Category: Digital Forensics Blog – Binalyze

Binalyze and AHAD announce channel partnership for the GCC region

Tallinn, ESTONIA – June 3, 2021 – Binalyze, the leading provider of advanced Digital Forensics and Incident Response (DFIR) solutions, today announced it has partnered with AHAD as a channel distribution partner for the GCC region (United Arab Emirates, Saudi Arabia, Qatar, Oman, Kuwait, and Bahrain).

SHIELDing DFIR against CryptoLockers!

Some History

It was around 7 years ago when I analyzed my first CryptoLocker which was just a prototype full of mistakes and weird stuff. My first reaction to this ‘new’ way of making money was “Well, not an art piece compared to what we have been dealing for the last three years (mostly low-level kernel-mode rootkits) but it is still promising”.

Back in the day, a quick look into the code was more than enough to create a decrypter. But how? The problem was that the attacker was using AES 256 in CTR mode and he was only encrypting the first 2MBs of the files for making the encryption process faster. Finding that all the affected systems had a video file named “Wild Life” which was also encrypted by the CryptoLocker, we have created a decryptor for FREE (zero bitcoins). This was –as far as I know– the first freely available decrypter for a crypto-locker case. The funny thing is, the author of crypto locker fixed his cheap code by switching to AES CBC mode after finding out that the victims were using our tool to decrypt encrypted files, not his :):):)

shielding

7 years fast forward: Our partner CyberArtsPro calls our support team on a Sunday morning in an urgency stating that IREC TACTICAL can not collect evidence from a crypto-locker infected machine?! We were surprised at first but a quick investigation made it obvious that the crypto locker was not only encrypting the user files but also the evidence collected by IREC.

The moment I was informed about the situation, my reaction was “All right. Let the war started.” which led to the development of our new feature “SHIELD”.

What is SHIELD?

SHIELD is a kernel-mode component added to IREC version 2.2.0 protecting all the evidence collected by our solution regardless of the media it resides in. At its core, it is a Mini Filter driver attaching to all volumes on the affected machine for blocking access of any other application except IREC thus enabling our users to securely collect evidence.

shielding-dfir

At this point, you may be asking what is the point of collecting evidence from an already infected machine. Aren’t crypto locker authors using asymmetric encryption for their ransomware? They mostly do but not always. Remember that most cybercriminals are in chase of easy money which makes them susceptible to making a lot of mistakes. As an example, in a recent case, our partner DIFOSE was able to retrieve the decryption key of VEAM Backups just by using IREC’s Clipboard content collection feature. (Note to attackers: DO NOT copy & paste encryption keys please type them patiently if you want your Bitcoins.)

How to use?

Starting with version 2.2.0, SHIELD will be enabled by default and will stay active until you disable it by clicking the shield icon on the main page of IREC or by clicking one of the two buttons on the acquisition summary page (Open Output Folder / Open Case Html). Please note that IREC will only protect the case files it collects regardless of the location they reside (USB Drive or a network share) which is the reason we suggest you use a USB drive or a network share dedicated for this purpose only.

You can download IREC 2.2 Preview version from the link below: https://cdn.binalyze.ai/irec/IREC-2.2.0(Preview).exe

Enjoy SHIELD and stay safe at home!

Dear Attacker;

Please accept our apologies for decrypting your so-called ultra-secure encrypted files.

5 Measures to Work Remotely in Secure

Covid-19 pandemic has become the most important topic in cyber security as in many other areas. The pandemic has affected people’s lives and caused significant changes in working procedures of organizations. Many organizations including public institutions activated remote working procedures hastily. In fact, the transition has emerged as an imperative to protect employees and to prevent the spread of the pandemic. So it is still unknown whether they are well prepared for the situation, even if they are practicing the work-from-home right now.

The image that has emerged so far do not give any idea of organizations’ preparation level, but it has clearly showed that there are many cyber attackers who try to exploit the situation caused by the pandemic. The increase in cyber incidents related to Zoom application (daily traffic to its download page increased 535 percent in the last month) which used by many organizations and work-from-home employees is one of the most obvious indicators. Another significant indicator is 32X increase in the number of successful daily phishing attacks. It is obvious that cyber criminals are adapting their techniques to new working environment.

covid-malware-phishing

The organizations will face a serious examination because the increasing number of cyber incidents. The employees sitting in front the computer in the office before the pandemic had the capability to check the whole system physically in order to secure the network and the sensitive information of the organization are now at home and trying to do the same job. At this point, while it is now more difficult to supervise the employees working from home, on the other hand, more time may be needed to detect and respond to a possible cyber incident. Traditional methods, based on physical connection, used by the organizations can be insufficient to respond to incidents. So the organizations need a new perspective. Simple and fast applicable automated procedures and practices will make it easier to respond to incidents and minimize the damage by shortening the reaction time.

Covid-19 pandemic does not seem to end in the short term. So the increase in remote working related to the pandemic will not end soon as well. It is estimated that remote working emerged with the pandemic as a mandatory practice will increase 5-6 times in next two years. It will be better to be ready for this new working environment to be permanent after the pandemic.

Five measures to be taken:

  • Developing a new perspective: Developing a new perspective independent from traditional working pattern will be very helpful to solve the problems which are caused by remote working. When security and IT infrastructure of the organization is reviewed in terms of this perspective, it will be easier to find solutions to possible cyber incidents and determine necessary hardware, software and the need of qualified IT personnel.

