Malware Trends. December 2016

During December we have observed, from the S2 Grupo malware laboratory, various threats that we once again want to share with you. In this type of post you will find known threats, seen in other sources or analyzed directly in our laboratory, but the goal is to show what kind of threats have been active throughout the last month.

Here is a diagram with the information collected this month from the lab:


First of all, we would like to highlight the respite that Locky has given us this month, at least for now, with tremendously reduced spam compared to the previous two months. This does not mean at all that it has disappeared; on the contrary, many emails have been arriving with “Subject:” lines such as the following: [Read more…]

The Russian ICC (V): FSB

As we indicated in previous posts, the FSB (Federal'naya Sluzhba Bezopasnosti) is the main heir of the KGB and the FAPSI. It is directed by Army General Alexander Bortnikov, and its breadth of responsibilities and power in Russia are undoubtedly marked by Vladimir Putin himself, a former director of the Service who, upon becoming President of the country, greatly strengthened the capabilities of the FSB (and its budget) as well as the presence of former Service members throughout Russian society. The FSB not only works in areas directly associated with intelligence and counterintelligence, but also reaches aspects such as social or electronic surveillance... [Read more…]

The good news from Yahoo

Yahoo has just acknowledged the theft of information relating to more than 1 billion customer accounts … in 2013. Yes, 3 years ago.

Faced with this situation, different interpretations can be found. Either, following the analysis of the incident they suffered in 2014, which they reported in September, they extended the forensic analysis of what happened backwards and discovered that in 2013 they had suffered the largest information theft ever suffered by a single company, or they already knew it and decided to report it now, before the news leaked out through another source. I can even think of a third possibility (and maybe one of you could think of a fourth): that it was a malicious leak now that Verizon is formalizing a bid for Yahoo.
[Read more…]

The Russian ICC (IV): A bit of history: FAPSI

When talking about Russia in the area of cybersecurity or, more specifically, information warfare, we must necessarily mention the FAPSI (Federal Agency of Government Communication and Information), operative between 1991 and 2003 and considered the Russian equivalent of the US NSA (Roland Heickerö, Emerging Cyber Threats and Russian Views on Information Warfare and Information Operations, FOI, Swedish Defense Research Agency, March 2010), which inherited the attributions and capabilities of the 8th (cipher) and the 16th (decryption and interception) General Directorates of the KGB. Among its functions were cryptography (cryptology and cryptanalysis), the interception of communications and even incident response capabilities as a CERT. In 2003 this powerful agency was dissolved by the Russian government, possibly because of corruption, although it also shows that an agency with more than 50,000 people was becoming a great uncontrollable monster, as had happened with the KGB in its time. After passing through the Special Information and Communications Service, a successor agency to the FAPSI that lasted only five months, its attributions were distributed among the four large Russian services: the GRU and the KGB derivatives, SVR, FSB and FSO. Each of these services has different attributions, although they obviously share capabilities, information, tactics or interests … or compete among themselves. In fact, in Putin’s Hydra: Inside Russia’s Intelligence Services (European Council on Foreign Relations, May 2016), Mark Galeotti presents us with a curious graphic summary of the roles of the Russian intelligence community, from which we select only the main services – at least in our cyber sphere:
[Read more…]

The Russian ICC (III): the Community

Undoubtedly, many people mentally associate Russian intelligence or secret services – to be exact, Soviet ones – with the KGB (Komitet gosudarstvennoy bezopasnosti, Committee for State Security). Unfortunately for the followers of Bond, the KGB, the Soviet-Russian secret service par excellence, was dismantled at the beginning of the 1990s by Mikhail Gorbachev, probably because it had become a powerful monster in terms of attributions, skills and knowledge, but especially for its alleged involvement in the failed coup d’état of August 1991. Its power was distributed mainly among three different agencies: FSB (Federal Security Service), SVR (Foreign Intelligence Service) and FSO (Federal Protection Service), which joined the historical rival of the KGB, the GRU (General Intelligence Directorate), the Russian military intelligence service that survived the fall of the USSR (perhaps because of its support for the Soviet president during the coup, unlike the KGB). SIGINT attributions were concentrated in an agency called FAPSI, equivalent to the US NSA, dismantled in 2003 and whose power, as with the KGB, was distributed among the different Russian services... [Read more…]

The Russian ICC (II). Context: Russia

Before talking about the Russian ICC, we must know that Russia is the largest country in the world, with the most kilometers (more than 20,000); it has the largest reserves of energy and mineral resources in the world still to be exploited, making it the largest energy superpower, as well as the world’s largest reserve of forest resources, and it also has a quarter of the world’s unfrozen water.

