security Labs came across a phishing e-mail sample that uses the Microsoft Equation Editor exploit to spread the Hawkeye keylogger.

Cybercriminals use different techniques to steal confidential data, and they now offer advanced forms of malware for the purpose, which is why we keep observing new, actively evolving threats. Hawkeye belongs to the keylogger family. The latest Hawkeye v8 Reborn uses the Microsoft Office Equation Editor vulnerability CVE-2017-11882 to infiltrate. We also published a detailed blog post on this exploit, which can be read here. This exploit uses new techniques to evade detection by AV products: it compiles its code while executing and loads the payload in memory without writing it to disk.

Flow of Execution:

Fig. 1: Flow of execution

Exploit Analysis:

The buffer overflow vulnerability lies in the parsing of the “FONT” record of the Equation Native object. To exploit it, the OLE object must invoke the Equation Native object, and to do so it needs to include an Equation Native stream in the OLE file.

This can be done in two ways:

  1. Using the “Equation Native” stream directly.
  2. Using the CLSID associated with the “Equation Native” stream.

In this case, the sample uses the CLSID instead of the “Equation Native” stream.

Fig. 2: {0002CE02-0000-0000-C000-000000000046} of Equation Editor present in OLE file.

It uses an “OLE10Native” stream to pass the OLE object to the “Equation Native” parser.

Following is the minimal header of the “OLE10Native” stream:

DWORD: size of the equation object (MTEF header + MTEF data)

When the OLE object is activated, Equation Editor is invoked and starts parsing the records. It first parses the MTEF header and the TYPESIZE header, then moves on to the FONT record. In this case, the buffer is overflowed by the content of the FONT record.

The following figure shows the structure of the OLE10Native stream that is parsed by the Equation Native object.

Fig. 3: Structure of header of OLE object.
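As an added example (not code from the post), a small Python triage routine that applies the structure described above: it checks a raw document for the Equation Editor CLSID or the “Equation Native” stream name, splits an OLE10Native stream at its size DWORD, and measures the name carried by the FONT record. The 28-byte EQNOLEFILEHDR plus 5-byte MTEF header layout, the one-byte skipping of other records and the MAX_FONT_NAME threshold are assumptions, not figures from the post.

```python
import struct
import uuid

# Equation Editor CLSID from the post; on disk the GUID fields are little-endian.
EQNEDT_CLSID = uuid.UUID("0002CE02-0000-0000-C000-000000000046")
EQUATION_NATIVE_UTF16 = "Equation Native".encode("utf-16-le")
MAX_FONT_NAME = 32  # assumed triage threshold; the post does not give the buffer size

def references_equation_editor(doc):
    """True if a raw document carries the CLSID (binary or text) or the stream name."""
    return (EQNEDT_CLSID.bytes_le in doc
            or str(EQNEDT_CLSID).upper().encode() in doc.upper()
            or EQUATION_NATIVE_UTF16 in doc)

def split_ole10native(stream):
    """Minimal OLE10Native header per the post: DWORD size, then the equation object."""
    (size,) = struct.unpack_from("<I", stream, 0)
    body = stream[4:4 + size]
    if len(body) != size:
        raise ValueError("truncated OLE10Native stream")
    return body

def font_record_name(eqn):
    """Return the FONT record name from an equation object, or None.
    Assumed layout: EQNOLEFILEHDR (WORD cbHdr, normally 0x1C), 5-byte MTEF header,
    then records; FONT = tag 0x08, typeface byte, style byte, NUL-terminated name.
    Other tags are skipped one byte at a time: a triage heuristic, not a MTEF parser."""
    (cb_hdr,) = struct.unpack_from("<H", eqn, 0)
    pos = cb_hdr + 5
    while pos < len(eqn):
        tag = eqn[pos]
        if tag == 0x08:
            end = eqn.find(b"\x00", pos + 3)
            return eqn[pos + 3:end if end != -1 else len(eqn)]
        if tag == 0x00:  # END record
            break
        pos += 1
    return None

def is_suspicious_equation(stream):
    """Flag an OLE10Native stream whose FONT name is longer than the threshold."""
    name = font_record_name(split_ole10native(stream))
    return name is not None and len(name) > MAX_FONT_NAME

def build_sample(font_name):
    """Constructed OLE10Native stream for testing (not a real-world sample)."""
    mtef = b"\x03\x01\x01\x03\x0a\x0a\x01\x08\x5a\x5a" + font_name + b"\x00\x00"
    hdr = struct.pack("<HIHI", 0x1C, 0x00020000, 0, len(mtef)) + b"\x00" * 16
    return struct.pack("<I", len(hdr) + len(mtef)) + hdr + mtef
```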

Exploiting this vulnerability results in the execution of shellcode, which finally downloads the malicious payload from the CNC server.

Fig. 4: Malicious URL present in the Shellcode.

The shellcode connects to the URL to download the malware using the “URLDownloadToFileW” API from Urlmon.dll and then executes it. In our case, the downloaded malware was the Hawkeye keylogger, which performs keylogging and sends the captured data via an SMTP server.

Payload Analysis:

The latest Hawkeye keylogger uses a 3-step execution. It starts with a container, which executes a loader that injects the Hawkeye payload into RegAsm.exe; the payload then captures keystrokes and credentials stored in browsers, Outlook and some FTP file managers and sends them using the SMTP protocol.

In the first stage, encrypted C# code, present in text form inside the malware file, is decrypted and then compiled in memory. The compiled code in memory is then executed by the malware. The following code is used to compile the code and execute it in memory using .NET framework utilities. Because the code is in text form and compiled at runtime, the payload is smaller and harder for antivirus programs to detect.

Fig. 5: Compilation and in-memory execution of malware

CSharpCodeProvider is used to access the .NET compiler utility, i.e. csc.exe, to compile code dynamically. To execute such code in memory without a physical copy, it sets compiler options (as shown in Fig. 5). When “GenerateExecutable” is false, a class library is created; when it is true, an executable file is created. For “GenerateInMemory”, a value of false saves a physical copy of the assembly at %temp%/randomname.exe, while true means no physical copy of the assembly is saved to disk. Then compilerResults.CompiledAssembly.EntryPoint.Invoke(null, null); executes the code from its entry point.

In the second stage, the loader decrypts the Hawkeye Reborn stub from a resource and injects it into RegAsm.exe. RegAsm.exe is the assembly registration tool of .NET, used to register or unregister assemblies. In this malware, RegAsm.exe is executed through reflection (i.e. the InvokeMember method), and the Hawkeye payload is passed to it as a parameter. The payload is then executed as a child process under RegAsm.exe. In Fig. 6, Text4 is the path of RegAsm.exe and hXYyylN6() returns the decrypted byte array of the payload.

Fig. 6: Injecting Hawkeye stub into Regasm.exe

In the last stage, the final payload is executed by the loader under RegAsm.exe (a legitimate utility of the Microsoft .NET framework). It looks like a genuine Microsoft application, but it is actually the Hawkeye keylogger. The payload is obfuscated using ConfuserEx 1.0 and SuppressIldasm. To execute again after a reboot, it creates a Run entry.

The latest version of Hawkeye contains many functionalities, as follows.

  • Captures user keystrokes and clipboard content.
  • Copies FTP and mail credentials.
  • For anti-debugging, it uses SuppressIldasm and ConfuserEx 1.0.
  • To disable antivirus and tools like Wireshark, it adds a Debugger key with the value rundll32 under Image File Execution Options for those applications.
  • Uses genuine tools like “MailPassView” and “BrowserPassView” for password theft.
  • Also disables rstrui.exe, which is used to restore files.
  • Uses anti-sandbox techniques like Thread.Sleep() to delay execution.
  • Uses base64 encoding to send data to the CNC server.
  • The code is compiled at the user end using csc.exe (the C# compiler).
  • Searches all directories for files with the “.oeaccount” extension.
  • Disables Task Manager, Command Prompt and the Registry Editor by adding registry values under CurrentVersion\Policies\System.
  • Kills cmd.exe and wscript.exe.
  • Detects antivirus and firewall product details using a WMI query.

Fig. 7: Hawkeye modules

Working of Hawkeye Keylogger:

When the keylogger is executed, it first checks the user type, then collects information like hostname, BIOS, antivirus and firewall product details and sends all of it to “SUNDA[@]doctorework[.]com”. To detect antivirus product details, it uses a WMI query via the ManagementObjectSearcher class of C#.

It creates an SMTP connection for data transfer to the server us2[.]outbound[.]mailhostbox[.]com, where it sends all keyboard input, clipboard and system information in base64-encoded form.

Fig. 8: Base64-encoded SMTP traffic of Hawkeye

It also uses the pomf[.]cat website to store screenshots via an HTTP POST request. It contains Nirsoft’s MailPassView and BrowserPassView in its resource directory. Using MailPassView it collects stored credentials from Outlook, and using BrowserPassView it copies stored credentials from browsers; it then sends the user’s credentials over the SMTP connection.

Fig. 9: File Upload request

It contains a list of antivirus products and programs such as Windows Defender, Wireshark and rstrui.exe. These programs are prevented from executing; to achieve this, it adds a registry entry under

“HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CurrentVersion\Image File Execution Options\Program_name.exe\”

Key name: Debugger, value: rundll32.exe

It also kills cmd.exe and wscript.exe and modifies the Hosts file.

Rstrui.exe is the utility for file restoration; by disabling it, the malware prevents the victim from rolling back to a restore point.

Fig. 10: Registry to Disable Antivirus
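The registry tampering described above, as an added detection example that is not the post’s code: it parses a constructed .reg-style export and flags Image File Execution Options “Debugger” hijacks (a “debugger” of rundll32.exe simply swallows the launch of the targeted program) together with the Policies\System lockdown values. The sample export, the WATCHED_TARGETS list and the value names DisableCMD and DisableRegistryTools are assumptions beyond what the post states.

```python
import re

# Constructed .reg-style export (not captured from a real host) showing the post's tampering.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wireshark.exe]
"Debugger"="rundll32.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe]
"Debugger"="rundll32.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\Tools\windbg.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000001
'''
IFEO = "\\currentversion\\image file execution options\\"
POLICY_SYSTEM = "\\currentversion\\policies\\system"
WATCHED_TARGETS = {"wireshark.exe", "rstrui.exe", "msmpeng.exe"}  # assumed watchlist
SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(?:"(.*)"|dword:([0-9a-fA-F]{8}))$')

def parse_reg(text):
    """Turn a .reg export into {key_path: {value_name: str_or_int}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        sec = SECTION_RE.match(line)
        if sec:
            current = sec.group(1)
            continue
        val = VALUE_RE.match(line)
        if val and current is not None:
            name, s, dw = val.groups()
            keys.setdefault(current, {})[name] = s if dw is None else int(dw, 16)
    return keys

def find_tampering(text):
    """Return (kind, subject, detail) findings for the two techniques in the post."""
    findings = []
    for key, values in parse_reg(text).items():
        lk = key.lower()
        if IFEO in lk and "Debugger" in values:
            target = lk.rsplit("\\", 1)[1]
            # rundll32.exe as the "debugger" is the post's AV/tool-kill trick; watched tools are always reported.
            if str(values["Debugger"]).lower().endswith("rundll32.exe") or target in WATCHED_TARGETS:
                findings.append(("ifeo_hijack", target, values["Debugger"]))
        elif lk.endswith(POLICY_SYSTEM):
            for name in ("DisableTaskMgr", "DisableCMD", "DisableRegistryTools"):
                if values.get(name) == 1:
                    findings.append(("policy_lockdown", name, key))
    return findings
```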

It checks the names of running applications: if they contain “WPE PRO” or “The Wireshark Network Analyzer”, or if “SbieDll.dll” is loaded, it terminates execution. As an anti-sandbox technique, it uses sleep instructions.

As the Hawkeye keylogger logs every key pressed, it is a serious threat to the security of confidential data.

Conclusion:

With emerging digital trends, data is becoming more valuable, so attackers use keylogger malware to steal it. To hide from anti-virus products, keyloggers have evolved from simple code to managed MSIL code with advanced evasion techniques. Malware authors combine social engineering tricks with exploit code to infiltrate the victim’s machine. To protect against these types of attacks, users should keep their Microsoft applications and anti-virus product updated. Quick Heal blocks this attack at multiple stages with its advanced detection mechanism.

Detection:

Quick Heal provides multi-level protection against the Hawkeye keylogger.

The PDF file is detected as: PDF.Downloader.31377
Hawkeye is detected as: Trojan.Ransom, Pwstool.Netpass and Trojan.IGENERIC

IOC:

PDF: 5F9227210036BB64F71E9A5E25115A39
DOC: 5191234DBE697D3A79400FD89DEE3BBD
SUND: 78787470C46A45BE5AF5AE5DC2BF6EB9
Domain: hxxp[:]//fbsleads[.]com/assets/SSUUNDS[.]exe
Mail id: sunda[@]doctorework.com
Mail Server: us2[.]outbound[.]mailhostbox[.]com

Subject Matter Experts:
Aniruddha Dolas, Vallabh Chole, Pradeep Kulkarni | Quick Heal Security Labs

The post Obfuscated Equation Editor Exploit (CVE-2017-11882) spreading Hawkeye Keylogger appeared first on Seqrite Blog.
