National Cybersecurity
Awareness Month

The goal of National Cybersecurity Awareness Month is to educate individuals and organizations on how to detect and avoid cyberattacks, and be safer and more secure online. Lastline is pleased to contribute our information and expertise towards accomplishing this important goal. This year we’re sharing three types of information:

  1. “Did You Know…” examples of attacks that highlight the wide scope of threats against we all must defend.
  2. “I remember when…” stories that remind us all of how good the bad guys have become.
  3. (Just for fun) Weekly Death Matches that pit two similar strains of malware against each other, with the public voting on which is the nastiest.

Week 3

Who Can Secure Self-driving Cars from Potentially Malicious Hacks?

Any computerized system that has an interface to the outside world is potentially hackable. But why would someone want to hack into a car’s computer systems? One answer is to use the car as a weapon, causing a crash. One example of how this could be done is that the car’s machine learning system could be polluted so that a road sign that looks like a stop sign to a human might look like a different sign to the car. And there are examples of successfully hacking autonomous cars. So, who’s responsible for ensuring these vehicles of the future are safe? Lastline co-founder Engin Kirda thinks this issue can’t be solved with government regulation alone – the systems are simply too complex. What do you think?

Who is best able to secure autonomous cars? (Not who should, but who can?)

Week 2

Change is the Only Constant in Life, and in Security

In our Q417 Malscape Report we presented data on the different tactics in use by attackers and how they differ from region to region. As we go through 2018 we may be witnessing some changes that highlight how quickly attackers adapt their techniques in response to improvements in security technologies. The US is the most mature market on the planet in terms of security, and is where the early adopters and front runners of new technology deployments are most prevalent. The Anti-Virus industry has evolved over the last year or so to include new Artificial Intelligence and math-based solutions to prevent new executable files from evading threat analysis, and it seems to be working. So, attackers needed to up their game. Since we conducted our study, we are already seeing fewer .exe payloads delivered in the US by lure documents. The success of the prevention strategy of math-based static analysis has had a side effect, however – instead of solving the problem it has changed the problem. We now see more diverse file types and a retooling of attack payloads into different scripting languages to subvert the math.

Week 1

Cyberattacks against ships at sea. Is no one safe?

To kick off National Cybersecurity Awareness Month we thought we’d offer a story about a target that, in all likelihood, few of you have considered: container ships at sea. Yes, indeed cybercriminals are launching malware-based attacks against ships with at least two possible objectives: 1) If a criminal can compromise a ship’s systems, such as their navigation or communication system, the shipping company will very likely pay a ransom because of the very dire consequences of those systems being down. They could end up dramatically off course, for example. Or the crew, who is away from loved ones for months at a time, can become completely cut off. And 2) Criminals have accessed files containing details of the containers on board, and rearranged the container numbers so that their illicit contraband that’s in one of the containers is seen as a benign shipment that is less likely to draw attention and get inspected. One of Lastline’s partners, GTMaritime, provides technolgy to ensure vessel compliance, communications, and overall business operability, including threat protection, so that the world’s shipping fleets, and the goods they carry that we’re all anxious to purchase, arrive at their intended destination on time, and safe from criminal tampering. Here’s a recent article on GTMaritime.

When Malware Authors Started Packing Multiple Techniques Together: Conficker

I remember when… malware was singular in nature. That is, it really only had one malicious technique. How times have changed… Looking back in the day compared to the present, malware has matured to evade, disguise, and utilize multiple advanced malware techniques. This is true of Conficker, which was the first of this type, way back in 2008. Conficker targeted Microsoft Windows flaws within the OS and preformed dictionary attacks on passwords to propagate while also creating a botnet. Conficker also utilized many advanced malware techniques that were difficult at the time to counter. Millions of devices were infected because the virus changed its propagation and strategy from version to version. Today this is all too common, and as malware detection capabilities improved, so did evasion techniques, which is the subject of one of our recent blog posts.

Week 2

The First Major Attack by Fileless Malware: SQL Slammer

I remember when… little was heard of fileless malware, which is malware that resides only in memory and does not install on the disk. That was until the novel SQL Slammer worm hit in early 2003, targeting Microsoft’s SQL Server Resolution Service listening on UDP port 1434. SQL Slammer was so small that it didn’t have to write to disk and therefore stayed in memory. The novelty at the time was that it attacked a service, which caused a denial of service of numerous routers across the world given the bombardment of traffic from these infected machines. What compounded the problem was the reactionary routing table updates caused additional routers not in the line of attack to fail. The Internet had to be rebooted. Fast forward 15 years and fileless malware is rampant and evasive, now targeting multiples services and users for monetary gain. To learn more about this, you might be interested in a recent article in Intelligent CISO by Lastline Co-founder and Chief Product Officer, Christopher Kruegel. Chris’ tips for detecting fileless malware include looking for security options that can pick up malicious behavior at the network level. Good overall cybersecurity hygiene will also help, for instance, patching of disclosed vulnerabilities or policies to ensure infected machines are identified and quarantined swiftly.

