#CyberSecurityPulse: PyeongChang Olympics: A New False Flag Attack?

Tuesday, March 20, 2018

A postmortem of the Olympic Destroyer malware used in the PyeongChang Olympics attack reveals a deliberate attempt by adversaries to plant a false flags when it comes to attribution, according to researchers. Days after the crippling attack on the backend networks tied to the Winter Olympic Games, a chorus of security experts attributed the attacks to everyone from Russia, Iran, China and groups such as Lazarus, the nation-state backed gang linked to North Korea. However, security experts now believe a skilled and mysterious threat actor behind the malware intended to sow confusion among those attempting to assign attribution to the attack. "Perhaps no other sophisticated malware has had so many attribution hypotheses put forward as the Olympic Destroyer," said Vitaly Kamluk, researchers with Kaspersky Lab who co-authored a report released on the attacks. "Given how politicized cyberspace has recently become, the wrong attribution could lead to severe consequences and actors may start trying to manipulate the opinion of the security community in order to influence the geopolitical agenda."

In the days proceeding the attack a steady stream of theories emerged that were later debunked and ruled inconclusive. "How the industry responded was a disaster," Kamluk said. "There was too much finger pointing with no certainty." Beyond the Lazurus false flag, researchers said Russian-speaking cyber espionage group Sofacy (also known as Fancy Bear and APT28) was also imprecisely implicated in the attack. Other bits of malware code linked Chines-affiliated cyber espionage groups APT3 (Gothic Panda), APT10 (MenuPass Group), and APT12 (IXESHE).

#CyberSecurityPulse: Biggest-Ever DDoS Attack Hits Github Website

Monday, March 5, 2018

At the end of 2016, a DDoS attack on DynDNS blocked major Internet sites such as Twitter, Spotify and PayPal. The Mirai botnet was used to take advantage of the full bandwidth of thousands of Internet-connected devices. However, last Wednesday 28th of February we witnessed the largest DDoS attack ever seen on the GitHub website, reaching a record 1.35 Tbps and 126.9 million packets per second.

Interestingly, the attackers did not use any botnets, but misconfigured Memcached servers to amplify the attack. Memcached operation is based on a distributed hash table. To prevent misuse of Memcached servers, administrators should consider firewalling, blocking or rate-limiting UDP on source port 11211 or completely disable UDP support if not in use. In this sense, Akamai estimates that at least 50,000 servers are vulnerable.

New tool: “Web browsers HSTS entries eraser”, our Metasploit post exploitation module

This module deletes the HSTS/HPKP database of the main browsers: Chrome, Firefox, Opera, Safari and wget in Windows, Mac and Linux. This allows an attacker to perform man in the middle attacks once a target has been compromised. It is available from the post exploitation module in Metasploit project.

Evrial, malware that steals Bitcoins using the clipboard... and the scammed scammers

Monday, February 26, 2018

Evrial is the latest cryptocoin malware stealer, and uses the power to control the clipboard as its strongest bet to get "easy money". Elevenpaths has took a deep technical dive into the malware itself, to show how it technically works, with a quite self-explanatory video. Aside, we have followed the steps of its Russian creator and found that whoever he is… scammed the scammers themselves.

Qutra, the creator, selling its malware

#CyberSecurityPulse: Dude, Where Are My Bitcoins?

Monday, February 19, 2018

Numerous types of attacks are affecting cryptocurrency users: families of malware that steal wallets, phishing attacks that try to forge platforms where users manage their bitcoins, applications that use the CPU of users to mine... And, in addition, those that prefer to manage their own money without delegating responsibility to a third party they will also have to deal with the problem of losing private keys or not remembering the password with which we protected the wallet.

If it has happened to you and you have protected your wallet with a password, maybe you do not have everything lost. John the Ripper, a password cracking software tool, contains plugins that crack differents wallets: bitcoin2john, blockchain2john, electrum2john, ethereum2john and multibit2john. In the first place, we will have to select the type of plugin that we are going to use depending on the type of wallet that you are using. Then, you pass that content to a text file, launch John The Ripper ./john with the file name and, finally, cross the fingers!

SandaS GRC, the best way to perform the GSMA IoT Security Assessment

Wednesday, February 14, 2018

SandaS GRC
ElevenPaths SandaS GRC allows organizations to support their business strategy, improve operational performance, mitigate operational risks and ensure regulatory compliance. Is the perfect complement with which you can create a governance program, risk management and effective compliance of the security of your organization’s information.

