Another month, another new rooting malware family for Android

ElevenPaths, 11 July 2016

Several months ago there was a media explosion about Android-rooting malware on Google Play. Those families were discovered by Cheetah Mobile Security Research Lab, Check Point, Lookout, FireEye, and Trend Micro and variously named NGE MOBI/Xinyinhe, Brain Test, Ghost Push, Shedun or Kemoge. In a previous report, we tried to connect the dots and concluded that there was a good chance each malware was developed by the same group, which had been evolving its techniques since 2014. Now it is happening again: there are numerous reports in the media about HummingBad, Hummer, and Shedun Reloaded. Do they belong to the same malware family? It all depends which lab is doing the analysis.

Three different families or not?

HummingBad

In February, Check Point alerted the market about HummingBad. It followed the same "rules" established by the Brain Test family: it introduces a rootkit on the phone, is almost impossible to remove, and installs fraudulent apps automatically. But it was stunningly more sophisticated. It was installed by drive-by downloads, its content was encrypted, and it used several redundancy methods to ensure infection (automatic and, if that was not possible, social engineering). Some of the infrastructure used as C&C was the hxxp://manage.hummerlauncher.com domain, hxxp://cdn.sh-jxzx.com/z/u/apk, hxxp://fget.guangbom.com and hxxp://d2b7xycc4g1w1e.cloudfront.net.

And it gets worse. In early July, Check Point researchers attributed HummingBad to a "legitimate" advertising company called Yingmob, also responsible for the iOS malware called Yispecter, which took advantage of its enterprise certificate to install itself and was discovered in late 2015.

Hummer

Also in July, Cheetah Mobile wrote about a malware it called Hummer, a new threat different from GhostPush (its own name for Shedun, Kemoge, BrainTest, etc.). Although Cheetah Mobile does not explicitly say so, Hummer is HummingBad, as we can easily confirm with Tacyt: for example, it uses the same infrastructure and the same rooting file, called right_core.apk, which is sometimes embedded and sometimes downloaded.

[Image: A HummingBad/Hummer sample with some of the singular URLs used]

Shedun?

Lookout thinks differently. They claim HummingBad, or Hummer, is the same as Shedun, discovered in November 2015. It maintains Shedun is closely related to the BrainTest/GhostPush family, but it only describes the HummingBad malware as "not new" without any further technical details.

So, is this HummingBad/Shedun an evolution from the same cybercriminal group we connected in our previous report, or does it come from a different group? Let's take a look.

Our analysis

HummingBad, or Hummer, comes from a "legitimate" adware company called Yingmob which, for a while, had its "Hummer Launcher" app on Google Play. Google eventually removed the app in May 2015.

[Image: Hummer Launcher signed with the same certificate as some HummingBad samples]

As we determined using Tacyt, even the aggressive payloads are signed with the same certificate.

From our previous report in October, we saw some very specific behaviors that associated all the malware families. For example, the use of a few particular domains and the presence of some files inside the APK like "sys_channel.ng".

[Image: One of the particular domains shared by several samples analyzed in October]

[Image: One of the particular file names shared by several samples analyzed in October]

Our analyst team used Tacyt to conclude that there is strong evidence suggesting a relationship between several different reports from different security companies, and confirmed that some of the aggressive apps discovered were on Google Play in early 2015. The evidence suggested that these supposedly different families of malware may be just the same Chinese cybercriminals (because of the shared infrastructure, domains, topics, files, etc.) evolving the same idea: serving aggressive ads, rooting the devices, sending commands and installing new packages. We came to this conclusion because of several similarities that relate the families: domains, dates, permissions, names, certificates, resources, etc. The Chinese group started their activities maybe in late 2014, using the OPDA "brand" and trying to introduce malware on Google Play as well as legitimate apps. Later, they evolved new techniques, from Xinyinhe adware, which seems to be just a variant of Ghost Push, and Brain Test to Kemoge, all technically related in some way.

What about HummingBad?

Checking HummingBad's singularities, we determined that it uses a completely different infrastructure with little in common with our previous findings, even though it follows the same philosophy of rooting the device and silently installing apps. We can find no evidence about certificates, files, or any other hint that would help us tie both families together as we did before. Of course, we may simply not have found them.

For example, HummingBad mainly uses these domains: guangbom.com, hummerlauncher.com, hmapi.com, cscs100.com... They are not shared with previous Chinese families, except hmapi.com, which seems commonplace for adware and malware. All apps containing this particular domain on Google Play are eventually removed.

[Image: hmapi.com shared between several different aggressive adware or malware samples eventually removed]

As another example, HummingBad uses right_core.apk as a payload, which is either downloaded or embedded.

[Image: Searching for samples using a specific file downloaded or embedded]

With HummingBad we can only go back to early 2015 with "legitimate" adware samples. With the BrainTest family we can go back to 2014.

[Image: Signing date for all the samples we have labeled by our analysts as HummingBad]

Another point of interest is that Brain Test appears not to have been very interested in tracking its ads with UMENG (the popular Chinese platform), while HummingBad seems to use UMENG in many more samples. The keys do not match in any case.

[Image: Comparing keys between families]

Philosophy matches but the code, infrastructure, and "history" do not

Shedun and HummingBad seem to operate from the roots of "legitimate" Chinese companies (OPDA and Yingmob), and they may be related in other ways, but the owners, resources and developers appear different. So we can conclude a couple of insights: HummingBad is Hummer, but it does not seem to be Shedun/GhostPush/Brain Test itself. This is important, because it would mean cybercriminals are learning from each other. It is not just the same group evolving its own product. That is scary, since they will most likely improve technically to gain market share when they have "competitors".

Attribution is always a risky exercise for every researcher (including us), but we believe HummingBad is not an evolution but instead another new, dangerous rooting malware that was developed alongside previous malware (just as there are different ransomware or banking Trojan families with the exact same philosophy). And we also think this malware is here to claim its market share and stay for a while.
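The pivoting described in the analysis above (samples linked through shared C&C domains, embedded file names and signing certificates, with a commonplace indicator such as hmapi.com counting for very little) can be written out as a small clustering routine. This is an added example, not ElevenPaths code or Tacyt output: the sample ids, the certificate labels and the braintest-c2.example domain are constructed placeholders, while the other domains and file names are the ones named in the post.

```python
"""Indicator-overlap clustering of Android malware samples.

Added worked example (not ElevenPaths code or Tacyt output). Samples are
compared on the C&C domains they contact, the file names embedded in the APK
and the signing certificate. Indicators carried by almost every sample (the
post's hmapi.com case) are down-weighted so that one commonplace domain cannot
by itself tie two families together.
"""
import math
from collections import Counter
from itertools import combinations

# Constructed sample set. Sample ids and certificate labels are hypothetical;
# braintest-c2.example is a placeholder because the post does not name the
# BrainTest domains. The other domains and file names come from the post.
SAMPLES = {
    "hb-1": {"family": "HummingBad", "cert": "CERT-YINGMOB",
             "domains": {"hummerlauncher.com", "guangbom.com", "hmapi.com"},
             "files": {"right_core.apk"}},
    "hb-2": {"family": "HummingBad", "cert": "CERT-YINGMOB",
             "domains": {"cscs100.com", "guangbom.com"},
             "files": {"right_core.apk"}},
    "hummer-1": {"family": "Hummer", "cert": "CERT-YINGMOB",
                 "domains": {"hummerlauncher.com", "hmapi.com"},
                 "files": {"right_core.apk"}},
    "bt-1": {"family": "BrainTest", "cert": "CERT-OPDA",
             "domains": {"braintest-c2.example", "hmapi.com"},
             "files": {"sys_channel.ng"}},
    "bt-2": {"family": "BrainTest", "cert": "CERT-OPDA",
             "domains": {"braintest-c2.example", "hmapi.com"},
             "files": {"sys_channel.ng"}},
    "adware-1": {"family": "OtherAdware", "cert": "CERT-OTHER",
                 "domains": {"hmapi.com"}, "files": set()},
}


def indicators(sample):
    """Flatten one sample's metadata into typed (kind, value) indicators."""
    out = {("cert", sample["cert"])}
    out |= {("domain", d) for d in sample["domains"]}
    out |= {("file", f) for f in sample["files"]}
    return out


def indicator_weights(samples):
    """IDF-style weight: log(N / number of samples carrying the indicator).

    An indicator present in every sample weighs 0; one seen once weighs log(N).
    """
    n = len(samples)
    prevalence = Counter()
    for s in samples.values():
        prevalence.update(indicators(s))
    return {ind: math.log(n / count) for ind, count in prevalence.items()}


def similarity(a, b, weights):
    """Sum of the weights of the indicators two samples share."""
    return sum(weights[i] for i in indicators(a) & indicators(b))


def cluster_samples(samples, threshold):
    """Single-linkage clustering: join two samples when similarity >= threshold."""
    parent = {sid: sid for sid in samples}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    weights = indicator_weights(samples)
    for x, y in combinations(samples, 2):
        if similarity(samples[x], samples[y], weights) >= threshold:
            parent[find(x)] = find(y)
    groups = {}
    for sid in samples:
        groups.setdefault(find(sid), set()).add(sid)
    return sorted((frozenset(g) for g in groups.values()), key=len, reverse=True)


def shared_between_families(samples, fam_a, fam_b):
    """Indicators seen in at least one sample of each family, with their weights."""
    weights = indicator_weights(samples)
    ind_a = set().union(*(indicators(s) for s in samples.values() if s["family"] == fam_a))
    ind_b = set().union(*(indicators(s) for s in samples.values() if s["family"] == fam_b))
    return {i: round(weights[i], 3) for i in ind_a & ind_b}


if __name__ == "__main__":
    for group in cluster_samples(SAMPLES, threshold=1.0):
        print(sorted(group))
    print("HummingBad/Hummer share:", shared_between_families(SAMPLES, "HummingBad", "Hummer"))
    print("HummingBad/BrainTest share:", shared_between_families(SAMPLES, "HummingBad", "BrainTest"))
```

With the threshold set to 1.0, the HummingBad and Hummer samples fall into one cluster (same certificate, same right_core.apk payload, same launcher domain), the two BrainTest samples form a second, and the generic adware sample stays alone: its only link to either group is hmapi.com, which is present in five of the six samples and therefore weighs far less than a single rare domain. The threshold and the IDF weighting are the analyst's judgement calls, and a real investigation would also compare signing dates and permission sets, as the post does.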