
Victim of a ransomware? Call the Crypto Sheriff!

Ransomware is not new, but it is becoming more and more efficient and, consequently, claiming more victims.

RANSOMWARE: malware that encrypts the files on your hard disk, making them inaccessible to you, so that the criminals can demand a ransom in exchange for letting you decrypt them.

Even large companies, despite their multiple layers of security and anti-malware protections, fall victim to these. The luckiest can rely on their backups to restore the lost data; the others pay in cash, either to the criminals or in business losses, or sometimes both (as paying does not always guarantee that you will get a cure).

Ransomware is a plague against which smaller companies and individuals are often defenceless. Not anymore, as Crypto Sheriff has arrived.


Crypto Sheriff is a free service brought to you by Europol, the Dutch police, Kaspersky Lab and Intel Security (formerly McAfee) through the website https://www.nomoreransom.org.

It allows you to submit samples of encrypted files and copies of the ransom note so that the malware used can be identified and, possibly, a cure found. It also provides decryption tools that work against some of the most common ransomware families, such as Chimera, TeslaCrypt or CoinVault.

Moreover, as prevention is always better than damage control, it also gives you some basic tips to prevent such an infection in the first place.

Let’s visit the Crypto Sheriff. Hihaaa!

Google (also) knows what you said last summer

After "Google knows what you did last summer", this summer we will give you a little hint to discover (and it might be creepy) all the things you said to your Android phone or to Google search (sometimes just by hitting the wrong button or by saying “OK Google”).

Yes, Google likes to keep everything and also to share it with you (in case you would like to remember all that stuff). You just have to go to My Activity on Google (https://myactivity.google.com/myactivity) to get the complete list of things you said to your phone (search this, call Bob, launch this application) and of everything else your microphone heard at the same time.

Privacy? At least now you know (a bit more about the cost of using free tools).

By the way, some hackers are using this function to hack your phone by embedding sounds in YouTube videos that trigger the voice recognition function without being perceived as a command by a human. If you find something strange in the list, you will know where it came from.

You’ve been notified!

OK Google, close this page!

Sauron, an APT created by a government?

A few days ago, on the 9th of August, Kaspersky Lab released several reports on the newly discovered Project Sauron APT (Advanced Persistent Threat). Based on Kaspersky Lab's forensic analysis, this APT had been running since at least 2011 in military and governmental agencies around the world. Five years: it is indeed persistent, isn’t it? It is also advanced because, from what we can deduce from Kaspersky’s technical analysis, this APT is more a framework than a “simple” Trojan. It is a set of services and code spread across Windows server services, used to copy, sniff, decrypt, encrypt and exfiltrate data, and it was even found on air-gapped computers. It is clearly targeted at finding sensitive information protected by a very specific encryption technology. It is also polymorphic, as it changes its “appearance” (such as the name of the DLL it hides behind) on each installation. Finally, it exfiltrates data through standard channels like DNS or email in order to avoid detection.

Kaspersky named it Project Sauron because the name is used in the Lua scripts of the framework as a variable name prefix (Symantec called it Strider). The use of Lua (a scripting language very popular amongst gamers) is also quite exceptional in the malware world.

This combination of zero-day exploits (code exploiting previously unknown vulnerabilities), modularity, polymorphism, strong encryption techniques (like RSA-2048, RC6 and AES), the use of normal channels for exfiltration in order to avoid detection and the long-lasting infection (2011-2016) makes it a “top of the top” (sic), state-of-the-art APT.

What also makes it exceptional is that Sauron targeted military and governmental agencies around the world, not the everyday computer systems used by SMEs. Some of these targets have multiple layers of protection and detection systems, anti-viruses, security analysts, firewalls, network segregation and so on. They even run some of their services on air-gapped (not connected to the Internet) servers or networks. Even there, Sauron was able to get in and out using the USB keys used to update the systems. Bottom line: Sauron was evading the security measures of some of the best actors on the market. What an achievement!

So, looking at this level of complexity, some will directly point at the NSA, the MI6 and the GCHQ, or why not the FSB (Russia was listed amongst the victims, but it is a well-known technique to take your own poison in order to avoid suspicion of being the poisoner). But states are not the only actors in the market with such capabilities. Symantec points to a group called Strider (hence its name for the attack) as the mastermind behind it. For years now, cyber-criminal organizations have been growing in importance and size. With an estimated revenue of a trillion (1,000 billion $) per year, supposing that a single organization generates 1/1000 of this revenue, i.e. 1 billion $ per year, is not a crazy idea. 1 billion $ of revenue for an organization of hackers is quite a lot of money, and the means to develop such an attack and set it in motion. As long as there is a return on the investment (and there will likely be states ready to buy such valuable information), criminals are never far away.

It also means that, if this project is at least 5 years old, the attackers must by now have much more efficient and stealthier malware in place somewhere else (or in the same places). It also means that such a vector will become more widely available in the community, and hence more frequent, like any technical progress in a market. If Sauron is a “private sector” product, how can we protect ourselves against organizations with such means? We often accept that we are basically powerless against state espionage. Should we do the same with (large) criminal organizations in the (near) future?

More on the subject: