Tag Archives: detailed

WannaMine cryptojacker targets unpatched EternalBlue flaw

New research detailed successful cryptojacking attacks by WannaMine malware after almost one year of warnings about this specific cryptominer and more than a year and a half of warnings about the EternalBlue exploit.

The Cybereason Nocturnus research team and Amit Serper, head of security research for the Boston-based cybersecurity company, discovered a new outbreak of the WannaMine cryptojacker, which the researchers said gains access to computer systems “through an unpatched [Server Message Block, or SMB] service and gains code execution with high privileges” to spread to more systems.

Serper noted in a blog post that neither WannaMine nor the EternalBlue exploit are new, but they are still taking advantage of those unpatched SMB services, even though Microsoft patched against EternalBlue in March 2017.

“Until organizations patch and update their computers, they’ll continue to see attackers use these exploits for a simple reason: they lead to successful campaigns,” Serper wrote in the blog post. “Part of giving the defenders an advantage means making the attacker’s job more difficult by taking steps to boost an organization’s security. Patching vulnerabilities, especially the ones associated with EternalBlue, falls into this category.”
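The article's advice boils down to two checks a defender can actually run: is the host still speaking the SMBv1 dialect that EternalBlue (MS17-010) exploits, and is it reachable on TCP 445. The following PowerShell is an added example, not code from the article or from Cybereason; the function name, the report format and the "any update since 14 March 2017" heuristic are this example's own choices, and it only uses cmdlets that ship with Windows 8.1/Server 2012 R2 and later.

```powershell
# Added example: report whether this host still exposes SMBv1 (the protocol
# EternalBlue / MS17-010 attacks) and whether TCP 445 is listening.
# Run in an elevated PowerShell session. Function name and output shape
# are this example's assumptions, not anything from the article.

function Get-EternalBlueExposure {
    [CmdletBinding()]
    param()

    # Is the SMB server willing to negotiate SMBv1 at all?
    $smb1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol

    # Is the SMB1 optional feature installed? (Client SKUs; on Windows
    # Server query Get-WindowsFeature FS-SMB1 instead.)
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    $featureState = if ($feature) { $feature.State } else { 'Unknown' }

    # A listener on 445 is reachable by the exploit if the firewall allows it.
    $listening445 = [bool](Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue)

    # Heuristic only: MS17-010 shipped on 14 March 2017. No update since then
    # means certainly unpatched; a later update does not by itself prove the
    # SMB fix is present, so confirm with your patch-management tooling.
    $latestHotfix = Get-HotFix |
        Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        SMB1ServerEnabled   = $smb1Enabled
        SMB1FeatureState    = $featureState
        Port445Listening    = $listening445
        LatestHotfixDate    = if ($latestHotfix) { $latestHotfix.InstalledOn } else { $null }
        UpdatedSinceMS17010 = if ($latestHotfix) { $latestHotfix.InstalledOn -ge [datetime]'2017-03-14' } else { $false }
    }
}

$report = Get-EternalBlueExposure
$report | Format-List

if ($report.SMB1ServerEnabled -or $report.SMB1FeatureState -eq 'Enabled') {
    Write-Warning 'SMBv1 is still enabled. EternalBlue targets SMBv1, so disable it as well as patching:'
    Write-Warning '  Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force'
    Write-Warning '  Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart'
}
```

Disabling SMBv1 removes the attack surface even on a host whose patch state you cannot verify; it is the step Microsoft itself recommends alongside MS17-010, and it is what keeps a missed machine from becoming the next WannaMine foothold.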


The EternalBlue exploit was famously part of the Shadow Brokers dump of National Security Agency cyberweapons in April 2017; less than one month later, the WannaCry ransomware was sweeping the globe and infecting unpatched systems. However, that was only the beginning for EternalBlue.

EternalBlue was added into other ransomware, like GandCrab, to help it spread faster. It was built into NotPetya, the destructive Petya variant of June 2017. And there were constant warnings for IT to patch vulnerable systems.

WannaMine was first spotted in October 2017 by Panda Security. And in January 2018, Sophos warned users that WannaMine was still active and preying on unpatched systems. According to researchers at ESET, the EternalBlue exploit saw a spike in use in April 2018.

Jake Williams, founder and CEO of Rendition Infosec, based in Augusta, Ga., said there are many ways threat actors may use EternalBlue in attacks.

“It is fair to say that any unpatched system with SMB exposed to the internet has been compromised repeatedly and is definitely infected with one or more forms of malware,” Williams wrote via Twitter direct message. “Cryptojackers are certainly one risk for these systems. These systems don’t have much power for crypto-mining (most lack dedicated GPUs), but when compromised en-masse they can generate some profit for the attacker. More concerning in some cases are the use of these systems for malware command and control servers and launching points for other attacks.”

FIN7 members arrested after stealing 15 million credit card records

FBI indictments unsealed Wednesday detailed the alleged crimes of three members of the FIN7 cybercrime gang who have been arrested and are in custody in Seattle.

Ukrainian nationals Dmytro Fedorov, Fedir Hladyr and Andrii Kolpakov were arrested by the FBI and are in custody. Each has been charged with 26 federal offenses, including conspiracy, wire fraud, computer hacking, access device fraud and aggravated identity theft.

The FBI described the three hackers as “high-ranking members” of the FIN7 cybercrime organization — also known as the Carbanak Group — in a press release. The FIN7 group has been connected with attacks on more than 100 businesses and data breaches across 47 states in which “more than 15 million customer card records from over 6,500 individual point-of-sale terminals at more than 3,600 separate business locations” were stolen.

The FBI admitted it didn’t expect FIN7 to disappear following these arrests, but framed the indictments as a major blow to the group.

“The naming of these FIN7 leaders marks a major step toward dismantling this sophisticated criminal enterprise,” Jay Tabb, special agent in charge of the FBI’s Seattle field office, said in a statement. “As the lead federal agency for cyber-attack investigations, the FBI will continue to work with its law enforcement partners worldwide to pursue the members of this devious group, and hold them accountable for stealing from American businesses and individuals.”

However, security vendor FireEye wrote in a blog post that while FIN7 may pause activity for a short time, the group would continue in one form or another.

“Depending on the organizational and communication structure of the group, it is also plausible that multiple subgroups could form and carry out independent operations in the future. Recent campaigns, as well as those using tactics that were atypical for historical FIN7 campaigns, such as the SEC [Securities and Exchange Commission] campaigns with widespread targeting, may be representative of semi-autonomous groups pre-existing within, or cooperating with, the FIN7 criminal organization,” FireEye researchers wrote. “Certain malware families and techniques transcend strictly defined threat groups, and may be re-used by developers and operators as they transition between organizations and campaigns.”

FIN7 activity

According to the FBI announcement, FIN7 primarily targeted companies in the “restaurant, gaming and hospitality industries,” across the U.S., U.K., France and Australia. The FBI described FIN7’s methods as using spear phishing, adding that the group “accompanied emails with telephone calls intended to further legitimize the email” in order to trick users into installing Carbanak malware.

FireEye expanded on this based on its history of FIN7 activity, saying the group was connected to attacks across the U.S. and Europe in the hospitality, restaurant, travel, education, gaming, construction, energy, retail, finance, telecom, high-tech, government, software and business service industries.

Kimberly Goody, cybercrime analysis manager at FireEye, based in Milpitas, Calif., also clarified the distinction between Carbanak malware and the commonly used Carbanak Group name via Twitter.

The FBI noted that FIN7 even made attempts to appear legitimate.

“FIN7 used a front company, Combi Security, purportedly headquartered in Russia and Israel, to provide a guise of legitimacy and to recruit hackers to join the criminal enterprise,” the FBI wrote. “Combi Security’s website indicated that it provided a number of security services such as penetration testing. Ironically, the sham company’s website listed multiple U.S. victims among its purported clients.”

FireEye confirmed some of FIN7’s job postings through Combi Security.

“While the recruitment of unwitting individuals as puppets has been a common component of at least some criminal schemes — for example, reshipping mules who are recruited through postings on career sites advertising attractive work-from-home jobs — FIN7’s veiling of full-scale financial compromises as legitimate offensive security engagements is particularly notable,” FireEye researchers wrote. “The apparent success of Combi Security in recruiting unsuspecting individuals in this manner, may lead to more of this type of technical recruitment by cyber criminals in the future.”

What is Windows event log? – Definition from WhatIs.com

The Windows event log is a detailed record of system, security and application notifications stored by the Windows operating system that is used by administrators to diagnose system problems and predict future issues.

Applications and the operating system (OS) use these event logs to record important hardware and software actions that the administrator can use to troubleshoot issues with the operating system. The Windows operating system tracks specific events in its log files, such as application installations, security management, system setup operations on initial startup, and problems or errors.

The elements of a Windows event log

Each log entry contains the following fields:

Date: The date the event occurred.

Time: The time the event occurred.

User: The account under which the event was logged, which may be a user name or a built-in account such as SYSTEM.

Computer: The name of the computer.

Event ID: A number, scoped to the source that logged it, that identifies the kind of event.

Source: The program or component that logged the event.

Type: The event's level, one of information, warning, error or critical; entries in the Security log are additionally marked as audit success or audit failure.

For example, in Event Viewer's Level, Date and Time, Source, Event ID and Task Category columns, events of the four levels look like this:

Level          Date and Time           Source                     Event ID   Task Category
Information    5/16/2018 8:41:15 AM    Service Control Manager    7036       None
Warning        5/11/2018 10:29:47 AM   Kernel-EventTracing        1          Logging
Error          5/16/2018 8:41:15 AM    Service Control Manager    7001       None
Critical       5/11/2018 8:55:02 AM    Kernel-Power               41         (63)

The type of information stored in Windows event logs

The Windows operating system groups events into five Windows Logs: Application, Security, Setup, System and Forwarded Events. Each log is stored as a separate file, such as System.evtx, under %SystemRoot%\System32\winevt\Logs.

Application events relate to incidents with the software installed on the local computer. If an application such as Microsoft Word crashes, then the Windows event log will create a log entry about the issue, the application name and why it crashed.


Security events are recorded according to the system's audit policy, and the typical events stored include logon attempts and access to audited resources. For example, when a user tries to log on to a machine and Windows verifies the account credentials, the Security log records the outcome: Event ID 4624 for a successful logon and 4625 for a failed one.

Setup events come from Windows installation and servicing, such as the installation of updates; on a domain controller the Setup log also records domain-related setup activity.

System events are logged by Windows components themselves, such as a device driver that failed to load or a service that changed state.

Forwarded events are events collected from other machines on the network through an event subscription, so that one collector computer gathers the logs of many sources.

Using the Event Viewer

Microsoft includes the Event Viewer in its Windows Server and client operating systems to view Windows event logs. Users open Event Viewer by clicking the Start button and typing Event Viewer into the search field, or by running eventvwr.msc. Users can then select and inspect the desired log.

Windows Event Viewer
The Event Viewer application in the Windows operating system

Windows categorizes every event with a severity level. The levels, from least to most severe, are verbose, information, warning, error and critical; the Windows Logs described above normally contain the last four.

Most logs consist of information-level events. Entries at this level usually mean the event occurred without incident or issue. An example of a system-based information event is Event 42, Kernel-Power, which indicates the system is entering sleep mode.

Warning-level events flag conditions that are not yet failures, such as a lack of storage space. They bring attention to potential issues that might not require immediate action. Event 51, Disk, which reports an error during a paging operation on the machine’s drive, is an example of a system-based warning.

An error level indicates a component or device failed to load or operate as expected. Event 5719, NETLOGON, logged when a computer cannot set up a secure session with a domain controller, is an example of a system error.

Critical-level events indicate the most severe problems. Event ID 41, Kernel-Power, logged when a machine reboots without a clean shutdown, is an example of a critical system event.
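The example event IDs above are easiest to understand when pulled from a live System log with their level attached. The PowerShell below is an added example, not from the WhatIs.com page; it uses only the built-in Get-WinEvent cmdlet, and the level-name table, the one-line descriptions and the seven-day window are this example's own.

```powershell
# Added example: query the System log for the example events discussed in
# the text (41, 42, 51, 5719, 7001, 7036) and label each with its level.
# Helper names, descriptions and the 7-day window are this example's choices.

# Numeric Level as stored in the event record (what Event Viewer's Level
# column displays by name).
$LevelNames = @{ 1 = 'Critical'; 2 = 'Error'; 3 = 'Warning'; 4 = 'Information'; 5 = 'Verbose' }

# Short descriptions of the example IDs from the text.
$ExampleEvents = @{
    41   = 'Kernel-Power: rebooted without a clean shutdown'
    42   = 'Kernel-Power: system entering sleep'
    51   = 'Disk: error during a paging operation'
    5719 = 'NETLOGON: could not set up a secure session with a domain controller'
    7001 = 'Service Control Manager: service depends on a service that failed to start'
    7036 = 'Service Control Manager: service entered the running or stopped state'
}

function Get-ExampleSystemEvents {
    param([int]$Days = 7)

    # FilterHashtable is evaluated by the event log service itself, which is
    # far cheaper than "Get-WinEvent -LogName System | Where-Object ...".
    $filter = @{
        LogName   = 'System'
        Id        = @($ExampleEvents.Keys)
        StartTime = (Get-Date).AddDays(-$Days)
    }

    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                Level       = $LevelNames[[int]$_.Level]
                Id          = $_.Id
                Source      = $_.ProviderName
                Meaning     = $ExampleEvents[$_.Id]
                Message     = ($_.Message -split "`r?`n")[0]   # first line only
            }
        }
}

Get-ExampleSystemEvents | Sort-Object TimeCreated -Descending | Format-Table -AutoSize
```

Get-WinEvent returns nothing rather than an error when none of the IDs occurred in the window, which is why -ErrorAction SilentlyContinue is set; a burst of 41s or 5719s in the output is the kind of pattern the earlier paragraphs describe.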

Other tools to view Windows event logs

Microsoft also provides the wevtutil command-line utility in the System32 folder, which enumerates and retrieves event logs, runs queries, exports logs, archives logs and clears logs.
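Those wevtutil verbs are most useful in a particular order during incident handling: look at the log, export and archive a copy, and only then consider clearing anything. The session below is an added example, not from the page; the output folder is this example's assumption, and it must run in an elevated PowerShell session because the Security log is not readable otherwise.

```powershell
# Added example: the wevtutil operations the text lists, run from PowerShell
# as native commands. The C:\IR\logs folder is this example's assumption.

$out = 'C:\IR\logs'
New-Item -ItemType Directory -Path $out -Force | Out-Null

# Enumerate the logs present on this machine, then the configuration
# (file path, maximum size, retention) of one of them.
wevtutil el | Select-Object -First 10
wevtutil gl Security

# Query: the five newest Security events, newest first, as readable text.
wevtutil qe Security /c:5 /rd:true /f:text

# Query with an XPath filter: failed logons (Event ID 4625) only.
wevtutil qe Security /q:"*[System[(EventID=4625)]]" /c:20 /rd:true /f:text

# Export a copy of the live log as .evtx (binary, lossless) ...
$stamp = Get-Date -Format 'yyyyMMdd-HHmm'
wevtutil epl Security "$out\Security-$stamp.evtx"

# ... then archive it so the rendered message strings are embedded and the
# file stays readable on a machine that lacks the same event providers.
wevtutil al "$out\Security-$stamp.evtx"

# Clearing a log is itself logged: the Security log records Event ID 1102
# ("The audit log was cleared") and other logs record Event ID 104 in the
# System log. Detection rules should treat both as alerts. Example only:
# wevtutil cl Application
```

Export before archive matters: wevtutil al works on a saved .evtx file, not on the live log, and the archived copy is the one worth attaching to a case file.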

Third-party utilities that also work with Windows event logs include SolarWinds Log & Event Manager, which provides real-time event correlation and remediation; file integrity monitoring; USB device monitoring; and threat detection. Log & Event Manager automatically collects logs from servers, applications and network devices.

ManageEngine EventLog Analyzer builds custom reports from log data and sends real-time text message and email alerts based on specific events.

Using PowerShell to query events

Since Windows Vista, Microsoft stores event logs in the binary EVTX format; every record carries structured data that Event Viewer, the Windows event APIs and PowerShell expose as extensible markup language (XML). XML provides more granular information and a consistent format for structured data.

Administrators can build detailed XML queries, the same XML that Event Viewer's Filter Current Log dialog generates, and run them with the Get-WinEvent PowerShell cmdlet's -FilterXml parameter to select or suppress events; for simpler criteria, -FilterHashtable accepts the log name, event IDs, level and time range directly.
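The XML query route pays off when the filter depends on fields inside EventData rather than the common header, which the Security log's logon events (4624 success, 4625 failure, both standard Windows audit IDs) illustrate well. The script below is an added example, not the page's code; the function names, the logon-type table and the choice to suppress SYSTEM logons are this example's own, and it needs the "Audit Logon" policy enabled and an elevated session.

```powershell
# Added example: Get-WinEvent -FilterXml against the Security log, then the
# per-event EventData fields pulled out of the record's XML into objects.
# Function names and the logon-type table are this example's assumptions.

function ConvertTo-LogonTypeName([string]$Type) {
    switch ($Type) {
        '2'  { 'Interactive' }
        '3'  { 'Network' }
        '4'  { 'Batch' }
        '5'  { 'Service' }
        '7'  { 'Unlock' }
        '8'  { 'NetworkCleartext' }
        '9'  { 'NewCredentials' }
        '10' { 'RemoteInteractive' }
        '11' { 'CachedInteractive' }
        default { "Type$Type" }
    }
}

function Get-RecentLogonEvents {
    param([int]$Hours = 24)

    # timediff() in event log XPath works in milliseconds.
    $ms = $Hours * 60 * 60 * 1000

    # Same XML shape that Event Viewer's Filter Current Log > XML tab shows.
    # <Select> picks 4624/4625 in the window; <Suppress> drops the very
    # frequent SYSTEM logons using a field that lives inside EventData.
    $query = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4624 or EventID=4625) and TimeCreated[timediff(@SystemTime) &lt;= $ms]]]
    </Select>
    <Suppress Path="Security">
      *[EventData[Data[@Name='TargetUserName']='SYSTEM']]
    </Suppress>
  </Query>
</QueryList>
"@

    Get-WinEvent -FilterXml $query -ErrorAction SilentlyContinue | ForEach-Object {
        # Each EVTX record round-trips to XML; EventData is a list of
        # <Data Name="..."> elements, so index them by their Name attribute.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.GetAttribute('Name')] = $d.'#text' }

        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            Id          = $_.Id
            Outcome     = if ($_.Id -eq 4624) { 'Success' } else { 'Failure' }
            User        = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
            LogonType   = ConvertTo-LogonTypeName $data['LogonType']
            SourceIP    = $data['IpAddress']
            Process     = $data['ProcessName']
            Status      = $data['Status']   # NTSTATUS such as 0xC000006D on failures
        }
    }
}

# Failed logons grouped by source address: a quick brute-force or
# password-spray check over the last day.
Get-RecentLogonEvents -Hours 24 |
    Where-Object Outcome -eq 'Failure' |
    Group-Object SourceIP |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

Parsing EventData this way is what makes the structured fields (LogonType, IpAddress, Status) usable as object properties; the Message string alone would have to be regex-scraped and changes with the display language.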

IOHIDeous is a macOS zero-day for the New Year

In a somewhat unorthodox New Year’s gift, a developer detailed a long-unpatched macOS zero-day flaw that could allow an attacker root access for full system compromise, although it cannot be exploited remotely.

Siguza, a hobbyist developer and hacker from Switzerland, described in great detail a zero-day vulnerability, dubbed IOHIDeous, which is said to affect all versions of macOS going back 15 years.

“This is the tale of a macOS-only vulnerability in IOHIDFamily that yields kernel [read and write] and can be exploited by any unprivileged user,” Siguza wrote in a Github post. “IOHIDFamily has been notorious in the past for the many race conditions it contained, which ultimately lead to large parts of it being rewritten to make use of command gates, as well as large parts being locked down by means of entitlements. I was originally looking through its source in the hope of finding a low-hanging fruit that would let me compromise an iOS kernel, but what I didn’t know it then [sic] is that some parts of IOHIDFamily exist only on macOS – specifically IOHIDSystem, which contains the vulnerability discussed herein.”

Siguza released proof-of-concept (PoC) exploit code for IOHIDeous but noted that not all of its parts have been tested across all versions of macOS. Part of the attack used “doesn’t work on High Sierra 10.13.2 anymore,” but Siguza said the vulnerability is still present and may be exploitable in different ways. Other portions of the PoC were tested successfully on High Sierra, and Siguza said they were assumed to work on, or could easily be adapted to, other versions of macOS.

However, while exploiting the IOHIDeous macOS zero-day could allow for an attacker to escalate privilege, run arbitrary code and gain root access, Siguza said on Twitter that the risks are somewhat lessened because the flaw is not remotely exploitable and because “triggering [the] bug is pretty noticeable with the entire UI being torn down and whatnot…”

Siguza also commented on why IOHIDeous details were released publicly and not sold either on the dark web or to a bug bounty program.

“My primary goal was to get the write-up out for people to read. I wouldn’t sell to blackhats because I don’t wanna help their cause. I would’ve submitted to Apple if their bug bounty included macOS, or if the vuln was remotely exploitable,” Siguza wrote on Twitter. “Since neither of those were the case, I figured I’d just end 2017 with a bang because why not. But if I wanted to watch the world burn, I would be writing zero-day ransomware rather than write-ups ;)”

As of the time of this post, Apple has not responded to requests for comment or released information about any potential IOHIDeous patch.

Advanced machine learning, database automation touted at OpenWorld

SAN FRANCISCO — Oracle founder and CTO Larry Ellison this week detailed the company’s autonomous Oracle Database 18c for the cloud, which Ellison said will rely on advanced machine learning techniques to greatly reduce database administration tasks, such as tuning and patching.

At the heart of this Oracle cloud database is extensive use of machine learning, which Ellison called “the first branch of artificial intelligence that really works.”

This application of machine learning, which employs neural networks and other modeling algorithms to sift large amounts of log data and detect recurring patterns of database activity, is also part of a cybersecurity product for automatically patching databases that Ellison pledged to discuss further at the event.

For Oracle Database 18c, machine learning allows it to “patch itself while running, all without any downtime whatsoever,” according to Ellison, who spoke at Oracle OpenWorld 2017. He also said operations improvements allow his company to offer an Oracle Database 18c SLA that guarantees 99.995% reliability and availability, while reducing planned and unplanned downtime to less than 30 minutes per year.

Automation of database administration

While the system, which Ellison dubbed “self-driving” and “the world’s first autonomous database,” may be unique by some measures, it is also part of a long-standing trend that is well under way.

Automation of database cluster deployment on cloud has become increasingly common, and wider automation can be anticipated, according to Tony Baer, an analyst at Ovum.

“You can see how cloud databases are doing automation — with database sharding as a major example,” Baer said. Meanwhile, query performance and other database activities are also being affected by advanced machine learning technology, he said.

Baer noted that “Oracle has all kinds of database activity logs. That is big data that acts as a corpus for machine learning that can figure out what is a normal pattern, and highlight queries that are going to cause trouble.”

Advanced machine learning adds another element to the mix, but the latest Oracle moves are best viewed as part of an evolution in process automation, according to Vinod Bhutani, database services manager at DBAMart Database Services in Broomfield, Colo.

“There is a whole lot of automation for the database already. For example, there are such tools as Oracle SQL Tuning Advisor and Segment Advisor,” Bhutani said in an interview at Oracle OpenWorld.

“In my view, the database is 60% to 70% automated already,” he said, adding that the amount of automation employed is often based on the database administrators’ comfort levels with such automation’s effectiveness.

Bhutani said he would be looking for additional details, particularly on Oracle’s cybersecurity offerings, to see how much further Oracle takes database automation.

Whither the DBA?

In his Oracle OpenWorld keynote, Ellison admitted the move to greater automation for the Oracle cloud database could be seen as a threat to DBA job security. But he was basically sanguine on the prospects.

“Yes, you are automating the ways of database professionals, but they already have more work than they can possibly ever get to,” he said.

Greater database automation will free up DBAs from routine patching and repetitive tuning, he said, enabling them to focus more on schema design, analytics — including advanced machine learning styles of analytics — and securing data.

Noel Yuhanna, an analyst at Forrester, on hand at Oracle OpenWorld, agreed. “The DBA job is being changed toward more data-driven initiatives, with more emphasis on security and governance — and architecting the future of the data,” he said.

“The DBA will focus more on business value, as opposed to technology,” he said.

Meanwhile, analyst Baer also pointed to an increasingly important role for the DBA. “There is definitely a future for the DBA. There is just no question about it,” he said. “You can’t automate everything.”

Hearing Redshift steps

Ellison said the Oracle Database 18c, running on Exadata infrastructure on the Oracle Cloud or Cloud at Customer, will become generally available in December for data warehousing only, with a transactional version appearing in June of 2018.

This “data warehouse-first approach” emphasizes Oracle’s intention to compete more fully with Amazon, its cloud and its Redshift cloud data warehouse. At Oracle OpenWorld, Ellison repeatedly cited Redshift as a competitor, claiming superior uptime and better relative pricing for Oracle.

“We guarantee our bill will be less than half of what Amazon Redshift will be,” he said. “We will write that in your contract.”

The company further moved to sweeten its cloud pricing deal recently, introducing a “bring your own license” policy for existing customers moving databases, middleware and more to the Oracle cloud platform.

With the “18c” designation, Oracle takes on a model-year style naming format for its database, not unlike that of Microsoft SQL Server. Aligning database naming with calendar years is in some part a bow to the growing use of yearly, subscription-based pricing models for databases on the cloud.