Wednesday, 10 December 2014

Forensic Bulletin Advanced

executive summary
Any organization, big or small, can be the target of a cyber-attack. Password-only protection is weak authentication and too risky. With the adoption of cloud-based IT infrastructure, organizations are also expected to secure what they do not own, manage or control. Users want complete freedom to browse the web, choosing not only when and how but also the devices they use. Cyber criminals are taking advantage of today’s “any-to-any” world, where individuals use any device. Threats cut across domains without discriminating by industry, business size or country, and cyber criminals constantly evolve new techniques to bypass security. “Forensic Bulletin” is a special CCFIS monthly series bulletin on advancements and upcoming trends in digital forensics, based on research by the CCFIS team, which vigilantly watches all new advanced techniques and cyberspace threats.
As per a recent survey by a reputed research center, 50% of organizations had experienced at least one occurrence of economic crime in the last year. Such frauds cost billions of dollars. Those who commit fraud have become craftier and are launching more complex plans. However, according to professional and expert opinion, only a few organizations are responding to the growing threats by tightening their controls and investing in fraud detection and prevention.
The “any-to-any” evolution already involves billions of internet-connected devices and is expected to grow many fold in the next few years.

hiding data like a ninja
A cyber-espionage case study
We all have data, business or personal, that we do not want to share with anyone. It may be trade secrets, financial documents, patent files or whatever matters to your business and hence your life. To protect it we use all kinds of encryption software, folder locks and so on, but with the increase in responsible disclosures we have come to know that, no matter what you do, your data is not secure at all. Encrypting data is not a good option either: the most trusted encryption utility, TrueCrypt, announced “WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues”. Most of us are now left with no option to rely upon for the security of our data. Data theft cannot be curbed completely, but it can be minimized.
First of all, tear off the label pasted on your HDD that tells about its specifications such as size, RPM, brand and model number. Now set the size of the HDD to 250 GB with just one partition, with the OS installed on it. To understand this better, let us explain the basic internal structure of an HDD. As shown in the pictograph, inside the HDD there are two platters and two heads to perform read/write functions on them; data exists on both platters.

Now behold the genius of the plan: what if you store the confidential data on the second platter, disable its head and configure the HDD so that it works with only one head and reads data off only one platter?
This method is effective because it is known to very few of us. The head count of the HDD will show two (2) heads in total, but the engaged head count will show only one (1).
Now store your confidential data on that hidden drive. Later, when you want to access it again, reconfigure the HDD and enable the disengaged head, and you will get your hidden partition back. For better security, you can encrypt this drive too. So you can turn a 500 GB HDD into a 250 GB HDD with the other 250 GB as your hidden ninja storage.
Note : - For technical specifications, drop a mail at info@ccfis.net.
man in the ‘email’ attack
Email Scam Alert in Indian Small & Medium Enterprises
In the last year CCFIS has been asked to give expert advice in cases related to email spoofing by various LEAs and private companies. This particular email scam can be called a ‘Man-in-the-E-mail’ attack. Following are the two most prominent email scams using the ‘Man-in-the-E-mail’ technique:

The modus operandi of this scam, which is victimizing businesses nationwide, starts with compromising the email accounts of businesses and studying the correspondence of active deals that involve a substantial transfer of money. The perpetrator then identifies the target company’s e-mail domain and creates a similar domain by altering one or two letters in the email address. To an unsuspecting eye it is easily deceptive and passes as the original email address. The perpetrator then acts as a relay point between the two parties, passing each party’s messages on to the other, thus gaining control over the communication and editing and forwarding the content of the messages to his benefit. In other cases, the perpetrator identifies when company executives are travelling, from information gathered on social media sites like Facebook and Twitter or from the executive’s compromised e-mail account.
When the executives are out of town, the subject sends an e-mail to an individual in the company who is authorized to make wire transfers and bill payments. The e-mail usually appears to come from the company’s CFO requesting the wire transfer on behalf of the CEO. To make the request appear legitimate, the e-mail contains a fraudulent e-mail chain started by the CEO requesting the transfer. The email consistently asks for money to be wired quickly to a specified account and usually states that the transfer should be coded to “Misc. Expense-executive” or “Admin-Expense.” The success of these spoofing scams depends largely on the awareness of the employee; a normal employee fails to spot the differences between a spoofed email and a genuine one. Cyber security training is a must for the small and medium enterprises of our country to prevent such losses in the future.
CCFIS advises that when reporting similar incidents to the authorities, victim organizations should preserve the e-mails with their original extended headers and any attachments, such as .PDF files providing directions for the money transfer, as these can prove to be crucial evidence.
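A check a mail gateway or an investigator can apply to the lookalike-domain trick described above, added here as an example and not part of the original bulletin or of any CCFIS tool: it compares the sender's domain against the organization's own domains by edit distance, so one- or two-character alterations are flagged as lookalikes instead of passing as ordinary external mail. The trusted domain list, the sample headers and the distance threshold are constructed for the illustration.

```python
"""Flag sender domains that resemble, but are not, an organization's own domains.

Added example for this bulletin; not CCFIS tooling. Levenshtein distance catches
the one- or two-letter alterations the text describes.
"""
import re

# Constructed sample: the domains this (fictitious) organization legitimately uses.
TRUSTED_DOMAINS = {"example-trading.com", "example-trading.in"}

# Constructed sample headers, as an investigator might pull them from a mailbox.
SAMPLE_MESSAGES = [
    {"From": "Ravi Kumar <ravi@example-trading.com>", "Subject": "Q3 invoice schedule"},
    {"From": "Accounts <accounts@exampel-trading.com>", "Subject": "URGENT: revised beneficiary bank details"},
    {"From": "CFO <cfo@exarnple-trading.com>", "Subject": "Wire transfer on behalf of CEO"},
    {"From": "noreply@bankexample.in", "Subject": "Statement available"},
]


def levenshtein(a, b):
    """Classic edit distance: insertions, deletions and substitutions each cost 1."""
    if len(a) < len(b):
        a, b = b, a
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        current = [i]
        for j, cb in enumerate(b, 1):
            current.append(min(previous[j] + 1,                 # deletion
                               current[j - 1] + 1,              # insertion
                               previous[j - 1] + (ca != cb)))   # substitution
        previous = current
    return previous[-1]


def sender_domain(from_header):
    """Extract the domain from a From: value such as 'Name <user@host>' or 'user@host'."""
    m = re.search(r"<?([^<>\s@]+)@([^<>\s@]+)>?\s*$", from_header)
    if not m:
        raise ValueError("no address in %r" % from_header)
    return m.group(2).lower().rstrip(".")


def classify_domain(domain, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return 'trusted', 'lookalike' (within max_distance edits of a trusted domain) or 'external'."""
    domain = domain.lower()
    if domain in trusted:
        return "trusted"
    for good in trusted:
        if levenshtein(domain, good) <= max_distance:
            return "lookalike"
    return "external"


def triage_messages(messages, trusted=TRUSTED_DOMAINS):
    """Pair each subject with the verdict on its sender domain."""
    return [(m["Subject"], classify_domain(sender_domain(m["From"]), trusted)) for m in messages]


if __name__ == "__main__":
    for subject, verdict in triage_messages(SAMPLE_MESSAGES):
        print("%-10s %s" % (verdict, subject))
```

The two "urgent" finance messages are the ones the text describes: a domain that differs by a swapped pair of letters and one that swaps `m` for `rn`. Both land within two edits of the real domain and are flagged, while the unrelated bank domain is simply external.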
chip-off forensics
As digital forensic professionals we are accustomed to facing challenges. How do we obtain a full forensic image from embedded flash memory chips if physical extraction is not supported, or if the device itself is physically broken and damaged beyond repair? In such cases we perform chip-off forensic analysis, defined as the extraction and analysis of data stored on flash memory chips.
A few chip-off scenarios we encountered at CCFIS:
A phone broken in two pieces: with its connecting ports damaged, there is no way to access the data or image the storage inside. We need to take off the chip and perform recovery procedures on it.
A pen drive shot by an AK-47 bullet: the pen drive was broken and the connecting port was melted by the heat of the bullet. A chip-off analysis is now required to access the data inside.
The chip-off process also makes it possible to acquire and analyze water-damaged devices and items lacking connection ports. A chip-off requires a different setup than a normal computer forensics lab has: an ideal chip-off workbench has electrical rework equipment and chip programmers.
The rework equipment is used to remove, clean and prepare memory chips prior to data acquisition. The chip programmers are used to actually interface with the memory chip and download the stored data to a raw image file.
The ultimate goal of a chip-off project is to capture and analyze the raw data saved on the target device's flash memory chip on the printed circuit board (PCB). To accomplish this, a typical chip-off project progresses through three distinct phases: Assessment, Acquisition and Analysis.
The Assessment Phase - The assessment phase involves researching the target device to make sure it is a good chip-off candidate and to confirm that no other full physical memory extraction possibility exists; only then is it prepared for extraction.
The Acquisition Phase - The acquisition phase involves the actual chip removal and capture of data. This is when the rubber meets the road and the actual chip-off happens. It is accomplished by desoldering the chip from the PCB, and utmost care must be taken.
The Analysis Phase - The analysis phase involves the recovery and interpretation of the acquired data. Once the raw data has been extracted, analysis can begin. Data examination is often the most challenging aspect of a chip-off project. In addition to vast differences in device operating systems, file systems and data storage structures, the examiner must understand and account for the low-level characteristics of flash memory.
The process can be daunting and may require the development of custom programs or scripts for a particular device.
The common issues faced by the examiner are identifying the target memory chip and virtually rebuilding the chip's controller. In such cases the examiner may need to contact the various programmer manufacturers and request that support be added for the new chip model. The removal process does carry some risk of damage to the memory chip and loss of data, because the chips are exposed to the high-temperature profiles required to melt lead-free solder.
The chip-off process is definitely an advanced technique, and it can be applied to the majority of devices since flash memory is used in all sorts of devices.
Certainly, the vast majority of chip-off projects we work on involve mobile phones, but nearly any device that contains embedded permanent storage can be extracted: tablets, GPS units, voice recorders, printers and scanners, music players, cameras, video game consoles, vehicles, industrial machines, medical testing equipment, network devices and security systems.
byod forensics
Extracting a full bit-stream image from devices containing embedded flash memory
The concept of BYOD is not new; the oldest example would be carrying personal USB thumb drives to work. As technology grew, so did the BYOD trend, and statistics indicate that the medium by which most people access the internet wirelessly is a portable device like a smartphone or tablet.

As mobile devices continue to evolve and expand their availability, their utility and versatility increase. Corporations and law firms face growing pressure from employees and consultants to permit the use of personal devices on the organization's network. With BYOD policies implemented, employees show improved productivity, ease of mobility and a more satisfying end-user experience.
But this BYOD trend poses serious challenges and risks to an organization’s data and network security. First, there is the significant risk that permitting such connectivity might introduce viruses, malware and other forms of trouble into the organization's file servers, email systems and mission-critical infrastructure. Second, there is the increased likelihood of data breaches, theft of proprietary information and trade secrets, and loss of intellectual property.
Just a month ago we came to know about a serious data theft at a company that lost a million-rupee tender by a thin margin. Company officials were baffled at how their rival could come so near to their bid. They suspected that someone from the company had leaked the confidential bidding documents. Later it was revealed that one of their employees had used her iPod to copy the documents through the USB port of a computer system, on the pretext of charging it.
In a similar case, an IT company faced serious repercussions after its software code was stolen. On investigation it was established that an Android smartphone opened in USB Mass Storage mode had been used to copy the source code.
So how can organizations strike a compromise between appropriate and adequate security and an effective BYOD policy that fulfils the technology wants and needs of their internal client base?
Through proper planning, appropriate policy, and periodic review and assessment, organizations can successfully permit employees' use of personal devices without sacrificing information security.
Android Malware Investigation
As smartphone use increases, so does mobile malware
In the past few years we have seen companies hire competitors’ employees to perform better. Now competitors hack into each other’s email accounts and servers to get data relevant to their business, and they are increasingly targeting mobile devices, which are now as powerful as desktop PCs and hold more confidential data. The sophistication of mobile hacking has increased to such a level that the victim never realizes that he was ever compromised.

Our internal research shows that these types of attacks have increased exponentially, mostly in the IT industry. Every day we hear of an e-mail security breach or the theft of e-mail belonging to a top-level official of an IT company, through which confidential files, client details, account numbers and financial information are compromised. When such incidents happen, most of us suspect that the email server or the personal or official computer was compromised by malware. But we rarely notice that we also access email through our Android-based smartphones. Most Android malware is detected by security software, but targeted malware stays dormant and is smart enough to perform its tasks without raising any suspicion.
It can be analyzed by acquiring physical, logical and memory dumps of the smartphone. From the physically acquired dump of the phone, every application executable file can be extracted along with metadata such as installation date and time.
The extracted Android executable (.apk) can then be installed and executed in an Android emulator (a virtual phone that runs on a computer) for further analysis. Among all the installed applications, you may find some behaving suspiciously. These suspicious executables (.apk) can be analyzed further, for example reverse engineered to learn the permissions granted to the application, its source code and its associated JAR files (Java executables). For in-depth analysis one can also connect the phone in a sandboxed environment and capture all data packets for several hours to analyze its behavior.
If your device is compromised, you will very soon see the IPs with which it is communicating. Close all applications and run only the selected suspicious applications, and you will see many data packets exchanged between your device and the detected IP.
If you run a business, there is a possibility that the IP belongs to your competitor.
The internet is full of these types of malicious Android apps that can compromise your Android device in minutes using 0-day exploits.
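A first triage pass over a suspicious APK's decoded manifest, as an added example (not CCFIS's procedure or tooling): it extracts the declared permissions and registered receivers and flags the combinations that matter for the data-theft scenario above, such as SMS access together with network access and boot-time persistence. The manifest below is constructed for a fictitious wallpaper app and is assumed to have already been decoded from Android's binary XML (for instance with apktool); the permission and action names are real Android identifiers, while the risk notes and the sample app are the analyst's own.

```python
"""Triage the permissions and receivers declared in a decoded AndroidManifest.xml.

Added example for this bulletin, not CCFIS tooling. Assumes the manifest is
already plain XML (apktool or similar has decoded it).
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS   # android:name in ElementTree's Clark notation

# Real Android permission names; the notes are the analyst's, chosen for the
# "competitor reads the executive's mail" scenario in the text.
SENSITIVE = {
    "android.permission.READ_SMS": "read SMS (OTP / 2FA interception)",
    "android.permission.RECEIVE_SMS": "intercept incoming SMS",
    "android.permission.READ_CONTACTS": "read address book",
    "android.permission.RECORD_AUDIO": "record microphone",
    "android.permission.READ_CALL_LOG": "read call history",
    "android.permission.ACCESS_FINE_LOCATION": "track location",
    "android.permission.READ_EXTERNAL_STORAGE": "read files / downloaded attachments",
    "android.permission.RECEIVE_BOOT_COMPLETED": "start at boot (persistence)",
    "android.permission.INTERNET": "network access (exfiltration channel)",
}

# Constructed manifest: a "wallpaper" app that asks for far more than it needs.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.wallpaper">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.SET_WALLPAPER"/>
  <application android:label="Wallpapers">
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def parse_manifest(xml_text):
    """Pull out the package name, declared permissions, receivers and filtered actions."""
    root = ET.fromstring(xml_text)
    return {
        "package": root.get("package"),
        "permissions": sorted(e.get(NAME_ATTR) for e in root.iter("uses-permission")),
        "receivers": [r.get(NAME_ATTR) for r in root.iter("receiver")],
        "actions": sorted(a.get(NAME_ATTR) for a in root.iter("action")),
    }


def risk_score(info):
    """Count of declared permissions that appear in the analyst's sensitive list."""
    return sum(1 for p in info["permissions"] if p in SENSITIVE)


def triage_manifest(info):
    """Human-readable findings: each sensitive permission plus telling combinations."""
    perms = set(info["permissions"])
    findings = ["%s: %s" % (p, SENSITIVE[p]) for p in info["permissions"] if p in SENSITIVE]
    sms = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}
    if perms & sms and "android.permission.INTERNET" in perms:
        findings.append("SMS access combined with network access: possible SMS exfiltration")
    if "android.provider.Telephony.SMS_RECEIVED" in info["actions"]:
        findings.append("registers an SMS_RECEIVED receiver (sees messages as they arrive)")
    if "android.intent.action.BOOT_COMPLETED" in info["actions"]:
        findings.append("registers a BOOT_COMPLETED receiver (persistence across reboots)")
    return findings


if __name__ == "__main__":
    info = parse_manifest(SAMPLE_MANIFEST)
    print(info["package"], "risk score", risk_score(info))
    for line in triage_manifest(info):
        print(" -", line)
```

The point of the combination rules is that no single permission is damning on its own; a wallpaper app that reads SMS, talks to the network and restarts itself at boot is what warrants the emulator run and packet capture the text goes on to describe.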
Friday, 10 October 2014

IntSec Bulletin

executive summary

Any organization, big or small, can be the target of a cyber-attack. Password-only protection is weak authentication and too risky. With the adoption of cloud-based IT infrastructure, organizations are also expected to secure what they do not own, manage or control. Users want complete freedom to browse the web, choosing not only when and how but also the devices they use. Cyber criminals are taking advantage of today’s “any-to-any” world, where individuals use any device. Threats cut across domains without discriminating by industry, business size or country, and cyber criminals constantly evolve new techniques to bypass security. “IntSec” is a special CCFIS monthly series bulletin on internet security, based on research by the CCFIS team, which vigilantly watches all new advanced techniques and cyberspace threats.
As per a recent survey by a reputed research center, 50% of organizations had experienced at least one occurrence of economic crime in the last year. Such frauds cost billions of dollars. Those who commit fraud have become craftier and are launching more complex plans. However, according to professional and expert opinion, only a few organizations are responding to the growing threats by tightening their controls and investing in fraud detection and prevention.
The “any-to-any” evolution already involves billions of internet-connected devices and is expected to grow many fold in the next few years. The IntSec Bulletin is a small step towards making our users aware of internet security.
in-transit encryption
Vulnerability worse than Heartbleed and Shellshock
Cloud computing is the technology that has completely changed the way we use the internet for personal and business purposes. From running a complete web application on a virtual server to backing up our personal files on online storage, we use cloud technology. Researchers have developed many encryption technologies to keep our files secure and encrypted on the cloud. But the issue we found in the CCFIS research labs is in the channel through which our files are sent: our files are only encrypted once they reach the server, not in transit.
The biggest issue with this attack vector is that incredibly popular services like Dropbox and Google Drive, used for business as well as personal purposes, are vulnerable in their in-transit encryption. As per research conducted at CCFIS HQ, we found that data sent to these services is only encrypted once it is stored on the service, not in transit to the service.
In simpler words, the photos or files you upload are not encrypted the moment they leave your system. Hence the data is not encrypted, and ultimately not protected, before it reaches the cloud, and a hacker with advanced knowledge of man-in-the-middle attacks or sniffing can steal it.
There should be a mechanism for local encryption of the data before it leaves the system. But the challenge is that if the encryption algorithm is stored locally on the system, hackers can reverse engineer it to derive the decryption algorithm, and again the encrypted data can be captured in transit and decrypted.
To resolve this issue, the CCFIS team has already started working on an open-source cloud encryption tool that will act as a middleman agent between cloud-based services and users. The tool will give users a GUI for uploading data to the cloud. The file will be automatically encrypted before leaving the system, so the data will be encrypted even during transit. Hence the data will be protected in transit, and even if a user's cloud storage is compromised, the attacker will only get encrypted data.
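The local-encryption step described above, as an added example rather than the CCFIS tool itself: the file is sealed on the user's machine before any sync client sees it, so only ciphertext travels and only ciphertext rests with the provider. The keys are derived from a passphrase the user supplies at run time, not from anything stored in the program, so reading or reverse engineering the code does not by itself let anyone decrypt the data. To stay dependency-free the example builds an encrypt-then-MAC envelope from the Python standard library (PBKDF2 for key derivation, HMAC-SHA256 in counter mode as the keystream, a second HMAC as the integrity tag); a real tool would keep the same structure but use AES-GCM or ChaCha20-Poly1305 from a vetted library. The format marker, the sample document and the passphrase are constructed.

```python
"""Seal a file locally before it is handed to a cloud-sync client.

Added example for this bulletin, not CCFIS's tool. Standard-library-only
encrypt-then-MAC envelope:  MAGIC | salt | nonce | ciphertext | tag
"""
import hashlib
import hmac
import secrets
import struct

MAGIC = b"CCFISX1"      # constructed format marker, not a real file format
SALT_LEN = 16
NONCE_LEN = 16
TAG_LEN = 32            # HMAC-SHA256 output
KDF_ITERATIONS = 100_000


def derive_keys(passphrase, salt):
    """Stretch the passphrase with PBKDF2 and split the result into enc and mac keys."""
    material = hashlib.pbkdf2_hmac("sha256", passphrase, salt, KDF_ITERATIONS, dklen=64)
    return material[:32], material[32:]


def keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode: block i = HMAC(key, nonce || i)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(plaintext, passphrase):
    """Encrypt then authenticate; a fresh salt and nonce per file."""
    salt = secrets.token_bytes(SALT_LEN)
    nonce = secrets.token_bytes(NONCE_LEN)
    enc_key, mac_key = derive_keys(passphrase, salt)
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    header = MAGIC + salt + nonce
    tag = hmac.new(mac_key, header + ct, hashlib.sha256).digest()
    return header + ct + tag


def open_envelope(blob, passphrase):
    """Verify the tag first; only then decrypt. Raises ValueError on any problem."""
    head_len = len(MAGIC) + SALT_LEN + NONCE_LEN
    if not blob.startswith(MAGIC) or len(blob) < head_len + TAG_LEN:
        raise ValueError("not a sealed envelope")
    header, ct, tag = blob[:head_len], blob[head_len:-TAG_LEN], blob[-TAG_LEN:]
    salt = header[len(MAGIC):len(MAGIC) + SALT_LEN]
    nonce = header[len(MAGIC) + SALT_LEN:]
    enc_key, mac_key = derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, header + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):      # constant-time comparison
        raise ValueError("wrong passphrase or tampered data")
    return bytes(c ^ k for c, k in zip(ct, keystream(enc_key, nonce, len(ct))))


def roundtrip_demo():
    """Constructed document standing in for a file that would otherwise leave in the clear."""
    doc = b"Tender bid: INR 4,20,00,000 - confidential"
    passphrase = b"correct horse battery staple"   # constructed; never stored in the program
    blob = seal(doc, passphrase)
    result = {
        "plaintext_visible_in_upload": doc in blob,
        "roundtrip_ok": open_envelope(blob, passphrase) == doc,
    }
    try:
        open_envelope(blob, b"wrong passphrase")
        result["wrong_passphrase_rejected"] = False
    except ValueError:
        result["wrong_passphrase_rejected"] = True
    # Flip one bit of the last ciphertext byte: the tag check must catch it.
    i = len(blob) - TAG_LEN - 1
    tampered = blob[:i] + bytes([blob[i] ^ 0x01]) + blob[i + 1:]
    try:
        open_envelope(tampered, passphrase)
        result["tamper_detected"] = False
    except ValueError:
        result["tamper_detected"] = True
    return result


if __name__ == "__main__":
    print(roundtrip_demo())
```

What leaves the machine is the sealed blob, which carries only a random salt, a random nonce, ciphertext and a tag; a capture in transit, or a copy taken from the provider, is useless without the passphrase, and any modification is rejected before decryption is attempted.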
mayhem
Linux botnet 'Mayhem' spreads through Shellshock exploits
We all know about Shellshock, a bug that is game over for any Linux user. The Shellshock bug was discovered recently and left many systems and servers vulnerable.
Earlier in 2014, when we deployed our Advanced Threat Protection Sensor (ATP Sensor), which captures malware and attacks at different national and international locations, we captured a sophisticated malware called Mayhem. After malware analysis and reverse engineering, our malware analysis team confirmed that it is installed through a PHP script that attackers upload to servers via compromised FTP passwords, website vulnerabilities or brute-forced site administration credentials.

Mayhem’s main component is a malicious ELF (Executable and Linkable Format) library file that, after installation, downloads additional plug-ins and stores them in a hidden, encrypted file system. The plug-ins enable attackers to use the newly infected servers to attack and compromise additional sites. After reverse engineering, we found that around 1,400 infected servers were connecting to two separate command-and-control servers.
Recently we captured another variant of Mayhem. After deep analysis, our malware analysis team found that Mayhem’s authors have added Shellshock exploits to the botnet’s arsenal. We also found that the Shellshock attacks originating from the Mayhem botnet target web servers with CGI support. The bots probe web servers to determine whether they are vulnerable to the Bash flaws and then exploit them to execute a Perl script.
This upgraded script contains malicious Mayhem ELF binaries for both 32-bit and 64-bit CPU architectures embedded in it as hexadecimal data, and it uses the LD_PRELOAD mechanism to extract and run them on the system.
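One way an examiner can find the CGI probing described above in ordinary web-server access logs, added here as an example (not CCFIS's ATP Sensor or any Mayhem component): a Bash function definition, `() {`, arriving in a request header such as User-Agent or Referer is the Shellshock tell, since no legitimate client sends one, and a 200 response on a `/cgi-bin/` path means the handler actually ran with that hostile environment, so that host needs to be checked rather than just the probing address blocked. The log lines are constructed in combined log format, with the probe bodies reduced to a harmless echo.

```python
"""Find Shellshock probes against CGI scripts in combined-format access logs.

Added example for this bulletin; not CCFIS tooling. Log lines are constructed.
"""
import re

# Combined log format: ip ident user [time] "request" status bytes "referer" "user-agent".
# Header fields here contain no embedded quotes; escaped quotes would need a richer pattern.
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# A Bash function definition in an HTTP header: the marker Shellshock exploitation leaves.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [03/Oct/2014:10:21:07 +0530] "GET /cgi-bin/status.cgi HTTP/1.1" 200 512 "-" "() { :;}; echo probe"
198.51.100.4 - - [03/Oct/2014:10:21:09 +0530] "GET /cgi-bin/test.cgi HTTP/1.1" 404 209 "() { :;}; echo probe" "Mozilla/5.0"
192.0.2.20 - - [03/Oct/2014:10:22:41 +0530] "GET /index.html HTTP/1.1" 200 3120 "-" "Mozilla/5.0 (Windows NT 6.1)"
192.0.2.21 - - [03/Oct/2014:10:23:00 +0530] "GET /cgi-bin/status.cgi HTTP/1.1" 200 512 "-" "curl/7.35.0"
"""


def parse_access_log(text):
    """Parse each matching line into a dict; lines in another format are skipped."""
    entries = []
    for line in text.splitlines():
        m = CLF_RE.match(line)
        if m:
            d = m.groupdict()
            d["status"] = int(d["status"])
            entries.append(d)
    return entries


def find_shellshock_probes(entries):
    """One finding per request that carries a function definition in a header field."""
    findings = []
    for e in entries:
        for field in ("ua", "referer"):
            if SHELLSHOCK_RE.search(e[field]):
                findings.append({
                    "ip": e["ip"],
                    "path": e["path"],
                    "field": field,
                    "status": e["status"],
                    # 200 on a CGI path: the script ran under the attacker's
                    # environment, so treat the host as possibly compromised.
                    "likely_executed": e["status"] == 200 and e["path"].startswith("/cgi-bin/"),
                })
    return findings


if __name__ == "__main__":
    for f in find_shellshock_probes(parse_access_log(SAMPLE_ACCESS_LOG)):
        print(f)
```

A probe that drew a 404 tells you who is scanning; a probe that drew a 200 from an existing CGI tells you which host to image and check for dropped files and unexpected processes.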
badUSB
We use USB every day, from phones to laptops to servers and whatnot. We all have more than 10 devices in our offices and homes that interact over USB. Nowadays almost every device has USB connectivity; even healthcare equipment has USB ports for different purposes. We knew about the possibility of hardware backdooring, but the procedure and programs were confidential and not accessible to common people. At a recent Black Hat conference, however, the process was demonstrated publicly and the source code was uploaded to GitHub for anyone to download and tinker with.

The CCFIS research lab found that such backdooring is possible not only in USB drives but can be done very easily in keyboards, cameras, printers and almost any component that connects via USB. The vulnerability exists in the USB controller chip’s firmware, which offers no protection against reprogramming and reverse engineering. After reverse engineering, even a thumb drive can be used to compromise a computer or an entire network. Following are some BadUSB threats:
· Any USB device can emulate a keyboard and issue commands on behalf of the logged-in user, for example to install malicious files or malware.
· A small pen drive can spoof a network card, change the computer’s DNS settings and redirect all traffic to the hacker’s IP.
· It can also be configured to infect the system before it boots up. The malware can detect when the computer is booting and plant a small virus at boot.
Backdooring is possible by many other techniques too. Hackers can read the program stored on a keyboard’s microcontroller, bind it with malicious code and write it back to the keyboard. If the installed microcontroller does not allow rewriting, they can install a new microcontroller carrying the malicious code. We also found that adding another microcontroller alongside the original is possible. Such a keyboard will then send everything typed on it to the hacker’s FTP server.
Unfortunately there is no effective way to detect a malicious USB device, because a malware scanner or antivirus cannot access the firmware running on a USB device. USB firewalls that block certain device classes do not exist to date. Behavioral analysis is also quite difficult, since a BadUSB device’s behavior when it changes its persona looks as though the user has simply plugged in a new device.
windows 10 technical preview keylogger
Microsoft is gathering information from its Windows 10 Technical Preview in every way possible.
Microsoft is keeping a very close eye on those participating in the    Windows 10 Technical Preview—closer than you might think, in fact.

The Technical Preview has been released for two reasons. First, it gives users a demo of the next big thing, Windows 10. But the other, more important reason for Microsoft is to gather data on both how Windows 10 is running on your system and how you are using the OS, and that may be why, according to researchers, it has installed a keylogger in the new Windows 10.
Well, how many of you actually read the “Terms of Service” and “Privacy Policy” documents before downloading or installing the Preview release of Windows 10? I believe none of us read those documents, because most computer users have a habit of ignoring the lengthy paragraphs and simply clicking "I Agree" and then "Next", which is not a good practice at all. Do you really know what permissions you granted Microsoft by installing the free Windows 10 Technical Preview edition? You actually gave permission to keylog your system.
If you are unaware of Microsoft’s new privacy policy, you should now pay attention to what the policy says. Microsoft is watching your every move on the latest Windows 10 Technical Preview, as mentioned in Microsoft's privacy policy, which indicates that the technology giant is using a keylogger to collect and use user data in a variety of ways without the user’s knowledge.

“If you open a file, we may collect information about the file, the application used to open the file, and how long it takes any use [of] it for purposes such as improving performance, or [if you] enter text, we may collect typed characters and use them for purposes such as improving autocomplete and spell check features,” the privacy policy states.
Essentially, by accepting the Windows 10 privacy policy you are allowing Microsoft to screen your files and log your keystrokes. This means that if you open a file and type, Microsoft has access to what you type and to the file's information. In our research lab, we found that all the keystrokes typed in Internet Explorer on Windows 10 were stored in the hidden location below:
C:\Users\CCFIS\AppData\Local\Microsoft\Windows\inetcache\low\ie\ZPBXU1LL
Microsoft says it may collect even more data. The company will be watching your apps for compatibility and collecting voice information when you use speech to text; this information will be used to improve speech processing, according to Microsoft. "When you acquire, install and use the Program, Microsoft collects information about you, your devices, applications and networks, and your use of those devices, applications and networks," the privacy policy states. "Examples of data we collect include your name, email address, preferences and interests; browsing, search and file history; phone call and SMS data; device configuration and sensor data; and application usage."
The data Microsoft collects could mean thousands of username and password combinations stored in a database somewhere.
Several researchers on security blogs have already started saying that Microsoft might have started a mass surveillance program in collaboration with some intelligence agencies. Whatever the rumors, at least Microsoft is asking you before using your data.
bot based bruteforce ‘ylmf-pc’
SMTP connection at HELO/EHLO matching machine name
We all use mail servers, cPanel and many other services that are somehow vulnerable to brute-force attacks. There are many best practices to block a brute-force attack, but everything fails when it is a targeted brute-force attack.

Recently our team received a case from one of our major clients: their mailboxes were being compromised no matter how complex the passwords they used, and confidential information about the organization was being leaked. During the investigation, we came to know that it was a successful brute-force attack on their SmarterMail installation, even though the server was properly updated and password policies were properly defined.
To confirm this, we clustered several systems in our cyber lab and launched a brute-force attack, and we were able to crack the password using bots installed on all the machines. We created one Command & Control server and controlled all the systems to launch a brute-force attack on one dummy account that used a strong password. The test attack was successful and the account was compromised. Then we realized that even after implementing all best practices, one cannot stop a brute-force attack.
Brute-forcing a 12-character password will take more than a year if the attack is performed from a single system and the user has used a combination of lower case, upper case, numbers and special characters.
But nowadays attackers have developed malware-based bots. Such a bot searches for vulnerable machines and servers connected to the internet, compromises them and connects back to the Command & Control server, which is the master of all these bots. If the bot has compromised 10,000 systems, the same password that would take a year to crack can be cracked in a few minutes.
Enabling CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) image verification does not always work, as hackers have already identified ways to bypass it, because almost all CAPTCHA verification APIs relied on the plain-text HTTP protocol to perform CAPTCHA validation. Because of this, the CAPTCHA provider’s identity is not validated, message authentication checks are not performed and the entire CAPTCHA validation takes place over an unencrypted channel. Also, one cannot implement CAPTCHA when the brute force is coming in over SMTP. Blocking an IP after a few failed login attempts will not work either, because in an organization thousands of users share the same gateway IP; if one user fails to log in to his account and crosses the limit, the gateway IP will be blocked by the server and no one from that organization will be able to access their mail.
At a later stage, we found a bot identifying itself as ‘ylmf-pc’ which was used to perform the brute-force attack to break the passwords of email accounts. The bot first compromised users across the globe and then performed the brute-force attack through these compromised users to hide its original IP and remain untraceable. In our research lab, we performed pattern analysis on the mail server logs, found the bot’s behaviour and were able to locate the Command & Control server.
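The log pattern analysis described above, as an added example and not CCFIS's actual procedure: instead of counting failures per source IP, which the text explains would lock out a whole organization behind one shared gateway, it groups authentication attempts by the HELO/EHLO name the client presents and flags a name that fails many times from many different addresses, then lists the accounts that were eventually logged into from such a source so they can be reset. The log lines are constructed in a simple illustrative format, not SmarterMail's real one, and the addresses come from documentation ranges.

```python
"""Spot a distributed SMTP AUTH brute force by the HELO name it presents.

Added example for this bulletin; not CCFIS tooling. The log format below is
constructed for the illustration, not SmarterMail's:
  <date> <time> [<client ip>] HELO <name> AUTH <OK|FAILED> user=<mailbox>
"""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[(?P<ip>[\d.]+)\] HELO (?P<helo>\S+) "
    r"AUTH (?P<result>OK|FAILED) user=(?P<user>\S+)$"
)

SAMPLE_LOG = """\
2014-10-03 11:02:17 [203.0.113.5] HELO ylmf-pc AUTH FAILED user=accounts@example.in
2014-10-03 11:02:18 [198.51.100.23] HELO ylmf-pc AUTH FAILED user=accounts@example.in
2014-10-03 11:02:18 [203.0.113.77] HELO ylmf-pc AUTH FAILED user=accounts@example.in
2014-10-03 11:02:19 [198.51.100.9] HELO ylmf-pc AUTH FAILED user=accounts@example.in
2014-10-03 11:02:19 [192.0.2.44] HELO ylmf-pc AUTH FAILED user=accounts@example.in
2014-10-03 11:02:20 [192.0.2.45] HELO ylmf-pc AUTH FAILED user=ceo@example.in
2014-10-03 11:02:21 [203.0.113.91] HELO ylmf-pc AUTH OK user=accounts@example.in
2014-10-03 11:03:02 [192.0.2.10] HELO office-gw.example.in AUTH FAILED user=ravi@example.in
2014-10-03 11:03:05 [192.0.2.10] HELO office-gw.example.in AUTH OK user=ravi@example.in
2014-10-03 11:03:40 [192.0.2.10] HELO office-gw.example.in AUTH OK user=priya@example.in
"""


def parse_log(text):
    """Parse matching lines into dicts; lines in another format are skipped."""
    return [m.groupdict() for m in (LOG_RE.match(l) for l in text.splitlines()) if m]


def analyze(events, min_failures=5, min_sources=3):
    """Group by HELO name and flag names that fail often from many different addresses."""
    by_helo = defaultdict(lambda: {"ips": set(), "failures": 0, "targets": set(), "ok": set()})
    for e in events:
        rec = by_helo[e["helo"]]
        rec["ips"].add(e["ip"])
        rec["targets"].add(e["user"])
        if e["result"] == "FAILED":
            rec["failures"] += 1
        else:
            rec["ok"].add(e["user"])
    suspicious = {}
    for helo, rec in by_helo.items():
        if rec["failures"] >= min_failures and len(rec["ips"]) >= min_sources:
            suspicious[helo] = {
                "source_ips": len(rec["ips"]),
                "failures": rec["failures"],
                "targets": sorted(rec["targets"]),
                "logged_in": sorted(rec["ok"]),   # a success from a brute-forcing source
            }
    # Any mailbox successfully opened from a flagged source needs a password reset.
    compromised = sorted({u for s in suspicious.values() for u in s["logged_in"]})
    return {"suspicious_helos": suspicious, "compromised_accounts": compromised}


def helo_reject_list(report):
    """Names worth rejecting at the HELO/EHLO stage, as the section title suggests."""
    return sorted(report["suspicious_helos"])


if __name__ == "__main__":
    report = analyze(parse_log(SAMPLE_LOG))
    for helo, s in report["suspicious_helos"].items():
        print(helo, s)
    print("reset:", report["compromised_accounts"], "reject HELO:", helo_reject_list(report))
```

The office gateway in the sample shows why the per-IP rule fails: one address, several users, one honest typo. The bot shows the opposite shape, one HELO string from many addresses hammering one mailbox, and the single success at the end is the compromise the client reported.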