AMSI, one step further from Windows malware detection

At the beginning it was a virus; pieces of assembly code which connected to the files, so that they could modify the “entrypoint”. Afterwards, this technique was twisted and improved as much as possible, they searched for automatic execution, reproduction, and independence of the “guest” (the malware has already beenstandalone since some time), and also so that it could go under the antivirus radar. “Touch Hard Disk” was the premise (how could they infect it?) and in turn the malware anathema. If it managed to avoid this toll as much as possible, it could get away from the detectors. This technique is called “Fileless”, which sought for an ethereal formula in order to survive within the memory for as long as possible. Hence, it does not touch the disk or delay it too much and it does not land upon what the antivirus firmly controls. "Fileless" has been perfected to such an extent (are you familiar with the malware which combines macros and Powershell?), that there is already a native formula in Windows to mitigate it as much as possible. Yet, it's not getting the attention that it should.

The basic AMSI structure, provided by Microsoft

#CyberSecurityPulse: From the bug bounties (traditional) to the data abuse bounties

Social networks image The Internet giants are going to great lengths to be transparent with their communication about the information they are gathering from their users. In the case of Facebook, they pay millions of dollars every year to investigators and bug hunters to detect security flaws in their products and infrastructure, in order to minimize the risk of being subject to specific attacks. Though, after the Cambridge Analytica scandal, the company has launched a new type of bug bounty to compensate those that report "data abuse" on their platform. Through the new program 'Data Abuse Bounty', Facebook will ask third parties to help them find application developers who are misusing their data. "Certain actors can maliciously gather and abuse Facebook user’s data even when security vulnerabilities do not exist. This program has the intention of protecting us against abuse", according to the publication carried out by the company.

How are we preparing ourselves for the RSA Conference 2018?

2018 is a unique year for us. We continue on our journey with the great security community to jointly combat the threats faced by our sector. At ElevenPaths, Telefónica’s dedicated cyber security unit, we have been working on a new approach, which we will officially announce at the world-leading annual security event, the RSA Conference.

This event will take place from the 16th to the 20th April, in San Francisco (USA), where we will be exhibiting from our stand #2207 in the South Hall of the Moscone Center. You can visit us here for free by registering for an Expo Hall Pass via the official RSA Conference website using our unique access code: X8ETELEF (the deadline to use this code is the 19th April 2018).

A Technical Analysis of the Cobalt phases, a nightmare for a bank’s internal network

A few days ago, a key member from a group of attackers known as Cobalt/Carbanak (or even FIN7 for some of them) was arrested in Alicante. This group has been related to different campaigns against banking institutions, which has caused substantial losses through transfers and fraudulent cash withdrawals in cash machines. We are going to see some technical details from modus operandi, the last wave, how it functions and some ideas about how to mitigate the impacts.

The objective of the group is to access the infrastructure of a financial entity in order to compromise cash machines and withdraw cash fraudulently. Although it seems like science fiction, they do it with network control of the cashpoints, to the point of being able to do it at a specific time, so that it starts to release all of the cash that it contains. Thus, at this moment the ‘mule’ who finds themselves in front of the cash machine will be able carry out the action. More than in the sample analysis, we will focus on the most interesting aspects of the attack phases.

Monero says goodbye to the ASIC miners (at least for now)

Last Friday, 6th April marked an important date for the community of Monero users and developers, as one of the cryptocurrencies led the defense of anonymity for its users. As already commented upon within previous posts, Monero utilizes the CryptoNote protocol which was proposed in October 2013. This conceals who the sender and receiver are of the transaction by utilizing circular signatures or a ring, which mixes the transactions from different users. Furthermore, from January 2017, you can also conceal the transferred balance in each transaction, by strengthening the privacy with the implementation of Ring Confidential Transactions, an improvement of its algorithm.

Figure 1. Iconography of the Monero project.

Accelerating European cyber security between the United Kingdom and Telefonica (Wayra) – Part one of two

The GCHQ (Government Communications Headquarters) is not very well known outside of the United Kingdom. The governmental organization is almost a century old (it will celebrate its 100th anniversary next year), in 1919 it started as the government's school of codes and encryption (Government Code & Cypher School) and it was not until 1946 that it changed its name to what it is now.

The GCHQ’s job is to maintain Great Britain´s security through information assurance and also signals intelligence (SIGINT).

The GCHQ was founded after the first world war and had the important role during the second world war of working on how to break the German Enigma codes and also during the Cold War, from its famous center in Bletchley Park.

Bletchley Park ©GCHQ

#CyberSecurityPulse: Tell me your social networks and you will be welcome in the United States (or maybe not)

The US Department of State wants to ask visa applicants to provide details of their social networks which they have used within the last five years, as well as their phone numbers, email addresses and international trips during this period. The plan, if approved by the US Office of Management and Budget, will extend the background screening to those who have been marked for additional immigration screening; for all of the immigrant visa applicants and for all of the non-immigrant visa applicants, such as business travellers and tourists.