Kategorie

Information security professionals are normally tasked with hunting threats that have been detected on their respective networks. What happens when you think that your network is under attack, but you’re not quite sure where the malware is or what they will do next? This article will detail how to threat hunt on your network by […]

The post Threat Hunting for Suspicious Registry and System File Changes appeared first on InfoSec Resources.

Threat Hunting for Suspicious Registry and System File Changes was first posted on July 20, 2018 at 5:51 pm.
©2017 "InfoSec Resources". Use of this feed is for personal non-commercial use only. If you are not reading this article in your feed reader, then the site is guilty of copyright infringement. Please contact me at darren.dalasta@infosecinstitute.com

Introduction So there you are, sitting at your desk at the organization where you work as an information security professional. You are performing your usual monitoring duties when you notice that you have a high volume of network traffic coming from a part of the world that your organization does not do business with. This […]

The post Threat Hunting for DDoS Activity and Geographic Irregularities appeared first on InfoSec Resources.

Threat Hunting for DDoS Activity and Geographic Irregularities was first posted on July 20, 2018 at 5:44 pm.
©2017 "InfoSec Resources". Use of this feed is for personal non-commercial use only. If you are not reading this article in your feed reader, then the site is guilty of copyright infringement. Please contact me at darren.dalasta@infosecinstitute.com

Introduction Demand for cybersecurity professionals is on the rise, and even specialized niche positions are seeing an increase in popularity. This makes threat hunting an especially sought-after job role, particularly in big corporations that are looking to identify and neutralize threats that are not easily detected by traditional security measures. This ensures that they keep […]

The post The Current Job Outlook for Threat Hunters appeared first on InfoSec Resources.

The Current Job Outlook for Threat Hunters was first posted on July 20, 2018 at 5:11 pm.
©2017 "InfoSec Resources". Use of this feed is for personal non-commercial use only. If you are not reading this article in your feed reader, then the site is guilty of copyright infringement. Please contact me at darren.dalasta@infosecinstitute.com

Introduction If you are planning on building your own threat-hunting tool but don’t know where to start, then this could be just the article for you. We will be taking a look at the specific steps that you will need to follow when building a threat-hunting tool of your own. Each environment is different, and […]

The post How to Build a Threat-Hunting Tool in 10 Steps appeared first on InfoSec Resources.

How to Build a Threat-Hunting Tool in 10 Steps was first posted on July 20, 2018 at 4:32 pm.
©2017 "InfoSec Resources". Use of this feed is for personal non-commercial use only. If you are not reading this article in your feed reader, then the site is guilty of copyright infringement. Please contact me at darren.dalasta@infosecinstitute.com

Introduction Threat hunting has become a fundamental security process within organizations. It targets threats that might have been missed by traditional detection methods like as firewalls, intrusion detection systems, malware sandboxes and SIEMs. This article covers the various considerations that need to be taken when outsourcing or developing an internal threat-hunting program. Internal vs. External […]

The post Considerations when Outsourcing Threat Hunting appeared first on InfoSec Resources.

Considerations when Outsourcing Threat Hunting was first posted on July 20, 2018 at 4:04 pm.
©2017 "InfoSec Resources". Use of this feed is for personal non-commercial use only. If you are not reading this article in your feed reader, then the site is guilty of copyright infringement. Please contact me at darren.dalasta@infosecinstitute.com

Hundreds of thousands of emails are delivering weaponized PDFs containing malicious SettingContent-ms files.

Introduction “Threat hunting” refers to the process of proactively and repeatedly searching through networks to detect and isolate advanced threats that evade existing security solutions. Such solutions may include firewalls, intrusion detection systems (IDS), malware sandboxes and SIEMs. Normally, existing security solutions require investigation to be conducted after an incident or warning has occurred. However, […]

The post Threat Hunting and SOC appeared first on InfoSec Resources.

Threat Hunting and SOC was first posted on July 20, 2018 at 3:55 pm.
©2017 "InfoSec Resources". Use of this feed is for personal non-commercial use only. If you are not reading this article in your feed reader, then the site is guilty of copyright infringement. Please contact me at darren.dalasta@infosecinstitute.com

Dasan and D-Link routers running GPON firmware are being targeted by hackers in an attempt to create a botnet.

