The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

In the realm of information security and covert communication, image steganography serves as a powerful technique for hiding sensitive data within innocent-looking images. By embedding secret messages or files within the pixels of an image, steganography enables covert transmission without arousing suspicion. This article aims to delve into the world of image steganography, exploring its principles, techniques, and real-world applications.

Understanding image steganography

  • Image steganography is the practice of concealing information within the data of digital images without altering their visual appearance. The hidden data can include text, images, audio, or any other form of binary information.
  • Image steganography serves as a clandestine communication method, providing a means to transmit sensitive information without arousing the suspicion of adversaries or unauthorized individuals. It offers an additional layer of security and confidentiality in digital communication.
  • Steganography vs. Cryptography: While cryptography focuses on encrypting data to render it unreadable, steganography aims to hide the existence of the data itself, making it inconspicuous within an image. Steganography can be used in conjunction with encryption to further enhance the security of covert communication.

Techniques of image steganography

  • LSB substitution: The Least Significant Bit (LSB) substitution method involves replacing the least significant bits of pixel values with secret data. As the least significant bits have minimal impact on the visual appearance of the image, this technique allows for the hiding of information without noticeably altering the image.
  • Spatial domain techniques: Various spatial domain techniques involve modifying the pixel values directly to embed secret data. These techniques include modifying pixel intensities, color values, or rearranging pixels based on a predefined pattern.
  • Transform domain techniques: Transform domain techniques, such as Discrete Cosine Transform (DCT) or Discrete Fourier Transform (DFT), manipulate the frequency domain representation of an image to embed secret data. This allows for the concealment of information within the frequency components of an image.
  • Spread spectrum techniques: Inspired by radio frequency communication, spread spectrum techniques spread the secret data across multiple pixels by slightly modifying their values. This method makes the hidden data more robust against detection and extraction attempts.
  • Adaptive steganography: Adaptive techniques dynamically adjust the embedding process based on the image content and local characteristics, making the hidden data even more resistant to detection. This approach enhances security and makes it harder for adversaries to identify stego images.
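The LSB substitution technique from the list above, as an added worked example written for this article (not OpenStego's implementation or the author's code): it embeds a payload into the least significant bits of a constructed grayscale pixel array, extracts it again, and measures how little the cover changed, which is the property steganalysis tools examine. The 32-bit length header, the flat pixel layout and the sample message are assumptions made for the illustration.

```python
# Added example (not from the article or OpenStego): LSB substitution on a
# constructed 8-bit grayscale "image" held as a flat list of pixel values.
# Shows embedding, extraction, a capacity check, and how small the change to
# the cover is, which is both why LSB hiding works and what steganalysis measures.
from typing import List, Tuple

HEADER_BITS = 32  # payload length prefix so extraction knows where to stop


def _to_bits(data: bytes) -> List[int]:
    """Big-endian bit list of a byte string."""
    return [(b >> i) & 1 for b in data for i in range(7, -1, -1)]


def _from_bits(bits: List[int]) -> bytes:
    """Inverse of _to_bits; len(bits) must be a multiple of 8."""
    return bytes(int("".join(map(str, bits[i:i + 8])), 2)
                 for i in range(0, len(bits), 8))


def capacity_bytes(pixels: List[int]) -> int:
    """Payload bytes that fit once the 32-bit length header is accounted for."""
    return max(0, (len(pixels) - HEADER_BITS) // 8)


def embed(cover: List[int], payload: bytes) -> List[int]:
    """Return a stego copy of `cover` with `payload` written into pixel LSBs."""
    if len(payload) > capacity_bytes(cover):
        raise ValueError(f"payload {len(payload)} B exceeds capacity "
                         f"{capacity_bytes(cover)} B")
    bits = _to_bits(len(payload).to_bytes(4, "big")) + _to_bits(payload)
    stego = list(cover)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | bit  # clear the LSB, then set it to the data bit
    return stego


def extract(stego: List[int]) -> bytes:
    """Read the length header, then that many payload bytes, from the LSB plane."""
    lsbs = [p & 1 for p in stego]
    n = int.from_bytes(_from_bits(lsbs[:HEADER_BITS]), "big")
    if HEADER_BITS + n * 8 > len(lsbs):
        # Random LSBs decode to an absurd length: not an image produced by embed().
        raise ValueError("length header exceeds image size; not an LSB stego image")
    return _from_bits(lsbs[HEADER_BITS:HEADER_BITS + n * 8])


def distortion(cover: List[int], stego: List[int]) -> Tuple[int, int]:
    """(pixels changed, max per-pixel delta). LSB embedding never moves a
    value by more than 1, which is why the image looks identical but the
    LSB-plane statistics (what steganalysis inspects) shift."""
    changed = sum(1 for a, b in zip(cover, stego) if a != b)
    max_delta = max(abs(a - b) for a, b in zip(cover, stego))
    return changed, max_delta


if __name__ == "__main__":
    # Constructed 16x16 gradient cover image (256 pixels -> 28 bytes of capacity).
    cover_img = [(x * 16 + y) % 256 for x in range(16) for y in range(16)]
    secret = b"meet at dawn"
    stego_img = embed(cover_img, secret)
    print(extract(stego_img))                # b'meet at dawn'
    print(distortion(cover_img, stego_img))  # only LSB-sized changes, at most 128 pixels
```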

Let’s see a working example of image steganography using a free tool called OpenStego, which can be downloaded from here. You will need the Java Runtime Environment installed for OpenStego to run on your system.

Once you have installed OpenStego, you will see its interface as shown below:

OpenStego tool screen capture

It has multiple options, including Hide Data and Extract Data; more about these options can be found in the tool’s official documentation.

We need two files: a Message File (the data we want to hide) and a Cover File (the file we use as a cover to hide the message file).

I downloaded two image files for this purpose.

message and image screenshots - both look harmless and cute

Now, let’s hide the message file, which is a quote, inside the cover file, which is the “Hello” image.

After that, you will have to provide the directory and name for the output file, as seen in the snapshot below:

openstego screen where you can enter password for the message

You can also choose to encrypt the hidden data so that it cannot be accessed without a password. Click Hide data once you have completed all the steps.

After the process completes, a success popup will appear on the OpenStego screen.

OpenStego working

Now we have three files; the output file is the one that contains the hidden image.

input, message and output, where output looks just like input

If we compare the properties of the output file and the cover file, we will notice certain differences, for example the file sizes will differ.

Now let’s delete the cover file and the message file and try to extract the data. If you open the output file, you won’t notice any difference; it looks like any other image file. However, let’s try to extract the data using OpenStego.

We have to select the path of the file we wish to extract data from and provide a destination folder for the extraction. We also have to provide the password, if one was set when hiding the data.

entering password in openstego to get hidden message

Let’s select Extract data. Once the extraction is done, a confirmation pop-up will appear on your screen.

extracting hidden message in openstego

Let us check the extracted file by going to the destination folder we assigned for the extraction of the message file.

seeing original message in openstego

As visible in the snapshot above, the message file is successfully extracted.

Real-world applications of steganography

  • Covert communication: Image steganography finds applications in covert communication where parties need to exchange sensitive information discreetly. This includes intelligence agencies, law enforcement, and whistleblowers who require secure channels for sharing classified or confidential data.
  • Digital watermarking: Steganography techniques can be employed for digital watermarking to embed copyright information, ownership details, or authentication codes within images. This allows for tracking and protecting intellectual property rights.
  • Information hiding in multimedia: Image steganography can be extended to other forms of multimedia, including audio and video, allowing for the concealment of information within these media formats. This can be used for copyright protection, digital rights management, or covert messaging.
  • Steganalysis and forensics: Image steganalysis focuses on detecting the presence of hidden information within images. Forensic investigators can employ steganalysis techniques to identify potential steganographic content, aiding in digital investigations.

Conclusion

Image steganography has emerged as a sophisticated method for covert communication and secure data transmission. By exploiting the subtle nuances of digital images, sensitive information can be hidden from prying eyes. As technology advances, the field of steganography continues to evolve, with new techniques and algorithms being developed to enhance the security and robustness of data hiding.

However, it is essential to balance the use of steganography with ethical considerations and adhere to legal frameworks to ensure its responsible and lawful application. As information security remains a critical concern in the digital age, image steganography serves as a valuable tool in safeguarding sensitive data and enabling secure communications.

The post Image steganography: Concealing secrets within pixels appeared first on Cybersecurity Insiders.

Executive summary

On April 21st, 2023, AT&T Managed Extended Detection and Response (MXDR) investigated an attempted ransomware attack on one of our clients, a home improvement business. The investigation revealed the attacker used AuKill malware on the client’s print server to disable the server’s installed EDR solution, SentinelOne, by brute forcing an administrator account and downgrading a driver to a vulnerable version.

AuKill, first identified by Sophos X-Ops researchers in June 2021, is a sophisticated malware designed to target and neutralize specific EDR solutions, including SentinelOne and Sophos. Distributed as a dropper, AuKill drops a vulnerable driver named PROCEXP.SYS (from Process Explorer release version 16.32) into the system’s C:\Windows\System32\drivers folder. This malware has been observed in the wild, utilized by ransomware groups to bypass endpoint security measures and effectively spread ransomware variants such as Medusa Locker and Lockbit on vulnerable systems.

In this case, SentinelOne managed to isolate most of the malicious files before being disabled, preventing a full-scale ransomware incident. As a result, AT&T MXDR found no evidence of data exfiltration or encryption. Despite this, the client opted to rebuild the print server as a precautionary measure. This study provides an in-depth analysis of the attack and offers recommendations to mitigate the risk of future attacks.

Investigating the first phase of the attack

Initial intrusion

The targeted asset was the print server, which we found unusual. However, upon further investigation we concluded the attacker misidentified the asset as a Domain Controller (DC), as it had recently been repurposed from a DC to a print server. The attacker needed both local administrator credentials and kernel-level access to successfully run AuKill and disable SentinelOne on the asset. To gain those local administrator credentials, the attacker successfully brute-forced an administrator account. Shortly after the compromise, this account was observed making unauthorized registry changes.

 screen shot of USM IOCs for Aukill 

Aukill metadata for ioc

Establishing a beachhead

After compromising the local administrator account, the attackers used the “Users\Administrator\Music\aSentinel” folder as a staging area for subsequent phases of their attack. All AuKill-related binaries and scripts were executed from this path, with the innocuous “Music” folder name helping to conceal their malicious activities.

seemingly innocent Music file - not innocent!

AuKill malware has been found to operate using two Windows services named “aSentinel.exe” and “aSentinelX.exe” in its SentinelOne variant. In other variants it targets different EDRs, such as Sophos, using corresponding Windows services like “aSophos.exe” and “aSophosX.exe”.

Aukill mitigated - put in quarantine

Establishing persistence

We also discovered “aSentinel.exe” running from “C:\Windows\system32”, indicating that the attackers attempted to establish a foothold on the compromised server. Malware authors frequently target the system32 folder because it is a trusted location, and security software may not scrutinize files within it as closely as those in other locations. This can help malware bypass security measures and remain hidden. It is likely that the malware was initially placed in the “Users\Administrator\Music\aSentinel” directory and later copied to the system32 directory for persistence.

how Aukill keeps persistent

Network reconnaissance

Our investigation also revealed that PCHunter, a publicly available utility previously abused in ransomware incidents such as Dharma, was running from the “Users\Administrator\Music\aSentinel” directory. This suggests that the attackers used PCHunter as a reconnaissance tool to survey the client’s network before deploying the EDR killer malware. Additionally, PCHunter enables threat actors to terminate programs and interface directly with the Windows kernel, which aligns with the needs of the attacker. We observed PCHunter generating several randomly named .sys files, as illustrated below:

Aukill using PCHunter for reconnaissance

Preventing data recovery

We found that the attacker deleted shadow volume copies from the print server. Windows creates these copies to restore files and folders to previous versions in case of data loss. By removing the shadow copies, the attacker was attempting to make it more challenging for our client to recover their files if they were successfully encrypted. Although no ransomware was deployed, the deletion of shadow copies reveals the attackers’ intentions. This information, together with the usage of PCHunter and the staging of the EDR killer malware, paints a more complete picture of the attacker’s objectives and tactics.

Bypassing native Windows protection

With all these pieces in place, the last thing the attacker needed was kernel-level access. Despite gaining administrator rights early on, the attacker still did not have enough control over the system to kill SentinelOne. Windows classifies EDR solutions as essential and protects them from being turned off by attackers who have merely escalated privileges. To circumvent these safeguards, the attacker needed to go one level deeper into the operating system and gain kernel-level access to the machine.

Investigating the second phase of the attack

Dropping the vulnerable driver

Our team discovered that AuKill had replaced the current Process Explorer driver, PROCEXP152.sys, with an outdated and vulnerable version named PROCEXP.SYS (from Process Explorer release version 16.32), located in the C:\Windows\System32\drivers directory. The alarm screenshot below demonstrates how AuKill swapped the existing driver with this older version, making the system susceptible to further exploitation.

 USM screen - second phase of Aukill remediation

Windows incorporates a security feature called Driver Signature Enforcement, which ensures that kernel-mode drivers are signed by a valid code signing authority before they can run. To bypass this security measure, the attackers exploited the insecure PROCEXP.SYS driver, which was produced and signed by Microsoft at an earlier date. As demonstrated in the SentinelOne screenshot below, the driver is signed and verified by Microsoft. Furthermore, the originating process was aSentinel.exe, an executable created to disable SentinelOne.

aukill remediation

Acquiring kernel-level access

Process Explorer, a legitimate system monitoring tool developed by Microsoft’s Sysinternals team, enables administrators to examine and manage applications’ ongoing processes, as well as their associated threads, handles, and DLLs.

Upon startup, Process Explorer loads a signed kernel-mode driver, facilitating interaction with the system’s kernel, which is responsible for managing hardware and resources. Normally, that driver is PROCEXP152.sys. The attacker replaced the PROCEXP152.sys driver on the print server with the exploitable PROCEXP.SYS, employing what is known as a BYOVD (Bring Your Own Vulnerable Driver) attack. The attacker used this method to exploit the now vulnerable kernel mode driver to gain the kernel-level access they needed to successfully kill SentinelOne.

Killing SentinelOne

The kernel-mode driver used by Process Explorer has the unique ability to terminate handles that are inaccessible even to administrators. A handle is an identifier that corresponds to a specific resource opened by a process, such as a file or a registry key. At this point, AuKill hijacked Process Explorer’s kernel driver to specifically target protected handles associated with SentinelOne processes running on the print server. The SentinelOne processes were killed when the protected process handles were closed, rendering the EDR powerless. AuKill then generated several threads to ensure that these EDR processes remained disabled and did not resume. Each thread concentrated on a certain SentinelOne component and regularly checked to see if the targeted processes were active. If they were, AuKill would terminate them. SentinelOne was out of the way and no longer an obstacle to the attacker.

Response

Customer interaction

At this point, the attacker had gained privileged access to the asset, deployed their malware, and successfully killed the endpoint protection solution, SentinelOne. Based on the Cyber Kill Chain methodology developed by Lockheed Martin, we can conclude that the attacker had now successfully reached the “Command and Control” stage. However, the attacker did not reach the “Actions on Objectives” stage, as SentinelOne managed to disrupt ransomware deployment enough before it was killed to prevent any additional damage.

Any attempts to re-deploy malware or move laterally following the disablement of the EDR were thwarted by our team, who swiftly alerted the client to the activity and advised that the asset be taken offline and isolated from the rest of the network. Our team informed the client that the shadow copies had been deleted and SentinelOne had been turned off on their print server. After having our threat hunters thoroughly review their environment, we reassured the client that no sensitive information was exfiltrated or encrypted. In response to the attack, the client moved to rebuild their print server and reinstall SentinelOne.

Recommendations

As BYOVD attacks to bypass EDR software become more widespread, we strongly advise blacklisting outdated drivers with a known history of exploitation. Furthermore, we encourage our clients to maintain an inventory of the drivers installed on their systems, ensuring they remain current and secure. Lastly, we recommend bolstering the security of administrator accounts to defend against brute force attacks, as the incident detailed in this blog post could not have transpired without the initial privileged user compromise.
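As an added example of the recommendations above and of the BYOVD and driver-signing points made earlier (example code written for this post, not AT&T MXDR's tooling or anything from the AuKill authors): a small inventory check that flags drivers on a known-vulnerable blocklist and executions from the AuKill staging and persistence locations named in this write-up. The blocklist entry, the version-string format, the record layouts and all sample records are constructed assumptions for illustration.

```python
# Added example (not AT&T MXDR code): driver-inventory and process-launch
# checks derived from this incident. All records below are constructed.
from dataclasses import dataclass
from typing import List
import ntpath

# Assumed blocklist entry: Process Explorer's driver from release 16.32, the
# version AuKill dropped. A production list should come from a maintained
# source (hash-based driver block rules), not a single name/version pair.
BLOCKED_DRIVERS = {("procexp.sys", "16.32")}

# Locations taken from the incident write-up; matched case-insensitively.
STAGING_DIR = "\\users\\administrator\\music\\asentinel\\"
AUKILL_BINARIES = {"asentinel.exe", "asentinelx.exe"}


@dataclass
class DriverRecord:
    path: str     # on-disk path of the driver file
    version: str  # file/product version string (format assumed)
    signer: str   # code-signing subject


@dataclass
class ProcessLaunch:
    image_path: str
    user: str


def check_drivers(inventory: List[DriverRecord]) -> List[str]:
    """Flag drivers whose (file name, version) pair is on the blocklist."""
    findings = []
    for d in inventory:
        name = ntpath.basename(d.path).lower()
        if (name, d.version) in BLOCKED_DRIVERS:
            # A valid Microsoft signature is exactly why Driver Signature
            # Enforcement loads it; the signature says nothing about whether
            # that version is exploitable, so the check must be by version/hash.
            findings.append(f"blocked driver {d.path} v{d.version} (signed by {d.signer})")
    return findings


def check_launches(launches: List[ProcessLaunch]) -> List[str]:
    """Flag AuKill binaries and anything executed from its staging folder."""
    findings = []
    for p in launches:
        path = p.image_path.replace("/", "\\").lower()
        if STAGING_DIR in path:
            findings.append(f"execution from AuKill staging directory: {p.image_path}")
        if ntpath.basename(path) in AUKILL_BINARIES:
            findings.append(f"AuKill EDR-killer binary launched by {p.user}: {p.image_path}")
    return findings


def triage(inventory: List[DriverRecord], launches: List[ProcessLaunch]) -> List[str]:
    """Combined findings from both checks."""
    return check_drivers(inventory) + check_launches(launches)


# Constructed sample data mirroring the artifacts described in this post.
SAMPLE_INVENTORY = [
    DriverRecord(r"C:\Windows\System32\drivers\tcpip.sys", "10.0.19041.1", "Microsoft Windows"),
    DriverRecord(r"C:\Windows\System32\drivers\PROCEXP.SYS", "16.32", "Microsoft Corporation"),
]
SAMPLE_LAUNCHES = [
    ProcessLaunch(r"C:\Users\Administrator\Music\aSentinel\aSentinel.exe", "Administrator"),
    ProcessLaunch(r"C:\Windows\system32\aSentinel.exe", "SYSTEM"),
    ProcessLaunch(r"C:\Windows\system32\notepad.exe", "Administrator"),
]

if __name__ == "__main__":
    for line in triage(SAMPLE_INVENTORY, SAMPLE_LAUNCHES):
        print(line)
```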

The post Stories from the SOC – Unveiling the stealthy tactics of Aukill malware appeared first on Cybersecurity Insiders.

Executive summary

AT&T Alien Labs researchers recently discovered a massive campaign of threats delivering a proxy server application to Windows machines. A company is charging for proxy service on traffic that goes through those machines. This is a continuation of research described in our blog on Mac systems turned into proxy exit nodes by AdLoad.

In this research, Alien Labs identified a company that offers proxy services, wherein proxy requests are rerouted through compromised systems that have been transformed into residential exit nodes due to malware infiltration. Although the proxy website claims that its exit nodes come only from users who have been informed and agreed to the use of their device, Alien Labs has evidence that malware writers are installing the proxy silently in infected systems. In addition, as the proxy application is signed, it has no anti-virus detection, going under the radar of security companies.

In this follow-up article we explore the dramatic rise in Windows malware delivering the same payload to create a 400,000-node proxy botnet.

Key takeaways:

  • In just one week AT&T Alien Labs researchers observed more than a thousand new malware samples in the wild delivering the proxy application.
  • According to the proxy website, there are more than 400,000 proxy exit nodes, and it is not clear how many of them were installed by malware.
  • The application is silently installed by malware on infected machines without the user’s knowledge or interaction.
  • The proxy application is signed and has zero anti-virus detection.
  • The proxy is written in Go programming language and is spread by malware both on Windows and macOS.

Analysis

In the constantly evolving landscape of cyber threats, malicious actors continuously find new and ingenious ways to exploit technology for their own gain. Recently Alien Labs has observed an emerging trend where malware creators are utilizing proxy applications as their tool of choice. Different malware strains are delivering the proxy – relying on users looking for interesting things, like cracked software and games.

The proxy is written in the Go programming language, giving it the flexibility to be compiled into binaries compatible with various operating systems, including macOS and Windows. Despite the fact that the binaries originate from the same source code, macOS samples are detected by numerous security products while the Windows proxy application goes unseen. This lack of detection is most likely due to the application being signed. (Figure 1)

proxy on VT 

Figure 1. As seen on VirusTotal: Proxy application – zero detections.

After being executed on a compromised system, the malware proceeds to quietly download and install the proxy application. This covert process takes place without requiring any user interaction and often occurs alongside the installation of additional malware or adware elements. The proxy application and most of the malware delivering it are packed using Inno Setup, a free and popular Windows installer.

installing proxy silently

Figure 2. As observed by Alien Labs: Malware embedded script to install the proxy silently.

As shown in figure 2 above, the malware uses specific Inno Setup parameters to install the proxy silently, executing it with the following switches:

  • “/SP-” – Disables the “This will install… Do you wish to continue?” prompt that usually appears at the beginning of Setup.
  • “/VERYSILENT” – When Setup is very silent, the installation progress window is not displayed.
  • “/SUPPRESSMSGBOXES” – Instructs Setup to suppress message boxes; Setup automatically answers the common interaction prompts it would otherwise show the user.

Furthermore, the malware transmits specific parameters directly to the proxy installation process, subsequently relaying them to the proxy’s command and control server (C&C) as part of the new peer registration process. These parameters play a crucial role in identifying the origin of the proxy propagation within the proxy command and control infrastructure.

The monetization of malware propagating the proxy server through an affiliate program is troublesome, as it creates a formal structure that increases the speed at which this threat spreads. The downloaded proxy application is packed with Inno Setup as well, and the installation script is responsible both for installing its files and for persistence. (Figure 3)

proxy installation script

Figure 3. As observed by Alien Labs: Proxy installation script.

The setup file drops two executable files:

  • “DigitalPulseService.exe” – the proxy server itself, which communicates constantly with its exit node operator for further instructions.
  • “DigitalPulseUpdater” – checks for and downloads new versions of the proxy application.

The proxy persists in the system in two ways:

  • Run registry key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\DigitalPulse
  • Windows scheduled task named “DigitalPulseUpdateTask” that is executed every hour: %AppData%\DigitalPulse\DigitalPulseUpdate.exe

The updater, which is executed through the scheduled task, queries the server with the machine’s unique GUID on an hourly basis to check for any newer versions. (Figure 4)

proxy updater service

Figure 4. As observed by Alien Labs: Proxy updater service.

A response from the server will include the version and download link:

{"dd":"https://digitalpulsedata.s3.amazonaws[.]com/update/pp/0.16.14/DigitalPulseService.exe","vv":"0.0.16.14"}

The proxy then continuously gathers vital information from the machine to ensure optimal performance and responsiveness. This includes everything from process list and monitoring CPU to memory utilization and even tracking battery status. This dynamic data collection underscores its capability to manage the demands of proxy requests while evading suspicion by adapting to the system’s operational context. (Figure 5)

proxy c2

Figure 5. As observed by Alien Labs: Sending collected machine information to the command and control.

The proxy communicates with its command and control on port 7001 to receive further instructions. Figure 6 shows an example of a request from the proxy node server instructing an infected device to retrieve “www.google.de”.

proxy exit node

Figure 6. As observed by Alien Labs: Proxy exit node communication with its C&C.

Recommended actions

To remove the proxy application from the system, delete the following entities:

  • Folder: “%AppData%\DigitalPulse” (to find the current user’s AppData folder: Run -> %AppData% -> ENTER)
  • Registry: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\DigitalPulse
  • Scheduled task: DigitalPulseUpdateTask
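As an added set of triage helpers for the artifacts this post describes (the Inno Setup silencing switches, the Run key and scheduled task, and the updater's JSON reply), written for this article and not Alien Labs' code: the command line, the exported Run values, the task listing and the copy of the server reply below are constructed samples, not captured data.

```python
# Added triage helpers (not AT&T Alien Labs code) for the artifacts described
# in this post. All inputs below are constructed samples, not captured data.
import json
from typing import Dict, List, Tuple
from urllib.parse import urlparse

# The three Inno Setup switches the dropper passes to hide the installer UI.
# Legitimate software deployments use them too, so treat a hit as a hunting
# lead to combine with the persistence check, not as proof of infection.
INNO_SILENT_SWITCHES = {"/sp-", "/verysilent", "/suppressmsgboxes"}
# Name fragment shared by the proxy's folder, Run value and scheduled task.
PROXY_MARKER = "digitalpulse"

# Constructed samples: a process command line, an exported HKCU Run key,
# a scheduled-task listing, and the updater reply quoted in the post.
SAMPLE_CMDLINE = r'"C:\Users\user\Downloads\game_crack_setup.exe" /SP- /VERYSILENT /SUPPRESSMSGBOXES'
SAMPLE_RUN_VALUES = {
    "VendorUpdater": r'"C:\Program Files\Vendor\updater.exe" /background',
    "DigitalPulse": r"C:\Users\user\AppData\Roaming\DigitalPulse\DigitalPulseService.exe",
}
SAMPLE_TASKS = [
    ("VendorUpdateTask", r"C:\Program Files\Vendor\updater.exe /check"),
    ("DigitalPulseUpdateTask", r"%AppData%\DigitalPulse\DigitalPulseUpdate.exe"),
]
SAMPLE_UPDATE_RESPONSE = (
    '{"dd":"https://digitalpulsedata.s3.amazonaws[.]com/update/pp/0.16.14/DigitalPulseService.exe",'
    '"vv":"0.0.16.14"}'
)


def inno_silent_switches(cmdline: str) -> List[str]:
    """Return the Inno Setup silencing switches present on a command line.
    Switches are whitespace-separated, so a plain split is sufficient."""
    return sorted(tok.lower() for tok in cmdline.split() if tok.lower() in INNO_SILENT_SWITCHES)


def is_fully_silent(cmdline: str) -> bool:
    """True when all three switches from the post are present (no UI at all)."""
    return set(inno_silent_switches(cmdline)) == INNO_SILENT_SWITCHES


def find_proxy_persistence(run_values: Dict[str, str], tasks: List[Tuple[str, str]]) -> List[str]:
    """Flag Run-key values and scheduled tasks tied to the DigitalPulse proxy,
    matching on either the entry name or the command it launches."""
    findings = []
    for name, command in run_values.items():
        if PROXY_MARKER in name.lower() or PROXY_MARKER in command.lower():
            findings.append(f"Run key value {name!r} -> {command}")
    for task_name, action in tasks:
        if PROXY_MARKER in task_name.lower() or PROXY_MARKER in action.lower():
            findings.append(f"scheduled task {task_name!r} -> {action}")
    return findings


def parse_update_response(body: str) -> Tuple[str, str, str]:
    """Extract (version, download URL, host) from the updater's JSON reply.
    The URL is refanged ([.] -> .) only for parsing the host name."""
    data = json.loads(body)
    url = data["dd"]
    host = urlparse(url.replace("[.]", ".")).hostname or ""
    return data["vv"], url, host


if __name__ == "__main__":
    print("silent install switches:", inno_silent_switches(SAMPLE_CMDLINE))
    for finding in find_proxy_persistence(SAMPLE_RUN_VALUES, SAMPLE_TASKS):
        print("persistence:", finding)
    print("update check:", parse_update_response(SAMPLE_UPDATE_RESPONSE))
```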

 

 

Conclusion

In the constantly changing world of cyber threats, the intertwined relationship between innovation and malicious intent propels new strategies by nefarious actors. The rise of malware delivering proxy applications as a lucrative investment, facilitated by affiliate programs, highlights the cunning nature of adversaries’ tactics. These proxies, covertly installed via alluring offers or compromised software, serve as channels for unauthorized financial gains. As we have examined, this underscores the importance of remaining vigilant and adaptive in the face of ever-evolving cyber threats.

Associated Indicators (IOCs)

The following technical indicators are associated with the reported intelligence. A list of indicators is also available in the OTX Pulse. Please note, the pulse may include other activities related but out of the scope of the report.


Mapped to MITRE ATT&CK

The findings of this report are mapped to the following MITRE ATT&CK Matrix techniques:

    • TA0001: Initial Access
      • T1189: Drive-by Compromise
    • TA0003: Persistence
      • T1547: Boot or Logon Autostart Execution
        • T1547.001: Registry Run Keys / Startup Folder
      • T1053: Scheduled Task/Job
        • T1053.005: Scheduled Task
    • TA0007: Discovery
      • T1082: System Information Discovery
    • TA0011: Command and Control
      • T1090: Proxy
      • T1571: Non-Standard Port
    • TA0040: Impact
      • T1496: Resource Hijacking

The post ProxyNation: The dark nexus between proxy apps and malware appeared first on Cybersecurity Insiders.

This blog was jointly written by Fernando Martinez Sidera and Ofer Caspi, AT&T Alien Labs threat intelligence researchers.

Executive summary 

AdLoad malware is still infecting Mac systems years after its first appearance in 2017. AdLoad, a package bundler, has been observed delivering a wide range of payloads throughout its existence. During AT&T Alien Labs’ investigation of its most recent payload, it was discovered that the most common component dropped by AdLoad during the past year has been a proxy application turning macOS AdLoad victims into a giant residential proxy botnet.

Key takeaways: 

  • AdLoad malware is still present and infecting systems, with a previously unreported payload.
  • At least 150 samples have been observed in the wild during the last year.
  • AT&T Alien Labs has observed thousands of IPs behaving as proxy exit nodes in a manner similar to AdLoad infected systems. This behavior could indicate that thousands of Mac systems have been hijacked to act as proxy exit nodes.
  • The samples analyzed in this blog are unique to MacOS, but Windows samples have also been observed in the wild.

Analysis 

AdLoad is one of several widespread adware and bundleware loaders currently impacting macOS. The OSX malware has been present since 2017, with big campaigns in the last two years as reported by SentinelOne in 2021 and Microsoft in 2022. As stated in Microsoft’s report on UpdateAgent, a malware delivering AdLoad through drive-by compromise, AdLoad redirected users’ traffic through the adware operators’ servers, injecting advertisements and promotions into webpages and search results with a Person-in-The-Middle (PiTM) attack.

These two previous campaigns, together with the campaign described in this blog, support the theory that AdLoad could be running a pay-per-install campaign on the infected systems.

  • The main purpose of the malware has always been to act as a downloader for subsequent payloads.
  • It has been identified delivering a wide range of payloads (adware, bundleware, PiTM, backdoors, proxy applications, etc.) every few months to a year, sometimes conveying different payloads depending on the system settings such as geolocation, device make and model, operating system version, or language settings, as reported by SentinelOne.
  • All observed samples, regardless of payload, report to an AdLoad server during execution on the victim’s system.
  • This beacon (analyzed later in Figures 3 and 4) includes system information in the user agent and the body, and receives no relevant response aside from a 200 HTTP response code.
  • This activity probably represents AdLoad’s method of keeping count of the number of infected systems, supporting the pay-per-install scheme.

AT&T Alien Labs™ has observed similar activity in our threat analysis systems throughout the last year, with the AdLoad malware being installed in the infected systems. However, Alien Labs is now observing a previously unreported payload being delivered to the victims. The payload corresponds to a proxy application, converting its targets into proxy exit nodes after infection. As seen in Figure 1, the threat actors behind this campaign have been very active since the beginning of 2022.


Figure 1. Histogram of AdLoad samples identified by Alien Labs.

The vast number of samples in the wild has consequently led to many devices becoming infected. Alien Labs has identified over 10,000 IPs reaching out to the proxy servers each week that have the potential to be proxy exit nodes. It is unclear whether all these systems have been infected or are voluntarily offering themselves as proxies, but it could be indicative of a bigger infection globally.

The intentions of the users of this residential proxy botnet are still unclear, but so far it has already been detected delivering SPAM campaigns. One such campaign hit the University of Illinois, which had to release an internal alert to notify its students of this threat.


Figure 2. University of Illinois alert at https://answers.uillinois.edu/illinois/page.php?id=120871.

This blog will focus on a sample of AdLoad which AT&T Alien Labs observed in the wild during the month of June: 6587e61a8a7edb312da5798ffccf4a5ef227d3834389993b4df3ef0b173443dc. This sample was named “app_assistant”, which, together with ‘main_helper’ and ‘mh’, is among the most common filenames observed for this malware.

The sample initiates execution with a system profiler. The system profiler pulls system information, focusing on the UUID (Universally Unique Identifier) that can later be used to identify the system to the Command and Control (C&C) on the proxy servers.

It then reaches out to an AdLoad server to report the infection. The URL is hardcoded in the sample. Alien Labs has observed two different patterns thus far:

Pattern 1 includes:

  • POST request to a URL with path “/l”.
  • Host with an api. subdomain.
  • Content Type is “application/x-www-form-urlencoded”.
  • The body starts with “cs=” and is followed by around 300 base64 characters.

This behavior had already been observed in the wild and is detected by ET (Emerging Threats) with a public rule attributing the activity to OSX/SHLAYER (rule in the appendix).


Figure 3: Example from Alien Labs of network traffic of sample 54efc69cb6ee7fde00c0320202371dcdad127d0e7c8babce4659be8230d81a81.

Pattern 2 includes:

  • POST request to a URL with path “/a/rep”
  • Host with m. subdomain
  • Content Type is charset=utf-8
  • The body starts with “smc” and is followed by encrypted data.

No public rules were identified for this behavior as of the publishing of this blog; however, Alien Labs has provided a rule in the appendix.

In both cases, the User Agent is formed by the filename of the executed file followed by “(unknown version) CFNetwork/$version” plus the Darwin version number.
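As an added example (not code from the Alien Labs post), the following Python classifier applies the two check-in patterns above to raw HTTP requests, run here over constructed samples with placeholder hostnames. The “$” at body offset 10 and the minimum-length checks mirror the Suricata rules in the appendix; the User-Agent shape assumes CFNetwork’s usual “CFNetwork/<ver> Darwin/<ver>” suffix.

```python
"""Classify HTTP requests against the two AdLoad check-in patterns.

Added example, not Alien Labs code. Hostnames below are placeholders and
the request bodies are constructed, not captured traffic.
"""
import base64
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# "<filename> (unknown version) CFNetwork/<ver>" plus the Darwin version
# (assumed to follow CFNetwork's normal " Darwin/<ver>" form).
UA_RE = re.compile(
    r"^(?P<name>\S+) \(unknown version\) CFNetwork/(?P<cfnetwork>[\d.]+)"
    r"(?: Darwin/(?P<darwin>[\d.]+))?$"
)
# Same base64 shape the ET rule checks with its pcre.
B64_RE = re.compile(
    r"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$"
)


@dataclass
class HttpRequest:
    method: str
    path: str
    headers: Dict[str, str]
    body: bytes


def parse_request(raw: bytes) -> HttpRequest:
    """Split a raw HTTP/1.1 request into method, path, lower-cased headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _ = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return HttpRequest(method, target.split("?", 1)[0], headers, body)


def classify_beacon(req: HttpRequest) -> Optional[str]:
    """Return 'pattern1', 'pattern2' or None for one parsed request."""
    ua = UA_RE.match(req.headers.get("user-agent", ""))
    if req.method != "POST" or ua is None:
        return None
    host = req.headers.get("host", "")
    ctype = req.headers.get("content-type", "")
    body = req.body
    # Pattern 1: POST /l, api. subdomain, form-urlencoded, body "cs=" + ~300 base64 chars
    if (req.path == "/l" and host.startswith("api.")
            and ctype.startswith("application/x-www-form-urlencoded")
            and body.startswith(b"cs=")):
        blob = body[3:].decode("latin-1")
        if len(blob) >= 200 and B64_RE.match(blob):   # 200: assumed lower bound
            return "pattern1"
    # Pattern 2: POST /a/rep, m. subdomain, charset=utf-8, body "smc" ... "$" at offset 10
    if (req.path == "/a/rep" and host.startswith("m.")
            and "charset=utf-8" in ctype
            and body.startswith(b"smc") and body[10:11] == b"$"
            and len(body) >= 211):                     # 200 bytes after the "$"
        return "pattern2"
    return None


def scan(requests: List[bytes]) -> List[dict]:
    """Classify each raw request and report the matches with the beaconing binary name."""
    findings = []
    for raw in requests:
        req = parse_request(raw)
        pattern = classify_beacon(req)
        if pattern:
            ua = UA_RE.match(req.headers["user-agent"])
            findings.append({"pattern": pattern, "host": req.headers.get("host"),
                             "binary": ua.group("name"), "darwin": ua.group("darwin")})
    return findings


# Constructed sample traffic; hostnames are placeholders, not real indicators.
SAMPLE_PATTERN1 = (
    b"POST /l HTTP/1.1\r\n"
    b"Host: api.example-placeholder.invalid\r\n"
    b"User-Agent: app_assistant (unknown version) CFNetwork/1408.0.4 Darwin/22.5.0\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    b"cs=" + base64.b64encode(b"constructed-sample-payload " * 12)
)
SAMPLE_PATTERN2 = (
    b"POST /a/rep HTTP/1.1\r\n"
    b"Host: m.example-placeholder.invalid\r\n"
    b"User-Agent: main_helper (unknown version) CFNetwork/1408.0.4 Darwin/22.5.0\r\n"
    b"Content-Type: charset=utf-8\r\n\r\n"
    b"smc" + b"\x00" * 7 + b"$" + bytes(range(256))
)
SAMPLE_BENIGN = (
    b"POST /l HTTP/1.1\r\n"
    b"Host: api.example-placeholder.invalid\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    b"cs=abcd"
)

if __name__ == "__main__":
    for hit in scan([SAMPLE_PATTERN1, SAMPLE_PATTERN2, SAMPLE_BENIGN]):
        print(hit)
```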


Figure 4: Example from Alien Labs: network traffic of sample 6587e61a8a7edb312da5798ffccf4a5ef227d3834389993b4df3ef0b173443dc.

After beaconing to the AdLoad server, the sample reaches out to a different domain, usually vpnservices[.]live or upgrader[.]live, which appears to be a proxy server’s C&C. The request carries the UUID of the infected machine as a parameter, among other encoded parameters. The response contains a link to the file to download, usually hosted on digitaloceanspaces[.]com, together with the environment to use and the version number of the payload.

Figure 5 summarizes the different connections Alien Labs has observed as of the publishing of this article (steps 1-5), and the activity we will describe next (steps 5-8).


Figure 5: Infection process as analyzed by Alien Labs.

Attack chain, Steps 5-8

  • Once the malware downloads the proxy app, it is unzipped with a password, and xattr -rd is executed on the files to remove the quarantine attribute from them. This bypasses Gatekeeper’s security.
  • The existing files are copied to ‘/Users/$user/Library/Application Support/$randomstring’. Any unnecessary files placed in the system, the /tmp directory, and the original zip file are deleted.
  • At this point, the newly generated folder under Application Support has two files: the first is a version control file named ‘pcyx.ver’ and the second is the proxy application, usually named ‘helper’ or ‘main’. If the proxy application is already running, the malware kills it, and then executes it in the background. During its execution, AdLoad gains persistence by installing itself as a Launch Agent with a label usually of the form org.[random long string].plist, which points at the proxy application executable in the Application Support folder.
  • With the application running, the host starts operating as a proxy server. Its initial configuration is usually hardcoded (figure 6), but it can be modified through the previous request to the proxy C&C, changing the domain used, the port, the environment, etc. The communication with proxy servers usually occurs over port 7001, but it has also been seen over ports 7000 and 7002, probably alternatives in case 7001 is taken.


Figure 6: As observed by Alien Labs: the malware configuration includes C&C address, certificate, malware version and more.

  • As the application runs, its first action is to beacon system information and status to the proxy server. It sends a registration message to its C&C after collecting the machine’s information. This data includes macOS version, hardware stats like CPU, memory, and battery status. Additionally, it extracts the machine’s UUID, labeled as “peer_id”, that is used as identifier of the machine with the C&C (figure 7).
  • After registration with its C&C, the malware receives the proxy manager server to which it forwards proxy requests.


Figure 7: Collecting system information before registering as new peer.

Many of the proxy requests issued immediately after an infection appear to be testing queries, i.e., IP lookups or access to streaming services like Netflix, HBO or Disney from specific locations. Figure 8 shows the beacon and the response from the server, together with the request for an IP lookup, which arrived at the infected system through port 7001.

Figure 9 shows more clearly how the IP Lookup is forwarded to its actual destination and the received response is sent back to the proxy server.

Figure 8: Beacon and IP lookup as observed by Alien Labs, d94f62ec4b6ffcec35d5e639d02a52ce226629a5eb3e2a7190174ea8d3b40b5b.

Figure 9: Proxy flow, as observed by Alien Labs, d94f62ec4b6ffcec35d5e639d02a52ce226629a5eb3e2a7190174ea8d3b40b5b.

The beacon message shown in figure 8 is sent every few seconds to get further instructions from the C&C. This includes requests for updated hardware information to check whether the machine may soon run into issues and should not be loaded as a proxy (low battery or high CPU usage) (Figure 10).


Figure 10: Pinging C&C for further instructions, observed by Alien Labs.

Alien Labs has identified several domains acting as proxy server nodes that were relaying the proxy requests to the infected systems. These domains all had generic, randomly generated names, like bapp.pictureworld[.]co, and were hosted on usually reliable cloud services, like Amazon or Oracle. However, they appeared to be used only as DNS resolvers, since those IPs all resolved to a private company domain around the time of infection. The company name also showed up in the certificates of some of these generic domains.

Based on the above information, a small business selling proxy services appears to be behind the proxy activity. The list of prices published on this private company’s webpage does include residential IP proxies as an offered service.

In addition to the Mac samples analyzed in this blog, Alien Labs has also identified other Windows samples replicating the behavior just explained. These Windows samples also end up acting as proxies through the known ports 7000, 7001 and 7002, with traffic coming from the same domains. AT&T Alien Labs will be releasing a new blog in the upcoming weeks with that analysis.

Recommended actions 

To remove AdLoad samples from the system:

  1. AdLoad samples can be identified with the Yara rule included in the Appendix, originally created by SentinelOne in a previous AdLoad report.
  2. Analyze any system matching suricata rules 4002758 and 2038612.

To remove the proxy application from the system:

  1. Review ‘/Users/X/Library/Application Support/’ and look for a folder named with a string of over 20 randomly generated characters that contains files like main, helper and pcyx.ver, and whose files are currently running in the background on your system.
  2. Review the need for every existing Launch Agent plist in /Library/LaunchAgents/, looking especially for another long string of random characters; identify the existing agents and delete the unnecessary ones.
  3. Analyze any systems communicating through ports 7000, 7001 or 7002 to suspicious IPs (or matching suricata rules 4002756 and 4002757).
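The following Python script is an added example (not Alien Labs tooling) that automates the filesystem checks in the steps above: it flags Application Support folders named with a long random string that hold ‘main’, ‘helper’ or ‘pcyx.ver’, and Launch Agent plists whose label looks like org.[random long string] or whose program points into a flagged folder. The folder name, plist contents and temp-dir layout produced by build_demo_home() are constructed for the demonstration; whether the flagged binary is actually running still has to be confirmed with ps or Activity Monitor.

```python
"""Hunt for AdLoad proxy-application artifacts on a macOS home directory.

Added example, not Alien Labs code. Run hunt(Path.home()) on a live system
or point it at a mounted image; build_demo_home() creates a constructed
layout in a temp dir so the checks can be exercised offline.
"""
import plistlib
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

RANDOM_DIR_RE = re.compile(r"^[A-Za-z0-9]{21,}$")        # "over 20 randomly generated characters"
RANDOM_LABEL_RE = re.compile(r"^org\.[A-Za-z0-9]{21,}$")  # org.[random long string]
MARKER_FILES = {"main", "helper", "pcyx.ver"}
DEMO_DIR_NAME = "Kq8vT3mZp0LwXc2NfYb7Hs4Rj"               # constructed, 25 characters


def suspicious_app_support_dirs(app_support: Path) -> List[Path]:
    """Folders under Application Support whose name is random and that hold a marker file."""
    if not app_support.is_dir():
        return []
    hits = []
    for entry in sorted(app_support.iterdir()):
        if entry.is_dir() and RANDOM_DIR_RE.match(entry.name):
            names = {child.name for child in entry.iterdir() if child.is_file()}
            if names & MARKER_FILES:
                hits.append(entry)
    return hits


def suspicious_launch_agents(agent_dirs: List[Path], flagged: List[Path]) -> List[Dict]:
    """Launch Agent plists with a random org.* label or a program inside a flagged folder."""
    findings = []
    for agent_dir in agent_dirs:
        if not agent_dir.is_dir():
            continue
        for plist_path in sorted(agent_dir.glob("*.plist")):
            try:
                with plist_path.open("rb") as fh:
                    plist = plistlib.load(fh)
            except Exception:
                continue  # unreadable plist: review by hand, not a match here
            label = str(plist.get("Label", ""))
            args = plist.get("ProgramArguments") or []
            program = str(plist.get("Program") or (args[0] if args else ""))
            reasons = []
            if RANDOM_LABEL_RE.match(label):
                reasons.append("random org.* label")
            if any(program.startswith(str(d)) for d in flagged):
                reasons.append("program inside flagged Application Support folder")
            if reasons:
                findings.append({"plist": str(plist_path), "label": label,
                                 "program": program, "reasons": reasons})
    return findings


def hunt(home: Path, agent_dirs: Optional[List[Path]] = None) -> Dict[str, list]:
    """Run both checks; by default covers the user's and the system LaunchAgents folders."""
    if agent_dirs is None:
        agent_dirs = [home / "Library" / "LaunchAgents", Path("/Library/LaunchAgents")]
    flagged = suspicious_app_support_dirs(home / "Library" / "Application Support")
    agents = suspicious_launch_agents(agent_dirs, flagged)
    return {"dirs": [str(d) for d in flagged], "launch_agents": agents}


def build_demo_home() -> Path:
    """Constructed fixture mimicking an infected home directory, in a temp dir."""
    home = Path(tempfile.mkdtemp(prefix="adload-demo-"))
    app_dir = home / "Library" / "Application Support" / DEMO_DIR_NAME
    app_dir.mkdir(parents=True)
    (app_dir / "main").write_bytes(b"\xcf\xfa\xed\xfe")  # Mach-O magic only, not a binary
    (app_dir / "pcyx.ver").write_text("1.0\n")
    benign = home / "Library" / "Application Support" / "com.example.app"  # dotted name: no match
    benign.mkdir()
    (benign / "main").write_text("")
    agents = home / "Library" / "LaunchAgents"
    agents.mkdir()
    with (agents / f"org.{DEMO_DIR_NAME}.plist").open("wb") as fh:
        plistlib.dump({"Label": f"org.{DEMO_DIR_NAME}", "RunAtLoad": True,
                       "ProgramArguments": [str(app_dir / "main")]}, fh)
    with (agents / "com.example.agent.plist").open("wb") as fh:
        plistlib.dump({"Label": "com.example.agent",
                       "ProgramArguments": ["/usr/bin/true"]}, fh)
    return home


if __name__ == "__main__":
    demo = build_demo_home()
    print(hunt(demo, agent_dirs=[demo / "Library" / "LaunchAgents"]))
```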

Conclusion 

The pervasive nature of AdLoad, potentially infecting thousands of devices worldwide, indicates that users of MacOS devices are a lucrative target for the adversaries behind this malware and are being tricked into downloading and installing unwanted applications. The underreporting of MacOS-based threats may lull users into a false sense of security and underscores that any popular operating system can become a target for skilled adversaries.

AT&T Alien Labs is not aware whether the private company relaying the proxy requests is actively infecting the systems, or whether it is buying what it believes to be legitimate systems. However, its proxy servers are accessing these systems and selling a similar service to its clients. Buyers have been leveraging the benefits of a residential proxy botnet (anonymity, wide geolocation availability and high IP rotation) to deliver SPAM campaigns throughout the last year.

Detection methods

The following associated detection methods are in use by Alien Labs. They can be used by readers to tune or deploy detections in their own environments or for aiding additional research. 

SURICATA IDS SIGNATURES 

alert tcp $HOME_NET any -> $EXTERNAL_NET [7000:7002] (msg:"AV TROJAN AdLoad Proxy Node Beacon"; flow:to_server,established; content:"|7B 22|peer_id|22 3A|"; offset:0; depth:11; content:"|22 2C 22|connect_version|22|"; distance:0; content:"|22|action|22|"; distance:0; classtype:bad-unknown; sid:4002756; rev:2;)

alert tcp $EXTERNAL_NET [7000:7002] -> $HOME_NET any (msg:"AV TROJAN AdLoad Proxy Node Response"; flow:established; content:"|7B 22|result|22 3A|"; offset:0; depth:10; content:"|22|error|22 3A 22|"; distance:0; content:"|22 2C 22|action|22 3A 22|result|22|"; distance:0; content:"|22|uuid4|22|"; distance:0; content:"|22|version|22|"; distance:0; classtype:bad-unknown; sid:4002757; rev:2;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"AV TROJAN OSX AdLoad CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/a/rep"; http_uri; depth:6; isdataat:!1,relative; content:"m."; depth:2; http_host; content:"|20 28|unknown|20|version|29 20|CFNetwork|2f|"; http_user_agent; fast_pattern; content:"charset=utf-8"; http_content_type; pkt_data; content:"smc"; http_client_body; depth:3; content:"$"; distance:7; within:1; http_client_body; isdataat:200,relative; threshold:type limit, count 1, seconds 600, track by_dst; classtype:trojan-activity; sid:4002758; rev:1;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN OSX/SHLAYER CnC Activity M2"; flow:established,to_server; content:"POST"; http_method; content:"/l"; http_uri; depth:2; isdataat:!1,relative; content:"|20 28|unknown|20|version|29 20|CFNetwork|2f|"; http_user_agent; fast_pattern; content:"cs="; http_client_body; depth:3; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})/PR"; http_content_type; content:"application/x-www-form-urlencoded"; depth:33; isdataat:!1,relative; threshold:type limit, count 1, seconds 600, track by_dst; classtype:trojan-activity; sid:2038612; rev:1; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2022_08_25, deployment Perimeter, former_category MALWARE, malware_family Shlayer, performance_impact Low, signature_severity Major, updated_at 2022_08_25;)

 

YARA RULES 

private rule Macho
{
    meta:
        description = "private rule to match Mach-O binaries"
    condition:
        uint32(0) == 0xfeedface or uint32(0) == 0xcefaedfe or uint32(0) == 0xfeedfacf or uint32(0) == 0xcffaedfe or uint32(0) == 0xcafebabe or uint32(0) == 0xbebafeca
}

rule adload_2021_system_service
{
    meta:
        description = "rule to catch Adload .system .service variant"
        author = "Phil Stokes, SentinelLabs"
        version = "1.0"
        last_modified = "2021-08-10"
        reference = "https://s1.ai/adload"
    strings:
        $a = { 48 8D 35 ?? ?? 00 00 48 8D 5D B8 BA B8 00 00 00 48 89 DF E8 ?? ?? FB FF 48 8B 43 08 48 2B 03 66 48 0F 6E C0 66 0F 62 05 ?? ?? 00 00 66 0F 5C 05 ?? ?? 00 00 0F 57 C9 66 0F 7C C0 48 8D 7D A0 0F 29 0F F2 0F 59 05 }
    condition:
        Macho and all of them
}

 

Associated indicators (IOCs) 

The following technical indicators are associated with the reported intelligence. A list of indicators is also available in the OTX Pulse. Please note, the pulse may include other activities related but out of the scope of the report. 


Mapped to MITRE ATT&CK

The findings of this report are mapped to the following MITRE ATT&CK Matrix techniques: 

    • TA0001: Initial Access
      • T1189: Drive-by Compromise
    • TA0003: Persistence
      • T1543: Create or Modify System Process
        • T1543.001: Launch Agent
    • TA0005: Defense Evasion
      • T1140: Deobfuscate/Decode Files or Information
      • T1497: Virtualization/Sandbox Evasion
        • T1497.001: System Checks
      • T1222: File and Directory Permissions Modification
        • T1222.002: Linux and Mac File and Directory Permissions Modification
      • T1553: Subvert Trust Controls
        • T1553.001: Gatekeeper Bypass
      • T1562: Impair Defenses
        • T1562.001: Disable or Modify Tools
    • TA0007: Discovery
      • T1082: System Information Discovery
    • TA0011: Command and Control
      • T1090: Proxy
      • T1571: Non-Standard Port
    • TA0040: Impact
      • T1496: Resource Hijacking

The post Mac systems turned into proxy exit nodes by AdLoad appeared first on Cybersecurity Insiders.

We’re pleased to announce the availability of the 2023 AT&T Cybersecurity Insights Report™: Focus on State and Local government and higher Education in the United States (US SLED). It looks at the edge ecosystem, surveying US SLED leaders, and provides benchmarks for assessing your edge computing plans. This is the 12th edition of our vendor-neutral and forward-looking report. Last year’s Focus on US SLED report documented trends in securing the data, applications, and endpoints that rely on edge computing (get the 2022 report).

Get the complimentary 2023 report.

The robust quantitative field survey reached 1,418 security, IT, application development, and line of business professionals worldwide. The qualitative research tapped subject matter experts across the cybersecurity industry.

At the onset of our research, we established the following hypotheses.

  • The momentum edge computing has in the market.
  • Approaches to connecting and securing the edge ecosystem, including the role of trusted advisors in achieving edge goals.
  • The perceived risk and perceived benefit of the common use cases in each industry surveyed.

The results focus on common edge use cases in seven vertical industries (healthcare, retail, finance, manufacturing, energy and utilities, transportation, and US SLED), delivering actionable advice for securing and connecting an edge ecosystem, including external trusted advisors. Finally, it examines cybersecurity and the broader edge ecosystem of networking, service providers, and top use cases. For this Focus on US SLED, 178 respondents represented the vertical.

The role of IT is shifting, embracing stakeholders at the ideation phase of development.

Edge computing is a transformative technology that brings together various stakeholders and aligns their interests to drive integrated outcomes. The emergence of edge computing has been fueled by a generation of visionaries who grew up in the era of smartphones and limitless possibilities. Look at the infographic below for a topline summary of key findings.

In this paradigm, the role of IT has shifted from being the sole leader to a collaborative partner in delivering innovative edge computing solutions. In addition, we found that US SLED leaders are budgeting differently for edge use cases. These two things, along with an expanded approach to securing edge computing, were prioritized by our respondents in the 2023 AT&T Cybersecurity Insights Report: Edge Ecosystem.

In 2023, US SLED respondents’ primary edge use case is building management, which involves hosted HVAC applications, electricity and utility monitoring applications, and various sensors for large buildings. This is just the beginning of the evolution in the public sector to increase the value of public investments, so every dollar goes a bit further. In higher education, edge use cases are being used for things like immersive and interactive learning and helping faculty to be more accessible with solutions like real-time feedback.

Edge computing brings the data closer to where decisions are made.

With edge computing, the intelligence required to make decisions, the networks used to capture and transmit data, and the use case management are distributed. Distributed means things work faster because nothing is backhauled to a central processing area such as a data center and delivers the near-real-time experience.

With this level of complexity, it’s common to re-evaluate decisions regarding security, data storage, or networking. The report shares the trends emerging as US SLED embraces edge computing. One area examined is expense allocation, and what we found may surprise you. The research reveals the allocation of investments across overall strategy and planning, network, application, and security for the anticipated use cases that organizations plan to implement within the next three years.

How to prepare for securing your edge ecosystem.

Develop your edge computing profile. It is essential to break down the barriers that typically separate the internal line of business teams, application development teams, network teams, and security teams. Technology decisions should not be made in isolation but rather through collaboration with a diverse group of stakeholders. Understanding the capabilities and limitations of all stakeholders makes it easier to identify gaps in evolving project plans.

The edge ecosystem is expanding, and expertise is available to offer solutions that address cost, implementation, mitigating risks, and more. Including expertise from the broader SLED edge ecosystem increases the chances of outstanding performance and alignment with organizational goals.

Develop an investment strategy. During edge use case development, organizations should carefully determine where and how much to invest. Think of it as part of monetizing the use case. Building security into the use case from the start allows the organization to consider security as part of the overall project cost. It’s important to note that no one-size-fits-all solution can provide complete protection for all aspects of edge computing. Instead, organizations should consider a comprehensive and multi-layered approach to address the unique security challenges of each use case.

Increase your compliance capabilities. Regulations in the public sector and for education can vary significantly. This underscores the importance of not relying solely on a checkbox approach or conducting annual reviews to help ensure compliance with the growing number of regulations. Keeping up with technology-related mandates and helping to ensure compliance requires ongoing effort and expertise. If navigating compliance requirements is not within your organization’s expertise, seeking outside help from professionals specializing in this area is advisable.

Align resources with emerging priorities. External collaboration allows organizations to utilize expertise and reduce resource costs. It goes beyond relying solely on internal teams within the organization. It involves tapping into the expanding ecosystem of edge computing experts who offer strategic and practical guidance. Engaging external subject matter experts (SMEs) to enhance decision-making can help prevent costly mistakes and accelerate deployment. These external experts can help optimize use case implementation, ultimately saving time and resources.

Build in resilience. Consider approaching edge computing with a layered mindset. Take the time to ideate on various “what-if” scenarios and anticipate potential challenges. For example, what measures exist if a private 5G network experiences an outage? Can data remain secure when utilizing a public 4G network? How can business-as-usual operations continue in the event of a ransomware attack?

Successful SLED edge computing implementations require a holistic approach encompassing collaboration, compliance, resilience, and adaptability. By considering these factors and proactively engaging with the expertise available, organizations can unlock the full potential of edge computing to deliver improved outcomes, operational efficiency, and cost-effectiveness.

The post Get the AT&T Cybersecurity Insights Report: Focus on US SLED appeared first on Cybersecurity Insiders.


Where do vulnerabilities fit with respect to security standards and guidelines? Was it a coverage issue or an interpretation and implementation issue? Where does a product, environment, organization, or business vertical fail the most in terms of standards requirements? These questions are usually left unanswered because of the gap between standards or regulations on the one hand, and requirements interpretation and implementation, on the other. Certified products and environments often suffer from security issues that were supposed to be covered by the requirements of the standard.

In [1], for instance, the authors give examples of vulnerable products that were IEC 62443 certified. In [2], SANS discusses the case of PCI-certified companies and why they are still being breached. This “interpretation gap,” whether it manifests in the implementation of requirements or in the assessment process, hinders security and leads to the fact that being compliant is not necessarily the same as being secure.

Admittedly, the interpretation of guidelines and requirements in standards, which have a descriptive approach in general, is not an easy task. Requirements can be rather generic and wide open to interpretation depending on the context, resources, the current threat landscape, the underlying technologies, etc. Specific requirements might also lead to conflicting interpretations depending on the type of stakeholder, which will inevitably affect the implementation side.

Threat modeling is one way to avoid shortcomings (or even possible shortcuts) in the implementation of standards, and the organization’s own security policies. Think of threat modeling as an enforcement mechanism for the proper implementation of requirements. The reason this is the case is simple; threat modeling thinks of the requirements in terms of relevant threats to the system, and determines mitigations to reduce or completely avoid the associated risks. Consequently, each requirement is mapped to a set of threats and mitigations that covers relevant use cases under specific conditions or context, e.g., what are the trust boundaries, protocols and technologies under use or consideration, third-party interactions, dataflows, data storage, etc.

This is becoming a must-have nowadays since, when it comes to technical requirements, the concern about their interpretation still persists even when companies have been audited against them. In the following, the presented data analysis makes the link between disclosed vulnerabilities in Industrial Control Systems (ICS) and the technical requirements reported in the ‘gold standard’ of standards in this area, namely the IEC 62443. It shows the difficulty of satisfying the requirements in broad terms and the need for more specific context and processes.

CISA ICS advisories’ mapping

The analysis of CISA ICS advisories data, representing close to 2.5K advisories released between 2010 and mid-2023 [3], reveals the extent of the challenge an implementer or an assessor is faced with. Table 1 presents the top weaknesses, the associated count of advisories, and the mapping to IEC 62443 requirements. Affected sectors, the CVSS severity distribution, and top weaknesses per sector are also reported in Figures 1 and 2 and Table 2.

Table 1. Top weaknesses in CISA’s ICS advisories and their IEC 62443 mapping.

| Weakness | Name | Number of advisories | IEC 62443 technical requirement |
|---|---|---|---|
| CWE-20 | Improper Input Validation | 266 | SR/CR 3.5 – Input validation |
| CWE-121 | Stack-based Buffer Overflow | 257 | SR/CR 3.5 – Input validation |
| CWE-79 | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 205 | SR/CR 3.5 – Input validation |
| CWE-119 | Improper Restriction of Operations within the Bounds of a Memory Buffer | 185 | SR/CR 3.5 – Input validation |
| CWE-284 | Improper Access Control | 159 | FR1 – Identification and authentication control (IAC); FR2 – Use control (UC) |
| CWE-125 | Out-of-bounds Read | 158 | SR/CR 3.5 – Input validation |
| CWE-22 | Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) | 149 | SR/CR 3.5 – Input validation |
| CWE-400 | Uncontrolled Resource Consumption | 145 | SR/CR 7.1 – Denial of service protection; SR/CR 7.2 – Resource management |
| CWE-787 | Out-of-bounds Write | 139 | SR/CR 3.5 – Input validation |
| CWE-287 | Improper Authentication | 137 | SR/CR 1.1 – Human user identification and authentication; SR/CR 1.2 – Software process and device identification and authentication |
| CWE-122 | Heap-based Buffer Overflow | 128 | SR/CR 3.5 – Input validation |
| CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor | 115 | FR4 – Data confidentiality (DC); SR/CR 3.7 – Error handling |
| CWE-798 | Use of Hard-coded Credentials | 101 | SR/CR 1.5 – Authenticator management |
| CWE-306 | Missing Authentication for Critical Function | 98 | SR/CR 1.1 – Human user identification and authentication; SR/CR 1.2 – Software process and device identification and authentication; SR/CR 2.1 – Authorization enforcement |
| CWE-352 | Cross-Site Request Forgery (CSRF) | 84 | SR/CR 1.4 – Identifier management |
| CWE-89 | Improper Neutralization of Special Elements Used in an SQL Command (‘SQL Injection’) | 81 | SR/CR 3.5 – Input validation |
| CWE-319 | Cleartext Transmission of Sensitive Information | 75 | SR/CR 4.1 – Information confidentiality |
| CWE-427 | Uncontrolled Search Path Element | 64 | SR/CR 3.5 – Input validation; CR 3.4 – Software and information integrity |
| CWE-120 | Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’) | 62 | SR/CR 3.5 – Input validation |
| CWE-522 | Insufficiently Protected Credentials | 62 | SR/CR 1.5 – Authenticator management |

 

Figure 1. Number of vulnerabilities per sector.

Figure 2. CVSS severity distribution.

 

Table 2. Top weaknesses per sector.

| Sector | Top Weakness | Name | Number of advisories |
|---|---|---|---|
| Critical Manufacturing | CWE-121 | Stack-based Buffer Overflow | 175 |
| Energy | CWE-20 | Improper Input Validation | 147 |
| Water and Wastewater | CWE-20 | Improper Input Validation | 87 |
| Commercial Facilities | CWE-79 | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 42 |
| Food and Agriculture | CWE-20 | Improper Input Validation | 55 |
| Chemical | CWE-20 | Improper Input Validation | 54 |
| Healthcare and Public Health | CWE-284 | Improper Access Control | 32 |
| Transportation | CWE-121 | Stack-based Buffer Overflow | 31 |
| Oil and gas | CWE-119 | Improper Restriction of Operations within the Bounds of a Memory Buffer | 18 |
| Government Facilities | CWE-121 | Stack-based Buffer Overflow | 18 |

 

Guiding requirements’ interpretation

Table 1 shows the varied levels of abstraction the vulnerabilities map to. This is one of the main issues behind the complexity of interpreting requirements, for both implementation and assessment. While a high level of granularity allows the needed security mechanisms to be defined, a low level of granularity during interpretation and implementation is also necessary, because it gives a better understanding of all the types of threats or failures a specific system might be subject to, e.g., given a deployment model or an underlying technology.

The case of the “Input validation” requirement is revealing, with eleven of the top twenty weaknesses in Table 1 falling under it. On the surface, input validation is rather straightforward: analyze inputs and disallow anything that can be considered unsuitable. In practice, however, the number of data properties and input use cases that potentially need validating can be daunting, and it can be hard, or even impossible, to flush out every corner case. The IEC 62443 “input validation” requirement is quite generic and encapsulates two CWE categories: “Validate Inputs” [4] and “Memory Buffer Errors” [5]. It is therefore essential to have a clear understanding of the target application or system in order to identify the relevant threats under each requirement and how to prevent them, i.e., to actually achieve the requirement.
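To make the point concrete, the following added example (not part of the article) decomposes the single “input validation” requirement into the separate checks that several Table 1 weaknesses demand, for one constructed request: a firmware file upload carrying a name, a declared length and a payload. The size cap, the restricted directory and the name allow-list are assumptions chosen for illustration.

```python
"""Added example, not from the article: one IEC 62443 'input validation' requirement
decomposed into the concrete checks that several Table 1 weaknesses call for.
The upload request format, limits and directory are constructed for illustration."""
import posixpath
import re
from dataclasses import dataclass

MAX_PAYLOAD = 4096                      # constructed size cap (resource consumption, CWE-400)
FIRMWARE_DIR = "/srv/firmware"          # constructed restricted directory (path traversal, CWE-22)
NAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")   # constructed allow-list for file names


@dataclass(frozen=True)
class Finding:
    cwe: str
    detail: str


def validate_upload(name: str, declared_len: int, payload: bytes) -> list[Finding]:
    """Return every violated property; an empty list means the request is acceptable.
    Each check is one 'property of the data' that the generic requirement leaves implicit."""
    findings = []
    # Length consistency: a consumer that trusts declared_len to size a copy is the
    # classic unchecked-copy pattern (CWE-120), so the two lengths must agree.
    if declared_len != len(payload):
        findings.append(Finding("CWE-120", f"declared {declared_len} bytes, received {len(payload)}"))
    # Resource bound: accept only what the device can actually hold (CWE-400).
    if len(payload) > MAX_PAYLOAD:
        findings.append(Finding("CWE-400", f"payload of {len(payload)} bytes exceeds cap {MAX_PAYLOAD}"))
    # Syntactic validity of the name: allow-list, not deny-list (CWE-20).
    if not NAME_RE.match(name):
        findings.append(Finding("CWE-20", f"name {name!r} outside the allowed character set"))
    # Semantic validity of the name: the upload must land as a direct child of
    # FIRMWARE_DIR. The allow-list above still admits '..', so this is a separate check (CWE-22).
    resolved = posixpath.normpath(posixpath.join(FIRMWARE_DIR, name))
    if posixpath.dirname(resolved) != FIRMWARE_DIR:
        findings.append(Finding("CWE-22", f"name {name!r} resolves to {resolved}"))
    return findings


def cwes(name: str, declared_len: int, payload: bytes) -> list[str]:
    """Convenience wrapper: just the CWE ids of the findings, in check order."""
    return [f.cwe for f in validate_upload(name, declared_len, payload)]


if __name__ == "__main__":
    for args in [("fw_v2.bin", 3, b"abc"), ("..", 3, b"abc"), ("fw.bin", 10, b"abc")]:
        print(args[0], "->", cwes(*args) or "ok")
```

Note that the name `..` passes the character allow-list and is caught only by the path check: four independent properties stand behind one line in the standard.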

On the other hand, the “Improper access control” weakness [6] is also an interesting case. It is extremely high-level and maps to two foundational requirements of IEC 62443. This highlights an issue with vulnerability disclosure reports, where highly abstract weaknesses are misused in place of more specific ones. A weakness describing the kind of access control actually involved would have been more appropriate, e.g., missing or weak authentication, missing or incorrect authorization, etc. Such coarse labelling is not useful for trend analysis, especially of how real-world vulnerabilities relate to technical requirements in standards and regulations.

Threat modeling is helpful in both cases. Software developers, system architects, and security professionals can understand the requirements and address the predictable security issues that fall under them, given specific assumptions about the application or the system setup. In addition, current threat modeling tools can speed up the process by generating the relevant threats and their mitigations automatically, including on the basis of threat intelligence data. The set of mitigations can also be tailored to meet different needs, for instance the strength of a potential adversary, as is the case in the IEC 62443 standard, where four security levels are defined. These security levels (1 to 4) define technical requirements, along with requirement enhancements, in order to counter different levels of risk.

I believe that by using threat modeling as a framework, the interpretation and mapping of requirements into implementation and deployment measures become more predictable. It will also give developers and system architects a better chance of more complete coverage and accurate description of what the requirements ought to be, given the target system context, its dependencies, and the current threat landscape.

The guest author of this blog is a security researcher at iriusrisk.com.

References

[1] https://arxiv.org/pdf/2303.12340.pdf

[2] https://www.sans.org/white-papers/36497/

[3] https://www.cisa.gov/news-events/cybersecurity-advisories

[4] https://cwe.mitre.org/data/definitions/1019.html

[5] https://cwe.mitre.org/data/definitions/1218.html

[6] https://cwe.mitre.org/data/definitions/284.html 

The post Mind the (Interpretation) gap: Another reason why threat modeling is important appeared first on Cybersecurity Insiders.


APIs, or application programming interfaces, occupy a significant position in modern software development. They have revolutionized how web applications work by enabling applications, containers, and microservices to exchange data smoothly. Developers can link APIs with multiple software products or internal systems, helping businesses interact with their clients and make informed decisions.

Despite the countless benefits, hackers can exploit vulnerabilities within the APIs to gain unauthorized access to sensitive data resulting in data breaches, financial losses, and reputational damage. Therefore, businesses need to understand the API security threat landscape and look out for the best ways to mitigate them.

The urgent need to enhance API security 

APIs enable data exchanges among applications and systems and help in the seamless execution of complex tasks. But as the average number of APIs rises, organizations often overlook their vulnerabilities, making them a prime target for attackers. The State of API Security Q1 2023 report concluded that attacks targeting APIs had increased 400% over the preceding six months.

Security vulnerabilities within APIs compromise critical systems, resulting in unauthorized access and data breaches such as the Twitter and Optus API breaches. Cybercriminals can exploit these vulnerabilities to launch various attacks, including authentication attacks, distributed denial-of-service (DDoS) attacks, and malware attacks. API security has emerged as a significant business issue: another report predicts that by 2023, API abuses will be the most frequent attack vector causing data breaches, and that 50% of data theft incidents will happen due to insecure APIs. As a result, API security has become a top priority for organizations seeking to safeguard their data; insecure APIs may cost businesses $75 billion annually.

Why does API security still pose a threat in 2023?

Securing APIs has always been a daunting task for most organizations, mainly because of misconfigurations within APIs and the rise in cloud data breaches. As the security landscape has evolved, API sprawl has become the top threat to API security. API sprawl is the uncontrolled proliferation of APIs across an organization and is a common problem for enterprises with multiple applications, services, and development teams.

As more APIs are created, they expand the attack surface and become an attractive target for attackers. The issue is that APIs are not always designed with security standards in mind. This leads to a lack of authorization and authentication, exposing sensitive data such as personally identifiable information (PII) or other business data.

API sprawl produces shadow and zombie APIs that further threaten API security. A zombie API is an exposed, abandoned, outdated, or forgotten API, and every one of them widens the API threat landscape. These APIs were useful at some point but were later replaced by newer versions. As organizations work on building new products or features, they leave the existing APIs to linger in the application environment, allowing threat actors to penetrate the vulnerable API and access sensitive data.

By contrast, shadow APIs are third-party APIs often developed without proper oversight, which remain untracked and undocumented. Enterprises that fail to protect against shadow APIs face reliability issues, unwanted data loss, penalties for non-compliance, and increased operational costs.

Moreover, the emergence of new technologies like the Internet of Things (IoT) has introduced more difficulty in maintaining API security. With more devices connected to the internet that can be accessed remotely, any inadequate security measures can lead to unauthorized access and potential data breaches. In addition, generative AI algorithms can pose security challenges. Hackers can use AI algorithms to detect the vulnerabilities within the APIs and launch targeted attacks.

Best practices to improve API security amid rising threats

API security has become a critical concern for organizations and requires a holistic cybersecurity approach to mitigate the threats and vulnerabilities. Developers and security teams must come forward and collaborate to implement the best practices like the ones mentioned below to improve API security:

Discover all the APIs

API discovery is crucial in uncovering modern API security threats like zombie and shadow APIs. Security teams are trained to protect the mission-critical APIs, but discovering the internal, external, and third-party APIs is just as vital to enhancing API security. Organizations must invest in automated API discovery tools that detect every API endpoint and provide visibility into which APIs are live, where they are located, and how they function.

Developers should also monitor API traffic through API gateways and proxies, since that traffic may reveal the presence of shadow APIs. In addition, policies that define how APIs are documented, used, and managed further help locate unknown or vulnerable APIs.
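The reconciliation that gateway traffic makes possible, as an added example that is not part of the original post: observed requests are matched against the documented inventory, so endpoints that receive traffic but appear in no document surface as shadow APIs, and documented endpoints that receive no traffic surface as zombie candidates. The inventory (OpenAPI-style path templates) and the gateway log excerpt are constructed.

```python
"""Added example, not from the article: reconcile API gateway access logs against the
documented API inventory to surface shadow endpoints (live but undocumented) and
zombie candidates (documented but no longer called). Inventory and log are constructed."""
import re

# Constructed inventory, written as OpenAPI-style path templates.
DOCUMENTED = frozenset({
    ("GET", "/v2/users/{id}"),
    ("POST", "/v2/orders"),
    ("GET", "/v2/orders/{id}"),
    ("GET", "/v1/orders/{id}"),     # superseded by /v2 but still in the documentation
})

# Constructed gateway log excerpt: method, path, status.
GATEWAY_LOG = """\
GET /v2/users/1042 200
GET /v2/users/77 200
POST /v2/orders 201
GET /v2/orders/9001 200
GET /internal/debug/config 200
GET /internal/debug/config 200
GET /v1/export/users 200
"""

LOG_RE = re.compile(r"^(?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")


def template_regex(template: str) -> re.Pattern:
    """Turn '/v2/users/{id}' into a regex matching '/v2/users/1042' but not '/v2/users'."""
    parts = []
    for seg in template.strip("/").split("/"):
        is_param = seg.startswith("{") and seg.endswith("}")
        parts.append("[^/]+" if is_param else re.escape(seg))
    return re.compile("^/" + "/".join(parts) + "$")


def reconcile(log_text: str, documented=DOCUMENTED):
    """Return (shadow, zombies): shadow maps each undocumented (method, path) to its hit
    count; zombies is the set of documented endpoints that received no traffic at all."""
    compiled = {key: template_regex(key[1]) for key in documented}
    hits = {key: 0 for key in compiled}
    shadow: dict[tuple[str, str], int] = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue                          # malformed line: skip rather than guess
        method, path = m["method"], m["path"]
        for key, rx in compiled.items():
            if key[0] == method and rx.match(path):
                hits[key] += 1
                break
        else:                                 # no documented template matched
            shadow[(method, path)] = shadow.get((method, path), 0) + 1
    zombies = {key for key, n in hits.items() if n == 0}
    return shadow, zombies


if __name__ == "__main__":
    found_shadow, found_zombies = reconcile(GATEWAY_LOG)
    for (method, path), n in sorted(found_shadow.items()):
        print(f"SHADOW  {method} {path} ({n} hits, undocumented)")
    for method, tmpl in sorted(found_zombies):
        print(f"ZOMBIE? {method} {tmpl} (documented, no traffic in window)")
```

A zombie flagged this way is only a candidate: the log window may simply be too short, so the finding is a prompt to check ownership and retire or re-document the endpoint, not a verdict.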

Assess all APIs via testing

As API security threats become more prevalent, security teams can’t rely on common testing methods alone. They need to adopt more advanced security testing methods such as SAST (static application security testing). SAST is a white-box testing method that identifies vulnerabilities and security flaws within the source code so they can be remediated. Immediate feedback to developers allows them to write secure code, which ultimately leads to secure applications. However, because this form of testing cannot detect vulnerabilities outside the code, security teams should consider complementing it with other tools such as DAST, IAST, or XDR to improve security standards.

Adopt a Zero Trust security framework

Under a Zero Trust model, users must authenticate and be authorized before they can access the data an API exposes, which plays a vital role in reducing the attack surface. In addition, by leveraging Zero Trust architecture (ZTA), APIs can be segmented into smaller units, each with its own set of authentication, authorization, and security policies. This gives security architects more control over API access and enhances API security.

API posture management

API posture management is another effective way to help organizations detect, monitor, and minimize the security threats that vulnerable APIs introduce. Posture management tools continuously monitor the APIs and notify security teams about suspicious or unauthorized activity. This enables organizations to respond promptly to API security threats and reduce the attack surface.

These tools also perform regular vulnerability assessments that scan the APIs for security flaws, allowing organizations to take measures to strengthen API security. Besides this, they provide API auditing capabilities and help ensure compliance with leading industry regulations such as HIPAA or GDPR, as well as with internal policies, to maintain transparency and raise overall security standards.

Implementing API threat prevention

Improving API security is an ongoing task, and threats can still emerge no matter how strong monitoring and security policies are. This raises the need for proactive API threat prevention measures that identify and mitigate potential API threats before they adversely impact the business.

API threat prevention includes using specialized security solutions and techniques like threat modeling, behavioral analysis, vulnerability scanning, incident response, and reporting. Also, by continuous monitoring, enforcing encryption or authentication mechanisms, or API rate limits, organizations can avoid data breaches and ensure uninterrupted business operations.

Final thoughts

With the rise in API adoption, organizations face significant challenges in securing APIs against malicious actors, who otherwise gain unauthorized access and cause data breaches. Ensuring API security is therefore a foremost responsibility of every developer. This can be achieved by following practices like discovering all the APIs, performing security testing, deploying a Zero Trust approach, using API posture management tools, and adopting API threat prevention measures. By following these practices, security teams can reduce the API threat surface, ensure that all APIs are secure, and stay compliant with industry standards.

The post Why is API security the next big thing in Cybersecurity? appeared first on Cybersecurity Insiders.


More than 67% of internet users in the US remain blissfully unaware of online privacy and data protection regulations.

At the same time, the global average cost of data breaches and cyber-attacks has increased by 15% since 2020, to $4.45 million. In fact, compromised credentials and personal information are responsible for nearly 20% of the roughly 1.4 billion security incidents during this period.

As a result, there’s a growing need for a solution to protect sensitive data from potential theft or misuse.

Global Privacy Control (GPC) is an emerging resolution to give users more control over their data when navigating the internet and using digital solutions.

In this article, you’ll learn about the core concept of GPC and its importance in digital protection.

What is Global Privacy Control (GPC)?

Global Privacy Control, or GPC, is a cybersecurity and data privacy initiative to give businesses and individuals greater control over their data, including its storage, distribution, and usage.

It offers a simple, standardized way to assert and protect your privacy rights while surfing the internet and navigating different websites and applications.

Adopting and implementing the protocol sends a “Do Not Collect or Share My Data” signal to digital platforms, prompting them to refrain from selling your data to third parties for advertising and other commercial purposes.

Common data websites collect generally include:

  • Personal information (Name, contact, address, etc.);
  • Browsing history;
  • Live location;
  • Device information (Model, operating system, etc.);
  • IP address;
  • Cookies;
  • Payment information (Card details, digital wallet credentials, etc.);
  • Account credentials (Social media apps, third-party services, etc.);
  • Usage data (Time, features used, launch frequency, and more).

By activating the GPC signal, you can exercise your privacy rights and stop sites and apps from collecting all the information listed (and more).
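On the receiving side, honoring the signal is a small amount of server logic. The following added example (not part of the article) shows how a site detects the GPC request header, switches off only the third-party sale/share purposes while leaving first-party essentials untouched, and publishes the well-known resource that announces GPC support. The `Sec-GPC` header and the `/.well-known/gpc.json` resource follow the GPC specification draft; the processing purposes are constructed for illustration.

```python
"""Added example, not from the article: detecting and honoring a Global Privacy Control
signal on the server. Header and well-known resource names follow the GPC specification
draft; the purpose catalogue below is constructed."""
import json


def gpc_enabled(headers: dict) -> bool:
    """True only for the exact signal `Sec-GPC: 1`.
    An absent header or any other value means no opt-out has been expressed."""
    value = next((v for k, v in headers.items() if k.lower() == "sec-gpc"), None)
    return value is not None and value.strip() == "1"


# Constructed processing purposes. GPC expresses a do-not-sell/share preference, so only
# purposes that share data with third parties are switched off; first-party essentials
# (logging in, fraud prevention) stay allowed, which is what the article calls "core purposes".
PURPOSES = {
    "account_login":    {"essential": True,  "third_party_share": False},
    "fraud_prevention": {"essential": True,  "third_party_share": False},
    "site_analytics":   {"essential": False, "third_party_share": False},
    "targeted_ads":     {"essential": False, "third_party_share": True},
    "data_broker_sale": {"essential": False, "third_party_share": True},
}


def allowed_purposes(headers: dict) -> list[str]:
    """Purposes this request may be processed for, given the visitor's GPC preference."""
    opt_out = gpc_enabled(headers)
    return sorted(
        name for name, attrs in PURPOSES.items()
        if not (opt_out and attrs["third_party_share"])
    )


def gpc_well_known(last_update: str) -> str:
    """Response body for GET /.well-known/gpc.json, announcing that the site honors GPC."""
    return json.dumps({"gpc": True, "lastUpdate": last_update})


if __name__ == "__main__":
    for hdrs in ({}, {"Sec-GPC": "1"}, {"Sec-GPC": "0"}):
        print(hdrs, "->", allowed_purposes(hdrs))
    print(gpc_well_known("2023-08-01"))
```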

The significance of data privacy, and how GPC can help

Data privacy is more critical than ever due to the unprecedented exchange and collection of data on the internet. Digital entities actively collect your valuable data, including personal information, browsing habits, location, financial details, etc.

By creating vast repositories of your data, websites and apps gain insights into your online behavior, and use them to tailor:

  • Ads;
  • UI/UX design;
  • Site content;
  • Products;
  • Services.

However, by doing so, they increase your risk of security breaches and privacy infringements. Hackers and cybercriminals actively target sensitive information like your IP address to orchestrate various attacks, including:

  • Distributed Denial of Service (DDoS) attacks;
  • Spoofing;
  • Ransomware and spyware;
  • Man-in-the-Middle attacks;
  • Brute force attacks, etc.

Fortunately, you can prevent an IP address hack and consequential attacks using a virtual private network (VPN). A VPN encrypts your IP address and online traffic, making it nearly impossible for malicious criminals to access your data.

However, you can take data protection to a whole new level by combining Global Privacy Control with VPN and other essential cybersecurity tools, such as:

  • Anti-malware software;
  • SSL certificates;
  • Multi-factor authentication;
  • Intrusion detection systems, etc.

Preserving data privacy is crucial for protecting valuable data and building trust between users and digital platforms. As it stands, GPC is one of the few initiatives that can proactively prevent breaches by stopping the flow of user data.

Benefits of adopting Global Privacy Control

Below are the key benefits of adopting GPC on websites or apps:

1. Data security & privacy enhancement

GPC enables you to fortify your valuable data against nonconsensual or unauthorized sharing. Hence, you can use your personal information solely for core purposes, such as logging into your account or online transactions.

With GPC protocols, no website or app will record your browsing activity, usage, or online behavior, significantly reducing the risk of attacks, identity theft, and unauthorized access.

2. Transparent data collection and usage

If your business relies on collecting user data, you can use GPC to enable transparent collection and usage. You can share how your site or app collects, processes, and shares user data. This transparency allows visitors, customers, or users to make more informed decisions about engaging with your site or app.

3. Building trust & credibility

If you run an online business, one of the best ways to build trust with users is by respecting their online privacy preferences. This powerful branding and marketing strategy allows you to implement GPC and honor “Do Not Share My Data” requests.

Demonstrating that you care about your user’s privacy needs can improve credibility and foster a long-term relationship with them.

4. Compliance with privacy regulations

In the post-pandemic age, there’s an increased focus on data privacy regulations worldwide, including (but not limited to):

  • General Data Protection Regulation (GDPR) – EU and UK;
  • California Consumer Privacy Act (CCPA);
  • California Privacy Rights Act (CPRA);
  • Personal Information Protection and Electronic Documents Act (PIPEDA) – Canada;
  • Health Information Technology for Economic and Clinical Health Act (HITECH), etc.

These regulations impose strict privacy requirements you must adhere to. Failure to comply could lead to heavy fines and legal liabilities. Moreover, when users learn you’re non-compliant, they’ll hesitate to visit your site or use your app.

5. Empowering user control

Global Privacy Control makes users 100% responsible and accountable for the data they share on digital platforms. You have full control over your sharing preferences and can choose to avoid sharing data with third-party companies directly or through the site or app.

This user-centric approach promotes a sense of ownership and helps businesses mitigate security risks.

Conclusion

As the world rapidly shifts to a digital-first economy, you must take the necessary steps to safeguard data privacy.

With our commitment to Global Privacy Control (GPC), you can maximize data control and privacy protection. So, feel free to delve into our wealth of resources and empower yourself with the knowledge to fortify your online defenses.

The post What Is Global Privacy Control (GPC), and how can it help you protect your data? appeared first on Cybersecurity Insiders.


The supply chain, already fragile in the USA, is at severe and significant risk of damage by cyberattacks. According to research analyzed by Forbes, supply chain attacks now account for a huge 62% of all commercial attacks, a clear indication of the scale of the challenge faced by the supply chain and the logistics industry as a whole. There are solutions out there, however, and the most simple of these concerns a simple upskilling of supply chain professionals to be aware of cybersecurity systems and threats. In an industry dominated by the need for trust, this is something that perhaps can come naturally for the supply chain.

Building trust and awareness

At the heart of a successful supply chain relationship is trust between partners. Building that trust, and securing high quality business partners, relies on a few factors. Cybersecurity experts and responsible officers will see some familiarity – due diligence, scrutiny over figures, and continuous monitoring. In simple terms, an effective framework of checking and rechecking work, monitored for compliance on all sides.

These factors are a key part of new federal cybersecurity rules, according to news agency Reuters. Among other measures are a requirement for companies to have rigorous control over system patching, and measures that would require cloud-hosted services to identify foreign customers. These are simple but important steps, and they hint at what supply chain businesses should be doing: putting in measures to monitor, control, and enforce compliance with respect to cybersecurity threats. That being said, individual businesses may not have the software in place to ensure that level of control. The right tools, and the right personnel, are also essential.

The importance of software

Back in April, the UK’s National Cyber Security Centre released details of specific threats made by Russian actors against business infrastructure in the USA and UK. Highlighted in this were specific weaknesses in business systems, and that includes in hardware and software used by millions of businesses worldwide. The message is simple – even industry standard software and devices have their problems, and businesses have to keep track of that.

There are two arms to ensuring this is done. First, the business should have a cybersecurity officer in place whose role is to monitor current measures and ensure they are kept up to date. Second, budget and time must be allocated at an executive level to promote networking between the business and cybersecurity firms, and between partner businesses, so that consistent cybersecurity measures are implemented across the chain.

Utilizing AI

There is something of a digital arms race when it comes to artificial intelligence. As ZDNet notes, the lack of clear regulation is providing a lot of leeway for malicious actors to innovate, but for businesses to act, too. While regulations are now coming in, it remains that there is a clear role for AI in prevention.

According to an expert interviewed by ZDNet in their profile of the current situation, digital threat hunters are already using sophisticated AI to look for patterns, patches and unusual actions on the network, and are then using these large data sets to join up the dots and provide reports to cyber security officers. Where the challenge arrives is in that arms race; as AI models become more sophisticated and powerful, they will ‘hack’ faster than humans can. The defensive models need to keep up but will struggle with the need to act within regulatory guidelines. The key here will be proactive regulation from the government, to enable businesses to deploy these measures with assurance as to their legality and safety.

With the supply chain involving so many different partners, there are a wider number of wildcards that can potentially upset the balance of the system. However, businesses that are willing to take a proactive step forward and be an example within their own supply chain ecosystem stand to benefit. By building resilience into their own part of the process, and influencing partners to do the same, they can make serious inroads in fighting back against the overwhelming number of supply chain oriented cybersecurity threats.

The post Building Cybersecurity into the supply chain is essential as threats mount appeared first on Cybersecurity Insiders.

Black Hat 2023 is in full swing.

Check out this new episode of ITSecurityGuyTV on cybersecurity and healthcare. AT&T’s head of evangelism, Theresa Lanowitz, visits with ITSecurityGuyTV, Charlie Harold, in this new episode on edge computing’s role in healthcare.

2984 Cybersecurity.ATT.com with Theresa Lanowitz at BHUSA2023 from Security Guy TV on Vimeo.

The post Edge computing’s role in healthcare appeared first on Cybersecurity Insiders.