NanoCore RAT

It’s been discovered that a Remote Access Trojan (RAT) named NanoCore has been cracked again. These cracked copies are being heavily distributed via the deep and dark web. Due to the fact that malicious actors are now able to obtain this RAT for free, there has been a spike of observed NanoCore infections. For example, it was recently reported that the cracked copies are being leveraged in phishing attacks against energy companies. Unfortunately, we anticipate that the attempted use of this RAT will increase over the next few weeks.
However, there is some good news regarding the spread of NanoCore. First, the observed methods for deploying this malware do not seem to be very complicated. The attacks appear to be leveraging basic e-mail phishing which can be prevented by tuning spam filters and performing security awareness training with staff. Second, the attacks appear to be attempting to exploit vulnerabilities that are 2-3 years old. Your organization’s workstations should already have patches installed that will prevent the malware from being deployed. Finally, several commercial IDS/IPS systems are already able to detect this RAT. To ensure that your organization is protected, be sure to verify that your IDS/IPS/AV signatures are up to date.
We are more than happy to answer any questions that you might have about this RAT. Feel free to contact us by emailing <info> at microsolved.com

3 Things I Learned Talking to InfoSec People About Crime

Over the last several years, I have given many many talks about the behavior of criminal rings, how the criminal underground operates and black market economics. I wanted to share with my audiences some of the lessons I have learned about crime. Many people responded well and were interested in the content. Some replied with the predictable, “So what does this have to do with my firewall?” kind of response. One older security auditor even went so far as to ask me point blank “Why do you pay attention to the criminals? Shouldn’t you be working on helping people secure their networks?”  I tried to explain that understanding bad actors was a part of securing systems, but she wouldn’t hear of it…

That’s OK. I expected some of that kind of push back. Often, when I ask people what they want to hear about, or where my research should go, the responses I get back fall into two categories: “more of the same stuff” and “make x cheaper”, where x is some security product or tool. Neither is what I had in mind… :) 

Recently, I announced that I was taking this year off from most public speaking. I don’t think I will be attending as many events or speaking beyond my podcast and webinars. Mostly, this is to help me recover some of my energy and spend more time focused on new research and new projects at MicroSolved. However, I do want to close out the previous chapter of my focus on Operation Aikido and crime with 3 distinct lessons I think infosec folks should focus on and think about.

1. Real world – i.e.” “offline” crime – is something that few infosec professionals pay much attention to. Many of them are unaware of how fraud and black markets work, how criminals launder money/data around the world. They should pay attention to this, because “offline” crime and “online” crime are often strongly correlated and highly related in many cases. Sadly, when approached with this information – much of the response was – “I don’t have time for this, I have 156,926 other things to do right now.”

2. Infosec practitioners still do not understand their foes. There is a complete disconnect between the way most bad guys think and operate and the way many infosec folks think and operate. So much so, that there is often a “reality gap” between them. In a world of so many logs, honeypots, new techniques and data analysis, the problem seems to be getting worse instead of better. Threat intelligence has been reduced to lists of IOCs by most vendors, which makes it seem like knowledge of a web site URL, hash value or IP address is “knowing your enemy”. NOTHING could be farther from the truth….

3. Few infosec practitioners can appreciate a global view of crime and see larger-scale impacts in a meaningful way. Even those infosec practitioners who do get a deeper view of crime seem unable to formulate global-level impacts or nuance influences. When asked how geo-political changes would impact various forms of crime around the world, more than 93% of those I polled could only identify “increases in crime” as an impact. Only around 7% of those polled could identify specific shifts in the types of crime or criminal actors when asked about changes in the geo-political or economic landscapes. Less than 2% of the respondents could identify or correlate accurate trends in response to a geo-political situation like the conflict in Ukraine. Clearly, most infosec folks are focused heavily ON THIER OWN STUFF and not on the world and threats around them.

I’m not slamming infosec folks. I love them. I want them to succeed and have devoted more than 20 years of my life to helping them. I will continue to do so. But, before I close my own chapter on this particular research focus, I think it is essential to level set. This is a part of that. I hope the conversation continues. I hope folks learn more and more about bad actors and crime. I hope to see more people doing this research. I hope to dig even deeper into it in the future.

