Is the sky falling Henny Penny?

Sony fell victim yet again to a large scale breach.

http://www.csoonline.com/article/2852982/data-breach/sales-contracts-and-other-data-published-by-sonys-attackers.html?utm_source=twitterfeed&utm_medium=twitter

And why do I post this in the Wapack Labs blog? Nearly all of the open source lists are buzzing with this right now, but I've not seen anything in the local sphere, so here's the deal folks...

Holidays are upon us. You need to know this.. no retailer will be safe from theft. Sony spent an enormous amount of money, recruiting top talent and diving deep into security after the first breach (Playstation) a couple of years ago.

When you swipe your card, or when you watch a customer in your store swipe a card, there's a strong probability that somewhere along the value chain between swipe to processor all the way back to the bank that issued it, and the network that it's carried on, are going to have vulnerabilities that will allow it to be stolen.

Here's what you do about it...

Pay attention. Watch your bill. The fraudsters usually hit you with small charges (<$20). Call your card company immediately.

One of my favorite sites is the Federal Trade Commission's educational site. I went to school with the guy that leads the cyber education effort... there are some great (and short) education pieces here for consumers and companies alike.

From the consumer perspective? Try this. 

Business? Try this.

I should mention... it's not always your fault... when security vendors fail to do the work, but they still pass on the 'trusted seal', both businesses and consumers end up with the short end of the stick. In one case, a noted security company attested to the fact that a site was secure, when in fact it wasn't..

Realizing education takes time, and most people don't like to read, if you've got a concern, and you're a business in the area, give us a call.  We're here to help and we can both answer your questions, and monitor your network for bad things that may be happening.  Doing your best to make sure you keep your customers information (payment information, private information, etc.) safe, is a massive responsibility --but it is just that -- a responsibility.

Enjoy the read. Give us a call if you need help!
Jeff

11/28/14: Wapack Labs Priority Intelligence Report: Regin

This is a slimmed down version of a couple of white papers, describing new espionage focused malware known as Regin.   There's been a ton of activity on this in the security circles, but not really in any form that could be read by folks without a security team who can digest and use the information.  And while we're not as interested in knowing who wrote it, we do want to make sure folks have tools to help identify and protect against it. 

Wapack Labs has not analyzed any malware, rather publishes this to ensure background is known and current mitigations are published in a simple form. Yara rules are shown at the end of this three page priority intelligence report.  And as always, sources are shown. Please feel free to download the full papers from Kaspersky and/or Symantec for deeper analysis. 

-Jeff 

-------------------------------------------------------------------------------------------------------------------------

Regin

Wapack Labs Priority Intelligence Report

Publication date: 28 November 2014; information cutoff date: 26 November 2014

Handling requirements: Traffic light protocol (TLP) WHITE.

TLP: WHITE information may be distributed without restriction, subject to copyright controls.

Background

A new dangerous piece of malware has emerged, and nearly all are talking about attribution, pointing to government-sponsored authorship from the UK and US. Wapack Labs has not evaluated linkages to any government, but thought it necessary to identify any mitigations that might be available for this new, highly complex piece of code. This report is a situation report, based on what we (Wapack Labs) currently know.  The lab has not yet obtained samples of the malware, thus, have not performed this analysis directly. This report is a compilation of what others have reported, and is only meant as a means of outlining the first steps in mitigation/defense.

Executive Summary

Regin is a multi-purpose family of malware that has been observed in the wild since at least 2008.  It is unknown exactly when the first samples appeared; however, compilation timestamps have been observed dating back to 2003.  Regin is extremely modular across its multistage infection process and has a wide range of standard capabilities.  The malware is capable of installing a large number of payloads, some of which are highly customized for the targeted system.

Details

Regin is reportedly a complex piece of software designed with espionage in mind.  Regin is said to steal passwords, monitor network traffic, and gather information on processes and memory utilization using a multi-phased approach and ‘modules’ of code that are dropped into a system independently of each other to avoid detection and defenses.  Regin modules have been observed parsing mail from Microsoft Exchange email databases, scanning for deleted files on an infected computer and retrieving them, and collecting administration traffic for telecommunications (cellular - GSM) base station controllers.

Regin employs several techniques to obfuscate exactly what information has been exfiltrated.  Targeting is reported to include telecom operators, government institutions, multinational political bodies, financial institutions, research institutions, and individuals involved in advanced mathematical and cryptographic research.  The level of customization found in Regin samples indicates a high level of specialist knowledge in the targeted sectors.  It is reported that actors utilizing the Regin malware have been focused to date on two main objectives - intelligence gathering and facilitating additional sophisticated attacks.

Reportings of Regin operations have been noted in Algeria, Afghanistan, Austria, Belgium, Brazil, Fiji, Germany, Iran, India, Indonesia, Ireland, Kiribati, Malaysia, Mexico, Pakistan, Russia, Saudi Arabia, and Syria.

Figure 1: Regin Geographic Distribution

Mitigations

For the defender, four command and control nodes have been identified.  Users are recommended to monitor in/outbound network activity for command and control on the following Internet Protocol (IP) addresses:

·       61.67.114.73      Taiwan, Taichung - Chwbn

·       202.71.144.113    India, Chetput - Chennai Network Operations

·       203.199.89.80     India, Thane - Internet Service Provider

·       194.183.237.145   Belgium, Brussels - Perceval S.a.

