There’s been some speculation this week regarding Donald Trump’s Twitter account. Why? Because its follower count “dramatically” increased (according to reports) due to a bunch of bots. Since Twitter analytics are my thing at the moment, I decided to do some digging.
Sean examined some of Trump’s new followers and found they had something in common. They aren’t just following Donald Trump, they’re following lots of popular accounts.
So, I wrote and ran a script that queried Twitter for the last 5,000 accounts to follow the “top 100” Twitter accounts (Twitter accounts with the highest number of followers). The output of that script was a list of roughly 200,000 unique accounts.
Of those 200,000, over 20,000 accounts follow 5 or more of the top 100 Twitter accounts. Roughly 8,000 of those 20,000 accounts were created on the 1st of June 2017, have a default profile, no profile picture, and haven’t Tweeted.
947 of those accounts follow @realDonaldTrump.
Over 2,000, or roughly a quarter of the above 8,000 accounts, follow exactly 21 Twitter users (436 of those follow @realDonaldTrump).
What do these accounts have in common?
Apparently somebody’s real busy cultivating a huge number of Twitter accounts at this very moment. As to why they’re doing it, we can only speculate.
Whatever the reason, this stuff isn’t being done in a very stealthy manner. And creating new Twitter accounts is easily automated. (I just created a new account using a Gmail alias; email@example.com.)
I assume the folks at Twitter must see this activity. And I’m just wondering why they’re not doing anything about it. Creating accounts doesn’t even require a CAPTCHA.
P.S. – As an added bonus for those who like numbers p0rn, I checked which of the 200,000 unique accounts followed at least 10 of the top 100 accounts. It turns out roughly 7,000 of them do. Of these 7,000, around 3,000 were created on 1st June 2017, have a default profile, no profile picture, and haven’t Tweeted. 367 of those users follow @realDonaldTrump.
About 1,000 of those accounts follow exactly 21 other Twitter accounts. 160 of those follow @realDonaldTrump.
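As an added example (a simplified version of the funnel above, not the script I ran), here is the filtering logic in Python over constructed follower data, parameterized on the minimum number of top accounts followed so the same code reproduces both the 5-or-more and the 10-or-more cuts. The stand-in names top01..top99, the user records and who follows whom are all made up; the field names match the Twitter user object, and in practice they would come from followers/ids on each top account followed by users/lookup on the resulting IDs.

```python
from dataclasses import dataclass
from datetime import date


@dataclass
class User:
    """The handful of Twitter user-object fields the heuristics look at."""
    screen_name: str
    created_at: date
    default_profile: bool
    default_profile_image: bool
    statuses_count: int
    friends_count: int  # how many accounts this user follows


def index_new_followers(new_followers):
    """Invert {top account: [its newest followers]} into
    {follower: set of top accounts it was seen following}."""
    seen = {}
    for top, followers in new_followers.items():
        for name in followers:
            seen.setdefault(name, set()).add(top)
    return seen


def profile_stats(new_followers, users, min_top, target,
                  created_on=date(2017, 6, 1), exact_friends=21):
    """The funnel from the post: accounts following >= min_top of the top accounts,
    those among them with a fresh default profile and no Tweets, and the sub-group
    following exactly `exact_friends` accounts. Each stage is also cut by `target`."""
    seen = index_new_followers(new_followers)
    heavy = [n for n, tops in seen.items() if len(tops) >= min_top]
    suspects = [n for n in heavy
                if users[n].created_at == created_on
                and users[n].default_profile
                and users[n].default_profile_image
                and users[n].statuses_count == 0]
    exact = [n for n in suspects if users[n].friends_count == exact_friends]
    return {
        "unique": len(seen),
        "heavy": len(heavy),
        "suspects": len(suspects),
        "suspects_follow_target": sum(target in seen[n] for n in suspects),
        "exact_friends": len(exact),
        "exact_follow_target": sum(target in seen[n] for n in exact),
    }


# Stand-ins for the top 100 accounts; only the first one is a real handle.
TOP = ["realDonaldTrump"] + [f"top{i:02d}" for i in range(1, 100)]


def constructed_sample():
    """Made-up follower data in the shape the API calls would return."""
    users = {
        "bot1": User("bot1", date(2017, 6, 1), True, True, 0, 21),
        "bot2": User("bot2", date(2017, 6, 1), True, True, 0, 21),
        "bot3": User("bot3", date(2017, 6, 1), True, True, 0, 40),
        "human1": User("human1", date(2012, 3, 4), False, False, 3000, 500),
        "human2": User("human2", date(2016, 1, 1), False, False, 50, 120),
        "lurker": User("lurker", date(2017, 5, 30), True, True, 0, 21),
    }
    follows = {"bot1": TOP[:21], "bot2": TOP[1:6], "bot3": TOP[:12],
               "human1": TOP[:2], "human2": TOP[:7], "lurker": TOP[:10]}
    new_followers = {t: [n for n, tops in follows.items() if t in tops] for t in TOP}
    return new_followers, users


if __name__ == "__main__":
    nf, us = constructed_sample()
    for threshold in (5, 10):
        print(threshold, profile_stats(nf, us, threshold, "realDonaldTrump"))
```

The "lurker" record is there to show why the creation date matters: it has every other bot trait but was created two days earlier, so it never enters the suspect set.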
We’re hiring right now, and if you check out our careers page, you’ll find over 30 new positions ranging from marketing (meh) to malware analysis (woot!). A select number of these new positions are in F-Secure Labs. If you’re on the lookout for a job in cyber security, you might find one of these jobs interesting.
Our Cloud Platforms team builds and maintains a lot of the back end infrastructure used by Labs. They also build the systems that help power our breach detection technologies, and they’re looking for a couple of developers to add to that effort. Below are two open positions on that team. Both are located here in beautiful and temperate Helsinki.
Our Threat Protection team is in charge of researching and reverse engineering threats, and designing new and interesting ways to thwart them. They’re looking for researchers familiar with Windows as well as Linux, Android, and macOS. If you’re interested in this sort of stuff, you’ll find two open positions (also in Helsinki) below.
And then for those of you who feel that Helsinki is just too far south, we have a position available in the lovely city of Oulu. Our AML (Android, Mac, and Linux) Security Core team designs and builds anti-malware technologies for non-Windows platforms. This is a junior position, and a great way to get your foot in the door of the cyber security field.
Finally, you might have noticed several data scientist positions listed on our recruitment pages. We’re heavily bolstering our capabilities in the field of machine learning and data science, and we’ve formed a whole new department just for it. Matti Aksela, the head of that department, recently penned an article about what we’re doing in the field of AI. He’s also hiring.
Of course, as I mentioned above, we’re looking for great people to fill a whole range of open positions. And if you read this blog, you’re probably exactly the sort of person we’re looking for. So don’t delay – head on over and apply now!
Let’s take a moment to collect what we know about WannaCry (W32/WCry) and what we can learn from it.
When looked at from a technical perspective, WCry (in its two binary components) has the following properties.
All in all, writing the above makes me feel like it’s 2003 rather than 2017. In a perfect world, this malware outbreak should not have been able to happen. And the fact that the outbreak wasn’t even worse is thanks to the diligence of IT admins everywhere applying patches and keeping up firewall configurations. Without their work the outbreak would have been far worse. For comparison, a low-ball estimate for computers infected by the W32/Blaster worm was 8 million, and it could have been as high as 16 million.
With the exception of the ransomware payload, the worm component is very similar to the W32/Blaster worm from 2003, which exploited a vulnerability in RPC/DCOM rather than SMB but otherwise behaved much like WCry. All in all, the attackers were not exactly super hackers. It is rather obvious that they did not know what they were dealing with when they created the worm: they used an exploit they found, and were not expecting this kind of massive distribution and attention. It feels like somebody using a sledgehammer as a fly swatter. It is very likely that the attackers are running for the hills right now, as law enforcement around the world will definitely coordinate to hunt them down.
The answer to why WCry’s outbreak was able to happen is most likely the same as why e-mail based attacks first died off around 2008-2010 and are now again a prevalent vector: security controls that do not get challenged are not seen as critical and thus tend to atrophy. Major internet and local network worms have not been a problem for several years, and so organizations have neglected firewall configuration maintenance. Host firewall configuration is also often done lazily: SMB (TCP port 445) is needed outbound from workstations to the file server, and administrators frequently allow it bi-directionally just in case.
The initial run of WCry is now on the decline, but the vulnerable systems remain, so it is important to reflect back on the measures that killed past network worms over time.
And the most important thing that killed network worms was the host firewall configurations that were done according to recommended best practices.
Which, briefly put, are…
This means that workstations should block inbound TCP ports 135 and 445 and UDP ports 137 and 138 from everything but the sources that are supposed to use those services for maintenance purposes. Servers obviously need to have open whichever of those ports they need for providing their service, but even where inbound traffic is allowed, outbound traffic on those ports should be blocked.
With this kind of configuration, even if a host were infected with a network worm, it would be unable to infect other workstations, and even if it managed to infect a server, that server could not pass the infection back to other workstations. This configuration also makes it difficult for an APT attacker to move laterally, especially if you block the Windows Remote Management ports 5985 and 5986 from anything but administration workstations.
Of course there are special cases, such as certain hospital MRI machines which run Windows XP, cannot be patched, and expose an SMB server for access to the MRI images. As these systems cannot be touched, it is critical to make sure that every system allowed to connect to such a resource is well protected. If all systems that can connect to such an MRI device are protected by their own firewalls, they cannot be infected by WCry or copy-cat attacks, and thus cannot pass the infection on to a device that cannot be protected.
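As an added example (written for this page, not taken from the post), here is a Python audit of the host firewall recommendations above. It parses rule listings in the layout of netsh advfirewall firewall show rule name=all (a constructed sample is embedded, trimmed to the fields the audit reads) and flags enabled inbound allow rules on TCP 135/445, UDP 137/138 and WinRM TCP 5985/5986 whose remote scope is not confined to the administration networks you pass in, plus the absence of an enabled outbound block for TCP 445. The admin network 10.0.9.0/24 and the rule names are assumptions.

```python
import ipaddress
import re

# Ports from the post: RPC endpoint mapper, NetBIOS name/datagram, SMB, and WinRM HTTP/HTTPS.
LATERAL_PORTS = {("TCP", 135), ("UDP", 137), ("UDP", 138), ("TCP", 445),
                 ("TCP", 5985), ("TCP", 5986)}
PORT_KEYWORDS = {"RPC-EPMap": 135}  # some built-in rules print this keyword instead of 135

# Constructed sample in the layout of `netsh advfirewall firewall show rule name=all`,
# trimmed to the fields the audit reads; rule names and addresses are made up.
SAMPLE_RULES = """\
Rule Name:                            File and Printer Sharing (SMB-In)
Enabled:                              Yes
Direction:                            In
RemoteIP:                             Any
Protocol:                             TCP
LocalPort:                            445
Action:                               Allow

Rule Name:                            Admin SMB (SMB-In)
Enabled:                              Yes
Direction:                            In
RemoteIP:                             10.0.9.0/24
Protocol:                             TCP
LocalPort:                            445
Action:                               Allow

Rule Name:                            NetBIOS Name (NB-Name-In)
Enabled:                              Yes
Direction:                            In
RemoteIP:                             LocalSubnet
Protocol:                             UDP
LocalPort:                            137
Action:                               Allow

Rule Name:                            Block SMB (SMB-Out)
Enabled:                              No
Direction:                            Out
RemoteIP:                             Any
Protocol:                             TCP
RemotePort:                           445
Action:                               Block
"""


def parse_rules(text):
    """Split netsh output into one {field: value} dict per rule."""
    rules = []
    for line in text.splitlines():
        if line.startswith("Rule Name:"):
            rules.append({})
        m = re.match(r"^([A-Za-z][A-Za-z /]*):\s*(.*)$", line)
        if m and rules:
            rules[-1][m.group(1)] = m.group(2).strip()
    return rules


def port_matches(spec, port):
    """netsh port specs: Any, a number, a comma list, a range, or a keyword like RPC-EPMap."""
    for part in (p.strip() for p in spec.split(",")):
        if part == "Any" or PORT_KEYWORDS.get(part) == port:
            return True
        lo, _, hi = part.partition("-")
        if lo.isdigit() and (hi.isdigit() if hi else True) and int(lo) <= port <= int(hi or lo):
            return True
    return False


def remote_is_restricted(remote_spec, admin_nets):
    """True only if every remote prefix lies inside an approved admin network; keywords
    such as Any or LocalSubnet are not an allow-list and fail the check."""
    try:
        nets = [ipaddress.ip_network(p.strip(), strict=False) for p in remote_spec.split(",")]
    except ValueError:
        return False
    return all(any(n.version == a.version and n.subnet_of(a) for a in admin_nets) for n in nets)


def audit(rules, admin_sources):
    """Findings against the recommendations above for one host's rule set."""
    admin_nets = [ipaddress.ip_network(a) for a in admin_sources]
    findings, smb_out_blocked = [], False
    for r in (r for r in rules if r.get("Enabled") == "Yes"):
        proto, remote = r.get("Protocol", "Any"), r.get("RemoteIP", "Any")
        if r.get("Direction") == "In" and r.get("Action") == "Allow" \
                and not remote_is_restricted(remote, admin_nets):
            for p_proto, p_port in sorted(LATERAL_PORTS):
                if proto in (p_proto, "Any") and port_matches(r.get("LocalPort", "Any"), p_port):
                    findings.append(f"{r['Rule Name']}: inbound {p_proto}/{p_port} allowed from {remote}")
        if r.get("Direction") == "Out" and r.get("Action") == "Block" \
                and proto in ("TCP", "Any") and port_matches(r.get("RemotePort", "Any"), 445):
            smb_out_blocked = True
    if not smb_out_blocked:
        findings.append("no enabled outbound block rule for TCP/445")
    return findings


if __name__ == "__main__":
    import sys
    admin = sys.argv[1:]                           # fwaudit.py 10.0.9.0/24 < rules.txt
    text = sys.stdin.read() if admin else SAMPLE_RULES
    for finding in audit(parse_rules(text), admin or ["10.0.9.0/24"]):
        print(finding)
```

One design point worth keeping in mind when acting on the findings: in Windows Firewall an explicit block rule wins over any allow rule, so the clean way to admit only administration hosts is a default inbound action of Block together with an allow rule scoped to the admin networks, which is exactly the shape the audit accepts.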
WCry, WannaCry, Wana Decrypt0r. I’m sure at this point you’ve heard something about what the industry has dubbed the largest crypto ransomware outbreak in history. Following its debut yesterday afternoon, a lot of facts have been flying around. Here’s what we know, and don’t know.
WCry has currently made a measly $25,000
The spread of WCry was slowed by the actions of an “accidental hero” who registered a “killswitch” domain name he found in the code.
But, it only takes a small edit of that code, and a re-release to get the thing spreading like wildfire again.
It’s been featured in many public places, such as a train station in Frankfurt…
…in high street stores…
…and in academia.
It is reportedly super-easy to reverse engineer.
Microsoft has released a patch for Windows XP because of this malware…
…to the relief of many…
…including the guys running the Trident program.
Even Microsoft haven’t figured out the initial entry vector.
In case you were wondering, yes, F-Secure’s products block the WCry ransomware trojan. In fact, we block multiple mechanisms in the infection vector. Here are the WCry-associated detection names our systems have reported so far:
Here’s where we’ve been blocking it.
As a final note, the usual advice still applies. Patch your systems. Don’t run XP. And don’t click “enable content”.
You can also check out our other blog post about this outbreak.
As I mentioned in a previous post, I’m writing scripts designed to analyze patterns in Twitter streams. One of the goals of my research is to follow Twitter activity around a newsworthy event, such as an election. For example, last weekend France went to the polls to vote for a new president. And so I tuned the parameters of my scripts to see what I could find.
The script in question receives a stream of Tweets based on a list of search parameters. Here are the parameters I gave it:
['macron', 'lepen', 'presidentielle2017', 'presidentielles2017', 'MarineLePen', 'Marine2017', 'ElectionPresidentielle2017', 'enmarche', 'aunomdupeuple', 'jevote', 'emmanuelmacron', 'choisirlafrance', 'MLP', 'debat2017', 'debatpresidentiel', 'jevotepour']
I kicked the script off on the afternoon of Friday May 5th, just before 14:00 French time, and terminated it at 22:00 on Sunday May 7th, a few hours after election results had been called. The script received a stream of Twitter status objects matching the search terms above. The number of Tweets per hour varied from about 18,000 (in the middle of the night, French time) to as much as 79,000 (in the last few hours before the polls closed). Processing involved extracting metadata such as tweet language, hashtags, URLs, and mentions to a set of output files.
Quite quickly after starting the script it became apparent that there were a fair number of URLs pointing to English-language political opinion pieces being shared on the stream. As the weekend went on, it was obvious that a majority of them were positive toward Le Pen and negative toward Macron. Here are some examples of the sort of headlines that were being shared:
One article, whose headline read “Macron Whistleblower Dies Under Suspicious Circumstances”, insinuated that a member of the Macron campaign had been assassinated using a “heart-attack gun”. Here’s a quote from that story:
“Intelligence agencies have been using ‘heart-attack gun’ technology for years, according to a Congressional testimony video filmed in 1975. Could it be that Corinne Erhel was the victim of such technology?”
Right. Anyway, moving on…
Regardless of the configured search terms, my scripts tend to always pick up a fair number of URLs pointing to non-authoritative opinion pieces. This stuff is usually “background noise”, but last weekend the volume had definitely been turned up. It wasn’t until late Sunday evening that stories in French, by French publications, started to show up in the URL feed.
Since I was monitoring data about the French elections, I figured it would be interesting to see how many Tweets were in French as opposed to English. On the whole, there were more Tweets flagged as ‘fr’ by Twitter than those flagged as ‘en’. One particular moment during the weekend caught my eye, though. Have a look at this graph that depicts Tweets by language between the afternoon of Saturday May 6th and the afternoon of Sunday May 7th.
The orange line is clearly what we’d expect: after midnight on the 6th of May, the number of Tweets in French starts to drop off as people presumably went to sleep. That number then picks up again on the morning of Sunday May 7th, as people began their day. The blue line shows Tweets in English, which spike at 01:00 French time. I don’t know what caused this spike, but the time zone lines up with early evening on the American continent.
Interesting patterns were also observed with regards to hashtags. When I started the script up, and for the first few hours, top hashtags included #Macron, #LePen and #Presidentielle2017. Later in the evening of Friday May 5th, the #MacronGate hashtag started showing up. DFR Lab wrote a great article explaining the mechanisms behind this phenomenon. I highly recommend reading it. (tl;dr Bots!) The data I collected also points to patterns indicating the use of automation to push this hashtag. For instance, take a look at the following graph.
The above graph shows the number of times my script saw one of four hashtags during each hour between 03:00 and 11:00 French time on May 7th, 2017. What you’ll notice is that the #Macron, #LePen, and #Presidentielle2017 hashtags were low-volume during the night (again, as expected, since everyone was probably asleep), and picked up as folks woke up. However, the #MacronLeaks hashtag maintained a fairly steady volume across this entire time-slice. In fact, #MacronLeaks remained at the same steady volume all the way from its introduction on Friday evening until the election results were called. It then dropped like a stone to less than 5% of its previous volume within the hour, as the bot infrastructure was shut off.
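To make that pattern concrete, here is an added example (my own illustration for this page, not the collection script): it buckets a stream of Tweet objects by French local hour, counts volume per language and per hashtag, and flags hashtags whose hourly volume across the night-to-morning window barely varies, using the coefficient of variation as a flatness score. The stream is constructed to mimic the shape of the graph above; the 0.25 threshold and the 10-per-hour floor are assumptions.

```python
import statistics
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

FRANCE = timezone(timedelta(hours=2))  # CEST, in force on the election weekend


def local_hour(created_at, tz=FRANCE):
    """Twitter's created_at ('Sun May 07 01:00:00 +0000 2017') -> 'YYYY-MM-DD HH:00' in tz."""
    ts = datetime.strptime(created_at, "%a %b %d %H:%M:%S %z %Y")
    return ts.astimezone(tz).strftime("%Y-%m-%d %H:00")


def volume_by_hour(tweets, key):
    """Counts per local hour, keyed by the labels `key(tweet)` yields."""
    vol = defaultdict(Counter)
    for t in tweets:
        hour = local_hour(t["created_at"])
        for label in key(t):
            vol[label][hour] += 1
    return vol


def hashtags(t):
    return [h["text"].lower() for h in t["entities"]["hashtags"]]


def language(t):
    return [t["lang"]]


def steady_hashtags(vol, hours, max_cv=0.25, min_mean=10):
    """Hashtags whose hourly volume barely moves across `hours` (coefficient of
    variation <= max_cv) while carrying real volume. Organic tags follow the
    day/night cycle; a flat line through the night is the automation signature."""
    flagged = {}
    for tag, counts in vol.items():
        series = [counts.get(h, 0) for h in hours]
        mean = statistics.mean(series)
        if mean < min_mean:
            continue
        cv = statistics.pstdev(series) / mean
        if cv <= max_cv:
            flagged[tag] = round(cv, 3)
    return flagged


def constructed_stream():
    """Made-up tweets for 03:00-10:00 French time on 7 May 2017: #Macron ramps up as
    people wake, #MacronLeaks stays flat; French speakers use the former, English the latter."""
    start = datetime(2017, 5, 7, 1, 0, tzinfo=timezone.utc)   # 03:00 in France
    organic = [4, 4, 6, 12, 25, 40, 60, 80]
    flat = [38, 41, 40, 39, 42, 40, 41, 40]
    tweets = []
    for i, (o, f) in enumerate(zip(organic, flat)):
        created = (start + timedelta(hours=i)).strftime("%a %b %d %H:%M:%S +0000 %Y")
        tweets += [{"created_at": created, "lang": "fr",
                    "entities": {"hashtags": [{"text": "Macron"}]}}] * o
        tweets += [{"created_at": created, "lang": "en",
                    "entities": {"hashtags": [{"text": "MacronLeaks"}]}}] * f
    return tweets


NIGHT_TO_MORNING = [f"2017-05-07 {h:02d}:00" for h in range(3, 11)]

if __name__ == "__main__":
    stream = constructed_stream()
    print(steady_hashtags(volume_by_hour(stream, hashtags), NIGHT_TO_MORNING))
    print({lang: dict(c) for lang, c in volume_by_hour(stream, language).items()})
```

The window matters: a flatness score over a full day would also catch a tag that is simply popular around the clock, so the check is meant to be run over hours when the organic audience is provably asleep, which is what the 03:00 to 10:00 slice above does.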
Both the URLs and #MacronLeaks hashtags were predominantly shared by “American Alt-Right” Twitter accounts. In some cases, these accounts even tweeted/retweeted in French. At the end of the whole weekend, the most shared URL was a link to a YouTube video entitled “The Truth About Macron”. Next was the pastebin page containing links to the stolen Macron data. Seven out of the ten top shared URLs were links to non-authoritative news sources. Luckily, DFR Labs’ article made it into sixth position.
While the above analysis looks to be pretty doom and gloom, things really aren’t as bad as you might think. A vast majority of Twitter users probably wouldn’t have noticed the URL and hashtag flooding going on at all. Why? Well, performing a search in Twitter provides “Top” results by default, which ranks Tweets using an algorithm. And that algorithm appears to filter by some sort of quality (that tends to separate the wheat from the chaff). All that spamming by bot accounts going on in the background doesn’t appear to register. The same also goes for the “News” tab and the list of top 10 trending hashtags. The only place you’ll readily see the background noise is in the “Latest” tab.
So, if all that noise no longer generates much signal, why even still create it in the first place? The answer lies in the fact that the press and the media do spend the effort to dig into raw data looking for a story to run. When they find this otherwise “hidden” data, they run with it. In effect, the press are doing the bots’ jobs for them.
The French presidential election was an ideal moment for me to refine the scripts I’ve been writing to find the usage patterns associated with “active measures” in upcoming elections and world events. The UK general election is in just a few weeks, so I’ll get to see how well my changes work. I’m sure I’ll have something interesting to report after that event happens!
There is a variant of phishing attack that is receiving a lot of attention in the security community nowadays. It’s called an IDN homograph attack, and it takes advantage of the fact that many different Unicode characters look alike. The use of Unicode in domain names makes it easier to spoof websites, as the visual representation of an internationalized domain name in a web browser may appear indistinguishable from the legitimate site. For example, the Unicode character U+0117, Latin small letter E with dot above, looks similar to the ASCII Latin small letter E. Hence it is possible to register a domain such as labsblog.xn--f-secur-z8a.com, which is the Punycode form of labsblog.f-securė.com.
This topic has already been thoroughly discussed. Security researchers have been warning about it for over a decade, but it has only relatively recently gained more attention, also from the bad guys. To trace this dangerous trend, we’re going to use a combination of the DNS reconnaissance tool dnstwist (which I created some time ago) and some command line kung fu to gather and analyze all the information we find.
We will start by pulling a list of the most popular websites worldwide published by Alexa Internet. This seems to be a good representative group because the very top of them should be a tempting target for phishing attacks.
The ZIP file contains a million domain names, so we’ll narrow that down to a reasonable scope of 100. This will give us something that looks like this.
We will use dnstwist, which provides a convenient way of generating domain name variations using a range of techniques, including Unicode homograph attacks. The idea is quite straightforward. The tool will use the previously prepared list of 100 domains as a seed, generate a list of potential phishing domains, and then query WHOIS servers for registration dates.
An hour later we have 100 files named after the corresponding domain names. Since we’re focusing on Unicode domains, we keep only the domain names that, when encoded with Punycode, start with the xn-- prefix. The data is comma delimited, so we cut out the column with the registration date. Finally, we group it by year and count the number of occurrences in order to plot a nice graph.
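Below is the same pipeline in Python as an added example (not dnstwist’s code): generating single-character look-alike variants of a seed domain, converting to Punycode so the xn-- check can be applied, folding a Punycode name back to the brand it imitates, and counting xn-- registrations per year from dnstwist-style CSV output. The homoglyph table is a small subset of what dnstwist carries, and the CSV sample is constructed: its column names follow dnstwist’s CSV layout as I understand it, and the domains, addresses and dates are made up.

```python
import csv
from collections import Counter
from io import StringIO

# A small table of Latin look-alikes (dnstwist ships a much larger one). The Cyrillic
# letters а/е/о/с/р/і/ѕ are visually identical to their Latin counterparts in most fonts.
HOMOGLYPHS = {
    "a": ["а", "á"], "c": ["с"], "e": ["е", "ė"], "i": ["і"],
    "o": ["о", "ó"], "p": ["р"], "s": ["ѕ"],
}
REVERSE = {glyph: base for base, glyphs in HOMOGLYPHS.items() for glyph in glyphs}


def to_punycode(domain):
    """Unicode domain -> ACE form (xn--...) as it appears in DNS and WHOIS."""
    return domain.encode("idna").decode("ascii")


def homograph_variants(domain):
    """Every single-character look-alike substitution in the registrable label,
    in the spirit of dnstwist's homoglyph fuzzer."""
    label, dot, rest = domain.partition(".")
    variants = set()
    for i, ch in enumerate(label):
        for glyph in HOMOGLYPHS.get(ch, []):
            variants.add(label[:i] + glyph + label[i + 1:] + dot + rest)
    return variants


def ace_variants(domain):
    """The same variants as they would show up in a zone file or WHOIS record."""
    return sorted(to_punycode(v) for v in homograph_variants(domain))


def skeleton(ace_domain):
    """Decode an ACE domain and fold look-alikes back to ASCII, so a suspicious
    name can be matched against the brand it imitates."""
    unicode_name = ace_domain.encode("ascii").decode("idna")
    return "".join(REVERSE.get(c, c) for c in unicode_name)


def homograph_registrations_by_year(csv_text):
    """Count xn-- domains per WHOIS creation year in dnstwist CSV output
    (only the 'domain-name' and 'whois-created' columns are used)."""
    years = Counter()
    for row in csv.DictReader(StringIO(csv_text)):
        if not any(label.startswith("xn--") for label in row["domain-name"].split(".")):
            continue
        created = (row.get("whois-created") or "").strip()
        if created[:4].isdigit():
            years[created[:4]] += 1
    return years


# Constructed dnstwist-style output for one seed; names, addresses and dates are made up.
SAMPLE_CSV = """\
fuzzer,domain-name,dns-a,dns-aaaa,dns-mx,dns-ns,geoip-country,whois-created,whois-updated
Homoglyph,xn--f-secur-z8a.com,203.0.113.7,,,ns1.example.net,,2016-09-12,2017-01-03
Homoglyph,xn--f-scure-8gb.com,,,,,,2014-04-01,
Bitsquatting,f-sgcure.com,198.51.100.9,,,,,2016-02-02,
Homoglyph,xn--fsecure-9pa.com,,,,,,,
Homoglyph,xn--f-secur-z8a.net,203.0.113.8,,,,,2017-03-30,
Homoglyph,xn--f-ecure-fpb.com,,,,,,2016-11-05,
"""

if __name__ == "__main__":
    for ace in ace_variants("f-secure.com"):
        print(ace, "->", skeleton(ace))
    print(dict(homograph_registrations_by_year(SAMPLE_CSV)))
```

Python’s built-in idna codec implements IDNA 2003, which is enough for these characters; the third-party idna package implements IDNA 2008 and rejects some code points the older rules accept, so a production checker should decide which set of rules its registries actually apply.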
The data collected clearly shows that attackers have been using Unicode-based domains for a long time.
The top three phishing targets are Google, Facebook and Amazon.
Due to the fact that the life span of a phishing domain is rather short and the lack of data from a wider period it is difficult to demonstrate a clear upward trend. However, given the recent interest in the subject, it can be assumed that attacks of this nature will occur more often.
While conducting this research, we came across a domain running an active phishing site that seems to target Facebook users in China. We have notified Facebook’s security team about this.
I use Macs both at home and at work, and as a nerd, I enjoy using interesting stand-alone tools and apps to keep my environment secure. Some of my favorites are knockknock, ransomwhere?, and taskexplorer, from the objective-see website. I’ve also been recently playing around with (and enjoying) Monitor.app from FireEye.
When I heard that Little Flocker had been acquired by F-Secure, I paid a visit to our Mac team to find out more about it. The first thing I learned: Little Flocker has been renamed F-Secure XFENCE.
Our Mac developer tasked with this project described XFENCE as a “firewall for files.” I think that sums it up pretty well.
Here’s how it works. After an initial install and reboot, the tool goes into “learning mode”. While in this mode, XFENCE builds rules based on process behaviors and file accesses it sees, so it’s wise to do the stuff you’d usually do on your system – launch applications, access common files, and that sort of thing. Upon exiting learning mode, XFENCE saves the rules it collected, and then enters protection mode, where it prompts on any “out of the ordinary” behavior (i.e., anything it didn’t create a rule for during learning mode). Interacting with XFENCE prompts will cause new rules to be created.
We’ve had behavioral blocking mechanisms on the Windows side for ages already. Integrating XFENCE/Little Flocker’s technologies into our Mac products will finally bring that security layer to macOS. However, as you might guess from my description, XFENCE is pretty much a power-user tool at the moment. Every prompt presents the owner of the system with a decision that can only be answered correctly if the user has enough knowledge of what wanted and unwanted behavior looks like. In order to make this technology friendly for non-power-users, we’ll be turning to cloud lookups.
Our security components (on all platforms) perform reputation lookups for objects such as URLs, files, and certificates. Client-side decision logic factors in the results of these queries when deciding whether to allow an executable to run or whether a website should be blocked. In a similar vein, we’ll be building mechanisms into XFENCE to allow it to query behavioral patterns. In the future, if XFENCE sees a Microsoft Word document attempting to run an executable, it’ll prevent that from happening by default, without prompting the user (in the same way that our DeepGuard component on Windows works right now). Because launching an executable from a word document is pretty much never legit behavior.
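To show what the learning/protection split and a default-deny pattern look like as logic, here is an added toy model (not XFENCE’s implementation): learning mode turns observed (process, action, directory) triples into allow rules, protection mode prompts on anything unseen and records the answer as a rule, and a hard-coded pattern standing in for the cloud lookup blocks an Office application launching an executable without ever prompting. The process names, paths and the directory-level rule granularity are assumptions.

```python
import posixpath
from enum import Enum


class Verdict(Enum):
    ALLOW = "allow"
    BLOCK = "block"
    PROMPT = "prompt"


# Stands in for the cloud-backed behavioural patterns: behaviours blocked outright,
# regardless of learned rules and regardless of mode (assumption: a local table).
OFFICE_APPS = {"Microsoft Word", "Microsoft Excel", "Microsoft PowerPoint"}
NEVER_ALLOW = [
    lambda process, action, target: action == "exec" and process in OFFICE_APPS,
]


class FileFirewall:
    """Toy model of a learning/protection-mode file firewall."""

    def __init__(self):
        self.learning = True
        self.rules = {}  # (process, action, directory) -> allow?

    @staticmethod
    def key(process, action, target):
        # Learn at directory granularity, so one download does not mean a prompt
        # for every file that lands in the same folder afterwards.
        return (process, action, posixpath.dirname(target))

    def stop_learning(self):
        self.learning = False

    def decide(self, process, action, target):
        if any(rule(process, action, target) for rule in NEVER_ALLOW):
            return Verdict.BLOCK              # no prompt, even in learning mode
        k = self.key(process, action, target)
        if self.learning:
            self.rules[k] = True              # everything observed becomes an allow rule
            return Verdict.ALLOW
        if k not in self.rules:
            return Verdict.PROMPT             # unseen behaviour: ask the user
        return Verdict.ALLOW if self.rules[k] else Verdict.BLOCK

    def answer_prompt(self, process, action, target, allow):
        """The user's answer to a prompt becomes a persistent rule."""
        self.rules[self.key(process, action, target)] = allow


if __name__ == "__main__":
    fw = FileFirewall()
    fw.decide("Safari", "write", "/Users/me/Downloads/report.pdf")   # learned
    fw.stop_learning()
    print(fw.decide("Safari", "write", "/Users/me/Downloads/other.pdf"))
    print(fw.decide("Safari", "write", "/Users/me/.ssh/id_rsa"))
    print(fw.decide("Microsoft Word", "exec", "/tmp/update.app/Contents/MacOS/update"))
```

The order of the checks is the point of the model: the default-deny pattern is evaluated before the learned rules, so a rule picked up during learning mode can never whitelist a behaviour that the pattern table says is never legitimate.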
Well, almost. An analyst on our Threat Intelligence team recently discovered a sample in-the-wild in which an IT guy (presumably) was attempting to deploy updates to computers in his organization by emailing employees Word docs containing embedded executables. Our product would prevent such “update mechanisms” from working. And we recommended approaching such tasks in a different (and more sane) manner. 🙂
We’ve started up a beta program for folks who would like to help us test XFENCE, and use it for free (as in beer). And we plan to add features such as the cloud lookup mechanisms I detailed here. We’re very keen on getting feedback! You can find the beta program for XFENCE here.
We’ve published a White Paper today titled: The Callisto Group.
And who/what is the Callisto Group? A good question, here’s the paper’s summary.
Heavy use of spear phishing, and malicious attachments sent via legitimate, but compromised, email accounts.
Don’t click “OK”.
I’ve just started experimenting with Tweepy to write a series of scripts attempting to identify Twitter bots and sockpuppet rings. It’s been a while since I last played around with this kind of stuff, so I decided to start by writing a couple of small test scripts. In order to properly test it, I needed to point towards an active account. So, I opted for @realDonaldTrump.
After collecting data from the past 12 months, Sean and I realized that it should be broken into four separate sets to provide context. Here’s how we’ve broken it down.
The following diagram shows activity based on time and day, broken down by the four time periods defined above. As you can see, the highest Twitter activity has always occurred between early and mid-afternoon. Note the almost complete lack of activity between 08:00 and 12:00. Anybody developing Twitter bots for trading purposes might want to flag any activity on this account during that time-slot as “out of band”, and worthy of closer attention.
Here’s the time of day data graphed. Notice that Trump’s daily Twitter activity pattern didn’t really change across this data set.
Notice the last graph? This is the change of behavior I alluded to earlier. Prior to March 7th, 2017, Tweets posted via “Twitter for Android” were always in the overwhelming majority. The only other data set that shows significant iPhone usage is the election campaign period. And those Tweets can be most likely attributed to campaign staff.
So, how much did @realDonaldTrump Tweet before and after becoming POTUS?
During the run-up to the 2016 elections, @realDonaldTrump’s account posted about twice as many Tweets per week as in the following months. The above graph also nicely illustrates the switch from Android to iPhone in week 10 of 2017. Here’s another graph that illustrates it.
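As an added example of this kind of analysis (written for this page, not the scripts I used), the following strips the client name out of the HTML source field of a status object, histograms posting hour in US Eastern time, flags posts in the normally quiet 08:00 to 12:00 slot, and finds the ISO week in which one client overtakes the other. The timeline is constructed to resemble the Android-to-iPhone switch in week 10 of 2017; the fixed UTC-5 offset and the sample times are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

EASTERN = timezone(timedelta(hours=-5))  # assumption: fixed US Eastern standard time
ANDROID = '<a href="http://twitter.com/download/android" rel="nofollow">Twitter for Android</a>'
IPHONE = '<a href="http://twitter.com/download/iphone" rel="nofollow">Twitter for iPhone</a>'


def parse_created(created_at):
    return datetime.strptime(created_at, "%a %b %d %H:%M:%S %z %Y")


def source_name(tweet):
    """Twitter's `source` field is an HTML anchor; keep only the client name."""
    return re.sub(r"<[^>]+>", "", tweet["source"])


def hour_histogram(tweets, tz=EASTERN):
    return Counter(parse_created(t["created_at"]).astimezone(tz).hour for t in tweets)


def out_of_band(tweets, quiet_hours=range(8, 12), tz=EASTERN):
    """Tweets posted in a window where the account is normally silent."""
    return [t for t in tweets
            if parse_created(t["created_at"]).astimezone(tz).hour in quiet_hours]


def weekly_source_share(tweets, tz=EASTERN):
    weeks = defaultdict(Counter)
    for t in tweets:
        year, week, _ = parse_created(t["created_at"]).astimezone(tz).isocalendar()
        weeks[(year, week)][source_name(t)] += 1
    return weeks


def switch_week(weeks, old, new):
    """First ISO week in which `new` outnumbers `old` after `old` had been dominant."""
    old_was_dominant = False
    for week in sorted(weeks):
        c = weeks[week]
        if c[old] > c[new]:
            old_was_dominant = True
        elif old_was_dominant and c[new] > c[old]:
            return week
    return None


def constructed_tweets():
    """Made-up timeline: Android afternoons through ISO week 9, an iPhone-only pattern
    from 7 March 2017 (week 10), and one odd 09:30 post on 8 March."""
    def local(month, day, hour, minute=0):
        return datetime(2017, month, day, hour, minute, tzinfo=EASTERN)

    stamps = []
    monday = local(2, 27, 0)
    for i in range(5):                                    # Mon 27 Feb .. Fri 3 Mar
        stamps += [(monday + timedelta(days=i, hours=h), ANDROID) for h in (13, 15)]
    stamps += [(local(3, 4, 14), IPHONE), (local(3, 4, 16), IPHONE)]
    stamps.append((local(3, 6, 14), ANDROID))            # last Android post
    for day in (7, 8, 9):
        stamps += [(local(3, day, h), IPHONE) for h in (13, 14, 15)]
    stamps.append((local(3, 8, 9, 30), IPHONE))          # out of band
    for day in (13, 14):
        stamps += [(local(3, day, h), IPHONE) for h in (13, 14, 15, 16)]
    return [{"created_at": ts.astimezone(timezone.utc).strftime("%a %b %d %H:%M:%S +0000 %Y"),
             "source": src} for ts, src in stamps]


if __name__ == "__main__":
    tw = constructed_tweets()
    print(sorted(hour_histogram(tw).items()))
    print([t["created_at"] for t in out_of_band(tw)])
    print({w: dict(c) for w, c in sorted(weekly_source_share(tw).items())})
    print(switch_week(weekly_source_share(tw), "Twitter for Android", "Twitter for iPhone"))
```

Real data crosses the March DST change, so a production version should convert with a proper zone (zoneinfo’s America/New_York) rather than the fixed offset used here for portability.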
Well, why did @realDonaldTrump’s account suddenly shift from Android to iPhone? It could have been something that was in the works (for security reasons). Or… it might have something to do with this Tweet.
Whatever the reason, the “schedule” remains more or less the same.
Perhaps we’ll build a bot of our own. It’s a work in progress, and I’ll post on this more in the future.
There’s news today of a BAE/PWC report detailing a China-based hacking group campaign dubbed “Operation Cloud Hopper”. (Embedded Tweet from News from the Lab (@FSLabs), April 5, 2017: “Chinese Group Is Hacking Cloud Providers to Reach Into Secure Enterprise Networks https://t.co/Le4E4Se2Hc pic.twitter.com/adpDyWYa6C”.) This operation is what’s known as an upstream attack, a method of compromise that we […] (2017-04-05)
Yesterday, between 9:00 and midnight GMT, we observed three massive malware spam runs. The magnitude clearly stood out from the average daily amount of spam with attachments. The campaigns were largely sent to accounts with email addresses in the co.uk TLD. The first run, with subject lines such as “Your Booking 938721” (numbers vary), started at […] (2017-03-31)
Google announced on Wednesday that it will soon add real-time location sharing to Google Maps. The feature set appears to be very reminiscent of Google Latitude, which was introduced (way back) in 2009. Location sharing will undoubtedly be a popular option for many, but it may come with OPSEC considerations for others. Here’s what I wrote about […] (2017-03-23)
A Turkish hacking group is reportedly attempting to extort Apple over a compromised cache of iCloud account data. This activity is on the heels of last week’s Turkish-related Twitter account hacks via a service called Twitter Counter. And that brings to mind this article (by Andy)… OVER THE PAST FEW YEARS, you’ve probably heard […] (2017-03-22)
We’ve been asked numerous questions about WikiLeaks’ March 7th CIA document dump. Did the news surprise you? No. Spies spy. And that spies use hacking tools… is expected. (“Q” does cyber these days.) Does this mean that the CIA will have to start over and rebuild a completely new set of tools? Does it need […] (2017-03-09)
Apple and Google have issued statements to the media regarding WikiLeaks’ March 7th publication of CIA documents. Here’s Apple’s statement via BuzzFeed News. According to Apple, its “products and software are designed to quickly get security updates” to its customers. So, just how well does that statement hold up to what we see in-the-wild? Well, […] (2017-03-09)
AV-Test has awarded F-Secure Client Security with Best Protection 2016! And as tradition dictates, we took it on a tour of Helsinki. As a reminder, AV-Test’s Best Protection award is based on continuous real-world testing, over the entire year, against the most reliable and well-trusted endpoint protection vendors on the market. We’re proud to have, once […] (2017-03-03)
Jarkko Turkulainen, a Senior Researcher on our Threat Intelligence team, has (today!) publicly released a research tool called Reflash. It’s a proof-of-concept framework for analyzing Adobe Flash files. It produces an SQL database of Flash VM stack traces by injecting dynamically generated instrumentation into Flash files. The SQL database can later be analyzed with various […] (2017-02-23)
In January 2017, I began tracking the “customer portal” of an innovative new family of crypto-ransomware called Spora. Among its innovations are a dedicated domain (spora.biz, spora.bz, et cetera) running a Tor web proxy, HTTPS support, an initially lower extortion demand, and tiered pricing with options to unencrypt individual files (up to 25Mb in size) […] (2017-02-22)
For more than 10 years, we’ve released an annual report/summary featuring observations, research, and malware trends. And in past years, this publication has included the word “threat” in its title. But no more! There are rather significant changes this year in our… State of Cyber Security. The new title reflects a change in the type […] (2017-02-15)