For the past few years, the team at Fidelis has been running a contest at Black Hat USA called “Decode This.” Kudos to our 2012 winner, David Schuetz, and our 2011 winner Rob Elkind!
For those heading to Las Vegas for the conference, we are pleased to announce the third annual Decode This puzzle contest. This year’s winner will receive a $1,000 check and a very special place among Decode This legends (well ok, David and Rob!).
This year, we will be releasing 16 clues (6 before Black Hat and 10 during the conference). All of the clues will be issued via the @FidSecSys Twitter handle using the hashtag #DecodeThis and also posted here at Threat Geek using our Twitter widget on the right hand side of the homepage. Will Irace will also be tweeting each clue from his Twitter handle @spblat.
Where’s the puzzle? We asked Will this question and he brushed us off. He said he already released the puzzle back in March! Maybe he hid it in one of his weird product videos.
1. Contest will begin on Tuesday, July 23 at 12 PM PST with clue #1.
2. All remaining pre-Black Hat clues will be issued at 12 PM PST on the following days:
Wednesday, July 24 – clue #2
Thursday, July 25 – clue #3
Friday, July 26 – clue #4
Monday, July 29 – clue #5
Tuesday, July 30 – clue #6
3. The final 10 clues will be released at the Fidelis Black Hat Booth (620) as well as on Twitter and Threat Geek (all times are Pacific Time):
Wednesday, July 31 – 9 AM (clue #7), 11 AM (clue #8), 1 PM (clue #9), 3 PM (clue #10), 5 PM (clue #11)
Thursday, August 1 – 9 AM (clue #12), 11 AM (clue #13), 1 PM (clue #14), 3 PM (clue #15), 5 PM (clue #16)
4. The winner will be the first to present the correct answer to Fidelis booth staff.
5. The lawyers made us say that any irregularities in the contest will be resolved at Fidelis' sole and final discretion. We reserve the right to alter or cancel this contest with or without notice.
Good luck and, as they say, keep calm and puzzle on!
Yesterday brought news that a cyber attack caused widespread data destruction in the South Korean banking and media sectors. Researchers at General Dynamics Fidelis Cybersecurity Solutions obtained a copy of the malware involved in the attack and have some preliminary results to share. Our compliments to the talented folks at Alien Vault Labs, whose research on this subject can be viewed on their blog.
For purposes of our research, we’ll call this specimen “239ed75323.exe." It’s a malicious file capable of wiping data in disk drives. One of the areas it targets is the disk’s Master Boot Record (MBR), without which a computer cannot load its operating system. Multiple variants of this malware were observed in the community.
The malware writes a 512-byte pattern to the disk, consisting of the word “HASTATI” repeated back to back.
The malware was observed not to overwrite the whole disk with this pattern, so data can still be recovered. We will release further information on a recovery process in an advisory to follow shortly.
The malware also tries to shut down security tools from the following two South Korean companies:
- AhnLab, Inc. (AhnLab Policy Agent process)
- HAURI Inc. (ViRobot ISMS process)
The file we examined has the following attributes:
At time of analysis, antivirus tools identified the file as follows:
Reversing the file revealed some of the following code responsible for writing the wiping pattern to the disk:
General Dynamics Fidelis Cybersecurity Solutions researchers detonated the malware in a controlled environment and confirmed that it does indeed overwrite the disk with a repeating “HASTATI” pattern. The following shows two areas of the VMDK disk before and after they were overwritten with the pattern:
First area at disk offset 0x3D0000 (location of MBR in virtual disk):
Second area at disk offset 0x3D7000 (location of VBR in virtual disk):
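As an added example (not code from the original post), the following scanner reads a raw disk image sector by sector and reports which sectors carry the repeating “HASTATI” pattern, checks the MBR and VBR offsets the post reports for its test VMDK, and counts how much of the image is untouched and therefore a candidate for recovery. The image is constructed in memory, the offsets 0x3D0000 and 0x3D7000 are the post's values and will differ for other images, and the exact byte layout of the 512-byte pattern (the word repeated back to back) is an assumption, since the post only says it repeats.

```python
"""Locate sectors of a raw disk image that carry the repeating "HASTATI"
wipe pattern, so a responder can see which areas (MBR, VBR, anything else)
were overwritten and how much of the image is untouched.

Added example, not from the original post. The image is constructed in
memory; the pattern layout (word repeated back to back) is assumed."""

SECTOR = 512
MARKER = b"HASTATI"
# Offsets the post reports for the MBR and VBR of its test VMDK; a different
# image will have them elsewhere.
KNOWN_AREAS = {"MBR": 0x3D0000, "VBR": 0x3D7000}


def hastati_sector() -> bytes:
    """One 512-byte sector of the marker repeated (assumed layout)."""
    return (MARKER * (SECTOR // len(MARKER) + 1))[:SECTOR]


def is_wiped(sector: bytes, min_copies: int = 70) -> bool:
    """True when the sector is essentially nothing but the marker. A sector
    holds 73 copies of the 7-byte word; requiring 70 tolerates any phase of
    the repetition and a few stray bytes."""
    return len(sector) == SECTOR and sector.count(MARKER) >= min_copies


def wiped_ranges(image: bytes) -> list[tuple[int, int]]:
    """Merged [start, end) byte ranges of consecutive wiped sectors."""
    ranges: list[tuple[int, int]] = []
    for off in range(0, len(image) - SECTOR + 1, SECTOR):
        if is_wiped(image[off:off + SECTOR]):
            if ranges and ranges[-1][1] == off:
                ranges[-1] = (ranges[-1][0], off + SECTOR)
            else:
                ranges.append((off, off + SECTOR))
    return ranges


def check_known_areas(image: bytes, areas: dict[str, int] = KNOWN_AREAS) -> dict[str, bool]:
    """Report whether each named area (MBR, VBR, ...) carries the pattern."""
    return {name: is_wiped(image[off:off + SECTOR]) for name, off in areas.items()}


def untouched_bytes(image: bytes) -> int:
    """Bytes outside any wiped range, i.e. what is still there to recover."""
    return len(image) - sum(end - start for start, end in wiped_ranges(image))


def build_sample_image(size: int = 0x3D8000) -> bytearray:
    """Constructed stand-in for the VMDK: incrementing filler everywhere and
    a sector carrying the 0x55AA boot signature at the MBR offset."""
    img = bytearray(bytes(range(256)) * (size // 256))
    mbr = bytearray(SECTOR)
    mbr[510:512] = b"\x55\xAA"
    img[KNOWN_AREAS["MBR"]:KNOWN_AREAS["MBR"] + SECTOR] = mbr
    return img


def simulate_wipe(image: bytearray, offsets) -> bytearray:
    """Overwrite the listed sectors of an in-memory image with the pattern,
    so the scanner has a 'before' and an 'after' to compare. This only
    edits a byte array; nothing here touches a real disk."""
    after = bytearray(image)
    pattern = hastati_sector()
    for off in offsets:
        after[off:off + SECTOR] = pattern
    return after


if __name__ == "__main__":
    before = build_sample_image()
    after = simulate_wipe(before, [0, 512, 1024, 1536, *KNOWN_AREAS.values()])
    print("before:", check_known_areas(before), wiped_ranges(before))
    print("after: ", check_known_areas(after))
    for start, end in wiped_ranges(after):
        print(f"  wiped 0x{start:X}-0x{end:X}")
    print("untouched bytes:", untouched_bytes(after))
```

To run this against a real image, replace `build_sample_image()` with the file contents (or a memory-mapped view of it) and adjust `KNOWN_AREAS` to the partition layout of that disk; the merged ranges are what a recovery process would exclude when carving the untouched remainder.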
According to Wikipedia, the word “HASTATI” refers to “a class of infantry in the armies of the early Roman Republic who originally fought as spearmen, and later as swordsmen. They were originally some of the poorest men in the legion, and could afford only modest equipment, light armour and a large shield, in their service as the lighter infantry of the legion. Later, the Hastati contained the younger men rather than just the poorer, though most men of their age were relatively poor. Their usual position was the front battle line of the legion. They fought in a quincunx formation, supported by light troops.” J. Rickard, writing in a December 2002 article on HistoryOfWar.org, adds “the Hastati were expected to take the first clash of battle and blunt the enemy attack before the second line, the Principes took over and won the battle.”
The following are the two processes the malware tries to shut down or kill:
Command executed: “taskkill /F /IM pasvc.exe”
Online research associates “pasvc.exe” with a process from a company called AhnLab, Inc.
AhnLab, Inc. is a security software company in South Korea. The company sells antivirus software.
Specifically, online research suggests that this process is the AhnLab Policy Agent.
Command executed: “taskkill /F /IM Clisvc.exe”
Online research associates “Clisvc.exe” with a process from a company called HAURI Inc.
HAURI Inc. is a security software company in South Korea.
Specifically, online research suggests that this process belongs to the HAURI Inc. ViRobot ISMS security tool.
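As an added example (not code from the original post), the following detection logic scans process-creation records for a forced `taskkill` aimed at either of the two endpoint agent processes the post names, which is the kind of signal a defender can alert on before the wiper reaches the disk. The key=value log layout and the sample records are constructed for the example; the watch list holds only the two process names and product associations given above.

```python
"""Flag process-creation records where taskkill force-kills a known endpoint
security agent. Added example, not from the original post; the log format is
a constructed key=value layout and the sample records are made up."""
import re
from typing import Iterable

# Process names the post reports the malware killing (Windows names are
# case-insensitive), mapped to the product the post associates them with.
WATCHED_AGENTS = {
    "pasvc.exe": "AhnLab Policy Agent",
    "clisvc.exe": "HAURI ViRobot ISMS",
}

_CMDLINE_RE = re.compile(r'commandline="(?P<cmd>[^"]*)"')
_HOST_RE = re.compile(r"host=(?P<host>\S+)")
_IM_RE = re.compile(r"/IM\s+(?P<target>\S+)", re.IGNORECASE)


def taskkill_target(cmdline: str):
    """Return the lower-cased image name a forced taskkill (/F ... /IM name)
    targets, or None when the command line is not such a kill. Kills by
    /PID are out of scope, matching the two commands observed."""
    tokens = cmdline.strip().split()
    if not tokens:
        return None
    exe = tokens[0].rsplit("\\", 1)[-1].lower()   # strip any path prefix
    if exe not in ("taskkill", "taskkill.exe"):
        return None
    if not any(t.upper() == "/F" for t in tokens[1:]):
        return None
    m = _IM_RE.search(cmdline)
    return m.group("target").lower() if m else None


def find_agent_kills(lines: Iterable[str]) -> list[tuple[str, str, str]]:
    """Return (host, target_process, product) for every record whose
    command line force-kills a watched agent."""
    hits = []
    for line in lines:
        cm = _CMDLINE_RE.search(line)
        if not cm:
            continue
        target = taskkill_target(cm.group("cmd"))
        if target in WATCHED_AGENTS:
            hm = _HOST_RE.search(line)
            host = hm.group("host") if hm else "?"
            hits.append((host, target, WATCHED_AGENTS[target]))
    return hits


# Constructed sample records, not real telemetry.
SAMPLE_LOG = [
    'ts=2013-03-20T14:00:01Z host=ws01 event=ProcessCreate commandline="cmd /c dir"',
    'ts=2013-03-20T14:00:02Z host=ws01 event=ProcessCreate commandline="taskkill /F /IM pasvc.exe"',
    'ts=2013-03-20T14:00:02Z host=ws01 event=ProcessCreate commandline="taskkill /F /IM Clisvc.exe"',
    'ts=2013-03-20T14:05:10Z host=ws02 event=ProcessCreate commandline="taskkill /IM notepad.exe"',
    'ts=2013-03-20T14:05:11Z host=ws02 event=ProcessCreate commandline="C:\\Windows\\System32\\taskkill.exe /F /IM pasvc.exe"',
]


if __name__ == "__main__":
    for host, target, product in find_agent_kills(SAMPLE_LOG):
        print(f"{host}: forced kill of {target} ({product})")
```

The match is deliberately narrow (forced kill by image name of a listed agent) so that routine administrative use of `taskkill` does not alert; extending `WATCHED_AGENTS` with the agent process names deployed in your own estate is the obvious tuning step.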
Researchers from the General Dynamics Fidelis Cybersecurity Solutions Network Defense and Forensics and Threat Research teams continue to monitor and study this event. Results of our research into a process for recovering a system infected by this attack will be released shortly.
Article Introduction: “IT pros can be excused for feeling besieged by the influx of user-owned smartphones and tablets that are linking up to corporate WLANs, email systems and Web apps. But employees are only one source of IT's stress. The other is vendors. Companies large and small are stampeding IT into buying MDM software and services as the wonder app to fix all their BYOD security problems. But MDM isn't a silver bullet, nor necessarily needed for all situations, particularly at SMBs.”
Article Introduction: “Let's face it: Everybody makes dumb mistakes at work. But these days, employee ignorance about the impact of certain IT technologies, a lack of controls around critical infrastructure and data, and a legion of employees armed with way too many system privileges are drowning enterprises in a potent cocktail of risk factors.”
Article Introduction: “Advanced cybersecurity threats, whether they are posed by cyber criminals, hacktivists or nation-states, have been damaging organizations for years. Leveraging social engineering, spear phishing, custom malware, and stolen credentials, they have been evading detection and stealing intellectual property and customer data seemingly at will.”
Ryan Vela's commentary: Cumulatively, the eight creative tactics presented by Joe Goldberg are very beneficial for any company whose revenue lines rely on an integrated IT environment. I would recommend that such companies incorporate all of these tactics into their security posture, with the exception of honeypots. The implementation of these tactics should be measured both as part of the whole and by each tactic's individual benefit in mitigating risk. For some companies, each item will be tailored higher or lower depending on its business need and risk requirements. When weighing the necessity of each tactic individually and all cumulatively, a company should engage outside consultants. Outside consultants are able to view the forest for the trees, or see the whole picture, without feeling stuck in the business tunnel. These consultants offer a valuable guide that will see things that may be overlooked and could save the company significant costs in the long term.
Article Introduction: “An Adobe (NSDQ:ADBE) Reader zero-day exploit has surfaced in a new wave of attacks targeting activist groups and is dropping an advanced piece of malware, according to researchers analyzing the new threat.”
Article Introduction: “Since the start of the year, hackers have been exploiting vulnerabilities in Java to carry out a string of attacks against companies including Microsoft, Apple, Facebook and Twitter, as well as home users. Oracle has made an effort to respond faster to the threats and to strengthen its Java software, but security experts say the attacks are unlikely to let up any time soon.”
The ThreatGeek Top 5 is a weekly post that identifies relevant industry news and stories. Check in to stay up to date with the latest happenings throughout the industry.