AMSI, one step further from Windows malware detection

Monday, April 23, 2018

At the beginning it was a virus: pieces of assembly code which attached themselves to files so that they could modify the “entrypoint”. Afterwards, this technique was twisted and improved as much as possible; they sought automatic execution, reproduction and independence from the “guest” (malware has been standalone for some time now), and also a way to stay under the antivirus radar. “Touching the hard disk” was the premise (how else could it infect?) and, in turn, the malware's anathema: if it managed to avoid this toll as much as possible, it could get away from the detectors. This technique is called “fileless”, and it seeks an ethereal formula in order to survive in memory for as long as possible. Hence, it does not touch the disk, or delays doing so as long as it can, and it does not land upon what the antivirus firmly controls. “Fileless” has been perfected to such an extent (are you familiar with the malware which combines macros and PowerShell?) that there is already a native formula in Windows to mitigate it as much as possible. Yet it is not getting the attention that it should.

The basic AMSI structure, provided by Microsoft

#CyberSecurityPulse: From the bug bounties (traditional) to the data abuse bounties

Thursday, April 19, 2018

The Internet giants are going to great lengths to be transparent in their communication about the information they gather from their users. In the case of Facebook, they pay millions of dollars every year to researchers and bug hunters to detect security flaws in their products and infrastructure, in order to minimize the risk of being subject to specific attacks. However, after the Cambridge Analytica scandal, the company has launched a new type of bug bounty to compensate those who report "data abuse" on their platform. Through the new 'Data Abuse Bounty' program, Facebook will ask third parties to help them find application developers who are misusing their data. "Certain actors can maliciously gather and abuse Facebook users' data even when security vulnerabilities do not exist. This program has the intention of protecting us against abuse", according to the publication released by the company.

How are we preparing ourselves for the RSA Conference 2018?

Tuesday, April 17, 2018

2018 is a unique year for us. We continue on our journey with the great security community to jointly combat the threats faced by our sector. At ElevenPaths, Telefónica’s dedicated cyber security unit, we have been working on a new approach, which we will officially announce at the world-leading annual security event, the RSA Conference.

This event will take place from the 16th to the 20th April, in San Francisco (USA), where we will be exhibiting from our stand #2207 in the South Hall of the Moscone Center. You can visit us here for free by registering for an Expo Hall Pass via the official RSA Conference website using our unique access code: X8ETELEF (the deadline to use this code is the 19th April 2018).


A Technical Analysis of the Cobalt phases, a nightmare for a bank’s internal network

Monday, April 16, 2018

A few days ago, a key member of a group of attackers known as Cobalt/Carbanak (or even FIN7, for some of them) was arrested in Alicante. This group has been linked to different campaigns against banking institutions, which have caused substantial losses through fraudulent transfers and cash withdrawals from cash machines. We are going to look at some technical details of their modus operandi, the last wave, how it functions and some ideas about how to mitigate the impact.

The objective of the group is to access the infrastructure of a financial entity in order to compromise cash machines and withdraw cash fraudulently. Although it seems like science fiction, they do it through network control of the cash machines, to the point of being able to do it at a specific time, so that the machine starts to release all of the cash it contains. Thus, at that moment the ‘mule’ standing in front of the cash machine is able to carry out the action. Rather than on the sample analysis, we will focus on the most interesting aspects of the attack phases.

Monero says goodbye to the ASIC miners (at least for now)

Tuesday, April 10, 2018

Last Friday, 6th April marked an important date for the community of Monero users and developers, as one of the cryptocurrencies leading the defense of its users' anonymity. As already discussed in previous posts, Monero utilizes the CryptoNote protocol, which was proposed in October 2013. This conceals who the sender and receiver of a transaction are by utilizing ring signatures, which mix the transactions of different users. Furthermore, since January 2017 the transferred balance of each transaction can also be concealed, strengthening privacy with the implementation of Ring Confidential Transactions, an improvement of its algorithm.

Figure 1. Iconography of the Monero project.