Category Archives: Information Security

Sauron, an APT created by a government?

A few days ago, on the 9th of August, Kaspersky Lab released several reports on the newly found Project Sauron APT (Advanced Persistent Threat). Based on Kaspersky Lab's forensic analysis, this APT had been running since at least 2011 in military or governmental agencies around the world. 5 years: it is indeed persistent, isn’t it? It is also advanced because, from what we can deduce from Kaspersky’s Technical Analysis, this APT is more a framework than a “simple” Trojan. It is a set of services and code disseminated across the Windows server services, used to copy, sniff, decrypt, encrypt and exfiltrate data, and it was even found on air-gapped computers. It is also clearly targeted at finding sensitive information protected by a very specific encryption technology. It is polymorphic as it changes its “appearance” (like the name of the DLL it hides behind) on each installation. It also exfiltrates data through standard channels like DNS or email in order to avoid detection.

Kaspersky named it Project Sauron because the name is used in the Lua scripts of the framework as a variable name prefix (Symantec called it Strider). The use of Lua (a scripting language very popular amongst gamers) is also quite exceptional in the malware world.

This combination of zero-day exploits (code exploiting previously unknown vulnerabilities), modularity, polymorphism, strong encryption techniques (like RSA-2048, RC6, AES), the use of normal channels for exfiltration in order to avoid detection and the long-lasting infection (2011-2016) makes it a “Top of the top” (sic), state-of-the-art APT.

What also makes it exceptional is that Sauron targeted military and governmental agencies around the world and not your everyday computer system used by SMEs. Some of these targets have multiple layers of protection and detection systems: anti-viruses, security analysts, firewalls, network segregation and so on. They are even running some of their services on air-gapped (not connected to the Internet) servers or networks. Even there, Sauron was able to get in and out using the USB key used to update the systems. Bottom line, Sauron was evading the security measures of some of the best actors on the market. What an achievement!

So, looking at this level of complexity, some will directly point at the NSA, the MI6 and the GCHQ, or why not the FSB (Russia was listed amongst the victims, but it is a well-known technique to take your own poison in order to avoid being suspected of being the poisoner). But states are not the only actors in the market with such capabilities. Symantec points to a group called Strider (hence its name for the attack) as being the mastermind behind this attack. For years now, cyber-criminal organizations have been growing in importance and size. With a trillion (1,000 billion $) of estimated revenue per year, supposing there is one single organization that generates 1/1000 of this revenue, meaning 1 billion $ per year, would not be a crazy idea. 1 billion $ of revenue for an organization of hackers is quite a lot of money, and means, to develop and put such a kind of attack in motion. As long as there is a return on the investment (and there will likely be states ready to buy such valuable information), criminals are never far away.

It also means that if this project is at least 5 years old, the attackers must by now have much more efficient and stealthy malware in place somewhere else (or at the same place). It also means that such vectors will become more widely available in the community, hence more frequent, like any technical progress in a market. If Sauron is a “private sector” product, how can we protect ourselves from organizations with such means? We often accept that we are basically powerless against state espionage. Should we do the same with (large) criminal organizations in the (near) future?

More on the subject:

How to detect fake or stolen IDs?

Identification is one of the big challenges faced by security managers. It is a challenge when it comes to IT systems, but even before that, when it comes to identifying people. Even with the rise of national electronic identity cards (like the eID in Belgium), fake or stolen IDs are still possible.

Even better, you might just run a Google Image search using a picture of an eID (like the one below) and find other pictures of legitimate IDs available on the web (not to mention that this is a breach of the European data privacy regulation).

[Image: Fake-eid]

Sometimes, you might just receive a photograph of an eID, or even just an ID card number or National Register number, in a registration form or in a job application form. Whether it is for recruitment, a background check or customer identification (like the KYC, Know Your Customer, process for financial institutions), you might need to check, as much as possible, whether the credentials you have received are legit or not.

In Belgium, luckily for us, the Ministry of the Interior provides partial access to its database to validate an ID card number or a National Register number. This application, Checkdoc, will just tell you if the number is still valid (No Hit) or if it is outdated or stolen (Hit).

You need to register first before being able to use Checkdoc (https://www.checkdoc.be/). Also, notice that you have to inform your customers or contacts that you will run their information through the database before doing it.

Additionally, you’ll also find pictures of every type of ID card currently in use and an explanation of the various security features you can use to spot a fake.

(Updated on 13/08/2016)

At the international level, Interpol provides the same kind of service to airline operators through its Stolen and Lost Travel Documents (SLTD) database. Although there are plans to extend access to this service to other industries, it is not the case yet.


Good hunting!

Blockbusters, a new risk to add to our threats’ list?

On the 20th of July, BBC News announced that “Businesses in southern India have given their employees the day off on Friday so they can attend screenings of a new film starring Tamil cinema superstar Rajinikanth“.

According to BBC News, this decision was made because companies were trying “to avoid people calling in sick, turning off their phones or simply failing to turn up for work“.

“Crazy Indians”, some might say! But such behaviour has already happened in the US, and even, on a lesser scale, in Europe, when the latest opus of the Star Wars saga arrived in theaters. Some people were even sleeping in front of theaters to be sure to get their seats. In some places, the 4th of May, Star Wars Day (“May the 4th be with you”), is also considered a holiday. Of course, these are anecdotal, but they are growing in importance and frequency.

Although not frequent, the likelihood of blockbusters seems to be higher than that of earthquakes or tornadoes in some countries and a bit lower than that of flu epidemics. So, the probability of occurrence is not negligible. But what could be the impact on your business?

Let’s see what the future will be 🙂