Monday, October 30, 2017

A well-formed Punycode camouflage technique leads to phishing attacks. “A phishing attack is not as easy to detect with the naked eye as you may think”


A simple browser vulnerability is used to mount a phishing attack.


Facts and stats:

A camouflaged web site, identical to the real site, was accessed on various browsers to identify how Punycode is handled. I decided to run the test on my local machine and the results are alarming. The Mozilla browser doesn't distinguish between the fake and the actual site.


Analysis of the SSL certificate.

A Punycode converter was used to camouflage the site's URL.

Finally: Google Chrome and IE have patched the issue. Mozilla has to act fast to patch it; meanwhile, the user can manually enable the Punycode flag in the browser.
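As an added example (not code from the original post), the following Python shows what the camouflage described above looks like once converted to Punycode, and a simple check a mail gateway or proxy could apply to decide whether a hostname should be shown in its xn-- form rather than as Unicode. The hostnames, the function names and the look-alike letter set are constructed for this example.

```python
import unicodedata

# Constructed subset of Cyrillic letters that render like Latin letters in common fonts
# (the full confusable tables are in Unicode TR39; this subset is enough for the demo).
CYRILLIC_LOOKALIKES = set("\u0430\u0435\u043e\u0440\u0441\u0443\u0445\u0456\u0458\u0455\u04cf")

def to_punycode(host: str) -> str:
    """Encode a Unicode hostname to its xn-- (ACE) form, which the Punycode flag displays."""
    return host.encode("idna").decode("ascii")

def to_unicode(host: str) -> str:
    """Decode an xn-- hostname to the Unicode string a browser may render in the address bar."""
    if host.isascii():
        return host.encode("ascii").decode("idna")
    return host  # already Unicode

def scripts_of(label: str) -> set:
    """Scripts used by the letters of one DNS label, read from Unicode character names."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}

def homograph_warnings(host: str) -> list:
    """Reasons to display host as Punycode instead of Unicode; an empty list means none found."""
    warnings = []
    for label in to_unicode(host.lower()).split("."):
        scripts = scripts_of(label)
        if len(scripts) > 1:
            warnings.append(f"{label!r} mixes scripts {sorted(scripts)}")
        elif scripts == {"CYRILLIC"} and all(
            ch in CYRILLIC_LOOKALIKES for ch in label if ch.isalpha()
        ):
            warnings.append(f"{label!r} consists only of Cyrillic look-alikes of Latin letters")
    return warnings

if __name__ == "__main__":
    # Constructed: "example" with its third letter replaced by Cyrillic a (U+0430).
    fake = "ex\u0430mple.com"
    ace = to_punycode(fake)                      # xn--exmple-4nf.com
    print(fake, "->", ace, homograph_warnings(ace))
    print("example.com ->", homograph_warnings("example.com"))
```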

Wednesday, July 26, 2017

Revenue model: ₹160 crores in 2 years through ransomware


Research suggests ransomware victims have paid over ₹160 crores in 2 years, according to a Google study. This shows ransomware attacks are getting sophisticated while digital transformation initiatives proceed without proper due diligence on defense-in-depth mechanisms. A simple query shows 1,838,142 systems which have SMB services exposed on the internet. This is a clear business opportunity for a ransomware boss. If he is able to get through 20% of the exposed SMB systems, I am sure it will be a huge revenue model without going through an MBA program :)



Should I pay the ransom?
  • The first option is to pay the ransom; however, it's like a lottery system: there is NO guarantee that the attacker (the boss) will release your files. First, identify the impact on the system and then follow the incident response management procedure.
  • Please don't encourage this crime by simply paying the money; rather, develop the required controls beforehand.


Friday, July 21, 2017

Human to Cyber Human: Our Journey to Future



A groundbreaking exploration of how cyberspace is changing the way we think, feel, and behave. In the coming years, cyber war will take precedence over humans; however, the execution model will change.



The technology shift will enable mankind to develop an ecosystem which is self-sustained, taking decisions that are not pre-programmed; it will become so powerful that it can self-develop its underlying operating instructions. If we look at technological advancement, it's very evident that technology is moving away from humans (storing data out of our control in the cloud, IIoT, analytics/correlation, machine learning and much more) and this race will take over all the controls. The future is not far where cyber humans will be controlling national cyber wars, using a cyber psychologist to predict cyber movements and behaviors. This is the phase where human and technology collide and cyber humans will take precedence. Let's look at the statistics below to map this idea:


The Internet is universal, always delivering rich, dynamic content: all day, all night, always on.

Internet usage expansion: statistics

  • 2000: 6.5 percent Internet usage
  • 2015: 43 percent of the global population
  • 2016: more than 3.2 billion people are now online

Internet device (phone) expansion in less than 10 years
  • 2005: more than 2 billion
  • 2015: 7 billion
Average time spent on the Internet
  • In the last 2 years the adoption of the Internet has increased to 65 percent
  • Mobile phone users check their devices more than 1,500 times a week. There are several apps that will count that for you, if you need a little help managing your habit; they also help to understand the cyber behaviors of the user. The cyber psychologist will study the human mind and its behavior in the online world and provide a roadmap for the larger community for cyber evolution.

Earlier in the confab, I emphasized my view that it's very evident that cyberspace is turning into a distinct space which is open to all. Let's first understand the analogy between the human and the cyber world, which will help to drive this discussion on the process of building the cyber human.

Human Body                                             | Cyber World
Virus                                                  | Virus
Flu/Ebola                                              | Malware/Ransomware
External infection leading to multiple organ failures  | DDoS and other distributed attacks
Self-healing                                           | Machine learning
The mind controls the body                             | Operating instructions control the system
The heart is the main component driving the functions  | The CPU drives the functioning

Human behaviors in cyberspace mutate, and hence cyber mutation will drive the shift towards the cyber human. So, in a nutshell, the implications of online experience and environment will drive this revolution whether or not you are actively participating.

Wednesday, July 6, 2016

3 Ways to Defend Against Ransomware, a Blooming Business across Different Industries

In continuation of the previous post, I will try to address how impactful ransomware would be across various sectors, and 3 ways to handle the scenarios below:
1. How to develop an IT border security force to combat it
2. What businesses should do if they are impacted: how to develop a security response mechanism if data is compromised and encrypted.
3. Innovation, or an innovative idea, to fight back against ransomware: a virtual-machine-based container inside the machine.

Summary: What happens during a ransomware attack?


It's an organized crime, as said in my previous blog post, where the attacker forms a small business unit to generate revenue through a marketing campaign. As part of this campaign, the attacker injects malware (using email attachments or any other social engineering technique) which hijacks your files and then demands that you pay in Bitcoin in order for them to be “released”.
Note: Bitcoin is a digital asset and a payment system that came into existence in 2009. Bitcoin uses peer-to-peer technology to operate with no central authority or banks; managing transactions and the issuing of bitcoins is carried out collectively by the network. Bitcoin is open-source; its design is public, nobody owns or controls Bitcoin and everyone can take part, and hence it's used for many criminal activities.
One should keep in mind that your system was not necessarily infected today or yesterday. It is possible that the malware code has been residing dormant for many years. So the process is not as straightforward as it looks!!!
Let's understand the “what if” scenarios across different verticals:
1. What if the attacker infects your core financial system and demands a ransom to release the transactional data files? The result is a financial crisis that will affect core financial transactions and cause havoc across citizens. Catastrophic impact, i.e. no business!, no food!, no life!!!
2. What if the attacker infects your healthcare-related information? The result is major havoc.
3. What if the attacker infects your police stations or criminal tracking system? This will result in no information being available about criminals.
Recently, reports are stacking up of police departments paying attackers ransoms (payments in the $300 to $500 range, made in Bitcoin) for the recovery of encrypted files and equipment.
The Tewksbury P.D. enlisted the help of the FBI, the Department of Homeland Security, the Massachusetts State Police, and private info security firms, all to no avail. After nearly five days of unsuccessful attempts to decrypt the locked systems, they decided to pay the attackers roughly $500 in Bitcoin.
4. What if the attacker infects your mobile platform? The result is citizens using mobile devices getting trapped in a cyber-attack which could affect the daily usage of the device.
A family of mobile malware called "Godless" has affected over 850,000 Android devices worldwide, with almost half of these devices in India alone. This malware puts 90% of Android devices at risk.
5. What if the attacker infects schools or universities? The complete student details will be at stake and a re-exam may need to be conducted. Or the students may lose a complete year, or the universities/schools need to pass all the students. Both approaches are morally not acceptable.

Should I pay the ransom?

1. The first option is to pay the ransom; however, it's like a lottery system: there is NO guarantee that the attacker (the boss) will release your files. It is advisable to follow the steps to remove the ransomware from your computer and, hopefully, decrypt your files. According to our research, some users get their data back and others don't. First, identify the impact on the system and then follow the incident response management procedure as mentioned below.
2. Please don't encourage this crime by simply paying the money.


How to defend, or how to get the files back?

Do not lose sight of the fact that we are talking about cyber crime here, and there are chances that you may not be able to decrypt the files. Having said that, please don't lose hope, since there are many ways by which you can combat ransomware.
Defending against ransomware is not an easy task; it requires collaborative effort and management buy-in to define and develop strong security controls across the organization. It may require:
1. Proactive: establish a border security force (an IT-BSF, unlike the BSF)
The list below outlines the proactive approach to handling cyber-attacks, with the controls for each area.
Area: Governance and policies
§  Establish a strong governance framework.
§  Establish the context for all the standards in the series, defining concepts and terminology, as well as lifecycle and compliance metrics.
Area: Cybersecurity monitoring and countermeasures
§  Behavioral network pattern analysis: deploy solutions which do not just perform monitoring but also behavioral monitoring, so that APTs can be identified and controlled. A solution like a SIEM should be fine-tuned and integrated with all systems. If any abnormal activity is noticed (spikes, an unknown process, pop-ups, etc.), the system can immediately be taken offline. I know some of you may not agree with me, considering the chain of custody needed to collect evidence; however, this will simply break the attack, because a crypto-virus works on the principle that, to encrypt any files, it needs to communicate with the attacker's command-and-control system. If that communication is not successful, the infection won't be able to get the public key.
Area: Cybersecurity countermeasures at the network layer
§  Deploy a stateful inspection firewall with intrusion detection/prevention capability.
§  Segment the network so that the impact of ransomware is minimized.
§  Deploy an email gateway at the right place with the correct policies. Refine the email gateway policy to block .exe, .scr, .vbs, .js, .jar, .bat, .pif, or .cpl attachments, so that such email attachments never reach users.
Area: Cybersecurity countermeasures at the user layer
§  Conduct user awareness training to minimize social-engineering-based attacks.
§  Conduct a user awareness drill by sending a piece of code as part of a mail, so that the success of the awareness exercise can be measured. This drill should replicate a phishing attack as part of a campaign and will give a clear indication of the risk level. A phishing simulator can be used to change risky employee behavior when it comes to recognizing and reporting malicious phishing emails.
§  In line with this, a SIEM-based solution provides more insight: it can replay the incident to identify the origin of the attack, i.e. which user got infected by clicking the link, so that corrective actions can be taken for that business unit.
Area: Cybersecurity countermeasures at the system layer
§  Keep your OS and software up to date.
§  Keep the anti-virus solution updated with the latest security policy and updates.
§  Use software whitelisting tools like Windows AppLocker.
§  Use Microsoft's Enhanced Mitigation Experience Toolkit (EMET), which provides an additional protection layer.
§  Keep macros disabled.
§  Treat ActiveX with caution.
§  Configure Windows to show file extensions.
§  Keep the Windows firewall enabled.
§  Install a popup blocker.
§  Disable Windows PowerShell.
§  Don't give admin rights to end users.
§  Disable file sharing.
§  Restrict remote services.
§  Implement a restricted-use policy.
§  Rename vssadmin.exe, which administers the Volume Shadow Copy Service (VSS) on a Windows machine. Typically ransomware invokes this process to delete the shadow copies, so that recovery of the files is not possible.
Area: Cybersecurity countermeasures at the data layer
§  A strong backup management strategy to maintain secure backups and battle ransomware. In case of infection, an organization can restore the backup to retrieve the files.
Area: Incident response management
§  Select a vendor who has the right skills and knowledge in incident response management.
§  Have round-the-clock monitoring instead of business hours only, since the majority of incidents originate from a different geography, which contributes to a time difference.
§  Run incident response drills to gain assurance about the procedures and the responsibilities of the parties involved.
§  Align with agencies who can take the necessary actions against cybercrime.
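As an added example (not code from the original post or from any gateway product), the following Python applies the attachment policy from the network-layer controls above to a message the way a gateway filter would: it walks the MIME parts and rejects any attachment whose name carries a blocked extension. Every dot-suffix is checked, not only the last one, which ties in with the "show file extensions" control: Windows hides the final extension by default, so a double-extension name looks like a document to the user. The message, the function names and the extension set are constructed for this example.

```python
import email
from email import policy
from email.message import EmailMessage

# Attachment extensions the gateway policy blocks outright (the list from the post).
BLOCKED_EXTENSIONS = {"exe", "scr", "vbs", "js", "jar", "bat", "pif", "cpl"}

def risky_suffixes(filename: str) -> set:
    """All dot-suffixes of a filename, lower-cased and with padding stripped.

    "Invoice_Q2.pdf.js" yields {"pdf", "js"}: the hidden final extension is the
    one Windows would execute, so it must be part of the decision.
    """
    return {part.strip().lower() for part in filename.split(".")[1:]}

def blocked_attachments(raw_message: bytes) -> list:
    """Return the attachment filenames in raw_message that violate the policy."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no payload of their own
        filename = part.get_filename()  # Content-Disposition filename= or Content-Type name=
        if filename and risky_suffixes(filename) & BLOCKED_EXTENSIONS:
            hits.append(filename)
    return hits

def build_sample_message() -> bytes:
    """Constructed sample: a benign PDF plus a script hidden behind a double extension."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Invoice for Q2"
    msg.set_content("Please find the invoice attached.")
    msg.add_attachment(b"%PDF-1.4 placeholder bytes, not a real document",
                       maintype="application", subtype="pdf", filename="agenda.pdf")
    msg.add_attachment(b"// placeholder bytes, not a real script",
                       maintype="application", subtype="octet-stream",
                       filename="Invoice_Q2.pdf.js")
    return msg.as_bytes()

if __name__ == "__main__":
    for name in blocked_attachments(build_sample_message()):
        print("quarantine:", name)
```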

2. Reactive: fight back to retrieve the files
As per the study, security vendors provide protection against malware; however, the 97 percent guarantee offered by security vendors is not enough: 3 percent will still mean a large number of endpoints being compromised. To address the above concerns, the following mitigation plan should be considered:
  • Identify suspicious activity: quickly scan the system with a tool, along with a manual review, in order to identify a potential threat.
  • Closed review: check log files and the process/task list for any suspicious activity.
  • Known variant: once the attack is confirmed, identify the known variant by understanding its behavior/characteristics. Identify the ransomware and download the corresponding anti-ransomware tool if available. Example: download and use the Trend Micro™ Ransomware Screen Unlocker Tool, or the Bitdefender Trojan.Ransom.Ice Generic Removal Tool.

  • Unknown variant: if it's a new variant, then a tool may not be available and hence a manual process needs to be performed to retrieve your data.
    • Review security forums: quite a few ransomware variants, including TeslaCrypt, DMA Locker, and AlphaLocker, were decrypted by researchers who released free decryption solutions for everyone infected. Therefore, if confronted with a ransom Trojan, do not fail to look up its name on the Internet and check security forums like BleepingComputer, where recovery breakthroughs appear once available.
    • Delay the trigger: shut down your system and set the BIOS clock back. Crypto infections give the victim a deadline to submit the ransom, after which the ransom increases. It's usually somewhere between 4 and 7 days, with the starting point being the time of complete data encryption. Fortunately, there is an easy way to get around this restriction: setting the system BIOS clock to an earlier date will trick the countdown timer and give you additional time to find and implement a fix.
    • Response plan and management buy-in: when hit by a ransomware threat, it's critical for an enterprise to adopt timely countermeasures and mitigations before the payment deadline expires and the ransom goes up. To this end, IT executives should take an inventory of critical data resources, know where these assets are located, and evaluate the damage from the possible unavailability of this data. They also need to quickly understand the threat and scan the complete network for it. Don't pay money for it at first glance!!!
    • Restoration: before you try to recover files, you should use Windows Defender Offline to fully clean your PC.
      1. Restore files from shadow copies: before restoring your files from shadow copies, make sure the ransomware process is not running. You have to remove this malware permanently using the anti-malware scanner.
      2. Restore files from backup copies: the key challenge is to understand when your machine was infected so that you can restore the right backup copy; otherwise, the infection might relapse because the backup copy itself was infected.
      3. Try to restore previous versions of files using the Windows folder tools.
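For the "closed review" step above, here is an added example (not code from the original post, and not the format of any particular logging product) of the kind of check worth running over a process-creation log before attempting the shadow-copy restore: it flags command lines that delete or shrink Volume Shadow Copies, the vssadmin behaviour the proactive controls describe, and keeps the parent process so the reviewer can see which user and application started it. The log layout, hostnames, users and rule names are all constructed for this example.

```python
import re
from dataclasses import dataclass

# Command lines that delete or shrink Volume Shadow Copies. Ransomware commonly runs
# these before encrypting, which is why "restore from shadow copies" so often fails.
SHADOW_COPY_RULES = [
    ("vssadmin delete shadows", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("vssadmin resize shadowstorage", re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage", re.I)),
    ("wmic shadowcopy delete", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
]

@dataclass
class Finding:
    time: str
    host: str
    user: str
    parent: str
    rule: str
    command: str

def parse_record(line: str) -> dict:
    """Split one pipe-delimited process-creation record (constructed layout, not Sysmon's).

    Fields: time|host|user|parent process|command line. The command line is the
    last field and may itself contain '|', so the split is capped at four cuts.
    """
    time, host, user, parent, command = line.rstrip("\n").split("|", 4)
    return {"time": time, "host": host, "user": user, "parent": parent, "command": command}

def review_process_log(lines) -> list:
    """Return one Finding per record whose command line matches a shadow-copy rule."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_record(line)
        for rule, pattern in SHADOW_COPY_RULES:
            if pattern.search(rec["command"]):
                findings.append(Finding(rec["time"], rec["host"], rec["user"],
                                        rec["parent"], rule, rec["command"]))
                break
    return findings

# Constructed sample log: a workstation where Word spawned cmd.exe to wipe shadow copies
# (a typical pre-encryption step), a backup server merely listing them, and benign noise.
SAMPLE_LOG = """\
2016-07-05T09:14:02|WS-017|alice|explorer.exe|"C:\\Program Files\\Microsoft Office\\WINWORD.EXE" /n
2016-07-05T09:14:40|WS-017|alice|WINWORD.EXE|cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
2016-07-05T09:14:41|WS-017|alice|cmd.exe|wmic.exe shadowcopy delete
2016-07-05T09:20:11|SRV-BKP|SYSTEM|services.exe|vssadmin.exe list shadows
2016-07-05T09:21:00|WS-022|bob|explorer.exe|notepad.exe C:\\Users\\bob\\notes.txt
"""

if __name__ == "__main__":
    for f in review_process_log(SAMPLE_LOG.splitlines()):
        print(f"{f.time} {f.host} {f.user} [{f.rule}] parent={f.parent} :: {f.command}")
```

A hit whose parent is an office application or a browser is the record to pivot on when working out which user's click started the infection.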
3. Innovation, or an innovative idea: a virtual-machine-based container inside the machine.
In future, we can expect this approach to handle cyber-attacks. The core of this approach is running a virtual container within your machine. The virtual container will host all applications which require access to the internet, like the browser, Outlook etc. Example: a new browser instance would be run inside its own virtual machine, so if the user accidentally clicked on a rogue link or went to a malicious URL, the infection would be contained within that virtual machine. "You don't really care whether that URL is malicious or not, because it's only going to damage that virtual machine and not the entire laptop. It's not going to have access to your documents or your credentials. There's nothing else on that machine." The virtual machine will be killed as soon as the application is closed or the machine is restarted.

Conclusion: to run a sustainable business operation against online digital extortionists, individuals and organizations should continuously assess and enhance their security posture.

Tuesday, June 28, 2016

Ransomware: a Digital Era Weapon, a High-Revenue Business!!!

The world today is full of unlimited business opportunities. We all operate in the digital era to perform business operations (by connecting people, enterprises, smart cities, systems, IoT, utilities, smart grids/meters, big data and analytics, and SMAC across the globe). Yet we follow standard operating procedures defined in the Stone Age without giving due diligence to the upcoming threat landscape.

This post is informative in nature and will help people who think cyber-attacks are not meant for them, or that they will never get affected due to either the nature of their business or its scale. Be prepared: you can be an easy target!!!

I would like to share a true incident that happened in a non-IT organization, which resulted in big havoc and brought complete operations to a standstill for a few days. A million-dollar loss!!!

It was a normal day when I received a call from my friend requesting some help, since I understand security operations. I casually inquired about the reason; however, I felt he was a little hesitant. During the conversation, he mentioned that his customer was facing a major issue due to a malware attack and he requested my help to rescue them. On his request, I agreed to talk with the customer. Let me narrate the complete conversation:
During the conversation, I came to know that he was heading the IT operation and seemed to be in deep trouble. Initially, he was hesitant to share the issue due to company reputation and market share. However, based on my assurance, he stated to me that the complete IT operation had stopped due to a malware attack. With a deep breath, I asked him for more detail on the behavior of the malware and the issue so that I could suggest a mitigation plan. According to him……
  • The organization touches the lives of millions across India, Asia, the Middle East, Europe, Africa and America. Huge network!!!
  • The malware has encrypted all the business operation devices and is asking for money to decrypt the file system.
  • The files are encrypted with a .AAA extension.
  • Not sure how many systems are infected and how many more it will infect.
  • The antivirus solution is not protecting; the antivirus vendor claims it is a zero-day exploit.
  • The local vendor who is supporting the operation is not committed to handling the security incident. Technical competency issue with the local vendor.
  • We can't align with CERT-In (Indian Computer Emergency Response Team) to report it and take their concurrence and advice, due to company reputation.

With a deep breath, I understood the complete issue. It was an “encrypting ransomware” attack. A highly profitable, evolving threat!!!
Okay, let me brief you on exactly how it functions.

Ransomware, as the term says, is related to ransom; however, in the current circumstance it's related to “digital ransom”. In the current context, the attacker has encrypted the digital information and is asking for ransom money to rescue/decrypt the data so that it can be used for business operations. It's a big call which the customer has to make, considering:

  • How to make the business operational with no impact on business and market share
  • The impact of the encrypted files. Data restoration, if we plan to delete everything and restore from backup: which day's backup to use, since there is no clarity on whether the backup itself is infected.
  • How many systems are affected due to the self-replicating behavior
  • Do we have any controls to identify the source of the attack
  • When it was infected, since much malicious code remains undetected due to APT behaviors
  • What would be the impact on company reputation if the ransom is paid
  • How we can safeguard ourselves, considering the attacker might have a key to our network
  • How to mitigate the same incident in future


Before the business takes a call on the above alarming questions, let's understand a little more about how it works and how it's impacting users across the globe.
  
Ransomware can exhibit worm-like behavior and can remain undetected. The ransomware leverages removable and network drives to propagate itself and affect more users. There are many forms of ransomware, some of which are destructive in nature, i.e. they are designed with an automated counter; once the threshold is reached it will start deleting files. If you restart the computer or try to stop its services, it becomes more disruptive and may delete thousands of files. The ransomware boss (in IT terms, can be referred to as a program head) will establish the complete program like a project :). The leader (in IT terms, can be referred to as a technical lead) recruits 10 to 15 affiliates that support him in spreading the ransomware via:
  1. Botnet installs
  2. Email and social media phishing campaigns
  3. Compromised dedicated servers
  4. File-sharing websites


Let's understand the market analysis so that we can say “No to digital threats in a cross-connected ecosystem”.

Facts
Revenue business from ransomware
  • Half of the users can't accurately identify ransomware.
  • Half of the victims are willing to pay up to $500 to recover encrypted data. This means, according to the graph, there are nearly 200K infected users; if half of them pay 500 USD, it makes a total of 50,000,000 USD!
  • Personal documents rank first among user priorities.
  • UK consumers would pay the most to retrieve files.
  • US users are the main target for ransomware.
  • Indian users are also targeted; however, it is never reported.
  • One of the most interesting aspects of ransomware campaigns is that they could also be very profitable for small gangs without specific skills.
  • A ransomware-as-a-service campaign has been operated by a Russian gang since December 2015.
  • The gang requested from the victims a payment of a $300 fee to rescue the encrypted files; the communications with the victims are handled directly by the boss.
  • 93% of phishing emails are now ransomware.




Growth of Encrypted Ransomware Q1 2016



The best preparation for tomorrow is doing your best today. In my next post, I will give guidance on developing a holistic approach to battling ransomware proactively to avoid massive destruction, along with a mitigation approach. Till then, stay safe!!!