We’ve published a White Paper today titled: The Callisto Group.
And who/what is the Callisto Group? A good question, here’s the paper’s summary.
Heavy use of spear phishing, and malicious attachments sent via legitimate, but compromised, email accounts.
Don’t click “OK”.
I’ve just started experimenting with Tweepy to write a series of scripts attempting to identify Twitter bots and sockpuppet rings. It’s been a while since I last played around with this kind of stuff, so I decided to start by writing a couple of small test scripts. In order to properly test it, I needed to point towards an active account. So, I opted for @realDonaldTrump.
After collecting data from the past 12 months, Sean and I realized that it should be broken into four separate sets to provide context. Here’s how we’ve broken it down.
The following diagram shows activity based on time and day, broken down by the four time periods defined above. As you can see, the highest Twitter activity has always occurred between early and mid-afternoon. Note the almost complete lack of activity between 08:00 and 12:00. Anybody developing Twitter bots for trading purposes might want to flag any activity on this account during that time-slot as “out of band”, and worthy of closer attention.
Here’s the time of day data graphed. Notice that Trump’s daily Twitter activity pattern didn’t really change across this data set.
Notice the last graph? This is the change of behavior I alluded to earlier. Prior to March 7th, 2017, Tweets posted via “Twitter for Android” were always in the overwhelming majority. The only other data set that shows significant iPhone usage is the election campaign period. And those Tweets can be most likely attributed to campaign staff.
So, how much did @realDonaldTrump Tweet before and after becoming POTUS?
During the run-up to the 2016 elections, @realDonaldTrump’s account posted about twice as many Tweets per week as in the following months. The above graph also nicely illustrates the switch from Android to iPhone in week 10 of 2017. Here’s another graph that illustrates it.
Well, why did @realDonaldTrump’s account suddenly shift from Android to iPhone? It could have been something that was in the works (for security reasons). Or… it might have something to do with this Tweet.
Whatever the reason, the “schedule” remains more or less the same.
Perhaps we’ll build a bot of our own. It’s a work in progress, and I’ll post on this more in the future.
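The bucketing described above (local hour of day, client app before and after the March 7th switch, and an “out of band” flag for the normally quiet 08:00–12:00 slot), as an added example that is not the scripts mentioned in the post. It assumes tweets arrive as Tweepy’s `Status.created_at` (UTC) and `Status.source` fields; the sample rows and the fixed US Eastern offset are constructed assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Assumption: a fixed UTC-5 offset stands in for the account's local time
# (real data needs proper DST handling, e.g. zoneinfo "America/New_York").
LOCAL_TZ = timezone(timedelta(hours=-5))
UTC = timezone.utc

# Constructed sample of (created_at_utc, source) pairs, the two fields a
# Tweepy Status object would supply; not real timeline data.
SAMPLE_TWEETS = [
    (datetime(2017, 2, 20, 18, 15, tzinfo=UTC), "Twitter for Android"),  # 13:15 local
    (datetime(2017, 2, 20, 11, 40, tzinfo=UTC), "Twitter for Android"),  # 06:40 local
    (datetime(2017, 2, 21, 15, 5, tzinfo=UTC), "Twitter for Android"),   # 10:05 local
    (datetime(2017, 3, 10, 19, 30, tzinfo=UTC), "Twitter for iPhone"),   # 14:30 local
    (datetime(2017, 3, 11, 20, 0, tzinfo=UTC), "Twitter for iPhone"),    # 15:00 local
    (datetime(2017, 3, 12, 22, 45, tzinfo=UTC), "Twitter for iPhone"),   # 17:45 local
]

SWITCH_DATE = datetime(2017, 3, 7, tzinfo=UTC)  # Android-to-iPhone change noted in the post
QUIET_WINDOW = (8, 12)                          # local hours with almost no activity


def local_hour(created_at_utc, tz=LOCAL_TZ):
    """Local hour (0-23) of a UTC timestamp."""
    return created_at_utc.astimezone(tz).hour


def hourly_profile(tweets):
    """Tweet count per local hour; the basis for the time-of-day graph."""
    return Counter(local_hour(ts) for ts, _ in tweets)


def source_counts(tweets, cutoff=SWITCH_DATE):
    """Client-app counts before and after the cutoff date."""
    before, after = Counter(), Counter()
    for ts, src in tweets:
        (before if ts < cutoff else after)[src] += 1
    return before, after


def out_of_band(tweets, window=QUIET_WINDOW):
    """Tweets posted inside the normally quiet local-time window."""
    lo, hi = window
    return [(ts, src) for ts, src in tweets if lo <= local_hour(ts) < hi]


if __name__ == "__main__":
    print(sorted(hourly_profile(SAMPLE_TWEETS).items()))
    print(source_counts(SAMPLE_TWEETS))
    for ts, src in out_of_band(SAMPLE_TWEETS):
        print("out of band:", ts.astimezone(LOCAL_TZ).isoformat(), src)
```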
This operation is what’s known as an upstream attack, a method of compromise that we detailed in our State of Cyber Security 2017 report.
A stand-alone version of the (very informative) upstream attack article is now also available: The Weakest Link.
Yesterday, between 9:00 and midnight GMT, we observed three massive malware spam runs. Their magnitude clearly stood out from the average daily amount of spam with attachments. The campaigns were largely sent to accounts with email addresses in the co.uk domain.
The first run, with subject lines such as “Your Booking 938721” (numbers vary) started at 8:30 GMT, with a very lengthy booking confirmation text body stating that the attached document needs to be printed out. See below.
The attachment is a .zip file containing another compressed file, in either .zip or .rar format. The doubly compressed item is either a VBS script that downloads and executes the Dridex banking trojan loader binary, or a Quant loader binary that downloads the same Dridex binary.
The second campaign started around 13:30 GMT and had a theme similar to the first one, with subject lines such as “uk_confirmation_ph948261563.pdf” (numbers vary). The attached file is also a double zip-compressed file, but it contained the Dridex loader binary without any intermediate downloader malware, plus a text file with instructions (which, if followed, result in compromise).
The third spam run began just before 18:00 GMT, had subject lines such as “Emailing: P2993995.JPG” (numbers vary), and carried a double-compressed zip attachment. The body of the mail gave the impression that it was a bounce message from a mail server. The compressed items were similar to the second run, comprising a Dridex binary and a short text file stating that the binary needs to be executed.
This campaign of the Dridex banking trojan (campaign ID 7200) is targeting customers of multiple commercial banks in the UK, such as Barclays, Lloyds, and Santander.
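A mail-gateway style check for the attachment pattern common to all three runs (an archive nested inside a .zip, with a script or executable at the inner level), as an added example that is not F-Secure’s detection logic. The extension lists and the in-memory sample archives are constructed assumptions; .rar inner archives are only flagged by name, since opening them needs a third-party library.

```python
import io
import zipfile

# Extensions treated as droppers or payloads when found inside an archive (assumption).
SCRIPT_OR_BINARY = {".vbs", ".js", ".wsf", ".exe", ".scr"}


def _ext(name):
    return ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""


def walk_zip(data, prefix="", depth=0, findings=None):
    """Recursively list script/executable members and nested rar archives.

    Each finding is (path, depth, reason); depth 0 is the outer archive.
    """
    findings = [] if findings is None else findings
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            path = prefix + info.filename
            ext = _ext(info.filename)
            if ext == ".zip":
                walk_zip(zf.read(info), path + "/", depth + 1, findings)
            elif ext == ".rar":
                # Cannot inspect without rarfile (third-party); flag the nesting itself.
                findings.append((path, depth + 1, "nested rar archive"))
            elif ext in SCRIPT_OR_BINARY:
                findings.append((path, depth, "script or executable"))
    return findings


def verdict(data):
    """'suspicious' if any nested (depth >= 1) dropper/payload or rar is found."""
    findings = walk_zip(data)
    nested = [f for f in findings if f[1] >= 1]
    return ("suspicious" if nested else "clean"), findings


def _zip_bytes(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, content in members.items():
            z.writestr(name, content)
    return buf.getvalue()


def build_sample():
    """Constructed zip-in-zip attachment shaped like the first run (placeholder content)."""
    inner = _zip_bytes({"Booking_938721.vbs": "' constructed placeholder, not a real script\n",
                        "readme.txt": "constructed placeholder instructions\n"})
    return _zip_bytes({"Booking_938721.zip": inner})


def build_clean():
    """Constructed single-level zip holding only a document."""
    return _zip_bytes({"Booking_938721.pdf": b"%PDF-1.4 constructed placeholder"})


if __name__ == "__main__":
    for label, blob in (("sample", build_sample()), ("clean", build_clean())):
        print(label, verdict(blob))
```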
The loader phones home to:
We detect these threats with detections such as:
Google announced on Wednesday that it will soon add real-time location sharing to Google Maps. The feature set appears to be very reminiscent of Google Latitude, which was introduced (way back) in 2009. Location sharing will undoubtedly be a popular option for many, but it may come with OPSEC considerations for others.
Here’s what I wrote about Latitude, on February 5, 2009.
A new mobile phone application, Google Latitude, was introduced yesterday. It’s an interesting new addition to Google Maps.
According to Google, with Latitude you can:
Err… Complete control? True, only the friends that you add/allow are able to follow your movements and Latitude does have a manual override function. But complete control? Perhaps it would be more accurate to claim that there are strong controls.
Assuming that you remember to use those controls of course.
If you want to maintain complete control over your privacy, you probably won’t be installing Latitude.
On the other hand, if you’re willing to share some of your personal details, Latitude could prove itself to be a really useful feature.
Updated to add: Reader Daniel S. posted a comment noting that Google has modified its text to:
While Latitude was very popular within a niche, it never achieved mass success and was discontinued in 2013. Google Maps on the other hand is practically everywhere, so, “Latitude” is about to be reborn in a big way.
The new sharing features appear to have solid controls; it’s opt-in, has time limitations, et cetera. But still, if you’re concerned about leaking your location, be sure to review the settings when you receive the update.
A Turkish hacking group is reportedly attempting to extort Apple over a compromised cache of iCloud account data.
This activity is on the heels of last week’s Turkish related Twitter account hacks via a service called Twitter Counter.
And that brings to mind this article (by Andy)…
Over the past few years, you’ve probably heard phrases such as “the tactics, techniques, and procedures crafted by highly resourced threat actors are falling into the hands of less skilled adversaries”. That’s long speak for “expect a lot more script kiddies to start pwning your systems”. As Dr. Ian Levy from GCHQ recently pointed out, a lot of the attacks we’re seeing nowadays aren’t “Advanced Persistent Threats”, they’re simple hacks performed by “Adequate Pernicious Toerags”.
Nothing illustrates this phenomenon better than the group we’ve dubbed “The Romanian Underground”. This is a group that our Cyber Security Services colleagues have had first-hand experience with on a number of occasions while performing incident response and forensics work.
The Romanian Underground are, simply put, a bunch of IRC chatroom buddies who decided it would be cool to take up the hobby of “hacking”. Most of these kids, upon joining the collective, have little to no Unix skills to speak of. They probably know about five commands in total. Newcomers are taken under the wing of a mentor who provides them with simple tools and training to get them started on their new hobby. These mentors are almost as unskilled as the newcomers – they probably know about five more Unix commands than their apprentices. But they’ve been in the game for a few weeks already, and have a wealth of experience.
As newcomers learn the ropes (which usually implies that they’ve learned to configure the tools they’ve been provided), they’re promoted to mentors, and take on their own set of apprentices. This hierarchical model closely resembles the popular pyramid selling schemes you might have had the misfortune to come across. Of course, the guys involved in The Romanian Underground aren’t looking to become millionaires by selling soap – the pyramid scheme is a form of gamification, where the goal is to collect as many owned systems as possible and move up the ranks.
Of course, it’s the guys at the top of the pyramid who are truly benefitting from all of this. They’re the ones providing the tools, and by pushing all their manual work downstream, they get access to thousands of compromised systems. Meanwhile, the newcomers are happy to proudly identify themselves as “hackers” on their Facebook pages (alongside other random hobbies such as windsurfing or snowboarding).
The toolkits being pushed down the pyramid are usually designed to exploit or brute force common services such as SSH and webmail servers. What might surprise you (or not) is that these toolkits, in the hands of completely unskilled noobs, are being used to compromise even PCI-DSS compliant organizations across the globe.
While this hierarchical method of operations is new to Romania, it’s not new to us. We’ve been aware of Turkish website defacement groups such as Akıncılar (who surfaced in 1999 and appear to have still been active in 2016) for quite some time. Those guys also operate under a hierarchy, albeit a more military-style one. In fact, one of our own web sites was defaced by a Turkish group back in 2007. It turns out they abused a vacation notification plugin to perform the attack (pro-tip: plugins will burn you!). Funnily enough, the popularity of our forums actually increased after the attack due to the publicity we received. Go figure.
These structured groups differ from the also rather prevalent “herd of cats” approach to hacking collectives such as anon or 4chan, where members scratch and claw their way up the pile only to get pulled back down the next day.
Gamification seems to be a growing trend amongst unskilled hacker groups. In 2016, Turkish hackers set up a DDoS-for-points game designed to be played by noobs. Players were provided with a custom tool designed to carry out DDoS attacks against specific, mostly politically motivated targets. Participants earned points for every 10 minutes’ worth of DDoS achieved. Those points could be redeemed to purchase various clickfraud tools. The grand prize was an “unlocked” version of the DDoS tool that allowed its owner to target any site of their choosing.
At the end of the day, we feel that boxes being owned is a lot scarier than website defacements and DDoS attacks, especially when you consider that this is the first time we’ve encountered it being done on such a large scale, and by script kiddies.
We’re not surprised that the majority of cyber attacks that happened during 2016, from the San Francisco MUNI to the Dyn outage, were carried out using simple, scriptable techniques against badly maintained infrastructure. The fact that folks with very little skill or know-how can carry out successful attacks against PCI-DSS compliant organizations paints a grim picture of the state of our global computing infrastructure going into 2017.
This article was originally published in our State of Cyber Security 2017 report.
A stand-alone version is also available: The Romanian Underground.
We’ve been asked numerous questions about WikiLeaks’ March 7th CIA document dump.
No. Spies spy. And that spies use hacking tools… is expected. (“Q” does cyber these days.)
The CIA’s developers would probably need to retool anyway. OS’s get major updates annually. There’s always churn, and thus, tools to be rebuilt or created anew. A vulnerability analyst and exploit developer is always busy.
The documents appear to have come from an internal wiki of some sort. They look like notes written by a developer.
A (very plausible) theory we’ve heard: former Booz Allen Hamilton contractor Harold Martin’s cache of documents.
Don’t know, ask them. (Not sure we care.) Sounds cool though.
Very seriously. Investigations began immediately. Notes don’t equal a good bug report however, so it will take time to be thorough.
Via our own bug bounty program.
A fact of life: all software has bugs. End-point protection software is a popular target of university researchers. And that’s a good thing, bug hunting makes for better software.
Cyber security companies are frequently asked if they add backdoors to their products for the benefit of law enforcement and/or nation states. We think these documents conclusively dispel that theory (at least on our part). As you can see, nation state adversaries need to make an effort to bypass our products, just like cyber criminals.
Apple and Google have issued statements to the media regarding WikiLeaks’ March 7th publication of CIA documents.
Here’s Apple’s statement via BuzzFeed News.
According to Apple, its “products and software are designed to quickly get security updates” to its customers. So, just how well does that statement hold up to what we see in the wild? Well, indeed, iOS users update fast.
Based on “first launch” telemetry from our Freedome VPN, we consistently observe rapid adoption of the latest version of iOS. In short order, the latest version is the majority of what we see from first-time users.
And then… there’s Google’s statement, again, via BuzzFeed News.
Google is “confident that security updates and protections in […] Android already shield users from many of these alleged vulnerabilities.” But here’s the big problem – while the latest version of Android OS might be secure – the version of Android actually installed on the vast majority of phones is not. Not by a long shot.
Based on our Freedome VPN telemetry, we can say that it takes a significant amount of time for Android updates to arrive on customers’ devices.
Here’s a breakdown by a selected set of countries.
The Nordics have a relatively high percentage of Android versions 6 and 7. But the majority of the world? Versions 4 and 5 still dominate.
Bottom line: if you run Android and care at all about your device’s security… choose your hardware with care. Only a few select vendors are currently focused on providing Google’s monthly security updates to end users.
The graphs in this post were originally published in our State of Cyber Security 2017 report.
A stand-alone version is also available: Mobile OS Take Up Rate.
As a reminder, AV-Test’s Best Protection award is based on continuous real-world testing, over the entire year, against the most reliable and well-trusted endpoint protection vendors on the market. We’re proud to have, once again, been bestowed this award, and thank everyone involved in making this happen!
Jarkko Turkulainen, a Senior Researcher on our Threat Intelligence team, has (today!) publicly released a research tool called Reflash. It’s a proof-of-concept framework for analyzing Adobe Flash files. It produces an SQL database of Flash VM stack traces by injecting dynamically generated instrumentation into Flash files. The SQL database can later be analyzed with various […] (2017-02-23)
In January 2017, I began tracking the “customer portal” of an innovative new family of crypto-ransomware called Spora. Among its innovations are a dedicated domain (spora.biz, spora.bz, et cetera) running a Tor web proxy, HTTPS support, an initially lower extortion demand, and tiered pricing with options to unencrypt individual files (up to 25Mb in size) […] (2017-02-22)
For more than 10 years, we’ve released an annual report/summary featuring observations, research, and malware trends. And in past years, this publication has included the word “threat” in its title. But no more! There are rather significant changes this year in our… State of Cyber Security. The new title reflects a change in the type […] (2017-02-15)
On June 2nd 2015, F-Secure announced via a press release its acquisition of the Danish Cyber Security firm, nSense. That press release contained the following snippet: “the combined portfolio will allow F-Secure to provide top-tier incident response and forensic expertise, comprehensive vulnerability assessment, and threat intelligence and security management services to enterprises and businesses with […] (2017-02-08)
Confirmation bias, according to Google, is “the tendency to interpret new evidence as confirmation of one’s existing beliefs or theories.” Technology… potentially opens up a vast new realm of evidence, and that, if not very carefully analyzed, risks feeding confirmation bias. Last Friday, Journal News reported that a man from Middletown, Ohio was charged with […] (2017-02-01)
An Internet sockpuppet, according to Google, is “a false online identity, typically created by a person or group in order to promote their own opinions or views.” Sockpuppets are nothing particularly new… they go back as far as USENET. But it feels that recently, sockpuppetry has reached new heights. Twitter is an easy place to […] (2017-01-16)
A message from Calvin, a security vulnerability expert and member of our Anti-Malware Unit. The AMU team has a customer care/support focus. Happy New Year to all you readers out there! A year has passed since we launched our F-Secure Vulnerability Reward Program (bug bounty) and time really flies. Here’s a snapshot of what we’ve […] (2017-01-10)
After several high-profile cyber attacks made big news headlines this year, it’s become evident to me, through online commentary, that there’s some confusion in the public space about how incident response services are utilized, how attribution is performed, and how law enforcement’s role fits into cyber crime investigations. I’m hoping this article helps to clear […] (2016-12-21)
On November 10th 2016 Blizzard enacted a “ban wave” on thousands of World of Warcraft accounts for “botting”, a term widely used to describe using third party programs to automate gameplay. Technically it wasn’t a “ban wave” – the accounts in question received between 6 and 24 month suspensions based on how often they’d been […] (2016-12-07)
Helsinki will host a new centre focused on curbing the growing threat of hybrid warfare according to recent reports. Disinformation and fake news is considered “hybrid warfare” in this context. The proposed annual budget is reportedly estimated at two million euros. I think… they’re gonna need a bigger boat. Fighting against hybrid warfare disinformation will […] (2016-11-24)