Reflash Flash Research Framework

Jarkko Turkulainen, a Senior Researcher on our Threat Intelligence team, has (today!) publicly released a research tool called Reflash. It’s a proof-of-concept framework for analyzing Adobe Flash files. It produces an SQL database of Flash VM stack traces by injecting dynamically generated instrumentation into Flash files. The SQL database can later be analyzed with various tools.

Jarkko presented the tool at AVAR 2016 and some people have asked about its availability. So… here it is, released as open source under a GPL-v3 license.

In the Reflash repository, there is also a technical research paper for those interested in the internals of the tool.


And Jarkko’s presentation, available here, is helpful for those wanting to set up the tool.


Jarkko presenting at AVAR 2016.

Share and enjoy.



Bitcoin Friction Is Ransomware’s Only Constraint

In January 2017, I began tracking the “customer portal” of an innovative new family of crypto-ransomware called Spora. Among its innovations are a dedicated domain (spora.biz, spora.bz, et cetera) running a Tor web proxy, HTTPS support, an initially lower extortion demand, and tiered pricing with options to decrypt individual files (up to 25 MB each) rather than all of them.

Also part of the portal… a group chat function for support requests. Multiple conversations all strung together, making for a fascinating read overall.

Spora.bz Public Communication

Among recent conversations is a bit.ly link to a forum page on the site Bleeping Computer where the “Spora Administrator” wanted reviews left, as evidence that paying the extortion results in unencrypted files.

The bulk of clicks, according to bit.ly statistics, occur on a Tuesday. FYI: running a cyber extortion scheme is a regularly scheduled job and spam runs go out on Tuesdays.

A great deal of the chat support issues revolve around one thing… Bitcoin.

7: I don’t have a bitcoin account yet and can’t make it within 3 days, as you know.

Support: We removed all deadlines for you.

Apparently “7” thinks it’s not so easy to setup a Bitcoin account “as you know”.

And here’s another practicality, many people exist in the cash economy.

A: Admin, I don’t know what checked the course means. It is hard to purchase bitcoins in the US I drove over 200 miles to purchase 500 worth, they took 10% you take 11% I had USD70 in a different wallet you took 11%, you have USD466 and I have no way to purchase more until tomorrow and will once again have to drive 200 miles to get them and get home. Please consider.

Support: No problem

Many people don’t have the needed resources to buy Bitcoins online. Credit is required, and there are plenty of people with insufficient credit. For them, a physical Bitcoin ATM or “brick-and-mortar” retailer is required.

We should be thankful that there are at least some limits on purchasing Bitcoin. If it were any easier to do so, very little else would check the growth of crypto-ransomware’s business model. The malware technology to encrypt data has been possible for many, many years; the bigger challenge has always been getting paid.

In the past, cyber crime schemes (such as scareware) have been killed off by disrupting the money supply. The same may well be true of cyber extortion; to kill the business model, it may be necessary to ban Bitcoin.


This article was originally published in our State of Cyber Security 2017 report.

Now available! A new supplemental appendix which includes 34 pages (more than 20,000 words) of Spora “tech support” chats.



F-Secure Does Cyber Security

For more than 10 years, we’ve released an annual report/summary featuring observations, research, and malware trends. And in past years, this publication has included the word “threat” in its title. But no more! There are rather significant changes this year in our… State of Cyber Security.

The new title reflects a change in the type of content you can expect to read in the report. Although we still have portions devoted to this year’s malware landscape, the report is largely focused on cyber security at large and stories from the field.

In my previous post, I mentioned we’d be making a lot more noise about the work of our Cyber Security Services division. This report is one of the steps we’ve made in that direction. And another nice change you’ll notice is that this year’s report includes several contributed articles from some of our friends and partners.

This report took a lot of hard work to put together, but my colleagues and I had fun creating it. We hope you have just as much fun reading it!

Finally… here’s a link to the report.



“F-Secure does red teaming?”

On June 2nd 2015, F-Secure announced via a press release its acquisition of the Danish Cyber Security firm, nSense. That press release contained the following snippet:

the combined portfolio will allow F-Secure to provide top-tier incident response and forensic expertise, comprehensive vulnerability assessment, and threat intelligence and security management services to enterprises and businesses with critical IT infrastructure.

Last week, we released a new brand video. See below.

In response to the video, we started to see some interesting (and in some cases flattering) comments on Twitter.

(See the thread here.)

Yes, F-Secure really has been doing red teaming since June 2015 (and nSense well before that). Incident response, digital forensics, risk assessments, penetration testing, fuzz testing, vulnerability assessments, software security consulting, and a whole bunch of other things are now things that F-Secure does. We possibly didn’t make enough noise about that fact. Expect that to change this year!



Noun: Confirmation Bias

Confirmation bias, according to Google, is “the tendency to interpret new evidence as confirmation of one’s existing beliefs or theories.”

Technology… potentially opens up a vast new realm of evidence, and that, if not very carefully analyzed, risks feeding confirmation bias.

Last Friday, Journal News reported that a man from Middletown, Ohio was charged with the crime of arson, in part due to data from his artificial heart implant.

Data from man’s pacemaker led to arson charges

Artificial heart implant? Get the data!


But… only asking one professional to analyze the data?


That runs a high risk of confirmation bias.

Arson investigations unfortunately utilize a lot of pseudoscience and assumptions.

There’s a case from Texas in which the prosecutor’s theory focused on a pentagram.

Death By Fire

It was just an Iron Maiden poster.


Evidence of nothing.

Perhaps the heart implant / pacemaker data actually supports law enforcement’s theory. But perhaps not. Time will tell.

What do we know now?

I know that I can predict this story will stoke fears of our data being used against us. In an age in which multitudes of people are wearing fitness trackers and smart watches tracking their heart rates, how can it not?

But it’s not data we should fear, it’s the humans “interpreting” it.



Noun: Sockpuppet

An Internet sockpuppet, according to Google, is “a false online identity, typically created by a person or group in order to promote their own opinions or views.”

Sockpuppets are nothing particularly new… they go back as far as USENET. But it feels that recently, sockpuppetry has reached new heights.

Twitter is an easy place to find multiple examples…

Russian language sockpuppets

“Joined September 2016”

And so I’ve created a list of “September ’16 sockpuppets” – 80 related accounts.

Take a look (down the rabbit hole) and see for yourself. Enjoy!



F-Secure Vulnerability Reward Program Update

A message from Calvin, a security vulnerability expert and member of our Anti-Malware Unit. The AMU team has a customer care/support focus.


Happy New Year to all you readers out there! A year has passed since we launched our F-Secure Vulnerability Reward Program (bug bounty) and time really flies. Here’s a snapshot of what we’ve seen in 2016:

  • We had close to 60 unique submissions.
  • We rewarded almost €30,000 for 35 reports in total.
  • We rewarded €5,000 for one critical vulnerability.
  • We released two security advisories as a result of the submissions received.

The reports submitted during the past year have proven to be very useful to us. We have seen some interesting exploitation tricks and our development team has made use of the information to further improve our internal process. Not forgetting, we have a Hall of Fame page thanking all the researchers who helped make our products better.

On the other hand, we realized, being new to this, that we are not perfect and some mistakes were made. For that, we apologize and ask for forgiveness. We have learned from it and here is an update on what to expect in 2017:

  • Our program is now extended for another year, ending on 31st December 2017.
  • We are now promising an acknowledgement email within 5 business days upon receiving your report. We will also provide a progress update email within 10 business days after our last contact with you.
  • We are working on listing a payment table so that you can have a better overview of our reward level. Stay tuned to our program page.
  • We are also working on defining what we at F-Secure consider a quality report, and this too will be updated on our program page.

We thank you for your continuous research and for helping us keep our users secure. Click here for the complete rules. Happy bug hunting!



What’s The Deal With Digital Forensics, Incident Response, And Attribution?

After several high-profile cyber attacks made big news headlines this year, it’s become evident to me, through online commentary, that there’s some confusion in the public space about how incident response services are utilized, how attribution is performed, and how law enforcement’s role fits into cyber crime investigations. I’m hoping this article helps to clear things up and answer some of the most frequent questions I’ve been getting.

Cyber crime investigations are similar in nature to fraud and financial crime investigations. Nowadays a great deal of financial crimes are, in fact, cyber crimes. Cyber crimes, just like financial crimes, are frequently difficult to spot.

In the case of financial crimes, it might take something like a quarterly financial audit to reveal that something suspect is going on. Some cyber crimes are subtle like this, too. For instance, in the case of a hidden attacker maintaining persistence on a corporate network for purposes of long-term data exfiltration, the intrusion might only be revealed during a network sweep, as part of a periodic threat assessment process, or via a newly installed intrusion detection system. Not all cyber crimes are difficult to spot. Some cyber crimes reveal themselves as part of the operation – an attacker will contact the victim organization and will attempt to extort a ransom, or an attacker will leak data to the public, and the victim company will find out about it.

It’s interesting to note that several high-profile breaches during the past few years were discovered when a cyber security vendor installed their technology stack on the victim’s network as part of a pre-sales demo or trial period.

Regardless of how it’s discovered, once a company suspects that they’re the victim of a financial or cyber crime, they’ll need to collect additional evidence before involving law enforcement. Once an investigation is initiated, a variety of third party auditors are usually brought in to help. In the case of suspected fraud or financial crime, insurance companies can provide some of those services. In the case of a cyber crime, a cyber security firm specialized in digital forensics and incident response will be called in.

The victim organization pays for such services out of their own pocket. Why? Because incident response isn’t just about forensics. It’s about cleaning up affected systems, restoring the network to a non-compromised state, restoring lost data, and often it’s also about providing assistance to the victim organization in adjusting security practices and risk management plans to avoid future incidents. As part of the incident response process, law enforcement are involved once enough evidence has been collected to determine when and how the crime was committed.

Once involved, law enforcement agencies utilize the forensic data collected by privately-run incident response operations as a starting point for their own investigations. Remember that the police have access to additional sources of evidence that private investigators don’t. For instance, law enforcement agencies can subpoena logs from additional private sources (such as Internet Service Providers), and can correlate data from other investigations they’ve run. In our experience, law enforcement will often continue to cooperate with third party first-responders during an ongoing criminal investigation.

Cyber Attribution Dice

You can also determine cyber attribution with this handy set of dice. (Source: https://www.etsy.com)

Attribution is more of an art than a science. When it comes to cyber crimes, private incident responders perform educated guesswork. This usually involves correlating the tactics, techniques, and procedures (TTPs) found at the crime scene with previous casework or open source threat intelligence. This guesswork includes analyzing samples, such as custom tools or malware, found at the scene, language and content patterns found in phishing emails, the locations of C&C servers and phishing sites, techniques used for persistence or lateral movement, IP addresses associated with the attacks, and any other metadata uncovered during the investigation. The motives of suspected criminal groups may also factor into attribution guesswork. It’s not uncommon for private cyber security companies to work with law enforcement when determining attribution. However, due to the confidential nature of ongoing law enforcement work, evidence collected by or provided by law enforcement agencies isn’t normally made public as part of a third-party’s attribution conclusions.

There are a lot fewer cyber security companies in the world than there are insurance and financial services companies. Because of that, the demand for cyber security services companies is high. So high, in fact, that security-conscious organizations will often pay a yearly fee to keep a cyber security firm on retainer. By doing this, they ensure that help will be at hand as soon as an incident happens, and that prices for incident response work are charged at agreed upon rates. This is not unlike keeping law firms or financial services firms on retainer (for emergencies) or having certain special corporate agreements with insurance partners in place. Organizations that don’t have a cyber security firm on retainer typically have difficulty securing incident response and forensics services when they’re needed, and may end up paying rather high prices when they finally find someone who can help.

Incident response work isn’t just about reacting to breaches and cyber crimes. Companies are now able to purchase cyber insurance policies. Here’s how forensics work comes into play in the case of an insurance settlement related to a cyber security incident. Insurance firms employ claims adjusters whose job it is to investigate insurance claims and determine the extent of a company’s liability when the claim is filed. In a traditional sense, claims adjusters gather data in a variety of ways, including interviewing claimants and witnesses, consulting police and hospital records and inspecting property damage. In the case of a cyber crime, cyber claims adjusters are brought in to run forensics in a similar way to how incident response is carried out. Compensation is awarded to the claimant based on the findings of the cyber claims adjuster. If the cyber claims adjuster were to, for instance, determine that a network was breached via a known vulnerability that should have been patched long ago, the claimant may receive a low amount of compensation. This is completely analogous to how an individual claimant would receive a low amount of compensation if they were burgled and it was later determined that they’d left their front door open.

With cyber security incidents becoming more and more widespread, businesses are learning that they need to adapt. This includes setting aside budget to keep cyber security services on retainer, paying for periodic trainings, threat assessments, and risk assessments, and even bringing experts onto their payroll to properly manage their cyber security practices. The cost of not taking cyber security seriously today is akin to the cost of not having your business properly insured. And yet there are plenty of businesses out there who don’t think they’ll become the victim of the next breach, and who clearly don’t take these costs into account. And they’re most likely going to end up paying through the nose in the long term.



On Botting, Cheating, And DDoSers

On November 10th 2016 Blizzard enacted a “ban wave” on thousands of World of Warcraft accounts for “botting”, a term widely used to describe using third party programs to automate gameplay. Technically it wasn’t a “ban wave” – the accounts in question received between 6 and 24 month suspensions based on how often they’d been caught botting in the past. This is the first action they’ve taken on cheating since the August 30th release of the latest expansion, Legion.

Bots in World of Warcraft are used for a variety of cheats, all of which impact legitimate players fairly heavily. What might surprise you is that botting, and cheating in general, is extremely common. Left unchecked, it can proliferate to the point of ruining an entire franchise.

Diablo 3, another game published by Blizzard Entertainment, was, for all intents and purposes, destroyed by botting. During 2015 it became apparent that a large percentage of the player base were botting their characters. Even some high-profile “celebrity” streamers were known to bot “off camera”. One streamer, whose account averaged over 22 hours of gameplay per day since the launch of the game’s “Seasons” mode, explained that his brother “Chris” was playing on his account when he wasn’t. He was eventually caught, and lost his account, only to immediately buy a new one and continue to bot. To this day, bots are still often referred to as “Brother Chris”.

In another example of just how widespread the problem was, here’s a video of one player who forgot to shut off his stream before starting his bot software and leaving it running, all night, for the world to see. At the time, he was one of very few people to actually lose their accounts.

A multi-bot setup

A WoW bot farm in action. (Source: https://wowbotfarm.wordpress.com)

Botting in Diablo 3 went unchecked for so long that many players came to the conclusion that there would never be any repercussions for doing it. This empowered more and more players to follow suit and start cheating. The snowball effect grew to the point where it was estimated that well over half of all players were botting and using other cheat software. As cheating went from niche to mainstream, it became a de facto requirement for playing the game competitively. The problem was so bad that several high-profile Diablo 3 players got together and wrote an open letter to Blizzard. Although Blizzard acknowledged this letter shortly after it was posted, botting continued unabated for months afterwards.

A well-known streamer, MannerCookie, posted this video on youtube showing what bots are capable of. If you’ve never seen a bot in action, I recommend watching the video – it’s quite astonishing how sophisticated they are. What’s sad is that MannerCookie actually received an account ban for making this public service announcement.

Blizzard eventually enacted a ban wave in Diablo 3, but long after I, and all of my friends, had given up on the game. I’m pretty sure Blizzard were stuck between a rock and a hard place on the bot issue. Ban all the bots and you lose more than half of your player base. Don’t ban them, and you slowly lose regular players, trust, and legitimacy. The fact is, the problem shouldn’t have persisted, unchecked, for as long as it did.

With Blizzard enacting ban waves on an infrequent, almost regular-as-clockwork basis, most botters simply buy new accounts and continue where they left off. Last night, just hours after the ban wave, I spotted several bots in World of Warcraft, happily doing what they’ve always been doing. I reported them, but I wouldn’t be surprised to see them over and over again.

Visiting the forums used by botters after a ban wave gives me insight into the psyche of these folks. What’s obvious is that many of them feel incredibly entitled. They claim it’s their right to bot. I saw one kid go ballistic about the fact that he didn’t have time to play all of his eleven, yes, count them, eleven different Warcraft accounts without the use of a bot. He went on to state, in no uncertain terms, that he was going to sue Blizzard for the action they had taken on his accounts (which, of course, I’m sure he didn’t).

Given that cheating is surprisingly widespread, and to many, perfectly acceptable, an entire culture of self-entitled habitual video game cheaters has sprung up. In these social circles, cheating at video games is just the first step on a path that leads to even more anti-social behavior. More often than not, these same self-entitled kids, once caught in the act of breaking terms of service, will lash back at Blizzard with DDoS attacks sourced from the same readily available services of the folks I talked about in my last post. Every time Blizzard swings the ban hammer, they know they’ll need to brace for DDoS attacks. And those attacks affect everyone using Blizzard’s services. This cesspool of low moral ethics hurts legitimate gamers, the games they’re playing, and games companies themselves. And companies like Blizzard need to spend significant resources on cheat detection and DDoS prevention just to keep on top of all of this.

Often parents ask us what their kids are getting up to on the Internet that they don’t know about. This might just be one of those things.


This article was originally published on Huffpost Tech UK.



A Joint Centre To Combat Hybrid Warfare Threats

Helsinki will host a new centre focused on curbing the growing threat of hybrid warfare, according to recent reports. Disinformation and fake news are considered “hybrid warfare” in this context.

YLE Uutiset 2016-11-21

The proposed annual budget is reportedly estimated at two million euros.

I think… they’re gonna need a bigger boat.


Fighting against hybrid warfare disinformation will be extremely challenging in today’s media landscape. Disinformation for profit, a.k.a. content farming, as well as good old fashioned misinformation, coupled with the average individual’s inability to make any real critical distinctions, provides a huge amount of cover for politically motivated disinformation.

And how bad is the average individual’s ability to tell real news from fake? Stanford researchers recently evaluated students’ ability and described the results as…”bleak”.

From NPR.

NPR 2016-11-23

It’s a surprise to me that researchers would be shocked by the results of their study – but then, I spent many, many months studying cost-per-action social media spam on Facebook years ago. Fraudulent links using supposedly scandalous video bait of one sort or another spread rapidly, and millions upon millions of people clicked the links. Repeatedly. Why would scandalous “news” be any different?

Is education the answer?

Education Week 2016-11-01

I’m never against a good education. But it’s not going to fix the problem.

As long as media continues to hunt for “viral content” in its increasingly desperate search for advertising revenues, disinformation and misinformation will continue to exist and flourish. And as long as it does, there will be ample cover to provide political actors plausible deniability.

The new Helsinki joint centre has its work cut out for it.



Yahoo! Voice Call 2FA Fail

Netflix recently fixed an account takeover vulnerability involving automated phone calls and caller ID spoofing. The issue? An attacker could use Netflix’s “forgot email/password” feature to reset an account’s password by directing the reset code to a voice call. In order to force the code to voice mail, the attacker would need to call the […]

2016-11-17

What’s The Deal With “Next Gen”?

We’re frequently asked about “Next Gen” antivirus companies, which is not surprising. They’ve been making a lot of noise and bold claims during the last couple of years (so, basically, since they were founded). So let’s take a look at what they’re all about. Coopetition in the AV industry But before getting into what “Next […]

2016-11-16

A RAT For The US Presidential Elections

A day before the controversial United States Presidential elections, an email was distributed to inform the recipients of a possible attack during election day as mentioned in a manifesto, allegedly from the ISIS terrorist group, entitled “The Murtadd Vote”. The email was supposedly sent by the head of a US-based terrorist monitoring group. The message […]

2016-11-10

How To Vet URL Shorteners #2016CampaignEdition

John Podesta, the Chairman of Hillary Clinton’s 2016 presidential campaign, allowed his Gmail account to be compromised in March 2016. And as a consequence, his correspondence has been in the news throughout the month of October. Recently, the March 2016 phishing message itself was published. Do you notice anything odd about the message? The very […]

2016-10-31

CSS Disclosure: tar Extract Pathname Bypass

T2’16 Infosec Conference kicked off this morning in Helsinki. And to celebrate this, F-Secure CSS security consultant Harry Sintonen has a vulnerability disclosure to publish. See below for more info. tar Extract Pathname Bypass Full Disclosure: POINTYFEATHER / tar Extract Pathname Bypass (CVE-2016-6321)

2016-10-27
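The disclosure above concerns the class of bug in which a tar member’s path, as written to disk, lands outside the directory the user asked to extract into. The mechanics of the POINTYFEATHER bypass itself are not on this page, so what follows is an added example (written here, not part of the original disclosure or of GNU tar) for the general class: a pre-extraction audit of member names and link targets in Python’s `tarfile`, rejecting absolute paths, `..` escapes and links that point outside the extraction root. The sample archive is constructed inline and is not a real-world capture.

```python
"""Pre-extraction check for tar pathname escapes (added example, not the
CVE-2016-6321 disclosure itself). Flags members whose name, or whose link
target, would land outside the extraction directory."""
import io
import posixpath
import tarfile


def is_unsafe_member_name(name: str) -> bool:
    """True if a member path could escape the extraction directory.

    Rejects absolute paths, Windows drive prefixes, and any path that still
    has a '..' component after normalisation. 'a/b/../c' is fine (stays under
    'a'); 'a/../../c' is not (normalises to '../c').
    """
    if not name:
        return True
    unixy = name.replace("\\", "/")
    if unixy.startswith("/"):
        return True
    if len(unixy) >= 2 and unixy[0].isalpha() and unixy[1] == ":":
        return True
    return ".." in posixpath.normpath(unixy).split("/")


def unsafe_members(archive_bytes: bytes) -> list[str]:
    """Return a description of every member that would escape the target dir."""
    bad = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tf:
        for m in tf.getmembers():
            if is_unsafe_member_name(m.name):
                bad.append(m.name)
                continue
            if m.issym() or m.islnk():
                # A symlink target is resolved relative to the link's own
                # directory; a hard link target is relative to the archive root.
                base = posixpath.dirname(m.name) if m.issym() else ""
                if is_unsafe_member_name(posixpath.join(base, m.linkname)):
                    bad.append(f"{m.name} -> {m.linkname}")
    return bad


def safe_extract(archive_bytes: bytes, dest: str) -> list[str]:
    """Refuse the whole archive if any member is unsafe, else extract it."""
    bad = unsafe_members(archive_bytes)
    if bad:
        raise ValueError(f"refusing to extract; unsafe members: {bad}")
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tf:
        # Python 3.12+ ships its own 'data' extraction filter; keep it on as a
        # second line of defence where the interpreter provides it.
        kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tf.extractall(dest, **kwargs)
        return [m.name for m in tf.getmembers()]


def build_sample_archive() -> bytes:
    """Constructed sample archive (not a real-world capture): one benign file,
    a '..' traversal, an absolute path, and a symlink pointing outside."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        def add_file(name: str, data: bytes) -> None:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))

        add_file("docs/readme.txt", b"hello\n")
        add_file("docs/../../etc/motd", b"pwned\n")
        add_file("/tmp/absolute.txt", b"abs\n")
        link = tarfile.TarInfo("docs/escape")
        link.type = tarfile.SYMTYPE
        link.linkname = "../../etc/passwd"
        tf.addfile(link)
    return buf.getvalue()


if __name__ == "__main__":
    for entry in unsafe_members(build_sample_archive()):
        print("unsafe:", entry)
```

The audit deliberately rejects the whole archive rather than skipping individual members: an attacker-controlled archive that is half-extracted is harder to reason about than one that was never extracted at all. Link targets are checked separately because a member name that looks harmless can still be a symlink whose target points out of the tree, and a later member can then write through that link.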

Hacking An Election Is Hard. Why Not Pwn The Messenger Instead?

Election day USA, November 8th, is nigh. US elections (during a presidential election year) are a massive affair comprising federal, state, and local candidates for all sorts of elected positions: president, governors, senators, representatives, judges, state and county commissioners, et cetera. They are organized and run at the county level. There are 3,144 counties and […]

2016-10-26

Fun With Internet Metadata (AKA The Deep Web)

Our Cyber Security Services (CSS) division spend a fair amount of time working with companies on threat assessments. They’ve been doing this stuff for several years, and during that time, they developed some useful tools to make their jobs easier. One of those tools is Riddler. It’s a web crawler that makes Internet metadata available via […]

2016-10-21

What’s The Deal With Non-Signature-Based Anti-Malware Solutions?

Gartner recently published an insightful report entitled “The Real Value of a Non-Signature-Based Anti-Malware Solution to Your Organization”. In this report, it discusses the ways in which non-signature technologies can be used to augment an organization’s endpoint protection strategy. Let’s take a look at how Gartner has defined non-signature malware detection solutions. Here’s a clip directly […]

2016-10-17

Definitely Not Cerber

At the beginning of last week we noticed a spam campaign delivering a double zipped JScript file. The campaign started on September 8th. The email had the subject line of “RE: [name of recipient]” with an empty body, and an attached zip file named “[recipient name][a-z]{4}.zip”. The characteristics of the mail, naming of the attached item, […]

2016-09-20

Seriously, Put Away The Foil

I was scanning the headlines this morning, as I do, and came across this article by YLE Uutiset (News). — “Finnish police: Keep your car keys in the fridge” From YLE’s article: “These so-called smart keys work by emitting a signal when the driver touches the door handle. The lock opens when it recognises the […]

2016-09-15