The Russian ICC (I). Introduction: the Russians are coming!

We often talk about Russian APTs, Russian malware, Russian groups … But who are “the Russians”? In this series of posts we will analyze who “the Russians” really are, what Russia is (from the point of view of intelligence and security), what its services are (and their APTs), what relations they have with the rest of the ecosystem of the Russian information war, what objectives they have, what information they are looking for, etc. In short, we will try to get to know the Russian Cyber Intelligence Community a little better, along with the supposedly Russian threats that we find all the time in different organizations.

Of course, all the information collected here was obtained from public sources and represents no more than private opinions, interpretations, analyses, questions … surely all of them wrong, because … what exactly is attribution?

Let’s begin: as could not be otherwise (or we would not be dedicating a series to it), one of the main actors in the field of (cyber) intelligence is Russia; it is perhaps currently the country most sophisticated in its attacks: targeted, stealthy and technically brilliant, with very high rates of persistence due to the difficulty of detecting them (with the permission of the United States, of course …). Russian APTs usually know exactly what information they need, where it is and who handles it, and so they focus on stealing precisely that data, as we said, in the most secretive way possible.

Linux.Mirai: Attacking video surveillance systems

During the Olympic Games in Rio de Janeiro, one of our sensors in Brazil detected a particularly interesting intrusion into a honeypot TELNET service.

This interaction used unusual credentials: the ones most frequently received were, unexpectedly, vyzxv and xc3511.

After an initial search no reference to attacks involving these credentials was found, but it was concluded that the credentials are common in DVRs (Digital Video Recorders) of the Chinese brand Dahua (e.g. DH-3004). Dahua is a leading global provider of surveillance solutions: according to the IMS 2015 report, it holds the largest market share.

The end of passwords … or not

It has been said and proven many times that passwords are the key that gives access to our information, and that is why we give them so much importance. Today we use passwords to access our email, the bank, social networks, online shopping sites … in short, we use passwords to access any site; and of course, since passwords must be robust, and on top of that we cannot use the same one for everything, we end up going crazy. That’s why some of us use password managers, mnemonics, etc., because otherwise it is impossible.

Blockchain and Cybersecurity I

Blockchain. Maybe some of you have heard of it. Others maybe not. In some circles, Blockchain is a concept that is resonating strongly, even though many people do not understand exactly what it is or why it is important. Any of us could ask: what is a blockchain?

Let’s read the definition from a random corner of the Internet: “A blockchain is a chain of blocks that contains batches of valid transactions. Each block includes the hash of the previous block of the blockchain, linking the two. The linked blocks form a chain, allowing only that block (successor) to be linked only to the other block (predecessor), giving its name to this database”.

Therefore, we could say that a blockchain is a chain of data blocks that contain transactions. Well, it doesn’t seem a promising thing, does it?

Let me highlight a little detail: a blockchain is a ledger of transactions that can be neither manipulated nor forged. Can you imagine what we could do with this?

Registration for the RHME2 embedded CTF is open

The RHME2 is an embedded CTF running on the Arduino Nano board. The participants have to prove their skills in both software and hardware exploitation: buffer overflows, ROP, C++ exploitation, cryptanalysis, side-channel analysis, fault injection… and all of this on an AVR architecture!

Pre-registration for the 2nd edition of the RHME challenge is open now. Pre-register now and get your Arduino Nano with the challenges. The boards will be sent for free at the end of October and the CTF will officially start on November 1st. There is a limit of 500 boards: first come, first shipped!
More information at http://rhme.riscure.com

Stay protected against Ransomware

Ransomware is here to stay. This is becoming clearer by the minute. It is a very lucrative business, judging by its infection success rate and, to a lesser extent, by the ransom payment rate among the affected parties.

To the already infamous Cryptolocker, CryptoWall, TorrentLocker, TeslaCrypt and others, we have to add the recent HydraCrypt and UmbreCrypt. All of them show slight variations over the previous ones in an attempt to evade the few barriers that antivirus vendors are putting up, together with some more or less imaginative, and somewhat effective, initiatives to identify the activity of this kind of threat.

Recently, the CNI (Spanish National Intelligence Center), through the CCN-CERT, published a ransomware guide compiling several ransomware variants together with the file-decrypting tools that different antivirus companies have provided, either after dismantling several criminal networks or after in-depth analysis of malware samples.

The blackout…revisited

This year has started with some frights for those of us responsible for the secure operation of electric power grids. There is, on one hand, the Israel Electric Authority event. On January 27th we found headlines like these, from Fox News:

Apparently the day had come when someone had finally pressed the Doomsday button and sent Israel, or come close to sending it, back to the Middle Ages. However, reality turned out to be more prosaic, and the prophets of the Apocalypse had to sheathe their keyboards again once it was confirmed that, in the end, it was a case of ransomware on equipment belonging to an ordinary IT network, infected through the not-so-elegant technique of phishing. Furthermore, from what I am reading, the partial loss of electric supply for some customers could be attributed to a deliberate decision by the personnel in charge of grid operations, who preferred to shed some load rather than face a complete network collapse. Moreover, it has been stated that the operators reacted that way in the conviction that they were under attack, at a moment when demand was growing rapidly because of the low temperatures.

Malcom: Practical exercise on traffic analysis

Malcom (Malware Communication Analyzer) is a tool I have been using for quite some time now and, even though it is quite well documented on several sites, I thought it worth dedicating an article to it, because with its latest updates it has become more stable and consistent.

Its main objective is to analyze network traffic connections graphically while simultaneously cross-referencing the data with public or private malware feeds, in order to identify malicious nodes (C&C servers, for example), see how the malware tries to communicate with them, analyze possible behavior patterns, understand P2P networks or observe DNS Fast-Flux infrastructures.

Wearables, the family grows

Wearables have landed in our lives to entertain us, to make some tasks easier and even to control parts of our lives.

A wearable is any accessory we wear that interacts with us and with our devices in order to carry out some task (whether related to health, sports, entertainment…).

Even though they have been on the market for several years, 2016 is the year in which the real boom is expected. Proof of this is that at the recently held Mobile World Congress a whole area was dedicated to wearables and the Internet of Things. Furthermore, at this same event it was more than confirmed that wearable technology is taking off strongly and, consequently, will stay on trend for several years.

The NSA needs your updates

(Please note this is a translated post from the Spanish version… and that 28th December is in Spain equivalent to April Fools’ Day, so this news was just a joke)

Although this finding is little more than 12 hours old (it appeared yesterday in some Chinese media), it has not taken long to spread through the specialized US media. Among others, Ars Technica, Bruce Schneier, Wired and Dan Kaminsky have published brief pieces commenting on the recent findings by Lian Li and Huan Chen, Chinese researchers from Peking University.

Apparently, it all began at the end of 2013, while Li and Chen were performing forensic analysis on three compromised computers. Analyzing the different Adobe update packages stored on the computers (suspected of being the infection vector), they noticed that all of them had a similar structure: the update package plus an encrypted data block C1 whose size varied from 65536 bytes to several MB.