From a cyber perspective, Russia is alleged to be the only country to have carried out combined (physical and logical) military action against another country (Georgia, August 2008) or to have degraded a third country’s critical infrastructure by cyber means (Estonia, 2007). Its military and intelligence potential in this area is undoubted, as are its “physical” or traditional capabilities. The intelligence services are heavily involved in politics – it is public knowledge that Vladimir Putin was a KGB agent and director of the FSB – and in the public and private sectors, and they also maintain close relations – always alleged – with organized crime.
[Read more…]

The Russian ICC (I). Introduction: the Russians are coming!

We often talk about Russian APTs, Russian malware, Russian groups … But who are the “Russians”? In a series of posts we will analyze who “the Russians” really are, what Russia is (from the point of view of intelligence and security), what their services are – and their APTs –, what relations they have with the rest of the ecosystem of the Russian information war, what objectives they have, what information they are looking for, etc. In short, we will try to get to know the Russian Cyber Intelligence Community a little better, along with these supposedly Russian threats that we find all the time in different organizations.

Of course, all the information collected here was obtained from public sources and represents no more than private opinions, interpretations, analyses, issues … surely all of them wrong because … what exactly is attribution?

Let’s begin: as could not be otherwise (or we would not be dedicating a series to it), one of the main actors in the field of (cyber) intelligence is Russia; perhaps it is currently the country with the most sophisticated attacks: targeted, stealthy and technically brilliant, with very high rates of persistence due to the difficulty of detection (with the permission of the United States, of course …). Russian APTs usually know exactly what information they need, where it is and who handles it, and so they focus on stealing precisely that data, as we said, in the most covert way possible.
[Read more…]

Linux.Mirai: Attacking video surveillance systems

During the Olympic Games in Rio de Janeiro, one of our sensors in Brazil detected a particularly interesting intrusion into a honeypot TELNET service.

This interaction used unusual credentials: contrary to what was expected, the ones received most often were vyzxv and xc3511.

After an initial search no reference to attacks related to these credentials was found, but it was concluded that the credentials were recurrent in DVRs (Digital Video Recorders) of the Chinese brand Dahua (e.g. DH-3004). Dahua is a leading global provider of surveillance solutions which, according to the IMS 2015 report, holds the largest market share.

[Read more…]

The end of passwords … or not

It has been said and proven many times that passwords are the key that gives access to our information, and hence we give them so much importance. Today we use passwords to access our email, the bank, social networks, online shopping sites … in short, we use passwords to access any site; and of course, since passwords must be robust, and on top of that we cannot use the same one for everything, we end up going crazy. That’s why some of us use password managers, mnemonics, etc., because otherwise it is impossible.

[Read more…]

Blockchain and Cybersecurity I

Blockchain. Maybe some of you have heard of it. Others maybe not. In some circles, Blockchain is a concept that is resonating strongly, even though a fair number of people do not understand exactly what it is or why it is important. Any of us could ask: what is a blockchain?

Let’s read the definition from a random corner of the Internet: “A blockchain is a chain of blocks that contains batches of valid transactions. Each block includes the hash of the previous block of the blockchain, linking the two. The linked blocks form a chain, allowing only that block (successor) to be linked only to the other block (predecessor), giving its name to this database”.

Therefore, we could say that a blockchain is a chain of data blocks that contain transactions. Well, it doesn’t seem a promising thing, does it?

Let me highlight a small detail: a blockchain is a ledger of transactions that can be neither manipulated nor forged. Can you imagine what we could do with this?
[Read more…]