New Tool: PinPatrol add-on for Firefox

Sunday, July 24, 2016

We have created a new tool for improving the experience using HSTS and HPKP in Firefox. This tool is a Firefox add-on that shows this information in a human readable way. It is very easy to use and it can provide useful information about the HSTS and HPKP data stored by your browser.


The HTTP Strict Transport Security protocol (HSTS) can turn HTTP requests into HTTPS from the browser itself. If a server decides to send HSTS headers to a browser, any subsequent visit to the domain from that browser is automatically and transparently converted to HTTPS from the browser, avoiding unsafe requests from the starting point of the connection itself. The application of the HSTS protocol is transparent to the user, i.e., browsers. themselves are responsible for redirecting and remembering for how long domains should be visited via HTTPS if they have notified via HSTS. The domain transmits HSTS information to the browser with the Strict-Transport-Security header.

The idea behind the certificate pinning is to be able to detect when a chain of trust has been modified. In order to do so, a digital certificate present in a certificate chain needs to be unequivocally associated, usually in the browser, with a specific domain. Thus, a domain A, e.g., will be linked to a specific certificate/certification authority B. If for any reason a different certification authority B’ (which depends on a trusted root certification authority) tries to issue a certificate associated with domain A, an alarm is launched. In general, any modification of the certification chain is suspected of a possible alteration. That is what HPKP (HTTP Public Key Pins) is for.


Firefox supports HSTS from version 4 and HPKP from version 32. This is a Firefox extension that shows in a readable format, the state of HSTS and HPKP domains stored by the browser. Firefox does not have a native way to show these domains or this functionality properly documented.

An example of what the add-on shows


The information provided by the table is the one stored by the browser, "translated" into a more human readable way.

  • Domain: Domain protected under HSTS or HPKP.
  • Score: This score is a Firefox value. It increases by one every different day (24 hours at least) the domain is visited.
  • Date: Last day the domain was visited. It is calculated by Firefox using the number of days since 01/01/70.
  • Expiration Date: Max-age of HSTS or HPKP, in other words, when the entry will expire.
  • SecurityPropierty: This is a Firefox value. SecurityPropertyUnset if 0, SecurityPropertySet if 1 or SecurityPropertyKnockout if 2.
  • IncludeSubdomains: Whether the HSTS or HPKP directive includes subdomains.
  • HPKP Pins: List of pins in the HPKP header.
PinPatrol is available from Mozilla official repository. Hope you find it useful.

New tool: Maltego transforms for Tacyt

Sunday, July 17, 2016

If you are a Maltego user, you already know how intuitive and useful it is for researching and analyzing information. You may know as well that Maltego allows to create transforms, that are no more than scripts to call some service API or whatever other resource. Since Tacyt counts with a comprehensive API and a SDK for an easier use, transform are a natural step ahead to take advantage of everything Maltego offers. And here they are.

Imagine you are performing a research that involves applications and its relations. You may ask Tacyt to give you results about permissions, links, names, emails, certificates, etc… And you end up with an interesting data, let’s say, an interesting domain. Who does that domain belong to? Well, instead of using external resources, you may use Maltego, run Tacyt transforms, extract the interesting information and once you get to an url, email, profile or whatever other entity, take advantage of the other many transforms available for Maltego. So the research gets easier, visual and complete in a single screenshot.

We have created several transforms, but more are sure to come (the code is all in GitHub so you could create your own). We have created as well entities for Tacyt in Maltego, and a package to install them all. The steps to install are easy:

  1. Import the MTZ file from "Manage, Import, Config" menu.
  2. Once imported, check the Python path and transforms paths themselves match the ones in your system. Click on "Manage Transforms" and search for tct (with wildcards) to show all Tacyt transforms. Select them all using shift button.
  3. In "Transform Inputs", modify "Command line", and "Working directory" (the path where the .py transforms are stored) accordingly.

Of course you would need to specify your API ID and Secret in
Here is a short video about how to develop a little research with an arbitrary app.

In the video, it is shown how, coming from an app classified as Brain Test family, relevant information may be extracted as certificate data. From a not so common alias in the Subject Common Name, we may search again this it in Tacyt, and other apps show up. From one of them we extract the domains (which we could apply some transform to, so we get their registering data). It would be possible to search if the alias corresponds with a Twitter identity (Transform from alias to Twitter user), which is confirmed (although it does not necessarily mean the account is responsible for the malware).