Week 1

When a Love Letter Was Not So Loving: The I Love U Virus

I remember when…we could trust email from our personal contacts. Yes, there was a time… back in the day. In the 1990’s, email gained popularity and soon the world heard and would become mesmerized by, “You’ve got Mail.” Back in the day, we trusted the email senders just like we trusted senders of physical mail until one fateful day in the year 2000 when tens of millions opened an email from a trusted contact with a subject line of “I Love You.” Yep, your boss, mom, daughter, best friend and colleague loves you and you opened the attachment LOVE-LETTER-FOR-YOU.txt.vbs. The vbs extension, hidden by default on Windows, was executed and began to worm its way sending a copy of itself to all the addresses in your address book while overwriting random types of files on your computer. While this was certainly a nuisance, it was not particularly damaging – no files were encrypted or deleted. Fast forward to today where email is rampant with malicious intent that is far more sophisticated and damaging than what became know as the I Love U virus. Who can you truly trust and how do you dodge the endless attacks launched via email? Here is some useful infomation about the more pervasive email threats, and how to protect against them.

Malware Death Match

What’s the biggest, meanest, nastiest piece of malware? Our Death Match pits two notorious strains against each other, only one of which will emerge from this epic struggle. So, place your vote – what’s the baddest of the bad? The winner will be decided at midnight on Saturday, at which time the next two combatants will enter the ring.

Ordinypt

While appearing to be ransomware targeting German speaking users, Ordinypt is really a wiper, destroying all data. It looks for documents, pictures, archives, and other files containing sensitive information, and then fills them with garbage strings. Having done that, it asks for 0.12 Bitcoin ransom (~$770) to be transferred to a specific Bitcoin address. There were no attempts of transferring ransom so far. Even though the text, asking for ransom, is written in high grade German, obviously targeting German speakers, malware is able to run on any system, which makes it even more dangerous.

Vote for Death Match Round 3

Olympic Destroyer

Olympic Destroyer is a multi-component threat that firstly appeared during the opening ceremony of the 2018 Winter Olympic Games in Pyeongchang. There are several independent payloads stored in encrypted form in the resources of the main module. Each of them is responsible for its own task, including: wiping out the data from the network shares, deleting backups, disabling Windows services, and stealing browser and system credentials. The later is achieved via a Mimikatz-like DLL executed reflectively using a custom loader. For the lateral movement, like Petya Ransomware, it propagates via remote WMI and PsExec using freshly harvested system credentials.

Week 2

LoJack

The Absolute LoJack malware made multiple headlines over the past few years for being one of the most advanced espionage campaigns. While LoJack is initially a legitimate software intended to monitor and track devices in case of theft, some samples were maliciously modified and deployed. Experts associate with moderate confidence this campaign with APT28 threat actor, also known as Fancy Bear or Sednit. It is a sophisticated implant that distinguishes itself for being particularly low level and being already present on some brand new laptops. This threat is still active, and being actively monitored as new functionality are being discovered.

Death Match Round 2 Results

Volgmer

Volgmer is a backdoor malware used by the North Korean government as part of their malicious cyber activity referred to as HIDDEN COBRA. It is designed to provide covert access to a compromised system. Since at least 2013, HIDDEN COBRA actors have been observed using Volgmer malware in the wild to target the government, financial, automotive, and media industries. Before installed, Volgmer detects Antiviruses and analysis tools, and does not proceed if it finds one of them in the system. It can also evade detection of some modern security solutions such as sandboxes. Overall, these capabilities make it a non-trivial effort to detect it.

Week 1

Petya

A family of ransomware that targeted Microsoft Windows boot records that encrypted the hard drive’s file system table that prevented Windows from booting. Petya installed its own boot loader which overrode the victim’s system’s master boot record and then encrypted the master file table. The victim’s files were still there and still unencrypted but given that the computer can’t access the boot record to boot, they might as well be lost. A Bitcoin payment is demanded to decrypt the hard drive. ($300M for Maersk, not a pervasive infection rate)

Death Match Round 1 Results

Not Petya

A family of malware looking like ransomware primarily targeting Ukraine. This variant utilized the ExternalBlue exploit, believed to be developed by the U.S. NSA. Self propogating, NotPetya encrypted everything and displayed a screen informing the victim to send a Bitcoin to a wallet. The recovery was a farce and NotPetya damaged the victim beyond repair. “$10B in damages.”
About Lastline
Lastline provides innovative AI-driven network and email security products that detect and defeat cyberattacks. We deliver automated detection, analysis, and response to completely remediate advanced threats before damaging and costly data breaches occur, with fewer resources and at lower cost. To learn more, please visit www.lastline.com.