Ransomware slows North Carolina County, officials refuse to pay hackers

Hackers were able to lock down several servers of North Carolina’s Mecklenburg County, which includes the city of Charlotte and surrounding areas, with ransomware on Wednesday, locking local officials out of computer systems that manage inmate populations, child support, and other social services. But despite the outages, the officials aren’t planning to pay the $23,000 ransom demanded by the hackers, believed to be in Ukraine or Iran, for the return of government files.
“I am confident that our backup data is secure and we have the resources to fix this situation ourselves,” Mecklenburg County manager Dena R. Diorio said in a statement on Wednesday. “It will take time, but with patience and hard work, all of our systems will be back up and running as soon as possible.”
Diorio said it would have taken days to restore the county’s computer system even if officials paid off the person controlling the ransomware, so the decision won’t significantly lengthen the timeframe.
Diorio said that officials made the decision after consulting with cybersecurity experts, who warned against negotiating with the hackers.
Data was frozen on dozens of servers after one of the county’s employees opened an email attachment carrying malicious software. The cyber attack forced county officials to revert to manual processes: deputies processed jail inmates by hand, the tax office turned away electronic payments, and building code inspectors switched to paper records.
Hackers on Thursday tried to attack the county’s computer systems again through fake email attachments but Diorio said there was no additional damage, The Associated Press reported. She added that the county was disabling employees’ ability to open attachments made by third-party sites.
Population numbers for Mecklenburg County jails are expected to rise, the county said on its website, because inmate releases have to be handled manually and the entire process is significantly slowed down. Calls to a domestic violence hotline can only go to voicemail, the AP reported, so counsellors have resorted to regularly checking the messages and trying to get back in contact with callers. The local tax office is also struggling to process payments.

DAST vs SAST – Dynamic Application Security Testing vs Static

In security testing, as with most things technical, there are two quite contrary methods: Dynamic Application Security Testing (DAST) and Static Application Security Testing (SAST).

Dynamic testing relies on a black-box, external approach, attacking the application in its running state as a real malicious attacker would.

Static testing is more white-box, looking at the source code of the application for potential flaws.

Personally, I don’t see them as ‘vs’ each other, but more like they complement each other – it’s easy to have SAST tests as part of your CI/CD pipeline with tools like Code Climate.

DAST – Dynamic Application Security Testing

There are also pros and cons for each methodology. With DAST you aren’t bound to any particular technology or language, but on the downside you are also limited to the parts of the application visible to the outside world.

An example of such a tool would be:

Wikto Scanner Download – Web Server Security Tool
Spaghetti Download – Web Application Security Scanner

It’s always good to simulate attacks from the outside with the kind of access a real-world attacker would have, but it doesn’t give you full visibility of the potential flaws in your system.

SAST – Static Application Security Testing

For SAST, a big con is that the toolset you are using needs to be language-specific and even framework-specific, for example tools we’ve mentioned before such as:

Brakeman – Static Analysis Rails Security Scanner
RIPS – Static Source Code Analysis For PHP Vulnerabilities

The upside to this is that you get full oversight of the app, libraries, dependencies and parts not visible to the outside world.
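To make the difference concrete, here is an added example (not code from this post, nor from Brakeman or RIPS, which target Rails and PHP respectively): a toy SAST rule in Python that walks the source tree and flags a database query sink fed a string assembled at runtime. The vulnerable and hardened snippets it scans are constructed for the demo; `find_user`, `cursor` and the `execute` sink name are assumptions.

```python
import ast

# Method names treated as SQL sinks (a real tool would load these from a rule set).
SINKS = {"execute", "executemany"}


def _is_dynamic_string(node: ast.AST) -> bool:
    """True if the expression builds a string at runtime (f-string, %, +, .format)."""
    if isinstance(node, ast.JoinedStr):
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return True
    return False


def find_sql_string_building(source: str):
    """Return (line, message) for each SQL sink whose first argument is built at runtime.

    This is the static view: no database, no running app, just the source text.
    It also shows the classic SAST trade-off: it sees every call site, but it
    cannot tell whether the runtime pieces are actually attacker-controlled, so
    a concatenation of two constants would be reported too (a false positive).
    """
    findings = []
    for node in ast.walk(ast.parse(source)):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr in SINKS and node.args
                and _is_dynamic_string(node.args[0])):
            findings.append((node.lineno,
                             f"{node.func.attr}() receives a string built at runtime; "
                             "pass values as query parameters instead"))
    return findings


# Constructed samples: the same lookup written three ways.
VULNERABLE = '''
def find_user(cursor, name):
    cursor.execute("SELECT id FROM users WHERE name = '" + name + "'")
    return cursor.fetchone()
'''

FSTRING = '''
def find_user(cursor, name):
    cursor.execute(f"SELECT id FROM users WHERE name = '{name}'")
    return cursor.fetchone()
'''

HARDENED = '''
def find_user(cursor, name):
    cursor.execute("SELECT id FROM users WHERE name = %s", (name,))
    return cursor.fetchone()
'''

if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE), ("f-string", FSTRING), ("hardened", HARDENED)):
        print(label, find_sql_string_building(src) or "no findings")
```

A rule like this is cheap to run on every commit, which is exactly why SAST fits a CI/CD pipeline; what it cannot do is tell you whether the flagged query is reachable from the outside, which is the question DAST answers.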

IAST – Interactive Application Security Testing

There is actually a combination of the two, a form of ‘greybox’ testing that combines the DAST approach with the SAST tooling by installing a sensor into the application itself.

A great example of this is Acunetix AcuSensor which is installed on the back-end and relays information during the DAST testing phase (so it acts as a whitebox DAST component).

You can read more in depth about this subject here:

DAST vs SAST: A Case for Dynamic Application Security Testing

Botconf 2017 Wrap-Up Day #3

And this is already the end of Botconf. Time for my last wrap-up. The day started a little bit later to allow some people to recover from the social event. It started at 09:40 with a talk presented by Anthony Kasza, from PaloAlto Networks: “Formatting for Justice: Crime Doesn’t Pay, Neither Does Rich Text“. Everybody knows the RTF format… even more since the famous CVE-2017-0199. But what’s inside an RTF document? As the name says, it is used to format text. It was created by Microsoft in 1987. It has similarities with HTML:

Groups are delimited with ‘{‘ and ‘}’. Example:

{\i This is some italic text}

There are control words like “\rtf”, “\info”, “\author”, “\company”, “\i”, “AK”, …. It is easy to obfuscate such a document with extra whitespace, headers or nested groups:

{\rtf {\info}} == {\rtf {{{\i,nfo}}}}

This means that writing signatures is complex. Also, just rename the document with a .doc extension and it will be opened by Word. How to generate RTF documents? There are the official Microsoft tools like Word or WordPad, but there are, of course, plenty of malicious tools:

  • 2017-0199 builder
  • wingd/stone/ooo
  • Sofacy, Monsoon, MWI
  • Ancalog, AK builder

What about analysis tools? Here also, it is easy to build a toolbox with nice tools: rtfdump, rtfobj, pyRTF, YARA are some of them. To write good signatures, Anthony suggested focussing on suspicious words:

  • \info
  • \object
  • DDEAUTO
  • \pict
  • \insrsid or \rsidtbl

DDEAUTO has been a good candidate for a while and is seen as the “most annoying bug of the year” for its inclusion in everything (RTF and other documents, e-mail, calendar entries…). Anthony finished his talk by providing a challenge based on an RTF file.

The next talk was presented by Paul Jung: “PWS, Common, Ugly but Effective“. PWS, also known as “info stealers”, are a very common type of malware. They steal credentials from many sources (browsers, files, registries, wallets, etc).

They also offer “bonus” features like screenshot grabbers or keyloggers. How to find them? Buy them, find a cracked one or use open-source ones. Some of them even have promotional videos on YouTube! A PWS is based on a builder that generates a specific binary from a config file; it is delivered via protocols like email or HTTP, and the stolen data is managed via a control panel. Paul reviewed some well-known PWS like JPro Crack Stealer, Pony (the most famous), Predator Pain and Agent Tesla. The last one promotes itself as “not being a malware”. Some of them support more than 130 different applications to steal passwords from. Some do not reinvent the wheel and just use external tools (ex: the Nirsoft suite). If it is difficult to detect them before the infection, it’s quite easy to spot them based on the noise they generate in log files. They use specific queries:

  • “POST /fre.php” for Lokibot
  • “POST /gate.php” for Pony or Zeus

Very nice presentation!
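The log-noise point lends itself to a worked example. The following Python is added here and is not from Paul’s talk: it parses access-log lines in the common/combined format (assumed to come from a web proxy or gateway that records outbound requests), keeps only POST requests to the gate paths the talk lists, and rolls the hits up per client host for triage. The five log lines are constructed for the demo.

```python
import re
from collections import defaultdict

# Request paths the talk lists as the tell-tale "noise" of specific families.
PWS_GATE_PATHS = {
    "/fre.php": "Lokibot",
    "/gate.php": "Pony / Zeus",
}

# Apache/nginx combined-style access log line (only the fields needed here).
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line: str):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    # Strip any query string so /gate.php?id=7 still matches /gate.php.
    fields["path"] = fields["target"].split("?", 1)[0]
    return fields


def hunt_pws_beacons(lines):
    """Map each PWS family to the POST requests that hit its known gate path.

    Only POSTs count: these families upload stolen data with POST, and a lone
    GET to the same path is usually something else (a crawler, a typo, a scan).
    """
    hits = defaultdict(list)
    for line in lines:
        f = parse_line(line)
        if f is None or f["method"] != "POST":
            continue
        family = PWS_GATE_PATHS.get(f["path"])
        if family:
            hits[family].append({"ip": f["ip"], "ts": f["ts"],
                                 "path": f["path"], "status": f["status"]})
    return dict(hits)


def hosts_to_triage(hits):
    """Collapse findings to {client_ip: {family: request_count}} for the SOC queue."""
    summary = defaultdict(lambda: defaultdict(int))
    for family, requests in hits.items():
        for req in requests:
            summary[req["ip"]][family] += 1
    return {ip: dict(fams) for ip, fams in summary.items()}


# Constructed sample log: two Lokibot-style beacons from one host, one Pony/Zeus-style
# beacon with a query string, a plain GET that must not match, and normal traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [07/Dec/2017:10:01:02 +0100] "GET /index.html HTTP/1.1" 200 512
10.0.0.7 - - [07/Dec/2017:10:01:09 +0100] "POST /fre.php HTTP/1.1" 200 44
10.0.0.7 - - [07/Dec/2017:10:06:09 +0100] "POST /fre.php HTTP/1.1" 200 44
10.0.0.9 - - [07/Dec/2017:10:02:33 +0100] "POST /gate.php?id=7 HTTP/1.1" 200 12
10.0.0.12 - - [07/Dec/2017:10:03:00 +0100] "GET /gate.php HTTP/1.1" 404 0
""".splitlines()

if __name__ == "__main__":
    hits = hunt_pws_beacons(SAMPLE_LOG)
    for family, requests in hits.items():
        print(family, [(r["ip"], r["ts"]) for r in requests])
    print(hosts_to_triage(hits))
```

In practice the path table grows into a rule set maintained alongside the rest of your detections; the value of the per-host roll-up is that a host beaconing every few minutes to the same gate path stands out immediately, whereas a single hit may be nothing more than a vulnerability scanner.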

After the first coffee refill break, Paul Rascagnères presented “Nyetya Malware & MeDoc Connection“. The presentation was a recap of the bad story that affected Ukraine a few months ago. It started with a phone call saying “We need help“. They received some info to start the investigation but their telemetry did not return anything juicy (Talos collects a huge amount of data to build their telemetry). Paul explained the case of M.E. Doc, a company providing a Windows application for tax processing. The company servers were compromised and the software was modified. Then, Paul reviewed the Nyetya malware. It used WMI, PsExec, EternalBlue, EternalRomance and scanned ranges of IP addresses to infect more computers. It also used a modified version of Mimikatz. Note that Nyetya cleared the infected host logs. This is a good reminder to always push logs to an external system to prevent losing pieces of evidence.

The next talk was about a system to track the Locky ransomware based on its DGA: “Math + GPU + DNS = Cracking Locky Seeds in Real Time without Analyzing Samples“. Yohai Einav and Alexey Sarychev explained how they solved the problem of detecting, as fast as possible, new variations of the domain names used by the Locky ransomware. The challenges were:

  • To get the DGA (it’s public now)
  • To be able to process a vast search space. The namespace could be enormous (from a 3-digit seed to 4, then 5, 6). There is a scalability problem.
  • Mapping the ambiguity (and avoiding collisions with other DGAs)

The solution they developed is based on GPUs (for maximum speed). If you’re interested in the Locky DGA, you can have a look at their dataset:

https://github.com/baderj/domain_generation_algorithms/tree/master/locky

The next talk was, for me, the best of the day because it contained a lot of useful information that many people can immediately reuse in their environment to improve the detection of malicious behaviour or to improve their DFIR process. It was titled “Hunting Attacker Activities – Methods for Discovering, Detecting Lateral Movements” and presented by Keisuke Muda and Shusei Tomonaga. Based on their investigations, they explained how attackers can perform lateral movement inside a network just by using standard Windows tools (which, by default, are not flagged as malicious by the antivirus).

They presented multiple examples of commands or small scripts used to scan, pivot, cover tracks, etc. Then they explained how to detect this kind of activity. They made a good comparison of the standard Windows audit log versus the well-known Sysmon tool. They presented the pros and cons of each solution and the conclusion could be that, for maximum detection, you need both. There were so many examples that it’s not possible to list them here. I just recommend you to have a look at the documents available online:

It was an amazing presentation!

After the lunch, Jaeson Schultz, also from Talos, presented “Malware, Penny Stocks, Pharma Spam – Necurs Delivers“. The talk was a good review of the biggest active spam botnet. Just some numbers collected from multiple campaigns: 2.1 messages, 1M unique sender IP addresses from 216 countries/territories. The top countries are India, Vietnam, Iran and Pakistan. Jaeson explained that the re-use of IP addresses is so low that it’s difficult to maintain blacklists.

IP Addresses Reuse

How do the bad guys send emails? They use harvested accounts (of course) but also auto-generated addresses and common / role-based accounts. That’s why the use of catch-all mailboxes is useful. Usually, big campaigns are launched from Monday to Friday and regular campaigns are constantly running at a low speed. Jaeson presented many examples of spam and attachments. Good review with entertaining slides.

Then, Łukasz Siewierski presented “Thinking Outside of the (Sand)box“. Łukasz is working for Google (Play Store) and analyzes applications. He said that all applications submitted to Google are reviewed from a security point of view. Android has many security features: SELinux, application sandbox, permission model, verified boot, (K)ASLR, Seccomp, but the presentation focused on the sandbox. First, why is there a sandboxing system? To prevent spyware from accessing other applications’ data, to prevent applications from posing as other ones, to make it easy to attribute actions to specific apps and to allow strict policy enforcement. But how to break the sandbox? First, the malware can ask users for a number of really excessive permissions. In this case, you just have to wait and cross your fingers that the user will click “Allow”. Another method is to use Xposed. I already heard about this framework at Hack in the Box. It can prevent apps from being displayed in the list of installed applications. It gives any application every permission but there is one big drawback: the victim MUST install Xposed! The other method is to root the phone, inject code into other processes and profit. Łukasz explained different techniques to perform injection on Android but it’s not easy. Even more since the release of “Nougat” which introduced new mitigation techniques.

The last slot was assigned to Robert Simmons who presented “Advanced Threat Hunting“. It was very interesting because Robert gave nice tips to improve the process of threat hunting. It can require a lot of resources that are … limited! We have small teams with limited resources and limited time. He also gave tips to better share information. A good example is YARA rules. Everybody has a set of YARA rules in private directories, on laptops, etc. Why not store them in a central repository like a gitlab server? Many other tips were given that are worth a read if you are performing threat hunting.

The event closed with the classic kind words from the team. You can already book your agenda for the 6th edition that will be held in Toulouse!

The Botconf Crew

Are you GDPR compliant? [Video]

As cyber crime rises globally, the European Union has decided to revise its data protection laws and introduce a unified model for everyone who processes customer data.

Those revisions take effect May 25th, 2018 under the General Data Protection Regulation, or GDPR.

The Regulation says that any organization handling “personally identifiable information” of any EU citizen must comply with new and improved data protection norms by May of next year.

According to a survey by SAS, awareness in government organizations is the lowest of any sector: only 26% of government organizations are aware of the impact of GDPR.

Privately held companies aren’t much better off. Most global organizations either lack a structured plan for compliance or they don’t fully know the consequences of not complying with the Regulation.

Companies found noncompliant may have to pay penalties of 4 percent of their annual revenue, or up to 20 million euros, whichever is higher.

Analysts estimate that last year’s fines would be 79 times higher under the new regulation. Studies indicate global organizations are entering murky waters. With only a few months to go, it’s high time everyone knew what they are up against.

Today, we’re going to look at five important steps that pave the way for GDPR compliance.

#1 Find out if the GDPR affects you

If your organization processes customer data – with full power over how that data is stored, managed and moved around – you are essentially a data controller. This means you must comply with GDPR rules and regulations. Now it’s important to develop and implement a data governance plan.

#2 Appoint a Data Protection Officer

Companies can pick a DPO from within their ranks, or they can outsource the role. This officer must act as a point-of-contact for authorities monitoring compliance.

#3 International data transfer

Special precautions are needed when personal data is transferred to countries outside the European Economic Area that do not provide the same standard of data protection as the EU.

Your organization needs to carefully consider the appropriate mechanism for each country to ensure compliance with the GDPR.

Remember that not every European country is an EU member state, so different levels of data protection may be required for different countries. And even if your business is not in the EU, you may still have to comply with the Regulation.

#4 Demonstrate accountability

To be compliant with the GDPR, you must prove that you can and will protect customer data. This can include:

  • creating new data protection policies
  • making data protection impact assessments
  • issuing documents on how data is processed
  • obtaining clear and express consent (or consent withdrawal) from your customers
  • and more

Speaking of customers…

#5 Be prepared for customers exercising their rights

Under the GDPR, data subjects can invoke the “Right To Be Forgotten.” This means EU citizens can have their personal data deleted from any records, upon request.

Your customers are also entitled to the right to receive a “Data Portability Notice” under the Regulation.

Data requests for personal information will be made free-of-charge.

Finally, you have to be fully prepared to handle a data breach, or your customers might sue you out of business.

According to UK information commissioner Elizabeth Denham, the new regulation is only a “step change” for organizations that already comply with existing data protection laws. But if recent studies are any indication, many organizations processing large pools of data are nowhere near compliant yet.

Bitdefender and its competitors are making it their job to educate global companies to help them comply by May 2018.

For more information on GDPR, visit businessinsights.bitdefender.com.