Energy Regulator Acts to Improve Power Grid Security

http://ift.tt/2yvTeLV

With growing concern over nation-state cyber attacks comes an increasing need to secure the critical infrastructure. In the Quadrennial Energy Review published in January 2017, the U.S. Energy Department wrote, “Cyber threats to the electricity system are increasing in sophistication, magnitude, and frequency.” The reliability of the electric system underpins virtually every sector of the modern U.S. economy, it warned.

In response to such concerns, the Federal Energy Regulatory Commission (FERC) yesterday proposed new cyber security management controls to enhance the reliability and resilience of the nation’s bulk electric system.

“FERC proposes to approve Critical Infrastructure Protection (CIP) Reliability Standard CIP-003-7 (Cyber Security – Security Management Controls), which is designed to mitigate cyber security risks that could affect the reliable operation of the Bulk-Power System,” it announced.

The new standard will particularly improve on existing standards for access control, “by clarifying the obligations that pertain to electronic access control for low-impact cyber systems; adopting mandatory security controls for transient electronic devices, such as thumb drives and laptop computers; and requiring responsible entities to have a policy for declaring and responding to CIP exceptional circumstances related to low-impact cyber systems.”

The FERC statement also proposes that the North American Electric Reliability Corp (NERC) should develop criteria for mitigations against the risks resulting from any malware that could come from third-party transient devices. “These modifications will address potential gaps and improve the cyber security posture of entities that must comply with the CIP standards,” said FERC.

While there have been few known successful attacks against the U.S. critical infrastructure, concern has grown dramatically with increasing geopolitical tensions, and the more open attribution of specific cyber attacks to specific foreign nations. The activities of Russia, Iran and North Korea are concerning. Russia is openly blamed for the DNC breaches, NotPetya and the attacks against the Ukrainian power systems; North Korea has been blamed for the Sony breach and numerous attacks against South Korea; and Iran has been accused of attacks against aerospace and energy companies.

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Security News

via SecurityWeek RSS Feed http://ift.tt/T5XpCH

October 20, 2017 at 02:22PM

‘IOTroop’ Botnet Could Dwarf Mirai in Size and Devastation, Says Researcher

http://ift.tt/2xTF4zy

A botnet, which is adding new bots every day, has already infected one million businesses during the past month and could easily eclipse the size and devastation caused by Mirai.

The malware and botnet, dubbed IOTroop, was spotted in September by researchers at Check Point who warn that 60 percent of corporate networks have at least one vulnerable device.

Similar to Mirai, the malware targets poorly protected network-connected devices such as routers and wireless IP cameras manufactured by D-Link, TP-Link, Avtech, Netgear, MikroTik, Linksys, Synology and GoAhead.

“So far we estimate over a million organizations have already been affected worldwide, including the U.S., Australia and everywhere in between, and the number is only increasing,” according to Check Point’s preliminary research published Thursday.

While this malware appears to share some of Mirai’s code, it is a new malware and campaign, said Maya Horowitz, group manager of threat intelligence at Check Point, in an interview with Threatpost.

“This has the potential to be more damaging than Mirai,” Horowitz said. “This is malware that has a much broader range of vulnerabilities to target across a much larger spectrum of products,” she said.

In October 2016, Mirai malware spread itself to IoT devices gaining access via default password and usernames. The malware then roped affected devices into a botnet and carried out distributed denial of service (DDoS) attacks. The largest of such attacks flooded DNS provider Dyn causing several well-known websites to go dark for hours.

Horowitz said the IOTroop malware Check Point is examining has similarities to Mirai, such as the recruiting of a global army of network devices capable of launching crippling DDoS attacks.

“The most interesting difference between this malware and Mirai is that it is far more sophisticated. Attackers are not just exploiting default credentials to compromise devices, but also using a dozen or more vulnerabilities to get on these devices,” she said.

In the case of the GoAhead wireless IP camera, attackers exploited a well-known authentication bypass vulnerability (CVE-2017-8225), identified in March and affecting more than 1,250 camera models. For other devices, such as the Linksys RangePlus WRT110 Wireless Router, adversaries are exploiting a remote command execution vulnerability known since 2014. This vulnerability exists because the router’s web interface fails to sanitize ping targets and lacks cross-site request forgery tokens for protection.

Researchers said they have also identified several command-and-control servers used by adversaries behind the malware that update it with ranges of IP addresses to attack.

“Every infected device gets a range of IP addresses that are used to scan for these dozen or so vulnerabilities,” Horowitz said. “The malware is mostly self-propagating, with minimal C2 intervention. But we are still studying the malware and reverse engineering it to better understand how it works.”

“While we don’t have the completed answers, we do know that the infected devices get a range of IP addresses that the malware is instructed to check for vulnerabilities. And then the IPs of the vulnerable devices are sent back to the C2,” she said.

Researchers believe that the botnet is quickly amassing and may be on the cusp of a massive DDoS attack. “Our research suggests we are now experiencing the calm before an even more powerful storm,” wrote researchers.

Still unknown are the threat actors behind the malware/botnet, any targets the hackers might have, and the timeline of any attack.

“It is too early to assess the intentions of the threat actors behind it, but it is vital to have the proper preparations and defense mechanisms in place before an attack strikes,” said researchers.

Security News

via Threatpost | The first stop for security news http://threatpost.com

October 20, 2017 at 02:17PM

Booz Allen to Acquire AI-based Morphick

http://ift.tt/2yABjB3

Contracting giant Booz Allen is to acquire cybersecurity firm Morphick. Few details have been made public — there is no statement on the price involved nor the future of existing Morphick staff. Nevertheless, this seems to be a good fit for both companies, with Morphick gaining access to more customers, and Booz Allen moving further along its published plan to expand its commercial presence.

Morphick is located in Cincinnati with a staff of around 40 cybersecurity specialists. Booz Allen has its global headquarters in McLean, Virginia, and employs around 23,000 people. The acquisition is expected to close in the third quarter of Fiscal Year 2018, and is subject to customary closing conditions.

“The acquisition bolsters Booz Allen’s growth strategy in its U.S. Commercial business, where the focus is on expanding clients’ access to scalable, on-demand managed threat services. The addition of the Morphick team and technology further solidifies the firm’s ability to solve increasingly advanced cyber challenges,” said Horacio Rozanski, president and CEO of Booz Allen. “Under our long-term growth strategy, Vision 2020, Booz Allen has been moving closer to the center of our clients’ missions, fusing our consulting heritage with expert capabilities in cyber, digital solutions, engineering and analytics,” he added.

At least part of Morphick’s technology comes from AI firm, Endgame. “The Morphick Managed EDR service, powered by Endgame,” announced Endgame in January 2017, “combines Morphick’s best-in-class managed detection and response services with Endgame’s unparalleled EDR platform to provide customers with earliest prevention, accelerated detection and response, and automated hunt of next-gen attacks.”

Booz Allen is moving straight to ‘next-gen’ threat detection with AI and machine-learning detection capabilities rather than signature-based detection — and calls it ‘an adaptive approach to threat detection’. “Morphick’s technology is differentiated by an adaptive approach to threat detection that addresses the growing challenge of highly evolved cyber threats and determined attackers, empowering companies to protect themselves and respond more effectively,” says Booz Allen. “The platform, which analyzes the motivation and actions of attackers to thwart their attacks, assists companies in mitigating the challenges of the shortage of skilled cyber professionals and limitations of traditional, static defenses.”

Existing Morphick staff will also complement Booz Allen’s current market presence. Describing its own alliance with Morphick, Endgame commented, “Core to the service offering are Morphick’s seasoned security analysts and NSA-accredited incident response teams, whose deep expertise enables them to identify and terminate the efforts of latent attackers targeting organizations’ intellectual property, business systems, or other key assets. These analysts will leverage Endgame’s EDR platform to prevent, detect, and rapidly respond to advanced attacks without the reliance on signatures.”

Endgame’s involvement in Morphick technology will continue beyond the acquisition. “Endgame and Morphick are committed to continuing our relationship following the Booz Allen Hamilton transaction,” an Endgame spokesperson told SecurityWeek. “Morphick has realized tremendous value for itself and its customers thanks to its use of the Endgame platform, and Morphick will continue to use and market the platform for their customers following the acquisition.”

Security News

via SecurityWeek RSS Feed http://ift.tt/T5XpCH

October 20, 2017 at 01:43PM

What’s coming next in the world of malware? [VIDEO]

http://ift.tt/2gxhpCs

If you want to know where the world of malware is heading…

…ask an expert!

So that’s exactly what we did – we spoke to Fraser Howard of SophosLabs, live on Facebook.

Fraser is one of the world’s leading threat researchers, with knowledge that is deep as well as broad.

He’s well worth listening to, and here’s what he told us:

PS. If you like the T-shirt in the video, you can buy one at http://ift.tt/14WklN1.


Security News

via Naked Security http://ift.tt/1pHdTOi

October 20, 2017 at 01:31PM

Cable Bots, Arise! Domination of the Universe is at Hand

http://ift.tt/2yCCWOC

Most CNC robots people see involve belts and rails, gantries, lead screws, linear bearings, and so forth. Those components need a rigid chassis to support them and to keep them from wobbling during fabrication and adding imperfections to the design. As a result, the scale is necessarily small — hobbyist bots max out at cabinet-sized, for the most part. Their rigid axes are often laid out at Cartesian right angles.

One of the exceptions to this common configuration is the delta robot. Deltas might be the flashiest of CNC robots, moving the end effector on three arms that move to position it anywhere in the build envelope. A lot of these robots are super fast and precise when charged with carrying a light load, and they get put to work as pick-and-place machines and that sort of thing. It doesn’t hurt that delta bots are also parallel manipulators, which means that the motors work together to move the end effector, with one motor pulling while the matching motor pulls.

But while Cartesian CNC bots are sturdy workhorses, and deltas are fly-weight racehorses, neither can really cut it when you want to go gigantic. In terms of simplicity and scale, nothing beats cable bots.

Cable Bots

Cable bots use wires or strings pulled by reel-mounted motors, with dimensions limited only by the room to mount the motors and the tensile strength of the cables used. When the strings are tensioned you can get a surprising degree of accuracy. Why not? Are they not computer-controlled motors? As long as your kinematic chain accounts for the end effector’s movement in one direction by unwinding another cable (for instance) you can very accurately control the end effector over a very wide scale.

The following are some fun cable bots that have caught my eye.

Skycam

Forget merely room sized — Skycam is the brand-leader of stadium sized cable bots. If you’ve watched any NFL you’ve seen the camera robots that zip overhead, following the action from close up thanks to a gimbal-mounted camera.

Each reel is controlled by its own computer, with a two-operator control rig centering around a Linux box. The 600-lb cables are Kevlar-jacketed optical fiber and copper; in addition to moving the camera module (the “spar”), the wires carry power and data. The 3.4 kW motors are equipped with encoders that give a resolution of 1/100th of an inch.

If anything would tell you that cable bots scale up insanely it should be Skycam. What’s next? City-sized cable bots? World-sized CNC?

Trammell Hudson’s Polargraph

Way at the other end of the spectrum are two-stepper drawbots sometimes known as polargraphs or hanging v-plotters. They consist of a pair of stepper motors with reels controlling strings hanging down, with a module at the bottom equipped with a pen. Gravity provides tension, allowing the polargraph to make surprisingly precise lines.
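
As an added worked example of the two-reel kinematics described above (not code from the article or from any of the projects it mentions; the reel spacing, spool circumference and step counts are assumed values), this Python snippet converts pen coordinates to cable lengths and back, turns a move into stepper steps, and measures how far the pen strays from a straight line when a controller ramps cable lengths linearly instead of interpolating in Cartesian space.

```python
import math

# Assumed geometry for the example (not from the article). Origin is the left
# reel's axle, x runs toward the right reel, y runs downward toward the pen.
MOTOR_SPACING_MM = 1000.0
SPOOL_CIRCUMFERENCE_MM = 50.0   # assumed spool size
STEPS_PER_REV = 200 * 16        # assumed 200-step motor with 1/16 microstepping


def inverse_kinematics(x, y, spacing=MOTOR_SPACING_MM):
    """Cable lengths (left, right) that hold the pen at (x, y)."""
    return math.hypot(x, y), math.hypot(spacing - x, y)


def forward_kinematics(left, right, spacing=MOTOR_SPACING_MM):
    """Pen position (x, y) for given cable lengths: intersection of two circles
    centred on the reels, taking the solution below the reels (gravity keeps
    the strings taut, so the pen is never above them)."""
    x = (left ** 2 - right ** 2 + spacing ** 2) / (2.0 * spacing)
    y_sq = left ** 2 - x ** 2
    if y_sq < 0:
        raise ValueError("cable lengths cannot both reach one point")
    return x, math.sqrt(y_sq)


def steps_for_move(start, end, spacing=MOTOR_SPACING_MM):
    """Whole stepper steps per reel for a move (positive = pay out cable).
    Moving one reel changes both the pen's position and the other cable's
    required length, which is why both reels normally turn together."""
    l0, r0 = inverse_kinematics(*start, spacing=spacing)
    l1, r1 = inverse_kinematics(*end, spacing=spacing)
    mm_per_step = SPOOL_CIRCUMFERENCE_MM / STEPS_PER_REV
    return round((l1 - l0) / mm_per_step), round((r1 - r0) / mm_per_step)


def cable_interpolation_error(start, end, samples=100, spacing=MOTOR_SPACING_MM):
    """Largest deviation (mm) from the intended straight line if a controller
    ramps both cable lengths linearly from start to end in a single segment.
    Cable space is not Cartesian, so a long move bows into a curve; firmware
    avoids this by chopping moves into short segments and solving each one."""
    (x0, y0), (x1, y1) = start, end
    l0, r0 = inverse_kinematics(x0, y0, spacing=spacing)
    l1, r1 = inverse_kinematics(x1, y1, spacing=spacing)
    line_len = math.hypot(x1 - x0, y1 - y0)
    worst = 0.0
    for i in range(samples + 1):
        t = i / samples
        x, y = forward_kinematics(l0 + t * (l1 - l0), r0 + t * (r1 - r0), spacing)
        # perpendicular distance from the sampled pen position to the line
        dist = abs((x1 - x0) * (y0 - y) - (x0 - x) * (y1 - y0)) / line_len
        worst = max(worst, dist)
    return worst


if __name__ == "__main__":
    print(inverse_kinematics(500.0, 500.0))
    print(steps_for_move((500.0, 500.0), (500.0, 600.0)))
    print(cable_interpolation_error((200.0, 600.0), (800.0, 600.0)))
```

For a 600 mm horizontal move at mid-height the single-segment cable ramp bows about 45 mm below the intended line, which is why polargraph firmware subdivides G-code moves.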

The drawings in this post were created by Hackaday regular [Trammell Hudson]. His simplified polargraph uses a 3D-printed pen holder that has no lifting mechanism — the G-code just calls for the pen to draw from one point to the next even if that results in stray lines. [Trammell] has explored using his drawbot to make mathematically modeled patterns, like the space-filling Gosper and Hilbert curves, a visualization of a Lorenz attractor, and even mapping sine waves. My favorite is the wall-sized map of Paris.

Despite [Trammell]’s great results, it’s quite simple; the project uses a TinyG CNC controller with two random steppers found at NYC Resistor. In fact, a polargraph can be quite simple. Its toolhead can be made with nothing more complicated than a Sharpie with a servo attached to it with a binder clip — the servo’s horn simply pushes back against the work surface and lifts the pen off of it. Check out [Trammell]’s web site to follow along with the Polargraph project, as well as assets on Flickr and GitHub.

Scanlime’s Tuco Flyer

[Micah Elizabeth Scott]’s cat, [Tuco], apparently needs his own robot to keep a camera focused on his feline glory. It’s a winch bot called the Tuco Flyer.

[Micah]’s YouTube videos focus on her expertise in mechanical and electrical engineering, plus a lot of kitty shots, so a 3D-printed, cable-bot flying camera rig is just the ticket.

The project includes a lot of great details, like her refurbished camera gimbal and the from-scratch winches, one of which can be seen to the right. In many cases she stores the electronics inside the infrastructure, making for a very elegant build.

It doesn’t appear that the project has reached the “moving stuff in the air” stage yet, so follow the project on Hackaday.io to keep up with the latest developments.

Gravity-Defying Parallel Robots

A few days back we mentioned another work in progress, the Arcus3D, a 3D printer that uses tensioned cables to move the toolhead around, much the way the polargraph works but in three dimensions. Based on the Flying SkyDelta RepRap model, [Daren]’s printer uses stepper-driven cables to move the toolhead around.

The toolhead keeps low and level thanks to a “Super Gravity Pole”, a yard-long steel pole that anchors it; otherwise it would want to fly around uselessly. This highlights the fact that gravity as a tensioning element is part of what makes cable bots as simple as they are — otherwise you’d need more cables pulling down on the end effector.

But what happens if you do just that? I haven’t seen many hobbyist-level projects involving 6-motor cable bots, but there are a few commercial products, and they are quite simple, incredibly fast, and scarily precise. I want to close out this piece by sharing an insane cable bot project, the CableEndy. It was [Andrej Rajnoha]’s master’s thesis at Brno Institute of Technology, and it packs some pretty insane specs — just to name a couple, it accelerates the toolhead at 10 G with 1 mm precision.

[SkyCam photo by Despeaux, CC BY-SA 3.0. Trammell Hudson’s photos used with permission.]

Friends, share your favorite cable bot pr0n and projects in comments.

 

Filed under: cnc hacks, Hackaday Columns

Security News

via Hackaday https://hackaday.com

October 20, 2017 at 01:07PM

Citrix helps transform other companies, but can it transform itself?

http://ift.tt/2zDFZ9o

Citrix Systems, the well-known desktop virtualization services provider, has been in the news for all the wrong reasons lately. First, it was the inability to keep up with rapid industry growth, thereby resulting in slower revenue growth. Then it was the departure of the company’s latest CEO, Kirill Tatarinov, after just 18 months. The problem is, Citrix always tries to play catch-up with the market and is rarely at the helm of things. However, the latest set of strategic moves made by the company seems to kick things into top gear.

What changed now?

Citrix has finally woken up to the realization that the present world has changed considerably from what it was even a few years ago.

There have been widespread economic and political changes in the United States and elsewhere in the world, and companies must now devise new, innovative business models if they wish to sustain themselves and expand. Yes, the slower long-term financial growth has affected the workings of many organizations, forcing them to scale back on real estate and concentrate on “hot desking,” or remote working, to trim expenses.

But, at the same time, this kind of global uncertainty has prompted the new generations to take decisive steps for overcoming the limitations of a complex and scattered web of customers, suppliers, and employees. So, it’s not surprising that the industry is teeming with new practices and cultures.

For example, 75 percent of the international workforce is going to be comprised of millennials by the year 2025. This has resulted in the creation of a new middle-class among the workforce — one that is more tech-savvy and open to the challenges that arise from encouraging change and challenging age-old processes.

Dealing with the new relationships

The new workforce dynamics at Citrix rely on a mix of distributed patterns of working, generational clashes, and major structural changes. So, for this to work, new forms of management styles, cultural changes, and communicational channels have been necessary.

Citrix wants all these processes to work harmoniously and make sure that staff is sufficiently motivated. What’s more, the customers need to be properly maintained as well. Thus, they have introduced advanced digital workspaces that provide enough flexibility and freedom when it comes to changing the way work is completed as per their preferences.

The important thing is, such changes need individuals who possess a flair for handling complex, more advanced networks, especially if they wish to fulfill the needs of today’s tech-savvy, informed customers. And Citrix is not averse to adopting a new workforce that fulfills these criteria.

What the new workforce at Citrix looks like

So, what exactly is this “new workforce” we keep talking about? Well, it consists of employees who are better trained and equipped to deal with the changing technology, and, therefore, savvy customers.

The industry as a whole has been affected by the rise of the millennial generation, and so Citrix seeks to engage and serve this group in different ways. The company understands that this generation is unique, not just because of sheer numbers, but because of their close proximity to smartphones, social media, and broadband from an early age.

For these people, technology is the norm, and so, they expect to have the necessary information at their fingertips. And Citrix can help with that. Another significant point is millennials are often better equipped to handle cutting-edge critical business tools than senior workers. This makes them the logical choice for embracing the expanding mobile work culture at Citrix.

But some people just are not able to deal with change that well.

It should be noted that mobility now assumes many forms, not just smartphones. There are sensors, endpoints, and devices that represent lots of connected “things.” As cloud computing goes mainstream, all of this gains the ability to scale.

Organizations now use at least one cloud device for supporting some part of their business. And Citrix can help them with this. The company can relieve the pressure on businesses to digitize their operations quickly. Because if they don’t, they might not be able to survive.

Position of Citrix in the IT industry

In the current market, businesses have become quite volatile, and the IT sector has become extremely complicated. This means, businesses need to tackle large problems if they wish to take advantage of some amazing opportunities. Citrix, for example, has found a solution. No longer does the company sell a piece of technology or a product license. Now, their final goal is to boost the survival chances of organizations by helping clients digitally transform their existing workplaces into something new.

Thus, Citrix plays a more hands-on role in the evolution of IT companies, since it is the sole technology firm that integrates networking services, app delivery, file sharing, and mobility to provide a productive customer experience and work environment, underpinned by the cloud.

Citrix realizes very well how the unification of data and applications within a secure digital workspace allows people to complete tasks, irrespective of the time, location, or device. So what the company is doing is making businesses more agile, protecting their IP and data, and giving them a clear way to engage with the complicated network of customers, employees, and suppliers, facilitating positive innovation and change, and boosting collaboration, just like the creators of those “Transformers” movies boosted their image even more since “Transformers 5” was amazing.

The changing world has led to changing customers. Therefore, to help businesses keep pace, Citrix too has evolved to meet the demands of the changing workforce, changing demands, and changing expectations.

How have they fared?

Citrix is streamlining its product portfolio, focusing more on enterprise offerings than becoming a total Software-as-a-Service company. The firm is scaling its main business to gain more time and investment. The company is primed to attract more customers with its comprehensive suite of solutions, and it has already closed more contracts in virtual client computing than in previous years.

But in order to truly survive in the long term, Citrix must move away from its limited focus of supporting only Windows-centric environments to something bigger. The company must broaden its tablet and smartphone focus instead of supporting the use of these devices as endpoint technology used for connecting to Windows infrastructure.

It should make use of all it has at its disposal, and right now that includes several advanced capabilities in monitoring, accelerating, and managing networking infrastructure that it can leverage for cloud-computing environments.

Photo credit: Wikimedia

The post Citrix helps transform other companies, but can it transform itself? appeared first on TechGenix.

Security News

via Comments on: http://techgenix.com

October 20, 2017 at 01:05PM

Google’s Advanced Protection Program: extra security at a cost

http://ift.tt/2hScokH

Are you a high-risk user whose Google account hackers might want to target? If you are, how much hassle would you put up with to make your account more secure?

These are questions Google is inviting its users to ask themselves with the announcement of the Advanced Protection Program (APP), a reassuring but also potentially awkward way to add extra layers of security to Google accounts.

Available from this week, it’s free to all consumer Google account holders, but before you rush off to sign up let’s dig a little deeper into what is on offer because the downsides won’t be for everyone.

First, APP’s target user base, which includes:

Campaign staffers preparing for an upcoming election, journalists who need to protect the confidentiality of their sources, or people in abusive relationships seeking safety.

But also:

Human rights defenders, environment campaigners and civil society activists working on any number of sensitive issues.

To that could be added high net-worth individuals, VIPs and perhaps politicians and company management using a Google account in a personal capacity (see the infamous attack on the DNC’s John Podesta in 2016).

It first dawned on Google that some users faced a higher risk than others in 2010 when it went public on the aggressive Aurora attacks conducted on its Chinese users by an unnamed nation state that everybody twigged must be China itself.

Google has tried to contain targeted attacks by introducing security protections such as two-step and multi-factor authentication, and HTTPS connections by default, as well as gradually limiting attachment behaviour in Gmail.

Google thinks this is no longer enough and has launched APP with three new protections.

Anti-phishing

The first is mandating that users authenticate themselves using a hardware token such as the FIDO U2F YubiKey. Other authentication methods (including backup codes and SMS) will no longer work.

These cost a reasonable $18 (£15), but users will also have to buy an additional Bluetooth token (another $25 perhaps) to authenticate from smartphones lacking a USB port. That’s two keys to look after and you can’t lose either without incurring a temporary loss of account access.

It’s not clear whether these will be needed for every authentication, but if they are that will mean users can’t allowlist access from a regularly-used device and will have to plug in a key for every login, from every device.

The extra security of using a token means that attackers who successfully steal your user name and password can’t access your account, even if they also steal the device you normally use to access that account.

Limiting app access

APP’s second defence is to constrain access to accounts from third-party apps, by which it means anything not made by Google. The risk these pose:

By giving permission, you might introduce vulnerabilities that could be used to access your personal data. For example, an app you trust could be exploited or impersonated.

Third-party apps will never be able to access Gmail, Google Drive or Google Photos, and using Chrome to access Google services will become mandatory. Anyone using iOS will have to use Google’s apps to access services.

This feature sounds straightforward enough but this will nix any website or service that either uses a Google account for authentication (or which needs access to it), for example WhatsApp, Dropbox, or the New York Times.

It’s not clear whether users will still be able to forward email to third-party accounts. In principle, there’s no reason why not although whether that’s a good idea for secure email is another matter.

Account verification

Attackers sometimes try to gain access to an account by initiating a reset after pretending they’ve been locked out. As researchers have noted, this can happen in a number of ways. Under APP, additional checks will become necessary, although Google hasn’t yet specified what these will be.

The company has said “these added verification requirements will take a few days to restore access to your account,” which makes clear that users resetting credentials could be left without access for some time (including if they lose their tokens – see above).

The extra inconvenience APP adds to using a Google account will be more than worth it for some users. The lingering question is whether, in time, all regular Google users might end up being part of this group given the industrial scale of sophisticated attacks.

That said, users can already opt for a sort of halfway house between standard account security and what APP offers simply by turning on multi-factor verification, either using the Google Authenticator app or, better still, by enrolling a YubiKey. For most people, this might be the place to start dialling up security before tangling with the APP.


Security News

via Naked Security http://ift.tt/1pHdTOi

October 20, 2017 at 12:56PM

Locky Uses DDE Attack for Distribution

http://ift.tt/2yWV74K

While continuing to spread via spam emails sent by the Necurs botnet, the Locky ransomware has switched to new attack techniques in recent campaigns, in an attempt to evade detection and improve infection rate.

One of the methods involves the use of the Dynamic Data Exchange (DDE) protocol, which was designed to allow Windows applications to transfer data between one another. Consisting of a set of messages and guidelines, it uses shared memory to exchange data between applications.

Malicious actors found a way to use DDE from within Office documents to automatically run malware without the use of macros. DDE, which allows an Office application to load data from another application, was superseded by Microsoft’s Object Linking and Embedding (OLE), but continues to be supported.
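As an added defensive example (not code from the article or from the researchers it cites): a Python scanner that reassembles Word field codes from a .docx and flags DDE/DDEAUTO fields, the field type this macro-less technique relies on, including fields split across several runs. The sample document, the function names and the placeholder field arguments are all constructed here.

```python
import html
import io
import re
import zipfile

# Word keeps field codes in word/*.xml as <w:fldSimple w:instr="..."> or as
# <w:instrText> runs between fldChar "begin" and "separate"/"end" marks.
_TOKEN_RE = re.compile(
    r'<w:fldChar[^>]*w:fldCharType="(begin|separate|end)"[^>]*/?>'
    r"|<w:instrText[^>]*>(.*?)</w:instrText>"
    r'|<w:fldSimple[^>]*w:instr="([^"]*)"',
    re.S,
)
_DDE_RE = re.compile(r"\bDDE(?:AUTO)?\b", re.I)

def extract_field_codes(part_xml: str) -> list[str]:
    """Reassemble every field instruction in one XML part, joining split runs."""
    codes, current, in_field = [], [], False
    for m in _TOKEN_RE.finditer(part_xml):
        mark, instr, simple = m.groups()
        if mark == "begin":
            in_field, current = True, []
        elif mark in ("separate", "end"):
            if in_field and current:
                codes.append("".join(current))
            in_field, current = False, []
        elif instr is not None and in_field:
            current.append(html.unescape(instr))  # "DD" + "EAUTO" -> "DDEAUTO"
        elif simple is not None:
            codes.append(html.unescape(simple))
    return codes

def find_dde_fields(docx_bytes: bytes) -> list[str]:
    """Return DDE field codes from every XML part (body, headers, footers) of a .docx."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if name.startswith("word/") and name.endswith(".xml"):
                for code in extract_field_codes(zf.read(name).decode("utf-8", "replace")):
                    if _DDE_RE.search(" ".join(code.split())):
                        hits.append(code.strip())
    return hits

def build_sample_docx(instr_runs: list[str]) -> bytes:
    """Constructed minimal .docx (word/document.xml only) with one field split across runs."""
    runs = "".join(f"<w:r><w:instrText>{html.escape(r)}</w:instrText></w:r>" for r in instr_runs)
    body = ('<w:document><w:body><w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>' + runs
            + '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p></w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", body)
    return buf.getvalue()
```

A mail gateway or sandbox can run `find_dde_fields` over attachments and quarantine any document that returns a non-empty list; legitimate invoices have no reason to carry DDE fields.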

The technique was previously observed being employed by the FIN7 hacking group in recent DNSMessenger malware attacks, and Internet Storm Center (ISC) handler Brad Duncan says it could also be associated with a Hancitor malware campaign spotted earlier this week.

Now, Duncan reveals that Locky too has adopted the use of Office documents and DDE for infection. Delivered through spam emails originating from Necurs, the documents were attached to messages posing as invoices.

The analyzed attack used a first-stage malware that achieved persistence on the compromised system. The Locky binary, on the other hand, was deleted post-infection.

The use of DDE for infection, however, is only one of the methods Locky employs. As Trend Micro points out, Necurs also distributed the ransomware through HTML attachments posing as invoices, Word documents embedded with malicious macro code or Visual Basic scripts (VBS), malicious URLs in spam emails, and VBS, JS, and JSE files archived via RAR, ZIP or 7ZIP.

“The continuous changes in Locky’s use of file attachments are its way of adjusting its tools to evade or bypass traditional security. But despite the seeming variety, there are common denominators in Locky’s social engineering, particularly in the email subjects and content. They appear to have the same old flavors, but with relatively different twists,” the security researchers explain.

Recent Necurs-fueled distribution campaigns were also observed dropping the TrickBot banking Trojan via the same attachments carrying Locky.

Related: Massive Spam Runs Distribute Locky Ransomware

Related: Hackers Used Government Servers in DNSMessenger Attacks

Ionut Arghire is an international correspondent for SecurityWeek.

Security News

via SecurityWeek RSS Feed http://ift.tt/T5XpCH

October 20, 2017 at 12:48PM

CVE-2017-12628

http://ift.tt/2yWpuIB


Security News

via National Vulnerability Database http://ift.tt/OD63ZH

October 20, 2017 at 12:24PM

CVE-2017-6141

http://ift.tt/2hQIayz


Security News

via National Vulnerability Database http://ift.tt/OD63ZH

October 20, 2017 at 12:24PM