Category: Detect

This blog was written by an independent guest blogger.

APIs are a crucial tool in today’s business environment. Allowing applications to interact and exchange data and services means that companies can provide an ever-greater range of features and functionalities to their clients quickly and easily. So, it is no wonder that a quarter of businesses report that APIs account for at least 10% of their total revenue – a number that will only increase in coming years.

But for all their benefits, APIs also create security concerns for organizations. In one survey of API users, 91% reported an API-related security incident. Unfortunately, API security efforts within many organizations are simply not sufficient, exposing the company and its clients to attack and loss of sensitive data. 

Every business that uses APIs, indeed every business even thinking about using APIs, should have a solid API security strategy in place. This article reviews API vulnerabilities and outlines steps organizations should take to secure their APIs.

The importance of APIs

APIs provide numerous benefits for both businesses and their customers. At its most basic level, an API is simply a tool that allows an application to communicate with external applications and data sources. Developers can leverage these connections to create new applications, functionalities, and analytical tools, speeding the pace of business innovation and constantly improving user experience.

APIs facilitate everything from online payment systems and banking to travel aggregator services, social media, and media streaming services. They are also an important part of the rapidly expanding cryptocurrency world. 

Crypto developers use APIs to build decentralized applications (DApps) on blockchains. APIs also interact with the smart contracts that control everything from transactions to the formation of decentralized autonomous organizations (blockchain governance structures known colloquially as DAOs).

APIs also ease data sharing among corporate applications, reducing the need for repetitive and wasteful data entry. And they are an essential part of automating many business functions. And in a business environment that increasingly includes remote workers, they help businesses build effective collaboration tools to ensure that their teams continue to work well, even when virtual.

Businesses can also use APIs for advanced competitive intelligence programs. Not only can they simplify the aggregation of competitive data from a range of sources, but they are integral in building effective data analytics and display tools. 

They can even be used to continuously track changes to your competitors’ websites so you can always be on top of the latest innovations in your industry (e.g., with tools like Visualping).  

API security vulnerabilities

Because APIs are such a dominant part of the business landscape, cyber attackers have targeted them with growing frequency. Gartner predicted that API attacks would be the most common attack vector this year, and that prediction is rapidly proving true.

Some of the world’s largest and most sophisticated companies have suffered widely publicized data breaches resulting from API attacks. And as businesses have painfully learned, hackers have many different ways to attack APIs.

Targeting code vulnerabilities

As with any software, APIs are only as good as their underlying code. Poor coding of APIs creates inherent vulnerabilities that hackers are only too happy to exploit.

DDoS attacks

Distributed denial of service attacks, which attempt to render APIs completely unavailable to users by overwhelming them with traffic, are rapidly increasing in frequency. One reason is the increase in e-commerce in recent years. DDoS attacks can prevent access to inventories by adding stock to carts that they then never check out (denial of inventory attack).

Failed authentication and access control policies

It is crucial for organizations to strictly control API access and require strong authentication. Company API security policies should include role-based access control, least privilege, and zero trust policies to limit opportunities for hackers to interfere with APIs using compromised credentials. These policies will also help restrict how far a successful hacker can get within company systems using compromised credentials, especially if companies strictly limit granting wide-ranging privileges to users.

Man-in-the-Middle (MitM) attacks 

Hackers can insert themselves between users and APIs by intercepting and changing the communications between them. Using MitM attacks, hackers can gain access to sensitive user accounts and information, which they can use to exfiltrate company data. The danger of MitM attacks increases when companies do not apply transport layer security (TLS) in their APIs.

Securing your APIs

So what steps do businesses need to take to have the best security possible when using APIs? 

Build an API inventory

The first step is to know what APIs you have and how you use them. A complete API inventory, including whether you have multiple versions of a given API, allows you to minimize your overall attack surface by eliminating unused or outdated APIs. An API inventory also helps you prioritize your security efforts, directing resources towards your most critical systems.

Create effective API security policies

API vulnerabilities start well before a hacker ever enters the picture. Unfortunately, many companies don’t adequately protect their API assets because they don’t have API security policies in place, or if they do, those policies are ineffective. Organizations must apply strong security policies to their API usage and routinely enforce and update those policies.

Use strong authentication methods and encryption

In addition to having policies that limit who can access your APIs, you need to verify the identity of the people and services accessing them. Authentication methods such as API key or OAuth authentication harden your APIs against attacks and reduce your attack surface.

Limit data exposure

The less data transferred through an API, the less there is for an attacker to intercept or exfiltrate. Therefore, keep data sharing across an API to what is absolutely necessary. Not only do you minimize potential breach issues, but the organization will also be in a better position concerning compliance issues.

Conclusion

APIs will only continue to grow in popularity and utility. And they will also continue to be popular attack targets. So, make sure you are taking all the necessary steps to secure your APIs against attackers. 

The post How and why you should secure APIs appeared first on Cybersecurity Insiders.

 “Approximately 64% of global CISOs were hired from another company” according to the 2021 MH Global CISO Research Report. The reasons are because of talent shortages, the role is still new to some companies, and companies have not created a succession plan to support internal promotions.

To overcome these challenges, companies can look to Virtual Chief Information Security Officer (vCISO) or a vCISO as a service provider. Companies should consider both the vCISO candidate and the additional “as a service” capabilities that the Provider brings to support the security program. This article covers what to look for when selecting a vCISO and vCISO as a service provider.

What to look for with the candidate

Businesses will want to align their CISO requirements with the skillset and background of the candidate vCISO. For example, the business may want a vCISO with security architecture experience when they are deploying a managed firewall service. Alternatively, if the business has a need to build a Security Operations Center (SOC) then a vCISO with SOC deployment experience might be preferred. While experience in a focused area is beneficial, a vCISO will have the following fundamental skills that align and preferably expand past the business security needs.

• Provide executive-level advisory and presentations.
• Create and track a risk register with identified cybersecurity gaps.
• Ability to develop, implement, and manage cybersecurity roadmap.
• Run tabletop exercises to identify business unit priorities and create alignment.
• Respond to third-party due diligence requests.
• Hardware and software assets as well as data identification and risk analysis.
• Reporting on metrics and key performance indicators (KPIs).
• Deliver and report on vulnerability and penetration testing.
• Oversee reporting, steering, and committee meetings.
• Review and update incident response plans.
• Identification, mitigation, and remediation activities for security related events.
• Policy and procedure development, updating and creation.
• Budget and planning development.
• Develop and run security awareness training.

What to look for in a vCISO as a service provider

vCISO as a service expands the vCISO from an individual contributor into a team that is engaged to lead a program or initiative. For example, instead of having a vCISO with SOC building experience, the entire team is brought in to create the program and build the SOC. Building a relationship with the Provider helps businesses quickly engage resources to support these larger types of initiatives. As the relationship grows, the business builds trust and expands into a valuable partnership. Below are items to consider when trying to find the right trusted partner.

• Access to a team of experts for a specific topic or concern through collaboration and sharing between the provider’s internal vCISO committee.
• Provide a diverse group of professionals that allow the customer to get a vCISO who can quickly engage within the customer’s timeline and budget.
• Leverage the diverse experience gained by the provider because of their engagements in different industries and business sizes from small business to global enterprise.
• Strategy frameworks and resources to build a security program and help create a succession plan.
• Meet the customer timelines and budgets through different levels of retainers and engagement models.
• Addressing security topics and strategy objectively while providing unbiased recommendations to security challenges.
• Coverage area to support regional, national, and global footprints.

The vCISO role is a flexible model to help customers manage cost, enhance quality of their deliverables, and reduce the time it takes to deliver on security activities. Engagements can be for a specific project, to provide coverage while a permanent CISO is identified, or to take on the role full-time. These benefits strengthen the relationship between customers and service provider which in turn, create the trusted partnership that is needed for stronger security.

The post What to look for in a vCISO as a service appeared first on Cybersecurity Insiders.

