Personal Countersurveillance (I): Facial Recognition

(Please note some of the internal links are in Spanish)

Those of us who work in the cybersecurity sector are accustomed to hearing about threats and defense measures, but almost always referring to a virtual environment. However, there are other dimensions, such as physical security, that can affect us in different ways.

This series has been inspired by the paper by Adam Harvey of the Chaos Communication Congress of 2016: “Retail Surveillance / Retail Countersurveillance”. In it I will discuss some concepts concerning surveillance systems and counter-surveillance measures that can be used to avoid recognition by third parties.

This first article focuses on facial recognition, some of its most controversial applications to date and their implications.

Figure 1: Anonymous. Image taken from http://luisjimenez.com/wp-content/uploads/2016/05/faception.jpg [Posted on 15/05/2017]

[Read more…]

The mimi (mimikatz) side of #NotPetya

(Please note some of the internal links are in Spanish)
One of the things that most caught our attention from the #NotPetya malware lab is the module that appears to contain code from the mimikatz tool. It is an automation of the process of any pentest that we believe is worth studying and treat it with love, to learn.
For the analysis we focus on the 32-bit version of the binary:
[Read more…]

The Evolution of Trickbot

From the malware lab of S2 Grupo we have been monitoring the movements of a Trojan known as Trickbot. Its relationship with Dyre, another older Trojan with which it shares many design features, and the speed at which it evolves, has captured our interest ever since we saw the first samples.

This malware is usually categorized as a banking Trojan since it has so far been very oriented towards data theft relating to banking, but its modular design allows to expand its capabilities at any time so as to perform any kind of extra action.

During its early versions, some very good analyses were already done such as those of @hasherezade in the malwarebytes blog and Xiaopeng Zhang in that of Fortinet. But the development of Trickbot has continued during the last few months, reaching version 17 in less than 6 months. So we thought that it would be interesting to check the changes it has undergone during its evolution and to delve deeper into some of its most curious techniques when performing different actions.
[Read more…]

MOSH, beyond SSH

Today, I do not think it necessary to mention what the SSH (Secure Socket Shell) protocol is, since it would be really difficult to live without it today. Therefore, SSH is considered globally as the “mega” indispensable tool for any administration work. Among the advantages of its use we can find: secure access to remote machines, access to services on other machines by creating direct or reverse tunnels, creation of proxy socks, creation of secure channels for the encapsulation of traffic from unsecured applications … etc.

Among the innumerable advantages of this protocol, there is a point that can sometimes be a great inconvenience, the performance of the connection.

To try to solve this problem and add improvements, Mosh (mobile shell) emerged, an application that offers several advantages over the traditional SSH connection. It was presented at the USENIX Annual Technical Conference 2012 by Keith Winstein & Hari Balakrishnan, M.I.T. Computer Science and Artificial Intelligence Laboratory.

[Read more…]

Mirai meets OpenSSL

It is not a surprise that new variants of Mirai and more come to light, being available to anyone the source code of the bot, the CnC server and the download server. However, they all had relatively similar features (except for the variant for Windows, of course).

On March 19 came a new version of Mirai that caught our attention because of its size. While the usual is to find Mirai binaries of around tens of Kbs, this new sample has 1.6 Mbs. The TELNET connection that preceded the download of the binary is exactly the same as in previous catches.
[Read more…]

Shadow Brokers: exploiting Eternalblue + Doublepulsar

(Just one month after publishing this post in spanish, these exploits were used in conjunction with the WanaCry ransomware to perform one of the largest worldwide cyber attacks of the last few years.
Hundreds of companies (Hospitals too) were compromised and all their data was encrypted.)

A few days ago the news broke out that the group Shadow Brokers had released a new batch of exploits of the NSA. As if this were not enough, in the github where the exploits are there is also information on how to attack the banking systems.

The vast majority of published exploits make compromising a Windows system childlike and almost as we see in movies, since they are several 0-day (now patched by Microsoft) that attack the SMB protocol in all its versions.

Of all the exploits available, the one that has drawn the most attention to the community has been the combo called Eternalblue + Doublepulsar. In this post we will explain how to deploy a test environment where you can test the exploits.

(Editor’s note: Needless to say, the information is provided for informational and didactic purposes in order to collaborate in improving the knowledge of cybersecurity technicians. Cybercriminals do not need anyone to teach them how to use exploits, and to those unsuspecting scriptkiddies who think of playing cybercriminals, well, good luck in the courts).
[Read more…]

The Russian ICC (IX): APT groups

russian-malware-analysis-temp-770x513We have talked so far about the main services that make up the Russian intelligence community in its cyber domain and we will continue to describe in successive posts the rest of the complex Russian ecosystem but, where are the allegedly Russian APTs? Groups known to everyone, such as APT28 (FancyBear, Sofacy …) or APT29 (CozyBear, The Dukes …), must be somehow related to this community … if they are not part of it, right?... Leer Más

The Russian ICC (VIII): GRU

gru_emblemThe only major Russian service which, as we have indicated, is not a direct heir of the KGB is the GRU (Glavnoye Razvedyvatelnoye Upravlenie), military unit 44388, whose aim is to provide intelligence to the Ministry of Defense, the military leadership and Russian armed forces as a whole. This service is dedicated to military intelligence, from strategic to operational, working not only in an exclusive sense of defense, but also encompassing other aspects such as politics or economy linked to the military sphere, and especially foreign intelligence – sometimes with the SVR. Since 1996, it has been entrusted with the mission of acquiring information on ecology and the environment. In order to execute these tasks, the GRU has all kinds of capabilities, from IMINT to HUMINT, through OSINT and, of course, SIGINT, capabilities that give it a sphere of action and international influence and that allow the GRU to “act in any point of the world where the need might arise, “according to statements by General Valentin Vladimirovich Korabelnikov, in an interview granted in 2006, when he was Director of GRU.... Leer Más

The Russian ICC (VII): FSO

e1470_fsoAnother of the heirs of the FAPSI is the FSO (Federal’naya Sluzhba Okhrani), identified in [1] as military unit 32152 and headed since May of this year by Major General Dmitry Kochnev (his predecessor, Evgeny Murov, was General of the Army, two ranks higher, and this in the Russian services is very important). Murov obtained very important FAPSI attributions: with more than 20,000 troops today (supposedly, since it is classified information, and various sources speak of more than 50,000), the FSO inherited and expanded the KGB’s Ninth Address, with responsibility for the protection of governmental “goods”, in the broadest sense of the word. For example, the Presidential Security Service, the PBS-Putin’s bodyguards, or control of the famous Russian nuclear briefcase depend on the FSO, as well as the operation of a secure network for the transmission of election results, GAS Vybory (Information is, obviously, an asset to be protected). Specifically, from a cyber point of view, this service has assumed, among other capacities, those associated with strategic SIGINT, the guarantee of exploitation of state systems – especially regarding its protection against foreign services – and the security of National classified information ([2]), which includes presidential communications: the FSO provides secure communications at a very high level, for example between the Kremlin and the main Russian military commanders, giving it enormous control power for the control of information …... Leer Más

What is a TDS (Traffic Director System)?

The idea to write this post came from investigating multiple cases of infections in computers because of the ubiquitous Exploit Kits (EK). A visit to a website that apparently should not carry any risk ended with the user calling the security service because he could not open his files and said that an image appeared on the screen asking him for money to recover his data. And in other cases not even that, because he had become infected with a RAT or a banking Trojan and was not aware of it.

There are simple redirection methods that are implemented directly on the web server. They are options that allow to manage the visits to this website and adapt its behavior to the preferences or characteristics of the visitors.

[Read more…]