Critical Flaws in Intel Processors Leave Millions of PCs Vulnerable

Posted 11/21/2017


Posted 11/15/2017

India to Create Cyber Defense Agency


Unpatched Microsoft Word DDE Exploit being used in widespread malware attacks

Posted 10/23/2017
A newly discovered, unpatched attack method that abuses a built-in feature of Microsoft Office is currently being used in several widespread malware campaigns.

Last week we reported how attackers could leverage an old Microsoft Office feature called Dynamic Data Exchange (DDE) to execute malicious code on a targeted device without requiring macros to be enabled and without any memory corruption.

The DDE protocol is one of several methods Microsoft provides to let two running applications share the same data.

The protocol is used by thousands of applications, including MS Excel, MS Word, Quattro Pro and Visual Basic, both for one-time data transfers and for continuous exchanges in which applications send updates to one another.

The DDE exploitation technique displays no "security" warnings to victims, except a prompt asking whether they want to execute the application specified in the command, and even that popup alert could reportedly be eliminated "with proper syntax modification."

Soon after the details of the DDE attack technique went public, Cisco's Talos threat research group published a report about a campaign actively exploiting the technique in the wild to target several organisations with a fileless remote access trojan (RAT) called DNSMessenger.

Necurs Botnet Using DDE Attack to Spread Locky Ransomware


Now, attackers have been found using the Necurs botnet (malware that currently controls over 6 million infected computers worldwide and sends millions of emails) to distribute the Locky ransomware and the TrickBot banking trojan via Word documents that leverage the newly discovered DDE attack technique, SANS ISC reported.

Locky ransomware operators previously relied on macro-based, booby-trapped MS Office documents, but they have now updated the Necurs botnet to deliver malware via the DDE exploit and gained the ability to take screenshots of victims' desktops.

"What's interesting about this new wave is that the downloader now contains new functionality to gather telemetry from victims," Symantec said in a blog post. "It can take screen grabs and send them back to a remote server. There's also an error-reporting capability that will send back details of any errors that the downloader encounters when it tries to carry out its activities."

Hancitor Malware Using DDE Attack

A separate malware spam campaign discovered by security researchers has also been found distributing the Hancitor malware (also known as Chanitor and Tordal) using the Microsoft Office DDE exploit.
Hancitor is a downloader that installs malicious payloads such as banking trojans, data-theft malware and ransomware on infected machines; it is usually delivered as a macro-enabled MS Office document in phishing emails.

How to Protect Yourself From Word DDE Attacks?


Since DDE is a legitimate Microsoft feature, most antivirus solutions neither flag nor block MS Office documents containing DDE fields, and the company has no plans to issue a patch that would remove the functionality.

So, you can protect yourself and your organisation from such attacks by disabling the "update automatic links at open" option in the MS Office programs.

To do so, open Word → File → Options → Advanced, scroll down to General and uncheck "Update automatic links at open."
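Because antivirus tools generally let documents with DDE fields through, a defender may want to triage incoming .docx files for such fields directly. The following is an added example (not code from this article or from any vendor) that unzips a .docx, walks its WordprocessingML parts and reports every field whose instruction starts with DDE or DDEAUTO, joining the instruction runs of a complex field so a keyword split across runs is still caught; the two sample documents it builds are constructed here, and the `app.exe` path in them is a placeholder.

```python
import html
import io
import re
import zipfile

# WordprocessingML parts in which field instructions can appear.
PART_RE = re.compile(r"^word/(document|header\d*|footer\d*|footnotes|endnotes)\.xml$")
# A simple field carries its instruction in an attribute; a complex field spreads
# it over w:instrText runs between fldChar "begin" and "end" markers.
SIMPLE_RE = re.compile(r'<w:fldSimple\b[^>]*\bw:instr="([^"]*)"', re.I)
INSTR_RE = re.compile(r"<w:instrText\b[^>]*>(.*?)</w:instrText>", re.I | re.S)
BEGIN_RE = re.compile(r'<w:fldChar\b[^>]*w:fldCharType="begin"', re.I)
END_RE = re.compile(r'<w:fldChar\b[^>]*w:fldCharType="end"', re.I)
DDE_RE = re.compile(r"^\s*DDE(AUTO)?\b", re.I)


def field_instructions(xml):
    """Yield the instruction text of every field in one document part.

    Runs of a complex field are joined so that a keyword split across runs
    (e.g. "DDEA" + "UTO") is still seen whole. Nested fields are flattened.
    """
    for m in SIMPLE_RE.finditer(xml):
        yield html.unescape(m.group(1))
    for block in BEGIN_RE.split(xml)[1:]:
        end = END_RE.search(block)
        body = block[: end.start()] if end else block
        yield html.unescape("".join(INSTR_RE.findall(body)))


def find_dde_fields(docx_bytes):
    """Return [(part_name, instruction)] for each DDE/DDEAUTO field in a .docx."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not PART_RE.match(name):
                continue
            xml = z.read(name).decode("utf-8", errors="replace")
            for instr in field_instructions(xml):
                instr = " ".join(instr.split())  # collapse whitespace for reporting
                if DDE_RE.match(instr):
                    hits.append((name, instr))
    return hits


def build_sample_docx(paragraph_xml):
    """Constructed minimal .docx: just enough zip structure for the scanner."""
    doc = ('<?xml version="1.0" encoding="UTF-8"?>'
           '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
           "<w:body><w:p>" + paragraph_xml + "</w:p></w:body></w:document>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", doc)
    return buf.getvalue()


# Constructed samples: an ordinary DATE field, and a DDEAUTO field whose instruction
# is split over two runs (placeholder application path, not a real payload).
BENIGN_FIELD = ('<w:fldSimple w:instr=" DATE \\@ &quot;d MMMM yyyy&quot; ">'
                "<w:r><w:t>23 October 2017</w:t></w:r></w:fldSimple>")
DDE_FIELD = ('<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
             '<w:r><w:instrText xml:space="preserve"> DDEA</w:instrText></w:r>'
             '<w:r><w:instrText xml:space="preserve">UTO c:\\\\placeholder\\\\app.exe "argument" </w:instrText></w:r>'
             '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
             "<w:r><w:t>Error! Not a valid link.</w:t></w:r>"
             '<w:r><w:fldChar w:fldCharType="end"/></w:r>')

if __name__ == "__main__":
    for label, xml in (("benign", BENIGN_FIELD), ("dde", DDE_FIELD)):
        print(label, find_dde_fields(build_sample_docx(xml)))
```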

However, the best protection against such attacks is always to be suspicious of any unsolicited document sent via email and never to click on links inside such documents unless you have adequately verified the source.
By Swati Khandelwal

Government Takes Steps to Leverage Home-Grown Security Products
Move Is Seen As a Signal to Private Sector to Follow Suit

Posted 10/23/2017

Earlier this year, the government of India announced that it wants to leverage indigenously developed security solutions to protect telecom networks. Now, that effort is broadening.

India's Union Ministry of Electronics and Information Technology, or MeitY, has announced it will give preferential treatment to security solutions developed locally for use throughout the government at the center and state levels.

The Make in India effort is seen as a way to increase reliance on home-grown products, which will give local manufacturers a boost in business. Plus, government officials argue that relying more on local products will eliminate the risk involved in using products from other nations, which, in some cases, might surreptitiously monitor activities.

The MeitY notification lists India-made products the government hopes to use. Among them are multifactor authentication, DDoS mitigation, SIEM, big data analytics and next-generation firewalls.

MeitY will monitor the ongoing effort to implement locally developed security products, says Arvind Kumar, MeitY's senior director.

While some security practitioners welcome the move in the government sector, many say carrying out a similar initiative in the private sector could prove difficult because most large enterprises use products made by multinational companies that have long, successful track records.

"What's the incentive for me to go with a local company?" asks a CISO of a major IT company, who asked not to be named. "Our projects are big, and survival of these [local security] companies, who often are new in the business, is an issue. I had an experience before when a startup faded out within a couple of years of starting a project with us. Having said that, there are a few promising local companies, and we have engaged with them before for GRC."

A Boost for Business? 

MeitY's move is seen as a way to help India build the size of its cybersecurity industry. NASSCOM in 2016 estimated that total revenue in the sector could grow to $35 billion (U.S.) by 2025 and that this could lead to employment opportunities for about 1 million professionals.

But the leaders of some local IT security companies argue that it's difficult to launch and sustain a business.

For instance, Ashish Tandon, founder and CEO at Indusface, an application security provider, argues that organizations are unable to leverage income tax breaks.

"Most companies don't make a profit for the first few years, hence income tax sops have little impact," he says. "The government's current tax concession measures, such as TDS [tax deducted at source], are not helping us in improved cash flow or justifying the investments made."

Sahir Hidayatullah, CEO at Smokescreen, notes: "I spend millions in R&D of security products. I should be eligible for some tax breaks. But I don't get any."

The government hasn't done enough to help local cybersecurity firms, argues C.N. Shashidhar, founder and CEO at SecurIT Consultancy. "They have always considered the foreign players better and have deployed their products in their departments," he says of government agencies. "... But unless we give local firms the opportunity, without impractical regulatory hurdles, the intended measures will continue to remain just on paper. Government should lead by example by buying local products."

Another factor that is proving challenging for local companies is that to qualify to sell products to the government, a company must have annual revenue of nearly $2 million. 

The CEO of a Noida-based cybersecurity firm describes other difficulties local companies in the sector face: "I have faced multiple instances when, despite delivering the services, my payments have been delayed - both by private firms and government departments," he says. "Approaching the concerned ministry with my complaint isn't easy."

Leap of Faith? 

Meanwhile, some CISOs in the private sector remain reluctant to do business with local, relatively inexperienced, security startups.

"As a CISO, I have certain responsibility towards the organization I work for. Yes, I would tend to trust companies who've been in this space for a few years more, albeit I would definitely be willing to consider newly launched companies in the cyber space, but maybe not for very sensitive products such as a firewall - unless I have a primary firewall from another known vendor, as an example," says Berjes Shroff, CEO at Berj InfoSec, an information security consulting firm.

A big challenge for many CISOs is to become familiar with new security product offerings from local companies.

"With CISOs shifting towards a business role and cybersecurity a boardroom discussion, there is limited time to offer for evaluating any new unknown product," says Sapan Talwar, CEO at Aristi Ninja and former IT security leader at Adobe. Plus, for some categories of security products, such as sandboxing, no local offering exists, say practitioners.

Some security practitioners argue that the government should create stronger financial incentives for using locally developed security products.

"Right now, there isn't any benefit I get for undertaking the services of a local firm," says a security practitioner at one Indian company, who asked not to be named. "If government announces that they will provide some kind of a tax sop or share the risk with me in case the company isn't able to meet my requirements, things will get lot easier for me as a CISO."

Hidayatullah says that some CISOs at larger organizations actively seek out local solution providers who better understand region-specific use cases and compliance requirements. "A case in point is the recent RBI cybersecurity guidelines - you would be hard pressed to find foreign companies who understand and help banks comply with these central bank regulations, whereas Indian firms will."

For now, Indian security companies are primarily focusing on deception technology, big-data analytics, machine learning, threat intelligence and orchestration platforms, he adds.

"One would like to see Indian companies focus on networking products, threat intelligence, machine learning, AI, digital forensics and offensive cybersecurity products and services," Shashidhar says. "For a long time, Indian companies have purely focused on creating products from a defensive standpoint. We need to shift focus to creating offensive cybersecurity products and services."

Shroff adds: "I would like to see new companies concentrate more on products such as DLP, for example, but there must be value-add in these products. If priced correctly, these products, which companies are hesitant to invest in, may stand a better chance of making it big. But the value-add above existing popular products must exist."


What Makes India's Telecom Sector Vulnerable to Attacks?

Posted 8/21/2017

My contributions to this article are referenced below. Please share.


Critical RCE Flaw Found in OpenVPN that Escaped Two Recent Security Audits

Posted 6/22/2017


IoT-based malware for DVRs, anyone?

Posted 6/22/2017


WannaCry: Windows Users, Be Warned

Posted 5/15/2017


The SecuriT Advisory
A Public Service Message from SecuriT Consultancy Services LLP

The WannaCry ransomware is affecting hundreds of thousands of vulnerable computers across more than 100 countries.

If you are a Windows user, you may be at serious risk of infection.

What is Ransomware?
Ransomware is a type of malicious software that carries out a cryptoviral extortion attack: it blocks access to data until a ransom is paid and displays a message demanding payment to unlock it.
In short, ransomware stops you from using your PC and holds your files or PC to ransom.

The US NSA, as part of its global cyber dominance and counter-terrorism strategy, developed cyber weapons/exploits based on sophisticated vulnerability research into leading information technology and mobile products and services. The group of exploits in question is known as "ETERNALBLUE".
Due to an alleged lapse by an NSA staffer, the entire body of data from that research, including tools and documentation, was left on an insecure server and stolen by a group of hackers known as "Shadow Brokers". This group released the tools and exploits into the open domain around a month ago.
The released exploits have now been built into ransomware that is infecting thousands of computers across more than 100 countries.
Map of infected countries (first 24 hours after release of the ransomware)

7-step approach to protection
    •    Keep your system up to date: First of all, if you are using supported but older versions of the Windows operating system, keep your system up to date, or simply upgrade to Windows 10. #Apply patch MS17-010#
    •    Using an unsupported Windows OS? If you are using unsupported versions of Windows, including Windows XP, Vista, Server 2003 or 2008, apply the emergency patch released by Microsoft today.
    •    Enable the firewall: Enable the firewall and, if it is already enabled, modify its configuration to block access to the SMB ports over the network or the Internet. The protocol operates on TCP ports 137, 139 and 445, and on UDP ports 137 and 138.
    •    Disable SMB: Follow the steps described by Microsoft to disable Server Message Block (SMB).
    •    Keep your antivirus software up to date: Virus definitions have already been updated to protect against this latest threat.
    •    Back up regularly: To always keep a tight grip on your important files and documents, keep a good backup routine in place that copies them to an external storage device that is not permanently connected to your PC.
    •    Beware of phishing: Always be suspicious of unsolicited documents sent via email and never click on links inside those documents unless you have verified the source.


Such ransomware infections typically leverage social engineering or spam emails as the primary attack vector, tricking users into downloading and executing a malicious attachment.

WannaCry also leverages one such social engineering trick: FoxIT researchers uncovered one variant of the ransomware that is initially distributed via an email containing a link or a PDF file carrying the payload, which, if clicked, installs WannaCry on the targeted system.

Once executed, the self-spreading WannaCry ransomware does not infect the targeted computer immediately: malware reverse engineers found that the dropper first tries to connect to the following domain, which was initially unregistered:


If the connection to the above-mentioned unregistered domain fails (as it naturally would), the dropper proceeds to infect the system with the ransomware, which starts encrypting files.

But if the connection is successful, the dropper does not infect the system with the WannaCry ransomware module.

A security researcher tweeting as MalwareTech did just that and registered the domain mentioned above, accidentally triggering a "kill switch" that can prevent the spread of the WannaCry ransomware, at least for now.

MalwareTech registered this domain for just £10, which makes the connection check succeed.

"In other words, blocking the domain with a firewall, either at ISP or enterprise network level, will cause the ransomware to continue spreading and encrypting files," Microsoft warned.

If infected, the malware scans the entire internal network and spreads like a worm to all unpatched Windows computers using the SMB vulnerability.

The SMB vulnerability is the one targeted by EternalBlue, from a collection of hacking tools allegedly created by the NSA and subsequently dumped by a hacking group calling itself "The Shadow Brokers" over a month ago.

It’s Not Over, WannaCry 2.0 Ransomware Just Arrived With No 'Kill-Switch'

WannaCry infections kept rising even hours after the kill switch was triggered, from 100,000 to 213,000 computers across 99 countries, and this latest version can take over hundreds of thousands more unpatched computers without any disruption.

We put together more information about this massive ransomware campaign, explaining how the researcher known as MalwareTech accidentally halted the global spread of WannaCry by registering a domain name hidden in the malware; registering it does not, however, repair computers that are already infected.

That domain was responsible for keeping WannaCry propagating and spreading like a worm, but MalwareTech registered the domain in question and created a sinkhole, a tactic researchers use to redirect traffic from infected machines to a system they control.

If you think activating the kill switch has completely stopped the infection, you are mistaken: as soon as the attackers realised what had happened, they came back.

Costin Raiu, director of the global research and analysis team at Kaspersky Lab, has confirmed that they saw samples on Friday that did not have the kill switch.

"I can confirm we've had versions without the kill switch domain connect since yesterday."

So, expect a new wave of ransomware attacks with an updated WannaCry variant, which will be difficult to stop until all vulnerable systems are patched.

"The next attacks are inevitable; you can simply patch the existing samples with a hex editor and it'll continue to spread. We will see a number of variants of this attack over the coming weeks and months, so it's important to patch hosts," says Matthew Hickey, a security expert and co-founder of Hacker House.

Instead of depending on mass email spam like an ordinary malware campaign, the WannaCry attack leverages the SMB exploit to remotely hijack vulnerable computers simply by scanning every IP address on the Internet.

Even after WannaCry made headlines across the Internet and media, hundreds of thousands of unpatched systems remain openly reachable from the Internet.

"The worm can be modified to spread other payloads, not just WCry, and we may see other malware campaigns piggybacking off this sample's success," Hickey says.

"The worm functionality attempts to infect unpatched Windows machines in the local network. At the same time, it also executes massive scanning on Internet IP addresses to find and infect other vulnerable computers. This activity results in large SMB traffic from the infected host," Microsoft says.
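Microsoft's observation that an infected host generates large SMB traffic while it scans LAN and Internet addresses suggests a simple network-side check. The following added example (not from the advisory or from Microsoft) flags any source that attempts connections to many distinct SMB peers within a short window, counting denied attempts too; the log format, addresses and the threshold of 20 targets in 5 minutes are constructed assumptions for this example, to be tuned locally.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log shape used by this example (not a real product's format):
#   "<ISO timestamp> <ALLOW|DENY> <TCP|UDP> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")

SMB_TCP_PORTS = {137, 139, 445}  # the SMB/NetBIOS session ports named in the advisory
# Address space treated as "inside"; anything else counts as an Internet target.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def parse_smb_attempts(lines):
    """Yield (timestamp, src, dst) for TCP attempts to an SMB port; skip all other lines."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["proto"] != "TCP" or int(m["dport"]) not in SMB_TCP_PORTS:
            continue
        yield datetime.fromisoformat(m["ts"]), m["src"], m["dst"]


def detect_smb_scanners(lines, window=timedelta(minutes=5), min_targets=20):
    """Flag sources that reach >= min_targets distinct SMB peers inside one window.

    A normal client talks to a handful of file servers, however many connections
    it opens; the worm fans out to many new hosts on the LAN and on the Internet.
    Denied attempts are counted too, since a blocked connection still reveals the
    scanning host. Returns {src: {"targets": peak, "external": n, "start": ts}}.
    """
    by_src = defaultdict(list)
    for ts, src, dst in parse_smb_attempts(lines):
        by_src[src].append((ts, dst))

    flagged = {}
    for src, events in by_src.items():
        events.sort()
        in_window = defaultdict(int)  # dst -> attempts currently inside the window
        left = 0
        for ts, dst in events:
            in_window[dst] += 1
            while ts - events[left][0] > window:  # expire events older than the window
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            if len(in_window) >= min_targets:
                rec = flagged.setdefault(src, {"targets": 0, "external": 0, "start": events[left][0]})
                if len(in_window) > rec["targets"]:
                    rec["targets"] = len(in_window)
                    rec["external"] = sum(1 for d in in_window if is_external(d))
    return flagged


def make_sample_log():
    """Constructed sample: one worm-like host and one busy but legitimate file-server client."""
    t0 = datetime(2017, 5, 12, 14, 30, 0)

    def stamp(seconds):
        return (t0 + timedelta(seconds=seconds)).isoformat()

    # 10.0.0.25 sweeps 30 LAN addresses, then 10 public addresses, on 445 within two minutes.
    lines = [f"{stamp(2 * i)} ALLOW TCP 10.0.0.25:{50000 + i} -> 10.0.1.{i + 1}:445" for i in range(30)]
    lines += [f"{stamp(60 + 3 * i)} DENY TCP 10.0.0.25:{51000 + i} -> 203.0.113.{i + 1}:445" for i in range(10)]
    # 10.0.0.7 opens 40 connections, all to the same file server: not a scanner.
    lines += [f"{stamp(i)} ALLOW TCP 10.0.0.7:{40000 + i} -> 10.0.0.5:445" for i in range(40)]
    lines.append(f"{stamp(0)} ALLOW UDP 10.0.0.9:53001 -> 10.0.0.2:53")  # ignored: not SMB
    return lines


if __name__ == "__main__":
    for src, rec in detect_smb_scanners(make_sample_log()).items():
        print(f"{src}: {rec['targets']} SMB targets ({rec['external']} external) from {rec['start']}")
```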

So, the new strain of WannaCry 2.0 malware would not take long to take over these systems, as well as others connected to the same local network.

Get Prepared: Install Security Patches & Disable SMBv1

MalwareTech also warned: "It's very important [for] everyone [to] understand that all they [the attackers] need to do is change some code and start again. Patch your systems now!"
"Informed NCSC, FBI, etc. I've done as much as I can do currently, it's up to everyone to patch."
As we notified today, Microsoft took the unusual step of protecting its customers on unsupported versions of Windows, including Windows XP, Vista, Windows 8, Server 2003 and 2008, by releasing security patches that fix the SMB flaw currently being exploited by the WannaCry ransomware.

Even after this, I believe many individuals remain unaware of the new patches, and many organisations running older or unpatched versions of Windows that are considering upgrading their operating systems will need time, and it will cost them money for new licences.

So, users and organizations are strongly advised to install available Windows patches as soon as possible, and also consider disabling SMBv1 (follow these steps), to prevent similar future cyber attacks.

For God's sake: apply patches. Microsoft has been very generous to you.

Quick tip to stop #WannaCry (for all Windows users, even if you have installed the updates): just disable SMB if it is not in use.
Almost all antivirus vendors have already added signatures to protect against this latest threat. Make sure you are using a good antivirus and keep it up to date at all times.



TrickBot Is Hand-Picking Private Banks for Targets — With Redirection Attacks in Tow!

Posted 5/4/2017

IBM X-Force research follows organized cybercrime and continually monitors the criminals’ targets and modus operandi. In a recent analysis of TrickBot campaigns in the U.K., Australia and Germany, I found that the operators of the infamous Trojan have been adding new redirection attacks focused on a list of brands that I had never seen in the past.

Curious about this addition to the TrickBot prime target roster, I went on to examine each URL, only to find out that the operators have been doing a lot of homework. The current configuration files are replete with private banks, private wealth management firms, investment banking, and even a retirement insurance and annuity company. One of the new targets is among the oldest banks in the world, located in the U.K.

Figure 1: TrickBot Target URLs by Geographical Location of Targeted Brand (Source: IBM Security)

A Sharpened Focus on Business Banking

TrickBot is sharpening its focus on business banking, too, adding some rare finds to its more usual hit list. A Sharia law-compliant bank, for example, is among the new brands targeted, which is interesting because banking activity consistent with the principles of Sharia law prohibits certain exchanges such as interest fees and investment in business types unacceptable in Islam. I have not seen this bank listed as a mark in the past eight years of analyzing malware targets.

Looking at the configuration, in the U.K., TrickBot has added 20 new private banking brands to its regular attack roster, as well as eight building societies. Also added were two Swiss banks, a few regular expressions for private banking platforms in Germany and four investment banking firms in the U.S. The complete set of targets includes over 300 unique URLs and regular expressions.


TrickBot Ramping Up Campaigns

In recent weeks, IBM X-Force has been detecting ramped-up TrickBot activity in Australia, New Zealand and the U.K., the operators’ primary target geographies at this time.

The malware has grown from one to three major campaigns per month to five campaigns already in April. It is possible that TrickBot’s operators are increasing their spam runs in the target geographies and attempting to infect more endpoints before going into an attack phase next.

Figure 2: TrickBot Campaigns Ramp Up in April (Source: IBM Security)

In terms of its attack types, TrickBot is quite similar to Dyre. Its signature moves are browser manipulation techniques that enable the malware to implement server-side web injections and redirection attacks. More details about those techniques appear in our technical blog on TrickBot.

A Rising Threat in 2017

In my December 2016 TrickBot blog, I noted that this malware was one to watch in 2017, and this cybergang is certainly living up to that prediction. The expanded target list, as well as the focus on new brands and high-value account types, means that this nefarious group is setting its sail and likely plans to deploy its crimeware in new territory.

The TrickBot malware emerged in the summer of 2016 and featured some striking resemblances to the Dyre Trojan right off the bat. Within no more than a month of attack activity, TrickBot was fully equipped with redirection attacks that hit banks in three distinct geographical and linguistic zones: the U.K., Germany and Canada. It then moved on to attacking banks in Asia, Australia and New Zealand, the latter two of which were prominent Dyre targets.

As the year progresses, I expect to see TrickBot climb up the global chart of financial malware families, reaching a similar magnitude as the Dridex Trojan and possibly outnumbering Dridex attacks by year’s end.

Figure 3: Top Most Prevalent Financial Malware Families (Source: IBM Security)

Please note that prior to publishing this blog, IBM X-Force notified the concerned parties and provided them with indicators of compromise (IoCs), and information about TrickBot and its attack methods.

The TrickBot collection is available publicly on X-Force Exchange. We studied the following current TrickBot samples for this blog:

  • 044F4F4491F3395F3046F60CAEF820C7
  • 070BABE9EF7820172ABC450B748EC277
  • 08BA011DF60438CCB9462E819E7EC722

Mitigating TrickBot Attacks

Banks looking for technological solutions to mitigate threats such as malware attacks and redirection schemes are invited to learn more about the IBM Security Trusteer Fraud Protection Suite. To learn more about mitigating threats such as the TrickBot Trojan, users can visit our post for tips and advice to apply in everyday browsing.


By Limor Kessem
