Security Art Work

During the last quarter of 2022, the Lab52 team has conducted an in-depth analysis of the threats that have been active during the period, focusing on information from both public and private sources, as well as studying the geopolitical context in order to anticipate potential campaigns.

Below is the report for the quarter, which includes the main trends of the period, along with analysis of the most sophisticated threats and the most important geopolitical events.

The intelligence gathering and analysis carried out by the Lab52 cyberintelligence team has led to a series of conclusions and generated intelligence for S2 Grupo’s security services.

Some people may be wondering what the metaverse is, or even that it goes unnoticed in their daily lives.

Avoiding technicalities, and in order to provide a simple explanation, we can say that the purpose of the metaverse is “the creation of an immersive digital world“.

That is, a world through which users, using convergent technology such as virtual reality glasses, haptic garments, etc. can perform the same activities they do in real life (going to the movies, meeting friends, studying, working, shopping, …) and that, in turn, what happens in this digital world has repercussions in their lives. For example, it could be the case of making a purchase of a product through this digital world and it arrives at your home as if you had ordered it “in the real world”.

Although the metaverse seems somewhat novel, it is a term that appeared in the 1992 play Snow Crash, where people could interact in a virtual world through avatars. This concept was also seen years later in the video game Second Life or, more recently, in the Decentreland platform where you can even buy virtual plots of land as if it were a reality.

The increasing number of data breaches in the healthcare sector is causing serious problems in management and storage. In addition, traditional security methods being used to protect healthcare applications are proving ineffective. This is why emerging technologies such as blockchain are offering new security approaches and processes for healthcare applications, providing data confidentiality and privacy.

Data breaches are one of the main cybersecurity issues in the healthcare sector. Figure 1 shows how the amount of health record data leakage has been increasing, highlighting a large change between 2018 and 2019, a date coinciding with the start of the COVID-19 pandemic.

This post and the full series has been elaborated jointly with Ana Isabel Prieto, Sergio Villanueva and Luis Búrdalo.

In previous articles of this series (see part I and part II) we described the problem of detecting malicious domains and proposed a way to address this problem by combining various statistical and Machine Learning techniques and algorithms.

The set of variables from which these domains will be characterized for their subsequent analysis by the aforementioned Machine Learning algorithms was also described. In this last installment, the experiments carried out and the results obtained are described.

The tests have been carried out against a total of 78,661 domains extracted from the a priori legitimate traffic of an organization, from which 45 lexical features belonging to the categories described above have been calculated.

This post has been written jointly with Álvaro Moreno.

Cryptocurrencies have grown so much in recent years in terms of economic volume and relevance that they have become an important target for cybercriminals. Given that exchanges, platforms where users can buy and sell these cryptocurrencies, bring together a large number of transactions and users of these assets, they have become an important target for cybercriminals, who seek to get as much money as possible by exploiting their vulnerabilities.

In this article we will cover some of the most recent attacks on these Exchange platforms and conclude with a table on other major attacks on cryptocurrency exchanges.

Crypto.com

On January 17, 2022, the Exchange platform Crypto.com  discovered that a small number of users were making unauthorized withdrawals of cryptocurrencies from their accounts worth approximately 4800 ETH and 440 BTC, plus about $66,200 in other currencies.

The response from the platform was to suspend withdrawals of any tokens while an investigation was conducted. In the end, no customers of the platform suffered any loss of funds, as the 483 affected users received a full refund.

The inheritance of object handles between processes in a Microsoft Windows system can be a good source to identify local privilege elevation (LPE) vulnerabilities. After introducing the basic concepts around this type of security weaknesses, a tool capable of identifying and exploiting them will be presented, providing Pentesters and Researchers with a new point to focus their intrusion and research actions respectively, read on!

Within a Microsoft Windows operating system, processes are able to interact with securable system objects such as files, PIPES, registry keys, threads or even other processes. To do this and through the use of the WINAPI the source process requires the O.S. of a handle to perform a certain action on the object in question.

If the appropriate permissions and/or privileges are available, the O.S. authorizes this access by delivering the aforementioned object handle to the process that requires it. From that moment on it is possible to interact with it within the limits of the requested permissions. Let’s see the following example where a source process would make use of the WinApi OpenProcess function to try to open a target process (spoolsv.exe) in order to obtain information remotely from it (PROCESS_QUERY_INFORMATION).

This post and the full series has been elaborated jointly with Ana Isabel Prieto, Sergio Villanueva and Luis Búrdalo.

In the previous article we commented on the difficulty faced by Threat Hunting analysts as a result of the high number of domains registered daily by an organization. This makes it difficult to analyze and locate potentially malicious domains, which may go unnoticed among so much traffic. For this reason, in an attempt to facilitate the analyst’s task, the use of alternative techniques based on Machine Learning is proposed. Before presenting the different tests performed, the article introduces the algorithms to be used for the detection of anomalies in the domains.

To begin with, it is necessary to comment that having a large and varied database is fundamental for a model to be able to detect potentially malicious domains reliably, since its parameters are going to be adjusted in an environment that must be similar to the real one.

However, there is great difficulty in identifying patterns in high-dimensional data, and even more difficulty in representing such data graphically and expressing them in a way that highlights their similarities and differences. This is where the need arises to use a powerful data analysis tool such as PCA (Principal Components Analysis).

This post and the full series has been elaborated jointly with Ana Isabel Prieto, Sergio Villanueva and Luis Búrdalo.

Internet brings a world of possibilities for personal development and the realization of many of the daily activities, being an indispensable piece in today’s society. On this network there are hundreds of millions of domains to access, although unfortunately not all of them are safe. Malicious domains are those used by cybercriminals to connect to command and control servers, steal credentials through phishing campaigns or distribute malware.

In many cases, these domains share certain lexical characteristics that at first glance may attract attention. For example, in phishing campaigns, domains with TLD xyz, top, space, info, email, among others, are relatively common. Similarly, attackers use DGA (Domain Generation Algorithm) techniques to create random domains to exfiltrate information, such as istgmxdejdnxuyla[.]ru. Other striking properties can be excessive hyphens, multi-level domains or domains that attempt to impersonate legitimate organizations such as amazon.ytjksb[.]com and amazon.getfreegiveaway[.]xyz.

With digitization on the rise, organizations surf to thousands of different domains, making it difficult to detect malicious domains among so much legitimate traffic. In a medium-sized organization, between 3,000 and 5,000 domains of traffic are logged daily. This volume makes it unfeasible to analyze them manually. Traditionally, part of this detection process is automated using pattern search rules, for example, rules to find domains with TLDs (Top Level Domain) used in phishing campaigns, containing the name of large companies that are not legitimate or have more than X characters.