  • Training of the employees: Most of the cyber incidents are based on users. Therefore training is of the employees will minimize the risk of a possible incident. Otherwise, even if all necessary measures are taken, the cyber incident is inevitable.

  • Preparing an Incident Response Plan: It vital to have a path to follow when a cyber incident occurs. Because in case of an incident knowing what to do step-by-step will help everyone (employees, IT personnel, experts, managers) and protect the organization from possible simple mistakes and waste of time. Developing an Incident Response Plan, will help organizations get out of the crisis where the time is so valuable and prepare them for future cyber threats.

  • Using VPN: Remote working (probably from a public network) inevitably will cause a need of remote access to organizations critical data. Creating an encrypted and secure tunnel to access the servers of the organization will reduce the risk of a cyber incident. You can make use of the VPN opportunities offered by operating systems as well as the commercial VPN providers.

  • Continuous IT Auditing: It is now more difficult to audit the computers and the network of organizations systematically and to keep the system under control with hasty transition to remote working. This process made the organizations more vulnerable to cyber-attacks. Creating an auditing system for the employees away from IT personnel of the organizations, without a secure internet connection, connecting organizations’ servers from various locations is a mandatory issue to prevent cyber incidents and minimize the response time.

The First Step to Forensic Readiness: Risk Assessment

The first step in achieving forensic readiness is to do a complete risk-assessment analysis of all your business operations. The main goal is to identify any potential risk and vulnerabilities in your business processes so you can understand and define where digital evidence may be required and may benefit the organization.

SUNBURST Back Door knocking on the World’s Front Door

FireEye has uncovered a malicious campaign that gains access to victims via trojanized updates to Orion, SolarWinds’ IT monitoring and management software.

While the fireworks are only visible to us now, the fuse for this malicious campaign was lit in March 2020. SUNBURST is the product of highly evolved cyber criminals that resulted with significant lateral movement and data theft.

Nationwide Damages

The malicious campaign that compromised just one piece of the SolarWinds IT toolkit potentially gained access to multiple entities nationwide including government agencies, telecommunications companies, top accounting firms and big players from the private sector. Unfortunately, this still only represents a small piece of the extraordinary array of possible SolarWinds’ customers.

SUNBURST Backdoor: ‘update is available, click here to download’

In the spring of 2020 IT staff got a pop up notification from a trusted popular software provider to install a new update and so with one click around 18,000 customers across various government and private organizations downloaded the update and with that the silent game began.

Little did they know that the new update came with a Trojan, secret malicious code, that stayed in their system silently for a couple of weeks, just observing while the victims carried on with their hardworking jobs oblivious to the threat. When the time was just right, SUNBURST sprang into action inside thousands of computer networks in government, technology and telecom organisations across North America, Europe, Asia and the Middle East opening the door for its creator to enter as well. According to BBC the damages are not yet known, but for months the professional cyber criminal team could spy and keep on stealing information of different organisations worldwide.

 

DFIR Guide

Download our DFIR Guide and learn more how you can elevate your incident response processes.

{{cta(‘b738efd9-03c6-4b79-8e63-1667724d6ddc’,’justifyleft’)}}

 

SUNBURST: It’s time to take an initiative

Attacks of this nature don’t just affect the infected organisations, they also deal a blow to the entire cyber-security space by undermining trust in our solutions and planting seeds of doubt in users’ minds.

At Binalyze, our core mission is to help our users and the DFIR community to respond faster. As part of this mission we have decided to give support to SUNBURST damaged entities and we hope that this initiative will be supported by other cyber security vendors and professionals.

Today we are releasing a version of Binalyze AIR with the codename SUNBURST that will enable anyone to identify their exposure to the attack and pinpoint their network vulnerability in under an hour.

This version is available FREE OF CHARGE for 15-days and 25,000 endpoints to help all organizations potentially affected by SUNBURST.

Heads up for the DFIR community

To investigate this SUNBURST breach it will take a lot of time, research and financial resources, just when we were getting ready for the Christmas and New Year holidays. Now instead of planning a cosy vacation you have to respond to the biggest breach of the year and plan your DFIR strategies and methods, working hours of overtime trying to manage breach damages.

Binalyze is the fastest evidence collection, triage, and IR investigation platform that now also contains the YARA Rules for SUNBURST thanks to our colleagues at FireEye. We are here to give support to any DFIR community member requesting it that has clients damaged by the hack to help speed up the investigation process and ease your workload.

Over the next few days, we will post videos and blogs sharing DFIR methods and tactics that we believe will be useful to the DFIR community. If you have or had a trojanized version of SolarWinds Orion on your infrastructure, Stroz Friedberg have released this excellent document with advice for a risk-based approach to the situation. Click here for more details.

We are all striving for a safer cyber world and taking our part in this global effort.

Stay safe.

Ransomware Attacks: Plan or Pay

Ransomware is not new but it continues to be one of the biggest challenges for every kind of organization in recent years. There were a total of 308 million ransomware attacks in 2020. This means a 62 percent increase from 2019. At the same time, ransom payments are also increasing. In the first quarter of 2021, the average of ransom payments was over $220,000.