Apple Mail Now Blocks Email Trackers

Apple Mail now blocks email trackers by default.

Most email newsletters you get include an invisible “image,” typically a single white or transparent pixel, whose URL carries a unique identifier. The sender’s server logs every request for that image and the IP address it came from. This quirk of internet history means that marketers can tell exactly when you open an email and from which IP address, which can be used to roughly work out your location.

So, how does Apple Mail stop this? By prefetching. Apple Mail downloads all images for all emails before you open them. Practically speaking, that means every message delivered to Apple Mail looks “opened” to the tracker, regardless of whether you ever read it, so the open time tells the sender nothing. Apple also routes the downloads through two different proxies, so the tracker sees a proxy address instead of yours and your precise location also can’t be tracked.
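What a tracking pixel looks like inside a message, and the client-side check a mail reader without Apple’s prefetching could apply, as an added example that is not part of the original post and not Apple’s code. The sample newsletter HTML, the ESP hostname and the tokens in it are constructed; the heuristics (an image the reader could never see, plus an opaque per-recipient token in its URL) are the common signature of an open tracker and not a claim about any particular mailing service.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Pixel is one <img> that looks like an open tracker and why it was flagged.
type Pixel struct {
	URL    string
	Reason string
}

var (
	imgTagRe = regexp.MustCompile(`(?is)<img\b[^>]*>`)
	attrRe   = regexp.MustCompile(`(?is)([a-z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))`)
	// An opaque per-recipient identifier: a long run of URL-safe characters.
	tokenRe = regexp.MustCompile(`[A-Za-z0-9_-]{20,}`)
)

// parseAttrs pulls name=value pairs out of a single tag (quoted or bare values).
func parseAttrs(tag string) map[string]string {
	attrs := map[string]string{}
	for _, m := range attrRe.FindAllStringSubmatch(tag, -1) {
		attrs[strings.ToLower(m[1])] = m[2] + m[3] + m[4] // only one capture group is non-empty
	}
	return attrs
}

// isTiny reports whether a width/height attribute is 0 or 1 (with or without "px").
func isTiny(v string) bool {
	v = strings.TrimSuffix(strings.TrimSpace(strings.ToLower(v)), "px")
	return v == "0" || v == "1"
}

// FindTrackingPixels flags images a reader could never see (1x1 or hidden) and notes
// when their URL also carries a recipient-specific token. A visible image is never
// flagged, however odd its file name, to keep ordinary CDN assets out of the results.
func FindTrackingPixels(html string) []Pixel {
	var found []Pixel
	for _, tag := range imgTagRe.FindAllString(html, -1) {
		a := parseAttrs(tag)
		src := a["src"]
		if src == "" {
			continue
		}
		var reasons []string
		if isTiny(a["width"]) && isTiny(a["height"]) {
			reasons = append(reasons, "1x1 dimensions")
		}
		style := strings.ReplaceAll(strings.ToLower(a["style"]), " ", "")
		if strings.Contains(style, "display:none") || strings.Contains(style, "visibility:hidden") {
			reasons = append(reasons, "hidden via style")
		}
		if len(reasons) == 0 {
			continue
		}
		if tokenRe.MatchString(src) {
			reasons = append(reasons, "opaque per-recipient token in URL")
		}
		found = append(found, Pixel{URL: src, Reason: strings.Join(reasons, "; ")})
	}
	return found
}

// sampleEmail is a constructed newsletter body (not a real mailing): one logo, two trackers.
const sampleEmail = `<html><body>
<p>Hello reader, here is this week's issue.</p>
<img src="https://cdn.example.net/images/logo.png" width="200" height="60" alt="logo">
<img src="https://track.example-esp.net/o/a9f3c2e1d4b5a6f7c8d9e0b1a2c3d4e5.gif" width="1" height="1" alt="">
<IMG SRC='https://track.example-esp.net/open?u=01HX5K9Z3QWERTY2P8ABCD' style="display: none">
</body></html>`

func main() {
	for _, p := range FindTrackingPixels(sampleEmail) {
		fmt.Printf("%s\n  reason: %s\n", p.URL, p.Reason)
	}
}
```

Blocking or rewriting the flagged URLs before rendering removes the open signal entirely; Apple’s approach instead leaves the pixel in place and makes every message look opened at delivery time, from a proxy address, which is just as useless to the tracker.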

Crypto-Gram uses Mailchimp, which has these tracking pixels turned on by default. I turn them off. Normally, Mailchimp requires them to be left on for the first few mailings, presumably to prevent abuse. The company waived that requirement for me.

Stories from the SOC – Command and Control

Stories from the SOC is a blog series that describes recent real-world security incident investigations conducted and reported by the AT&T SOC analyst team for AT&T Managed Extended Detection and Response customers.

Executive summary

Once a malicious actor has gained initial access to an internal asset, they may attempt to conduct command and control activity. The ‘Command and Control’ (C&C) tactic, as identified by the MITRE ATT&CK® framework, consists “of techniques that adversaries may use to communicate with systems under their control within a victim network.” Cobalt Strike is an effective adversary simulation tool used in security assessments but has been abused by malicious actors for Command and Control of victim networks. If configured by attackers, it can be used to deploy malicious software, execute scripts, and more.

This investigation began when the Managed Extended Detection and Response (MXDR) analyst team received multiple alarms involving the detection of Cobalt Strike on an internal customer asset. Within ten minutes of this activity, the attacker launched a Meterpreter reverse shell and successfully installed remote access tools Atera and Splashtop Streamer on the asset. These actions allowed the attacker to establish multiple channels of command and control. In response, the MXDR team created an investigation and informed the customer of this activity. The customer determined that an endpoint detection and response (EDR) agent was not running on this asset, which could have prevented this attack from occurring. This threat was remediated by isolating the asset and scanning it with SentinelOne to remove indicators of compromise. Additionally, Cobalt Strike, Atera, and Splashtop Streamer were added to SentinelOne’s blacklist to prevent unauthorized execution of this software in the customer environment.

Investigation

Initial alarm review

Indicators of Compromise (IOC)

An initial alarm was triggered by a Windows Defender detection of Cobalt Strike on an internal customer asset. The associated log was provided to USM Anywhere using NXLog and was detected using a Windows Defender signature. Multiple processes related to Cobalt Strike were attached to this alarm.

Cobalt Strike, as mentioned previously, is a legitimate security tool that can be abused by malicious actors for Command and Control of compromised machines. In this instance, a Cobalt Strike beacon was installed on the compromised asset to communicate with the attacker’s infrastructure. Windows Defender took action to prevent these processes from running.

Immediately following the Cobalt Strike detection, an additional alarm was triggered for a Meterpreter reverse shell.

A Meterpreter reverse shell is a component of the Metasploit Framework and requires the attacker to set up a remote ‘listener’ on their own infrastructure that ‘listens’ for connections. Upon successful exploitation, the victim machine connects to this remote listener, establishing a channel for the attacker to send malicious commands. A Meterpreter reverse shell can be used to allow an attacker to upload files to the victim machine, record user keystrokes, and more. In this instance, Windows Defender also took action to prevent this process from running.

Expanded investigation

Events search

During post-exploitation, an attacker may leverage scheduled tasks to run periodically, disable antivirus, or configure malicious applications to execute during startup. To query for this activity, specific event names, such as ‘Windows Autostart Location’, ‘New Scheduled Task’, and events containing ‘Windows Defender’, were added to a filter in USM Anywhere. An additional filter was applied to display events occurring in the last 24 hours. This expanded event search provided context into attacker activity around the time of the initial Cobalt Strike and Meterpreter alarms.

Event deep dive

Just after the Cobalt Strike and Meterpreter detections, a scheduled task was created named “Monitoring Recovery.” The task registration is recorded as Windows Event ID 106 in the Task Scheduler operational log.

This scheduled task was used to install two remote monitoring and management (RMM) applications: Atera and Splashtop Streamer.

Shortly after this task was created and executed, an event was received indicating “AteraAgent.exe” was added as a Windows auto-start service.

AteraAgent.exe is associated with Atera, a legitimate computer management application that allows for remote access, management, and monitoring of computer systems, but has been abused by attackers for command and control of compromised systems.

This change was followed by an event involving “SRService.exe” being added as a Windows auto-start service on this asset.

SRService.exe is associated with Splashtop Streamer Service, a remote access application commonly used by IT support, also abused by attackers for C&C communications.

At this point, the attacker had attempted to create multiple channels for command and control using Cobalt Strike, Meterpreter, Atera, and Splashtop Streamer. While the Cobalt Strike and Meterpreter sessions were terminated by Windows Defender, Atera and Splashtop Streamer were successfully added as auto-start services. This allowed the attacker to establish persistence in the customer environment. Persistence, as identified by the MITRE ATT&CK framework, allows the attacker to maintain “access to systems across restarts, changed credentials, and other interruptions that could cut off their access.”
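The chain above (Defender detections, an Event ID 106 task registration, then Event ID 7045 service installs for AteraAgent.exe and SRService.exe) is the kind of sequence a SIEM filter should correlate rather than surface as three unrelated alarms. The following is an added example, not AT&T’s or USM Anywhere’s code: it takes a normalized event list, flags every service install whose binary is one of the RMM agents named in this post, and looks back through a time window for the task registration and Defender alerts that preceded it. The event schema, the timeline, the install paths and the service names are constructed to mirror the incident and are not taken from the customer’s logs.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Event is a normalized Windows event as a SIEM would present it (constructed model).
type Event struct {
	Time    time.Time
	Channel string            // "Defender", "TaskScheduler", or "System"
	EventID int               // 1116 malware detected, 106 task registered, 7045 service installed
	Fields  map[string]string // TaskName, ServiceName, ImagePath, Threat
}

// Finding is one RMM service install plus the activity that preceded it.
type Finding struct {
	Product        string
	ServiceName    string
	InstalledAt    time.Time
	PrecedingTask  string // nearest scheduled task registered inside the window, if any
	DefenderAlerts int    // Defender detections inside the window
}

// rmmBinaries are the remote-access agents this post names as abused for C&C.
var rmmBinaries = map[string]string{
	"ateraagent.exe": "Atera",
	"srservice.exe":  "Splashtop Streamer",
}

// baseName lowercases the file name of a Windows image path; it does not rely on the
// host's path separator, so it works when the rule runs on a Linux SIEM.
func baseName(p string) string {
	p = strings.Trim(strings.TrimSpace(p), `"`)
	if i := strings.LastIndexAny(p, `\/`); i >= 0 {
		p = p[i+1:]
	}
	return strings.ToLower(p)
}

// FindRMMPersistence walks 7045 service installs and, for known RMM binaries, looks back
// through the window for a task registration and Defender detections.
func FindRMMPersistence(events []Event, window time.Duration) []Finding {
	evs := append([]Event(nil), events...)
	sort.Slice(evs, func(i, j int) bool { return evs[i].Time.Before(evs[j].Time) })
	var out []Finding
	for i, e := range evs {
		if e.Channel != "System" || e.EventID != 7045 {
			continue
		}
		product, ok := rmmBinaries[baseName(e.Fields["ImagePath"])]
		if !ok {
			continue
		}
		f := Finding{Product: product, ServiceName: e.Fields["ServiceName"], InstalledAt: e.Time}
		for j := i - 1; j >= 0 && e.Time.Sub(evs[j].Time) <= window; j-- {
			p := evs[j]
			switch {
			case p.Channel == "TaskScheduler" && p.EventID == 106 && f.PrecedingTask == "":
				f.PrecedingTask = p.Fields["TaskName"]
			case p.Channel == "Defender" && p.EventID == 1116:
				f.DefenderAlerts++
			}
		}
		out = append(out, f)
	}
	return out
}

// sampleTimeline is a constructed sequence modelled on the incident; times, threat names,
// install paths and service names are illustrative.
func sampleTimeline() []Event {
	t0 := time.Date(2022, 5, 10, 14, 0, 0, 0, time.UTC)
	at := func(m int) time.Time { return t0.Add(time.Duration(m) * time.Minute) }
	return []Event{
		{at(0), "Defender", 1116, map[string]string{"Threat": "CobaltStrike"}},
		{at(2), "Defender", 1116, map[string]string{"Threat": "Meterpreter"}},
		{at(4), "TaskScheduler", 106, map[string]string{"TaskName": `\Monitoring Recovery`}},
		{at(6), "System", 7045, map[string]string{"ServiceName": "AteraAgent",
			"ImagePath": `"C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe"`}},
		{at(7), "System", 7045, map[string]string{"ServiceName": "Splashtop Streamer Service",
			"ImagePath": `C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRService.exe`}},
		{at(30), "System", 7045, map[string]string{"ServiceName": "Spooler",
			"ImagePath": `C:\Windows\System32\spoolsv.exe`}},
		{at(3 * 24 * 60), "System", 7045, map[string]string{"ServiceName": "AteraAgent",
			"ImagePath": `C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe`}},
	}
}

func main() {
	for _, f := range FindRMMPersistence(sampleTimeline(), 15*time.Minute) {
		fmt.Printf("%s service %q installed %s; preceding task %q; Defender alerts in window: %d\n",
			f.Product, f.ServiceName, f.InstalledAt.Format(time.RFC3339), f.PrecedingTask, f.DefenderAlerts)
	}
}
```

The last finding in the sample (an Atera install days later with no task and no alerts nearby) is deliberately still reported: in an environment where these agents are not sanctioned, the install alone is the event to act on, and the preceding-task and alert counts only raise its priority.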

Response

Building the investigation

All alarms and events were carefully recorded in an investigation created in USM Anywhere. The customer was immediately contacted regarding this compromise, which led to an ‘all-hands-on-deck’ call to remediate this threat. This compromise was escalated to the customer’s Threat Hunter, as well as management and Tier 2 analysts.

Customer interaction

The MXDR team worked directly with the customer to contain and remediate this threat. This asset was quarantined from the customer network where it was scanned for malicious indicators using SentinelOne. The customer installed the SentinelOne EDR agent on this asset to protect it from any current threats. Additionally, the unauthorized applications Cobalt Strike, Meterpreter, Atera, and Splashtop Streamer were added to SentinelOne’s blacklist to prevent future execution of these programs in the customer environment.

Limitations and opportunities

Limitations

While this compromise was quickly detected and contained, the customer lacked the protection required to prevent the applications Atera and Splashtop Streamer from being installed and added as Windows auto-start programs.

Opportunities

To protect an enterprise network from current threats, a multi-layered approach must be taken, otherwise known as ‘Defense in Depth.’ This entails multiple layers of protection, including Endpoint Detection and Response (EDR), a SIEM (Security Information and Event Management system), and additional security controls. With an EDR agent installed on this asset, this malicious behavior would likely have been prevented. AT&T’s Managed Endpoint Security (MES) provides endpoint detection and response and can be used alongside USM Anywhere to actively detect, prevent, and notify the customer of malicious activity in their environment.

Security leaders chart new post-CISO career paths

Mike Engle started on the CISO career track early in his career, moving up to senior vice president of information and corporate security at Lehman Brothers in the early 2000s.

Engle says he thought the professional path was a good fit, explaining that he found security technologies, such as encryption, fascinating and the cat-and-mouse aspects of the work challenging.

“I liked that thrill of putting solutions in place that stop something bad from happening,” he adds.

But Engle says he didn’t like other aspects of his position, particularly the governance and regulatory requirement tasks that intensified following the 2002 passage of the Sarbanes-Oxley Act.

23 DevSecOps tools for baking security into the development process

Read Time:42 Second

Because of DevOps’ agile, continuous, and fast nature, building in security is essential, but many organizations struggle to do so. While that struggle is often a cultural lack of organizational priority, or even a process challenge, good tools can help enterprises put the Sec in DevOps. These tools help keep security embedded within DevOps organizations by getting developers, operations teams, and security teams on the same page when it comes to managing risks.

The need for DevSecOps is growing, fueled by the rapid expansion of custom code development. Emergen Research estimates the demand for DevSecOps tools will grow from $2.55 billion in 2020 to just over $23 billion by 2028. Below is a roundup of some of the most important tools in the core DevSecOps categories.

Your Phone May Soon Replace Many of Your Passwords

Apple, Google and Microsoft announced this week they will soon support an approach to authentication that avoids passwords altogether, and instead requires users to merely unlock their smartphones to sign in to websites or online services. Experts say the changes should help defeat many types of phishing attacks and ease the overall password burden on Internet users, but caution that a true passwordless future may still be years away for most websites.

Image: Blog.google

The tech giants are part of an industry-led effort to replace passwords, which are easily forgotten, frequently stolen by malware and phishing schemes, or leaked and sold online in the wake of corporate data breaches.

Apple, Google and Microsoft are some of the more active contributors to a passwordless sign-in standard crafted by the FIDO (“Fast Identity Online”) Alliance and the World Wide Web Consortium (W3C), groups that have been working with hundreds of tech companies over the past decade to develop a new login standard that works the same way across multiple browsers and operating systems.

According to the FIDO Alliance, users will be able to sign in to websites through the same action that they take multiple times each day to unlock their devices — including a device PIN, or a biometric such as a fingerprint or face scan.

“This new approach protects against phishing and sign-in will be radically more secure when compared to passwords and legacy multi-factor technologies such as one-time passcodes sent over SMS,” the alliance wrote on May 5.

Sampath Srinivas, director of security authentication at Google and president of the FIDO Alliance, said that under the new system your phone will store a FIDO credential called a “passkey” which is used to unlock your online account.

“The passkey makes signing in far more secure, as it’s based on public key cryptography and is only shown to your online account when you unlock your phone,” Srinivas wrote. “To sign into a website on your computer, you’ll just need your phone nearby and you’ll simply be prompted to unlock it for access. Once you’ve done this, you won’t need your phone again and you can sign in by just unlocking your computer.”
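Why the public-key design Srinivas describes is phishing-resistant in a way a password or an SMS code is not, as an added example that is not part of the original article and not Apple’s, Google’s or Microsoft’s code. It is a deliberately reduced model of the WebAuthn flow (Ed25519 in place of the spec’s credential algorithms, a hash of the relying-party ID and client data in place of the full authenticator data structure): the phone holds one key pair per site, the site stores only the public key, and every signature covers a fresh challenge together with the origin the browser was really on. The lookalike domain examp1e.com and the user alice are constructed.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator stands in for the phone: one key pair per relying-party ID, never exported.
type Authenticator struct{ keys map[string]ed25519.PrivateKey }

// RelyingParty is the website: it holds public keys and single-use challenges, no secrets.
type RelyingParty struct {
	ID, Origin string // e.g. "example.com" and "https://example.com"
	pubKeys    map[string]ed25519.PublicKey
	challenges map[string][]byte
}

// Assertion is what the browser hands back after the user unlocks the phone.
type Assertion struct {
	Challenge []byte
	Origin    string // the origin the browser was actually on when it asked for the signature
	Signature []byte
}

func NewRelyingParty(id, origin string) *RelyingParty {
	return &RelyingParty{ID: id, Origin: origin, pubKeys: map[string]ed25519.PublicKey{}, challenges: map[string][]byte{}}
}

// Register creates a credential bound to rpID and returns only the public half.
func (a *Authenticator) Register(rpID string) ed25519.PublicKey {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { panic(err) } // crypto/rand failing is unrecoverable here
	a.keys[rpID] = priv
	return pub
}

// Challenge issues a fresh random nonce that must come back signed.
func (rp *RelyingParty) Challenge(user string) []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil { panic(err) }
	rp.challenges[user] = c
	return c
}

// signedMessage mirrors WebAuthn: hash(rpID) || hash(client data); client data carries the challenge and the observed origin.
func signedMessage(rpID string, as Assertion) []byte {
	rpHash := sha256.Sum256([]byte(rpID))
	cdHash := sha256.Sum256(append(append([]byte{}, as.Challenge...), []byte("|"+as.Origin)...))
	return append(rpHash[:], cdHash[:]...)
}

// Sign is invoked by the browser with the rpID derived from the page's origin; only a key held for that rpID can answer.
func (a *Authenticator) Sign(rpID, origin string, challenge []byte) (Assertion, error) {
	priv, ok := a.keys[rpID]
	if !ok {
		return Assertion{}, errors.New("no credential for " + rpID)
	}
	as := Assertion{Challenge: challenge, Origin: origin}
	as.Signature = ed25519.Sign(priv, signedMessage(rpID, as))
	return as, nil
}

// Verify checks challenge freshness, origin, and the signature against the enrolled public key.
func (rp *RelyingParty) Verify(user string, as Assertion) error {
	want, ok := rp.challenges[user]
	delete(rp.challenges, user) // single use, whatever happens next
	if !ok || !bytes.Equal(want, as.Challenge) {
		return errors.New("unknown or replayed challenge")
	}
	if as.Origin != rp.Origin {
		return errors.New("origin mismatch: " + as.Origin)
	}
	pub, ok := rp.pubKeys[user]
	if !ok || !ed25519.Verify(pub, signedMessage(rp.ID, as), as.Signature) {
		return errors.New("bad signature")
	}
	return nil
}

// Scenario runs a legitimate login, a relayed phishing attempt from a constructed lookalike (examp1e.com), and a replay.
func Scenario() (legit, phished, replay error) {
	phone := &Authenticator{keys: map[string]ed25519.PrivateKey{}}
	site := NewRelyingParty("example.com", "https://example.com")
	fake := NewRelyingParty("examp1e.com", "https://examp1e.com")
	site.pubKeys["alice"] = phone.Register(site.ID)
	fake.pubKeys["alice"] = phone.Register(fake.ID) // worst case: the victim holds a passkey for the lookalike too
	as, _ := phone.Sign(site.ID, site.Origin, site.Challenge("alice"))
	legit = site.Verify("alice", as)
	c := site.Challenge("alice")                      // attacker fetches a real challenge from the site...
	relayed, _ := phone.Sign(fake.ID, fake.Origin, c) // ...and gets the victim to sign it on the lookalike
	phished = site.Verify("alice", relayed)
	replay = site.Verify("alice", as) // the first assertion presented a second time
	return
}

func main() {
	legit, phished, replay := Scenario()
	fmt.Println("legitimate:", legit, "| relayed:", phished, "| replayed:", replay)
}
```

The relayed assertion fails before the signature is even checked, because the origin the victim’s browser recorded is the lookalike’s; even if the attacker rewrote that field, the signature covers it and the wrong rpID hash, so verification would still fail. An SMS or app-generated one-time code has neither property: the victim can be tricked into reading it out to the wrong site, and it verifies wherever it is presented.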

As ZDNet notes, Apple, Google and Microsoft already support FIDO sign-in (for example with a hardware security key or a device’s built-in authenticator), but users need to enroll separately at every website to use the passwordless functionality. Under this new system, users will be able to automatically access their passkey on many of their devices, without having to re-enroll every account, and use their mobile device to sign into an app or website on a nearby device.

Johannes Ullrich, dean of research for the SANS Technology Institute, called the announcement “by far the most promising effort to solve the authentication challenge.”

“The most important part of this standard is that it will not require users to buy a new device, but instead they may use devices they already own and know how to use as authenticators,” Ullrich said.

Steve Bellovin, a computer science professor at Columbia University and an early internet researcher and pioneer, called the passwordless effort a “huge advance” in authentication, but said it will take a very long time for many websites to catch up.

Bellovin and others say one potentially tricky scenario in this new passwordless authentication scheme is what happens when someone loses their mobile device, or their phone breaks and they can’t recall their iCloud password.

“I worry about people who can’t afford an extra device, or can’t easily replace a broken or stolen device,” Bellovin said. “I worry about forgotten password recovery for cloud accounts.”

Google says that even if you lose your phone, “your passkeys will securely sync to your new phone from cloud backup, allowing you to pick up right where your old device left off.”

Apple and Microsoft likewise have cloud backup solutions that customers using those platforms could use to recover from a lost mobile device. But Bellovin said much depends on how securely such cloud systems are administered.

“How easy is it to add another device’s public key to an account, without authorization?” Bellovin wondered. “I think their protocols make it impossible, but others disagree.”

Nicholas Weaver, a lecturer at the computer science department at University of California, Berkeley, said websites still have to have some recovery mechanism for the “you lost your phone and your password” scenario, which he described as “a really hard problem to do securely and already one of the biggest weaknesses in our current system.”

“If you forget the password and lose your phone and can recover it, now this is a huge target for attackers,” Weaver said in an email. “If you forget the password and lose your phone and CAN’T, well, now you’ve lost your authorization token that is used for logging in. It is going to have to be the latter. Apple has the infrastructure in place to support it (iCloud keychain), but it is unclear if Google does.”

Even so, he said, the overall FIDO approach has been a great tool for improving both security and usability.

“It is a really, really good step forward, and I’m delighted to see this,” Weaver said. “Taking advantage of the phone’s strong authentication of the phone owner (if you have a decent passcode) is quite nice. And at least for the iPhone you can make this robust even to phone compromise, as it is the secure enclave that would handle this and the secure enclave doesn’t trust the host operating system.”

The tech giants said the new passwordless capabilities will be enabled across Apple, Google and Microsoft platforms “over the course of the coming year.” But experts said it will likely take several more years for smaller web destinations to adopt the technology and ditch passwords altogether.

Recent research shows far too many people still reuse or recycle passwords (modifying the same password slightly), which presents an account takeover risk when those credentials eventually get exposed in a data breach. A report in March from cybersecurity firm SpyCloud found 64 percent of users reuse passwords for multiple accounts, and that 70 percent of credentials compromised in previous breaches are still in use.

A March 2022 white paper on the FIDO approach is available here (PDF). A FAQ on it is here.

Are You Playing A Role In Protecting Your Online Privacy?

Like most things in life, online privacy is a two-way street. As consumers, we expect the companies we deal with online to manage and safeguard our data to a highly professional standard; however, we also have a role to play here too. So, this Privacy Awareness Week (PAW), let’s focus on what we can do to ensure our personal information is kept as secure and private as possible.

Privacy Awareness Week 

There’s nothing like a dedicated ‘week’ to renew our focus and in my opinion, this year’s PAW does just that. This year’s theme is – The Foundation of Trust – we all have a role to play, a great reminder of how it’s up to all of us to ensure we manage online privacy. There’s no doubt that managing our privacy is low on the to-do list for many. And I get it – we’re all strapped for time, and we don’t ever think privacy breaches will affect us. Well, my friends, I’m here to tell you that privacy breaches do happen. Identity theft is a reality of living life online. In fact, in 2020/21, nearly 155,000 Aussies had their identities stolen, and those were only the cases that were reported. But the good news is that if you take a proactive approach, you can minimise the risk of this ever happening.

What You Can Do to Protect Your Online Privacy 

Believe it or not, most of your privacy action plan involves small steps that are, I promise, relatively painless. The most important thing here is that you need to commit to doing them. The last thing you want is to spend months dealing with the fallout from having your identity stolen. It’s exhausting, stressful, and absolutely worth avoiding. 

Without further ado, here’s your action plan: 

1. Passwords 

Strong and unique passwords are essential to keeping your online information tight. A password should have at least 8-10 characters (longer is better) and combine lower- and uppercase letters, numbers and symbols. Each online account should also have its own password, which is an overwhelming prospect to manage by hand! Consider using a password manager such as McAfee’s TrueKey to help generate and manage passwords.

2. Conduct An Audit of Your (and Your Kids’) Privacy Settings 

Ensure all the family checks their social media accounts to ensure they are set to private. This will mean that only their chosen friends can see their private information. Each social media platform will have its own ‘help’ page which provides specific steps on how to do this.  

3. Use Public Wi-Fi With Caution 

If you are serious about your online privacy, then you need to use public Wi-Fi sparingly. Unsecured public Wi-Fi is a very risky business: anything you send over it could easily find its way into the hands of cybercriminals. So, avoid sharing any sensitive or personal information while using public Wi-Fi. If you travel regularly, consider investing in a VPN. A VPN (Virtual Private Network) encrypts your traffic, which means your login details and other sensitive information are protected from anyone else on the network. A great insurance policy!

4. Use 2-Factor Authentication 

Adding an additional layer of security to protect yourself when accessing your online accounts is another great way of guarding your online privacy. Turn on two-factor authentication for Google, Dropbox, Facebook and whatever other site offers it. For those new to this option, this means that in addition to your password, you will need to provide another form of identification to ensure you are who you say you are. Most commonly, this is a code sent to your mobile phone or generated by a smartphone app. 
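What the “code generated by a smartphone app” actually is, as an added example that is not from the original post and not McAfee’s or any authenticator app’s code: the app and the website share a secret at enrolment, and both compute a short code from that secret and the current 30-second time step (RFC 4226 HOTP underneath, RFC 6238 TOTP on top). The secret used here is the RFC 6238 test-vector seed, so the printed values can be checked against the RFC; a real enrolment uses a random secret, usually delivered as a base32 string in a QR code. The verifier side also shows the two checks a server must make and that a plain string compare would get wrong.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"time"
)

// hotp is RFC 4226: HMAC-SHA1 over the big-endian counter, dynamically truncated to `digits` decimal digits.
func hotp(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// TOTP is RFC 6238: the HOTP counter is the number of whole time steps since the Unix epoch.
func TOTP(secret []byte, at time.Time, step time.Duration, digits int) string {
	return hotp(secret, uint64(at.Unix())/uint64(step/time.Second), digits)
}

// VerifyTOTP accepts the current step and one step either side to tolerate clock skew,
// and compares in constant time so response timing does not leak which digits matched.
// A real server must additionally remember and reject a code that was already accepted.
func VerifyTOTP(secret []byte, candidate string, now time.Time, step time.Duration, digits int) bool {
	base := now.Unix() / int64(step/time.Second)
	ok := false
	for d := int64(-1); d <= 1; d++ {
		if base+d < 0 {
			continue
		}
		want := hotp(secret, uint64(base+d), digits)
		if subtle.ConstantTimeCompare([]byte(want), []byte(candidate)) == 1 {
			ok = true // keep looping so timing does not reveal which step matched
		}
	}
	return ok
}

// rfcSecret is the RFC 6238 test-vector seed (ASCII "12345678901234567890"), used here only so the
// output is checkable against the RFC; an enrolment secret must be random.
var rfcSecret = []byte("12345678901234567890")

func main() {
	for _, ts := range []int64{59, 1111111109, 1234567890} {
		fmt.Printf("t=%d  code=%s\n", ts, TOTP(rfcSecret, time.Unix(ts, 0), 30*time.Second, 8))
	}
	fmt.Println("accepted with 30 s skew:", VerifyTOTP(rfcSecret, "94287082", time.Unix(89, 0), 30*time.Second, 8))
}
```

Two things the code makes visible that the checklist does not: the code is only as secret as the shared seed, so it must be stored as carefully as a password hash on the server, and nothing in it ties the code to the site asking for it, which is why such codes can still be phished by a site that relays them in real time.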

5. Consider a Search Engine that Doesn’t Track Your Every Move Online 

Most web surfers rely on Google for their searching, but why not use a search engine that doesn’t collect and store that information? There are loads of more ‘privacy focussed’ options to choose from. Check out DuckDuckGo, which doesn’t profile users or track or sell your information to third parties.

6. Protect Your Digital Life 

Comprehensive security protection software is an easy way to help firm up your online privacy too as it does a great job of keeping malicious software (malware) at bay. Malware can wreak absolute havoc: from installing pop ups to scanning for personal information. And if you’re likely to click dodgy links (we’re all human after all), then this is a no brainer! Super-duper security software will also guard you against viruses and online threats, direct you away from risky websites and dangerous downloads and protect your smartphones and tablets too, it can also back up your files. McAfee’s LiveSafe protection software comes with a 100% guarantee to protect you against viruses. 

So, this Privacy Awareness week, please take the time to ensure you are doing all you can to nail your online privacy. And of course, please get your kids involved too. Do your research and find some stories of ‘real life’ people who have had their identity stolen to share around the dinner table because identity theft can absolutely happen to anyone! 

Till next time, 

Stay Safe! 

Alex   

The post Are You Playing A Role In Protecting Your Online Privacy? appeared first on McAfee Blog.
