Thwarting APT

Hey Everyone, I wanted to tell you about a great blog post that the CTO and Co-Founder of AlgoSec wrote at Infosec Island, titled “Back to basics: how simple techniques can thwart complex APT attacks.”

In the article he lays out some basic things that everyone can do to lower their risk level. I wanted to share some of his excellent, simple steps that any enterprise can take. He writes:

“Whilst it is very difficult to prevent attackers from carrying out the first stage in their APT journey – after all, there’s nothing particularly secretive about many OSINT scanning techniques – it is possible to prevent them from laterally moving across your network in search of your valuable data, with some back-to-basics principles.

  • Segment your network. Break up your flat internal network into multiple zones, based on the use pattern and category of data processed within each zone. This segmentation then prevents the APT from jumping from one ‘stepping stone’ machine to another.
  • Place firewalls to filter traffic between those zones. ‘Choke points’ – i.e. firewalls – must be placed between the zones to filter the traffic entering and exiting. In other words, firewalls must be placed on internal, lateral traffic paths, not just your network perimeter.
  • Write restrictive security policies for those firewalls to enforce. Gartner Research has suggested that 99% of firewall breaches are caused by firewall misconfigurations, not firewall flaws. The message is clear – your firewalls absolutely must be configured accurately and intelligently, to analyze and block the kind of internal communications that signal APTs.”
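The three steps quoted above (segment, put choke points between zones, keep the rules restrictive) are easy to state and easy to get wrong in a rule base of a few hundred lines. Below is an added example, not code from AlgoSec or the article, of a small policy lint that flags the misconfigurations the quote warns about: allow rules with a zone or service wildcard, admin protocols allowed from a less-trusted zone into a more-trusted one, and a policy that does not end with an explicit any/any deny. The zone names, trust ordering, rule format and sample policy are all constructed for illustration.

```python
"""Lint an inter-zone firewall policy for the basics the article stresses.

Added example, not AlgoSec code. Zones, trust ordering, the rule format and
the sample policy are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List

# Constructed trust ordering: a higher number means a more sensitive zone.
ZONE_TRUST = {"internet": 0, "dmz": 1, "users": 2, "servers": 3, "data": 4}

# Services that carry interactive/admin access and are typical lateral-movement paths.
ADMIN_SERVICES = {"tcp/22", "tcp/135", "tcp/445", "tcp/3389", "tcp/5985"}


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str   # zone name or "any"
    dst_zone: str   # zone name or "any"
    service: str    # "proto/port" or "any"
    action: str     # "allow" or "deny"


def lint_rule(rule: Rule) -> List[str]:
    """Return the findings for one rule. Deny rules are never a finding."""
    findings: List[str] = []
    if rule.action != "allow":
        return findings
    if "any" in (rule.src_zone, rule.dst_zone):
        findings.append("zone wildcard: rule does not pin both zones")
    if rule.service == "any":
        findings.append("service wildcard: every port and protocol allowed")
    src, dst = ZONE_TRUST.get(rule.src_zone), ZONE_TRUST.get(rule.dst_zone)
    lateral = rule.service == "any" or rule.service in ADMIN_SERVICES
    if src is not None and dst is not None and src < dst and lateral:
        findings.append("admin/any service allowed from a less-trusted zone into a more-trusted one")
    return findings


def lint_policy(rules: List[Rule]) -> Dict[str, List[str]]:
    """Lint every rule and check that the policy ends with an explicit any/any deny."""
    report: Dict[str, List[str]] = {}
    for rule in rules:
        findings = lint_rule(rule)
        if findings:
            report[rule.name] = findings
    last = rules[-1] if rules else None
    default_deny = (
        last is not None
        and last.action == "deny"
        and (last.src_zone, last.dst_zone, last.service) == ("any", "any", "any")
    )
    if not default_deny:
        report["_policy"] = ["no explicit final any/any deny: unmatched traffic is not blocked"]
    return report


# Constructed sample policy with a few deliberate mistakes.
SAMPLE_POLICY = [
    Rule("web-in", "internet", "dmz", "tcp/443", "allow"),
    Rule("dmz-to-db", "dmz", "data", "tcp/5432", "allow"),
    Rule("users-to-servers", "users", "servers", "any", "allow"),
    Rule("users-rdp-data", "users", "data", "tcp/3389", "allow"),
    Rule("smb-everywhere", "any", "any", "tcp/445", "allow"),
    Rule("cleanup", "any", "any", "any", "deny"),
]

if __name__ == "__main__":
    for name, findings in lint_policy(SAMPLE_POLICY).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

Running it against the sample flags the users-to-servers rule twice (wildcard service, and a low-to-high path), the RDP rule into the data zone, and the SMB rule that pins no zones at all; the two tightly scoped rules pass. Remove the final deny and the policy itself is reported. The same trust-ordering check is what stops a “stepping stone” rule base from quietly undoing the segmentation.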

This is excellent advice for anyone looking to lower the risk of APT in their environment, and good practice in any event. In the article he also explains the different steps an attacker takes to infiltrate your network. See the full article here at:
Flaw in Facebook Messenger found!

Check Point Software disclosed details about a vulnerability found in Facebook Messenger, both in the online and mobile applications. Following Check Point’s responsible disclosure, Facebook promptly fixed the vulnerability.

Check Point Security Researcher Roman Zaikin discovered that the vulnerability allows an attacker to control a Facebook chat and alter its messages at will, including deleting them and replacing text, links, and files.

There are a few potential attack vectors that abuse this vulnerability, one of which could be used to distribute malware. Given Facebook’s vital role in everyday activities worldwide, these schemes could have a severe impact on users.

Check out a video demo of it here:

You can also read the specifics here:
Hacking WhatsApp

This was a great blog post by Vijay Prabhu from Techworm, which explained both in writing and with videos how easy it is to take advantage of an SS7 telecom flaw that has been known since 2008! Check it out here:

How To Hack WhatsApp Using SS7 Flaw

How Forensics is Better Than Detection

A friend and colleague of mine, Elijah Bagdonas, recently sent me an awesome explanation of Check Point’s Forensics software. This software is a must-have for any enterprise today. I wanted to share his writing with you.

In the world of anti-malware most people are satisfied with good detection capabilities. But when we really stop to think about what detection gives us, it’s rather disappointing. It’s little more than a big red flashing light that says “ALERT: SOMETHING HAPPENED!” The question then becomes, what is that something that happened and what should I do about it? Here’s where the headache begins.

In most cases of virus detection the administrator has three realistic options:

  • Rely on Anti-Malware quarantine to clean up the mess
  • Re-Image the computer
  • Traditional forensic analysis

In the case of Anti-Malware quarantine we first have to “know” about the malware. We must be able to identify a signature or behavior and be able to stop the infection before it starts. Sometimes malware can occur in a series of processes and we are only able to detect the last element in the chain. If we eliminate the known elements, the unknown elements can propagate again, putting us into an infection loop. We also can’t identify the damage done during the infection. Even though we detect the malware, it may have already accomplished its goal and we have no way of knowing.

Our second option has its own set of headaches. Re-imaging a computer is often the easy way out but it can be of great inconvenience to the user-base. This invasive process can often leave you with lost data and disruptive downtime to the end user resulting in lost productivity. This will also not protect you from future attacks of the same malware.

The final approach is traditional analysis of the machine to see what happened and how it can be reversed. This kind of skill is very scarce given the advanced malware we see today, and it requires specialized training. Traditional analysis is also very time consuming and costly to perform, and advanced malware can often clean up its own tracks before you get a chance to discover it.

There’s a better way

With the introduction of Check Point’s Endpoint Forensics we now have a way to see the whole picture. By keeping tabs on any and all changes that occur on the system, we can develop a comprehensive image of EXACTLY what happened when the infection hit in an easy to digest roadmap.
In this example, the oem7ec2.exe process triggered a malware event. Since we’ve been keeping tabs on the changes, we can backtrack and find out exactly what happened (even across system boots). Let’s look at the steps that brought us to this point.

  • Chrome process launched
  • Chrome exploit is used while browsing to launch the handle.tmp process
  • The .tmp process schedules a shellcode download to occur on next boot
  • The .exe payload is downloaded and run on startup
  • Malicious code runs and sends personal data to the C&C center

Since we know the whole story and all of the processes involved, we can also see that companysecret.doc was sent outbound resulting in a loss of data.

With this roadmap, not only do we have the complete picture of the steps involved, but a means to clean it up. Knowing all the steps means we can dynamically generate a script to clean up the mess that was left behind for easy remediation.

Armed with knowledge of everything involved it’s easy to see why Endpoint Forensics is clearly better than detection.
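To make the “roadmap” idea above concrete, here is an added example, not Check Point code, of how an endpoint that records every change can walk backwards from an alert to the root cause and then turn what it found into a clean-up list. The event schema and the sample events are constructed to loosely mirror the chrome.exe, handle.tmp and oem7ec2.exe story told above; a real product records far more fields. Two details a practitioner cares about are built in: processes are keyed by (boot, pid) because pids are reused after a reboot, and the scheduled task is what lets the trace cross the reboot boundary.

```python
"""Reconstruct an infection chain from endpoint change records and derive a
remediation plan.

Added example, not Check Point code. The event schema and sample events are
constructed; names mirror the story in the post above.
"""
from typing import Dict, List, Tuple

Key = Tuple[int, int]  # (boot, pid): pids are reused after a reboot, so pid alone is ambiguous

# Constructed event log in recording order (not real product output).
EVENTS: List[Dict] = [
    {"boot": 1, "seq": 1, "type": "process_start", "pid": 100, "ppid": 1, "image": "chrome.exe"},
    {"boot": 1, "seq": 2, "type": "file_write", "pid": 100, "path": r"C:\Users\alice\AppData\Local\Temp\handle.tmp"},
    {"boot": 1, "seq": 3, "type": "process_start", "pid": 101, "ppid": 100, "image": "handle.tmp"},
    {"boot": 1, "seq": 4, "type": "file_write", "pid": 101, "path": r"C:\Users\alice\AppData\Roaming\oem7ec2.exe"},
    {"boot": 1, "seq": 5, "type": "scheduled_task", "pid": 101, "task": "Updater"},
    # Next boot: the task scheduler (pid 4 here) starts the payload; the task name links the two boots.
    {"boot": 2, "seq": 1, "type": "process_start", "pid": 200, "ppid": 4, "image": "oem7ec2.exe", "via_task": "Updater"},
    {"boot": 2, "seq": 2, "type": "file_read", "pid": 200, "path": r"C:\Users\alice\Documents\companysecret.doc"},
    {"boot": 2, "seq": 3, "type": "net_connect", "pid": 200, "dst": "203.0.113.10:443", "bytes_out": 48213},
    {"boot": 2, "seq": 4, "type": "alert", "pid": 200, "rule": "malware"},
]


def index_processes(events: List[Dict]) -> Dict[Key, Dict]:
    return {(e["boot"], e["pid"]): e for e in events if e["type"] == "process_start"}


def index_tasks(events: List[Dict]) -> Dict[str, Key]:
    """Task name -> the process that registered it (the persistence hop across reboots)."""
    return {e["task"]: (e["boot"], e["pid"]) for e in events if e["type"] == "scheduled_task"}


def alert_key(events: List[Dict]) -> Key:
    first = next(e for e in events if e["type"] == "alert")
    return (first["boot"], first["pid"])


def trace_chain(events: List[Dict], start: Key) -> List[Key]:
    """Walk parent links backwards from the alerting process, crossing a reboot
    through the scheduled task that launched it. Returns the chain root first."""
    procs, tasks = index_processes(events), index_tasks(events)
    chain: List[Key] = []
    key = start
    while key in procs and key not in chain:  # 'not in chain' guards against cyclic records
        chain.append(key)
        proc = procs[key]
        if proc.get("via_task") in tasks:
            key = tasks[proc["via_task"]]
        else:
            key = (proc["boot"], proc["ppid"])
    chain.reverse()
    return chain


def chain_images(events: List[Dict], start: Key) -> List[str]:
    procs = index_processes(events)
    return [procs[k]["image"] for k in trace_chain(events, start)]


def collect_artifacts(events: List[Dict], chain: List[Key]) -> Dict[str, list]:
    """Everything the chain's processes left behind, plus files that were read and
    then followed by an outbound connection from the same process (treated as exfiltrated)."""
    keys = set(chain)
    arts: Dict[str, list] = {"files": [], "tasks": [], "exfiltrated": []}
    pending_reads: Dict[Key, List[str]] = {}
    for e in sorted(events, key=lambda e: (e["boot"], e["seq"])):
        k = (e["boot"], e["pid"])
        if k not in keys:
            continue
        if e["type"] == "file_write":
            arts["files"].append(e["path"])
        elif e["type"] == "scheduled_task":
            arts["tasks"].append(e["task"])
        elif e["type"] == "file_read":
            pending_reads.setdefault(k, []).append(e["path"])
        elif e["type"] == "net_connect" and e.get("bytes_out", 0) > 0:
            for path in pending_reads.pop(k, []):
                arts["exfiltrated"].append((path, e["dst"]))
    return arts


def remediation_plan(events: List[Dict], start: Key) -> List[str]:
    """Turn the chain and its artifacts into an ordered clean-up list."""
    procs = index_processes(events)
    chain = trace_chain(events, start)
    arts = collect_artifacts(events, chain)
    current_boot = max(e["boot"] for e in events)
    plan = [f"kill {procs[k]['image']} (pid {k[1]})" for k in chain if k[0] == current_boot]
    plan += [f"remove scheduled task {t}" for t in arts["tasks"]]
    plan += [f"delete {p}" for p in arts["files"]]
    plan += [f"report exfiltration of {p} to {dst}" for p, dst in arts["exfiltrated"]]
    return plan


if __name__ == "__main__":
    start = alert_key(EVENTS)
    print(" -> ".join(chain_images(EVENTS, start)))
    for step in remediation_plan(EVENTS, start):
        print(step)
```

The trace recovers chrome.exe -> handle.tmp -> oem7ec2.exe even though the alert fired a boot later than the browser exploit, and the plan lists the dropped files, the persistence task and the document that left the machine. Only processes from the current boot are marked for termination; the earlier ones no longer exist, which is exactly why the recorded history matters.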

US-CERT to Windows Users: Apple Ends Support for QuickTime for Windows

I wanted to share this with everyone, as it is something that is very important for folks to do. Krebs on Security recently reported that Microsoft is telling users to remove Apple QuickTime over security concerns. Krebs reports:

“Microsoft Windows users who still have Apple Quicktime installed should ditch the program now that Apple has stopped shipping security updates for it, warns the Department of Homeland Security’s U.S. Computer Emergency Readiness Team (US-CERT).

Computers running QuickTime for Windows will continue to work after support ends. However, using unsupported software may increase the risks from viruses and other security threats. Potential negative consequences include loss of confidentiality, integrity, or availability of data, as well as damage to system resources or business assets. The only mitigation available is to uninstall QuickTime for Windows.”

See the post from Apple: “QuickTime 7 for Windows is no longer supported by Apple”.
Thanks to Brian Krebs at Krebs on Security for alerting us to this.

Adobe Critical Vulnerability and Patch

Brian Krebs wrote an article at Krebs on Security about Adobe. It seems they had to rush out an emergency patch because the security hole was already being exploited in active attacks.

Adobe said a “critical” bug exists in all versions of Flash, including Flash versions and lower (older), across a broad range of systems: Windows, Mac, Linux and Chrome OS.

Check out the full article here at:
MDM for iPhone/iPad – You are at Risk!

Check Point disclosed details about SideStepper, a vulnerability that can be used to install malicious enterprise apps on iPhone and iPad devices enrolled with a mobile device management (MDM) solution. The Check Point mobile research team presented details about this vulnerability at Black Hat Asia 2016 in Singapore on April 1, 2016. The vulnerability impacts millions of iPhone and iPad devices enrolled with an MDM solution.

Read about it here:
“Drown” Attack

There is a great article written by Swati Khandelwal on the “Drown” attack. It is yet another attack against OpenSSL. Swati writes:

“DROWN stands for “Decrypting RSA with Obsolete and Weakened eNcryption.”

DROWN is a cross-protocol attack that uses weaknesses in the SSLv2 implementation against transport layer security (TLS), and that can decrypt passively collected TLS sessions from up-to-date clients…It is a low cost attack that could decrypt your sensitive, secure HTTPS communications, including passwords and credit card details…

…and that too in a matter of hours or in some cases almost immediately, a team of 15 security researchers from various universities and the infosec community warned Tuesday.”

This is a great read, including some diagrams of how the attack is carried out. Check it out here at: Hacker-News

Good Times!

More Ransomware called Locky

There is a new type of Ransomware currently taking the internet by storm. It is being spread via Office 365 or by an email in the form of an invoice, which carries an attached Word doc with embedded macros. It encrypts everything, and you either have to wipe your PC or pay between $200 and $800 to decrypt it.

*The Locky Ransomware can also encrypt your network backups, so beware!*

Kevin Beaumont, along with Larry Abrams of BleepingComputer, initially discovered the existence of the Locky encryption virus.

Here is an excerpt taken from The Hacker News: “Once a user opens a malicious Word document, the doc file gets downloaded to their system. However, the danger comes when the user opens the file, finds the content scrambled, and sees a popup that says “enable macros”.

Here comes the bad part:
  • Once the victim enables the (malicious) macro, he/she downloads an executable from a remote server and runs it.
  • This executable is nothing but the Locky Ransomware that, when started, will begin to encrypt all the files on your computer as well as the network.

Locky Ransomware affects nearly all file formats; it encrypts all the files and replaces the filename with a .locky extension.”

You can read more about Locky at Kevin’s blog post here:

Time to move those backups from network accessibility!!
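The excerpt above makes the delivery path plain: an emailed Word document that asks the user to enable macros. A mail gateway can refuse that document before anyone sees the popup. Below is an added example, not code from The Hacker News, BleepingComputer or any vendor, of how to inspect an Office attachment for a VBA project: modern OOXML files are zip containers, so the check looks for the `word/vbaProject.bin` part and, as a fallback, for the VBA content type declared in `[Content_Types].xml`. Legacy binary `.doc` files (OLE containers, recognised by their magic bytes) are routed to manual review rather than silently allowed, because they need a separate OLE parser. The two sample “attachments” are constructed in memory and contain no real macro code, only the parts a macro-enabled document would have.

```python
"""Flag Office attachments that carry VBA macros.

Added example, not from any vendor or news source. The sample documents built
by make_ooxml() are constructed minimal OOXML containers, not real Word files.
"""
import io
import zipfile
from typing import Optional

VBA_PART = "word/vbaProject.bin"
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"  # signature of the legacy binary .doc container
MACRO_EXTENSIONS = (".docm", ".dotm", ".xlsm", ".xltm", ".pptm")


def has_vba_macros(data: bytes) -> Optional[bool]:
    """True if an OOXML document carries a VBA project, False if it is a plain
    OOXML document, None if the bytes are not a parsable OOXML container."""
    if data.startswith(OLE_MAGIC):
        return None  # legacy binary Office file: needs an OLE parser, handled separately
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            if VBA_PART in zf.namelist():
                return True
            # The VBA part may sit under another name; the package manifest still declares its type.
            manifest = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            return VBA_CONTENT_TYPE in manifest
    except (zipfile.BadZipFile, KeyError):
        return None


def attachment_verdict(filename: str, data: bytes) -> str:
    """Gateway policy: block macro-bearing documents, allow plain OOXML, and send
    anything that cannot be parsed (including legacy .doc) to manual review."""
    macros = has_vba_macros(data)
    if macros is True:
        return "block: VBA project present"
    if macros is None:
        return "review: not a parsable OOXML document"
    if filename.lower().endswith(MACRO_EXTENSIONS):
        return "block: macro-enabled extension"
    return "allow"


def make_ooxml(with_macros: bool, vba_part: str = VBA_PART) -> bytes:
    """Build a constructed minimal OOXML container for testing (not a real document)."""
    main_ct = (
        "application/vnd.ms-word.document.macroEnabled.main+xml" if with_macros
        else "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
    )
    manifest = [
        '<?xml version="1.0" encoding="UTF-8"?>',
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">',
        f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>',
    ]
    if with_macros:
        manifest.append(f'<Override PartName="/{vba_part}" ContentType="{VBA_CONTENT_TYPE}"/>')
    manifest.append("</Types>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "\n".join(manifest))
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            zf.writestr(vba_part, b"constructed placeholder, not a real VBA project")
    return buf.getvalue()


if __name__ == "__main__":
    for name, data in [
        ("invoice.docx", make_ooxml(False)),
        ("invoice.docx", make_ooxml(True)),
        ("invoice.doc", OLE_MAGIC + b"\x00" * 24),
    ]:
        print(name, "->", attachment_verdict(name, data))
```

The extension is checked last on purpose: a `.docx` name on a file that contains a VBA project is still blocked, because the verdict is driven by the content rather than the label the sender chose. Stripping or quarantining macro-bearing mail attachments at the gateway removes the “enable macros” decision from the user entirely, which is the point at which the Locky chain begins.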