We Have All Heard This Story Before It’s no doubt that ransomware is is the biggest threat in the modern cybersecurity landscape. The highest amount of ransom ever paid by a single company for a single incident is $40 million US dollars. Companies can incur millions more in remediation costs, service downtime, legal settlements, higher insurance premiums, and potentially suffer long-term deleterious effects to their brand reputation. Blockchain research group Chainalysis suggests that nearly $700 million USD in ransomware ransom was paid in 2020. Defenders have all been hearing this story for years, and know how to secure against ransomware right? The most common initial access vector is phishing so staff training sessions educating our staff on how to spot a deceptive url is required to keep the bad guys out. Installing endpoint security products and keeping them updated, and of course keep bulletproof backups right? Well, yes and no….
IT Security
What Is “Fake Ransomware”? The term “fake ransomware” might conjure up some feelings of relief. After all, if the ransomware is fake, then it must not have encrypted files, right? However, the term has been used to refer to a few different variants of a true ransomware attack. Firstly, it has been used to describe ransomware that does not encrypt files, but instead attempts to trick the victim into thinking their files are encrypted while demanding a payment to recover them. Secondly, the term has also been used to refer to ransomware that does in fact encrypt your files, but does not offer a decryption key if ransom is paid. This is much more nefarious and destructive than the first type; a real sucker punch. And most recently, the term has been used to refer to a case where ransomware was deployed by a company against itself to cover up…
In part 1 of PHP Malware series, we learned what a web-shell is and learned some basic ways that an attacker can build web-shell in PHP. In part two we took a look at how web-shells can be hidden using base 64 encoding and AES encryption techniques. In part three we’re gonna look at other crafty ways that an attacker could obfuscate PHP web shell or other malware such as a stealer which would exfiltrate sensitive data as it’s processed by a website. Cyber criminals want to avoid malware being found, and when it is found, they want it to be difficult for a researcher to discover what the malware is doing. An an attack technique is novel, attackers don’t want defensive security researchers to be able to use the technique information to build defensive strategy or make the information public. In order to demonstrate the skill’s of reverse engineering…
In part 1 of this series on PHP malware, we learned what a web shell is and looked at some basic examples. Basic web-shells are not too difficult to find since there are only so many commands that can be used to execute a string as a shell command. However, most attackers would not include a basic web shell such as the ones discussed in the first video. They know it would be much too easy to find and dwell time would be short. Instead the attacker will encode or encrypt the malware so it is more difficult to find. Also, there is an important difference between encrypting and encoding. Before we look at some more advanced ways to hide malware, let’s understand the difference between these two terms. What is Encoding? Encoding refers to the process of converting data from one form to another. Encoding does not normally imply…
Let’s talk about a critical intersection in the world of security; the combination of physical security and brand reputation. On January 9th 2022, a woman was killed while pumping gas when a 65 year old man backed up his SUV into the gas pump. The pump exploded into flames. The woman who was standing beside it was burned to death. This is a horrific and tragic situation that should never have happened. The gas station should have installed bollards to protect the physical pumps from being hit by a car. There should be a federal law that all gas pumps are required to have bollards protecting them. However, there is no such law and so instead, when loss of life happens from such a preventable incident we are left to ask whether the franchise owner is partially responsible. Many will rightfully criticize the owner and the brand for allowing such…
In this this series of articles and videos, I will explore some PHP malware code that has been publicly published. All the samples discussed are derived from a GitHub repository maintained by marcocesarato. The advice from Ripple Software Consulting is to always maintain solid web-server security through hardened configuration and monitoring, and vulnerability scanning both internal and external surfaces with a tool such as CISOfy’s Lynis or Greenbone’s GVM. For an example of solid LAMP stack server security you can visit the RSRC’s VPS Deploy WordPress GitHub repository which is a tool for automatically deploying a WordPress website on a hardened Linux VPS Server. If you don’t want to secure your own WordPress installation, you can hire a trained security consultant such as Ripple Software, or you can use another 3rd party managed hosting provider. PHP is a scripting language which means its source code is usually in human readable…
In October 2021, while writing an article about EDR/XDR solutions, I read an article from The Journal of CyberSecurity and Privacy entitled: “An Empirical Assessment of Endpoint Detection and Response Systems against Advanced Persistent Threats Attack Vectors”. I think now is a good time to revisit that research paper. The study tested state of the art EPP and EDR platforms against simulated APT attacks. They key contribution of this paper is that it reveals what type of TTPs are still able to circumvent top of the line EDR solutions. The products tested in the study are a who’s who of leading endpoint security vendors? Seeing a blog post from Recorded Future discussing the same paper reminded me about it, and wanted to contribute my take on it. The full FINAL paper is available and the published version is available by searching Google for the article title “An Empirical Assessment of…
The Details The Log4J vulnerability in the Java logging package maintained by Apache made headlines late last week. It was disclosed as a Zero Day bug which is easily exploitable, received a CVSS score of 10/10, and includes remote code execution (RCE) on the target host. Associated CVE-2021-44228 is available on the NIST NVD website which provides more information and references including the CISA advisory. The number of Log4J installations has been described as “hundreds of millions” and “countless”. Virtually all Log4J versions (<= 20.14.1 which was released in early March 2021) are vulnerable. The most recent version of Log4J is now version 20.16.0 since subsequent patched updates were released in quick succession on December 6th and December 13th of 2021. If you want to know whether a 3rd party application is vulnerable to re-assess your risk, review the Software Bill of Materials (SBOM), if one has been provided, it…
IT Security Best Practices are processes and configurations outlined by industry leading standards organizations such as SANS, NIST, and OWASP amongst others. Some examples of best-practices include: keeping software and systems updated, uninstalling all but required applications and services, segmenting critical network resources, and configuring host and network firewalls to first block all traffic, then allow only required traffic by IP and protocol. But are best practices always feasible for an organization? To some, this may seem like a ridiculous question. Most CISO’s would likely rather consider the question the other way around: “Is not having best practices feasible?”, since their jobs depend on the performance of security controls. So why then did John Mandia of Mandiant Security LLC to respond with “it depends” when responding to that question before a US congressional special hearing in response to the SolarWinds malware [1]? Senator Wyden’s question specifically referenced NIST firewall best…
The Recorded Future web-conference today was a great insight into the deep Cyber-Intelligence technology the company has developed and what it offers organizations. On display were both a definitive set of broad trend data combined with deep and granular information on every aspect of the MITRE ATT&CK framework and beyond. Recorded Future’s LinkedIn profile reports the company as having had Series E funding of $25 million dollars, however Crunchbase reports an even higher total investment of over $50 million dollars. A press report on PRNewswire in October 2021 outlines Recorded Future’s recent investment in CVE intelligence company Cyber Threat Cognitive Intelligence (CTCI) and describes the Intelligence Fund; Recorded Future’s investment platform. For anyone as passionate about Cyber-Security, predictive forecasting, and Intelligence as I am, there is a ton to be excited about with Recorded Future’s platform and capabilities. Here’s what I learned from the conference today. Recorded Future aggregates data…