Cyber insurance coverage? Through the roof these days. Also, coverage is not that easy to get. The many breaches and the dollar judgements handed down make cyber insurance another costly operating investment. A mid-sized client of mine, as an example, pays $1 million in annual cyber insurance costs just to do business with its commercial and government customers.

The issue adds another twist to the topic of third-party risk. Typically, a corporation’s top tier of vendors has some form of cyber insurance. Such vendor coverage generally protects their customers from financial liability involving the breach of customer sensitive data such as Personal Identifiable Information (PII).  

Breach incidents can also include disruptions, intellectual property exfiltration, and website defacements. Lately ransom threats where the hacker demands payment for not releasing data onto dark sites have escalated. For those vendor corporations handling customer data, ranging from sales histories to financial transactions, such vendor coverage is a must instead of an option.

Yet there are those smaller supplier companies which eschew cyber insurance either by choice or through lack of awareness. Estimates vary, but those smaller uninsured companies range from 28 to 41%, according to industry reports.  Rising costs, coupled with the rigors of insurance requirements, ratchet down coverage as a priority.  

This is the crux of an escalating vendor issue facing CISO’s today: which ones pose uninsured risks? Is it simply the smaller boutique vendor? Or does scope include second tier and third tier suppliers to main vendors as well? What precautions can be taken in advance to pre-empt lack of vendor coverage across tiers? These problems have been echoed by the CISO community now faced by increasing attacks channeled through third parties.  

Here are three immediate mitigation steps CISO’s can take:   

• Know vendors to the nth degree.  Besides the standard inventory of cyber and IT suppliers, identify who are those who supply them. Do these secondary vendors have adequate coverage, and how about their subcontractors? This is not an easy task. But AT&T Cybersecurity offers vendor discovery tools, along with % risk levels, from partners such as NetSkope and BitSight. These tools help spare inter-vendor finger pointing and the “shock and surprise” in event of breach.       
• Lock down contracts. There are any number of cyber insurance requirement clauses that can be added to new contracts in progress and ones for renewal. Here’s where the CISO finds Finance and Legal resources to be invaluable partners. Together they can determine if adequate vendor coverage exists for legal fees, breach recovery and cyber vandalism.
• Cyber hygiene vigilance. Third parties still pose the greatest threat of breach despite the best of plans. No one wants to in a position where they must execute on cyber insurance in the first place CISO’s can keep cyber fences “horse high” with basic defense mechanisms such as:

• Complex passwords
• VPN use
• Encryption
• Multi-factor Authentication (MFA)
• Sound firewall rules
• Strong anti-virus
• User security awareness

Within any of these intertwined areas of defense, AT&T Cybersecurity can be of assistance.

To summarize the complete evaluation of third-party risk must now include cyber insurance readiness as a factor. No CISO is an island here, and it becomes a protective opportunity rather than a headache once the right internal business partners are engaged.  

The post Next CISO headache: Vendor cyber insurance appeared first on Cybersecurity Insiders.

Executive summary

• 2022 has experienced an increase in the number of wiper variants targeting Ukrainian entities.
• This blog post looks to explain how wipers work, what makes them so effective and provides a short overview of the most recent samples that appeared in the eastern Europe geopolitical conflict.

How does wiper malware work?

Wiper’s main objective is to destroy data from any storage device and make the information unavailable (T1485). There are two ways of removing files, logical and physical.

Logical file removal is the most common way of erasing a file, performed by users daily when a file is sent to (and emptied from) the Recycle bin, or when it is removed with the command line or terminal with the commands del/rm. This action deletes the pointer to the file but not the file data, making it recoverable with forensic tools as long as the Operative System does not write any other file in the same physical location.

However, malware wipers aim to make the data irrecoverable, so they tend to remove the data from the physical level of the disk. The most effective way to remove the data/file is by overwriting the specific physical location with other data (usually a repeated byte like 0xFF). This process usually involves writing to disk several Gigabytes (or Terabytes) of data and can be time consuming. For this reason, in addition to destroying the data, many wipers first destroy two special files in the system:

• The Master Boot Record (MBR), which is used during the boot process to identify where the Operative System is stored in the disk. By replacing the MBR, the boot process crashes, making the files inaccessible unless forensic methodologies are used.
• The Master File Table (MFT) is exclusive to NTFS file systems, contains the physical location of files in the drive as well as logical and physical size and any associated metadata. If big files need to be stored in the drive, and cannot use consecutive blocks, these files will have to be fragmented in the disk. The MFT holds the information of where each fragment is stored. Removing the MFT will require the use of forensic tools to recover small files, and basically prevents recovery of fragmented files since the link between fragments is lost.

The main difference between wipers and ransomware is that it’s impossible to retrieve the impacted information after a wiper attack. Attackers using wipers do not usually target financial reward but intend to disrupt the victim’s operations as much as possible. Ransomware operators aim to get a payment in exchange for the key to decrypt the user’s data.

With both wiper and ransomware attacks, the victim depends on their back up system to recover after an attack. However, even some wiper attacks carry ransom notes requesting a payment to recover the data. It is important that the victim properly identifies the attack they've suffered, or they may pay the ransom without any chance of retrieving the lost data.

In the last month and a half, since the war started in Eastern Europe, several wipers have been used in parallel with DDoS attacks (T1499) to keep financial institutions and government organizations, mainly Ukrainian, inaccessible for extended periods of time. Some of the wipers observed in this timeframe have been: WhisperKill, HermeticWiper, IsaacWiper, CaddyWiper, DoubleZero Wiper and AcidRain.

Most recent wiper examples

WhisperKill

On January 14, 2022, the Ukrainian government experienced a coordinated attack on 22 of their government agencies, defacing their websites. Almost all the compromised websites were developed by the same Ukranian IT company, Kitsoft, and all of them were built on OctoberCMS. Therefore, the attack vector was most probably a supply chain attack on the IT provider, or an exploitation of an OctoberCMS vulnerability, combined with exploitations of Log4Shell vulnerability (T1190).

Figure 1. Example of defaced Ukrainian government website.

In addition to the website defacement, Microsoft Threat Intelligence Center (MSTIC), identified in a report destructive malware samples targeting Ukrainian organizations with two malware samples. Microsoft named the samples WhisperGate, while other security companies labeled the downloader as WhisperGate and WhisperKill as the actual wiper, which was considered a component of WhisperGate.

The identified files were:

• Stage1 replaces the Master Boot Record (MBR) with a ransom note when the system is powered down, deeming the machine unbootable after that point. When booted up, the system displays Figure 2 on screen. Despite the ransom request, the data will not be recoverable since all efforts made by WhisperKill are looking to destroy data, not encrypt it. In this case, the wallet is most probably an attempt to decoy attribution efforts.

Figure 2. Ransom note obtained by MSTIC.

• Stage 2 attempts to download the next stage malware (T1102.003) from the Discord app, if unsuccessful, it sleeps and tries again. The payload downloaded from the messaging app destroys as much data as possible by overwriting certain file types with 0xCC for the first MB of the file. Then it modifies the file extension to a random four-byte extension. By selecting the file types to be wiped and only writing over the first MB of data, the attackers are optimizing the wiping process. This is due to not wasting time on system files and only spending the necessary time to wipe each file, rapidly switching to the next file as soon as the current one is unrecoverable. Finally, the malware executes a command to delete itself from the system (T1070.004).

HermeticWiper

A month after, on February 23rd 2022, ESET Research reported a new Wiper being used against hundreds of Ukrainian systems. The wiper receives its name from the stolen certificate (T1588.003) it was using to bypass security controls “Hermetica Digital Ltd” (T1588.003). According to a Reuters article, the certificate could have also been obtained by impersonating the company and requesting a certificate from scratch.

Figure 3. Hermetica Digital Ltd certificate.

The attackers have been seen using several methods to distribute the wiper through the domain, like: domain Group Policy Object (GPO) (T1484.001), Impacket or SMB (T1021.002) and WMI (T1047) with an additional worm component named HermeticWizard.

