overdue payment

Yesterday one of the mail admins at work forwarded me a message to take a look at. It was purporting to be from ANZ bank, suggesting a payment was due but macros should be enabled to view the document. It’s a pretty standard social engineering vector.

Obviously, this isn’t true. However, compared to other documents I’ve sighted recently a fair amount of effort has gone into this one, and there may have been some thought as to what bank the recipient may use. The other campaigns just seemed to indiscriminately select a bank – even one that didn’t operate in the location of the target. The document, as could be expected, has a macro attached to it that’s used to pull down malware from the internet. Heavy use of CallByName in conjunction with obfuscated strings and the banking vector would suggest it could be used to distribute Dridex, however there’s a possibility it could also be Locky. Unfortunately, by the time I had deobfuscated the contents of the macro the binary looks to have been removed from its host (I’ve put the feelers out on Twitter to see if anyone did) – but the process of deciphering the script to obtain the location for possible future incidents is still worth looking at.

herding sheep

It goes without saying that Pokemon GO is a craze of a magnitude that we haven’t seen for a long time, and undoubtedly one that will be around for quite some time. If memory serves me correctly, not even Angry Birds grew in popularity this rapidly – and it didn’t have the same positive effects (e.g. getting gamers outside and socialising with others).

“prepare for trouble, and make it double”

Whilst most observers may see the primary negative effect as the game being yet another contributor to mobile phone addiction – diluting what are likely already diluted “real world” skills – those of us with a more nefarious view of the world will see this as a prime opportunity to pop some shells. Just as the Rio Olympics have spurred a wave of phishing and malware attacks, it comes as no surprise that Pokemon GO has too. So, this made me think… exactly how covert can you make Android malware?

held to ransom

As of late I’ve been keeping fairly busy, unfortunately with not a lot that I can blog about. I’ve built a new house, planned some overseas travel for later in the year, am in the midst of planning a security conference with some of the other ISIG and OWASP blokes (more on that later) and have been incredibly excited about Battlefield 1. I could have been left for another month and probably remained quiet on the blogging front, alas someone has prompted me to break the silence.

After a recent incident I was quizzed by this someone about how I approach handling situations where defenses fail and malware does make an impact – and they suggested I make a blog post to explain this. Well, I’m feeling pretty motivated today so let’s make that happen.

Most days I receive a couple of suspect files, emails or URLs passed my way for inspection (the thought of those that I don’t receive is what keeps me awake at night), so I’ve selected one to illustrate my basic analysis process: a pretty standard case of ransomware via email, sent to one of our helpdesk staff.

building a higher wall

IISFortify is a suite of scripts I produce to optimise the configuration of Windows Schannel and IIS. It bolsters cryptographic standards and HTTP response headers. As my workplace is beginning to dip its feet in Server 2016 along with IIS 10, it is about time that the scripts for Server 2012 were updated, along with introducing scripts for Server 2016/Windows 10.

revisiting the watering hole – again

One of the most popular developments of mine, and in my opinion one of the most effective at what it is aimed to do, is the Pond Security Awareness Framework. In the last post I made regarding it, I had introduced the concept of multiple campaigns and collaboration via SignalR. Multiple users could work on the same campaign, saving and resuming work on them whenever they please. My problem was, however, that the attack vector was still limited to email – I wanted more. So, I have introduced an API, meaning that any method of attack can be used where code can be executed to POST to a URL.

Further to this, the code has now – finally – been made public under the Apache license.

building stronger walls

Speaking at OWASP NZ Day 2016 was certainly quite an experience. Prior to it I had only really spoken to local user groups: 30-50 people max – so being thrown in front of 600 pretty clued up people was, as some would say, akin to being thrown into the deep end. Sadly, I remain quite disappointed that I didn’t manage to catch many of the afternoon talks due to having a bright idea of taking the 6:30am flight to Auckland and subsequently falling asleep in my hotel room during the lunch break. However, what I did manage to see made one thing very clear: the only way a higher standard of security can be produced by your developers is by working alongside them as opposed to taking the stance of a dictator – shooting down their code, questioning their competency and generally doing anything that makes it clear you’re the boss.

In this post I’ll provide a recap on the main content of my talk: the ideas and solutions behind making security a core focal point of your development with minimal disruption to standard processes.

revisiting the watering hole

Earlier this year, in May, I wrote about a phishing framework that I used to mount a company-wide phishing campaign – for testing purposes, of course. Since then several other companies have used the application for the same purpose, and there has been some real interest in it within the local security community. This interest sparked a revival of the project: complete rearchitecture, redesign and rethinking of how it should be used. Whilst the code isn’t quite ready for public release and I haven’t started on documentation, in this post I’ll outline the new architecture and demonstrate a campaign from beginning to end.