Microsoft's love for Linux continues… Microsoft has released its command-line shell and scripting language PowerShell Core for Linux operating system as a Snap package, making it easier for Linux users to install Microsoft PowerShell on their system. Yes, you heard me right. Microsoft has made PowerShell Core available to the Ubuntu Snap Store as a Snap application. PowerShell Core is a

Criminals have found a mischievous way to mine cryptocurrency. Security researcher Troy Mursch sounds off on why this tricky trend isn't going away anytime soon.

Airport TSA agents don’t check terminals for insecure WiFi networks, so stay on your toes when using hotspots at these airports.

An uncharacteristic spate of strikes against IoT devices in Finland during the summit was likely an indicator of a coordinated cyberespionage effort, researchers said.

Singapore's largest healthcare group, SingHealth, has suffered a massive data breach that allowed hackers to snatch personal information on 1.5 million patients who visited SingHealth clinics between May 2015 and July 2018. SingHealth is the largest healthcare group in Singapore with 2 tertiary hospitals, 5 national specialty , and eight polyclinics. According to an advisory released by

CarePartners said its forensic investigation identified 1500 affected records - the hackers say they took 80,000.

Roblox was moving some older, user-generated games to a newer, more secure system when the attack took place, it says.

The Independent Inquiry into Child Sexual Abuse sent out a mass emailing in which a staffer mistakenly used "To" instead of "Bcc".

Antivirová firma Avast se dohodla na koupi slovenské mobilní vývojářské firmy Inloopx s hlavním sídlem v Žilině. Díky této transakci získá Avast vývojáře a další odborníky, kteří posílí tým zaměřující se na bezpečnost a ochranu chytrých domácností, internetu věcí (IoT) a mobilních zařízení.

Catch up with Day 4 of our Security SOS Week - here's the fourth episode of our week-long online security summit.

An interesting aspect of studying a particular piece of malware is tracing its evolution and observing how the creators gradually add new monetization or entrenchment techniques. Also of interest are developmental prototypes that have had limited distribution or not even occurred in the wild. We recently came across one such sample: a macOS backdoor that we named Calisto.

The malware was uploaded to VirusTotal way back in 2016, most likely the same year it was created. But for two whole years, until May 2018, Calisto remained off the radar of antivirus solutions, with the first detections on VT appearing only recently.

Malware for macOS is not that common, and this sample was found to contain some suspiciously familiar features. So we decided to unpick Calisto to see what it is and why its development was stopped (or was it?).

Propagation

We have no reliable information about how the backdoor was distributed. The Calisto installation file is an unsigned DMG image under the guise of Intego’s security solution for Mac. Interestingly, Calisto’s authors chose the ninth version of the program as a cover which is still relevant.

For illustrative purposes, let’s compare the malware file with the version of Mac Internet Security X9 downloaded from the official site.

Backdoor Intego Mac Internet Security 2018 Unsigned Signed by Intego

It looks fairly convincing. The user is unlikely to notice the difference, especially if he has not used the app before.

Installation

As soon as it starts, the application presents us with a sham license agreement. The text differs slightly from the Intego’s one — perhaps the cybercriminals took it from an earlier version of the product.

Next, the “antivirus” asks for the user’s login and password, which is completely normal when installing a program able to make changes to the system on macOS.

But after receiving the credentials, the program hangs slightly before reporting that an error has occurred and advising the user to download a new installation package from the official site of the antivirus developer.

The technique is simple, but effective. The official version of the program will likely be installed with no problems, and the error will soon be forgotten. Meanwhile, in the background, Calisto will be calmly getting on with its mission.

Analysis of the Trojan With SIP enabled

Calisto’s activity on a computer with SIP (System Integrity Protection) enabled is rather limited. Announced by Apple back in 2015 alongside the release of OSX El Capitan, SIP is designed to protect critical system files from being modified — even by a user with root permissions. Calisto was developed in 2016 or earlier, and it seems that its creators simply didn’t take into account the then-new technology. However, many users still disable SIP for various reasons; we categorically advise against doing so.