The wiper component first installs the payload as a service (T1569.002) under C:Windowssystem32Drivers. Afterwards, the service corrupts the first 512 bytes of the MBR of all the Physical Drives, and then enumerates their partitions. Before attempting to overwrite as much data as the wiper can it will delete key files in the partition, like MFT, $Bitmap, $LogFile, the NTUSER registry hive (T1112) and the event logs (T1070.001).

On top of deleting key file system structures, it also performs a drive fragmentation (breaking up files and segregating them in the drive to optimize the system’s performance). The combination of the file fragmentation and the deletion of the MFT makes file recovery difficult, since files will be scattered through the drive in small parts – without any guidance as to where each part is located.

Finally, the malware writes randomized contents into all occupied sectors in the partition in an attempt to remove all potential hope of recovering any data with forensic tools or procedures.

IsaacWiper

A day after the initial destructive attack with HermeticWiper, on February 24th, 2022, a new wiper was used against the Ukrainian government, as reported by ESET, without any significant similarities to the HermaticWiper used the day before.

IsaacWiper identifies all the physical drives not containing the Operative System and locks their logical partitions by only allowing a single thread to access each of them. Then it starts to write random data into the drives in chunks of 64 KB. There is a unique thread per volume, making the wiping process very long.

Once the rest of the physical drives and the logical partitions sharing physical drive with the Operative System’s volume have been wiped, this last volume is wiped by:

• Erasing the MBR.
• Overwriting all files with 64 KB chunks of random data with one thread.
• Creating a new file under the C drive which will be filled with random data until it takes the maximum space it can from the partition, overwriting the already overwritten existing files. This process is performed with a different thread, but it would still take a long time to write the full partition since both concurrent threads are actually attempting to write random data on the full disk.

Figure 4. IsaacWiper strings.

When comparing IsaacWiper to WhisperKill, the attackers’ priorities become clear. WhisperKill creators prioritized speed and number of affected files over ensuring the full drive is overwritten, since only 1 MB of each file was overwritten. On the other hand, IsaacWiper creators gave total priority to deliver the most effective wiper, no matter how long it takes to overwrite the full physical disk.

AcidRain

On the same day IsaacWiper was deployed, another wiper attacked Viasat KA-SAT modems in Ukraine, this time with a different wiper, named AcidRain by SentinelLABS. This wiper was particularly aimed at modems, probably to disrupt Internet access from Ukraine. This new wiper showed similarities to previously seen botnets targeting modems using VPNFilter. It was used in 2018, targeting vulnerabilities in several common router brands: Linksys, MikroTik, NETGEAR, and TP-Link. Exploiting vulnerabilities allowed the attackers to obtain Initial Access inside all types of networks, where the bot would search for Modbus traffic to identify infected systems with Industrial Control Systems (ICS).

The wiper used was the ELF MIPS wiper targeting Viasat KA-SAT modems, which aimed to firstly overwrite any file outside of the any common *nix installation: bin, boot, dev, lib, proc, sbin, sys, sur, etc. to then delete data from /dev/.

CaddyWiper

The first version of CaddyWiper was discovered by ESET researchers on 2022-03-14 when it was used against a Ukrainian bank. This new wiper variant does not have any significant code similarities to previous wipers. This sample specifically sets an exclusion to avoid infecting Domain Controllers in the infected system. Afterwards, it targets C:/Users and any additional attached drive all the way to letter Z:/ and zeroes all the files present in such folders/drives. Finally, the extended information of the physical drives is destroyed, including the MBR and partition entries.

A variant of CaddyWiper was used again on 2022-04-08 14:58 against high-voltage electrical substations in Ukraine. This latest version of the wiper was delivered together with Industroyer2, an evolution of Industroyer, which has the main functionn being to communicate with industrial equipment. In this case, the wiper was used with the purpose of slowing down the recovery process from the Industroyer2 attack and gaining back control of the ICS consoles, as well as covering the tracks of the attack. According to Welivesecurity, who have been cooperating with CERT-UA in this investigation, the Sandworm Team is behind this latest attack.

In this same attack against the energy station in Ukraine, other wiper samples for Linux and Solaris were observed by WeliveSecurity. These wipers leverage the shred command if present, otherwise they use the basic dd or rm commands to wipe the system.

DoubleZero wiper

On March 22, 2022 CERT-UA reported a new wiper used against their infrastructure and enterprises. Named DoubleZero, the wiper was distributed as a ZIP file containing an obfuscated .NET program. The wiper’s routine sets a hardcoded list of system directories, which are skipped during an initial wiping targeting user files. Afterwards, the skipped system directories are targeted and finally the registry hives: HKEY_LOCAL_MACHINE (containing the hives Sam, Security, Software and System), HKEY_CURRENT_USER and HKEY_USERS.

There are two wiping methods, both of which zero out the selected file.

Figure 5. DoubleZero first wiping function.

Conclusion

As we have seen in the examples above, the main objective of the attackers behind wipers is to destroy all possible data and render systems unbootable (if possible), potentially requiring a full system restore if backups aren’t available. These malware attacks can be as disruptive as ransomware attacks, but wipers are arguably worse since there is no potential escape door of a payment to recover the data.

There are plenty of ways to wipe systems. We've looked at 6 different wiper samples observed targeting Ukranian entities. These samples approach the attack in very different ways, and most of them occur faster than the time required to respond. For that reason, it is not effective to employ detection of wiper malware, as once they are in the system as it is already too late. The best approach against wipers is to prevent attacks by keeping systems up to date and by increasing cybersecurity awareness. In addition, consequences can be ameliorated by having periodic backup copies of key infrastructure available.

Associated indicators (IOCs)

The following technical indicators are associated with the reported intelligence. A list of indicators is also available in the following OTX Pulses:

• WhisperKill
• HermeticWiper and IsaacWiper
• AcidRain
• CaddyWiper
• DoubleZero

Please note, the pulses may include other activities related but out of the scope of the report.

TYPE	INDICATOR	DESCRIPTION
SHA256	a196c6b8ffcb97ffb276d04f354696e2391311db3841ae16c8c9f56f36a38e92	WhisperKill (stage1.exe)
SHA256	dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78	WhisperKill (stage2.exe)
SHA256	0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da	HermeticWiper
SHA256	1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591	HermeticWiper
SHA256	13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033	IsaacWiper
SHA256	9b4dfaca873961174ba935fddaf696145afe7bbf5734509f95feb54f3584fd9a	AcidRain
SHA256	47f521bd6be19f823bfd3a72d851d6f3440a6c4cc3d940190bdc9b6dd53a83d6	AcidRain
SHA256	Fc0e6f2effbfa287217b8930ab55b7a77bb86dbd923c0e8150551627138c9caa	CaddyWiper
SHA256	7062403bccacc7c0b84d27987b204777f6078319c3f4caa361581825c1a94e87	Industroyer2
SHA256	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe	DoubleZero
SHA256	30b3cbe8817ed75d8221059e4be35d5624bd6b5dc921d4991a7adc4c3eb5de4a	DoubleZero

 

Mapped to MITRE ATT&CK

The findings of this report are mapped to the following MITRE ATT&CK Matrix techniques:

• TA0001: Initial Access
  • T1190: Exploit Public-Facing Application
• TA0002: Execution
  • T1047: Windows Management Instrumentation
  • T1569: System Services
    • T1569.002: Service Execution
• TA0008: Lateral Movement
  • T1021: Remote Services
    • T1021.002: SMB/Windows Admin Shares
• TA0005: Defense Evasion
  • T1070: Indicator Removal on Host
    • T1070.004: File Deletion
    • T1070.001: Clear Windows Event Logs
  • T1112: Modify Registry
  • T1484: Domain Policy Modification
    • T1484.001: Group Policy Modification
• TA0011: Command and Control
  • T1102: Web Service
    • T1102.003: One-Way Communication
• TA0040: Impact
  • T1485: Data Destruction
  • T1499: Endpoint Denial of Service
• TA0042: Resource Development
  • T1588: Obtain Capabilities
    • T1588.003: Code Signing Certificates

The post Analysis on recent wiper attacks: examples and how wiper malware works appeared first on Cybersecurity Insiders.

