CSA Releases Top Threats to Cloud Computing: Deep Dive

BLACKHAT LAS VEGAS – AUGUST 8, 2018 – The Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining standards, certifications and best practices to help ensure a secure cloud computing environment, today announced the release of the Top Threats to Cloud Computing: Deep Dive, a case-study analysis that provides more technical details dealing with architecture, compliance, risk and mitigations for each of the cloud computing threats and vulnerabilities identified in the Treacherous 12: Top Threats to Cloud Computing (2016).

“Last year’s Top Threats report cited multiple recent examples of issues found in the original Treacherous 12 survey, and while those anecdotes allowed cybersecurity managers to better communicate with executives and peers, they did not provide in-depth detail of how everything fits together from a security analysis standpoint,” said Jon-Michael C. Brook, co-chair of the Top Threats Working Group and a principal/Security, Cloud & Privacy at Guide Holdings. “This new report addresses those limitations and offers additional details and actionable information that identify where and how top threats fit in a greater security analysis, while simultaneously providing a clear understanding of how lessons, mitigations and concepts can be applied in real-world scenarios.”

“Security professionals recognize that the Treacherous 12 threats provide only a fraction of the whole picture. Other factors, such as actors, risk, vulnerabilities, and impacts, must also be considered,” said J.R. Santos, executive vice president/Research for CSA. “To address these missing elements, the Top Threats Working Group decided the next document would provide even greater context that could act as a springboard for architects and engineers conducting their own analysis of security issues in cloud computing and comparisons.”

This case study attempts to connect all the dots when it comes to risk management by using the following nine anecdotes cited in the Top Threats for its foundation:

  1. LinkedIn (Top Threats: Data Breaches; Insufficient Identity, Credential and Access Management; Account Hijacking; Denial of Service; Shared Technology Vulnerabilities)
  2. MongoDB (Top Threats: Data Breaches; Insufficient Identity, Credential and Access Management; Insecure Interfaces and APIs; Malicious Insiders; Data Loss)
  3. Dirty Cow (Top Threats: Insufficient Identity, Credential and Access Management; System Vulnerabilities)
  4. Zynga (Top Threats: Data Breaches; Insufficient Identity, Credential and Access Management; Malicious Insiders)
  5. Net Traveler (Top Threats: Data Breaches; Advanced Persistent Threats; Data Loss)
  6. Yahoo! (Top Threats: Data Breaches; Data Loss; Insufficient Due Diligence)
  7. Zepto (Top Threats: Data Breaches; Data Loss; Abuse and Nefarious Use of Cloud Services)
  8. DynDNS (Top Threats: Insufficient Identity, Credential and Access Management; Denial of Service)
  9. Cloudbleed (Top Threats: Data Breaches; Shared Technology Vulnerabilities)

Each of the examples is presented as both a reference chart and a detailed narrative. The reference chart’s format offers an attack-style synopsis of the actor, spanning from threats and vulnerabilities to associated controls and mitigations. The longer-form narratives provide additional context (such as how an incident came to pass or how it should be dealt with). For cases where details—such as impacts or mitigations—were not discussed publicly, the working group extrapolated to include expected outcomes and possibilities.

The paper goes on to outline recommended Cloud Controls Matrix (CCM) domains, sorted according to how often controls within the domains are relevant as a mitigating control. [Mitigations and controls applicable to the nine case studies cover 13 of the 16 Cloud Controls Matrix (CCM) domains.]

The CSA Top Threats Working Group is responsible for providing needed context to assist organizations in making educated risk management decisions regarding their cloud adoption strategies. The CSA invites interested companies and individuals to support the group’s research and initiatives. Companies and individuals interested in learning more or joining the group can visit the Top Threats Working Group page.

Download the Top Threats to Cloud Computing: Deep Dive now.

About Cloud Security Alliance

The Cloud Security Alliance (CSA) is the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. CSA harnesses the subject matter expertise of industry practitioners, associations, governments, and its corporate and individual members to offer cloud security- specific research, education, certification, events and products. CSA’s activities, knowledge and extensive network benefit the entire community impacted by cloud — from providers and customers, to governments, entrepreneurs and the assurance industry — and provide a forum through which diverse parties can work together to create and maintain a trusted cloud ecosystem.

Media Contact

Kari Walker for the CSA
ZAG Communications
703.928.9996
kari@zagcommunications.com

[Cloud Security Alliance Research News]

CSA, OWASP Issue Updated Guidance for Secure Medical Device Deployment

BLACKHAT LAS VEGAS – AUGUST 7, 2018 – The Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining standards, certifications and best practices to help ensure a secure cloud computing environment, in conjunction with the Open Web Application Security Project (OWASP) today released OWASP Secure Medical Device Deployment Standard Version 2.0, an updated guide to the secure deployment of medical devices within a healthcare facility.

Considerable enhancements were made throughout the document, especially to the section on purchasing controls with an eye to security audits and evaluation, privacy impact assessment, and support evaluation controls. Additionally, the updated document now includes relevant guidance from the Federal Drug Administration.

“Too many of today’s network-enabled security devices are still not being deployed with security in mind, exposing healthcare providers and their patients to data breaches at best and potential negative health consequences at worst. With ransomware and botnets targeting IoT devices, it is more essential than ever that devices are developed and deployed with security in mind,” said OWASP Project Leader Christopher Frenz, who authored the original paper.

This report is reflective of how organizations are increasingly putting more resources toward supporting the development community in equal parts with security.

“The growth of electronic medical records and network-enabled devices has allowed healthcare providers to enhance their level of service and the efficiency with which they provide care. However, this same interconnectedness has opened a Pandora’s box of security issues involving legacy systems and healthcare devices that were not designed with security in mind,” said Hillary Baron, Research Program Manager, CSA. “It’s our hope that this document provides a clear roadmap for healthcare organizations looking to ensure that medical devices and systems across the organization follow IT security best practices.”

The report, to which CSA’s Internet of Things (IoT) Working Group provided input and significant contributions, provides guidance in areas such as:

  • Purchasing controls: Security audits/evaluation, privacy impact assessment, and support evaluation;
  • Perimeter defenses: Firewalls, Network Intrusion Detection/Prevention System (NIDS/NIPS), and Proxy Server/Web Filters;
  • Network security controls: Network segmentation, internal firewalls, internal network IDS/IPS, syslog servers, log monitoring, vulnerability scanning and DNS sinkholes;
  • Device security controls: Change default credentials, account lockout, enabling secure transport, spare copies of firmware/software, device configuration backup, baseline configurations, storage encryption, different user accounts, restricting access to management interface, updating mechanisms, compliance monitoring and physical security;
  • Interface and central station security: OS hardening, encrypted transport, and message security (HL7 v3 security standards);
  • Security testing: Penetration tests; and
  • Incident response: Incident response plan and mock incidents.

Download OWASP Secure Medical Device Deployment Standard Version 2.0.

About Open Web Application Security Project

The Open Web Application Security Project (OWASP) is a 501(c)(3) worldwide not-for-profit charitable organization focused on improving the security of software. Its mission is to make software security visible so that individuals and organizations are able to make informed decisions. Operating as a community of like-minded professionals, OWASP issues software tools and knowledge-based documentation on application security.


[Cloud Security Alliance Research News]

This is Me and My (Private) Identity

Do we really need regulators to come and tell us that each person’s data is, well, private? A few years before the GDPR regulation came into effect in Europe, the Law for Protection of Personal Data Held by Private Parties (LFPDPPP) in Mexico stated basically the same principles with which many companies are now struggling to comply:

  • Individuals have the right to know what personal data about them is stored by any company
  • Individuals have the right to request such information to be deleted or withheld from being shared with any other third party

The enactment of these regulations has made both individuals and companies alike aware of the basic fact that too much information about ourselves has been voluntarily but unknowingly disclosed; that some common-sense boundaries have been breached; and that so much information is definitely not needed to provide the digital services we are signing into, and thus, we could block access to prevent further dissemination and commercialization of our habits, browsing history, location, network of family, friends and colleagues, and so on.

So, if rules could be rewritten from start … if you were actually to read the license or service agreement of each online service that you really want to stick with, what terms would you consider reasonable to understand the information about yourself that you are willing to disclose in order to receive those digital services? Of course, we are discarding the possibility that you are happy with such clauses like “by using this app, you understand that we can obtain every piece of your personal data, contacts, location, browsing history and sell it and share it with whomever we can get to pay more for it, with no obligation to you or your descendants.”

So, trying to solve this puzzle, allow me to propose the following Taxonomy of Private Identity and briefly explain the different components.

The Taxonomy
In today’s model, we have assumed the fact that we are required to authenticate ourselves in the online universe basically through one of two widely adopted credentials: your email address and/or your Facebook credentials. Yes, sure, your Facebook account was originally authenticated through an email account but now qualifies as equally valid. However, both can be faked. Yet we are comfortable with an authentication mechanism that is not certain and can be easily stolen.

In the proposed taxonomy, different data is protected behind purpose-specific gates. Those gates can be opened with their respective private key, plus one key linked to you as an individual.

Detailed description of proposed encryption mechanism and data structure of the proposed blockchains will be the subject of an upcoming article. At this level, let’s say that the key that allows access to the other gateways should be generated from biometric data. Fingerprints and facial recognition are now easily implemented, but a widespread model would require more complex data, potentially even DNA data that would link that personal key to the owner.

Implementation of such taxonomy would allow participants to segregate the information that they open to different actors or services, for specific purposes. For example, your LinkedIn profile could add a tag in each of your education or professional milestones, indicating that each of these items has been “verified,” without a need to provide a copy of it in the open network. As long as LinkedIn is a participant of the authentication protocol, it can confirm that participant universities or employers have confirmed your information, without the need to provide any unnecessary data to persons requesting confirmation of the event. In a similar way, personal legal papers (say, shares deposited into a trust fund) could become public legal papers when linked to a document like a will. You, and only you as owner of your private data, would be tagging the existence of such personal legal documents to what could be consulted by the public, if that’s needed or required by law.

So, the key point is that we start thinking about whether we can identify all these important pieces of private data, know where it is stored, and whether we have given unnecessary access to a huge technology company to link it to marketing algorithms … or worse, if rogue actors have very easy access to the digital representation of our lives and assets.

Author’s note: Jose Angel Arias has started and led several technology and business consulting companies over his 30-year career. In addition to having been an angel investor himself, as head of Grupo Consult, he participated in TechBA’s business acceleration programs in Austin and Madrid. He transitioned his career to lead the Global Innovation Group in Softtek for four years. He is currently Technology Audit Director with a global financial services company. He has been a member of ISACA and a Certified Information Systems Auditor (CISA) since 2003.

Jose Angel Arias, CISA

[ISACA Now Blog]

DarkHydrus Uses Phishery to Harvest Credentials in the Middle East

Last week, Unit 42 released a blog on a newly named threat group called DarkHydrus that we observed targeting government entities in the Middle East. The attack that we discussed in our previous publication involved spear-phishing to deliver a PowerShell payload we call RogueRobin; however, we are also aware of DarkHydrus carrying out a credential harvesting attack in June 2018. It also appears that this is an ongoing campaign, as we have evidence of previous credential harvesting attempts using the same infrastructure dating back to the fall of 2017. These attacks targeted government entities and educational institutions in the Middle East.

The credential harvesting attacks used spear-phishing emails that contained malicious Microsoft Office documents that leveraged the “attachedTemplate” technique to load a template from a remote server. When attempting to load this remote template, Microsoft Office will display an authentication dialog box to ask the user to provide login credentials. When entered, these credentials are then sent to the C2 server, which allows DarkHydrus to collect the user account credentials.

Based on Unit 42’s analysis, DarkHydrus used the open-source Phishery tool to create two of the known Word documents used in these credential harvesting attacks. As discussed in our previous blog, this further confirms DarkHydrus’ reliance on open-source software for their attack tools.

A phishing attack to steal credentials like this is not new: US-CERT warned of the same technique by a different threat group in 2017. What is noteworthy is DarkHydrus’ use of an open-source tool to carry out targeted attacks against these entities in the Middle East, which fits their reliance on open-source tools; the targeting of these attacks is also consistent with what we reported last week. Based on this, we can reasonably presume this group will continue to carry out attacks against these kinds of targets in the Middle East in the near future.


Credential Harvesting Attack

On June 24, 2018, Unit 42 observed DarkHydrus carrying out a credential harvesting attack on an educational institution in the Middle East. The attack involved a spear-phishing email with a subject of “Project Offer” and a malicious Word document (SHA256: d393349a4ad00902e3d415b622cf27987a0170a786ca3a1f991a521bff645318) as an attachment. When opened, the malicious Word document displays a dialog box that asks the user for their credentials, as seen in Figure 1.

Figure 1 Authentication dialog box presented to the user when opening document

As you can see in Figure 1, the authentication prompt says “Connecting to <redacted>.0utl00k[.]net”, which is a DarkHydrus C2 server. If the user enters their credentials in this dialog box and presses ‘Ok’, the credentials are sent to the C2 server via the URL https://<redacted>.0utl00k[.]net/download/template.docx. With the authentication dialog box gone, Word displays the contents of the document, which in this specific case was an empty document. While this document was empty, the authentication prompt may have made the targeted user more likely to enter their credentials, thinking it necessary to view the contents of the document.

DarkHydrus also chose their C2 domain carefully in an attempt to further trick the targeted user into entering their credentials. First, the redacted subdomain was the domain of the targeted educational institution. Second, the 0utl00k[.]net domain resembles Microsoft’s legitimate “outlook.com” domain that provides free email services, which also makes the user less suspicious and more likely to enter their credentials. Some users may not even notice what domain the dialog states they are connecting to and habitually type their Windows credentials.

We found two additional Word documents using the 0utl00k[.]net domain to harvest credentials, seen in Table 1. We first saw these related Word documents in September and November 2017, which suggests that DarkHydrus has been carrying out this credential harvesting campaign for almost a year.

First Seen | SHA256       | Filename                  | Remote Template
11/12/2017 | 9eac37a5c6.. | PasswordHandoverForm.docx | https://0utl00k[.]net/docs
09/18/2017 | 0b1d5e1744.. | استطلاع.docx              | https://0utl00k[.]net/docs

Table 1 Additional DarkHydrus Word documents used to steal credentials

Both of these related documents use the attachedTemplate technique to steal credentials by sending them to the URL https://0utl00k[.]net/docs. Unlike the June 2018 document, which displayed no content after credential theft, both of these documents displayed content that appears pertinent to the targeted organization. The September 2017 document displays an employee survey, which can be seen in Figure 2.
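As an added defender-side example (not Unit 42’s code and not the Phishery tool), the following Python inspects a .docx package for the attachedTemplate relationship described above and flags any target that points to a remote location; the sample document and its URL are constructed here, not taken from the DarkHydrus files.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# OOXML relationship type Word uses for an attached (document) template; the
# remote-template technique hangs an http(s) URL off this relationship.
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
WORD_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
REL_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"


def find_remote_templates(docx_bytes):
    """Return a list of (rels_part, target) for every attachedTemplate
    relationship whose target is external (http, https or UNC path).

    A clean document has no such relationship, or one pointing at a local
    .dotx/.dotm path; a remote target means Word will reach out to that
    host (and may prompt for credentials) before rendering any content.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        for name in pkg.namelist():
            if not name.endswith(".rels"):
                continue  # only relationship parts can carry the template link
            try:
                root = ET.fromstring(pkg.read(name))
            except ET.ParseError:
                continue  # malformed part: skip rather than crash the triage
            for rel in root.iter("{%s}Relationship" % RELS_NS):
                if rel.get("Type") != ATTACHED_TEMPLATE:
                    continue
                target = rel.get("Target", "")
                external = (rel.get("TargetMode") == "External"
                            or target.lower().startswith(("http://", "https://", "\\\\")))
                if external:
                    findings.append((name, target))
    return findings


def build_sample_docx(template_url=None):
    """Build a minimal .docx in memory (constructed sample, not a real
    DarkHydrus file). With template_url set, it carries an external
    attachedTemplate relationship in word/_rels/settings.xml.rels, the
    part where Word stores the location of a remote template."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as pkg:
        pkg.writestr("word/document.xml",
                     '<w:document xmlns:w="%s"><w:body/></w:document>' % WORD_NS)
        if template_url:
            pkg.writestr("word/settings.xml",
                         '<w:settings xmlns:w="%s" xmlns:r="%s">'
                         '<w:attachedTemplate r:id="rId1"/></w:settings>'
                         % (WORD_NS, REL_NS))
            pkg.writestr("word/_rels/settings.xml.rels",
                         '<Relationships xmlns="%s"><Relationship Id="rId1" '
                         'Type="%s" Target="%s" TargetMode="External"/>'
                         '</Relationships>' % (RELS_NS, ATTACHED_TEMPLATE, template_url))
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed URL mirroring the /download/template.docx path shape above.
    suspicious = build_sample_docx("https://template.example.invalid/download/template.docx")
    print(find_remote_templates(suspicious))   # one finding: the external template
    print(find_remote_templates(build_sample_docx()))  # [] for the clean document
```

The same check runs unchanged over real attachments pulled from mail quarantine; any hit is a document that will contact an outside host before showing the user anything.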

Figure 2 Employee survey displayed after credential theft

The November 2017 document displays a password handover document after credential theft occurs, as seen in Figure 3. We were unable to find the displayed document via open source research, which may suggest that the actor gathered this password handover form from a prior operation.


Figure 3 Password handover form displayed after credential theft

The infrastructure used in these credential harvesting attacks used the domain 0utl00k[.]net, which at the time of the attacks resolved to 107.175.150[.]113 and 195.154.41[.]150. This same infrastructure was discussed in the Campaign Analysis of our previous blog.


Phishery Tool

While analyzing the three malicious Word documents, we determined that two of the documents were created using an open source tool called Phishery. The Phishery tool is capable of the following:

  1. Creating malicious Word documents by injecting a remote template URL
  2. Hosting a C2 server to gather credentials entered into authentication dialog boxes displayed when attempting to obtain the remote template

We were able to confirm that DarkHydrus used Phishery to create these Word documents by using the open source tool to create a document and host a C2 ourselves. The DarkHydrus document used in the June 2018 attacks had a remote template URL added, as seen in Figure 4.


Figure 4 Remote template URL seen in the DarkHydrus document from June 2018

We were able to replicate the remote template path seen in Figure 4 by using Phishery to create a weaponized delivery document. Figure 5 shows Phishery’s output for the command that injects a URL into a file named “good_test.docx” and saves the resulting file as “bad_test.docx”.


Figure 5 Phishery command used to create a document that has same remote template URL as DarkHydrus

To confirm, we used Phishery’s C2 server and opened DarkHydrus’ Word document from the June 2018 attacks. When presented with the authentication dialog box, we entered “fakename” and “fakepass” as credentials, as seen in Figure 6 and pressed enter.

Figure 6 Authentication dialog box with fake credentials entered

On the C2 server, we observed Phishery receiving the inbound request and capturing the credentials, as seen in Figure 7. The C2 server was able to obtain the “fakename” and “fakepass” credentials entered into the authentication dialog box displayed when opening DarkHydrus’ Word document.


Figure 7 Output of Phishery C2 showing captured credentials

Conclusion

DarkHydrus is a threat group carrying out attack campaigns targeting organizations in the Middle East. We discovered DarkHydrus carrying out credential harvesting attacks that use weaponized Word documents, which they delivered via spear-phishing emails to entities within government and educational institutions. This threat group not only used the Phishery tool to create these malicious Word documents, but also to host the C2 server that harvests the credentials. The use of Phishery further shows DarkHydrus’ reliance on open-source tools to conduct their operations.

Palo Alto Networks customers are protected from DarkHydrus by the following:

  • The C2 server 0utl00k[.]net is classified as Malware
  • All Phishery documents created by DarkHydrus have malicious verdicts in WildFire
  • AutoFocus customers can monitor this threat group’s activity via the DarkHydrus tag


Indicators of Compromise

Samples
d393349a4ad00902e3d415b622cf27987a0170a786ca3a1f991a521bff645318
9eac37a5c675cd1750cd50b01fc05085ce0092a19ba97026292a60b11b45bf49
0b1d5e17443f0896c959d22fa15dadcae5ab083a35b3ff6cb48c7f967649ec82

Infrastructure
0utl00k[.]net
107.175.150[.]113
195.154.41[.]150

[Palo Alto Networks Research Center]

A First-Hand Experience with CISSP CAT

Patrick Strijkers is a 43-year-old information risk security officer at a pension funds firm in the Netherlands. He works in the IT security department in security incident management. Patrick’s employer runs a job rotation program, allowing him to gain experience in a variety of roles, with his next position coming in vulnerability management this September. He holds the following security certifications:

  • CompTIA Security+
  • CompTIA Network+
  • EC-Council Certified Ethical Hacker v8
  • EC-Council Certified Security Analyst v8
  • EC-Council Computer Hacking Forensics Investigator v8
  • Rapid7 Nexpose
  • Rapid7 Metasploit Pro

Patrick’s goal last year was to earn his CISSP certification. He attended a five-day boot camp course and studied for two and a half months before sitting for his exam on August 11, 2017. At that time, the CISSP exam was only available in the linear format.

“After fighting through 250 questions over the course of 320 minutes – including two brief breaks to clear my mind – it was devastating to read the ‘Sorry, you failed’ exam notice,” said Patrick. He decided to take some time away from studying and waited to prepare for his next attempt until February of 2018. With his exam scheduled for April 20, Patrick began to dive back into the material, although at first he was not aware of the new CAT exam format.

“After finding out about the new format in the beginning of April, it got me a bit frightened of what to expect of it,” said Patrick. He was unsure of the number of questions he would be answering, as well as how the difficulty of the exam might be affected by the format change. “In the end, it didn’t stop me from taking the shot.”

The night before the exam, Patrick checked into a hotel near his testing site and recalls being nervous before this attempt, whereas his nerves were calm back in August. The biggest challenge he felt with the CAT format was not being able to mark questions to review, but Patrick found that his time management was excellent this time around, as he completed the exam (at 150 questions) with time to spare.

Upon finding out he had passed, Patrick said “The second I was notified I asked to please see the paper, as I couldn’t believe it. But yes, I did pass my CISSP exam.”

Congratulations to Patrick for reaching his goal of becoming a CISSP! Welcome to the (ISC)² family!

[(ISC)² Blog]