The code and transforms are available here. Hope you find it useful.

European Cybersecurity Strategy: Telefónica´s support

Thursday, July 14, 2016

Telefónica welcomes two relevant milestones that have taken place in Brussels during the last days in order to foster the European cybersecurity strategy to avoid incidents that can undermine consumer confidence and cause major economic damage to European business and the economy at large.  Cybersecurity and the fight against cybercrime has turned into one of the political priorities for the ICT sector in the EU and Telefónica is ready to play its part.
On July 6th, the European Parliament Plenary voted on the Directive on Network and Information Security following the adoption by Council in last May.

The NIS Directive is the first EU wide legislation on cybersecurity ever and culminates a long process of negotiations between Parliament, Council and European Commission.

Once the Directive enters into force (on the twentieth day after it´s been published in the EU Official Journal in August) Member States will have 21 months to transpose it into their national laws.

For the first time, NIS Directive creates a legislative framework that will also apply to some digital services, leveling the playing field and establishing harmonized requirements regardless of whether the providers of these services are based in the EU.

The three pillars of the Directive aim at:
  • developing of national capabilities
  • cooperating among national Authorities
  • establishing specific security obligations and notification requirements for operators of “essential services” (traditional critical infrastructures) and providers of “digital services” (such as Cloud providers, online market places and search engines)

One day before the NIS Directive was voted by the European Parliament, on July 5th, the Commission  adopted a Cybersecurity Package composed by a decision establishing a contractual Public-Private Partnership on Cybersecurity expected to trigger €1.8 billion of investment by 2020 and a Communication on a Competitive and Innovative Cybersecurity Industry, setting the basis for a “industrial policy” on Cybersecurity.

The cPPP is basically a contract between the Commission and the European Industry with a commitment to co-finance specific lines of research. Pedro Pablo Pérez, ElevenPaths’ CEO and Telefónica Global Security Managing Director, has been appointed as member of Board of Directors and also Partnership Board of European Cybersecurity Organization (ECSO), the association that will implement the cPPP. 

Telefónica is the only telco operator that has been selected to occupy this relevant position. This reinforces our commitment to enhance Digital Confidence of customers, citizens and businesses, in line with Telefónica’s positioning in Public Policy and our willingness to engage with the Commission in realizing the vision for a secure and trusted online environment in Europe.

The main goals of the Cybersecurity cPPP are:
  • to improve industrial CyberSecurity capacities and digital autonomy of the EU, by promoting trust and security in digital services and networks in response to global cyber threats, while respecting EU values (Fundamental Right to Privacy)
  • to stimulate developments of EU industrial and technological resources to overcome
    • existing gaps in EU technology and online services
    • existing barriers for the achievement of a real Digital Single Market for Cybersecurity products and services
  • with the ultimate goal of contributing to a strong European Cybersecurity Industry

As we can see, there is a firm commitment manifested, now it´s time to move from words to deeds because nowadays the digital world goes much faster than the physical. There is no time to waste.

» The original post is based on Telefonica's Public Publicy Blog and written by Andrea Fabra
"European Cybersecurity Strategy: Telefonica’s support"

Another month, another new rooting malware family for Android

Monday, July 11, 2016

Several months ago there was a media explosion about Android-rooting malware on Google Play. Those families were discovered by Cheetah Mobile Security Research Lab, Check Point, Lookout, FireEye, and Trend Micro and variously named NGE MOBI/Xinyinhe, Brain Test, Ghost Push, Shedun or Kemoge. In a previous report, we tried to connect the dots and concluded that there was a good chance each malware was developed by the same group which evolved its techniques dating back to 2014.

Now, it’s happening again: There are numerous reports in the media about HummingBad, Hummer, and Shedun Reloaded. Do them belong to the same malware family? It all depends which lab is doing the analysis. Three different families or not?


In February, Check Point alerted the market about HummingBad. It followed the same "rules" established by the Brain Test family, which means it introduces a rootkit on the phone, is almost impossible to remove, and installs fraudulent apps automatically. But it was stunningly more sophisticated. It was installed by drive-by-downloads, its content was encrypted, and it used several redundancy methods to ensure infection (including automatic and, if not possible, social engineering). Some of the infrastructure used as a C&C was hxxp:// domain, hxxp://, hxxp:// and hxxp:// And it gets worse. In early July, Check Point researchers attributed HummingBad to a "legitimate" advertising company called Yingmob, responsible as well for the iOS malware called Yispecter that took advantage of its enterprise certificate to install itself and was discovered in late 2015. 