Executive summary

• 2022 has experienced an increase in the number of wiper variants targeting Ukrainian entities.
• This blog post looks to explain how wipers work, what makes them so effective and provides a short overview of the most recent samples that appeared in the eastern Europe geopolitical conflict.

How does wiper malware work?

Wiper’s main objective is to destroy data from any storage device and make the information unavailable (T1485). There are two ways of removing files, logical and physical.

Logical file removal is the most common way of erasing a file, performed by users daily when a file is sent to (and emptied from) the Recycle bin, or when it is removed with the command line or terminal with the commands del/rm. This action deletes the pointer to the file but not the file data, making it recoverable with forensic tools as long as the Operative System does not write any other file in the same physical location.

However, malware wipers aim to make the data irrecoverable, so they tend to remove the data from the physical level of the disk. The most effective way to remove the data/file is by overwriting the specific physical location with other data (usually a repeated byte like 0xFF). This process usually involves writing to disk several Gigabytes (or Terabytes) of data and can be time consuming. For this reason, in addition to destroying the data, many wipers first destroy two special files in the system:

• The Master Boot Record (MBR), which is used during the boot process to identify where the Operative System is stored in the disk. By replacing the MBR, the boot process crashes, making the files inaccessible unless forensic methodologies are used.
• The Master File Table (MFT) is exclusive to NTFS file systems, contains the physical location of files in the drive as well as logical and physical size and any associated metadata. If big files need to be stored in the drive, and cannot use consecutive blocks, these files will have to be fragmented in the disk. The MFT holds the information of where each fragment is stored. Removing the MFT will require the use of forensic tools to recover small files, and basically prevents recovery of fragmented files since the link between fragments is lost.

The main difference between wipers and ransomware is that it’s impossible to retrieve the impacted information after a wiper attack. Attackers using wipers do not usually target financial reward but intend to disrupt the victim’s operations as much as possible. Ransomware operators aim to get a payment in exchange for the key to decrypt the user’s data.

With both wiper and ransomware attacks, the victim depends on their back up system to recover after an attack. However, even some wiper attacks carry ransom notes requesting a payment to recover the data. It is important that the victim properly identifies the attack they've suffered, or they may pay the ransom without any chance of retrieving the lost data.

In the last month and a half, since the war started in Eastern Europe, several wipers have been used in parallel with DDoS attacks (T1499) to keep financial institutions and government organizations, mainly Ukrainian, inaccessible for extended periods of time. Some of the wipers observed in this timeframe have been: WhisperKill, HermeticWiper, IsaacWiper, CaddyWiper, DoubleZero Wiper and AcidRain.

Most recent wiper examples

WhisperKill

On January 14, 2022, the Ukrainian government experienced a coordinated attack on 22 of their government agencies, defacing their websites. Almost all the compromised websites were developed by the same Ukranian IT company, Kitsoft, and all of them were built on OctoberCMS. Therefore, the attack vector was most probably a supply chain attack on the IT provider, or an exploitation of an OctoberCMS vulnerability, combined with exploitations of Log4Shell vulnerability (T1190).

Figure 1. Example of defaced Ukrainian government website.

In addition to the website defacement, Microsoft Threat Intelligence Center (MSTIC), identified in a report destructive malware samples targeting Ukrainian organizations with two malware samples. Microsoft named the samples WhisperGate, while other security companies labeled the downloader as WhisperGate and WhisperKill as the actual wiper, which was considered a component of WhisperGate.

The identified files were:

• Stage1 replaces the Master Boot Record (MBR) with a ransom note when the system is powered down, deeming the machine unbootable after that point. When booted up, the system displays Figure 2 on screen. Despite the ransom request, the data will not be recoverable since all efforts made by WhisperKill are looking to destroy data, not encrypt it. In this case, the wallet is most probably an attempt to decoy attribution efforts.

Figure 2. Ransom note obtained by MSTIC.

• Stage 2 attempts to download the next stage malware (T1102.003) from the Discord app, if unsuccessful, it sleeps and tries again. The payload downloaded from the messaging app destroys as much data as possible by overwriting certain file types with 0xCC for the first MB of the file. Then it modifies the file extension to a random four-byte extension. By selecting the file types to be wiped and only writing over the first MB of data, the attackers are optimizing the wiping process. This is due to not wasting time on system files and only spending the necessary time to wipe each file, rapidly switching to the next file as soon as the current one is unrecoverable. Finally, the malware executes a command to delete itself from the system (T1070.004).

HermeticWiper

A month after, on February 23rd 2022, ESET Research reported a new Wiper being used against hundreds of Ukrainian systems. The wiper receives its name from the stolen certificate (T1588.003) it was using to bypass security controls “Hermetica Digital Ltd” (T1588.003). According to a Reuters article, the certificate could have also been obtained by impersonating the company and requesting a certificate from scratch.

Figure 3. Hermetica Digital Ltd certificate.

The attackers have been seen using several methods to distribute the wiper through the domain, like: domain Group Policy Object (GPO) (T1484.001), Impacket or SMB (T1021.002) and WMI (T1047) with an additional worm component named HermeticWizard.

The wiper component first installs the payload as a service (T1569.002) under C:Windowssystem32Drivers. Afterwards, the service corrupts the first 512 bytes of the MBR of all the Physical Drives, and then enumerates their partitions. Before attempting to overwrite as much data as the wiper can it will delete key files in the partition, like MFT, $Bitmap, $LogFile, the NTUSER registry hive (T1112) and the event logs (T1070.001).

On top of deleting key file system structures, it also performs a drive fragmentation (breaking up files and segregating them in the drive to optimize the system’s performance). The combination of the file fragmentation and the deletion of the MFT makes file recovery difficult, since files will be scattered through the drive in small parts – without any guidance as to where each part is located.

Finally, the malware writes randomized contents into all occupied sectors in the partition in an attempt to remove all potential hope of recovering any data with forensic tools or procedures.

IsaacWiper

A day after the initial destructive attack with HermeticWiper, on February 24th, 2022, a new wiper was used against the Ukrainian government, as reported by ESET, without any significant similarities to the HermaticWiper used the day before.

IsaacWiper identifies all the physical drives not containing the Operative System and locks their logical partitions by only allowing a single thread to access each of them. Then it starts to write random data into the drives in chunks of 64 KB. There is a unique thread per volume, making the wiping process very long.

Once the rest of the physical drives and the logical partitions sharing physical drive with the Operative System’s volume have been wiped, this last volume is wiped by:

• Erasing the MBR.
• Overwriting all files with 64 KB chunks of random data with one thread.
• Creating a new file under the C drive which will be filled with random data until it takes the maximum space it can from the partition, overwriting the already overwritten existing files. This process is performed with a different thread, but it would still take a long time to write the full partition since both concurrent threads are actually attempting to write random data on the full disk.

Figure 4. IsaacWiper strings.

When comparing IsaacWiper to WhisperKill, the attackers’ priorities become clear. WhisperKill creators prioritized speed and number of affected files over ensuring the full drive is overwritten, since only 1 MB of each file was overwritten. On the other hand, IsaacWiper creators gave total priority to deliver the most effective wiper, no matter how long it takes to overwrite the full physical disk.

AcidRain

On the same day IsaacWiper was deployed, another wiper attacked Viasat KA-SAT modems in Ukraine, this time with a different wiper, named AcidRain by SentinelLABS. This wiper was particularly aimed at modems, probably to disrupt Internet access from Ukraine. This new wiper showed similarities to previously seen botnets targeting modems using VPNFilter. It was used in 2018, targeting vulnerabilities in several common router brands: Linksys, MikroTik, NETGEAR, and TP-Link. Exploiting vulnerabilities allowed the attackers to obtain Initial Access inside all types of networks, where the bot would search for Modbus traffic to identify infected systems with Industrial Control Systems (ICS).