Until then, thanks for reading, stay safe out there, and I will see you soon – even if I won’t be on stage at most events for a while. ;)

PS _ Thanks to all of the wonderful audiences I have had the pleasure to present to over the years. I appreciate and love each and every one of you! Thanks for all the applause, questions and, most of all, thanks for being there!  

How to Make InfoSec Infographics

Infographics are everywhere! And people either love them or hate them.

That said, many security teams have been asking about building infographics for awareness or communicating threat data to upper management in quick easily-digestible bites. To help with that, we thought we would tell you what we have learned about how to make infographics – as a best practice – so you won’t have to suffer through the mistakes we and others in the security field have already made. :)

So, at a high level, here is what you need to know about making infographics on security topics:

What are infographics & why are they useful?

Infographics are a visual representation of data and information; it is a quick way to look at a lot of in-depth information and get a clear understanding of it. They are used to communicate data in a way that is compact and easy to comprehend and also provide an easy view of cause and effect relationships. Infographics are visually appealing and are composed of three elements:
- visual (color, graphics, reference icons)
- content (time frame, statistics, references)
- knowledge (facts)

Best practices for building infographics: 

- Simplicity: clean design that is compact and concise with well organized information
- Layout: Maximum of 3 different fonts
- Colors: choose colors that match the emotions you are trying to convey. The background should blend with the illustrations
- Boundaries: limit the scope of your information. Attention span is short so try to answer only one question per infographic

The main best practice we have learned is: Keep It Simple! Focus on just a few salient points and present them in interesting tidbits. Use templates, they are available all over the web for your publishing or office platform. Remember, the purpose of infographics is to peak interest in a discussion, not serve as the end-all, be-all of presenting data to the audience.

Let us know your success stories or tell us what you have learned about infographics on Twitter (@lbhuston or @microsolved). Thanks for reading!

Using TigerTrax During the Pre-Negotiation Phase of an M&A

Throughout my career, I have worked for organizations that have purchased and integrated 4 companies. The acquired companies ranged from an organization with revenues of less than $3 million per year to a publicly traded company with annualized revenues of almost $1 billion. While the acquisitions all carried their own set of challenges, they remain among the highlights of my career.

Unfortunately, TigerTrax did not exist while I was working to integrate the IT systems of the aforementioned organizations. However, if it did, the entire process would have been significantly easier to manage. Our clients frequently leverage TigerTrax during each phase of the M&A process. However, I think they find the most value during the pre-negotiation phase. TigerTrax has helped our clients identify everything from an organization’s breach history to employee morale. All of this valuable intelligence can be obtained before an offer is made.

Here are a few other ways that TigerTrax is commonly used during the pre-negotiation phase of an M&A:

  • Using data obtained during a passive network assessment to help understand the security posture and technology footprint of the organization
  • Identifying whether the organization has been recently targeted by attackers or is demonstrating any indicators of compromise
  • Obtaining a list of key players associated with the company along with determining whether or not they are affiliated with any organizations or activities that could harm your company’s reputation
  • Discovering any legal, reputational, financial or operational risks associated with the prospective company

If you have any questions about how you can levere TigerTrax to gather intelligence to help reduce the risk associated the M&A lifecycle, feel free to contact us by emailing <info> at microsolved.com.

Hiring Data Analysts Who Love Security

MSI is growing again! We are interested in talking to folks about a full time position in our Columbus HQ to help our Intelligence Team.

If you dig being heads down with data, performing deep research and chasing threats around the Internet, this is the gig for you! These folks will be focused primarily on threat profiling, research of companies, crime rings and security news from around the world. The job requires you be familiar with Linux,  have an understanding of information security and to be a power user of the Internet. You should also enjoy python, BASH scripting, command line kung fu and staying bleeding edge current on security happenings. Light public speaking on webinars and conference calls, familiarity with the Mac and excellent writing skills are also preferred.

MSI is an interesting place to work. Our team is seriously dedicated to helping our clients. We are known for doing excellent work, thinking outside the box, going deep into a problem and laser focusing on customer success. Our conversations among team members are fast and full of high density data exchange. It is exciting, fulfilling and demanding work, but we do it with joy, precision and mindful innovation!

Sound like something you might enjoy? If so, get in touch. Send your resume and a cover letter that explains why you are the best choice for our team to info@microsolved.com. You can also touch base with me on Twitter if you have questions (@lbhuston). We hope to hear from you if you truly love deep diving on data and hammering out the truth from content all around the web!