Also in July, Cheetah Mobile wrote about a malware it called Hummer, a new threat different from GhostPush (its own name for Shedun, Kemoge, BrainTest, etc). Although Cheetah Mobile does not explicitly says so, Hummer is HummingBad, as we can easily confirm with Tacyt because, for example, it uses the same infrastructure and rooting file called right_core.apk, which is sometimes embedded and sometimes downloaded.

A HummingBad/Hummer sample with some of the singular URLs used


Lookout thinks differently. They claim HummingBad, or Hummer, is the same as Shedun, discovered in November 2015. It maintains Shedun is closely related to the BrainTest/GhostPush family, but it only describes the HummingBad malware as "not new" without any further technical details.

So, is this HummingBad/Shedun an evolution from the same cybercriminal group we connected in our previous report, or does it come from a different group? Let’s take a look.

Our analysis

HummingBad, or Hummer, comes from a "legitimate" adware company called Yingmob which, for a while, had its "Hummer Launcher" app on Google Play. Google eventually removed the app in May 2015.

Hummer Launcher signed with the same certificate as some HummingBad samples

As we determined using Tacyt, even the aggressive payloads are signed with the same certificate.

From our previous report in October, we saw some very specific behaviors that associated all the malware families. For example, the use of a few particular domains and the presence of some files inside the APK like "".

One of the particular domains shared by several samples analyzed in October

One of the particular file names shared by several samples analyzed in October

Our analyst team used Tacyt to conclude that there is strong evidence suggesting a relationship between several different reports from different security companies, and confirmed that some of the aggressive apps discovered were on Google Play in early 2015. The evidences suggested that these supposed different families of malware, may be just the same Chinese cybercriminals (because of using the infrastructure, domains, topics, files, etc.) evolving the same idea about serving aggressive ads, rooting the devices, sending commands and installing new packages.

We came to this conclusion because of several similarities that relate the families: domains, dates, permissions, names, certificates, resources, etc. The Chinese group started their activities maybe in late 2014, using the OPDA "brand" and trying to introduce malware on Google Play as well as legitimate apps. Later, they evolved new techniques, from Xinyinhe adware, which seems to be just a variant of Ghost Push, Brain Test to Kemoge, all technically related in some way.

What about HummingBad? 

Checking HummingBad’s singularities we determined that it uses a completely different infrastructure with little in common with our previous findings, even though it follows the same philosophy of rooting the device and silently installing apps. We can find no evidence about certificates, files, or any other hint that helped us to tie both families together as we did before. Of course, we may have not found them. For example, HummingBad uses mainly these domains:,,,… They are not shared with previous Chinese families, except, which seems common place for adware and malware. All apps containing this particular domain on Google Play are eventually removed shared between several different aggresive adware or malware samples eventually removed

As another example, HummingBad uses right_core.apk as a payload, which is either downloaded or embedded.

Searching for samples using a specific file downloaded or embedded

With HummingBad we can only go back to early 2015 with "legitimate" adware samples. With the BrainTest family we can go back to 2014.

Signing date for all the samples we have labeled by our analysts as HummingBad

Another point of interest is that it appears that Brain Test was not very interested in tracking their ads with UMENG (the popular Chinese platform), while HummingBad seems to use UMENG in many more samples. The keys do not match in any case.

Comparing keys between families

Philosophy matches but the code, infrastructure, and "history" do not

Shedun and HummingBad seem to operate from the roots of "legitimate" Chinese companies (OPDA and Yingmob), and they may be related in other ways, but the owners, resources and developers appear different. So we can conclude a couple of insights:

  • HummingBad is Hummer, but it does not seem to be Shedun/GhostPush/Brain Test itself.
  • This is important, because it would mean cybercriminals are learning from each other. It is not just the same group evolving its own product. That is a scary since they will most likely improve technically to gain market share when they have "competitors". 

Attribution is always a risky exercise for every researcher (including us), but we believe HummingBad is not an evolution but is instead another new, dangerous rooting malware that was developed alongside previous malwares (just as there are different ransomware or banking Trojan families with the exact same philosophy). And we also think this malware it here to claim its market share and stay for a while.