Blockchains, The Next C&C Control Medium?

A group of researchers recently published a paper claiming that bitcoin can act as an ideal C&C for botnets.

Using this method, operators piggyback on Bitcoin’s network, relaying messages to bots by embedding them in Bitcoin transactions. This offers various cost savings to the operator by removing the need to maintain an actual server for the bots to communicate with.

That said, it’s worth keeping in mind that Bitcoin transactions incur a fee, which would merit a deeper cost analysis of this scheme, and perhaps suggests using it as a very resilient backup to a conventional C&C server.

Bitcoin nodes maintain a decentralized blockchain (a distributed transaction log), which removes the need for bot-to-bot communication and possibly makes it impossible to estimate the actual size of the botnet.

The most important advantage is that C&C communication via Bitcoin’s network cannot be disrupted simply by taking down a few servers or poisoning a group of routing tables, because Bitcoin’s network is designed to resist such attacks.

It is also worth mentioning the recent rise of Ethereum, and whether its use of smart contracts could give it any significant advantages over Bitcoin for this use case.


Security Roundup - 2017-08-11

SHA2017 happened over the past several days, and videos have been going straight to its YouTube channel. There was a wide range of talks over the 4 days, meaning there is a little something for everyone, whether that is physical security, the blockchain, voting, IoT or more.

HackerOne has released its Hacker-Powered Security Report, highlighting the growth of bug bounties in non-technology verticals, with financial services and banking leading the growth, followed by media and entertainment, though the vast majority of big players in these areas still do not have programs. The study goes on to show that bug bounties are leading to higher rates of disclosure, as well as higher resolution rates and shorter times to resolve issues.

Talos Intel goes over how important it is to give actionable information, and how they try to handle it when an urgent situation is evolving in real time.

For those that love to see a teardown of potentially unwanted apps, Objective-See provides a breakdown of a new adware variant called Mughthesec. Mughthesec masquerades as a Flash installer (and indeed installs Flash), but goes on to do things like install browser extensions and inject content into browser sessions.

SpiderLabs also delivers the goods, with write-ups on Trickbot, a banking malware, and Nitol, a malware with DDoS and backdoor capabilities.

Recent NIST guidelines suggest that service providers should check for commonly used or compromised credentials, which may come from existing breaches. Troy Hunt has flipped this around, allowing people to query by password or password hash so that users can learn whether a given password is part of a breach. This is provided as a web interface, an API to integrate with, and a list of hashed passwords that can be downloaded for offline integration. At time of writing, this consists of 320 million passwords.
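As an added example (not code from this post or from Troy Hunt’s service), here is how an application could apply the NIST-style check against a downloaded list of breached-password hashes. The two-entry list below is constructed for the example, and the list format it assumes (one upper-case SHA-1 hex digest per line, with an optional “:count” suffix tolerated) and all function names are the example’s own assumptions rather than a description of the real download.

```python
import hashlib
from typing import Iterable, List, Set

# Constructed stand-in for the downloadable list: one upper-case SHA-1 hex digest
# per line. These two entries are SHA-1("password") and SHA-1("123456").
SAMPLE_PWNED_LIST = """\
5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8
7C4A8D09CA3762AF61E59520943DC26494F8941B
"""


def sha1_upper(password: str) -> str:
    """SHA-1 of the UTF-8 password as upper-case hex, the form assumed for the list."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def load_pwned_hashes(lines: Iterable[str]) -> Set[str]:
    """Load digests into a set; blank lines are skipped and an optional ':count'
    column (present in some hash-list formats) is dropped so only the digest is kept."""
    hashes: Set[str] = set()
    for line in lines:
        line = line.strip()
        if not line:
            continue
        hashes.add(line.split(":", 1)[0].upper())
    return hashes


def is_pwned(password: str, pwned: Set[str]) -> bool:
    """True when the candidate password's hash appears in the breach corpus."""
    return sha1_upper(password) in pwned


def nist_blocklist_check(password: str, pwned: Set[str], min_length: int = 8) -> List[str]:
    """Return the reasons a new password should be rejected; an empty list means accept.
    Only a length floor and the breach-corpus lookup are applied, in line with the
    guidance summarised above (no composition rules)."""
    reasons: List[str] = []
    if len(password) < min_length:
        reasons.append("shorter than %d characters" % min_length)
    if is_pwned(password, pwned):
        reasons.append("appears in a known breach corpus")
    return reasons


if __name__ == "__main__":
    corpus = load_pwned_hashes(SAMPLE_PWNED_LIST.splitlines())
    for candidate in ("123456", "correct horse battery staple"):
        print(candidate, "->", nist_blocklist_check(candidate, corpus) or "accepted")
```

A Python set is fine for a sample, but the full 320 million-entry list does not belong in memory; the same lookup works against the file kept sorted on disk (binary search) or loaded into a database keyed on the digest, and the candidate password itself never needs to leave the server.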

Last week, a typosquatting attack on npm packages was launched, relying on people making typos when installing packages. The malicious packages attempted to steal secrets when installed, while also depending on the package the user actually wanted, to avoid initial detection. Duo Security followed up with an analysis of install scripts, noting a number of privacy concerns, as well as security concerns, for some packages. These techniques are not limited to Node packages; they apply to other software package ecosystems as well.
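As an added example (not code from this post, from npm or from Duo Security), here is a small pre-install check that combines the two signals described above: a package name within a short edit distance of a known package, and lifecycle scripts in package.json that execute on the installing machine, with a bonus flag when the lookalike depends on the very package it imitates. The list of “known” packages, the package.json and all function names are constructed for the example; a real deployment would feed it a curated allow-list or registry popularity data.

```python
import json
from typing import Dict, List

# Constructed stand-in for an allow-list of packages an organisation expects to install.
KNOWN_PACKAGES = ["lodash", "express", "request", "debug", "chalk", "commander"]

# npm lifecycle hooks that run arbitrary commands at install/uninstall time.
INSTALL_HOOKS = ("preinstall", "install", "postinstall",
                 "preuninstall", "postuninstall", "prepare")


def damerau_levenshtein(a: str, b: str) -> int:
    """Optimal string alignment distance: insertions, deletions, substitutions and
    adjacent transpositions (the typo classes typosquats rely on) each cost 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def typosquat_candidates(name: str, known=KNOWN_PACKAGES, max_distance: int = 2) -> List[str]:
    """Known package names within max_distance edits of `name`, excluding an exact match."""
    return [k for k in known if k != name and damerau_levenshtein(name, k) <= max_distance]


def install_hooks(package_json_text: str) -> Dict[str, str]:
    """Lifecycle scripts declared in package.json that will run at install time."""
    scripts = json.loads(package_json_text).get("scripts", {})
    return {hook: cmd for hook, cmd in scripts.items() if hook in INSTALL_HOOKS}


def assess(name: str, package_json_text: str) -> List[str]:
    """Human-readable findings for one package; an empty list means nothing stood out."""
    findings: List[str] = []
    lookalikes = typosquat_candidates(name)
    if lookalikes:
        findings.append("name resembles known package(s): " + ", ".join(lookalikes))
    for hook, cmd in install_hooks(package_json_text).items():
        findings.append("runs code at install time via %s: %s" % (hook, cmd))
    deps = json.loads(package_json_text).get("dependencies", {})
    for lookalike in lookalikes:
        if lookalike in deps:
            findings.append("depends on the package it resembles (%s), the pattern described above" % lookalike)
    return findings


# Constructed package.json showing the pattern: lookalike name, an install-time hook,
# and a dependency on the genuine package so the typo still "works".
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "lodahs",
    "version": "1.0.0",
    "scripts": {"postinstall": "node setup.js"},
    "dependencies": {"lodash": "^4.17.4"},
})

if __name__ == "__main__":
    for finding in assess("lodahs", SAMPLE_PACKAGE_JSON):
        print("-", finding)
```

The distance threshold is deliberately small (2): most genuine packages with similar names sit further apart, and anything flagged is only a prompt for a human to look before installing, not an automatic block.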

Bleeping Computer takes us to Italy, where the US conducted an investigation that led to the arrest of 5 people. The group was leveraging Shellshock to exploit QNAP NAS devices, creating a backdoor on the system and emulating legitimate human activity in order to boost advertising revenue. When researchers started to track the group’s moves they soon noticed some rookie OpSec mistakes, such as registering domains used in the fraud with the personal email of their leader; this allowed the attacker’s identity to be revealed with a simple password reset request. A joint investigation by the FBI and the Dutch and Italian police soon followed and led to the arrest of the group.

Wikileaks revealed another Hollywood-style hacking tool, able to detect and disable webcams and microphones connected physically or wirelessly to a computer. Project ‘Dumbo’ involves a USB thumb drive equipped with a Windows hacking tool; once detection takes place the malware mutes all recording devices, disables network adapters and selectively corrupts or deletes recordings. The software needs to run with SYSTEM-level permissions and needs the USB stick to remain plugged in during the whole operation.


Security Roundup - 2017-08-04

We covered conferences earlier this week; now here is the rest:

As if ATM skimmers were not enough, there are now skimmers at gas station pumps that steal your credit card information and even text it to attackers. These skimmers appear to be wired into the pump’s power supply, meaning they can operate indefinitely without attackers ever needing to revisit the location.

For those that love visualizations and are interested in breaches, check out this interactive “World’s Biggest Data Breaches” bubble chart.

Chrome extensions are part of everybody’s workflow, making our lives easier and allowing us to be more productive. Extensions are extremely powerful and can alter every webpage open in the browser without user consent. On July 30th the authors of the CopyFish extension fell victim to a phishing attack and subsequently lost access to their Google account. The attackers hijacked the Chrome extension, adding adware injection capabilities; the new release triggered Chrome’s automatic update, infecting thousands of computers.

Palo Alto Networks offers an in-depth analysis of a webshell named TwoFace, so named because it installs a second webshell in a multi-layer system that was able to deploy different variants of the webshell and allow remote control through an embedded webserver. This threat allowed attackers to maintain persistent access to a remote server for nearly a year while they tried to exfiltrate user passwords.

Palo Alto also provides some in-depth analysis of “Foudre”, apparently an evolution of a malware strain named Infy which was taken down last year. This new strain appears to incorporate some protections against takedowns, now using a domain generation algorithm (DGA) as well as a signature mechanism to validate the C2.

The terms of Symantec’s Certificate Authority probation have been outlined. Later this year, Symantec is expected to become a subordinate certificate authority, with another certificate authority issuing certificates in its name. Next year, there will be 2 separate points at which browsers (and specifically Chrome) will distrust certificates issued by Symantec under the previous structure. This gives Symantec time to build out the new system, and its customers time to have new certificates issued, rather than disrupting Symantec’s customer base. Most certificates should get renewed naturally under this scenario.


Post-Vegas-Con Roundup - 2017-08-01

Last week was the BSidesLV, Blackhat and Defcon trifecta of security conferences. Lots of interesting news came out of them, and below are some of the things we found interesting. You can check out slides from Blackhat and Defcon.

For those interested in the physical aspects of security:

This contactless payment “borrowing” hack is pretty neat, allowing a coordinated attacker to relay contactless payment information over short distances, effectively making payments with someone else’s device.

Google researchers presented their research into the evaluation of secure USB hardware devices.

One amateur electronics developer investigated the security measures of a safe, and took advantage of several properties to take cracking it from a 4-month procedure to a maximum of 1 hour and 13 minutes.

Lots of coverage came about from setting up some voting machines to be hacked, revealing a lot of vulnerabilities including old software, accessible ports, poor Wi-Fi security allowing remote access, and more. Some of those in attendance have started blogging about the things they tried.

Google went on stage to cover the many steps they have taken to reduce the Android attack surface, having realized that exploit mitigation is not a viable strategy, especially when you are up against billions of devices. They have noticed an uptick in lower-level vulnerability disclosures, which they partially credit to their bug bounty incentives, as well as to their locking down of user space, which makes vulnerabilities higher up the stack harder to exploit.

Security researchers have been digging into the ShadowBrokers and went over some of their findings. The timing was fortuitous, in that the ShadowBrokers also posted an update last week detailing further steps to sign up for their monthly data dumps. They also commented that June’s data dump has not been leaked by whoever signed up, with July’s dump being sent to “subscribers” shortly.

Research into other bad actors led to the discovery that 95% of ransomware payouts were coordinated via the BTC-e trading platform. The research involved harvesting Bitcoin wallets from malware binaries and tracking transactions through the blockchain. As part of the research, the financials of ransomware became a little clearer, with some months clearing $2 million in payments. In related news, the owner of BTC-e has been arrested on a number of money laundering charges, related not just to ransomware but also to several Bitcoin heists from the past few years.

Researchers delved into how hackers’ control panels can have vulnerabilities themselves, allowing for takeover and shutdown of these networks.

Patrick Wardle, chief security researcher at Synack, went over his research into the Mac malware Fruitfly, for which he wrote a custom C&C server to analyze its actions in a controlled environment, which led him to reverse engineer its (in this case simple) communication protocol.

ShieldFS is a file system extension revealed at Black Hat which intends to protect against ransomware. Using machine learning to detect ransomware as it happens, ShieldFS also leverages copy-on-write to store copies of modified files, allowing easy recovery of files that were encrypted (because a copy exists).

Finally, Black Hat’s annual Pwnie Awards had their winners (and losers) announced, ranging from the Equation Group for creating the exploits behind WannaCry, to Google’s research into practical SHA-1 collisions with SHAttered.


Security Roundup - 2017-07-27

BSidesLV, BlackHat and Defcon may all be this week, but if you aren’t there and need to kill time waiting for the videos to go up, feel free to check out some security talks from SteelCon.

Check out our very own Scott Walsh’s write-up of Cisco’s mid-year cybersecurity report. Overall, exploit kits are down, being replaced by spam; this is thought to be due to Flash’s more robust patching. Business email compromise (BEC), aka phishing, costs billions per year; train your financial people to verify transactions. Ransomware continues to grow, and is now targeting medical devices. Unsurprisingly, vulnerability disclosures are followed by an uptick in attacks targeting the disclosed vulnerabilities.

Store your passwords in the cloud? Security researcher Adam Shostack puts together a dialogue around the threat model of trusting a third party with your passwords. Unsurprisingly, a big store of passwords is exactly that, a big target, but eventually every user has to decide for themselves: “What is your threat model?”

Vulnerabilities come in many shapes and sizes. One pentester goes over how his discovery of a misconfigured web server on a non-standard port gave him access to the machine and ultimately to the company’s internal network.

SambaCry has spread into the IoT world, with the emergence of a similar exploit dubbed ShellBind. Still leveraging EternalBlue, ShellBind seems to be targeting Network Attached Storage (NAS) devices, which themselves run Samba and are effectively tiny computers. Whether attackers use it just to try to mine cryptocurrency, or to pivot into another wave of attacks, remains to be seen.

What happens when a security researcher decides to test the certificate revocation workflow of Certificate Authorities? This story covers how one security researcher went from testing revocation response time to testing what sort of validation CAs do before revoking. Testing two free certificate providers, the researcher ‘forged’ a private key and hid it in a list of actually compromised keys to see what the CAs would do. While one detected something wrong with the fake key, the other CA did not. The researcher noticed that the vast majority of documents on how to check that a private key matches a public key are actually wrong in many cases. The CA in question has indicated that it has tightened up its workflow to prevent this issue going forward.
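As an added example (not code from this post, from the researcher or from either CA), here is why the commonly documented “compare the modulus” check is not proof of possession, and what a sufficient check looks like: a sign-and-verify round trip. The RSA arithmetic is written out with toy-sized constructed primes so it runs with no dependencies; the key shapes, prime values, the forged exponent and all function names are this example’s own assumptions, and a real workflow would do the same round trip with the actual key and certificate (for instance via an OpenSSL signature test) rather than with dictionaries of integers.

```python
import hashlib
from typing import Dict, Tuple

# Toy RSA parameters, constructed for illustration only; real keys are 2048+ bits.
# Requires Python 3.8+ for pow(e, -1, phi).
P, Q, E = 1000003, 999983, 65537

Key = Dict[str, int]


def make_keypair(p: int = P, q: int = Q, e: int = E) -> Tuple[Key, Key]:
    """Genuine private/public pair: d is the modular inverse of e modulo (p-1)(q-1)."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)
    return {"n": n, "e": e, "d": d}, {"n": n, "e": e}


def forge_private_key(pub: Key) -> Key:
    """A 'private key' that copies the public modulus and exponent but carries a
    meaningless private exponent: anyone with the certificate can produce this."""
    return {"n": pub["n"], "e": pub["e"], "d": 0x1234567}  # constructed bogus d


def modulus_matches(priv: Key, pub: Key) -> bool:
    """The widely documented check (compare the modulus, as 'openssl ... -modulus'
    recipes do). It only proves the submitter had the public key."""
    return priv["n"] == pub["n"]


def key_really_matches(priv: Key, pub: Key, challenge: bytes = b"constructed challenge") -> bool:
    """Proof of possession: sign a challenge with the claimed private key and verify
    with the public key. Only the genuine d satisfies m^(e*d) == m mod n."""
    n = pub["n"]
    m = int.from_bytes(hashlib.sha256(challenge).digest(), "big") % (n - 2) + 2
    s = pow(m, priv["d"], priv["n"])          # "signature"
    return pow(s, pub["e"], n) == m            # "verification"


def evaluate_claimed_key(priv: Key, pub: Key) -> Dict[str, bool]:
    """Both checks side by side, so the gap between them is visible."""
    return {"modulus_matches": modulus_matches(priv, pub),
            "signature_round_trip": key_really_matches(priv, pub)}


if __name__ == "__main__":
    genuine, public = make_keypair()
    print("genuine:", evaluate_claimed_key(genuine, public))
    print("forged: ", evaluate_claimed_key(forge_private_key(public), public))
```

Both keys pass the modulus comparison; only the genuine one survives the round trip, which is the distinction a revocation workflow has to make before acting on a submitted “compromised” key.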

Some interesting malware news in Stantinko. Recent analysis has uncovered a malware strain that has been in circulation since 2012. Stantinko has largely been used for ad fraud, but is a fully fledged backdoor with remote capabilities that have been observed in CMS brute-force attacks. The ESET community has a more detailed breakdown of how Stantinko works and the interesting ways it avoids detection.

As more strains of malware become prevalent, Microsoft has stated it is continuing its efforts in post-infection detection, under the premise that pre-infection detection will at some point fail and that defense in depth should help mitigate more advanced threats.