Researchers flag two zero-days in Windows Print Spooler

In May 2020, Microsoft patched CVE-2020-1048, a privilege escalation vulnerability in the Windows Print Spooler service discovered by Peleg Hadar and Tomer Bar from SafeBreach Labs. A month later, the two researchers found a way to bypass the patch and re-exploit the vulnerability on the latest Windows version. Microsoft assigned this vulnerability a new identification number – CVE-2020-1337 – and will patch it on August 2020 Patch Tuesday. They’ve also discovered a DoS flaw affecting … More

The post Researchers flag two zero-days in Windows Print Spooler appeared first on Help Net Security.

Security analysis of legacy programming environments reveals critical flaws

New research from Trend Micro highlights design flaws in legacy programming languages and releases new secure coding guidelines. These are designed to help Industry 4.0 developers greatly reduce the software attack surface, and therefore decrease business disruption in OT environments.

Figure: The layers of the software stack (including automation task programs) and what their respective vulnerabilities could affect

Conducted jointly with Politecnico di Milano, the research details how design flaws in legacy programming languages could lead to … More

The post Security analysis of legacy programming environments reveals critical flaws appeared first on Help Net Security.

PE Tree: Free open source tool for reverse-engineering PE files

PE Tree, a malware reverse-engineering, open source tool developed by the BlackBerry Research and Intelligence team, has been made available for free to the cybersecurity community.


About PE Tree

PE Tree allows malware analysts to view Portable Executable (PE) files in a tree-view using pefile – a multi-platform Python module that parses and works with PE files – and PyQt5, a module that can be used to create graphical user interfaces.

“PE Tree is developed in Python and supports the Windows, Linux and Mac operating systems. It can be installed and run as either a standalone application or an IDAPython plugin,” Tom Bonner, a threat researcher at BlackBerry, explained.

The Python-based tool parses PE files and maps them into a tree view, then provides a summary of the various headers. Suspicious findings are highlighted, and analysts can deepen their research by running a VirusTotal search, exporting portions of the PE file to CyberChef for further processing, finding and dumping PE files from an IDA database, reconstructing imports, and so on.
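To make the "parse headers, map them into a tree, highlight suspicious findings" workflow concrete, here is an added example that is not PE Tree's or pefile's own code: a minimal pure-Python parser built on the struct module. It walks the DOS header, IMAGE_FILE_HEADER, IMAGE_OPTIONAL_HEADER (PE32 and PE32+) and the section table into a nested dict, renders that dict as an indented outline, and flags a handful of findings an analyst would want called out (writable-and-executable sections, section data past the end of the file, sections with no raw data, an entry point outside every section). The sample image is constructed inline and is not a real or runnable executable; the flag values and field offsets come from the PE/COFF specification.

```python
import struct

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
MACHINE_NAMES = {0x014C: "I386", 0x8664: "AMD64", 0xAA64: "ARM64"}


def parse_pe(data: bytes) -> dict:
    """Map the DOS header, NT headers and section table into a nested dict."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4      # IMAGE_FILE_HEADER (20 bytes)
    machine, nsec, stamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20          # IMAGE_OPTIONAL_HEADER
    if opt_size < 72 or len(data) < opt + opt_size + 40 * nsec:
        raise ValueError("headers extend past end of file (truncated?)")
    magic = struct.unpack_from("<H", data, opt)[0]
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    if magic == 0x10B:       # PE32: 32-bit ImageBase at offset 28
        fmt, image_base = "PE32", struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:     # PE32+: 64-bit ImageBase at offset 24
        fmt, image_base = "PE32+", struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    subsystem, dll_chars = struct.unpack_from("<HH", data, opt + 68)
    sections = []
    for i in range(nsec):    # IMAGE_SECTION_HEADER entries, 40 bytes each
        name, vsize, vaddr, rawsize, rawptr, _, _, _, _, schars = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"Name": name.rstrip(b"\x00").decode("ascii", "replace"),
                         "VirtualSize": vsize, "VirtualAddress": vaddr,
                         "SizeOfRawData": rawsize, "PointerToRawData": rawptr,
                         "Characteristics": schars})
    return {
        "DOS_HEADER": {"e_magic": "MZ", "e_lfanew": e_lfanew},
        "NT_HEADERS": {
            "FILE_HEADER": {"Machine": machine, "MachineName": MACHINE_NAMES.get(machine, "unknown"),
                            "NumberOfSections": nsec, "TimeDateStamp": stamp,
                            "Characteristics": chars},
            "OPTIONAL_HEADER": {"Magic": magic, "Format": fmt, "AddressOfEntryPoint": entry,
                                "ImageBase": image_base, "Subsystem": subsystem,
                                "DllCharacteristics": dll_chars}},
        "SECTIONS": sections}


def find_suspicious(tree: dict, file_len: int) -> list:
    """Return the findings an analyst would want highlighted in the tree."""
    findings, in_section = [], False
    entry = tree["NT_HEADERS"]["OPTIONAL_HEADER"]["AddressOfEntryPoint"]
    for s in tree["SECTIONS"]:
        flags = s["Characteristics"]
        if flags & IMAGE_SCN_MEM_WRITE and flags & IMAGE_SCN_MEM_EXECUTE:
            findings.append(f"section {s['Name']} is writable and executable")
        if s["PointerToRawData"] + s["SizeOfRawData"] > file_len:
            findings.append(f"section {s['Name']} raw data extends past end of file")
        if s["SizeOfRawData"] == 0 and s["VirtualSize"] > 0:
            findings.append(f"section {s['Name']} has no raw data but a non-zero virtual size")
        span = max(s["VirtualSize"], s["SizeOfRawData"])
        if s["VirtualAddress"] <= entry < s["VirtualAddress"] + span:
            in_section = True
    if not in_section:
        findings.append(f"entry point 0x{entry:x} lies outside every section")
    return findings


def render_tree(node, indent: int = 0) -> str:
    """Render the nested dict as an indented outline, one node per line."""
    pad, lines = "  " * indent, []
    items = node.items() if isinstance(node, dict) else enumerate(node)
    for key, val in items:
        if isinstance(val, (dict, list)):
            lines.append(f"{pad}{key}")
            lines.append(render_tree(val, indent + 1))
        else:
            lines.append(f"{pad}{key}: {val:#x}" if isinstance(val, int) else f"{pad}{key}: {val}")
    return "\n".join(lines)


def _build_sample_pe() -> bytes:
    """Constructed PE32+ header layout for exercising the parser; not a real executable."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                     # e_lfanew -> NT headers at 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, 240, 0x0022)  # AMD64, 2 sections, EXECUTABLE_IMAGE
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                        # PE32+ magic
    struct.pack_into("<I", opt, 16, 0x1000)                      # AddressOfEntryPoint (inside .text)
    struct.pack_into("<Q", opt, 24, 0x140000000)                 # ImageBase
    struct.pack_into("<HH", opt, 68, 3, 0x8160)                  # Subsystem=CONSOLE, DllCharacteristics
    secs = struct.pack("<8sIIIIIIHHI", b".text", 0x100, 0x1000, 0x200, 0x400, 0, 0, 0, 0, 0x60000020)
    secs += struct.pack("<8sIIIIIIHHI", b".data", 0x2000, 0x2000, 0x200, 0x600, 0, 0, 0, 0, 0xE0000040)
    img = bytes(dos) + b"PE\x00\x00" + coff + bytes(opt) + secs
    return img + bytes(0x800 - len(img))                         # pad so section raw data fits


SAMPLE_PE = _build_sample_pe()

if __name__ == "__main__":
    tree = parse_pe(SAMPLE_PE)
    print(render_tree(tree))
    for finding in find_suspicious(tree, len(SAMPLE_PE)):
        print("!", finding)
```

On the constructed sample the outline shows a PE32+ image with two sections, and the only highlighted finding is that .data is both writable and executable; a truncated or non-PE input is rejected with a ValueError rather than a struct error from deep inside the parser.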

“Reverse engineering of malware is an extremely time- and labor-intensive process, which can involve hours of disassembling and sometimes deconstructing a software program,” BlackBerry stated.

“The BlackBerry Research and Intelligence team initially developed this open source tool for internal use and is now making it available to the malware reverse engineering community.”

What’s next?

It’s not unusual for cybersecurity and IT firms (as well as government agencies) to open source security tools they used internally.

Bonner noted that this free tool for reverse-engineering is under active development and new features will be added frequently.

“The next major release will focus on rekall support, offering the ability to view and dump processes from either a memory dump or live system,” he shared. The Rekall Framework is a collection of tools used for extracting and analyzing digital artifacts from computer systems.

“As cybercriminals up their game, the cybersecurity community needs new tools in their arsenal to defend and protect organizations and people,” said Eric Milam, Vice President of Research Operations, BlackBerry.

“We’ve created this solution to help the cybersecurity community in this fight, where there are now more than one billion pieces of malware with that number continuing to grow by upwards of 100 million pieces each year.”

Analysis of 92 billion rejected emails uncovers threat actors’ motivations

Mimecast released the Threat Intelligence Report: Black Hat U.S.A. Edition 2020, which presents insights gleaned from the analysis of 195 billion emails processed by Mimecast for its customers from January through June 2020. Of those, 92 billion (47%) were flagged as malicious or spam and rejected.

Figure: Blocked impersonation attacks

Main trends

Two main trends ran throughout the analysis: attackers’ desire for monetary gain and a continued reliance on COVID-19-related campaigns, especially within certain vertical industries.

One of the most significant observations was that threat actors are launching opportunistic and malware-based campaigns across multiple verticals at an alarming rate and volume. The report also forecasts what types of attacks will likely spike in the next six months.

Attacks and malware-centric campaigns

The majority of attacks seen by Mimecast during this period were simple, high-volume attacks such as spam and phishing, which is likely a reflection of the easy access to tools and kits available online. As the attacks progressed, exploits evolved into more potent forms of malware and ransomware, with the attackers’ goal appearing to be monetary gain.

In addition, malware-centric campaigns have been a fixture of 2020 and have become increasingly sophisticated. Forty-two significant campaigns were identified during the six-month period that the report covers. The campaigns showed a significant uptick in the use of short-lived, high-volume, targeted and hybridized attacks against many sectors of the U.S. economy.

Researchers believe this is highly likely a consequence of threat actors targeting industries that remained open during the ‘stay at home’ period in the U.S., as well as those essential to the nation’s recovery from the current pandemic. Interestingly, the media and publishing sectors suffered high volumes of impersonation attacks, potentially as a vehicle for cybercriminals to spread disinformation across the U.S.

“If one thing is for certain, the pandemic we’re living in today has caused significant challenges. We’ve continued to see threat actors tap into the vulnerabilities of humans and launch campaign after campaign with a COVID-19 hook, in an attempt to get users to click harmful links or open malicious files,” said Josh Douglas, VP of product management, threat intelligence at Mimecast.

Figure: Mimecast signature detections

Understanding the modern threat landscape

Threat actors go where the money flows. The attacks from January-June 2020 incorporated a vast array of threats, including Azorult, Barys, Cryxos, Emotet, Hawkeye, Lokibot, Nanocore, Nemucod, Netwired, Remcos, Strictor, and ZLoader, and involved a combination of mass generic Trojan delivery with phishing campaigns with the goal of monetary gain.

Industries that remained open during the pandemic were the hardest hit. The top sectors for attacks in the U.S. were manufacturing, retail/wholesale, finance and insurance. In addition, the media and publishing sector suffered high volumes of impersonation attacks (48.4 million detections), potentially as a vehicle to spread disinformation across the U.S.

Organizations are at a higher risk of being attacked by ransomware. Researchers found that it is highly likely that U.S. businesses are at risk of ransomware attacks, due to threat actors’ high-volume, opportunistic attacks on multiple verticals. The circumstances of the pandemic make organizations more vulnerable to ransomware, so it will likely remain a significant threat for the second half of 2020.

Impersonation attacks continue to accelerate. The volume of sender impersonation attacks increased by 24% between January and June to nearly 46 million per month.