Monday, 12 September 2022

Ransomware - Intermittent Encryption

An emerging trend among ransomware gangs is encrypting only parts of files, instead of complete encryption of files or drives.

The tactic, dubbed intermittent encryption, is effective and can offer some advantages to cyber criminals.

Automated detection tools may have a more difficult time catching signs of the malicious action if there's less file modification happening as the encryption takes place.

Additionally, the time to encryption is decreased by an order of magnitude depending on how much data is skipped, while still producing files that are damaged enough to be useless.

Some implementations of the technique include options to encrypt every X number of bits / bytes / megabytes while skipping Y of the same.

Others offer fewer options to operators but remain sophisticated by using pre-coded settings based on file size. Black Basta, for example, encrypts all content of files under 704 bytes. If the file is between 704 bytes and 4KB, 64 bytes are encrypted and then 192 are skipped. For files larger than 4KB, the unencrypted gaps shrink to 128 bytes while the encrypted blocks stay at 64 bytes.

Due to the significant advantages (speed, more difficult detection) and basically no downsides, security people should expect to see widespread adoption of this technique.
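To make the detection point concrete, here is an added example (not code from the post or from any ransomware family) that models the Black Basta tiers exactly as described above, computes how much of a file is actually rewritten, and then shows why a per-window entropy scan catches a partially damaged file that a whole-file entropy threshold would miss. The "encryption" step is a simulation that overwrites the affected ranges in memory with seeded pseudo-random bytes so the detector has something to look at; the sample document is constructed.

```python
import math
import random
from collections import Counter

# Black Basta tiers as described in the post.
SMALL_LIMIT = 704     # files smaller than this are fully encrypted
MEDIUM_LIMIT = 4096   # 704 bytes .. 4 KB: encrypt 64, skip 192
BLOCK = 64            # encrypted block size in the two larger tiers
SKIP_MEDIUM = 192
SKIP_LARGE = 128


def encrypted_ranges(size):
    """Return the (offset, length) ranges the described pattern would
    encrypt in a file of `size` bytes."""
    if size <= 0:
        return []
    if size < SMALL_LIMIT:
        return [(0, size)]
    period = BLOCK + (SKIP_MEDIUM if size <= MEDIUM_LIMIT else SKIP_LARGE)
    return [(off, min(BLOCK, size - off)) for off in range(0, size, period)]


def encrypted_fraction(size):
    """Share of the file that is actually rewritten on disk."""
    return sum(length for _, length in encrypted_ranges(size)) / size


def shannon_entropy(data):
    """Bits per byte of `data` (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def window_entropies(data, window=BLOCK):
    """Entropy of each consecutive `window`-byte slice."""
    return [shannon_entropy(data[i:i + window]) for i in range(0, len(data), window)]


def count_high_entropy_windows(data, threshold=5.0, window=BLOCK):
    """Number of slices that look like ciphertext. Text drawn from a small
    alphabet cannot exceed log2(alphabet size); the 28-symbol sample below
    tops out at 4.81 bits, while 64 random bytes land near 5.7 bits."""
    return sum(1 for e in window_entropies(data, window) if e > threshold)


def simulate_partial_encryption(plaintext, seed=1):
    """Stand-in for the encryptor, for testing detection logic only: overwrite
    just the ranges from encrypted_ranges() with seeded pseudo-random bytes,
    in memory. This is a simulation, not a cipher."""
    rng = random.Random(seed)
    buf = bytearray(plaintext)
    for off, length in encrypted_ranges(len(buf)):
        buf[off:off + length] = bytes(rng.getrandbits(8) for _ in range(length))
    return bytes(buf)


# Constructed sample "document": repetitive ASCII text, exactly 4096 bytes.
SAMPLE_PLAINTEXT = (b"The quick brown fox jumps over the lazy dog. " * 100)[:4096]


if __name__ == "__main__":
    for size in (500, 1000, 4096, 8192, 10 * 1024 * 1024):
        print(f"{size:>10} bytes: {encrypted_fraction(size):.1%} rewritten")
    damaged = simulate_partial_encryption(SAMPLE_PLAINTEXT)
    print("whole-file entropy:", round(shannon_entropy(damaged), 2))
    print("64-byte windows above 5.0 bits:", count_high_entropy_windows(damaged))
```

Two things fall out of running it. A 4KB file is only 25% rewritten and a large file about a third, which is the "order of magnitude" speed-up and the reduced write volume the post mentions. And because three quarters of the file is still plain text, whole-file entropy stays well under the near-8-bit level that fully encrypted files reach, so a detector tuned for full encryption sees nothing; scanning 64-byte windows instead finds every rewritten block, because the skip lengths (192 and 128) keep the pattern aligned to 64-byte boundaries.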

Wednesday, 7 September 2022

2 Factor Proxy Bypass

In the never ending game of cat and mouse, cyber criminals have found a way to bypass two-factor authentication. While this application is new, the underlying techniques are not. By simply combining a normal phishing site with a proxy, malicious actors are able to intercept two-factor auth codes and authenticated cookies.

Standard phishing emails are used, with messages asking people to update their passwords, log in to confirm an account, etc. Previously, when someone browsed to those malicious sites via the links, they would enter their account name and password. The malicious actor would harvest those credentials, and could try to use them to gain access to accounts on many sites. Two-factor authentication, when used properly, would prevent the malicious login since the attacker would never receive the authentication code. Now, with this new application of old techniques, they're able to steal not only the credentials, but also the two-factor code and even authenticated session cookies.

The proxy bypass technique would look something like this:

(image credit to Resecurity)

  1. A user receives a phishing email, clicks the malicious link, and enters their credentials
  2. The link sends the connection through a proxy server to the actual website (Microsoft login, Google login, etc)
  3. A legitimate MFA page is proxied back to the user from the website that's being intercepted by the proxy
  4. The user puts in their two-factor authentication code, which is sent via the proxy to the legitimate website. At this point, the two-factor auth code can be considered compromised
  5. Website returns an authenticated session cookie to the proxy, which is relayed to the user's browser. At this point, the malicious actor has the authenticated session cookie, username, password, and two-factor code and can log in to the actual site as the victim
  6. The user is redirected to another page. It's likely that the legitimate Microsoft, Google, or other site is loaded

In short, the user starts a TLS session that appears to connect to the target website. That TLS session actually terminates at the malicious proxy, which can therefore decrypt it. The malicious proxy then opens its own TLS session to the target website and continues to sit in the middle, intercepting all communications between the victim and the target site.

As reported by The Hacker News, PhaaS (phishing-as-a-service) toolkits utilizing this method are being sold. One example is EvilProxy, which costs as little as $400 / month.
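From the defender's side, the one thing the legitimate site can observe in step 5 is that the cookie it issued to the proxy's address is later presented from somewhere else. The following is an added example (not code from the post, Resecurity, or any vendor) that runs that check over a constructed identity-provider log; the log format and field names are my own.

```python
from collections import namedtuple

AuthEvent = namedtuple("AuthEvent", "ts event user session ip")

# Constructed identity-provider log (not from the post). During a proxied
# login the real site only ever sees the proxy's address for the password,
# the MFA code and the cookie issuance; the cookie is later presented from
# wherever the operator actually uses it. alice is the proxied victim,
# bob is a normal login.
SAMPLE_LOG = """\
2022-09-07T09:00:01Z login_password_ok alice sess-A 203.0.113.10
2022-09-07T09:00:09Z mfa_ok alice sess-A 203.0.113.10
2022-09-07T09:00:10Z session_issued alice sess-A 203.0.113.10
2022-09-07T09:03:42Z request alice sess-A 198.51.100.77
2022-09-07T09:04:01Z request alice sess-A 198.51.100.77
2022-09-07T09:10:00Z login_password_ok bob sess-B 192.0.2.5
2022-09-07T09:10:05Z mfa_ok bob sess-B 192.0.2.5
2022-09-07T09:10:06Z session_issued bob sess-B 192.0.2.5
2022-09-07T09:12:00Z request bob sess-B 192.0.2.5
"""


def parse_log(text):
    """One AuthEvent per well-formed line; malformed lines are skipped so a
    single bad record cannot stop the detector."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        events.append(AuthEvent(*parts))
    return events


def detect_session_reuse(events):
    """Flag each session whose cookie is presented from an address other
    than the one it was issued to. Returns one tuple per session:
    (user, session, issued_ip, first_foreign_ip, timestamp)."""
    issued_to = {}
    flagged = set()
    findings = []
    for ev in events:
        if ev.event == "session_issued":
            issued_to[ev.session] = ev.ip
        elif ev.event == "request" and ev.session in issued_to:
            origin = issued_to[ev.session]
            if ev.ip != origin and ev.session not in flagged:
                flagged.add(ev.session)
                findings.append((ev.user, ev.session, origin, ev.ip, ev.ts))
    return findings


if __name__ == "__main__":
    for user, session, issued, used, ts in detect_session_reuse(parse_log(SAMPLE_LOG)):
        print(f"{ts} {user}: cookie {session} issued to {issued} but used from {used}")
```

Treat this as one signal, not a verdict: if the operator reuses the cookie from the same host that ran the proxy, the address never changes and this check is silent, so it belongs alongside user-agent and device-fingerprint changes and impossible-travel distance. The structural fix is an authenticator bound to the origin (FIDO2/WebAuthn), because the assertion the browser produces for the phishing domain is not valid for the real site and the proxy has nothing to relay.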

Friday, 6 March 2020

Macro enabled .slk malware distribution

I came across a nasty campaign which utilizes macro enabled .slk "Excel" file attachments.

Here's the email, sans any identifying information

There are no grammar errors, but we do have some odd wording common to phishing campaigns: "kindly verify", "with gratitude".

It's unlikely that someone is going to send a business invoice from a hotmail.com address, which is a big indicator that this is bad.

The Excel icon for the attachment is quite convincing. .slk is a Symbolic Link (SYLK) file, a plain-text format used to exchange data between spreadsheets and various other software.

The sheet opens to a pretty standard looking "Enable macros to view content" message, common to macro enabled maldocs.


Here's a snip of the code in the .slk

It appears to use EEXEC to open a command prompt that loads the hxxp://phpimagehost dot com page. From this page, aGNEs.bat is downloaded into the local %temp% folder. EEXEC is used again to run aGNEs.bat, which is where malware would be loaded onto the target system.

I didn't enable macros, so I didn't see the end result. MalwareHunterTeam found that the payload was the NetSupport Manager RAT, which can give someone full access to the affected system.
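Because SYLK is plain text, a mail gateway or triage script can look for exactly the construct described above without opening the file in Excel: a cell record (`C`) whose expression field (the leading `E` in "EEXEC") calls a function that launches or loads code. The following scanner is an added example, not the post's code; the sample .slk content is constructed with placeholder commands and a placeholder URL, and the list of flagged functions is mine (EXEC from the post, plus its well-known Excel 4.0 siblings CALL, REGISTER and RUN).

```python
import re

# Excel 4.0 macro functions that can launch or load external code.
SUSPICIOUS_FUNCTIONS = ("EXEC", "CALL", "REGISTER", "RUN")

# Constructed .slk modelled on the post's description. The command text and
# URL are placeholders, not the campaign's.
SAMPLE_SLK = """\
ID;PWXL;N;E
C;X1;Y1;K"Enable macros to view content"
C;X1;Y2;EEXEC("cmd /c echo placeholder-download hxxp://example.invalid/page")
C;X1;Y3;EEXEC("%temp%\\placeholder.bat")
C;X1;Y4;EHALT()
E
"""

# Constructed benign sheet: a value cell and an ordinary formula.
BENIGN_SLK = """\
ID;PWXL;N;E
C;X1;Y1;K"Amount"
C;X2;Y1;K42
C;X2;Y2;ESUM(R1C2:R1C2)
E
"""


def parse_sylk_records(text):
    """Split SYLK into (record_type, fields): one record per line,
    ';'-separated fields, the first field being the record type."""
    records = []
    for line in text.splitlines():
        line = line.rstrip("\r")
        if not line:
            continue
        fields = line.split(";")
        records.append((fields[0], fields[1:]))
    return records


def cell_expression(fields):
    """Return (column, row, expression) for a C record. The expression is
    None for plain value cells. Everything from the E field onward is kept
    together in case the formula itself contains ';'."""
    col = row = expr = None
    for i, field in enumerate(fields):
        if field.startswith("X"):
            col = field[1:]
        elif field.startswith("Y"):
            row = field[1:]
        elif field.startswith("E"):
            expr = ";".join(fields[i:])[1:]
            break
    return col, row, expr


def scan_sylk(text):
    """One finding per cell whose formula calls a suspicious function."""
    findings = []
    for rtype, fields in parse_sylk_records(text):
        if rtype != "C":
            continue
        col, row, expr = cell_expression(fields)
        if expr is None:
            continue
        for fn in SUSPICIOUS_FUNCTIONS:
            if re.search(r"\b" + fn + r"\s*\(", expr, re.IGNORECASE):
                findings.append({"cell": f"R{row}C{col}", "function": fn, "expression": expr})
                break
    return findings


if __name__ == "__main__":
    for hit in scan_sylk(SAMPLE_SLK):
        print(f"{hit['cell']}: {hit['function']} -> {hit['expression']}")
    print("benign findings:", scan_sylk(BENIGN_SLK))
```

Run against the constructed sample it reports the two EXEC cells (rows 2 and 3) and nothing for HALT or for the benign sheet. A check like this complements, rather than replaces, the macro-blocking policy described below, since it only sees what is literally in the attachment and cannot follow the download.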

Here's the whois for that domain

It's noteworthy that the domain was registered on 3/4 and the phish was on 3/5. The phpimagehost page has already been taken down.

At my company we disable macros in macro enabled Excel and Word files from online sources. This attack wouldn't have executed. Moving forward, we may block all emails with .slk attachments since some employees do have to enable macros.

VT results from the .slk attachment


Wednesday, 5 February 2020

Invoice Credential Stealer


I've got another credential stealing phish today.

I'm rating this at a 2/5 - it's boring, basic, and very predictable.

The links are masquerading as an invoice, in hopes of tricking a recipient who wants to make a sale into clicking them.

Both the View and Invoice_05_02_2020 links point to the same domain - hxxps://share.getcloudapp.com/ - but to different subpages within it.

When either link is clicked, this page loads.


So far, nothing obviously malicious is going on.

The next page loads a few options for email providers. This is where the deception really starts.
When the links to providers are clicked, a fake "Sign in" page appears that takes the email address and password but doesn't actually sign in to anything.

This is where clickers get compromised - they may enter their email address and password, the login fails, they try again thinking they typed their password incorrectly, and the loop continues until they give up.

At this point, the phisher has usernames and passwords.


Multifactor authentication can still protect victims - they would start receiving verification texts, calls, or app prompts and would hopefully not take actions that could let the phisher in.

I suggest SMS for verification codes to my less tech savvy coworkers. There is no reasonable way for the user to accidentally allow a verification attempt - they would have to give that code to the hacker. A sophisticated attacker could use a SIM swap attack to circumvent this, or could simply call the user, present themselves as someone of importance, and ask for the code.

The phone call method where a user just has to press # to verify isn't secure. A hacker may cause back to back calls, and a frustrated person may just press # to make the calls stop.

For my more tech savvy coworkers, I like to suggest the Microsoft authentication app. Once configured, they get a push notification on their cellphone to approve / deny the login attempt. This relies on the user being smart enough to know when to expect a verification prompt, so I wouldn't suggest it for 


Methods
  • Urgency - nobody wants to be late on an invoice

IOCs
  • Invoice coming from an unknown contact
  • The invoice isn't attached as a PDF

Noteworthy Whois Data
  • There is no whois data for the final site that steals credentials




Tuesday, 4 February 2020

Your email password expires today


Here we have a fairly boring phish.

The page it links to was already 404'd by the time I got to it. I suspect it was a credential stealing website - it discusses changing a password, which means it probably had a password field that steals whatever is typed in.



Methods:
  • Urgency
    • Expires in 24 hours
  • Intimidation
    • Severity: High


IOCs

  • Sender address is not from the corporate domain
  • Grammar errors
  • Strange font

Noteworthy Whois Data
  • Domain created the same day the phishing email was sent 2/4
  • Registrant Country: Panama
