The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

Introduction:

The landscape of cybercrime continues to evolve, and cybercriminals are constantly seeking new methods to compromise software projects and systems. In a disconcerting development, cybercriminals are now capitalizing on AI-generated, unpublished package names, also known as “AI-hallucinated packages”, by publishing malicious packages under commonly hallucinated package names. It should be noted that artificial hallucination is not a new phenomenon, as discussed in [3]. This article sheds light on this emerging threat, in which unsuspecting developers inadvertently introduce malicious packages into their projects through AI-generated code.


AI-hallucinations:


Artificial intelligence (AI) hallucinations, as described in [2], are confident responses generated by AI systems that lack justification in their training data. Similar to human psychological hallucinations, AI hallucinations involve the AI system providing information or responses that are not supported by the available data. In the context of AI, however, hallucinations are associated with unjustified responses or beliefs rather than false percepts. This phenomenon gained attention around 2022 with the introduction of large language models like ChatGPT, where users observed instances of seemingly random but plausible-sounding falsehoods being generated. By 2023, it was acknowledged that frequent hallucinations in AI systems posed a significant challenge for the field of language models.

The exploitative process:

Cybercriminals begin by deliberately publishing malicious packages within trusted repositories under names commonly hallucinated by large language models (LLMs) such as ChatGPT. These package names closely resemble legitimate and widely used libraries or utilities, such as the legitimate package ‘arangojs’ versus the hallucinated package ‘arangodb’, as shown in the research done by Vulcan [1].

The trap unfolds:


When developers, unaware of the malicious intent, use AI-based tools or large language models (LLMs) to generate code snippets for their projects, they can inadvertently fall into a trap. The AI-generated code snippets can reference imaginary, unpublished libraries, and cybercriminals register packages under the imaginary names that such tools produce most often. As a result, developers unknowingly import malicious packages into their projects, introducing vulnerabilities, backdoors, or other malicious functionality that compromises the security and integrity of the software and possibly of other projects.

Implications for developers:

The exploitation of AI-generated hallucinated package names poses significant risks to developers and their projects. Here are some key implications:

  1. Trusting familiar package names: Developers commonly rely on package names they recognize when introducing code snippets into their projects. The presence of malicious packages under commonly hallucinated names makes it increasingly difficult to distinguish legitimate from malicious options when that recognition-based trust is extended to AI-generated code.
  2. Blind trust in AI-generated code: Many developers embrace the efficiency and convenience of AI-powered code generation tools. However, blind trust in these tools without proper verification can lead to unintentional integration of malicious code into projects.

Mitigating the risks:


To protect themselves and their projects from the risks associated with AI-generated code hallucinations, developers should consider the following measures:

  1. Code review and verification: Developers must meticulously review and verify code snippets generated by AI tools, even if they appear to be similar to well-known packages. Comparing the generated code with authentic sources and scrutinizing the code for suspicious or malicious behavior is essential.
  2. Independent research: Conduct independent research to confirm the legitimacy of the package. Visit official websites, consult trusted communities, and review the reputation and feedback associated with the package before integration.
  3. Vigilance and reporting: Developers should maintain a proactive stance in reporting suspicious packages to the relevant package managers and security communities. Promptly reporting potential threats helps mitigate risks and protect the wider developer community.
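The independent-research step above can be partly automated before anyone runs `npm install` or `pip install`. The following is an added example, not code from the original post or from Vulcan's research: it pulls package names out of a generated snippet and compares them with the packages a project already depends on, flagging anything unknown and pointing out when an unknown name is a near miss of a real dependency (the `arangodb` / `arangojs` pattern described above). The allowlist, the `fastrequests` name, and the snippets are constructed for the demonstration; a real project would load the allowlist from its lockfile.

```python
import difflib
import re
import sys
from dataclasses import dataclass
from typing import List

# Constructed allowlist standing in for the project's lockfile; in practice load it
# from package-lock.json or requirements.txt so the check reflects real dependencies.
KNOWN_PACKAGES = {"arangojs", "express", "lodash", "requests", "numpy"}

# Python standard-library modules never come from a registry, so they are trusted here.
STDLIB = set(getattr(sys, "stdlib_module_names", {"os", "sys", "re", "json"}))

# JS module specifiers: require('x'), import x from 'x', import 'x'. Specifiers that
# start with '.' or '/' are local files, not registry packages, and are skipped.
JS_SPECIFIER = re.compile(
    r"""(?:require\(\s*|^[ \t]*import\s+(?:[^'"\n]*?\s+from\s+)?)['"](?P<name>[^'"./][^'"]*)['"]""",
    re.M,
)
# Top-level module of a Python import: "import a.b" / "from a.b import c" -> "a".
PY_SPECIFIER = re.compile(r"^[ \t]*(?:import|from)\s+(?P<name>[A-Za-z_]\w*)", re.M)


@dataclass
class Finding:
    name: str         # package name as written in the generated code
    status: str       # "known" or "unknown"
    near_match: str   # closest allowlisted name when an unknown name resembles one


def extract_packages(snippet: str, lang: str) -> List[str]:
    """Registry package names referenced by a snippet of generated code."""
    if lang == "javascript":
        roots = []
        for spec in JS_SPECIFIER.findall(snippet):
            parts = spec.split("/")
            # An npm package name is the first path segment, or two for @scope/name.
            roots.append("/".join(parts[:2]) if spec.startswith("@") else parts[0])
        return roots
    if lang == "python":
        return [n for n in PY_SPECIFIER.findall(snippet) if n not in STDLIB]
    raise ValueError(f"unsupported language: {lang}")


def check_snippet(snippet: str, lang: str) -> List[Finding]:
    """Mark each referenced package as known (already a dependency) or unknown."""
    findings = []
    for name in extract_packages(snippet, lang):
        if name in KNOWN_PACKAGES:
            findings.append(Finding(name, "known", ""))
            continue
        # An unknown name a character or two away from a real dependency is the
        # pattern in the text above ('arangodb' next to the real 'arangojs').
        close = difflib.get_close_matches(name, KNOWN_PACKAGES, n=1, cutoff=0.7)
        findings.append(Finding(name, "unknown", close[0] if close else ""))
    return findings


def unknown_packages(snippet: str, lang: str) -> List[Finding]:
    """Only the findings that need a human to confirm the package really exists."""
    return [f for f in check_snippet(snippet, lang) if f.status == "unknown"]


if __name__ == "__main__":
    # Constructed snippet in the style of an AI-generated answer.
    generated = "const { Database } = require('arangodb');\nimport express from 'express';\n"
    for f in unknown_packages(generated, "javascript"):
        hint = f" (close to known package {f.near_match})" if f.near_match else ""
        print(f"verify before installing: {f.name}{hint}")
```

A flagged name is not proof of malice; it is the prompt to do the manual check the post recommends (official site, maintainers, download history) before the package is added to the lockfile.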

Conclusion:

The exploitation of commonly hallucinated package names through AI generated code is a concerning development in the realm of cybercrime. Developers must remain vigilant and take necessary precautions to safeguard their projects and systems. By adopting a cautious approach, conducting thorough code reviews, and independently verifying the authenticity of packages, developers can mitigate the risks associated with AI-generated hallucinated package names.

Furthermore, collaboration between developers, package managers, and security researchers is crucial in detecting and combating this evolving threat. Sharing information, reporting suspicious packages, and collectively working towards maintaining the integrity and security of repositories are vital steps in thwarting the efforts of cybercriminals.

As the landscape of cybersecurity continues to evolve, staying informed about emerging threats and implementing robust security practices will be paramount. Developers play a crucial role in maintaining the trust and security of software ecosystems, and by remaining vigilant and proactive, they can effectively counter the risks posed by AI-generated hallucinated packages.

Remember, the battle against cybercrime is an ongoing one, and the collective efforts of the software development community are essential in ensuring a secure and trustworthy environment for all.

The guest author of this blog works at www.perimeterwatch.com

Citations:

  1. Lanyado, B. (2023, June 15). Can you trust ChatGPT’s package recommendations? Vulcan Cyber. https://vulcan.io/blog/ai-hallucinations-package-risk
  2. Wikimedia Foundation. (2023, June 22). Hallucination (Artificial Intelligence). Wikipedia. https://en.wikipedia.org/wiki/Hallucination_(artificial_intelligence)
  3. Ji Z, Lee N, Frieske R, Yu T, Su D, Xu Y, et al. Survey of hallucination in natural language generation. ACM Comput Surv. (2023 June 23). https://doi.org/10.1145/3571730

The post Code Mirage: How cyber criminals harness AI-hallucinated code for malicious machinations appeared first on Cybersecurity Insiders.



Many industries are experiencing rapid growth thanks to the seemingly overnight advancement of new technologies. Artificial intelligence, for example, has swiftly gone from a vague possibility to being a major component in numerous digital systems and processes. Another technology that has somewhat snuck up on us is blockchain.

Many people associate blockchain with cryptocurrency. However, while blockchain was primarily being used as a decentralized ledger to secure and confirm cryptocurrency trades, it is now being used in numerous other applications across a range of industries.

Blockchain-as-a-service, for example, offers third-party management of cloud-based networks for companies building blockchain applications. More broadly, industries such as shipping and logistics are starting to use blockchain to secure transactions.

What is blockchain and where did it all begin?

Blockchain is quickly becoming the new must-have technology, but like any new tech, it has seen an interesting evolution from where it started to where it is today.

Blockchain was first created to make the trading of digital currency more secure. The concept was to have a decentralized currency that could easily be tracked without relying on banks. Thus, blockchain was invented as a public ledger that stores all information in blocks, with each block representing a transaction. Each new block includes a reference to the previous block, which links, or chains, all of the blocks together.

This chaining is what makes transactions, or the exchange of information, so much more secure, because blocks are difficult to replicate or change. If someone wanted to replicate or change one block, they would also have to change all the blocks it is linked to.
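The tamper-evidence just described comes from each block carrying the hash of the block before it. The following is an added example, not code from the original post: a minimal hash chain of constructed shipping-ledger entries, a verifier that reports the first block whose contents or link no longer match, and a `tamper` helper used to show what happens when one block is edited. `GENESIS_LINK`, the block layout and the sample entries are assumptions made for the demonstration.

```python
import copy
import hashlib
import json
from typing import List, Optional

GENESIS_LINK = "0" * 64  # the first block has no predecessor to reference


def block_hash(block: dict) -> str:
    """Hash the block's own contents together with the link to its predecessor."""
    material = json.dumps(
        {"index": block["index"], "prev_hash": block["prev_hash"], "data": block["data"]},
        sort_keys=True,
    ).encode("utf-8")
    return hashlib.sha256(material).hexdigest()


def build_chain(transactions: List[str]) -> List[dict]:
    """Append one block per transaction, each carrying the previous block's hash."""
    chain = []
    prev = GENESIS_LINK
    for index, tx in enumerate(transactions):
        block = {"index": index, "prev_hash": prev, "data": tx}
        block["hash"] = block_hash(block)
        chain.append(block)
        prev = block["hash"]
    return chain


def verify_chain(chain: List[dict]) -> Optional[int]:
    """Return the index of the first block that breaks the chain, or None if intact.

    A block is bad when its stored hash no longer matches its contents, or when
    its prev_hash does not equal the hash of the block before it.
    """
    expected_prev = GENESIS_LINK
    for block in chain:
        if block["prev_hash"] != expected_prev or block["hash"] != block_hash(block):
            return block["index"]
        expected_prev = block["hash"]
    return None


def tamper(chain: List[dict], index: int, new_data: str,
           recompute_own_hash: bool = False) -> List[dict]:
    """Copy the chain with one block's data changed; optionally refresh that
    block's own hash, as a forger who understands the format would."""
    forged = copy.deepcopy(chain)
    forged[index]["data"] = new_data
    if recompute_own_hash:
        forged[index]["hash"] = block_hash(forged[index])
    return forged


if __name__ == "__main__":
    # Constructed sample ledger entries.
    ledger = build_chain(["container 1 loaded", "container 2 loaded", "vessel departed"])
    print("intact chain:", verify_chain(ledger))
    print("block 1 edited:", verify_chain(tamper(ledger, 1, "container 2 lost")))
    print("edited and re-hashed:", verify_chain(tamper(ledger, 1, "container 2 lost", True)))
```

Editing block 1 alone is caught at block 1, because its stored hash no longer matches. Re-hashing block 1 to cover that up moves the failure to block 2, whose stored link still names the old hash, so a forger has to rewrite every block chained after the edited one as well; in a real network that rewritten history then has to be accepted by the other participants, which is where the decentralization described above does its work.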

Once other industries realized the genius of the concept, they started adopting it as well. Financial institutions, for example, which of course, are founded on the idea of transactions and exchanging of money, quickly saw the appeal of using blockchain. Fintech companies, in particular, that had their sights set on building finance systems of the future were early adopters of blockchain technologies. Many of these same businesses are now combining blockchain technologies with mobile tech offerings, among others, to increase efficiency.

Now we are seeing what is being called “blockchain scaling,” the newest innovation using blockchain. Traditionally, every computer in a network must process every transaction, which is slow. With blockchain scaling, the process can be accelerated without sacrificing security.

Today, a scaled blockchain is believed to be fast enough to power our more advanced technologies that store and exchange data and information, like the Internet of Things (IoT). This makes blockchain ideal for any number of industries, not just cryptocurrency trading and banks.

How blockchain is revolutionizing transportation, shipping, and logistics

If there is one process that encompasses transportation, shipping, and logistics, it’s the supply chain. And supply chain management, like numerous other processes, has seen a sudden growth with digitalization and the adoption of new technologies that allow for optimization and fewer inefficiencies.

Supply chain processes rely on the linking of various systems to coordinate the manufacturing and shipping of products. In other words, a wealth of data is being shared and transferred throughout the supply chain process, making this an ideal sector to use blockchain technology.

Global shipping

The global shipping industry has long faced a number of issues that result in delays and other errors, which can come at high costs. With blockchain, however, shipping companies will have the framework to mitigate these issues and speed up operations.

In particular, the U.S. Department of Transportation Maritime Administration reports that blockchain can help with the following to increase shipping efficiency:

  • Shipment tracking;
  • Smart bills of lading (B/Ls);
  • Smart contracts.

For example, a lack of real-time information availability and poor tracking capabilities leads to high volumes of canceled orders and cargo loss, which can cost companies thousands of dollars. But these issues can be solved with blockchain technologies.

Delays related to B/Ls are another problem. A B/L provides all the necessary information for the processing of a shipment from carrier to shipper, serving as a receipt, contract, and document of ownership. Traditionally, however, B/Ls can take days to arrive, yet they are needed before a shipment can be processed.

Fraud is also a concern, as B/Ls can easily be modified and forged. Blockchain, however, enables the digitalization of these documents and speeds up the process of exchanging data throughout the entire shipping process, creating an overall more efficient shipping system.

Transportation

The transportation industry is also expected to benefit greatly from blockchain. The implementation of this technology in the freight industry is slow-moving, but once it happens, it will benefit carriers in various ways. Expected changes include:

  • Enabling carriers to connect to a permissioned blockchain network;
  • Carriers soliciting freight from third-party providers more easily, through a connected blockchain network;
  • Blockchain networks matching carriers with available trucks to loads;
  • Faster generating and sending of smart contracts;
  • Faster and more secure shipment tracking;
  • Faster generating and sending of invoices so carriers can be paid more easily.

As a whole, blockchain can increase efficiency across the freight and transportation sector while also reducing administrative burdens and increasing transparency.

Aviation

The aviation sector is another industry that deals in transportation and shipping, where blockchain has captured interest. It can help with security and identity management, baggage management, ticketing, maintenance orders, loyalty programs, and more. Any process that involves sharing data or information, which is most processes these days as everything is digitized, can benefit from blockchain technologies.

Wrapping up

As a final note, it’s important to understand that, for all the advantages of using blockchain, the implementation of any new technology comes with risks. Though people sing the praises of blockchain for how secure it is, it’s not foolproof.

Cybercriminals, for example, get more clever with every passing day, and they can and will find ways to compromise blockchain technology. This is not to say that the shipping and transportation industries should avoid blockchain, but rather that when implementing this new technology, companies should make cybersecurity a priority.

To ensure blockchain is the most efficient, it’s necessary to first understand all the risks that come with it to mitigate issues going forward. Only then can shipping and logistics companies truly benefit and revolutionize their industries using blockchain technology.

The post The impact of blockchain technology on the future of shipping and logistics appeared first on Cybersecurity Insiders.


As we go about our daily lives, whether that be shopping with the family, enjoying dinner at a restaurant, finding our gate at the airport, or even watching TV, we find ourselves more and more often encountering the QR code. These black-and-white checkerboards of sorts have gained a reputation for being a fast and convenient way of obtaining information via our smartphones while at the same time contributing to environmental conservation, as they allow businesses such as retailers and restaurants to print fewer paper menus or flyers.

But before you whip out that phone and activate your camera, you should be aware that these seemingly innocuous QR codes can also be used for purposes you aren’t anticipating. Adversaries can abuse them to steal your money, identity, or other data. In fact, the term in the cybersecurity industry for attacks that use QR codes as a means of delivery is “quishing.” Although this may sound cute, the intentions behind these intrusions are, in reality, quite sinister.

A brief history of the QR code

While it may seem like we have only been interacting with QR codes over the past several years, they were in fact invented almost 30 years ago in 1994 by a Japanese company called Denso Wave, a subsidiary of Toyota Motor Corporation, for the purposes of tracking automotive parts in the assembly process. QR stands for “quick response” and is a sophisticated type of bar code that utilizes a square pattern containing even smaller black and white squares that represent numbers, letters, or even non-Latin scripts which can be scanned into a computer system. Have you ever noticed that there are larger black and white squares in just three of the corners of a QR code? Their purpose is to allow a scanning device to determine the code’s orientation, regardless of how it may be turned.

The use of QR codes has expanded considerably since 1994. They have become a favored means for businesses to circulate marketing collateral or route prospects to web forms, and other even more creative uses have also been cultivated. Instead of printing resource-consuming user manuals, manufacturers may direct their consumers to web-hosted versions that can be reached by scanning codes printed on the packaging materials. Event venues print QR codes on tickets that can be scanned upon entry to verify validity, and museums post signs next to exhibits with QR codes for visitors to obtain more information. During the COVID-19 pandemic, the use of QR codes accelerated as organizations sought to create contactless methods of doing business.

The dangers that lie beneath

QR codes don’t appear to be going away anytime soon. The speed and versatility they offer are hard to deny. However, any hacker worth their salt understands that the most effective attacks leverage social engineering to prey upon human assumptions or habits. We’ve become accustomed to scanning QR codes to quickly transact or to satisfy our sense of curiosity, but this convenience can come at a cost. Several websites make it incredibly simple and low cost (or free) for cybercriminals to generate QR codes, which they can use to do any of the following:

  • Open a spoofed web page – Upon scanning the QR code, your browser will open a fake web page that appears to be a legitimate business, such as a bank or e-commerce site, where you are requested to provide login credentials or payment data, also known as a phishing attack. It is also possible that this site contains links to malware.
  • Recommend an unscrupulous app – You will be directed to a particular app on the Apple App Store or Google Play Store and given the option to download the app to your mobile device. These apps can contain malware that installs additional programs, or they may collect and share sensitive information from your mobile device with their developers and other third parties. This information could be your name, phone number, email address, photos, location, purchasing information, and browsing history.
  • Automatically download content onto your devices – This may include photos, PDFs, documents, or even malware, ransomware, and spyware.
  • Connect to a rogue wireless network – QR codes may contain a Wi-Fi network name (SSID), encryption (or none), and password. Once scanned, you will receive a notification banner with a link to connect to the network. From there, a hacker can monitor and capture information transmitted over the network in what’s referred to as a “man-in-the-middle attack.”
  • Make a phone call – A notification will appear, confirming that you’d like to call the number programmed into the QR code. Someone will answer, claiming to be a legitimate business but then requesting personal or financial information and/or adding you to a list to be spammed later.
  • Compose an email or text message – An email or text message is prepopulated with the message and recipient that the QR creator has programmed. You will then receive a notification banner confirming that you would like to send it. Once you do so, your email address or phone number may be added to a spam list or targeted for phishing attacks.
  • Trigger a digital payment – QR codes may be used to process payments through PayPal, Venmo, or other means. This one may seem like an easy one to spot, but what if the QR code was placed on a parking meter with a message to scan it to submit payment for the time your automobile will be occupying the spot?

Five ways to defend against malicious QR codes

Spotting a malicious QR code may be difficult because the displayed URLs are often shortened or hosted on cloud platforms, such as Amazon Web Services (AWS). Fortunately, there are things you can do to reduce your chance of falling victim to a quishing attack:

  1. Ask yourself “How certain am I of the creator of this QR code?” One that is printed on food packaging or posted on a permanently mounted sign at a train station may have a lower risk of being malicious than one that is printed on a sticker at your local brewery or on a flyer handed to you by someone you don’t know. If you receive an email or text containing a QR code from a reputable source, verify that it is legitimate by responding through a different means like sending a message through another platform or making a phone call.
  2. Determine if there is an alternate way of obtaining the information you seek, such as navigating to the business’ public website or requesting a paper menu.
  3. Never enter login credentials or any sensitive personal or financial information, such as credit card numbers or social security numbers, on a webpage obtained by scanning a QR code.
  4. Don’t jailbreak your device. This will bypass the restrictions and security intentionally placed on your device by the manufacturer and expose it to malware and other risks.
  5. Ensure that you have a mobile threat defense solution installed on your tablets and smartphones to block phishing attempts, malicious websites and risky network connections.
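The payload types listed earlier (web page, Wi-Fi join, phone call, message, payment) are all just text that the scanner app interprets, so a defender can triage the decoded string before the phone acts on it, which is what the mobile threat defense mentioned in step 5 does behind the scenes. The following is an added example, not code from the original post or from any particular product: it classifies a decoded QR payload by the action it would trigger and lists review reasons drawn from the warnings above (shortened links, unencrypted Wi-Fi, calls to unknown numbers, pages that ask for credentials or payment). The shortener list, the keyword heuristics and the sample payloads are constructed for the demonstration; the `WIFI:T:...;S:...;P:...;;` layout is the common Wi-Fi QR convention.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample of shortener hosts; a real deployment would use a maintained feed.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}

# Path words that suggest a page asking for credentials or money (constructed heuristic).
SENSITIVE_PATH_WORDS = ("login", "signin", "verify", "pay")

# Fields of a Wi-Fi join payload: T=auth type, S=SSID, P=password, H=hidden network.
WIFI_FIELD = re.compile(r"(?P<key>[TSPH]):(?P<value>(?:\\.|[^;])*);")


def parse_wifi(payload: str) -> dict:
    """Split 'WIFI:T:WPA;S:name;P:secret;;' into its fields."""
    return {m.group("key"): m.group("value")
            for m in WIFI_FIELD.finditer(payload[len("WIFI:"):])}


def _is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage(payload: str) -> dict:
    """Classify a decoded QR payload by the action it triggers and why it needs a look."""
    lower = payload.lower()
    reasons = []

    if lower.startswith("wifi:"):
        fields = parse_wifi(payload)
        reasons.append("joins a network chosen by whoever printed the code")
        if fields.get("T", "").lower() in ("", "nopass"):
            reasons.append("network has no encryption, traffic can be observed")
        return {"action": "join-wifi", "risk": "high", "reasons": reasons,
                "ssid": fields.get("S", "")}

    if lower.startswith("tel:"):
        return {"action": "call", "risk": "medium",
                "reasons": ["places a call to a number you did not choose"]}

    if lower.startswith(("mailto:", "sms:", "smsto:")):
        return {"action": "message", "risk": "medium",
                "reasons": ["sending confirms your address or number to the recipient"]}

    if lower.startswith(("http://", "https://")):
        url = urlparse(payload)
        host = (url.hostname or "").lower()
        risk = "low"
        if url.scheme == "http":
            reasons.append("unencrypted http link")
            risk = "medium"
        if host in SHORTENER_HOSTS:
            reasons.append("shortened link hides the real destination")
            risk = "high"
        if _is_ip(host):
            reasons.append("destination is a raw IP address, not a named site")
            risk = "high"
        if any(word in url.path.lower() for word in SENSITIVE_PATH_WORDS):
            reasons.append("path suggests a page asking for credentials or payment")
            risk = "high"
        return {"action": "open-url", "risk": risk, "reasons": reasons, "host": host}

    # Anything else is plain text the scanner merely displays.
    return {"action": "show-text", "risk": "low", "reasons": []}


if __name__ == "__main__":
    # Constructed payloads; 192.0.2.0/24 and example.com are reserved documentation values.
    for sample in ("WIFI:T:nopass;S:Free Airport WiFi;;",
                   "https://bit.ly/constructed-example",
                   "http://192.0.2.10/login",
                   "https://www.example.com/menu",
                   "tel:+15555550100",
                   "Table 12"):
        result = triage(sample)
        print(f"{result['risk']:6} {result['action']:10} {sample}  {'; '.join(result['reasons'])}")
```

The risk labels are only a prompt for the human checks in the list above: a "high" result means show the destination and ask before acting, not block outright, since many legitimate menus and tickets also use shortened links.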

This topic was covered in a SecurityInfoWatch piece today.

The post What may be lurking behind that QR code appeared first on Cybersecurity Insiders.


In the realm of information security and covert communication, image steganography serves as a powerful technique for hiding sensitive data within innocent-looking images. By embedding secret messages or files within the pixels of an image, steganography enables covert transmission without arousing suspicion. This article aims to delve into the world of image steganography, exploring its principles, techniques, and real-world applications.

Understanding image steganography

  • Image steganography is the practice of concealing information within the data of digital images without altering their visual appearance. The hidden data can include text, images, audio, or any other form of binary information.
  • Image steganography serves as a clandestine communication method, providing a means to transmit sensitive information without arousing the suspicion of adversaries or unauthorized individuals. It offers an additional layer of security and confidentiality in digital communication.
  • Steganography vs. Cryptography: While cryptography focuses on encrypting data to render it unreadable, steganography aims to hide the existence of the data itself, making it inconspicuous within an image. Steganography can be used in conjunction with encryption to further enhance the security of covert communication.

Techniques of image steganography

  • LSB substitution: The Least Significant Bit (LSB) substitution method involves replacing the least significant bits of pixel values with secret data. As the least significant bits have minimal impact on the visual appearance of the image, this technique allows for the hiding of information without noticeably altering the image.
  • Spatial domain techniques: Various spatial domain techniques involve modifying the pixel values directly to embed secret data. These techniques include modifying pixel intensities, color values, or rearranging pixels based on a predefined pattern.
  • Transform domain techniques: Transform domain techniques, such as Discrete Cosine Transform (DCT) or Discrete Fourier Transform (DFT), manipulate the frequency domain representation of an image to embed secret data. This allows for the concealment of information within the frequency components of an image.
  • Spread spectrum techniques: Inspired by radio frequency communication, spread spectrum techniques spread the secret data across multiple pixels by slightly modifying their values. This method makes the hidden data more robust against detection and extraction attempts.
  • Adaptive steganography: Adaptive techniques dynamically adjust the embedding process based on the image content and local characteristics, making the hidden data even more resistant to detection. This approach enhances security and makes it harder for adversaries to identify stego images.
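The LSB substitution technique at the top of this list is simple enough to show end to end. The following is an added example, not code from the original post or from OpenStego: it embeds a message into the least significant bits of a list of grayscale pixel values, prefixed with a 4-byte length so the extractor knows where to stop, extracts it again, and reports two numbers a practitioner cares about, the largest per-pixel change (never more than 1) and the share of 1 bits in the LSB plane, which is one of the crude statistics steganalysis looks at because embedded data pulls it toward 0.5. The cover image is a constructed ramp of even values rather than a real file; reading pixels from a PNG would need an imaging library and is left out.

```python
from typing import Iterator, List

HEADER_BITS = 32  # a 4-byte length prefix tells the extractor where the payload ends


def _bits(data: bytes) -> Iterator[int]:
    """Yield the bits of data, most significant bit of each byte first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def capacity_bytes(cover: List[int]) -> int:
    """Bytes that fit when each pixel donates one least significant bit."""
    return max(0, (len(cover) - HEADER_BITS) // 8)


def embed(cover: List[int], message: bytes) -> List[int]:
    """Write message into the LSB plane of cover, preceded by its length."""
    if len(message) > capacity_bytes(cover):
        raise ValueError(f"cover holds {capacity_bytes(cover)} bytes, message is {len(message)}")
    payload = len(message).to_bytes(4, "big") + message
    stego = list(cover)
    for idx, bit in enumerate(_bits(payload)):
        stego[idx] = (stego[idx] & 0xFE) | bit  # clear the LSB, then set it to the payload bit
    return stego


def extract(stego: List[int]) -> bytes:
    """Read the length prefix, then that many bytes, back out of the LSB plane."""
    lsbs = [p & 1 for p in stego]
    length = int("".join(map(str, lsbs[:HEADER_BITS])), 2)
    needed = HEADER_BITS + 8 * length
    if needed > len(lsbs):
        raise ValueError("length prefix exceeds image size: not a valid stego image")
    body = lsbs[HEADER_BITS:needed]
    return bytes(int("".join(map(str, body[i:i + 8])), 2) for i in range(0, len(body), 8))


def max_abs_diff(cover: List[int], stego: List[int]) -> int:
    """Largest per-pixel change; LSB substitution never exceeds 1."""
    return max(abs(a - b) for a, b in zip(cover, stego))


def lsb_ones_fraction(pixels: List[int], count: int = 0) -> float:
    """Share of 1 bits in the LSB plane, over the first `count` pixels if given.
    Embedded data drags this toward 0.5, a crude signal steganalysis examines."""
    region = pixels[:count] if count else pixels
    return sum(p & 1 for p in region) / len(region)


if __name__ == "__main__":
    # Constructed 64x64 grayscale cover: a smooth ramp of even values, so its LSB plane is all zero.
    cover = [2 * (i % 128) for i in range(64 * 64)]
    secret = b"Hello from the cover image"
    stego = embed(cover, secret)
    print(extract(stego))
    print("max pixel change:", max_abs_diff(cover, stego))
    print("LSB ones, cover vs stego region:",
          lsb_ones_fraction(cover), lsb_ones_fraction(stego, HEADER_BITS + 8 * len(secret)))
```

Two practical points follow from the code: capacity is one bit per pixel (a 64x64 grayscale image holds 508 bytes after the header), and because only the LSB plane moves, the visual change is invisible while the bit statistics change noticeably, which is exactly the trade-off the transform-domain and adaptive techniques above try to improve on.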

Let’s see a working example of image steganography using a free tool called OpenStego, which can be downloaded from the OpenStego website. You will need the Java Runtime Environment installed for OpenStego to work on your system.

Once you’ve installed OpenStego, you will see its interface as shown below:

OpenStego tool screen capture

It has multiple options, including Hide Data and Extract Data; more about these options can be found in the tool’s official documentation.

We need two files: a Message File (the data we want to hide) and a Cover File (the file we will use as a cover to hide the message file).

I have downloaded two image files for the same.

message and image screenshots - both look harmless and cute

Now, let’s hide the message file, which is a quote, inside the cover file, which is the “Hello” image.

After that, you will have to provide the directory and name for the output file. The same can be seen in the snapshot below:

openstego screen where you can enter password for the message

You can also choose to encrypt the hidden data so that it is not accessible without a password. Click Hide Data once you have followed all the steps.

After the process is completed, a success popup will appear on the OpenStego screen.

OpenStego working

Now we have three files, and the output file is the one that contains the hidden message file.

input, message and output, where output looks just like input

If we compare the properties of the output file and the cover file, we will notice certain differences, such as a different file size.

Now, let’s delete the cover file and message file and try to extract the data. If you open the output file you won’t notice any difference as it appears the same as any other image file. However, let’s try to extract data using OpenStego.

We have to select the path of the file we wish to extract data from and provide a destination folder for extraction. We also have to provide the password if any was chosen at the time of hiding the data.

entering password in openstego to get hidden message

Let’s select Extract Data. Once the extraction is done, a confirmation pop-up will appear on your screen.

extracting hidden message in openstego

Let us check the extracted file by going to the destination folder we assigned for the extraction of the message file.

seeing original message in openstego

As visible in the snapshot above, the message file is successfully extracted.

Real-world applications of steganography

  • Covert communication: Image steganography finds applications in covert communication where parties need to exchange sensitive information discreetly. This includes intelligence agencies, law enforcement, and whistleblowers who require secure channels for sharing classified or confidential data.
  • Digital watermarking: Steganography techniques can be employed for digital watermarking to embed copyright information, ownership details, or authentication codes within images. This allows for tracking and protecting intellectual property rights.
  • Information hiding in multimedia: Image steganography can be extended to other forms of multimedia, including audio and video, allowing for the concealment of information within these media formats. This can be used for copyright protection, digital rights management, or covert messaging.
  • Steganalysis and forensics: Image steganalysis focuses on detecting the presence of hidden information within images. Forensic investigators can employ steganalysis techniques to identify potential steganographic content, aiding in digital investigations.

Conclusion

Image steganography has emerged as a sophisticated method for covert communication and secure data transmission. By exploiting the subtle nuances of digital images, sensitive information can be hidden from prying eyes. As technology advances, the field of steganography continues to evolve, with new techniques and algorithms being developed to enhance the security and robustness of data hiding.

However, it is essential to balance the use of steganography with ethical considerations and adhere to legal frameworks to ensure its responsible and lawful application. As information security remains a critical concern in the digital age, image steganography serves as a valuable tool in safeguarding sensitive data and enabling secure communications.

The post Image steganography: Concealing secrets within pixels appeared first on Cybersecurity Insiders.


Data Security Posture Management (DSPM) plays a critical role in identifying security risks, prioritizing misconfigurations, and implementing a zero-trust framework. It is an emerging technology, and there are only a few capable solutions that provide good product offerings. Check out the list of some of the best DSPM platforms that can be considered to streamline data protection, governance, and compliance efforts.

Top Data Security Posture Management (DSPM) tools to watch

1. Securiti DSPM

Securiti DSPM ranks at the top of Gartner’s list of DSPM platforms in this category. Gartner has given it a rating of 4.7, the highest among the products listed. The tool is built to protect an organization’s data, especially sensitive data, everywhere. The platform covers data in numerous environments and across various formats, such as structured and unstructured data systems.

Users can gain visibility of their data at rest and in motion across public, private, hybrid, and multi-cloud systems. The solution also covers SaaS environments which is a plus since traditionally, DSPM covers only public clouds. The solution leverages AI/ML-powered sensitive data insights to streamline their data governance strategy, data lineage, access policies and controls, and privacy operations, such as cross-border transfer policies.

2. Symmetry DataGuard

Symmetry DataGuard comes second to Securiti in ranking and rating as well. The DSPM solution has received a 4.6 rating in the Product Capabilities and Customer Experience categories. It delivers real-time data protection. With visibility of data and advanced analytics, security teams can not only ensure data security but also availability and integrity. Users can leverage that granular information to power their IAM engines to implement effective data controls, access, and permission.

Symmetry DataGuard can be expensive, and you’ll need to invest time to understand the product because of its extensive capabilities and features.

3. Sentra

Sentra’s DSPM platform is built for speed and efficiency. The platform offers agentless discovery, which means that data doesn’t leave an organization’s secure environment, and hence there’s zero disruption to the productivity of teams.

Another important aspect of Sentra’s DSPM solution is that it is easy to implement and scale. It further offers great integration capability and thus enables organizations to integrate with various ecosystems for discovering data.

4. Dig Security Platform

Up to 77% of users would recommend Dig Security Platform, suggests Gartner. The DSPM platform has garnered a 4.2 rating on the review platform. The tool can help security and data teams to effectively identify and discover data and perform accurate categorization and classification.

The data detection and response capabilities of the solution further ensure robust data protection. Teams can have a complete understanding of their data spread across physical and virtual databases and protect sensitive data from security risks, such as data exfiltration, ransomware, and shadow data.

5.  Flow Security

Flow Security covers a large set of environments to discover all data of an organization. For instance, the solution can scan through on-prem infrastructure, multiple cloud environments, SaaS applications, and other self-managed databases.

The ML capabilities enable data teams to discover and classify data elements across structured and unstructured formats. The tool can further discover security vulnerabilities and track them for remediation.

6. Laminar

Laminar is another emerging solution provider that offers a DSPM platform. The platform offers an agile DSPM solution that delivers speed, accuracy, and efficiency. The tool has received a 4.1 rating from reviewers. Data teams can leverage the platform to gain the required data insights into their multi-cloud and SaaS environments.

Various controls can be configured to enable robust data protection in the cloud, such as risk discovery and management, access policies, governance framework optimizations, and compliance management. Since Laminar has a lot of room for improvement, you may find the platform lacking in the department of scalability, which is a must for large-scale data-driven organizations.

7. TrustLogix

TrustLogix’s cloud data security platform, as the name suggests, is built for the cloud to gain data visibility and optimize controls around security, governance, and compliance. The DSPM platform can be deployed swiftly, and it can be connected to a variety of cloud-native environments along with self-managed clouds and SaaS applications.

It doesn’t require access to the data itself; it only scans schemas and configuration metadata. TrustLogix further reviews the log files to detect any anomalies related to sensitive data access for enhanced protection.

8. Cyera

Cyera Platform is a well-trusted DSPM solutions provider in the industry. It provides organizations with comprehensive information on their sensitive data, geographies, and data access controls.

Its DSPM solution covers a lot of ground when it comes to ecosystems in that it can discover data in IaaS, PaaS, self-managed databases, managed databases, as well as DBaaS environments.

9. Concentric

The Concentric Semantic Intelligence product delivers DSPM capabilities to help businesses and security teams find their most important data, find security gaps, and prevent unauthorized access.

Concentric’s ML capabilities allow autonomous discovery of data across a business’s data environment and classify a wide range of data elements, such as PCI data, PHI data, and PII data.

10. Veza

Veza’s DSPM solution provides businesses with a powerful vulnerability management system that allows them to discover identities and mitigate risks. The solution can be integrated with a number of cloud and SaaS systems, such as Okta, Slack, OneLogin, GitHub, GitLab, AWS, OCI, AWS DynamoDB, and GCP, to name a few.

11. BigID

BigID ranks as one of the top cloud data management solutions and now also offers a DSPM solution. The solution comes with a decent data discovery and classification engine that categorizes data across different formats and systems. The solution can further identify and track data security risks, help optimize data access policies across roles and users, and enhance security posture.

12. Fasoo

Data Radar is Fasoo’s product that offers DSPM capabilities. The DSPM platform can replace a traditional data loss prevention solution with an advanced DSPM tool, offering powerful discovery and classification capabilities along with access controls and policies, and risk assessment.

13. Normalyze

With the Normalyze DSPM platform, you can search, identify, and categorize data in your Google, Azure, and AWS data clouds. You can sift through data in cloud-native environments across various data formats.

14. OneTrust

OneTrust is also a well-known DSPM provider. The solution provides data discovery, classification, and inventorying. You can use the tool to discover security gaps and enhance access controls to implement a zero-trust framework.

15. Open Raven

Open Raven has a wide range of functionalities that can optimize data security posture. Its DSPM platform can enable businesses to discover and classify data, assess security posture risks, optimize controls, and implement guardrails to meet compliance.

Final thoughts

In today’s data-driven era, finding the best DSPM platform is crucial for businesses to safeguard data against cyber threats and derive business value while meeting compliance. So, go through the provided list of DSPM platforms and pick the best one to meet your business objectives.

The post Top 15 Data Security Posture Management (DSPM) platforms for 2023 appeared first on Cybersecurity Insiders.

This blog was jointly written by Fernando Martinez Sidera and Ofer Caspi, AT&T Alien Labs threat intelligence researchers.

Executive summary 

AdLoad malware is still infecting Mac systems years after its first appearance in 2017. AdLoad, a package bundler, has been observed delivering a wide range of payloads throughout its existence. During AT&T Alien Labs’ investigation of its most recent payload, it was discovered that the most common component dropped by AdLoad during the past year has been a proxy application turning MacOS AdLoad victims into a giant, residential proxy botnet.

Key takeaways: 

  • AdLoad malware is still present and infecting systems, with a previously unreported payload.
  • At least 150 samples have been observed in the wild during the last year.
  • AT&T Alien Labs has observed thousands of IPs behaving as proxy exit nodes in a manner similar to AdLoad infected systems. This behavior could indicate that thousands of Mac systems have been hijacked to act as proxy exit nodes.
  • The samples analyzed in this blog are unique to MacOS, but Windows samples have also been observed in the wild.

Analysis 

AdLoad is one of several widespread adware and bundleware loaders currently impacting macOS. The OSX malware has been present since 2017, with big campaigns in the last two years as reported by SentinelOne in 2021 and Microsoft in 2022. As stated in Microsoft’s report on UpdateAgent, a malware delivering AdLoad through drive-by compromise, AdLoad redirected users’ traffic through the adware operators’ servers, injecting advertisements and promotions into webpages and search results with a Person-in-The-Middle (PiTM) attack.

These two previous campaigns, together with the campaign described in this blog, support the theory that AdLoad could be running a pay-per-install campaign in the infected systems.

  • The main purpose of the malware has always been to act as a downloader for subsequent payloads.
  • It has been identified delivering a wide range of payloads (adware, bundleware, PiTM, backdoors, proxy applications, etc.) every few months to a year, sometimes conveying different payloads depending on the system settings such as geolocation, device make and model, operating system version, or language settings, as reported by SentinelOne.
  • In all observed samples, regardless of payload, they report to an AdLoad server during execution on the victim’s system.
  • This beacon (analyzed later in Figures 3 and 4) includes system information in the user agent and the body, without any relevant response aside from a 200 HTTP response code.
  • This activity probably represents AdLoad’s method of keeping count of the number of infected systems, supporting the pay-per-install scheme.

AT&T Alien Labs™ has observed similar activity in our threat analysis systems throughout the last year, with the AdLoad malware being installed in the infected systems. However, Alien Labs is now observing a previously unreported payload being delivered to the victims. The payload corresponds to a proxy application, converting its targets into proxy exit nodes after infection. As seen in Figure 1, the threat actors behind this campaign have been very active since the beginning of 2022.

Figure 1. Histogram of AdLoad samples identified by Alien Labs.

The vast number of samples in the wild has consequently led to many devices becoming infected. Alien Labs has identified over 10,000 IPs reaching out to the proxy servers each week that have the potential to be proxy exit nodes. It is unclear if all these systems have been infected or are voluntarily offering their systems as proxies, but it could be indicative of a bigger infection globally.

The intentions of the users of this residential proxy botnet are still unclear, but so far it has already been detected delivering SPAM campaigns. One such campaign hit the University of Illinois, which had to release an internal alert to notify its students of this threat.

Figure 2. University of Illinois alert at https://answers.uillinois.edu/illinois/page.php?id=120871.

This blog will focus on a sample of AdLoad, which AT&T Alien Labs observed in the wild during the month of June: 6587e61a8a7edb312da5798ffccf4a5ef227d3834389993b4df3ef0b173443dc. This sample was named “app_assistant”, which, together with ‘main_helper’ and ‘mh’, is among the most common filenames observed for this malware.

The sample initiates the execution with a system profiler. The system profiler pulls system information, focusing on the UUID (Universally Unique Identifier), which can be used later to identify the system to the Command and Control (C&C) on the proxy servers.

It then reaches out to an AdLoad server to report the infection. The URL is hardcoded in the sample. Alien Labs has observed two different patterns thus far:

Pattern 1 includes:

  • POST request to a URL with path “/l”.
  • Host with an api. subdomain.
  • Content Type is “application/x-www-form-urlencoded”.
  • The body starts with “cs=” and is followed by around 300 base64 characters.

This behavior had already been observed in the wild and is detected by ET (Emerging Threats) with a public rule attributing the activity to OSX/SHLAYER (rule in the appendix).

Figure 3: Example from Alien Labs of network traffic of sample 54efc69cb6ee7fde00c0320202371dcdad127d0e7c8babce4659be8230d81a81.

Pattern 2 includes:

  • POST request to a URL with path “/a/rep”.
  • Host with an m. subdomain.
  • Content Type is charset=utf-8.
  • The body starts with “smc” and is followed by encrypted data.

No public rules were identified for this behavior as of the publishing of this blog; however, Alien Labs has provided a rule in the appendix.

In both cases, the User Agent is formed by the filename of the executed file followed by “(unknown version) CFNetwork/$version” plus the Darwin version number.

Figure 4: Example from Alien Labs: network traffic of sample 6587e61a8a7edb312da5798ffccf4a5ef227d3834389993b4df3ef0b173443dc.

After beaconing to the AdLoad server, the sample reaches out to a different domain, usually vpnservices[.]live or upgrader[.]live, which appears to be a proxy server’s C&C. The request carries the UUID of the infected machine as a parameter, among other encoded parameters. The response contains a link to the file to download, usually hosted on digitaloceanspaces[.]com. It also includes the environment to use and the version number of the payload.

Figure 5 summarizes the different connections Alien Labs has observed as of the publishing of this article (steps 1-5), and the activity we will describe next (steps 5-8).

Figure 5: Infection process as analyzed by Alien Labs.

Attack chain, Steps 5-8

  • Once the malware downloads the proxy app, it is unzipped with a password, and xattr -rd is executed on the files to remove the quarantine attribute from them. This bypasses Gatekeeper’s security.
  • The existing files are copied to ‘/Users/$user/Library/Application Support/$randomstring’. Any unnecessary files placed in the system, the /tmp directory, and the original zip file are deleted.
  • At this point, the newly generated folder under Application Support has two files: the first is a version control named ‘pcyx.ver’ and the second contains the proxy application, usually named ‘helper’ or ‘main’. If the proxy application is already running, the malware kills it, and then executes it in the background. During its execution, AdLoad gains persistence by installing itself as a Launch Agent with organization name usually formed by org.[random long string].plist, which points at the proxy application executable in the Application Support folder.
  • Once the application is running, the host starts operating as a proxy server. Its initial configuration is usually hardcoded (Figure 6), but it can be modified through the previous request to the proxy C&C, changing the domain, port, environment, etc. The communication with proxy servers usually occurs over port 7001, but it has also been seen over ports 7000 and 7002, probably as alternatives in case 7001 is taken.

Figure 6: As observed by Alien Labs: the malware configuration includes C&C address, certificate, malware version and more.

  • As the application runs, its first action is to beacon system information and status to the proxy server. It sends a registration message to its C&C after collecting the machine’s information. This data includes the macOS version and hardware stats like CPU, memory, and battery status. Additionally, it extracts the machine’s UUID, labeled as “peer_id”, which is used as the machine’s identifier with the C&C (Figure 7).
  • After registration with its C&C, the malware receives the proxy manager server to which it forwards proxy requests.

Figure 7: Collecting system information before registering as new peer.
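As an added example (not Alien Labs code), the script below turns the two HTTP beacon patterns listed earlier and the “peer_id” registration message just described into Python checks that mirror the content matches of the Suricata rules in the appendix. The hostnames, the sample bodies and the exact User-Agent layout after CFNetwork/ are constructed assumptions.

```python
"""Classifier for the AdLoad HTTP beacons (patterns 1 and 2) and the proxy-node
registration message. Added example, not Alien Labs code: it mirrors the content
checks of the appendix Suricata rules so they can be tested against captured
requests. All hosts and bodies below are constructed samples."""
import base64
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Same base64 alphabet/padding check as the pcre in the OSX/SHLAYER rule.
B64_RE = re.compile(
    r"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$")
# "<filename> (unknown version) CFNetwork/<ver> Darwin/<ver>"; the layout after
# CFNetwork/ is an assumption based on the description in the blog.
UA_RE = re.compile(
    r"^(?P<name>\S+) \(unknown version\) CFNetwork/(?P<cfn>\S+) Darwin/(?P<darwin>\S+)$")


@dataclass
class HttpRequest:
    method: str
    path: str
    headers: Dict[str, str]  # lower-cased header names
    body: bytes


def parse_http_request(raw: bytes) -> HttpRequest:
    """Minimal HTTP/1.1 request parser for captured beacons (no chunked bodies)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, path, headers, body)


def classify_adload_beacon(req: HttpRequest) -> Optional[str]:
    """Return 'pattern1', 'pattern2' or None for a parsed request."""
    if req.method != "POST" or not UA_RE.match(req.headers.get("user-agent", "")):
        return None
    host = req.headers.get("host", "")
    ctype = req.headers.get("content-type", "")
    # Pattern 1: POST /l to an api. host, form-urlencoded, body "cs=" + base64.
    if req.path == "/l" and host.startswith("api.") \
            and ctype.startswith("application/x-www-form-urlencoded"):
        body = req.body.decode("latin-1")
        if body.startswith("cs=") and B64_RE.match(body[3:]):
            return "pattern1"
    # Pattern 2: POST /a/rep to an m. host, charset=utf-8, body "smc", a "$"
    # at offset 10, then at least 200 more bytes (as in sid 4002758).
    if req.path == "/a/rep" and host.startswith("m.") and "charset=utf-8" in ctype:
        if req.body.startswith(b"smc") and req.body[10:11] == b"$" \
                and len(req.body) >= 11 + 200:
            return "pattern2"
    return None


def is_proxy_node_registration(payload: bytes) -> bool:
    """Ordered content checks of sid 4002756 on a raw TCP payload (ports 7000-7002):
    JSON starting with "peer_id", then "connect_version", then "action"."""
    if not payload.startswith(b'{"peer_id":'):
        return False
    i = payload.find(b'","connect_version"')
    return i >= 0 and payload.find(b'"action"', i) >= 0


UA = "app_assistant (unknown version) CFNetwork/1404.0.5 Darwin/22.3.0"  # constructed


def _request(host: str, path: str, ctype: str, body: bytes) -> bytes:
    return (f"POST {path} HTTP/1.1\r\nHost: {host}\r\nUser-Agent: {UA}\r\n"
            f"Content-Type: {ctype}\r\nContent-Length: {len(body)}\r\n\r\n").encode() + body


def demo() -> Dict[str, object]:
    """Run the checks over constructed samples; hosts are placeholders."""
    p1 = _request("api.example.test", "/l", "application/x-www-form-urlencoded",
                  b"cs=" + base64.b64encode(b"\x01" * 225))          # 300 base64 chars
    p2 = _request("m.example.test", "/a/rep", "text/plain; charset=utf-8",
                  b"smc" + b"\x00" * 7 + b"$" + b"\xaa" * 220)
    benign = _request("api.example.test", "/l", "application/json", b'{"cs":"x"}')
    reg = (b'{"peer_id":"00000000-0000-0000-0000-000000000000",'
           b'"connect_version":"1.2","action":"register"}')
    return {
        "pattern1": classify_adload_beacon(parse_http_request(p1)),
        "pattern2": classify_adload_beacon(parse_http_request(p2)),
        "benign": classify_adload_beacon(parse_http_request(benign)),
        "registration": is_proxy_node_registration(reg),
        "not_registration": is_proxy_node_registration(b'{"result":"ok"}'),
    }


if __name__ == "__main__":
    print(demo())
```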

Many of the proxy requests issued immediately after an infection appear to be testing queries, such as IP lookups or access to streaming services like Netflix, HBO or Disney from specific locations. Figure 8 shows the beacon and the response from the server, together with the request for an IP lookup, which arrived at the infected system through port 7001.

Figure 9 shows more clearly how the IP Lookup is forwarded to its actual destination and the received response is sent back to the proxy server.

Figure 8: Beacon and IP lookup as observed by Alien Labs, d94f62ec4b6ffcec35d5e639d02a52ce226629a5eb3e2a7190174ea8d3b40b5b.

Figure 9: Proxy flow, as observed by Alien Labs, d94f62ec4b6ffcec35d5e639d02a52ce226629a5eb3e2a7190174ea8d3b40b5b.

The beacon message shown in figure 8 is sent every few seconds to get further instructions from the C&C. This includes requests for updated hardware information to check if the machine may be running into issues soon and should not be loaded as proxy (low battery or high CPU usage) (Figure 10).

Figure 10: Pinging C&C for further instructions, observed by Alien Labs.

Alien Labs has identified several domains as proxy server nodes that were relaying the proxy requests to the infected systems. These domains all had generic, randomly generated names, like bapp.pictureworld[.]co, and were hosted on usually reliable cloud services, like Amazon or Oracle. However, they appeared to be used only as DNS resolvers, since those IPs all happened to resolve to a private company domain around the time of infection. The company name also showed up in the certificates of some of these generic domains.

Based on the above information, a small business selling proxy services appears to be behind the proxy activity. The price list published on this private company’s webpage does include residential IP proxies as an offered service.

In addition to the Mac samples analyzed in this blog, Alien Labs has also identified other Windows samples replicating the behavior just explained. These Windows samples also end up acting as proxies through the known ports 7000, 7001 and 7002, with traffic coming from the same domains. AT&T Alien Labs will be releasing a new blog in the upcoming weeks with that analysis.

Recommended actions 

To remove AdLoad samples from the system:

  1. AdLoad samples can be identified with the YARA rule included in the appendix, originally created by SentinelOne in a previous AdLoad report.
  2. Analyze any system matching Suricata rules 4002758 and 2038612.

To remove the proxy application from the system:

  1. Review ‘/Users/X/Library/Application Support/’ and look for a folder named with a string of over 20 randomly generated characters that contains files such as main, helper and pcyx.ver, and whose executables are currently running in the background on your system.
  2. Review the need for every existing Launch Agent plist in /Library/LaunchAgents/, especially any named with another long string of random characters; identify the existing agents and delete the unnecessary ones.
  3. Analyze any systems communicating through port 7000, 7001 or 7002 to suspicious IPs (or matching Suricata rules 4002756 and 4002757).
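The first two host checks above can be automated. The script below is an added example (not Alien Labs tooling): it flags Application Support folders whose name is a long random string and that hold the files named in step 1, and Launch Agent plists that either carry an org.<random>.plist name or point into such a folder. It takes a Library folder as argument, so it can be run against /Library or a user’s ~/Library; the folder names, plist labels and file contents in the demo are constructed fixtures, and the 20-character threshold is taken from step 1.

```python
"""Triage helper for the AdLoad proxy cleanup steps. Added example, not Alien
Labs tooling. Usage: python triage.py /Library   (no argument: constructed demo)."""
import json
import plistlib
import re
import sys
import tempfile
from pathlib import Path
from typing import Dict, List

PROXY_FILES = {"main", "helper", "pcyx.ver"}
RANDOM_DIR_RE = re.compile(r"^[A-Za-z0-9]{20,}$")           # "over 20 random characters"
RANDOM_PLIST_RE = re.compile(r"^org\.[A-Za-z0-9]{20,}\.plist$")


def suspicious_app_support_dirs(app_support: Path) -> List[Dict[str, object]]:
    """Random-named folders under Application Support holding the proxy files."""
    hits: List[Dict[str, object]] = []
    if not app_support.is_dir():
        return hits
    for d in sorted(app_support.iterdir()):
        if d.is_dir() and RANDOM_DIR_RE.match(d.name):
            present = sorted(PROXY_FILES & {p.name for p in d.iterdir()})
            if present:
                hits.append({"path": str(d), "files": present})
    return hits


def program_paths(plist_path: Path) -> List[str]:
    """ProgramArguments (or Program) from a plist; unreadable plists yield []."""
    try:
        with open(plist_path, "rb") as f:
            data = plistlib.load(f)
    except Exception:
        return []
    paths = list(data.get("ProgramArguments", []))
    if "Program" in data:
        paths.append(data["Program"])
    return [p for p in paths if isinstance(p, str)]


def triage(library: Path) -> Dict[str, list]:
    """Inspect <library>/Application Support and <library>/LaunchAgents."""
    dirs = suspicious_app_support_dirs(library / "Application Support")
    flagged = {h["path"] for h in dirs}
    agents = []
    agents_dir = library / "LaunchAgents"
    plists = sorted(agents_dir.glob("*.plist")) if agents_dir.is_dir() else []
    for plist in plists:
        reasons = []
        if RANDOM_PLIST_RE.match(plist.name):
            reasons.append("random org.* label")
        if any(str(Path(p).parent) in flagged for p in program_paths(plist)):
            reasons.append("program inside flagged folder")
        if reasons:
            agents.append({"path": str(plist), "reasons": reasons})
    return {"app_support": dirs, "launch_agents": agents}


def build_demo_tree(root: Path) -> None:
    """Constructed fixture: one infected-looking folder/agent beside benign ones."""
    bad = root / "Application Support" / "kqzvtwbpmxucgdnojsrehlfy"
    bad.mkdir(parents=True)
    (bad / "helper").write_bytes(b"\xcf\xfa\xed\xfe")       # Mach-O magic only
    (bad / "pcyx.ver").write_text("1.0.5\n")
    good = root / "Application Support" / "Firefox"
    good.mkdir()
    (good / "profiles.ini").write_text("[General]\n")
    agents = root / "LaunchAgents"
    agents.mkdir()
    with open(agents / "org.xqpwlmvzkrcyhteubgnsajfd.plist", "wb") as f:
        plistlib.dump({"Label": "org.xqpwlmvzkrcyhteubgnsajfd",
                       "ProgramArguments": [str(bad / "helper")],
                       "RunAtLoad": True}, f)
    with open(agents / "com.example.updater.plist", "wb") as f:
        plistlib.dump({"Label": "com.example.updater",
                       "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/updater"]}, f)


def demo() -> Dict[str, list]:
    """Build the fixture in a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(Path(tmp))
        return triage(Path(tmp))


if __name__ == "__main__":
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else None
    print(json.dumps(triage(target) if target else demo(), indent=2))
```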

Conclusion 

The pervasive nature of AdLoad, potentially infecting thousands of devices worldwide, indicates that users of MacOS devices are a lucrative target for the adversaries behind this malware and are being tricked into downloading and installing unwanted applications. The underreporting of MacOS-based threats may lead users to a false sense of security and underscores that any popular operating system can become a target for skilled adversaries.

AT&T Alien Labs is not aware whether the private company relaying the proxy requests is actively infecting the systems or is buying what it believes to be legitimate systems. However, its proxy servers are accessing these systems and selling a similar service to its clients. Buyers have been leveraging the benefits of a residential proxy botnet (anonymity, wide geolocation availability and high IP rotation) to deliver SPAM campaigns throughout the last year.

Detection methods

The following associated detection methods are in use by Alien Labs. They can be used by readers to tune or deploy detections in their own environments or for aiding additional research. 

SURICATA IDS SIGNATURES 

alert tcp $HOME_NET any -> $EXTERNAL_NET [7000:7002] (msg:"AV TROJAN AdLoad Proxy Node Beacon"; flow:to_server,established; content:"|7B 22|peer_id|22 3A|"; offset:0; depth:11; content:"|22 2C 22|connect_version|22|"; distance:0; content:"|22|action|22|"; distance:0; classtype:bad-unknown; sid:4002756; rev:2;)

alert tcp $EXTERNAL_NET [7000:7002] -> $HOME_NET any (msg:"AV TROJAN AdLoad Proxy Node Response"; flow:established; content:"|7B 22|result|22 3A|"; offset:0; depth:10; content:"|22|error|22 3A 22|"; distance:0; content:"|22 2C 22|action|22 3A 22|result|22|"; distance:0; content:"|22|uuid4|22|"; distance:0; content:"|22|version|22|"; distance:0; classtype:bad-unknown; sid:4002757; rev:2;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"AV TROJAN OSX AdLoad CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/a/rep"; http_uri; depth:6; isdataat:!1,relative; content:"m."; depth:2; http_host; content:"|20 28|unknown|20|version|29 20|CFNetwork|2f|"; http_user_agent; fast_pattern; content:"charset=utf-8"; http_content_type; pkt_data; content:"smc"; http_client_body; depth:3; content:"$"; distance:7; within:1; http_client_body; isdataat:200,relative; threshold:type limit, count 1, seconds 600, track by_dst; classtype:trojan-activity; sid:4002758; rev:1;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN OSX/SHLAYER CnC Activity M2"; flow:established,to_server; content:"POST"; http_method; content:"/l"; http_uri; depth:2; isdataat:!1,relative; content:"|20 28|unknown|20|version|29 20|CFNetwork|2f|"; http_user_agent; fast_pattern; content:"cs="; http_client_body; depth:3; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})/PR"; http_content_type; content:"application/x-www-form-urlencoded"; depth:33; isdataat:!1,relative; threshold:type limit, count 1, seconds 600, track by_dst; classtype:trojan-activity; sid:2038612; rev:1; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2022_08_25, deployment Perimeter, former_category MALWARE, malware_family Shlayer, performance_impact Low, signature_severity Major, updated_at 2022_08_25;)

YARA RULES 

private rule Macho
{
    meta:
        description = "private rule to match Mach-O binaries"
    condition:
        uint32(0) == 0xfeedface or uint32(0) == 0xcefaedfe or uint32(0) == 0xfeedfacf or uint32(0) == 0xcffaedfe or uint32(0) == 0xcafebabe or uint32(0) == 0xbebafeca
}

rule adload_2021_system_service
{
    meta:
        description = "rule to catch Adload .system .service variant"
        author = "Phil Stokes, SentinelLabs"
        version = "1.0"
        last_modified = "2021-08-10"
        reference = "https://s1.ai/adload"
    strings:
        $a = { 48 8D 35 ?? ?? 00 00 48 8D 5D B8 BA B8 00 00 00 48 89 DF E8 ?? ?? FB FF 48 8B 43 08 48 2B 03 66 48 0F 6E C0 66 0F 62 05 ?? ?? 00 00 66 0F 5C 05 ?? ?? 00 00 0F 57 C9 66 0F 7C C0 48 8D 7D A0 0F 29 0F F2 0F 59 05 }
    condition:
        Macho and all of them
}

Associated indicators (IOCs) 

The following technical indicators are associated with the reported intelligence. A list of indicators is also available in the OTX Pulse. Please note, the pulse may include other activities related but out of the scope of the report. 


Mapped to MITRE ATT&CK

The findings of this report are mapped to the following MITRE ATT&CK Matrix techniques: 

    • TA0001: Initial Access
      • T1189: Drive-by Compromise
    • TA0003: Persistence
      • T1543: Create or Modify System Process
        • T1543.001: Launch Agent
    • TA0005: Defense Evasion
      • T1140: Deobfuscate/Decode Files or Information
      • T1497: Virtualization/Sandbox Evasion
        • T1497.001: System Checks
      • T1222: File and Directory Permissions Modification
        • T1222.002: Linux and Mac File and Directory Permissions Modification
      • T1553: Subvert Trust Controls
        • T1553.001: Gatekeeper Bypass
      • T1562: Impair Defenses
        • T1562.001: Disable or Modify Tools
    • TA0007: Discovery
      • T1082: System Information Discovery
    • TA0011: Command and Control
      • T1090: Proxy
      • T1571: Non-Standard Port
    • TA0040: Impact
      • T1496: Resource Hijacking

The post Mac systems turned into proxy exit nodes by AdLoad appeared first on Cybersecurity Insiders.


In the realm of digital forensics and incident response, the analysis of volatile memory, commonly referred to as RAM (Random Access Memory), plays a pivotal role in extracting crucial evidence and uncovering valuable information. RAM dump – the process of capturing the contents of a computer’s memory, is a vital step in preserving volatile data for forensic examination. This article aims to shed light on the importance of RAM dump in digital investigations and provide insights into the process involved.

The significance of RAM dump

  • Volatile nature of RAM: RAM is a volatile form of memory that holds data temporarily while a computer is powered on. Once the system is shut down, the contents of RAM are lost. Therefore, capturing a RAM dump becomes essential to preserve valuable evidence that may not be available through traditional disk-based analysis.
  • Dynamic and live information: RAM contains real-time information about running processes, active network connections, open files, encryption keys, passwords, and other critical artifacts. Analyzing the RAM dump allows forensic investigators to access this dynamic and live information, providing insights into the state of the system at the time of the incident.
  • Uncovering hidden or encrypted data: RAM often holds data that may not be easily accessible through traditional file system analysis. It can reveal information about active malware, hidden processes, encrypted data in memory, or remnants of deleted files, offering a wealth of evidence that can be crucial to an investigation.

The RAM dump process

  • Acquiring a RAM dump: To perform a RAM dump, specialized tools or techniques are used to capture the contents of RAM. Common methods include physical access and utilizing software tools designed for memory acquisition. Physical access allows directly connecting to the computer’s memory modules, while software tools can acquire RAM remotely or by creating a memory image from a hibernation file.
  • Preserving data integrity: It is essential to ensure the integrity of the RAM dump during acquisition to maintain its evidentiary value. This involves utilizing write-blocking mechanisms, verifying the integrity of the acquired image, and documenting the entire process to establish a proper chain of custody.
  • Analyzing the RAM dump: Once the RAM dump is acquired, it can be analyzed using specialized software tools designed for memory forensics. These tools enable investigators to extract information, identify running processes, recover artifacts, and search for patterns or indicators of compromise.
  • Extracting volatile data: The RAM dump analysis involves extracting volatile data such as active network connections, running processes, loaded drivers, registry information, file handles, and other artifacts. This data can be used to reconstruct the system’s state, identify malicious activities, or uncover hidden information.
  • Memory carving and artifacts recovery: Memory carving techniques are employed to search for specific file types or artifacts within the RAM dump. This process involves identifying file headers or signatures and reconstructing files from the memory image. This can be particularly useful in recovering deleted or encrypted files.
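The carving step above can be illustrated with a small signature-based carver. This is an added example, not code from the article or from any forensics tool: it scans an image for PNG and JPEG signatures, reconstructs each file (walking PNG chunks to IEND, and reading JPEG up to its EOI marker), and hashes the image as the integrity step calls for. The image it runs on is constructed in memory, so no real RAM dump is needed.

```python
"""Signature-based carving over a memory image. Added example, not from the
article or any named tool. Usage: python carve.py memdump.mem outdir
(no arguments: run the constructed demo)."""
import hashlib
import struct
import sys
import zlib
from pathlib import Path
from typing import Dict, List, Optional, Tuple

PNG_SIG = b"\x89PNG\r\n\x1a\n"
JPEG_SOI = b"\xff\xd8\xff"          # start of image followed by a marker byte
JPEG_EOI = b"\xff\xd9"              # end of image
MAX_JPEG = 4 * 1024 * 1024          # give up if no EOI within this many bytes


def carve_png(image: bytes, start: int) -> Optional[bytes]:
    """Walk the chunk list from the signature; a PNG ends with its IEND chunk,
    so the exact length is recovered instead of guessed."""
    pos = start + len(PNG_SIG)
    while pos + 8 <= len(image):
        length, ctype = struct.unpack(">I4s", image[pos:pos + 8])
        pos += 8 + length + 4                      # header + data + CRC
        if pos > len(image):
            return None                            # truncated in memory
        if ctype == b"IEND":
            return image[start:pos]
    return None


def carve_jpeg(image: bytes, start: int) -> Optional[bytes]:
    """JPEG has no length field, so carve up to the first EOI marker."""
    end = image.find(JPEG_EOI, start + len(JPEG_SOI), start + MAX_JPEG)
    return None if end < 0 else image[start:end + len(JPEG_EOI)]


CARVERS = (("png", PNG_SIG, carve_png), ("jpeg", JPEG_SOI, carve_jpeg))


def carve(image: bytes) -> List[Tuple[int, str, bytes]]:
    """Return (offset, kind, data) for every file recovered from the image."""
    found = []
    for kind, sig, fn in CARVERS:
        pos = image.find(sig)
        while pos >= 0:
            data = fn(image, pos)
            if data is None:                       # signature without a valid body
                pos = image.find(sig, pos + 1)
                continue
            found.append((pos, kind, data))
            pos = image.find(sig, pos + len(data))
    return sorted(found)


def make_png() -> bytes:
    """Build a valid 1x1 red PNG (constructed test artifact)."""
    def chunk(ctype: bytes, data: bytes) -> bytes:
        crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
        return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # 1x1, 8-bit RGB
    idat = zlib.compress(b"\x00\xff\x00\x00")              # filter byte + RGB
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")


# Deterministic filler: contains no PNG signature, SOI or EOI byte sequence.
FILLER = bytes(range(256)) * 32
SAMPLE_JPEG = JPEG_SOI + b"\xe0\x00\x10JFIF\x00\x01\x01" + b"\x00" * 40 + JPEG_EOI


def demo() -> Dict[str, object]:
    """Carve a constructed image standing in for memdump.mem."""
    png = make_png()
    image = FILLER + SAMPLE_JPEG + FILLER + png + FILLER
    carved = carve(image)
    return {
        "sha256": hashlib.sha256(image).hexdigest(),   # record before analysis
        "carved": [(off, kind, len(data)) for off, kind, data in carved],
        "jpeg_ok": any(k == "jpeg" and d == SAMPLE_JPEG for _, k, d in carved),
        "png_ok": any(k == "png" and d == png for _, k, d in carved),
    }


if __name__ == "__main__":
    if len(sys.argv) == 3:
        img = Path(sys.argv[1]).read_bytes()
        out = Path(sys.argv[2])
        out.mkdir(exist_ok=True)
        for off, kind, data in carve(img):
            (out / f"{off:#x}.{kind}").write_bytes(data)
    else:
        print(demo())
```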

RAM dumps can be acquired using specialised tools like FTK Imager and Magnet RAM Capture (both of which are available for free), and the analysis can be done using specialised tools or open-source frameworks like the Volatility Framework.

Let’s take a look at how to acquire a RAM dump and registry files using FTK Imager.

To acquire RAM and registry files, please follow these steps:

  • Download FTK imager from here.
  • Follow the installation steps.
  • Once installed, run FTK Imager and select the Capture memory option from the toolbar menu, as shown in the screenshot:

[Screenshot: FTK Imager toolbar, Capture memory option]

Alternatively, you can select Capture memory from the File dropdown menu inside FTK Imager as illustrated in screenshot below:

[Screenshot: FTK Imager File menu, Capture memory option]

Once you select Capture memory, provide a destination path where you wish to save the dump file. Optionally, you can also include the pagefile. After that, the process of capturing memory will begin.

[Screenshot: memory capture in progress]

You will receive a pop-up once the process is finished.

[Screenshot: memory capture finished]

Since I chose to capture memory as well as pagefile I will have two files available.

[Screenshot: output files, memdump.mem and pagefile]

The file with the name “memdump.mem” is the RAM capture file.

You can take the dump file to analyze as required on your forensics workstation.

Best practices and considerations

  • Timeliness and live analysis: RAM dump acquisition should be performed as soon as possible to capture the volatile data before it gets overwritten or lost. Additionally, live analysis of the RAM dump can provide real-time insights into ongoing activities and help mitigate immediate threats.
  • Privacy and legal considerations: Collecting and analyzing a RAM dump may involve accessing sensitive user data or private information. It is crucial to follow legal procedures, obtain proper authorization, and adhere to privacy laws and regulations to ensure compliance and protect the rights of individuals involved.
  • Proper training and expertise: RAM analysis requires specialized knowledge and skills in memory forensics. Forensic investigators should undergo proper training and continuously update their expertise to effectively handle RAM dump acquisition and analysis.

Conclusion

RAM dump acquisition and analysis are vital components of digital forensics and incident response investigations. The volatile nature of RAM and the real-time information it holds make RAM dump an invaluable source of evidence. By understanding the importance of RAM dump and following proper acquisition and analysis procedures, forensic investigators can uncover hidden data, identify malicious activities, and reconstruct the system’s state during an incident.

However, it is essential to stay updated with evolving technologies, legal considerations, and best practices in RAM analysis to ensure the integrity and effectiveness of the process. Ultimately, RAM dump plays a critical role in modern digital investigations, helping investigators piece together the puzzle and provide essential insights for resolving cases.

The post RAM dump: Understanding its ­­­importance and the process appeared first on Cybersecurity Insiders.


Where do vulnerabilities fit with respect to security standards and guidelines? Was it a coverage issue or an interpretation and implementation issue? Where does a product, environment, organization, or business vertical fail the most in terms of standards requirements? These questions are usually left unanswered because of the gap between standards or regulations on the one hand, and requirements interpretation and implementation, on the other. Certified products and environments often suffer from security issues that were supposed to be covered by the requirements of the standard.

In [1], for instance, the authors give examples of vulnerable products that were IEC 62443 certified. In [2], SANS discusses the case of PCI-certified companies and why they are still being breached. This “interpretation gap,” whether it manifests in the implementation of requirements or in the assessment process, hinders security and leads to the fact that being compliant is not necessarily the same as being secure.

Admittedly, the interpretation of guidelines and requirements in standards, which have a descriptive approach in general, is not an easy task. Requirements can be rather generic and wide open to interpretation depending on the context, resources, the current threat landscape, the underlying technologies, etc. Specific requirements might also lead to conflicting interpretations depending on the type of stakeholder, which will inevitably affect the implementation side.

Threat modeling is one way to avoid shortcomings (or even possible shortcuts) in the implementation of standards and of the organization’s own security policies. Think of threat modeling as an enforcement mechanism for the proper implementation of requirements. The reason is simple: threat modeling considers each requirement in terms of the relevant threats to the system, and determines mitigations to reduce or completely avoid the associated risks. Consequently, each requirement is mapped to a set of threats and mitigations that covers the relevant use cases under specific conditions or context, e.g., the trust boundaries, the protocols and technologies in use or under consideration, third-party interactions, dataflows, data storage, etc.

This is becoming a must-have nowadays since, when it comes to technical requirements, the concern about their interpretation still persists even when companies have been audited against them. In the following, the presented data analysis makes the link between disclosed vulnerabilities in Industrial Control Systems (ICS) and the technical requirements reported in the ‘gold standard’ of standards in this area, namely the IEC 62443. It shows the difficulty of satisfying the requirements in broad terms and the need for more specific context and processes.

CISA ICS advisories’ mapping

The analysis of CISA ICS advisories data, representing close to 2.5K advisories released between 2010 and mid-2023 [3], reveals the extent of the challenge an implementer or an assessor is faced with. Table 1 presents the top weaknesses, the associated count of advisories, and the mapping to IEC 62443 requirements. Affected sectors, the CVSS severity distribution, and the top weakness per sector are reported in Figures 1 and 2 and in Table 2.

Table 1. Top weaknesses in CISA’s ICS advisories and their IEC 62443 mapping.

Weakness | Name | Number of advisories | IEC 62443 technical requirement
CWE-20 | Improper Input Validation | 266 | SR/CR 3.5 – Input validation
CWE-121 | Stack-based Buffer Overflow | 257 | SR/CR 3.5 – Input validation
CWE-79 | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 205 | SR/CR 3.5 – Input validation
CWE-119 | Improper Restriction of Operations within the Bounds of a Memory Buffer | 185 | SR/CR 3.5 – Input validation
CWE-284 | Improper Access Control | 159 | FR1 – Identification and authentication control (IAC); FR2 – Use control (UC)
CWE-125 | Out-of-bounds Read | 158 | SR/CR 3.5 – Input validation
CWE-22 | Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) | 149 | SR/CR 3.5 – Input validation
CWE-400 | Uncontrolled Resource Consumption | 145 | SR/CR 7.1 – Denial of service protection; SR/CR 7.2 – Resource management
CWE-787 | Out-of-bounds Write | 139 | SR/CR 3.5 – Input validation
CWE-287 | Improper Authentication | 137 | SR/CR 1.1 – Human user identification and authentication; SR/CR 1.2 – Software process and device identification and authentication
CWE-122 | Heap-based Buffer Overflow | 128 | SR/CR 3.5 – Input validation
CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor | 115 | FR4 – Data confidentiality (DC); SR/CR 3.7 – Error handling
CWE-798 | Use of Hard-coded Credentials | 101 | SR/CR 1.5 – Authenticator management
CWE-306 | Missing Authentication for Critical Function | 98 | SR/CR 1.1 – Human user identification and authentication; SR/CR 1.2 – Software process and device identification and authentication; SR/CR 2.1 – Authorization enforcement
CWE-352 | Cross-Site Request Forgery (CSRF) | 84 | SR/CR 1.4 – Identifier management
CWE-89 | Improper Neutralization of Special Elements Used in an SQL Command (‘SQL Injection’) | 81 | SR/CR 3.5 – Input validation
CWE-319 | Cleartext Transmission of Sensitive Information | 75 | SR/CR 4.1 – Information confidentiality
CWE-427 | Uncontrolled Search Path Element | 64 | SR/CR 3.5 – Input validation; CR 3.4 – Software and information integrity
CWE-120 | Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’) | 62 | SR/CR 3.5 – Input validation
CWE-522 | Insufficiently Protected Credentials | 62 | SR/CR 1.5 – Authenticator management


Figure 1. Number of vulnerabilities per sector (chart of vulnerabilities by sector).

Figure 2. CVSS severity distribution (pie chart of CVSS distribution by severity).


Table 2. Top weaknesses per sector.

Sector | Top weakness | Name | Number of advisories
Critical Manufacturing | CWE-121 | Stack-based Buffer Overflow | 175
Energy | CWE-20 | Improper Input Validation | 147
Water and Wastewater | CWE-20 | Improper Input Validation | 87
Commercial Facilities | CWE-79 | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 42
Food and Agriculture | CWE-20 | Improper Input Validation | 55
Chemical | CWE-20 | Improper Input Validation | 54
Healthcare and Public Health | CWE-284 | Improper Access Control | 32
Transportation | CWE-121 | Stack-based Buffer Overflow | 31
Oil and gas | CWE-119 | Improper Restriction of Operations within the Bounds of a Memory Buffer | 18
Government Facilities | CWE-121 | Stack-based Buffer Overflow | 18


Guiding requirements’ interpretation

Table 1 shows the varied levels of abstraction the vulnerabilities map to. This is one of the main issues behind the complexity of interpreting requirements, for both implementation and assessment. A high level of abstraction allows the needed security mechanisms to be defined, but a fine-grained interpretation and implementation is also necessary, because it allows a better understanding of all the types of threats or failures that a specific system might be subject to, e.g., given a deployment model or an underlying technology.

The case of the “Input validation” requirement is revealing, with eleven of the top twenty weaknesses in Table 1 falling under it. On the surface, input validation is rather straightforward: analyze inputs and disallow anything that can be considered unsuitable. In practice, however, the number of data properties and input use cases to validate can be daunting, and it might be hard, or even impossible, to flush out all possible corner cases. The IEC 62443 “input validation” requirement is quite generic and encapsulates two CWE categories: “Validate Inputs” [4] and “Memory Buffer Errors” [5]. It is therefore essential to have a clear understanding of the target application or system in order to identify the relevant threats under each requirement and how to prevent them, i.e., how to achieve the requirement.
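The counting behind Table 1 and Table 2, and the “eleven of twenty under input validation” observation, can be reproduced with a short script. The one below is an added example, not the author’s analysis code: the advisory records are constructed (the `ICSA-EX-*` identifiers are hypothetical), the CWE-to-requirement mapping is copied from Table 1, and the `fr_only` check flags weaknesses that map only to a whole Foundational Requirement, which is the CWE-284 problem discussed next. A real run would load the CISA advisory feed in place of the sample list.

```python
"""Aggregating ICS advisory weaknesses against IEC 62443 requirements.

Added example (constructed data, not real CISA records). Shows the three
computations behind the tables: advisories per CWE, the share of the top-N
that fall under one requirement, and the top weakness per sector, plus a flag
for CWEs whose only mapping is a Foundational Requirement (too coarse to act on).
"""
from collections import Counter, defaultdict

# CWE -> IEC 62443 SR/CR (or FR) identifiers, as listed in Table 1.
CWE_TO_IEC = {
    "CWE-20": ["SR/CR 3.5"], "CWE-121": ["SR/CR 3.5"], "CWE-79": ["SR/CR 3.5"],
    "CWE-119": ["SR/CR 3.5"], "CWE-284": ["FR1", "FR2"], "CWE-125": ["SR/CR 3.5"],
    "CWE-22": ["SR/CR 3.5"], "CWE-400": ["SR/CR 7.1", "SR/CR 7.2"],
    "CWE-787": ["SR/CR 3.5"], "CWE-287": ["SR/CR 1.1", "SR/CR 1.2"],
    "CWE-122": ["SR/CR 3.5"], "CWE-200": ["FR4", "SR/CR 3.7"],
    "CWE-798": ["SR/CR 1.5"], "CWE-306": ["SR/CR 1.1", "SR/CR 1.2", "SR/CR 2.1"],
    "CWE-352": ["SR/CR 1.4"], "CWE-89": ["SR/CR 3.5"], "CWE-319": ["SR/CR 4.1"],
    "CWE-427": ["SR/CR 3.5", "CR 3.4"], "CWE-120": ["SR/CR 3.5"],
    "CWE-522": ["SR/CR 1.5"],
}

# Constructed sample advisories; the ids are hypothetical, not real CISA ids.
SAMPLE_ADVISORIES = [
    {"id": "ICSA-EX-01", "sectors": ["Energy", "Water and Wastewater"], "cwes": ["CWE-20"]},
    {"id": "ICSA-EX-02", "sectors": ["Critical Manufacturing"], "cwes": ["CWE-121", "CWE-20"]},
    {"id": "ICSA-EX-03", "sectors": ["Critical Manufacturing"], "cwes": ["CWE-121"]},
    {"id": "ICSA-EX-04", "sectors": ["Energy"], "cwes": ["CWE-284"]},
    {"id": "ICSA-EX-05", "sectors": ["Healthcare and Public Health"], "cwes": ["CWE-284", "CWE-284"]},
    {"id": "ICSA-EX-06", "sectors": ["Commercial Facilities"], "cwes": ["CWE-79"]},
    {"id": "ICSA-EX-07", "sectors": ["Energy"], "cwes": ["CWE-798"]},
    {"id": "ICSA-EX-08", "sectors": ["Water and Wastewater"], "cwes": ["CWE-20", "CWE-787"]},
]


def _ranked(counter):
    """(cwe, count) pairs, highest count first; ties broken by CWE id so
    the ordering is deterministic."""
    return sorted(counter.items(), key=lambda kv: (-kv[1], kv[0]))


def advisories_per_cwe(advisories):
    """Count advisories per CWE; an advisory listing a CWE twice counts once."""
    counts = Counter()
    for adv in advisories:
        for cwe in dict.fromkeys(adv["cwes"]):  # de-duplicate, keep order
            counts[cwe] += 1
    return counts


def top_weaknesses(advisories, n):
    """The n most frequent weaknesses as (cwe, count) pairs."""
    return _ranked(advisories_per_cwe(advisories))[:n]


def under_requirement(top, requirement):
    """CWEs in `top` that the mapping ties to `requirement`."""
    return [cwe for cwe, _ in top if requirement in CWE_TO_IEC.get(cwe, [])]


def fr_only(top):
    """CWEs whose every mapping is a whole Foundational Requirement (FRx):
    too abstract to tie to a concrete technical control."""
    return [cwe for cwe, _ in top
            if CWE_TO_IEC.get(cwe) and all(r.startswith("FR") for r in CWE_TO_IEC[cwe])]


def top_weakness_per_sector(advisories):
    """sector -> (cwe, count) of its most frequent weakness."""
    per_sector = defaultdict(Counter)
    for adv in advisories:
        cwes = list(dict.fromkeys(adv["cwes"]))
        for sector in adv["sectors"]:
            for cwe in cwes:
                per_sector[sector][cwe] += 1
    return {sector: _ranked(c)[0] for sector, c in per_sector.items()}


if __name__ == "__main__":
    top = top_weaknesses(SAMPLE_ADVISORIES, 3)
    print("top weaknesses:", top)
    print("under SR/CR 3.5:", under_requirement(top, "SR/CR 3.5"))
    print("FR-only mappings:", fr_only(top))
    for sector, (cwe, count) in sorted(top_weakness_per_sector(SAMPLE_ADVISORIES).items()):
        print(f"{sector}: {cwe} ({count})")
```

Swap `SAMPLE_ADVISORIES` for records parsed from the CISA feed and raise `n` to 20 to reproduce the tables; `fr_only` then lists the weaknesses for which the advisory gives no actionable requirement to check against.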

On the other hand, the “Improper access control” weakness [6] is also an interesting case. It is extremely high-level and maps to two foundational requirements of the IEC 62443. This highlights an issue in vulnerability reports: high-level abstraction weaknesses are misused in disclosure reports where more specific weaknesses describing the kind of access control involved would have been appropriate, e.g., missing or weak authentication, missing or incorrect authorization, etc. Such reports are not useful for trend analysis, especially on how real-world vulnerabilities relate to technical requirements in standards and regulations.

Threat modeling is helpful in both cases. Software developers, system architects, and security professionals can understand the requirements and address the predictable security issues that fall under them, given specific assumptions about the application or the system setup. In addition, current threat modeling tools can speed up the process by generating the relevant threats and their mitigations automatically, including based on threat intelligence data. The set of mitigations can also be tailored to meet different needs; for instance, the strength of a potential adversary, as is the case in the IEC 62443 standard, where four security levels are defined. These security levels (1 to 4) define technical requirements, along with requirement enhancements, in order to counter different levels of risk.

I believe that by using threat modeling as a framework, the interpretation and mapping of requirements into implementation and deployment measures become more predictable. It will also give developers and system architects a better chance of more complete coverage and accurate description of what the requirements ought to be, given the target system context, its dependencies, and the current threat landscape.

The guest author of this blog is a security researcher at iriusrisk.com.

References

[1] https://arxiv.org/pdf/2303.12340.pdf

[2] https://www.sans.org/white-papers/36497/

[3] https://www.cisa.gov/news-events/cybersecurity-advisories

[4] https://cwe.mitre.org/data/definitions/1019.html

[5] https://cwe.mitre.org/data/definitions/1218.html

[6] https://cwe.mitre.org/data/definitions/284.html

The post Mind the (Interpretation) gap: Another reason why threat modeling is important appeared first on Cybersecurity Insiders.


More than 67% of internet users in the US remain blissfully unaware of online privacy and data protection regulations.

At the same time, the global average cost of data breaches and cyber-attacks has increased by 15% since 2020 to $4.45 million. Compromised credentials and personal information are responsible for roughly 20% of the nearly 1.4 billion security incidents recorded during this period.

As a result, there’s a growing need for a solution to protect sensitive data from potential theft or misuse.

Global Privacy Control (GPC) is an emerging specification that gives users more control over their data when navigating the internet and using digital services.

In this article, you’ll learn about the core concept of GPC and its importance in digital protection.

What is Global Privacy Control (GPC)?

Global Privacy Control, or GPC, is a data privacy initiative and technical specification that lets individuals tell the businesses they interact with how their data may be used, in particular whether it may be sold or shared with third parties.

It offers a simple, standardized way to assert and protect your privacy rights while surfing the internet and navigating different websites and applications.

When enabled in a browser or browser extension, GPC sends a “Do Not Sell or Share My Data” signal (the Sec-GPC HTTP request header) to every site you visit, telling it to refrain from selling or sharing your data with third parties for advertising and other commercial purposes.

Common data websites collect generally include:

  • Personal information (Name, contact, address, etc.);
  • Browsing history;
  • Live location;
  • Device information (Model, operating system, etc.);
  • IP address;
  • Cookies;
  • Payment information (Card details, digital wallet credentials, etc.);
  • Account credentials (Social media apps, third-party services, etc.);
  • Usage data (Time, features used, launch frequency, and more).

By enabling the GPC signal, you assert your opt-out right: sites that honor the signal, and those legally required to, must stop selling or sharing the information listed above with third parties. GPC does not by itself stop a site from collecting the data it needs to operate; it governs what the site may do with that data afterwards.
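What a site has to do to honor the signal is easy to show in code. The handler below is an added example, not code from this page or from any GPC implementation. The `Sec-GPC: 1` request header and the `/.well-known/gpc.json` resource are defined by the GPC specification; the decision order (the signal takes precedence over a stored opt-in, which the site should then ask the user to re-confirm), the `default_allow` setting and the tag registry are assumptions for illustration.

```python
"""Honouring the Global Privacy Control signal on the server side (added example).

A GPC-enabled browser or extension sends `Sec-GPC: 1` with each request. The
site decides per request whether the user's data may be sold or shared, and
strips third-party sharing tags from the page when it may not.
"""
import json

GPC_HEADER = "sec-gpc"  # header names are compared case-insensitively


def gpc_opt_out(headers):
    """True only for `Sec-GPC: 1`; any other value, or no header, is no signal."""
    for name, value in headers.items():
        if name.lower() == GPC_HEADER:
            return value.strip() == "1"
    return False


def sharing_decision(headers, stored_choice=None, default_allow=True):
    """Decide whether this request's data may be sold/shared with third parties.

    stored_choice: "opt_out" or "opt_in" recorded for a known user, or None.
    default_allow: what applies with neither a signal nor a stored choice;
    assumption here is an opt-out regime, so the default is True. The signal
    takes precedence over a stored opt-in (conservative reading): a site that
    wants to keep sharing should re-confirm consent rather than ignore it.
    """
    if gpc_opt_out(headers):
        return {"share_allowed": False, "basis": "gpc-signal"}
    if stored_choice == "opt_out":
        return {"share_allowed": False, "basis": "stored-opt-out"}
    if stored_choice == "opt_in":
        return {"share_allowed": True, "basis": "stored-opt-in"}
    return {"share_allowed": default_allow, "basis": "site-default"}


# Hypothetical tag registry: page tags that hand user data to third parties.
THIRD_PARTY_TAGS = {"ads-pixel", "retargeting-script"}


def filter_tags(tags, decision):
    """Remove third-party sharing tags from a page when sharing is not allowed;
    first-party tags (analytics kept in-house, session handling) stay."""
    if decision["share_allowed"]:
        return list(tags)
    return [tag for tag in tags if tag not in THIRD_PARTY_TAGS]


def well_known_gpc(last_update="2023-09-01"):
    """Body for GET /.well-known/gpc.json, announcing that GPC is honoured."""
    return json.dumps({"gpc": True, "lastUpdate": last_update})


if __name__ == "__main__":
    request_headers = {"Host": "example.test", "Sec-GPC": "1"}  # constructed request
    decision = sharing_decision(request_headers, stored_choice="opt_in")
    print(decision)
    print(filter_tags(["session", "analytics", "ads-pixel", "retargeting-script"], decision))
    print(well_known_gpc())
```

The value check matters: the specification defines only the value `1`, so treating any present header as an opt-out would let a stray `Sec-GPC: 0` from a misconfigured proxy opt users out silently, while treating `1 ` with trailing whitespace as absent would ignore a valid signal.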

The significance of data privacy and how GPC can help

Data privacy is more critical than ever due to the unprecedented exchange and collection of data on the internet. Digital entities actively collect your valuable data, including personal information, browsing habits, location, financial details, etc.

By creating vast repositories of your data, websites and apps gain insights into your online behavior and use them to tailor:

  • Ads;
  • UI/UX design;
  • Site content;
  • Products;
  • Services.

However, by doing so, they increase your exposure to security breaches and privacy infringements. Attackers actively target sensitive information such as your IP address to orchestrate various attacks, including:

  • Distributed Denial of Service (DDoS) attacks;
  • Spoofing;
  • Ransomware and spyware;
  • Man-in-the-Middle attacks;
  • Brute force attacks, etc.

You can reduce this exposure with a virtual private network (VPN). A VPN hides your real IP address from the sites you visit and encrypts the traffic between your device and the VPN server, so an attacker on the local network cannot read it. It does not stop the sites themselves from collecting the data you give them, which is the gap GPC addresses.

However, you can take data protection to a whole new level by combining Global Privacy Control with VPN and other essential cybersecurity tools, such as:

  • Anti-malware software;
  • TLS (SSL) certificates;
  • Multi-factor authentication;
  • Intrusion detection systems, etc.

Preserving data privacy is crucial for protecting valuable data and building trust between users and digital platforms. As it stands, GPC is one of the few initiatives that can reduce exposure proactively, by limiting the flow of user data to third parties before a breach happens.

Benefits of adopting Global Privacy Control

Below are the key benefits of adopting GPC on websites or apps:

1. Data security & privacy enhancement

GPC lets you opt out of nonconsensual or unauthorized sharing of your data. A site that honors the signal may still use your personal information for the core purpose you provided it for, such as logging into your account or completing a transaction, but may not sell or share it with third parties.

With fewer third parties receiving your browsing activity, usage and online behavior, there is less of your data sitting in databases you do not control, which reduces the risk of profiling-based attacks, identity theft, and unauthorized access.

2. Transparent data collection and usage

If your business relies on collecting user data, honoring GPC is a way to make collection and usage transparent. You can state how your site or app collects, processes, and shares user data, and show that the user’s opt-out is respected. This transparency allows visitors, customers, or users to make more informed decisions about engaging with your site or app.

3. Building trust & credibility

If you run an online business, one of the best ways to build trust with users is by respecting their online privacy preferences. Implementing GPC and honoring “Do Not Sell or Share My Data” requests is also a strong branding and marketing message.

Demonstrating that you care about your user’s privacy needs can improve credibility and foster a long-term relationship with them.

4. Compliance with privacy regulations

In the post-pandemic age, there’s an increased focus on data privacy regulations worldwide, including (but not limited to):

  • General Data Protection Regulation (GDPR) – EU, and the UK GDPR;
  • California Consumer Privacy Act (CCPA);
  • California Privacy Rights Act (CPRA);
  • Personal Information Protection and Electronic Documents Act (PIPEDA) – Canada;
  • Health Information Technology for Economic and Clinical Health Act (HITECH), etc.

These regulations impose strict privacy requirements you must adhere to, and failure to comply can lead to heavy fines and legal liabilities. In California, the CCPA regulations treat a GPC signal as a valid request to opt out of the sale or sharing of personal information, so businesses subject to them must honor the signal. Moreover, when users learn you are non-compliant, they will hesitate to visit your site or use your app.

5. Empowering user control

Global Privacy Control gives users direct control over whether the data they share on digital platforms is passed on. You set your sharing preference once in your browser and can choose not to have your data sold or shared with third-party companies, whether directly or through the site or app.

This user-centric approach promotes a sense of ownership and helps businesses mitigate security risks.

Conclusion

As the world rapidly shifts to a digital-first economy, you must take the necessary steps to safeguard data privacy.

With our commitment to Global Privacy Control (GPC), you can maximize data control and privacy protection. So, feel free to delve into our wealth of resources and empower yourself with the knowledge to fortify your online defenses.

The post What Is Global Privacy Control (GPC), and how can it help you protect your data? appeared first on Cybersecurity Insiders.


More mobile devices, more problems. The business landscape has shifted dramatically, as more endpoints connect to corporate networks from a wider variety of locations and are transmitting massive amounts of data. Economic forces and a lengthy pandemic have caused a decentralization of the workforce and increased adoption of a hybrid workplace model.

Today, employees are more mobile than ever.

The modern workforce and workplace have experienced a significant increase in endpoints, or devices connecting to the network, and managing these diverse endpoints across various geographic locations has grown in complexity.

Here’s an analogy: imagine a bustling city, with its many roads, highways, and intersections. Each road represents a different endpoint, and the city itself symbolizes your corporate network. As the city grows and expands, more roads are built, connecting new neighborhoods and districts. Our corporate networks are like expanding cities.

But along with digital transformation and a distributed workforce, the cybersecurity landscape is evolving at an equal pace. The multitude of endpoints that connect to the network is widening the attack surface that bad actors with malicious intent can exploit.

From a cybersecurity perspective, more endpoints represent a significant business risk. Organizations need to understand the importance of managing and securing their endpoints and how these variables are intertwined for a complete endpoint security strategy.

The evolution of Mobile Device Management (MDM)

Traditional MDM has existed in some form since the early 2000s, when smartphones entered the marketplace. MDM has evolved over the last few decades, and in some way, Unified Endpoint Management (UEM) represents this modern evolution. Today, UEM has become a prominent solution for modern IT departments looking to secure their expanding attack surfaces.

UEM is more than just managing endpoints. The “unified” represents one console for deploying, managing, and helping to secure corporate endpoints and applications. UEM offers provisioning, detection, deployment, troubleshooting, and updating abilities. UEM software gives IT and security departments visibility and control over their devices as well as their end-users, delivered through a centralized management console.

For a more detailed discussion of mobile device security, check out this article.

What is the difference between MDM and UEM?

UEM and MDM are both solutions used to manage and secure an organization’s devices, but their scope and capabilities differ.

MDM is a type of security software used by an IT department to monitor, manage, and secure employees’ mobile devices deployed across multiple mobile service providers and across multiple mobile operating systems being used in the organization. MDM is primarily concerned with device security, allowing organizations to enforce policies, manage device settings, monitor device status, and secure devices if lost or stolen.

On the other hand, UEM is a more comprehensive solution that manages and secures not just mobile devices but all endpoints within an organization. This includes PCs, laptops, smartphones, tablets, and IoT devices. UEM solutions provide a single management console from which IT can control all these devices, regardless of their type or operating system.

The need for comprehensive endpoint protection

As the number of endpoints increases with the rise of a mobile workforce, so does the need for comprehensive endpoint protection. This includes the use of encryption, secure configurations, and secure communication channels.

Encryption is a critical security measure that helps protect data in transit and at rest. By encrypting data, you can ensure that even if a device is lost or stolen, the data on it remains secure and inaccessible to unauthorized users.

Secure configurations are another crucial aspect of endpoint protection, which involves setting up devices to minimize vulnerabilities and reduce the attack surface. For example, this could include disabling unnecessary services, limiting user privileges, or implementing secure settings for network connections.

For protecting data in transit, secure communication channels are essential. This can be achieved by leveraging Virtual Private Networks (VPNs), which encrypt the data being transmitted and provide a secure tunnel for communication.

The role of MDM in enforcing security measures

MDM solutions play a key role in enforcing these security measures consistently across all devices. MDM allows organizations to manage and control device settings, ensuring that all devices adhere to the organization’s security policies.

For example, MDM solutions can enforce encryption policies, ensuring that all data stored on the device is encrypted. They can also enforce secure configurations, such as requiring devices to have a passcode or biometric authentication, and disabling features that pose a security risk, such as USB debugging on Android devices.

Check out this infographic for a visual representation of mobile security.

Implementing DLP policies within MDM solutions

Data Loss Prevention (DLP) policies are another crucial aspect of endpoint protection. These policies help prevent unauthorized data exfiltration, whether intentional or accidental.

MDM solutions can help enforce DLP policies by controlling what data can be accessed on the device, and how it can be shared. For example, MDM solutions can prevent sensitive data from being copied to the clipboard or shared via unsecured communication channels.

Security benefits of MDM and UEM

MDM (and by extension, UEM) delivers many benefits for organizations, with the most appealing being reduced costs across multiple departments. By automating many IT tasks and processes, UEM often lowers overhead costs and hardware expenditures.

Other key benefits are as follows:

Offers endpoint management integration with multiple platforms: One of the major selling points of UEM software is its ability to integrate with a variety of platforms, including Windows 10, macOS, Linux, Chrome OS, iOS, and Android, among others. With UEM, your business can configure, control, and monitor devices on these platforms from a single management console.

Provides data and app protection across the attack surface: UEM protects corporate data and applications, reducing cybersecurity threats. This protection is accomplished by providing conditional user access, enforcing automated rules, enforcing compliance guidelines, providing safeguards for data loss, and empowering IT administrators to identify jailbreaks and OS rooting on devices.

Helps establish a modern Bring Your Own Device (BYOD) security stance: An effective UEM deployment can go a long way in maintaining the user experience for employees, regardless of who owns the device. UEM can be an effective tool for patching vulnerable applications, updating to the latest OS version, and enforcing the use of endpoint security software that actively protects BYOD devices from network-based attacks, malware, and vulnerability exploits.

Authentication: With the increase in cyber threats, implementing robust authentication measures has become more important than ever. This includes multi-factor authentication, biometric authentication, and other advanced authentication methods.

Enhanced mobile security: As the use of mobile devices for work purposes increases, so does the need for enhanced mobile security. This includes leveraging advanced security measures such as encryption, secure containers, and mobile threat defense solutions.

Remote data wiping: In the event of a device being lost or stolen, or if an employee leaves the company, it’s crucial to ensure that sensitive corporate data doesn’t fall into (or stay in) the wrong hands. UEM solutions provide the capability to remotely wipe data from devices — which can be a full wipe, removing all data, or a selective wipe, removing only corporate data while leaving personal data intact. This feature provides an essential safety net for protecting corporate data.

Application whitelisting (allowlisting): With the vast number of available applications, it is important to control which apps can be installed on corporate devices. UEM solutions allow for application allowlisting, where only approved applications can be installed on the devices, which helps to prevent the installation of malicious apps or apps that have not been vetted for security. It also ensures that employees are using approved and supported software for their work tasks.

Strategies for deploying MDM and UEM

Before rolling out any MDM or UEM solution, an organization must lay the foundation for effective deployment. By embracing a few key strategies, you can dramatically improve the chances of a successful implementation.

Establish a robust endpoint management policy: With BYOD and work from home (WFH), the risk of company data being compromised increases. Before implementing a UEM solution, an endpoint management policy is essential to ensure that all of your endpoint devices meet specific requirements.

Adopt automation: The future of enterprise device management is automation. From deployment to updates to reporting, an automated device fleet is the optimal solution. Automation helps reduce the manual effort and time spent on managing the devices, thereby increasing efficiency. Automation in MDM brings numerous benefits and has a variety of use cases. By automating tasks such as device enrolment, configuration, and updates, you can significantly reduce the time and effort required to manage mobile devices. This not only increases efficiency but also reduces the risk of human error, which can lead to security vulnerabilities.

Embrace 5G: The advent of 5G is already transforming the importance of mobile devices. The increased speed and reduced latency offered by 5G will enable more devices to be connected and managed efficiently. The increased speed offered by 5G means data can be transferred between devices and the MDM server much faster, enabling quicker updates, faster deployment of applications, and more efficient data synchronization. For instance, large software updates or security patches can be pushed to devices more quickly, reducing downtime and ensuring devices are protected against the latest threats. Reduced latency means that commands issued from the MDM server to the devices are executed almost in real-time — particularly beneficial in situations where immediate action is required, such as remotely locking or wiping a lost or stolen device.

Outsourcing enterprise mobility management: As the complexity of managing a mobile workforce increases, many organizations are considering outsourcing their enterprise mobility management, allowing them to leverage the expertise of specialized providers and focus on their core business functions.

By incorporating these trends and strategies into your MDM plan, you can ensure that your organization is well-equipped to handle the challenges of a mobile, hybrid and WFH workforce.

How AT&T Cybersecurity can help with MDM and UEM

In today’s digital landscape, securing your organization’s endpoints is more crucial than ever. AT&T Cybersecurity offers a range of endpoint security products and services designed to help you protect your laptops, desktops, servers, and mobile devices. AT&T’s unified approach to managing and securing endpoint devices provides better visibility and closes security gaps that may have been overlooked. With AT&T Cybersecurity, you can protect your organization’s reputation, safeguard against key threat vectors, simplify management, and maintain control with Zero Trust.

Don’t wait for a security breach to happen. Take a proactive approach to your organization’s cybersecurity by exploring AT&T’s endpoint security offerings. Whether you need advanced forensic mapping and automated response with SentinelOne, unparalleled visibility into IoT and connected medical devices with Ivanti Neurons for Healthcare, or high-level, end-to-end mobile security across devices, apps, content, and users with IBM MaaS360, AT&T Cybersecurity has a solution tailored to your needs.

Ready to take your MDM to the next level?

Enable your employees with precise access to the applications and data required to do their job from anywhere. Learn more about secure remote access and how AT&T Cybersecurity can work with your organization.


The post Mobile Device Management: Securing the modern workplace appeared first on Cybersecurity Insiders.