Yara for Incident Handling: a practical case


Yara is a project that has become more and more popular for incident handling, especially over the last year, and it has been widely discussed on this and other blogs.

Here I am going to show a practical example of using it in incident handling triggered by ransomware. Over the last months there has been an increase in this type of malware which, in spite of the many warnings from those of us working in security and incident handling, is still having quite a big impact. Fortunately, in the most recent ransomware incidents I have been involved in, the compromise affected only one user each time, which allowed us to focus more on the scope of the encrypted files than on identifying the machines that might have been compromised.

Extension identification

One of the first cases we were involved in was an incident with CTB-Locker. On this occasion, a user reported a message appearing on his desktop informing him that his files had been encrypted and asking for a ransom to recover them. Once part of the incident had been contained by disconnecting the machine from the network and identifying it as the only one affected (let’s not go into this here), we went on to determine which files had been encrypted and which ones could be recovered (we would never recommend paying the ransom).

[Read more…]


Two-step authentication, or how to make it tough for a hacker

Two-step authentication is a protective measure well known among cyber security professionals, but far less known among regular users. This article aims to explain it to everyone, as home user accounts are more and more targeted by hackers. We… [Read more…]


Taking apart office automation documents with OfficeMalScanner


One of the main routes of malware infection is through office documents. They are a very potent infection vector, especially in targeted attacks and phishing campaigns.

These documents are crafted to carry hidden macros, OLE objects, executables, etc., which, once the user opens the document, carry out a series of malicious actions to obtain information with the aim of profiting from it or simply damaging the system. Generally, this kind of generic malware downloads further malware from the Internet (droppers), exploits system vulnerabilities, replicates itself to ensure it persists on the system, exfiltrates user information, etc.

A very useful tool for analyzing and detecting anomalous patterns in office documents is the “OfficeMalScanner” suite, which you can download from the author’s website, http://www.reconstructer.org/.

[Read more…]


Clearing up the complexity: Security for non-technicians

IT security is almost always complex, covering many different areas and giving the impression of a technical equivalent of a doctor’s handwriting. Who hasn’t witnessed a moment where two security technicians start talking about the “APT exploiting… [Read more…]


CurrentVersion\Run\Barbicas

Editor’s Note: tomorrow morning our colleague Antonio Sanz is going to give a talk on the malware described in this post, and on the handling of the incident associated with its detection, at CCN-CERT’s 8th STIC Conference. Last August,… [Read more…]


APT: bot exfiltration

In the world of advanced persistent threats, or APTs, the techniques used by malware artifacts play an important role in communicating with and exfiltrating information through C2s (Command & Control). In this sense, there are as many as there are protocols and… [Read more…]


The attack of the mutant coffee machines


The other day, a friend told me that he was at work, having a coffee; one of those from the machine that are now standard in most companies, you know, a Nespresso. When he pushed the button something strange happened and the machine got stuck in a loop —they get more and more like computers— and the lights were flashing. He turned it off and then on again (my friend is a computer engineer) and everything worked out fine —just like a computer— and he could satisfy his need for caffeine.

A few minutes later, while enjoying his coffee and a chat (my friend is Spanish), he got a call from someone identifying themselves as a member of the coffee machine’s maintenance service staff asking him if there was any problem with the machine. With the coffee machine? No… well, yes, but how did you know? You have it monitored? It’s sent you a fault message? How did it do that? Ah! 3G… No, I didn’t know. Thanks. Bye.

My friend was somewhat mind-boggled. It hadn’t occurred to him the machine could have a direct line out. Not that it was a bad idea. In fact, it’s an excellent idea for the maintenance service, as they can detect faults, even carry out preventive maintenance and, of course, analyze user consumption patterns: when most coffees are taken, how long the machine is working, whether it usually runs out of water or the user fills it before it empties, whether it overheats. All the necessary information not only to maintain the machine, but to improve design on later versions as well, or even optimize performance by simply updating the software (firmware to be more exact) controlling the device.

[Read more…]


MUSES: Our best corporate security wishes

In line with a recent Security Art Work post, it is quite easy to conclude that corporate security makes no sense without user awareness and the promotion of policies. Corporate security policies, if they exist at all, are often a pipe dream: almost all… [Read more…]


Hunting traditional vulnerabilities on ICS systems


Several months ago (October 2013, if I recall correctly), I found some vulnerabilities on an HMI from OMRON. I wrote a post in Spanish describing the almost endless process we went through from the discovery of the vulnerability to its publication (you can check the automatic Google translation here, though I assume no responsibility).

Ten months later, we got the green light from OMRON (with great work by ICS-CERT and other CERTs), probably mostly pressed by our decision to publish the vulnerability in mid-to-late July. Lucky we’re the good guys. Now the vulnerability has been released: Advisory (ICSA-14-203-01), Omron NS Series HMI Vulnerabilities, so let’s go through the (few) details.

[Read more…]


Avoiding Dionaea service identification


(Please note this post has been translated, so some strings may appear in Spanish, mainly service names.)

In previous posts we have already talked about Dionaea (Spanish), a low-interaction honeypot that offers a variety of network services. The main problem we face when deploying a honeypot is how to customize its services so that scanning tools cannot identify them. The longer an attacker takes to realise they are interacting with a honeypot, the more likely we are to be able to analyze their methodology, capture exploits, binaries, etc.

We will install Dionaea and modify some of its services to avoid identification by the most popular network scanner: Nmap.

We can get Dionaea from its project page, along with the steps for its installation. In our case we used Ubuntu 12.04 as the base operating system. The services active by default are:

[Read more…]
