Artificial intelligence and cybersecurity

The eternal game of cat and mouse between attackers and defenders in the world of cybersecurity has historically involved a constant improvement of the methodologies carried out by both parties. The rapid and innovative development of Artificial Intelligence (AI) is very attractive for the development of new methodologies for both attackers and defenders.

Broadly speaking, AI refers to the learning done by machines or computers, to carry out actions considered as “intelligent”. One of the great challenges of this discipline is to provide them with “human” capabilities so that they can have behaviors similar to ours. One of the branches with the greatest potential today in artificial intelligence is the so-called ‘Machine Learning’. The basic objective of this branch is to “train” the machine so that it is capable of giving an adequate response based on input parameters.

[Read more…]

Cyber (GRU) (II): historical SIGINT

The GRU, Military Unit 44388, obtains and processes intelligence from multiple disciplines, including IMINT, SATINT and, of course OSINT, with information needs linked to the military, political, technological, economic and ecological/energy fields ([1]). It was already indicated in the article dedicated to the GRU, within the series on the Russian Cyberintelligence Community, that the Sixth Directorate of the GRU has historically had the SIGINT (COMINT and ELINT) attributions of the Service. An excellent description of these attributions can be found in [2]; in the image, the historical structure of the GRU:

The Sixth Directorate, which reports directly to the Service’s Deputy Director for Technical Affairs, was divided into four divisions [Read more…]

WIRTE Group attacking the Middle East

The Intelligence Development Group of S2 Grupo has carried out an investigation on an actor from whom LAB52 has not been able to find references or similarities in open sources and who has been identified as WIRTE.

The DFIR (Digital Forensics and Incident Response) team of S2 Grupo first identified this actor in August 2018 and since then the follow-up has been carried out during the last few months.

This group attacks the Middle East and does not use very sophisticated mechanisms, at least in the campaign started in August 2018 which was monitored. It is considered unsophisticated by the fact that the scripts are unobtrusive, communications go unencrypted by HTTP, they use Powershell (increasingly monitored), and so on. Despite this apparently unsophisticated modus operandi compared to other actors, they manage to infect their victims and carry out their objectives. In addition, as will be seen during the report, the detection rate of some of the scripts in December 2018 by the main antivirus manufacturers is low, an aspect that must be highlighted. We must be aware that once these scripts are executed, it is when the behavior analysis of many solutions will detect them, but this fact has not been studied by LAB52.

This actor in all the artifacts analyzed shows his victims a decoy document in Arabic with different themes. During the report these documents will be analyzed and who could be the objectives depending on the topic dealt with in the document. [Read more…]

(Cyber) GRU (I): Introduction

As we already mentioned in the post about it, within the series on the Russian Cyberintelligence Community, the GRU (GU) is the most opaque of the Russian services, maintaining almost intact its Soviet heritage against the “westernized” FSB o SVR: in fact, the structure and operation of the Service has not been especially well known, being the main reference [1] until rather recently. Beyond specific data of operations without a clear attribution, or the identities of its Director and Deputy Directors -no secret-, little or nothing was known about the Service. However, and certainly very much in spite of the GRU, in 2018 there are – up to now – three facts that give a radical turn to this opacity: [Read more…]

Security in Windows Server 2019

At the end of last December, Microsoft published a document titled What’s new in Windows Server 2019, covering the new features and renewed functionalities provided by the new version of Windows Server. This post will focus on those features related to security improvements provided by Windows Defender ATP that had already been seen in Windows 10 through Windows Defender Exploit Guard, EMET (Enhanced Mitigation Experience Toolkit, which ceased to have support last July 31, 2018), as well as WDAC (Windows Defender Application Control).... Leer Más

EternalSilence: Why your router may be at risk from this NSA tool

Today’s article is courtesy of John Mason, co-founder of  TheBestVPN.com and writer at TripwireStaySafeOnline, DigitalGuardian y Educause. You can find him on twitter as @JohnCyberMason.

Do you trust your router to keep you safe from hackers and spies? You may want to take another look just to make sure.

Akamai recently discovered a malware campaign that has already compromised over 45,113 home and office routers. This was done using a tool based on the United States of America’s NSA hacking tools which were leaked online in 2017. To explain how hackers use this tool to turn your router into a proxy server, we first have to understand how UPnP works.

UPnP is a protocol that eases device and service discovery as well as the configuration of consumer devices and networks. Its primary purpose was to allow devices on a LAN to automatically expose services and functionality other devices on the local network.

[Read more…]

Who takes responsibility for errors made by smart robots?

As those of us who are interested in robotics know, ir represents one of the great technological advances of the 21st century. However, for this progress to be properly made, it must be accompanied by a transparent and dynamic regulatory framework that unifies and clarifies the uncertainties it generates. However, today there is no such regulatory framework at national, European or international level.

However, there are two references that are worth considering.

Firstly, the recommendation of the European Parliament (Draft Report with recommendations to the Commission on Civil Law Rules on Robotics (2015/2103(INL)) for the establishment of a set of rules on liability. In the face of a possible “new industrial revolution” in which society enters an age of robots, bots, androids and other more advanced forms of AI, it is imperative that the legislator consider the consequences that may result from the use and implantation of these devices in our daily lives.

[Read more…]

Analysis of Linux.Omni

Following our classification and analysis of the Linux and IoT threats currently active, in this article we are going to investigate a malware detected very recently in our honeypots, the Linux.Omni botnet. This botnet has particularly attracted our attention due to the numerous vulnerabilities included in its repertoire of infection (11 different in total), being able to determine, finally, that it is a new version of IoTReaper.

Analysis of the binary

The first thing that strikes us is the label given to the malware at the time of infection of the device, i.e., OMNI, because these last few weeks we were detecting OWARI, TOKYO, SORA, ECCHI… all of them versions of Gafgyt or Mirai and, which do not innovate much compared to what was reported in previous articles.

So, analyzing the method of infection, we find the following instructions:

As you can see, it is a fairly standard script and, therefore, imported from another botnet. Nothing new.

Although everything indicated that the sample would be a standard variant of Mirai or Gafgyt, we carried out the sample download. [Read more…]

Analysis of Linux.Haikai: inside the source code

A few days ago we got the source code of the Haikai malware, which corresponds to one of the many implementations carried out by the continuous recycling of source code belonging to different IoT botnets. Although we have not identified any new developments compared to previous IoT malware versions, it has allowed us to obtain a lot of information on techniques, improvements and authors.

It should also be noted that, according to different records obtained, this botnet has been in operation for most of the last month of June.

In the following lines the code will be analyzed, as well as the possible attributions and the implementations not referenced in the execution thread, which allow us to guess that the code is mutating in different lines in parallel for the same function.

So let’s start by analyzing the structure of the files. [Read more…]

Simple & crazy covert channels (I): Asciinema (en)

In the preparation of our audits, we often waste a lot of time developing tools that require a lot of work and, in many cases, do not go unnoticed by those users with a more technical profile.
However, there are other simpler (and equally effective) methods to carry out the exfiltration of information, such as through tools that were not initially designed for this purpose and which, with relatively simple adjustments, allow us to carry it out.

Thus, in the following article the analysis of the asciinema tool will be carried out, as well as the different possibilities of use and how it can be integrated with an attack vector.

Asciinema is a very nice tool that I usually use for demos whose sole function is to register the user’s session and to provide a URL that allows us to easily share the user’s activity. Very valuable information that can be used in a malicious way.

Below, we will see if we could use it as a Linux keylogger and what modifications would be necessary to apply.
[Read more…]