Blog de Seguridad de la Información de S2 Grupo
For several weeks we have been detecting a new variant of malware for Linux and IoT architectures from the malware laboratory of S2 Grupo, registered for the first time on the VirusTotal platform on October 18, which we have called Linux.Helios, due to the name of certain functions present in the sample.
We emphasize that the main antivirus signatures do not unanimously classify this sample: they range from ELF.DDoS to Tsunami, through Gafgyt or Mirai.
[Read more…]
(Please note some of the internal links are in Spanish)
Those of us who work in the cybersecurity sector are accustomed to hearing about threats and defense measures, but almost always referring to a virtual environment. However, there are other dimensions, such as physical security, that can affect us in different ways.
This series has been inspired by the paper by Adam Harvey of the Chaos Communication Congress of 2016: “Retail Surveillance / Retail Countersurveillance”. In it I will discuss some concepts concerning surveillance systems and counter-surveillance measures that can be used to avoid recognition by third parties.
This first article focuses on facial recognition, some of its most controversial applications to date and their implications.
Figure 1: Anonymous. Image taken from http://luisjimenez.com/wp-content/uploads/2016/05/faception.jpg [Posted on 15/05/2017]
It is not a surprise that new variants of Mirai and more come to light, being available to anyone the source code of the bot, the CnC server and the download server. However, they all had relatively similar features (except for the variant for Windows, of course).
On March 19 came a new version of Mirai that caught our attention because of its size. While the usual is to find Mirai binaries of around tens of Kbs, this new sample has 1.6 Mbs. The TELNET connection that preceded the download of the binary is exactly the same as in previous catches.
[Read more…]
The widespread use of devices connected to the network, such as cars, medical equipment, industrial controllers (PLCs), appliances, etc., has brought with it a new and extremely vulnerable landscape.
While there has been a breakthrough in connectivity issues (Twitter is everywhere!), the security issue has also been set aside. This is mainly due to the fact that for most users and organizations, Internet security is not a fundamental factor, which is why cases such as Mirai, one of the largest distributed denial of service attacks that has been recorded so far, which is just one of the first cases that we have to face in this new scenario..
The proliferation of interconnected devices has brought many advantages to users (homes, organizations): flexibility, mobility, automation, efficiency, etc., but what happens when we do not take the appropriate security measures and are unprotected by default?
You will then see how a series of small weaknesses can lead to a large leak of information, compromising personal, financial and confidential data, both private and organizational.
We often talk about Russian APTs, Russian malware, Russian groups … But who are the “Russians”? We will analyze, in a series of posts, who “the Russians” really are, what Russia is (from the point of view of intelligence and security), what their services are – and their APTs -, what relations they have with the rest of the Ecosystem in the Russian information war, what objectives they have, what information they are looking for, etc. In short, we will try to get to know the Russian Cyber Intelligence Community a little better, to these supposedly Russian threats that we find all the time in different organizations.
Of course, all the information collected here was obtained from public sources and represents no more than private opinions, interpretations, analyses, issues … surely all of them wrong because … what exactly is attribution?
Let’s begin: as it could not be any other way (otherwise we would not be dedicating a series) one of the main actors in the field of (cyber) intelligence is Russia; perhaps this is currently the country that most sophisticated in its attacks: targeted, stealthy and technically brilliant, with very high rates of persistence due to the complexity of detection (of course, with the permission of the United States …). Russian APTs are often well-identified with the information they need, where it is, and who handles it, and so they focus on the exact theft of such data, as we said in the most secretive way possible.
[Read more…]
During the Olympic Games in Rio de Janeiro, one of our sensors in Brazil detected a particularly interesting intrusion into a honeypot TELNET service.
This interaction used unusual credentials since the most received were, unlike what was expected, vyzxv and xc3511.
After an initial search no reference to attacks related to these credentials were found, but it was concluded that the credentials were recurring in DVRs (Digital Video Recorder) of the Chinese brand Dahua (e.g. DH-3004). Dahua is a leading global provider of surveillance solutions, because according to the IMS 2015 report they enjoy the largest mar-ket share.
(Please note this post was originally published in the Spanish version of Security Art Work last 20th Nov 2012)
A couple of weeks ago I saw ARGO, a film directed by and starring Ben Affleck. I have to admit that I didn’t put much hope in it (Daredevil did much evil to Ben Affleck… well, that one and many others), but it turned out to be more than good (it gets a 7.4 in filmaffinity).
Without getting into spoilers, ARGO it is based on a true story that takes place in Iran in 1979 in the middle of social riots. In order to say as little as possible, there is an attack on the United States Embassy, which decides to destroy all the existing information (indeed they first talk about burning the documentation but they finally use shredders). The Embassy is assaulted but a group of people from the Embassy flees and takes refuge “somewhere” in Iran. Since they haven’t burnt all the documentation, the attackers retrieve the documents shredded trying to recover information that allows them to identify the fugitives. And that’s all I can say.
What I mean is that sometimes we don’t give the paper documentation the necessary importance; we could say it is indeed often undervalued; not everything are passwords and encryption. In the same way, when we shred documentation, we often think that any shredder is good for this task.