The wiper used was the ELF MIPS wiper targeting Viasat KA-SAT modems, which aimed to firstly overwrite any file outside of the any common *nix installation: bin, boot, dev, lib, proc, sbin, sys, sur, etc. to then delete data from /dev/.

CaddyWiper

The first version of CaddyWiper was discovered by ESET researchers on 2022-03-14 when it was used against a Ukrainian bank. This new wiper variant does not have any significant code similarities to previous wipers. This sample specifically sets an exclusion to avoid infecting Domain Controllers in the infected system. Afterwards, it targets C:/Users and any additional attached drive all the way to letter Z:/ and zeroes all the files present in such folders/drives. Finally, the extended information of the physical drives is destroyed, including the MBR and partition entries.

A variant of CaddyWiper was used again on 2022-04-08 14:58 against high-voltage electrical substations in Ukraine. This latest version of the wiper was delivered together with Industroyer2, an evolution of Industroyer, which has the main functionn being to communicate with industrial equipment. In this case, the wiper was used with the purpose of slowing down the recovery process from the Industroyer2 attack and gaining back control of the ICS consoles, as well as covering the tracks of the attack. According to Welivesecurity, who have been cooperating with CERT-UA in this investigation, the Sandworm Team is behind this latest attack.

In this same attack against the energy station in Ukraine, other wiper samples for Linux and Solaris were observed by WeliveSecurity. These wipers leverage the shred command if present, otherwise they use the basic dd or rm commands to wipe the system.

DoubleZero wiper

On March 22, 2022 CERT-UA reported a new wiper used against their infrastructure and enterprises. Named DoubleZero, the wiper was distributed as a ZIP file containing an obfuscated .NET program. The wiper’s routine sets a hardcoded list of system directories, which are skipped during an initial wiping targeting user files. Afterwards, the skipped system directories are targeted and finally the registry hives: HKEY_LOCAL_MACHINE (containing the hives Sam, Security, Software and System), HKEY_CURRENT_USER and HKEY_USERS.

There are two wiping methods, both of which zero out the selected file.

Figure 5. DoubleZero first wiping function.

Conclusion

As we have seen in the examples above, the main objective of the attackers behind wipers is to destroy all possible data and render systems unbootable (if possible), potentially requiring a full system restore if backups aren’t available. These malware attacks can be as disruptive as ransomware attacks, but wipers are arguably worse since there is no potential escape door of a payment to recover the data.

There are plenty of ways to wipe systems. We've looked at 6 different wiper samples observed targeting Ukranian entities. These samples approach the attack in very different ways, and most of them occur faster than the time required to respond. For that reason, it is not effective to employ detection of wiper malware, as once they are in the system as it is already too late. The best approach against wipers is to prevent attacks by keeping systems up to date and by increasing cybersecurity awareness. In addition, consequences can be ameliorated by having periodic backup copies of key infrastructure available.

Associated indicators (IOCs)

The following technical indicators are associated with the reported intelligence. A list of indicators is also available in the following OTX Pulses:

• WhisperKill
• HermeticWiper and IsaacWiper
• AcidRain
• CaddyWiper
• DoubleZero

Please note, the pulses may include other activities related but out of the scope of the report.

TYPE	INDICATOR	DESCRIPTION
SHA256	a196c6b8ffcb97ffb276d04f354696e2391311db3841ae16c8c9f56f36a38e92	WhisperKill (stage1.exe)
SHA256	dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78	WhisperKill (stage2.exe)
SHA256	0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da	HermeticWiper
SHA256	1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591	HermeticWiper
SHA256	13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033	IsaacWiper
SHA256	9b4dfaca873961174ba935fddaf696145afe7bbf5734509f95feb54f3584fd9a	AcidRain
SHA256	47f521bd6be19f823bfd3a72d851d6f3440a6c4cc3d940190bdc9b6dd53a83d6	AcidRain
SHA256	Fc0e6f2effbfa287217b8930ab55b7a77bb86dbd923c0e8150551627138c9caa	CaddyWiper
SHA256	7062403bccacc7c0b84d27987b204777f6078319c3f4caa361581825c1a94e87	Industroyer2
SHA256	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe	DoubleZero
SHA256	30b3cbe8817ed75d8221059e4be35d5624bd6b5dc921d4991a7adc4c3eb5de4a	DoubleZero

 

Mapped to MITRE ATT&CK

The findings of this report are mapped to the following MITRE ATT&CK Matrix techniques:

• TA0001: Initial Access
  • T1190: Exploit Public-Facing Application
• TA0002: Execution
  • T1047: Windows Management Instrumentation
  • T1569: System Services
    • T1569.002: Service Execution
• TA0008: Lateral Movement
  • T1021: Remote Services
    • T1021.002: SMB/Windows Admin Shares
• TA0005: Defense Evasion
  • T1070: Indicator Removal on Host
    • T1070.004: File Deletion
    • T1070.001: Clear Windows Event Logs
  • T1112: Modify Registry
  • T1484: Domain Policy Modification
    • T1484.001: Group Policy Modification
• TA0011: Command and Control
  • T1102: Web Service
    • T1102.003: One-Way Communication
• TA0040: Impact
  • T1485: Data Destruction
  • T1499: Endpoint Denial of Service
• TA0042: Resource Development
  • T1588: Obtain Capabilities
    • T1588.003: Code Signing Certificates

The post Analysis on recent wiper attacks: examples and how wiper malware works appeared first on Cybersecurity Insiders.

Stories from the SOC is a blog series that describes recent real-world security incident investigations conducted and reported by the AT&T SOC analyst team for AT&T Managed Extended Detection and Response customers.

Executive summary

Once a malicious actor has gained initial access to an internal asset, they may attempt to conduct command and control activity. The ‘Command and Control’ (C&C) tactic, as identified by the MITRE ATT&CK© Framework, consists “of techniques that adversaries may use to communicate with systems under their control within a victim network.” Cobalt Strike is an effective adversary simulation tool used in security assessments but has been abused by malicious actors for Command and Control of victim networks. If configured by attackers, it can be used to deploy malicious software, execute scripts, and more.

This investigation began when the Managed Extended Detection and Response (MXDR) analyst team received multiple alarms involving the detection of Cobalt Strike on an internal customer asset. Within ten minutes of this activity, the attacker launched a Meterpreter reverse shell and successfully installed remote access tools Atera and Splashtop Streamer on the asset. These actions allowed the attacker to establish multiple channels of command and control. In response, the MXDR team created an investigation and informed the customer of this activity. The customer determined that an endpoint detection and response (EDR) agent was not running on this asset, which could have prevented this attack from occurring. This threat was remediated by isolating the asset and scanning it with SentinelOne to remove indicators of compromise. Additionally, Cobalt Strike, Atera, and Splashtop Streamer were added to SentinelOne’s blacklist to prevent unauthorized execution of this software in the customer environment.

Initial alarm review

Indicators of Compromise (IOC)

An initial alarm was triggered by a Windows Defender detection of Cobalt Strike on an internal customer asset. The associated log was provided to USM Anywhere using NXLog and was detected using a Windows Defender signature. Multiple processes related to Cobalt Strike were attached to this alarm.

Cobalt Strike, as mentioned previously, is a legitimate security tool that can be abused by malicious actors for Command and Control of compromised machines. In this instance, a Cobalt Strike beacon was installed on the compromised asset to communicate with the attacker’s infrastructure. Windows Defender took action to prevent these processes from running.

Immediately following the Cobalt Strike detection, an additional alarm was triggered for a Meterpreter reverse shell.

A Meterpreter reverse shell is a component of the Metasploit Framework and requires the attacker to set up a remote ‘listener’ on their own infrastructure that ‘listens’ for connections. Upon successful exploitation, the victim machine connects to this remote listener, establishing a channel for the attacker to send malicious commands. A Meterpreter reverse shell can be used to allow an attacker to upload files to the victim machine, record user keystrokes, and more. In this instance, Windows Defender also took action to prevent this process from running.