Several unique strings have been identified in Regin modules so far. While these strings may not be indicative of Regin activity, each should be monitored.  False positives, however, are highly likely.  Users without the capability to perform host based scanning may perform searches of their computers for the following terms.  If identified, without legitimate use, contact your security team, system administrator or Wapack Labs for assistance.

·       legspinv2.6

·       LEGSPINv2.6

·       WILLISCHECKv2.0

·       HOPSCOTCH

·       U_STARBUCKS

·       shit

The following Yara[1] rules have been provided by Kaspersky Labs, and have not been tested by Wapack Labs. 

rule apt_regin_vfs {

meta:

copyright = "Kaspersky Lab"

description = "Rule to detect Regin VFSes"

strings:

$a1={00 02 00 08 00 08 03 F6 D7 F3 52}

$a2={00 10 F0 FF F0 FF 11 C7 7F E8 52}

$a3={00 04 00 10 00 10 03 C2 D3 1C 93}

$a4={00 04 00 10 C8 00 04 C8 93 06 D8}

condition:

($a1 at 0) or ($a2 at 0) or ($a3 at 0) or ($a4 at 0)

}

rule apt_regin_dispatcher_disp_dll {

meta:

copyright = "Kaspersky Lab"

description = "Rule to detect Regin disp.dll dispatcher"

strings:

$mz="MZ"

$string1="shit"

$string2="disp.dll"

$string3="255.255.255.255"

$string4="StackWalk64"

$string5="imagehlp.dll"

condition:

($mz at 0) and (all of ($string*))

}

rule apt_regin_2013_64bit_stage1 {

meta:

copyright = "Kaspersky Lab"

description = "Rule to detect Regin 64 bit stage 1 loaders"

filename="wshnetc.dll"

md5="bddf5afbea2d0eed77f2ad4e9a4f044d"

filename="wsharp.dll"

md5="c053a0a3f1edcbbfc9b51bc640e808ce"

strings:

$mz="MZ"

$a1="PRIVHEAD"

$a2="\\\\.\\PhysicalDrive%d"

$a3="ZwDeviceIoControlFile"

condition:

($mz at 0) and (all of ($a*)) and filesize < 100000

}

rule apt_regin_2011_32bit_stage1 {

meta:

copyright = "Kaspersky Lab"

description = "Rule to detect Regin 32 bit stage 1 loaders"

strings:

$key1={331015EA261D38A7}

$key2={9145A98BA37617DE}

$key3={EF745F23AA67243D}

$mz="MZ"

condition:

($mz at 0) and any of ($key*) and filesize < 300000

}

rule apt_regin_rc5key {

meta:

copyright = "Kaspersky Lab"

description = "Rule to detect Regin RC5 decryption keys"

strings:

$key1={73 23 1F 43 93 E1 9F 2F 99 0C 17 81 5C FF B4 01}

$key2={10 19 53 2A 11 ED A3 74 3F C3 72 3F 9D 94 3D 78}

condition:

any of ($key*)

}

Open source white papers:

https://securelist.com/files/2014/11/Kaspersky_Lab_whitepaper_Regin_platform_eng.pdf

http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/regin-analysis.pdf

About Wapack Labs

Wapack Labs, located in the technology mills of Manchester, NH is a Cyber Threat Analysis and Intelligence organization supporting the Red Sky Alliance, the FS-ISAC, and individual organizations by offering expert level targeted intelligence analysis answering some of the hardest questions in Cyber. Wapack Labs’ engineers, researchers, and analysts design and deliver transformational cyber-security analysis tools that fuse open source and proprietary information, using deep analysis techniques and visualization. Information derived from these tools and techniques serve as the foundation of Wapack Labs’ information reporting to the cyber-security teams of its customers and industry partners located around the world.

For questions or comments regarding this report, please contact the lab directly by at 603-606-1246, or feedback@wapacklabs.com.

---

[1] YARA is a tool aimed at (but not limited to) helping malware researchers to identify and classify malware samples. With YARA you can create descriptions of malware families (or whatever you want to describe) based on textual or binary patterns. Each description, a.k.a rule, consists of a set of strings and a boolean expression which determine its logic. (http://plusvic.github.io/yara/)

Check your video folks!

Twice in one week... a Russian website that offers a view into as many as 73,000 webcam/video systems out there with default passwords set, and now this one discovered by Rapid7 offering another 150,000.

http://www.bbc.com/news/technology-30121159

I used to average about 72 investigations every quarter. At least one had to do with default passwords set on video security systems. One, earned me a free trip (business of course) to Brazil to find out who'd been logging into the IP Cameras in the US. Turned out to be a sales engineer using default passwords.

Here's the deal folks... video systems have servers at the heart of the security system... those servers are computer systems designed to capture video, but nonetheless, they are simply computers. Other systems use servers too --badging for example. If you swipe, carry an RFID, or punch in a code that records accesses, guess what? The data is stored on a server.

So do yourself a favor. Make sure the security systems (physical security systems) have the default password changed. Default passwords are often times overlooked, and it's one of the simplest things you can do to keep yourself secure.