Calisto’s activity can be investigated using its child processes log and decompiled code:

Log of commands executed by the Trojan during its operation

Hardcoded commands inside the Calisto sample

We can see that the Trojan uses a hidden directory named .calisto to store:

• Keychain storage data
• Data extracted from the user login/password window
• Information about the network connection
• Data from Google Chrome: history, bookmarks, cookies

Recall that Keychain stores passwords/tokens saved by the user, including ones saved in Safari. The encryption key for the storage is the user’s password.

Next, if SIP is enabled, an error occurs when the Trojan attempts to modify system files. This violates the operational logic of the Trojan, causing it to stop.

Error message

With SIP disabled/not available

Observing Calisto with SIP disabled is far more interesting. To begin with, Calisto executes the steps from the previous chapter, but as the Trojan is not interrupted by SIP, it then:

• Copies itself to /System/Library/ folder
• Sets itself to launch automatically on startup
• Unmounts and uninstalls its DMG image
• Adds itself to Accessibility
• Harvests additional information about the system
• Enables remote access to the system
• Forwards the harvested data to a C&C server

Let’s take a closer look at the malware’s implementation mechanisms.

Adding itself to startup is a classic technique for macOS, and is done by creating a .plist file in the /Library/LaunchAgents/ folder with a link to the malware:

The DMG image is unmounted and uninstalled via the following command:

To extend its capabilities, Calisto adds itself to Accessibility by directly modifying the TCC.db file, which is bad practice and an indicator of malicious activity for the antivirus. On the other hand, this method does not require user interaction.

An important feature of Calisto is getting remote access to the user system. To provide this, it:

• Enables remote login
• Enables screen sharing
• Configures remote login permissions for the user
• Allows remote login to all
• Enables a hidden “root” account in macOS and sets the password specified in the Trojan code

The commands used for this are:

Note that although the user “root” exists in macOS, it is disabled by default. Interestingly, after a reboot, Calisto again requests user data, but this time waits for the input of the actual root password, which it previously changed itself (root: aGNOStIC7890!!!). This is one indication of the Trojan’s rawness.

At the end, Calisto attempts to transfer all data from the .calisto folder to the cybercriminals’ server. But at the time of our research, the server was no longer responding to requests and seemed to be disabled:

Attempt to contact the C&C server

Extra functions

Static analysis of Calisto revealed unfinished and unused additional functionality:

• Loading/unloading of kernel extensions for handling USB devices
• Data theft from user directories
• Self-destruction together with the OS

Loading/unloading of kernel extensions

Working with user directories

Self-destruction together with the entire system

Connections with Backdoor.OSX.Proton

Conceptually, the Calisto backdoor resembles a member of the Backdoor.OSX.Proton family:

• The distribution method is similar: it masquerades as a well-known antivirus (a Backdoor.OSX.Proton was previously distributed under the guise of a Symantec antivirus product)
• The Trojan sample contains the line “com.proton.calisto.plist”
• Like Backdoor.OSX.Proton, this Trojan is able to steal a great amount of personal data from the user system, including the contents of Keychain

Recall that all known members of the Proton malware family were distributed and discovered in 2017. The Calisto Trojan we detected was created no later than 2016. Assuming that this Trojan was written by the same authors, it could well be one of the very first versions of Backdoor.OSX.Proton or even a prototype. The latter hypothesis is supported by the large number of unused and not fully implemented functions. However, they were missing from later versions of Proton.

To protect against Calisto, Proton, and their analogues:

• Always update to the current version of the OS
• Never disable SIP
• Run only signed software downloaded from trusted sources, such as the App Store
• Use antivirus software

MD5

DMG image: d7ac1b8113c94567be4a26d214964119
Mach-O executable: 2f38b201f6b368d587323a1bec516e5d

LinuxSecurity.com: Most security awareness programs are at best gimmicks that will statistically fail at their goal. They intend to educate people so that they can make better decisions regarding how to behave or whether they are being conned.