With the aim of extending this control to the IoT deployments, SandaS GRC has incorporated a set of controls to secure IoT deployments. These controls are those collected in the GSMA IoT Security Guidelines through the GSMA IoT Security Assessment, where Telefónica has actively contributed.

#CyberSecurityPulse: Oops, I Went Running and I Published Information From Secret Locations

Monday, February 5, 2018

The popular fitness tracking app Strava proudly published a 2017 heat map showing activities from its users around the world, but unfortunately, the map revealed locations of the United States military bases worldwide. Strava which markets itself as a "social-networking app for athletes" publicly made available the global heat map, showing the location of all the rides, runs, swims, and downhills taken by its users, as collected by their smartphones and wearable devices like Fitbit. Since Strava has been designed to track users’ routes and locations, IUCA analyst Nathan Ruser revealed that the app might have unintentionally mapped out the location of some of the military forces around the world, especially some secret ones from the United States.

However, information from cartographic systems on facilities of interest to the defense, such as military bases, has always been available. Subject to errors or inaccuracies, but always available given the inability of governments to limit their dissemination. In this sense, this type of information has been used to perpetrate attacks, to the point that India raised in 2009 the closure of Google Earth as a measure to avoid attacks like those in Bombay.

Managed Detection & Response: Prevention is Not Enough, You Need to Become Cyber-Resilient

Thursday, January 25, 2018

Managed Detection & Response cybersecurity imagen
You want your organization to be cyber-resilient but you have no means?

You have advanced security solutions in place, but you lack skilled staff trained to take advantage of them?

You are unable to detect and respond to a security breach and you fear the consequences for your business of the NIS and GDPR legislation?

If you are concerned about these issues, we are also concerned, and that is why we have been working with our skilled analysts, Test Lab and Strategic Partners strive to offer our customers a Managed Detection and Response service beyond the traditional approaches.

Tackling Cybercrime: Three Recommendations for 2018

Wednesday, January 24, 2018

Tackling Cybercrime: Three Recommendations for 2018 cybersecurity imagen

In 2017 we saw ransomware variants such as Wannacry wreak havoc across computer networks in the UK. Not only were these variants of malware almost impossible to remove from computers without causing data loss but they caused real damage – we saw awful scenes when hospitals and doctors’ surgeries had to close their doors as a result.  We know in 2016 the UK cost of cybercrime was estimated at around £29 billion and in 2017 we saw a 22% growth on that figure. It’s clear the problem is not going away anytime soon.

#CyberSecurityPulse: Guess Riddle... How Is Information Stored In a Bitcoin Address?

Tuesday, January 23, 2018

As we have seen in previous post on ElevenPaths blog, the OP_RETURN field of a Bitcoin transaction is used to store a small portion of information (up to 80 bytes) that is usually used to timestamp information taking advantage of the fact that the Bitcoin network is distributed and replicated throughout the network. Numerous projects are used to create use cases to certify that something has happened as the Proof of Existence project, validate academic certificates or even publish the orders to execute the infected nodes inside a botnet. However, did you know what was the technique used before 2013 to store information in the blockchain?

In this sense, the Bitcoin addresses were used (and still are used). At the end, an address does not stop being a text string encoded in Base58Check that contains useful data of up to 20 bytes in length relative to the hash of the public key associated with the address. Knowing this, small quantities were sent to these arbitrarily generated addresses, and therefore, no known private key. This has the consequence that the balance sent to those addresses for which the private key is not available will not be able to be spent, but at least it guaranteed that the operations will be stored in the chain of blocks.

#CyberSecurityPulse: The Transparent Resolution of Vulnerabilities Is Everyone's Business

Monday, January 8, 2018

The new year has started with a story that has taken the covers of specialized and generalist media all around the world. The vulnerabilities named as Meltdown and Spectre have put on the table that even aspects that we took for granted as the architecture of the hardware that makes operate almost all of our systems is likely to have to be reinvented. The correction of this type of failures in the future should be put to the test with new designs that prevent them, but until these new systems go on the market it is necessary to find contingency software solutions that mitigate the problem in the meantime.

The different operating systems have tried to deal with a vulnerability that was notified to several operating systems security teams on November 9, 2017. In fact, the proofs of concept included in the Meltdown paper are made on Firefox 56, which was the current stable version until the arrival of Firefox Quantum (version 57) on November 14 of that same month. According to the managers of Canonical, the company responsible for the development and maintenance of Ubuntu, this date is important providing that this was used on November 20 as a reference to establish a consensus about January 9, 2018 as the date for the publication of the details of the vulnerability by its authors.