An exclusive look into the Toronto C3X cybersecurity competition

Comodo Cybersecurity

As an active member of Toronto’s cybersecurity community, I was honored that RedBlack Cybersecurity founders Lee Kagan and Ben Wells invited me to be a mentor for this year’s C3X competition, which involves students from multiple Toronto colleges. RedBlack describes C3X as

“The Canadian Collegiate Cyber Exercise (C3X) is designed to develop, broaden and enhance the skills base of the next generation of Cyber Security and ICT professionals.

The concept in brief: The students were tasked with defending a ‘simulated’ corporate network from intrusion and exploitation by a red team comprised of cyber security pros with a sophisticated skillset.

The students needed to learn to be organized, develop a strategy to combat the intrusion, and communicate with each other and the management team.

There are a variety of goals for C3X – amongst them are helping students connect a technical threat to business impact, cope with the time sensitive nature of an unexpected threat and effectively communicate the needs of the defensive team – while staying in line with company capability, culture and industry standards.”


This year’s event took place at George Brown College between October 22nd and the 24th. There were red teams, blue teams, and white teams playing offensive and defensive roles. I helped out the white team. Honestly, I spent a lot of time waiting around and watching the white team and blue team do their work. But when a few blue team members needed to find useful information in their Active Directory logs coinciding with a cyberattack, I came to their aid. How do you weed out the true positives from the false ones? I got the students to narrow down a possible time range for the attack incident. I told them that if they had log analysis tools and a SIEM, they wouldn’t have to sort through their logs manually. It’s tedious work but the students put a lot of effort into being careful and thorough.
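Narrowing the logs to a time window and then looking for a pattern inside it is the part of this triage that tooling automates. The following is an added example, not code from the article or from C3X, showing that narrowing done in Python over a constructed CSV export of Windows Security events (event ID 4625 for failed and 4624 for successful logons). The column names and the sample rows are this example’s own assumptions; a real export from Get-WinEvent or a SIEM would need its columns mapped onto them.

```python
"""Added example (not from the article or C3X): time-boxed triage of Windows
Security events. Assumes a CSV export with the columns TimeCreated, EventID,
Account, SourceIP and LogonType; the rows below are constructed."""

import csv
import io
from collections import Counter, defaultdict
from datetime import datetime

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample export. The burst of 4625 (failed logon) events from one
# source followed by a 4624 (successful logon) for the same account is the
# pattern worth surfacing; the jdoe failure at 10:05:30 is ordinary noise.
SAMPLE_CSV = """TimeCreated,EventID,Account,SourceIP,LogonType
2018-10-23 09:58:10,4624,jdoe,10.0.1.15,2
2018-10-23 10:02:01,4625,svc_backup,10.0.9.77,3
2018-10-23 10:02:02,4625,svc_backup,10.0.9.77,3
2018-10-23 10:02:03,4625,svc_backup,10.0.9.77,3
2018-10-23 10:02:04,4625,svc_backup,10.0.9.77,3
2018-10-23 10:02:06,4624,svc_backup,10.0.9.77,3
2018-10-23 10:05:30,4625,jdoe,10.0.1.15,2
2018-10-23 14:40:00,4625,admin,10.0.9.77,3
"""


def parse_events(text):
    """Parse the CSV export into dicts with typed TimeCreated and EventID."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        row["TimeCreated"] = datetime.strptime(row["TimeCreated"], FMT)
        row["EventID"] = int(row["EventID"])
        events.append(row)
    return events


def in_window(events, start, end):
    """Keep only events inside the [start, end] window (inclusive)."""
    return [e for e in events if start <= e["TimeCreated"] <= end]


def bruteforce_then_success(events, min_failures=3, span_seconds=60):
    """Return (account, source) pairs with at least min_failures 4625 events
    followed within span_seconds by a 4624 from the same account and source."""
    by_pair = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev["TimeCreated"]):
        by_pair[(e["Account"], e["SourceIP"])].append(e)
    hits = []
    for pair, evs in by_pair.items():
        failures = []
        for e in evs:
            if e["EventID"] == 4625:
                failures.append(e["TimeCreated"])
            elif e["EventID"] == 4624:
                recent = [t for t in failures
                          if (e["TimeCreated"] - t).total_seconds() <= span_seconds]
                if len(recent) >= min_failures:
                    hits.append(pair)
                    break
    return hits


def triage(text, start, end):
    """Summarise the events in a window: volume, failures per source, and
    the brute-force-then-success pairs that deserve a closer look."""
    events = in_window(parse_events(text),
                       datetime.strptime(start, FMT), datetime.strptime(end, FMT))
    failures = Counter(e["SourceIP"] for e in events if e["EventID"] == 4625)
    return {
        "events_in_window": len(events),
        "failures_by_source": dict(failures),
        "suspicious": bruteforce_then_success(events),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_CSV, "2018-10-23 10:00:00", "2018-10-23 10:10:00"))
```

The window comes first for a reason: the same burst-then-success pair over a whole day of logs would be buried under every service account that retries after a password rotation, while inside the ten minutes around the incident it stands out on its own.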

I asked RedBlack’s Ben Wells why they had launched C3X.

“There were a variety of reasons we started C3X. Events like CDX and CCDC in the United States were not matched by similar events north of the border. There didn’t seem to be a lot of excitement or cachet to cyber here. The market here is dominated by a few large players who’ve eroded the value of pen testing and security in general by commoditizing it.

We also heard, through a plethora of channels, both professional and academic, that keeping the cyber curriculum current was immensely challenging because the market and the threats therein move far faster than the committees could augment class material to meet those requirements. C3X provides a mechanism for the teaching of applied, practical and modern topics that can’t be deployed to classrooms quickly enough.”

I also asked RedBlack’s Lee Kagan about the inspiration behind C3X.

“C3X came originally to me as an idea to start something in Toronto (and eventually for Canada) that would have a similar feel to CCDC and CDX in the US. There are CTFs (capture the flag competitions) all over the place, and while they’re great for what they can teach, there isn’t really anything for us, and specifically for students, that simulates an aggressor targeting an organization that they may have to defend. Plus, we needed to design it into a pressure cooker form with time constraints, limited time and so on.

I also noticed a gap in education. Students involved in infosec courses don’t really get exposed to red versus blue scenarios. Plus there’s the option to put it all to the test before they join the workforce, where they are then expected to be able to do it. Most organizations are Windows environments, and most certainly involve Active Directory. So we tailor the network and systems to revolve around that. The gap was when I would hear things like ‘well, students don’t really get exposure very often to that stuff so this will be too hard on them.’ Ironically, I would then hear things all the time like ‘these co-op or junior SOC (security operations center) analysts know nothing about investigating Active Directory or reading Windows Event Logs.’ See the problem? It’s a damned if they do, damned if they don’t type of situation. So we built it.”

Lee also elaborated on the birth of C3X.

“In the early days of RedBlack we had some very small events and workshops we held for ‘non-techie, non-security’ folks where they could come ask us questions about hacking and cybersecurity. This was more of a community project to help raise education and inform families about staying safe. Ben Wells, from our company, also has a lot of experience in event planning from other times in his career.

Combined with running a business, being people who attend lots of events and having so many friends who have experience with event organization made it a far easier task than it would have been without all of that.

For me personally, I tried to attack it like a red team! Just adapt to the situations and problems as they come up, and lean on others for help when I’m not equipped to handle it.”

Student Laura Harris worked on the blue team. Her involvement began with an invitation to a war room.

“Initially, we were told about the opportunity to get involved in a blue team/red team war room during one of our classes. Many students, including myself, decided to jump on this opportunity and sign up. It is extremely rare to experience defending against an advanced adversary and gain real-world experience only obtainable through exposure in the workplace and not the classroom. I believe my team and I walked away with valuable skills and knowledge that we can now apply in the future. I am looking forward to seeing what the next C3X has to offer, and possibly playing some tricks back on the red team.”

“The experience overall was much more challenging than expected. I think we all went in with a mindset that we would have a lot more guidance. In actuality, however, we had to implement a lot of security controls from the start that were not done until later in the day, along with exploring other tools and tactics outside the ones that were provided to us.”

Laura’s entry into cybersecurity was almost accidental.

“Well, to be completely honest, when I started my undergrad I was actually going to school to become a radiologist, but I very quickly realized that the sciences were not something I wanted to do for the rest of my life. I think I decided to take a few IT courses and get involved in my cybersecurity club, which very frequently participated in CTFs. I think from there I developed a love for the field and the challenges and tools that came with it. To this day I can say I would never look back or regret the decision to change my career path.”

What has Laura learned about cybersecurity so far?

“Hmm, that’s a good question. I would probably say that security is a continuous learning path. You will never stop learning, especially because there is always a new kind of threat being created, and tools and strategies that as a security professional you will have to keep up with, especially if you want to be competent in the industry.”

“I would recommend every student wanting to get into security to get involved as much as possible with events like these and CTFs, both online and on site, to improve their skills. Definitely don’t be discouraged when things don’t go perfectly the first time around.”

I’m excited about C3X in 2019! I will probably get involved again in some capacity. It’s really exciting to observe the developing skills of our next generation of cybersecurity professionals.


A Poisoned Gift for Thanksgiving Day: Emotet Comes in a New Disguise to Break into Your Bank Account


Cybercriminals are fond of celebration dates like Thanksgiving Day, but not for the same reason upstanding people are. For the perpetrators it is a favorite time to attack. Why? Because on such days people are tuned to pleasant, good thoughts and feelings. Unfortunately, that makes them more vulnerable. When they see a greeting in their inbox they feel gratitude and curiosity (who sent it?) and click on the attached file without thinking about the potential danger.

On the eve of this Thanksgiving, Comodo specialists intercepted a cunning attack aimed at spreading one of the most nefarious malware families currently active: the Emotet trojan, usually used to steal banking credentials and other private information.

Usually this malware spreads mostly as finance-related email, such as a message from a bank. Here is an example of such an email intercepted by Comodo.

[Image: Bill-Pay-Alert]

As you can see, the attackers used a well-prepared fake able to deceive even a security-aware user. The link in the email leads to the URL “rozdroza.com/En_us/Clients_Messages/11_18”. If a user clicks the link, the poisoned Microsoft Office document is dropped onto her machine.

But on the eve of Thanksgiving the perpetrators decided to do something special and disguised the infected file as a greeting card. Below are samples of the phishing emails used in the new attack.

[Image: Thanksgivingday-congradulation]

[Image: Thanksgivingday-Greeting_Card]

As you can see, these emails are also carefully worked out to look plausible. Their content differs, but in every case it is built to inspire pleasant, warm emotions in the victim. Be it a hearty greeting, admiration from a colleague or even a piece of poetry, it puts the victim in a good mood and so weakens their vigilance.

The quotations from great people at the bottom of the messages are also used to inspire trust, raising the chance that the victim will open the document and let the enemy into the house. In reality, the “greeting card” is a Word document carrying a macro that installs Emotet.

Let’s look at the whole kill chain of this cunning malware.

The infected file has an embedded macro. When the user opens the “greeting card”, the macro downloads Emotet onto the victim’s machine.

First, the user is instructed to enable macro content, as the document contains a VBA stream designed to download and execute the malware.

[Image: Office-365]

[Image: Auto-Open]

If the user allows the active content to run, the code calls cmd.exe with modified parameters; that cmd.exe in turn calls another cmd.exe with obfuscated parameters, which finally passes a script to powershell.exe designed to download and run binaries from the internet.

The obfuscated parameters used to launch cmd.exe are stored in a text box control inside the document, resized so that the victim does not notice it.

[Image: Command-Box]

[Image: Explorer-window]

After that, the script tries five locations in turn to download Emotet: anora71.uz/aH3i9EM, egyptmotours.com/EfRRkqPucD, friskyeliquid.com/xspcYyA63, m3produtora.com/QOlBVnrL40 and litsey4.ru/V5XLXxDubY.

It downloads the malware to the user’s Temp folder and executes it. Emotet then moves itself to C:\Windows\SysWOW64\cachingplain.exe and creates a service so that it runs at every system startup.

[Image: Parameters]

[Image: Create-Service]

The newly created service connects to the C&C server to announce that the bot is available and to receive commands.

From this moment the infected machine is under the attackers’ full control. They can extract the user’s credentials, banking details and other private information from the PC and continue the attack by downloading other types of malware.
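The chain described above leaves two things in host telemetry that a defender can alert on without knowing the download URLs in advance: an Office process with cmd.exe or powershell.exe among its descendants, and a freshly installed service that was not in the machine’s baseline. The following is an added example, not code from the article, showing both checks in Python over constructed Sysmon-style process-creation records (Event ID 1 fields) and a constructed System log 7045 service-install record. The field names, the sample events, the download-cradle keyword list and the service baseline are this example’s own assumptions.

```python
"""Added example (not from the article): detection logic for two observable
stages of the chain above, over constructed Sysmon-style process-creation
records (Event ID 1 fields) and a constructed System log 7045 record."""

import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Fragments typical of PowerShell download-and-run cradles (assumed list).
CRADLE = re.compile(
    r"(DownloadFile|DownloadString|Net\.WebClient|Invoke-WebRequest|"
    r"\bIEX\b|Invoke-Expression|-enc(?:odedcommand)?\b|Start-Process)",
    re.IGNORECASE,
)

# Constructed sample: Word spawns cmd, cmd spawns cmd, cmd spawns powershell
# with an encoded command, plus an unrelated PowerShell launch from Explorer.
PROCESS_EVENTS = [
    {"ProcessId": 100, "ParentProcessId": 1, "Image": r"C:\Windows\explorer.exe",
     "CommandLine": "explorer.exe"},
    {"ProcessId": 200, "ParentProcessId": 100,
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": '"WINWORD.EXE" /n Greeting_Card.doc'},
    {"ProcessId": 300, "ParentProcessId": 200, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c set xq=cmd /V /C & call %xq%"},
    {"ProcessId": 400, "ParentProcessId": 300, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'cmd /V /C "set a=p&& set b=owershell&& call %a%%b% -noP -w hidden"'},
    {"ProcessId": 500, "ParentProcessId": 400,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -noP -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"ProcessId": 600, "ParentProcessId": 100,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -File C:\Scripts\inventory.ps1"},
]

SERVICE_EVENTS = [
    {"EventID": 7045, "ServiceName": "cachingplain",
     "ImagePath": r"C:\Windows\SysWOW64\cachingplain.exe"},
    {"EventID": 7045, "ServiceName": "Sense",
     "ImagePath": r"C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe"},
]
# Constructed baseline: service names captured from a known-good build.
SERVICE_BASELINE = {"Sense", "WinDefend", "Spooler", "wuauserv", "BITS"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(events, pid):
    """Image basenames from pid up to the root, nearest first."""
    by_pid = {e["ProcessId"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid]["Image"]))
        pid = by_pid[pid]["ParentProcessId"]
    return chain


def office_spawned_shells(events):
    """Flag shell/script hosts with an Office application anywhere in their
    ancestry, and note whether the command line looks like a download cradle."""
    hits = []
    for e in events:
        if basename(e["Image"]) not in SHELLS:
            continue
        chain = ancestry(events, e["ProcessId"])
        if any(p in OFFICE_APPS for p in chain[1:]):
            hits.append({"pid": e["ProcessId"],
                         "chain": " <- ".join(chain),
                         "cradle": bool(CRADLE.search(e["CommandLine"]))})
    return hits


def new_services(events, baseline):
    """Flag 7045 installs whose service name was not in the baseline."""
    return [(e["ServiceName"], e["ImagePath"]) for e in events
            if e["EventID"] == 7045 and e["ServiceName"] not in baseline]


if __name__ == "__main__":
    for hit in office_spawned_shells(PROCESS_EVENTS):
        print(hit)
    print(new_services(SERVICE_EVENTS, SERVICE_BASELINE))
```

Walking the ancestry rather than only the direct parent matters here: the powershell.exe in the sample is two cmd.exe hops away from WINWORD.EXE, so a rule that only checks ParentImage would miss exactly the double-cmd indirection this document uses. The service check is deliberately a baseline diff rather than a path rule, because the dropped binary sits in SysWOW64 next to legitimate system files.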

[Image: Frame-Summary]

“The attack is a complicated, poisoned merge of refined, well-disguised malware and psychological manipulation tricks,” says Fatih Orhan, Head of Comodo Threat Research Labs. “It’s not only dangerous and destructive from the technical point of view but especially cynical and immoral because it exploits people’s bright feelings on a grand holiday. It’s always bad to be robbed, but it’s much worse to be robbed on such a great holiday and to know that the perpetrators used your own bright feelings against you. I’m really glad we protected our customers from these painful consequences and didn’t let the perpetrators spoil the celebration of such a grand day.”

 

The heatmap and details of the attack

The attack started on November 19, 2018 at 18:34:12 and was still under way at the time of writing. It was conducted from 26 IPs in 10 countries. 108 phishing emails have been discovered so far, and the attack is expected to peak on Thanksgiving Day.

 

The countries involved in the attack and the number of emails sent per country

[Table image: table-data]

The heatmap

[Image: Map-Locations]

Live secure with Comodo!

Comodo Wishes You all Thanksgiving Day 2018: Secure Shopping Tips to Stay Protected Against Internet Scammers!


Thanksgiving is a cultural holiday that signifies peace, thankfulness and the beginning of the festive season. In 1789 President George Washington declared a day in late November one of public thanksgiving and prayer. However, it was not until 1863, during the Civil War, that President Abraham Lincoln proclaimed Thanksgiving a national holiday to be celebrated by everyone in the country.

There is a lot of trust, happiness and love shared around in this season. Gift-giving plays a major role in spreading joy to millions. Apart from the gifts, arguably the vital ingredient of the day, the holiday is the cherished time of year when people across the country come together, with friends or family, to celebrate what they are thankful for.

Besides that, Thanksgiving kicks off the Black Friday shopping extravaganza early, online at just about every major retailer in the nation. On this Thanksgiving Day, Thursday, 22 November 2018, sales at brick-and-mortar stores are scheduled to start at 6 p.m. at Walmart and 5 p.m. at Best Buy and Target. Yup, that’s earlier than many families even serve up their pumpkin pie!

However, this year a number of retailers, including BJ’s Wholesale Club, Sam’s Club and Costco, have decided to remain closed on Thanksgiving.

Black Friday earned its nickname because it was seen as the day of the year when retailers became profitable, or went “in the black.” About a decade ago sales gradually began creeping into Thanksgiving itself, and by 2011 every major retailer was open on the fourth Thursday in November. This year, despite public outcry and shoppers threatening a boycott, opening times have moved even earlier.

With so much happening, Thanksgiving is a profitable time for online shopping sites too, and notorious online scammers, fraudsters and criminals are waiting to grab their share illegally. There are a few things you need to do to steer clear of them this Thanksgiving season. Follow the tips below to avoid the online dangers.

Be safe online:

First and foremost, stay safe online: look for the small lock icon in the address bar and the extra “s” in https (the “s” stands for secure). Keep in mind that the lock only means the connection to the site is encrypted; look-alike sites that mimic famous brands can show it too, so read the domain name itself carefully and don’t fall prey to imitations.

Use your Credit Cards:

That’s right: use a credit card rather than a debit card for online purchases, as it carries stronger fraud protection.

Update Your Anti-Virus Software:

Make sure your antivirus software is up to date, and avoid clicking links in unsolicited email and social media messages. Try downloading Comodo Free Antivirus. Comodo Antivirus provides multi-layered malware removal and protection to keep your system safe.

Mobile Security:

Most of us now use mobile devices to shop online, so it is vital to keep the device itself secure. Make sure it is running the latest version of its operating system and apps, so that known holes are patched. When installing apps, check that the access each one requests to your information is appropriate for what it does.

Email Phishing:

During the Thanksgiving season scammers are out in full force, since plenty of promotional emails are sent over the holidays. At all costs avoid clicking links from senders you don’t recognize, and hover the mouse over a link without clicking to check whether the address really leads where the text says it does.
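The hover check can be automated for a whole message. The following is an added example, not from the article: Python that parses the anchors in a constructed promotional email, compares the host shown in the link text with the host the href actually goes to, and also flags punycode (xn--) and bare-IP targets. The sample HTML, including its punycode label, is constructed, and the two-label “registered domain” heuristic is a simplification (a production check should use the public suffix list, since e.g. co.uk is not itself a registrable domain).

```python
"""Added example (not from the article): the "hover over the link" check done
over a whole message. Sample HTML (including the punycode label) is
constructed; the two-label registered-domain heuristic is a simplification."""

import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


# Text that itself looks like a URL or domain, so the reader expects the link
# to go there.
DOMAIN_LIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.IGNORECASE)
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def host_of(s):
    """Hostname from a URL, or from bare text such as 'example.com/path'."""
    s = s.strip()
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()


def registered_domain(host):
    """Last two labels (simplification: no public suffix list)."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:])


def inspect_links(html):
    """Return one finding per anchor with the reasons it looks deceptive."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = host_of(href)
        reasons = []
        if target.startswith("xn--") or ".xn--" in target:
            reasons.append("punycode host")
        if IPV4.fullmatch(target):
            reasons.append("ip-address host")
        if DOMAIN_LIKE.match(text):
            shown = host_of(text)
            if registered_domain(shown) != registered_domain(target):
                reasons.append(f"text shows {shown} but link goes to {target}")
        findings.append({"text": text, "href": href, "reasons": reasons})
    return findings


# Constructed promotional mail: one honest link and three deceptive ones.
SAMPLE_HTML = """
<p>Our Thanksgiving deals are live!</p>
<a href="https://www.example-store.com/deals">Shop deals</a>
<a href="http://login.example-store.com.verify-account.example.net/">https://www.example-store.com/account</a>
<a href="http://xn--exmple-store-0nb.com/">example-store.com</a>
<a href="http://203.0.113.9/track">Track your order</a>
"""

if __name__ == "__main__":
    for f in inspect_links(SAMPLE_HTML):
        print(f["text"], "->", f["href"], f["reasons"] or "ok")
```

The second link is the classic trick the hover is meant to catch: the real brand name appears as the first labels of the host, but the registrable domain at the end is the attacker’s. Comparing the registered domains, not the full strings, is what makes that visible.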

Public Wi-Fi

Public Wi-Fi is open to fraudsters who aim to steal personal information. When using public Wi-Fi in stores or restaurants, avoid apps that handle your sensitive personal data, especially banking apps.

Internet Security

Black Friday is well known for “door-busting” sales, and this is when online fraudsters target unwary users. When an unauthorized user gains access to your computer, email account or website, they may implant viruses or other malware to harvest your personal information, damage data or make your systems vulnerable to further threats. Installing the Comodo free antivirus software is recommended to stay safe from such online attacks. Try downloading it now.

Website owners can install Comodo cWatch, one of the leading website security products today, which detects and removes web security threats, including DDoS attacks, and also improves the speed of your website. With powerful cloud-based malware scanning and a “Default Deny” approach, Comodo cWatch will go beyond your expectations. Try cWatch today!


Visited An Adult Website? Then You Are In Danger Now!


If the headline above frightened or at least alarmed you, you really could fall prey to this cybercrime, because it is a bit different from the others. While perpetrators usually target a vulnerability in your PC, this attack targets vulnerabilities of your mind. Although the crooks use no malware at all, it lets them empty the pockets of thousands of victims. Many users have already fallen prey to this cybercrime, a combination of scam, porn, blackmail and cyber technology.

Here is the freshest example.

Comodo specialists detected 9,382 malicious emails sent to potential victims. The crooks used an impressive 8,590 IPs to spread them, a telling sign of the massive scope of the attack.

What was inside these criminal emails?

Just a message. But this message made thousands of people open their wallets for the crooks’ benefit.

[Image: Criminal Emails]

The message begins with a stunning statement (spelling is kept):
“I do know hafizah is your passphrase. Lets get right to the point. You do not know me and you are most likely thinking why you are getting this e-mail? Not one person has compensated me to investigate about you.

actually, I setup a malware on the xxx videos (sex sites) site and do you know what, you visited this website to experience fun (you know what I mean). When you were watching video clips, your internet browser started out functioning as a RDP that has a key logger which gave me access to your screen and web camera. Immediately after that, my software obtained your complete contacts from your Messenger, Facebook, as well as emailaccount. After that I created a double video. 1st part shows the video you were watching (you have a good taste haha . . .), and 2nd part displays the recording of your web cam, & it is you.

You got two alternatives. Lets study these options in details:

Very first solution is to ignore this email message. In that case, I most certainly will send out your actual tape to almost all of your contacts and also visualize regarding the awkwardness you will get. Not to mention if you are in an affair, just how it will certainly affect?

Next choice would be to pay me $4000. Lets think of it as a donation. Then, I most certainly will straightaway delete your video footage. You could continue your life like this never took place and you never will hear back again from me.

You’ll make the payment through Bitcoin (if you do not know this, search for “how to buy bitcoin” in Google).

BTC Address: 13JtJDtepN4MARpKbDrWADpd592seKW1kj

[CASE SENSITIVE copy & paste it]

In case you are thinking about going to the cops, okay, this email cannot be traced back to me. I have taken care of my actions. I am also not attempting to ask you for much, I simply prefer to be paid.

You now have one day to make the payment. I’ve a specific pixel within this mail, and at this moment I know that you have read through this email message. If I don’t get the BitCoins, I will definately send your video recording to all of your contacts including family members, coworkers, and many others. However, if I receive the payment, I’ll destroy the video immediately. If you want proof, reply Yea! then I will certainly send out your video to your 11 friends. This is a nonnegotiable offer, and thus do not waste my personal time & yours by responding to this email message”.

Looks frightening, doesn’t it? And no wonder: they state your real password right at the beginning, so they must really have hacked you, right? What’s more, they describe in detail exactly how they hacked you. They “setup a malware on the xxx videos (sex sites)” and turned your internet browser into an “RDP that has a key logger which gave me access to your screen and web camera”. And they even have all your “contacts from your Messenger, Facebook, as well as email account”.

So it seems it’s not a hoax. They really can send this terrible video to all your friends… your coworkers… your boss… your lover… You break into a cold sweat, your heart starts racing, you’re short of breath. You feverishly try to prevent this horror, and the only way out seems to be to pay the attacker. So you rush to google how to pay in Bitcoin and…

Stop! You can relax. All of this is nonsense. Nobody has implanted malware in “xxx videos”. Your browser has never turned into an “RDP that has a keylogger” (what rubbish, by the way!). And nobody has stolen your contacts.

But… what about the password? How did they know it if they didn’t hack you?

Most likely they found it in a database dump bought on the darknet. There are plenty of such dumps, derived from databases that cybercriminals have breached. For example, you may once have used the password to sign in to an online shop; later the shop’s database was hacked and sold on the darknet. Note that if you reused that password anywhere else, those accounts are exposed as well.

So you’re not under threat?

No. All you need to do is delete the email and change the exposed password wherever you still use it. Oh, and you can laugh at your worries.

This email is just a scam that exploits your emotions. By manipulating feelings of guilt, shame and fear it makes victims open their wallets. The text uses practised psychological tricks to manipulate readers, so many people find its influence hard to resist. That’s why, although it is a soap bubble from the technical point of view, it should be taken as a serious threat. And no doubt many more cybercriminals will use it in the near future.

Interestingly, the scam emails intercepted by Comodo technologies were sent from different domains. The first was yahoo.jp; the others came from a range of addresses formed by the pattern “smith” + a number from 1 to 999 + “.edu”. A similar pattern was used in the addresses on the yahoo.jp domain. It is easier to understand by seeing than by reading, so have a look at the picture below:

[Image: email id]

Although all the emails use the name “Aaron Smith”, the content differs slightly from message to message. Here are two other examples.

[Image: Aaron Smith email]

[Image: Aaron Smith spam email]

As you can see, the discrepancies are not significant: a few words and phrases change. For example, “if you are making plans for going to the police” becomes “in case you are thinking about going to the cops”, and so on. These changes do not alter the meaning of the message and are obviously intended to bypass security filters. Another distinction is the use of different Bitcoin wallet addresses. The aim is obviously to avoid putting all eggs in one basket: if one wallet is blocked, the others continue collecting criminal profit. Along with the crafted text and the wide range of attacking IPs, it is one more sign that the attack was prepared carefully.
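A mail filter for this campaign can key on exactly the traits just described: the smith<1-999> sender pattern, the extortion vocabulary, and the presence of a Bitcoin address (validated with Base58Check, so that a base58-looking token in an ordinary order confirmation does not trigger it). The following is an added example, not code from the article: Python that scores constructed sample messages on those traits and collects the wallets used across the flagged ones. The sender regex (extended to cover the yahoo.jp addresses), the term list, the score threshold and the sample texts are this example’s own choices; the only address in the samples is the well-known Bitcoin genesis-block address, used purely as a syntactically valid placeholder.

```python
"""Added example (not from the article): a scoring filter for this sextortion
campaign. Sender regex, term list, threshold and sample messages are this
example's own assumptions; the only address used is the well-known Bitcoin
genesis-block address, as a syntactically valid placeholder."""

import hashlib
import re

# "smith" + 1..999 at a .edu host, extended (assumption) to the yahoo.jp
# addresses the article says followed a similar pattern.
SENDER = re.compile(r"^smith[1-9]\d{0,2}@(?:[^@\s]+\.edu|yahoo\.jp)$", re.IGNORECASE)
# Loose syntactic match for legacy (P2PKH/P2SH) Bitcoin addresses.
BTC_CANDIDATE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")
EXTORTION_TERMS = ("passphrase", "password", "web cam", "webcam", "your contacts",
                   "bitcoin", "video", "rdp", "key logger", "keylogger")
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def base58check_ok(addr):
    """True if addr decodes to 25 bytes whose last 4 are the first 4 bytes of
    SHA256(SHA256(first 21 bytes)), i.e. a well-formed legacy address."""
    n = 0
    for ch in addr:
        if ch not in B58:
            return False
        n = n * 58 + B58.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    raw = b"\x00" * (len(addr) - len(addr.lstrip("1"))) + body
    if len(raw) != 25:
        return False
    payload, checksum = raw[:21], raw[21:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def analyze(msg):
    """Score one message on sender pattern, validated wallet and vocabulary."""
    sender_hit = bool(SENDER.match(msg["from"]))
    text = (msg["subject"] + " " + msg["body"]).lower()
    terms = [t for t in EXTORTION_TERMS if t in text]
    wallets = sorted({c for c in BTC_CANDIDATE.findall(msg["body"]) if base58check_ok(c)})
    score = len(terms) + (3 if wallets else 0) + (3 if sender_hit else 0)
    return {"sender_pattern": sender_hit, "terms": terms, "wallets": wallets,
            "score": score, "verdict": "sextortion" if score >= 6 else "clean"}


def campaign_wallets(messages):
    """Distinct wallets across messages judged to be sextortion."""
    found = set()
    for m in messages:
        r = analyze(m)
        if r["verdict"] == "sextortion":
            found.update(r["wallets"])
    return sorted(found)


GENESIS = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"
# Constructed sample messages: two variants of the scam, then two legitimate
# mails that share some vocabulary or contain a base58-looking token.
MESSAGES = [
    {"from": "smith417@example.edu", "subject": "hafizah",
     "body": "I do know hafizah is your passphrase. My malware on the xxx site turned your "
             "browser into a RDP with a key logger and recorded your web cam. Pay $4000 in "
             "Bitcoin to " + GENESIS + " within one day or the video goes to your contacts."},
    {"from": "smith9@yahoo.jp", "subject": "your password",
     "body": "Your password is known to me. I recorded your webcam while you watched the "
             "video. Send bitcoin to " + GENESIS + ". If you are making plans for going "
             "to the police, this email cannot be traced."},
    {"from": "helpdesk@example.edu", "subject": "Password expiry",
     "body": "Your password expires in 3 days. Reset it at the campus portal."},
    {"from": "orders@shop.example", "subject": "Order shipped",
     "body": "Order ref " + GENESIS[:-1] + "b has shipped. Watch the unboxing video online."},
]

if __name__ == "__main__":
    for m in MESSAGES:
        print(m["from"], analyze(m))
    print(campaign_wallets(MESSAGES))
```

The wallet list returned by campaign_wallets is the operationally useful output: it is what lets a responder track payments to the campaign and see the “several baskets” strategy across the variants, and the checksum step keeps the fourth sample (one character off a real address) out of that list.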

The details of the attack

The attack started on October 09, 2018 at 7:31:36 UTC and ended on October 26, 2018 at 12:09:30 UTC. The emails were sent in small batches from 8,590 IPs in 159 countries around the world.

The top 5 countries involved in the attack and the number of the emails sent from each country.

[Table image: top 5 countries]

The heatmap of the attack

[Image: heatmap]

“This attack clearly shows that the sophistication of cyber fraud is growing just as that of malware-based cyberattacks is,” says Fatih Orhan, the Head of Comodo Threat Research Labs. “In the past we were used to thinking that a scam on the Internet was something like the Nigerian scam, easily detectable by any reasonable person and not to be taken too seriously. However, this case is much harder. Actually, the criminals’ message can be compared to a trojan for human minds. The scammers play on people’s fear of cybercriminals: the description of how they ‘hacked’ the victims looks very plausible, because it is very similar to what people read in the media or see on TV about malicious hackers. This plausibility helps bypass victims’ critical thinking. And like a real trojan, this psychological malware takes control of a victim’s mind and makes her pay the crooks. I’m glad that Comodo technologies helped secure thousands of people from this dangerous scam.”

Live secure with Comodo!

Viro Botnet Malware Takes Many Different Forms


The latest and strangest new ransomware appears to come from France, or at least from French-speaking attackers.

If your Windows PC has been successfully infected by the brand new Viro botnet ransomware, you will see this ransom note no matter where in le monde you are. Tout le monde is a possible target:

[Image: Viro ransom note]

Vos fichiers personnels ont été chiffré.

Pour les déchiffrer, evonyez 500€ de bitcoins à cette adresse: xxxxx

Toute tentative de destruction de ce logiciel entraïnera la destruction da la clé de déchiffrement.

Toute tentative de déchiffrement avec une clé erronée entraïnera la perte définitive de vos fichiers.

Vous avez 72 heures pour effectuer le paiement. Après quoi, la clé de déchiffrement sera supprimée.

I understand French seulement un peu, so I’ll attempt an imperfect translation. I learned that les fichiers are files and chiffré means encrypted, so let’s give it a go:

Your personal files have been encrypted.

To decrypt them, send €500 worth of Bitcoin to this address: xxxxx

Any attempt to destroy this software will lead to the destruction of the decryption key.

Any attempt to decrypt with a wrong key will lead to the permanent loss of your files.

You have 72 hours to make the payment. After that, the decryption key will be deleted.

Contrary to popular belief, most Canadians aren’t English-French bilingual, and although my French is a little better than most Anglo Canadians, it’s still a bit weak. Oh well – c’est la vie.

Ransomware incidents are becoming somewhat less frequent in 2018 than they were in 2017, but many new ransomware strains are getting really, really weird. Viro botnet malware is an excellent example.

The Viro botnet attacks seen so far infect a user’s Windows machine through a malicious email attachment. If the user executes the attachment, a random encryption/decryption key is generated, and that key is also sent to the Viro command and control (C&C) servers.

The Viro malware then looks for two Windows registry values: “ProductId” under “SOFTWARE\Microsoft\Windows NT\CurrentVersion” and “MachineGuid” under “SOFTWARE\Microsoft\Cryptography” (both are present on any normal Windows installation). If both are found, the malware uses an RSA cipher to encrypt all files with the following extensions:

  • ASP
  • ASPX
  • CSV
  • DOC
  • DOCX
  • HTML
  • JPG
  • MDB
  • ODT
  • PDF
  • PHP
  • PNG
  • PPT
  • PPTX
  • PSD
  • SLN
  • SQL
  • SWP
  • TXT
  • XLS
  • XLSX
  • XML

The list covers the most important document and media file types but nothing that would prevent the user from using Windows in a basic way. Losing your documents is surely enough to compel most people to pay the ransom, yet not enough to cripple them completely. There may be a method to the attacker’s madness.

The ransom note appears on the user’s screen once the encryption process starts. The machine then also becomes part of the Viro botnet, sending emails with malicious attachments to other potential targets.

In the malware’s code, researchers have also found a keylogger that sends logged keystrokes back to the C&C servers. They also found that infected machines may download additional malware from the C&C servers and execute it through Windows PowerShell.

It appears the attackers have far greater ambitions for Viro than a botnet that spreads a single strain of ransomware. The malware is probably still in development, and the PowerShell download-and-execute capability could be used to take complete control of victims’ computers.

There is no news yet on whether paying the ransom actually decrypts your files. Either way, never open an email attachment from an unfamiliar sender! Or check out Comodo Advanced Endpoint Protection, which will render even Viro harmless!