Expanded investigation

Events search

During post-exploitation, an attacker may leverage scheduled tasks to run periodically, disable antivirus, or configure malicious applications to execute during startup. To query for this activity, specific event names, such as ‘Windows Autostart Location’, ‘New Scheduled Task’, and events containing ‘Windows Defender’, were added to a filter in USM Anywhere. An additional filter was applied to display events occurring in the last 24 hours. This expanded event search provided context into attacker activity around the time of the initial Cobalt Strike and Meterpreter alarms.

Event deep dive

Just after the Cobalt Strike and Meterpreter detections, a scheduled task was created named “Monitoring Recovery.” This task is identified by Windows Event ID 106:

This scheduled task was used to install two remote monitoring and management (RMM) applications: Atera and Splashtop Streamer.

Shortly after this task was created and executed, an event was received indicating “AteraAgent.exe” was added as a Windows auto-start service.

AteraAgent.exe is associated with Atera, a legitimate computer management application that allows for remote access, management, and monitoring of computer systems, but has been abused by attackers for command and control of compromised systems.

This change was followed by an event involving “SRService.exe” being added as a Windows auto-start service on this asset:

SRService.exe is associated with Splashtop Streamer Service, a remote access application commonly used by IT support, also abused by attackers for C&C communications.
At this point, the attacker attempted to create multiple channels for command and control using Cobalt Strike, Meterpreter, Atera, and Splashtop Streamer. While the Cobalt Strike and Meterpreter sessions were terminated by Windows Defender, Atera and Spashtop Streamer were successfully added as startup tasks. This allowed the attacker to establish persistence in the customer environment. Persistence, as identified by the MITRE ATT&CK framework, allows the attacker to maintain “access to systems across restarts, changed credentials, and other interruptions that could cut off their access.”

Response

Building the investigation

All alarms and events were carefully recorded in an investigation created in USM Anywhere. The customer was immediately contacted regarding this compromise, which lead to an ‘all-hands-on-deck’ call to remediate this threat. This compromise was escalated to the customer’s Threat Hunter, as well as management and Tier 2 analysts.

Customer interaction

The MXDR team worked directly with the customer to contain and remediate this threat. This asset was quarantined from the customer network where it was scanned for malicious indicators using SentinelOne. The customer installed the SentinelOne EDR agent on this asset to protect it from any current threats. Additionally, the unauthorized applications Cobalt Strike, Meterpreter, Atera, and Splashtop Streamer were added to SentinelOne’s blacklist to prevent future execution of these programs in the customer environment.

Limitations and opportunities

Limitations

While this compromise was quickly detected and contained, the customer lacked the protection required to prevent the applications Atera and Splashtop Steamer from being installed and added as Windows auto-start programs.

Opportunities

To protect an enterprise network from current threats, a multi-layered approach must be taken, otherwise known as ‘Defense in Depth.’ This entails multiple layers of protection, including Endpoint Detection and Response, implementation of a SIEM (Security Information and Event Management System), and additional security controls. With the addition of an EDR agent installed on this asset, this malicious behavior would have been prevented. AT&T’s Managed Endpoint Security (MES) provides endpoint detection and response and can be utilized along with USM Anywhere to actively detect, prevent, and notify the customer of malicious activity in their environment.

The post Stories from the SOC – Command and Control appeared first on Cybersecurity Insiders.

Image source: Freepik

This blog was written by an independent guest blogger.

As eCommerce grows, there are more issues concerning payments and security. Customers still don’t enjoy a smooth user experience, can’t access fraud-free transactions, and there are still many declined transactions.

Online shopping still lacks a seamless experience due to the risks of storing and handling sensitive account data.

The payment system uses basic details like CVV2, 3-digit security codes, expiration dates, and primary account numbers. If these details are compromised, a lot of things can go wrong. The industry is adopting a technology called “tokenization” to deal with these issues. 

Today, we will discuss this technology and help you understand how it can help.

What is tokenization?

Tokenization might sound like something complex, but the basic principle behind it is simple. It’s a process of replacing sensitive pieces of data with tokens. These tokens are random data strings that don’t hold any meaning or value to third parties.

These tokens are unique identifiers that can still hold a portions of the essential sensitive data, but they protect its security. The original data is linked to the new tokens but without giving any information that lets people reveal the data, trace it, or decipher it.

Here is a  video overview of tokenization.

The data piece is stored outside the internal system used by the business. Tokens are irreversible, so if they’re exposed, they cannot be returned to their original form.

Since the data is moved elsewhere, it’s almost impossible for someone to compromise this data.

How tokenization works

Tokenization has a wide range of applications. In eCommerce, payment processing is one of the most popular areas of tokenization and companies use tokens to replace account or card numbers, most commonly the primary account number (PAN) associated with a credit card.

The PAN is replaced with a random placeholder token, and the original sensitive data is stored externally. Once the original data needs to be used to complete transaction, it can be exchanged for the token and then transmitted to payment gateways, processors, and other endpoints using various network systems.

Example of tokenization

TokenEx is a typical tokenization platform used for eCommerce payments. The platform first intercepts the sensitive data from whichever channel it is being collected–mobile, desktop, PIN pad, etc. This data is tokenized and stored securely, and then the token is returned to the client for internal use. In the end, the sensitive data is detokenized and sent to payment-processing providers for executing and verifying transactions.

In the image below you can see how data travels on the TokenEx platform.

1. First, you have the channels through which the data is coming (“Secure Data Collection”).
2. In the bottom-middle section, you have our platform, where data is tokenized and stored (“Secure Data Storage”) before being returned to a client environment in the top-middle section (“Compliance Safe Harbor”) for safe, compliant internal use.
3. And then finally, on the right, you have the data being sent to a third party for processing (“Secure Data Transmission”), likely a payment service provider to authorize a digital transaction.

This combination of security and flexibility enables customers to positively impact revenue by improving payment acceptance rates, reducing latency, and minimizing their PCI footprint.

Image source: TokenEx

Types of tokenization

Tokenization is becoming popular in many different industries and not just eCommerce. Payments are just one of the uses of tokenization, and there are many more applications out there. Not all tokenization processes are the same, as they have different setups depending on the application.

Tokenization outside of the blockchain

Tokenization outside of the blockchain means that digital assets are traded outside of the blockchain and have nothing to do with NFTs or smart contracts. There are a variety of tokens and tokenization types outside the blockchain.

Vaultless tokenization

Vaultless tokenization is typically used in payment processing. Vaultless tokenization uses secure cryptographic devices with specific algorithms created on conversion standards that allow the safe transfer of sensitive data into non-sensitive assets. Vaultless tokens don’t require a tokenization vault database for storage.

Vault tokenization

Vault tokenization is used for traditional payment processing for maintaining secure databases. This secure database is called vault database tokenization, and its role is to store both non-sensitive and sensitive data. Users within the network decrypt tokenized information using both data tables.

NLP tokenization types

The natural language processing domain includes tokenization as one of the most basic functions. In this context, tokenization involves dividing a text into smaller pieces called tokens, allowing machines to understand natural text better. The three categories of NLP tokenization are:

1. Subword tokenization
2. Character tokenization
3. Word tokenization

Blockchain tokenization types

Blockchain tokenization divides asset ownership into multiple tokens. Tokenization on the blockchain is similar to NFTs as they behave as “shares.” However, tokenization also uses fungible tokens, and they have a value directly tied to an asset.

Blockchain tokenization allows decentralized app development. This concept is also known as platform tokenization, where the blockchain network is used as the foundation that provides transactional support and security.

NFT tokenization

One of the most popular tokenizations today is blockchain NFTs. Non-fungible tokens are digital data representing unique assets.

These assets don’t have a predetermined value (that is where the name non-fungible comes from) and can be used as proof of ownership, letting people trade various items or authenticate transactions. NFTs are used for digital art, games, real estate, etc.