PS – Don’t worry, we know we have to train you. We are looking for people with strong core skills, an eagerness to learn and out of the box thinking. We’ll teach you the rest… :)

Lots of PHP Web Shells Still Circulating

Many PHP-based web shells are still making the rounds, and while many of them are based on old code, mutations, customizations and updates abound. They are so common, that new variants and modified versions are often seen at the rate of about 10 a day in our TigerTrax Threat Intelligence systems and honeypots.

Variants exist for a wide variety of platforms and human languages, many with some very nasty features and even some cool ASCII art. There are many variants for attackers to choose from for just about any of the popular PHP-based content management platforms. From WordPress to Joomla and beyond to the far less common apps, there are easily used exploits and shell kits widely available.

If you run a PHP-based site or server, it’s a good idea to keep an eye on the file system changes and watch closely for new files being uploaded or added. Pay particular attention to those using the “base64_decode” function, since it is so common among these tools.

Thanks for reading, and until next time, stay safe out there! 

Malware Can Hide in a LOT of Places

This article about research showing how malware could be hidden in Blu-Ray disks should serve as a reminder to us all that a lot of those “smart” and “Internet-enabled” devices we are buying can also be a risk to our information. In the past, malware has used digital picture frames, vendor disks & CD’s, USB keys, smart “dongles” and a wide variety of other things that can plug into a computer or network as a transmission medium.

As the so called, Internet of Things (IoT), continues to grow in both substance and hype, more and more of these devices will be prevalent across homes and businesses everywhere. In a recent neighbor visit, I enumerated (with permission), more than 30 different computers, phones, tablets, smart TV’s and other miscellaneous devices on their home network. This family of 5 has smart radios, smart TVs and even a Wifi-connected set of toys that their kids play with. That’s a LOT of places for malware to hide…

I hope all of us can take a few minutes and just give that some thought. I am sure few of us really have a plan that includes such objects. Most families are lucky if they have a firewall and AV on all of their systems. Let alone a plan for “smart devices” and other network gook.

How will you handle this? What plans are you making? Ping us on Twitter (@lbhuston or @microsolved) and let us know your thoughts.

Podcast Episode 2 is Now Available

In this episode we sit down with Mark Tomallo, from Panopticon Labs, and RSA’s Kevin Flanagan. We discuss mentoring, online crime, choosing infosec as a career and even dig out some tidbits from Mark about online gaming fraud and some of the criminal underground around the gaming industry. I think this is a very interesting and fun episode, so check it out and let us know what you think on Twitter (@microsolved, or @lbhuston). Thanks for listening! 

Listen Here:

Pay Attention to this Samba Vulnerability

We have a feeling that this recent Samba vulnerability should be at the top of your mind. We are seeing a lot of attention to this across a variety of platforms and we wanted to make sure you saw it. It should be patched as soon as possible, especially on highly sensitive data stores and critical systems.

Let us know if you have any questions.

Keep Your Hands Off My SSL Traffic

Hey, you, get off my digital lawn and put down my binary flamingos!!!!! 

If you have been living under an online rock these last couple of weeks, then you might have missed all of the news and hype about the threats to your SSL traffic. It seems that some folks, like Lenovo and Comodo, for example, have been caught with their hands in your cookie jar. (or at least your certificate jar, but cookie jars seem like more of a thing…) 

First, we had Superfish, then PrivDog. Now researchers are saying that more and more examples of that same code being used are starting to emerge across a plethora of products and software tools.

That’s a LOT of people, organizations and applications playing with my (and your) SSL traffic. What is an aging infosec curmudgeon to do except take to the Twitters to complain? :)

There’s a lot of advice out there, and if you are one of the folks impacted by Superfish and/or PrivDog directly, it is likely a good time to go fix that stuff. It also might be worth keeping an eye on for a while and cleaning up any of the other applications that are starting to be outed for the same bad behaviors.

In the meantime, if you are a privacy or compliance person for a living, feel free to drop us a line on Twitter (@lbhuston, @microsolved) and let us know what your organization is doing about these issues. How is the idea of prevalent man-in-the-middle attacks against your compliance-focused data and applications sitting with your security team? You got this, right? :)

As always, thanks for reading, and we look forward to hearing more about your thoughts on the impacts of SSL tampering on Twitter!