Governance tokenization

This kind of tokenization is directed toward voting systems on the blockchain. Governance tokenization allows a better decision-making process with decentralized protocols as all stakeholders can vote, debate, and collaborate fairly on-chain.

Utility tokenization 

Utility tokens are created using a certain protocol allowing access to various services within that protocol. There is no direct investment token creation with utility tokens, and they provide good platform activity for improving the system's economy.

Where tokenization and eCommerce meet

Ecommerce payments have been growing for a long time, even before the global pandemic. We’re seeing a massive shift to online shopping with an exponential growth in sales. Even though the shift towards the digital world is definitive, this trend has introduced new challenges concerning security.

There’s a growing number of hackers and fraudsters looking to steal personal data. According to Risk Based Security research, in 2019 alone there were over 15 million data breaches in eCommerce. Tokenization is quickly being introduced as a way to combat fraud and convert account numbers into digital assets to prevent their theft and abuse.

Payment service providers that specialize in fraud detection can help verify transactions and devices, making it far more difficult for hackers to abuse someone’s information. Credit card and account information tokenization boosts security and protects data from external influences and internal issues.

Benefits of tokenization in eCommerce

Ecommerce companies can use tokenization to improve privacy and security by safeguarding payment information. Data breaches, cyber-attacks, and fraud can seriously affect the success of a business. Here’s how tokenization helps with all these threats. 

•  No need for extensive data control because tokens aren’t sensitive

Ecommerce businesses need to implement extensive data control protocols for handling sensitive data and ensuring there are no liabilities. It can be a really tiresome and expensive process. Tokenization removes this issue because none of the confidential data is stored internally.

•  No exposure if someone gets access to tokens

Data breaches are often fatal to businesses. They can lead to destroyed reputations, damaged business operations, loss of customers, and even legal issues. There’s no exposure of sensitive data when hackers access a database with tokenized payment records.

All payment data and personal information are safe since they aren’t stored within your systems. It’s true that this doesn’t prevent hacks, but it prevents the consequences of such events.

•  Frictionless transactions and convenience

Modern customers love simplicity. Having saved payment information and the option to press one button to make a purchase is crucial for business success. However, providing this kind of experience carries risk as companies must save payment information so that customers can reuse it.

Having multiple cards linked to an account with saved information creates liability. Tokenization can enable seamless payment options for end customers without requiring routing numbers or credit cards to be stored internally.

•  Companies can more easily comply with the PCI DSS

Companies that accept payment information and store it need to be compliant with various regulations, specifically the Payment Card Industry Data Security Standard. However, meeting these security requirements takes a lot of time and money. Payment tokenization service providers usually already have the required compliance certifications, so you’re outsourcing the majority of this responsibility to someone else.

Conclusion

We hope this post has helped you understand the basics of tokenization and how you can use it in eCommerce. The global tokenization market is estimated to grow at 21.5% CAGR, indicating that tokenization is here to stay. 

Keep in mind that we’re only scratching the surface here.

The post What is tokenization, what are the types of tokenization, and what are its benefits for eCommerce businesses? appeared first on Cybersecurity Insiders.

Stories from the SOC is a blog series that describes recent real-world security incident investigations conducted and reported by the AT&T SOC analyst team for AT&T Managed Threat Detection and Response customers.

Executive summary

The Windows ‘Administrator’ account is a highly privileged account that is created during a Windows installation by default. If this account is not properly secured, attackers may leverage it to conduct privilege escalation and lateral movement. When this account is used for administrative purposes, it can be difficult to distinguish between legitimate and malicious activity. Security best practice is to create and implement user accounts with limited privileges and disable the default ‘Administrator’ account on all machines.

The Managed Threat Detection and Response (MTDR) analyst team received 82 alarms involving the default ‘Administrator’ account successfully logging into multiple assets in the customer environment. The source asset attempting these logons was internal, successfully logging into multiple other internal assets within a short timeframe. Further investigation revealed the use of PowerShell scripts used for network share enumeration, account enumeration, and asset discovery.

Investigation

Initial alarm review

Indicators of Compromise (IOC)

An initial alarm was triggered by a built-in USM Anywhere rule named “Successful Logon to Default Account.” This rule was developed by the Alien Labs team to trigger based on successful login attempts to default Windows accounts, captured by Windows Event Log. This alarm was the first indicator of compromise in this environment which prompted this investigation.

Expanded investigation

Events search

The customer confirmed in prior investigations that the default Administrator account is widely used for legitimate administrative purposes in this environment. How does one distinguish between administrative activity and malicious activity? Additional event searching must be conducted to provide more context into this login and the actions surrounding it. To do this, filters were utilized in USM Anywhere to query for events associated with the Administrator account on the affected asset.

Event deep dive

First, the account Security Identifier (SID) was used to confirm which account was being used for this login. The SID Is a Globally Unique Identifier (GUID) that is unique to each account on a Windows System. The default Administrator Security Identifier (SID) typically ends with the Relative Identifier (RID) of 500 on Windows Systems.

A review of the event attached to this alarm confirms that the default Administrator account was used to sign in, with a SID ending with the RID of 500.

To provide more context, events originating from the source asset were queried within the last 24 hours. 40 successful logins using the Administrator account were seen from this source to other internal assets in less than 10 minutes.

These events were captured by the AlienVault Agent, which was installed directly on the source asset  to forward events to USM Anywhere.

Reviewing for additional indicators

Further review into the activity originating from the source asset reveals the use of an encoded and compressed PowerShell script. Encoding and compression effectively allow the attacker to obfuscate scripts being executed, evading detection.

Using open-source tools, we were able to decode and decompress the underlying PowerShell script:

The decoded ‘Invoke-ShareFinder’ script seen above is a function used to query for exposed network shares in a Windows domain. This tool can also be used to determine which users have access to each network share.  Exposed and insecure network shares could allow an attacker to obtain sensitive information or conduct lateral movement.

An additional event was found for the PowerShell script “Discovery.psm1” being executed on this asset. This script is used for internal network discovery using various scanning techniques.

Response

Building the investigation

With all events gathered and analysis completed, an investigation was created and submitted to the customer for review. Due to the severity of this incident and for situational awareness, a call was made to the customer to inform them of this activity.

Customer interaction

The customer took quick action to isolate the source asset, preventing further lateral movement attempts. Additionally, all affected assets were scanned using SentinelOne to ensure they were not infected with malware. Lastly, the default ‘Administrator’ account was disabled on all assets in this environment, effectively preventing future abuse of this account.

Limitations and opportunities

Limitations

The MTDR team lacked visibility into the customer’s SentinelOne EDR environment, which would have allowed for additional context and quicker response action.

Opportunities

AT&T offers Managed Endpoint Security (MES), a tool that provides comprehensive endpoint protection against malware, ransomware, and fileless attacks. MES utilizes behavioral analysis, which would have alerted analysts of malicious activity and prevented the “Discovery” and “Invoke-ShareFinder” scripts from executing on the asset. MES can also be used to conduct response actions such as isolating and scanning affected assets. 

The post Stories from the SOC – Lateral movement using default accounts appeared first on Cybersecurity Insiders.

Resilience means more than bouncing back from a fall at a moment of significantly increased threats. When addressing resilience, it’s vital to focus on long-term goals instead of short-term benefits. Resilience in the cybersecurity context should resist, absorb, recover, and adapt to business disruptions.

Cyber resiliency can’t be accomplished overnight. For the longest time, the conversation around getting the cybersecurity message across at the board level has revolved around the business language. Businesses cannot afford to treat cybersecurity as anything but a systemic issue. While the board tends to strategize about managing business risks, cybersecurity professionals tend to concentrate their efforts at the technical, organizational, and operational levels. The languages used to manage the business and manage cybersecurity are different. This might obscure both the understanding of the real risk and the best approach to address the risk. Early on in my career, I was told to think of how to transform geek to CEO speak. That piece of advice still holds true.

Why? The argument for board-level cybersecurity understanding

The reality today is that cybersecurity is a critical business issue that must be a priority for every organization. As business operations become increasingly digitized, data has become one of the most valuable assets of any organization. This has resulted in increased expectations from customers, employees, regulators, and other stakeholders that an organization has developed appropriate resilience measures to protect against the evolving cyber threat landscape. The failure to do so presents substantial risks, including loss of consumer confidence, reputational damage, litigation, and regulatory consequences.

How? Changing the narrative away from the ‘team of no.'

The ‘how’ equation comes in two distinct yet equally important parts. One is levelling-up of the board’s cybersecurity knowledge. The other ensures that security teams get board-level support. The second of these requires those teams to help change the narrative: instead of being the 'team of no,' security teams need to be seen as influencers. Enablers and not enforcers, in other words.

It's time to stop repeating how things can't be done (on security grounds). Rather, we need to preach from the business transformation book and explain how they can be. We must stop operating out of silos and build out relationships with all business players, embedding 'scenario thinking' and responsiveness into organizational cyber functioning. But just as importantly, to address the first part, the board needs to proactively plan and prepare for a cyber-crisis; only by understanding the risks can the business be in the right strategic place to combat them successfully.

Cybersecurity teams should equip the board with the following as a starting point. 

• A clear articulation of the current cyber risks facing all aspects of the business (not just IT); and
• A summary of recent cyber incidents, how they were handled, and lessons learned.
• Short- and long-term road maps outlining how the company will continue to evolve its cyber capabilities to address new and expanded threats, including the related accountabilities in place to ensure progress; and
• Meaningful metrics that provide supporting essential performance and risk indicators of successful management of top-priority cyber risks that are being managed today

Business and cybersecurity success go hand in hand

As the board’s role in cyber-risk oversight evolves, the importance of having a robust dialogue with the cyber influencers within an organization cannot be overestimated. Without close communication between boards and the cyber/risk team, the organization could be at even greater risk.

If this sounds like a cybersecurity grooming exercise, that's because it is. Preparing cybersecurity practitioners with business acumen for the board to act as the voice of educated reason isn't such a bad idea, is it? The best businesses thrive because they have people at the very top who can exert control based on informed decision-making when a crisis looms. Leaving cybersecurity out of this success equation in 2022 is a very risky game.

The post Cybersecurity and resilience: board-level issues appeared first on Cybersecurity Insiders.

This blog was written by an independent guest blogger.

In mid-March, Microsoft released a free, open-source tool that can be used to secure MikroTik routers. The tool, RouterOS Scanner, has its source code available on GitHub. It is designed to analyze routers for Indicators of Compromise (IoCs) associated with Trickbot. This article will introduce some background on the MikroTik vulnerability, the Trickbot malware, and some ways you can protect yourself.

Trickbot emerges from the darknet

Trickbot was first discovered in 2016 and, despite efforts by Microsoft to stamp it out, has continued to remain a threat online. One of the main reasons for Trickbot’s persistence is that it has continued to change and evolve over the years. As a result, Trickbot has proven to be an adaptable, sophisticated trojan of modular nature, molding itself for different networks, environments, and devices.

As Trickbot has evolved, it began to reach Internet of Things (IoT) devices like routers. Since Trickbot continuously improves its persistence capabilities by dodging researchers and their reverse engineering attempts, it has been able to maintain the stability of its command-and-control (C2) framework.

Why is the MikroTik security flaw important?

Malware is particularly dangerous because it can be ransomware, a special type of malware that takes control over your computer or devices. Trickbot, as it has grown and evolved, now includes a plug-in for backdoor access for Ryuk, a piece of ransomware with crypto-mining capabilities. 

Once it had expanded its reach to networking devices, Trickbot began infecting MikroTik routers and modules and using them as proxy servers for its C2 servers and redirecting router traffic through alternative non-standard ports.

What makes the infection of MikroTik routers so significant is that they are used by millions of homes and organizations worldwide. The broad distribution of MikroTik routers gave Trickbot extensive infrastructure. Security flaws, like the MikroTik one, can be particularly important for web design because coders that work on the back end have to ensure that web pages are secure.

How does Trickbot work?

Researchers at Microsoft on the Microsoft Defender for IoT team discovered the exact mechanism that Trickbot’s C2 system used to exploit MikroTik devices. Hopefully, by discovering its inner workings, Trickbot will be stamped out for good.

The reason hackers use Trickbot is that it allows compromised IoT devices to communicate between the C2 server and other compromised devices. Hackers then breach target routers, typically using a combination of brute force and exploits.

One of the key ways brute force techniques are used by malware to infect MikroTik devices is by utilizing default MikroTik passwords. They also exploit brute force attacks that utilize passwords harvested from other MikroTik devices. Finally, they exploit the CVE-2018-14847 vulnerability utilizing RouterOS versions older than 6.42. This exploit allows hackers to read files from the device like user.dat, which often contains passwords.

Once they’ve gotten access, they start issuing commands that redirect traffic between two ports on the router. Redirecting traffic creates the communication line between impacted devices and the C2.

In the end, catching on to how Trickbot worked involved sniffing out commands that were specific to the unique operating system, RouterOS and RouterBOARD, used by MikroTik IoT devices.

All IoT devices are vulnerable

The important takeaway for professionals and end-users is that all IoT devices are vulnerable. In fact, many journalists have recently brought attention to the dangers of networked security cameras in your home.

A professionally-installed ADT security system was exploited by a technician who used his access to watch people’s deeply personal private lives. All of these cameras were IoT devices.

Although your smart fridge probably isn’t spying on you, it’s important to remember that the security landscape continues to expand as more and more devices become connected to the Internet. Devices that perform limited functionality, like routers and cameras, can often become prime targets for hackers because they are not regularly updated like smartphones and computers.

How do you protect yourself?

Utilizing special software tools can be a great way to protect yourself from cybersecurity threats. Microsoft’s RouterOS Scanner is the go-to way to resolve the MikroTik router vulnerability. As you can see, exploiting one MikroTik device opens up the possibility for exploiting many more.

Microsoft did the tech community a huge favor by giving away their security tool for free, but this may not be the end for Trickbot. Unfortunately, as long as MikroTik devices continue to operate without having their firmware updated and their devices monitored, Trickbot will probably stay around.

Starting a cybersecurity audit can be a good way to find other ways your company might be at risk. Understanding your digital security needs is the first step in securing your network and enterprise. AT&T offers several enterprise-level cybersecurity network solutions that are worth examining.

Another thing all Internet users should do is change their default passwords to more secure unique passwords. Much of the damage done by Trickbot and the MikroTik exploits was because of default passwords shipped with the devices. Changing your default passwords will ensure that brute-forcing your network will be much harder.

Generating hard-to-guess unique passwords is actually the number one cybersecurity tip. Whether you’re starting a blog for your small business or running a large company with hundreds of staff, creating a strong password is the best way to decrease your vulnerability to cyberattacks and loss of data privacy and security.

Staying educated is another way to ensure you stay on top of cyber security threats. Many large organizations offer training to employees to help them understand the terminology surrounding IT. It’s important to continue to educate yourself, too, as threats can change, vulnerabilities can be patched, and new technologies can make how we approach security shift overnight.

Finally, enable multi-factor authentication or MFA whenever it’s available. MFA can help cut down on unauthorized device access by requiring you to authenticate your identity every time you try to log on. MFA is a critical component of building a zero-trust cybersecurity model, which is the preferred way of securing your business today.

Conclusion

From Russia hacking Ukrainian government websites to the Okta hack that demonstrated even digital security firms are vulnerable to hackers, hacks and exploits have been all over the news lately. The release of Microsoft’s MikroTik router tool marks a turn in digital security and demonstrates that companies and teams are working hard to ensure that digital security can be maintained.

The post Microsoft releases open-source tool for securing MikroTik routers appeared first on Cybersecurity Insiders.