Your Locker of Information for CryptoLocker Decryption

Ransomware is a particularly nasty class of malware that holds an infected machine’s data hostage. According to a recent FireEye blog post on Operation Tovar, the takedown of the CryptoLocker infrastructure, CryptoLocker collected millions of dollars in ransom payments within the first two months of its distribution.

Operation Tovar helped tear down the infrastructure the attackers used, but users are still being infected with ransomware. After the takedown, few resources were available to help victims whose files could only be decrypted with the attackers’ RSA private keys.

While not particularly innovative, CryptoLocker was successful because it encrypted the files on the computers it infected and then demanded a ransom for the private key needed to decrypt them. The harsh reality is that few people back up their data, and in some cases the backups themselves were encrypted because they were mounted on the infected machine when the malware ran. As a result, many victims felt helpless and paid the ransom, typically around $300. A simple description of how CryptoLocker works follows:

  1. CryptoLocker arrives on a victim’s machine through a variety of techniques, such as spear-phishing emails or watering hole attacks.
  2. CryptoLocker then connects to a domain produced by its domain generation algorithm (DGA) and downloads the RSA public key for that infection.
  3. A fresh AES-256 key is generated for each file on the system.
  4. CryptoLocker encrypts each supported file with the AES key generated for it in step 3.
  5. Each file’s AES key is then encrypted with the RSA public key downloaded in step 2.
  6. Finally, only the RSA-encrypted copy of the AES key is kept, written to the beginning of the encrypted file. Recovering the AES key, and with it the file, therefore requires the matching RSA private key, which only the attackers hold.

Figure 1: Screenshot of victim machine infected with CryptoLocker
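The scheme in steps 2 through 6, worked through in Go as an added example. This is not the malware’s code, nor FireEye’s or Fox-IT’s Decryptolocker.exe. The on-disk layout (a "CLK1" marker, a two-byte length, the RSA-OAEP-wrapped file key, then an AES-256-GCM nonce and ciphertext), the OAEP padding and the GCM mode are assumptions made for the example; the page does not document CryptoLocker’s real header format or cipher mode. encryptFile plays the malware’s part, looksLocked is the equivalent of a "-find" style triage check on the header, and decryptFile is what a recovery tool does once the matching private key is known: a non-matching private key fails at the unwrap step, so the file body is never even touched.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Assumed on-disk layout for this example (not CryptoLocker's real format):
//   "CLK1" | 2-byte big-endian length of wrapped key | RSA-OAEP(file key)
//   | 12-byte AES-GCM nonce | AES-256-GCM ciphertext
var magic = []byte("CLK1")

// encryptFile plays the malware's role (steps 3 to 6): one random AES-256 key per
// file, the body encrypted under it, the key wrapped with the attacker's RSA public
// key and written ahead of the ciphertext. The raw file key is never stored.
func encryptFile(attackerPub *rsa.PublicKey, plaintext []byte) ([]byte, error) {
	fileKey := make([]byte, 32) // step 3: fresh AES-256 key for this file
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	body := gcm.Seal(nil, nonce, plaintext, nil) // step 4: encrypt the contents
	// step 5: wrap the file key; only the holder of the private key can unwrap it
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, attackerPub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	var out bytes.Buffer // step 6: the wrapped key goes to the front of the file
	out.Write(magic)
	binary.Write(&out, binary.BigEndian, uint16(len(wrapped)))
	out.Write(wrapped)
	out.Write(nonce)
	out.Write(body)
	return out.Bytes(), nil
}

// looksLocked is the "-find" style triage check: header marker plus a plausible length.
func looksLocked(blob []byte) bool {
	if len(blob) < len(magic)+2 || !bytes.HasPrefix(blob, magic) {
		return false
	}
	n := int(binary.BigEndian.Uint16(blob[len(magic):]))
	return n > 0 && len(blob) >= len(magic)+2+n+12
}

// decryptFile plays the recovery tool's role: unwrap the file key with the recovered
// RSA private key, then decrypt the body. A wrong key fails the OAEP check.
func decryptFile(priv *rsa.PrivateKey, blob []byte) ([]byte, error) {
	if !looksLocked(blob) {
		return nil, errors.New("not a locked file, or header truncated")
	}
	n := int(binary.BigEndian.Uint16(blob[len(magic):]))
	off := len(magic) + 2
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, blob[off:off+n], nil)
	if err != nil {
		return nil, fmt.Errorf("private key does not match this file: %w", err)
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	off += n
	nonce := blob[off : off+gcm.NonceSize()]
	return gcm.Open(nil, nonce, blob[off+gcm.NonceSize():], nil)
}

func main() {
	attacker, _ := rsa.GenerateKey(rand.Reader, 2048) // the key pair behind step 2
	doc := []byte("constructed sample document: quarterly figures")
	locked, _ := encryptFile(&attacker.PublicKey, doc)
	fmt.Println("locked?", looksLocked(locked), "plaintext visible?", bytes.Contains(locked, doc))
	stranger, _ := rsa.GenerateKey(rand.Reader, 2048) // a key pair that never saw this file
	if _, err := decryptFile(stranger, locked); err != nil {
		fmt.Println("wrong key:", err)
	}
	recovered, _ := decryptFile(attacker, locked)
	fmt.Printf("right key: %q\n", recovered)
}
```

Run it with go run. The wrapped key at the front of the file is worthless without the matching private key, which is exactly why a database of recovered private keys is what makes a decryption service possible, and why a file whose header is truncated is rejected before any cryptographic work is attempted.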

Not all CryptoLocker variants are created equal. Several copycats and hybrid versions of CryptoLocker exist, ranging from programs such as CryptoDefense, PowerLocker, TorLocker and CryptorBit to unnamed variants with modified functionality, such as using Yahoo Messenger as a propagation technique.

Decryption Assistance

To help victims whose files are still encrypted, we leveraged our close partnership with Fox-IT and developed a decryption assistance website and corresponding tool for those afflicted with the original CryptoLocker malware. Through various partnerships and reverse engineering engagements, Fox-IT and FireEye have obtained many of the private keys associated with CryptoLocker, and having these private keys allows files encrypted by CryptoLocker to be decrypted.

FireEye and Fox-IT have created a webpage, https://www.decryptcryptolocker.com, where a user can upload an encrypted CryptoLocker file. Based on this upload, the user is offered the private key that should decrypt their affected files. The site also provides instructions on how to apply this key to the files encrypted by CryptoLocker.

To use the site, upload one encrypted file that contains no confidential information. (Please keep in mind that we will not permanently store, view, or modify your file in any fashion.) Enter your email address so that the private key associated with the file is sent to the correct individual, and enter the number or phrase shown in the Captcha field.


Figure 2: Screenshot of https://www.DecryptCryptoLocker.com

After clicking “Decrypt It!”, you will be presented with instructions to download the Decryptolocker.exe tool from https://www.decryptCryptoLocker.com (Figure 3). In addition, your private key will be sent to the email address specified.


Figure 3: DecryptCryptoLocker decryption result page

After receiving the email (Figure 4), you will then select the key and utilize it in conjunction with Decryptolocker.exe.


Figure 4: Email containing private key

At this point, the user opens a Windows Command Prompt and changes to the directory containing the Decryptolocker.exe tool and the locked file. (If the locked file is not in the tool’s directory, its path must be given on the command line.) The command must be entered exactly as shown on the successful decryption page, using plain ASCII double quotes around the key; the Command Prompt does not treat typographic (curly) quotes as quoting characters. The command has the following structure:

Decryptolocker.exe -key "<key>" <Lockedfile.doc>

Upon successful execution of the tool, the user should see a message indicating that decryption was successful (Figure 5).


Figure 5: Successful decryption of File1-1.doc

Conclusion

Operation Tovar made a clear impact on the distribution of CryptoLocker and on the number of machines it infected. Until now, however, there has been no known way for users to get their encrypted files back without making significant payments to those responsible for infecting their machines in the first place. Remediating an infected machine can be somewhat difficult, but we hope that with the help of https://www.decryptCryptoLocker.com and Decryptolocker.exe we can help you recover some of the valuable files that may still be encrypted.

As always, to help prevent a threat like this from affecting you and your data, make sure you back up your data. Ideally, keep copies in at least two locations: one on premises (such as an external hard drive) and one off premises (such as cloud storage). Keep the on-premises copy disconnected when it is not in use; as noted above, backups that were mounted on an infected machine were encrypted along with everything else.

FAQ

Are all encrypted files afflicted with CryptoLocker decryptable with this tool?

We believe we recovered everything from the CryptoLocker database. However, a limited chunk of data may be missing as a result of the takedown or of interruptions to the CryptoLocker backend infrastructure, so certain files may not be decryptable. Also, new variants of CryptoLocker may be released at any time, and the tools discussed here or made available may not be able to decrypt files encrypted by those more recent variants.

Does this tool work against CryptoLocker variants?

There are several variants of CryptoLocker, each functioning differently. While these variants appear similar to CryptoLocker, this tool may not decrypt files from every one of them because of differences in code and functionality.

Does any of our data get stored by FireEye or Fox-IT?

Under no circumstances does personal data get stored, processed or examined by FireEye or Fox-IT when using this tool.

Is this service free?

The Decryptolocker.exe tool is available at no cost via the website to anyone whose machine has been compromised by CryptoLocker.

How can I use the Decryptolocker.exe tool?

The Decryptolocker.exe tool is designed to perform a few different types of functions. Here are some examples of various prompts you can enter, depending on the result you would like to obtain.

1) To test whether a single file is encrypted with CryptoLocker, enter:

Decryptolocker.exe -find File1.doc

2) To find all files encrypted with CryptoLocker in a directory and its subdirectories, enter:

Decryptolocker.exe -find -r "C:\FolderName"

Note: Remember to include the "-r"; that switch is what makes the search recursive.

3) To decrypt a single file encrypted with CryptoLocker, enter:

Decryptolocker.exe -key "<your private key provided in email>" File1.doc

4) To decrypt all files in a folder, enter:

Decryptolocker.exe -key "<your private key provided in email>" C:\FolderName\*

Note: Remember to include the "*" at the end.

5) To decrypt all files in a folder or drive recursively, enter:

Decryptolocker.exe -key "<your private key provided in email>" -r C:\

Note: Decryptolocker.exe creates a backup of each encrypted file in the same directory before writing the decrypted file, so you need free space roughly equal to the total size of the files being decrypted. If there is not enough space, the tool may fail to run and your computer may slow down. Ensure you have sufficient free disk space before proceeding.

 

Disclaimers

There are several variants of CryptoLocker, all functioning in different ways. While these variants do appear similar to CryptoLocker, the tools discussed here may not successfully decrypt files encrypted by every variant because of differences in the programs or for other reasons. Also, while we have many unlocking keys, there is a possibility that we will be unable to decrypt your files.

References


https://www.fireeyesolution.com/blog/technical/2014/07/operation-tovar-the-latest-attempt-to-eliminate-key-botnets.html

http://blog.fortinet.com/A-Closer-Look-at-CryptoLocker-s-DGA/

https://www.fox-it.com/en/

FireEye’s Threat Analytics Platform Honored as Best Cloud Service at Interop Japan

The theme of this year’s Interop Japan was “To an Increasingly Interconnected World,” with a focus on how organizations can manage a future where interconnectivity between endpoints, devices, infrastructure and everything else continues to increase exponentially. Many of the vendors at the show focused on the infrastructure required to support such a vision, particularly on delivering the “as-a-service” cloud deployment model, big-data and Software Defined Networking (SDN) needed to create a connected world.

What were conspicuously underrepresented in the conference were the solutions that would secure such an interconnected world. That the judges at Interop chose FireEye’s Threat Analytics Platform (TAP) as the Best of Show for the Cloud Services category from all of the innovative “connected world” solutions was a nod to the importance of security in this new world.

FireEye COO Kevin Mandia accepts the award for “Best of Show for Cloud Services” at Interop Japan

As companies and governments move towards greater interconnectivity, securing the requisite infrastructure is only going to get exponentially harder. Organizations today already have challenges securing and monitoring all of their network equipment, endpoints, and security equipment. It is not uncommon for organizations to see millions or even billions of events a day from their infrastructure. Unfortunately, collecting the information is the easy part, finding the events that matter is the hard part. Sophisticated attackers know this as well and prey upon the inability of organizations to find evil in all of the noise to continuously target specific industries with a variety of malware and non-malware based attacks.

Protecting organizations from these threats requires a different solution paradigm, and FireEye’s Threat Analytics Platform (TAP) was created specifically to solve this challenge. TAP is a security incident detection and response management platform designed to help organizations secure themselves by finding the events that matter and remediating the issue before any damage can be done. It applies interlinked strategic intelligence on threat actors and threat intelligence gleaned from the front lines for faster detection of and response to malware- and non-malware-based attacks across network, host and event data. Delivered as a hosted security Platform-as-a-Service (PaaS) solution, TAP leverages a highly scalable and secure architecture that scales as necessary without burdening the organization with the operational complexity, hardware infrastructure or support resources that traditional on-premises solutions require.

The FireEye TAP team is pleased to be acknowledged by Interop Japan on the importance of our mission to help our customers find evil and secure themselves from determined adversaries. We are committed to continuing to deliver on our mission and we have a lot of new exciting capabilities that we are launching soon. Stay tuned to our upcoming TAP announcement by subscribing to the FireEye blog today.

DoJ Indicts Chinese Military Hackers: First Impressions

Today, the US Department of Justice (DoJ) took actions previously unseen in the world of computer security. The press release announcing the activity noted the following:

“A grand jury in the Western District of Pennsylvania (WDPA) indicted five Chinese military hackers for computer hacking, economic espionage and other offenses directed at six American victims in the U.S. nuclear power, metals and solar products industries.”

The accompanying indictment begins with the following excerpt:

“From at least in or about 2006 up to and including at least in or about April 2014, members of the People’s Liberation Army (“PLA”), the military of the People’s Republic of China (“China”), conspired together and with each other to hack into the computers of commercial entities in the Western District of Pennsylvania and elsewhere in the United States.”

These two sentences are packed with meaning for anyone who has been working to counter the Chinese digital threat, either within, or on behalf of, victim organizations. First, the indictment zeroes in on the military aspect of the threat. DoJ isn’t talking about nebulous “Chinese hackers,” perhaps working as contractors for hire. These are PLA troops, some of whom are pictured in the indictment wearing their uniforms. Second, these sentences confirm the temporal span of the activity, roughly an eight year period. This is a sustained, persistent, resourced campaign. Third, they emphasize economic espionage against commercial American targets, not targets in the US military or intelligence communities. The US government has always been clear that it will not tolerate Chinese hacking to financially and scientifically accelerate Chinese economic growth.

For those of us who worked on exposing this threat over the years, the indictment contains many other relevant details. We read that the five defendants “worked together and with others known and unknown to the Grand Jury for the PLA’s General Staff, Third Department (“3PLA”), a signals intelligence component of the PLA, in a Unit known by the Military Unit Code Designator 61398 (“Unit 61398”), and in the vicinity of 208 Datong Road, Pudong District, Shanghai, China.” This is exactly the same unit, designation, and location identified in the 2013 Mandiant report, APT1: Exposing One of China’s Cyber Espionage Units. This statement is the first open, unclassified, official confirmation of the core attribution element in the Mandiant report. It shows that APT1, aka Unit 61398, aka the Second Bureau of the Third Department of the General Staff Directorate of the PLA, is a threat to US economic and security interests.

There are many other aspects of the indictment that I find fascinating, but in the interest of time I will mention one other. Paragraph four states the following:

“During the period relevant to this Indictment, Chinese firms hired the same PLA Unit where the defendants worked to provide information technology services. For example, one SOE involved in trade litigation against some of the American victims mentioned herein hired the Unit, and one of the co-conspirators charged herein, to build a ‘secret’ database to hold corporate ‘intelligence.’”

This is a remarkable statement, because it may answer one of the burning questions those of us analyzing the problem have often asked: how does stolen Western data pass from the Chinese military to the Chinese private sector? According to the indictment, a State Owned Enterprise (SOE) simply hires Unit 61398 to provide IT services, and the military hackers leave the “intelligence” behind in a “database” for the benefit of the SOE.

As the story develops over the coming days, I will keep an eye on it and report back as newsworthy items appear.

Reporting on Key Issues in Cybersecurity: Panel Discussion with Renowned EMEA Reporters

Last week, FireEye held a panel podcast featuring renowned reporters covering Europe in advance of the highly anticipated Infosecurity Europe conference.

The panel included reporters from some of the most credible publications covering information security: Eleanor Dallaway from Infosecurity Magazine, John Leyden from The Register, Tom Brewster, a freelance journalist for TechWeek Europe and the Guardian, and Dan Raywood, editor of IT Security Guru.

In the podcast the panelists discuss key issues in cybersecurity today, including the recent Heartbleed controversy. They also touch on why Infosecurity Europe is crucial for the information security community, and hint at what we can expect from the big event.

To listen to the full podcast, click here.

FireEye Enters Agreement to Acquire nPulse Technologies

Today, I’m excited to announce that we’ve entered an agreement to acquire nPulse Technologies, the performance leader in network forensics. The acquisition is expected to close during the second quarter of 2014, subject to standard closing conditions. nPulse has the fastest solution available for high-speed full packet capture and indexing. By combining the nPulse products with the FireEye platform, we’re building enterprise forensics capabilities that will enable incident investigation and remediation that no other security vendor can match. When combined with Mandiant services and the services capabilities of our partners, we’ll be able to provide customers complete visibility into the network with quality analytics that accelerate the path from detection to resolution. This acquisition is a vital part of our long-term strategy to build a single security platform that protects against the most advanced threats and offers customers one solution to detect, contain, resolve and prevent threats.

With the acquisition, FireEye will further expand its security platform with the following:

  • FireEye will offer the industry’s first Enterprise Forensics solution with a unified view of network to endpoint forensics, enabling enterprises to minimize risk and drive down mean time to resolution.
  • The Enterprise Forensics solution, coupled with the FireEye threat analytics solution, will form a comprehensive intelligence platform.
  • The FireEye Network Threat Prevention Platform combined with newly introduced IPS capabilities and the addition of nPulse’s forensics will offer a comprehensive threat management platform.
  • The Enterprise Forensics solution together with FireEye Managed Defense™ will enable the industry’s most advanced managed service capabilities, bringing together deep visibility and rich context from Enterprise Forensics with active defense capabilities of the Managed Defense portfolio.

The New Reality of IT Security

Our Mandiant services team has investigated thousands of breaches and from this experience we know that no matter how good your defenses, with users in the system, every organization has some malicious code within their network. In fact, we know the median number of days attackers were present on a victim’s network before being discovered was 229 days in 2013. But today, when a data breach can result in being called to testify in front of Congress, every organization should be prepared to answer questions about how an attacker got into their network and what data was impacted. Preventing malicious code from entering the network is always key, but now we need to know more - when the malicious code appeared, how the network was compromised and if any data was removed. This is the new reality of enterprise security.

Enterprise Forensics - A Black Box For Your Network

Previously adding enterprise forensics involved building a customized solution that correlated data from multiple point products monitoring different parts of the network and across endpoints. Overwhelmed by cost and complexity, many organizations simply put this off, leaving a wide hole in their IT security and response capabilities. After entering into a technology partnership with nPulse Technologies earlier this year, we saw how our joint customers benefited from bringing together nPulse network information with FireEye threat intelligence and endpoint data.

With this acquisition, FireEye will combine nPulse network forensics with the endpoint products acquired from Mandiant to incorporate attack information from the host, endpoint, network and cloud. We like to think of enterprise forensics as adding a flight data recorder – or a black box – to the network. With complete visibility into the network, the FireEye platform will be able to produce higher quality alerts to help protect against threats as well as quickly quantify the impact of a breach following the discovery of malware on a network. With big-data analytics and real-time capabilities, FireEye will offer enterprise forensics that help answer the most important questions an organization has after a breach.

nPulse extends our reach into an organization’s history because it can log all network activity for as long as they choose to retain that data. With the industry’s fastest lossless, intelligent capture and retrieval, nPulse gives us the ability to “go back in time” to see the full extent of how malicious code behaved on the network. By being the first to deliver end-to-end (network and endpoint) detection and forensics at scale, FireEye enables enterprises to minimize risk by quantifying the impact of a breach while accelerating detection and resolution from days to a matter of minutes. For our Mandiant team and partners, this means we can deliver better service and more comprehensive incident response capabilities.

And most importantly, by reducing incident investigation time, providing validated breach information and improving the quality of alerts, our customers and clients can reduce their exposure to attacks while substantially reducing operational expenses.

At FireEye we’re building the most comprehensive security platform and I look forward to welcoming the nPulse Technologies team to the FireEye family. In the short term after the acquisition, nPulse will continue to operate normally and current customers should expect no disruption in current capabilities and service. Over the coming months after the acquisition, we’ll work to combine the nPulse products with the FireEye platform and bring enterprise forensics to all our customers and partners. Once again, FireEye is leading the way to solve the most complex and time-consuming security challenges.

 

Forward-Looking Statements

This blog post contains forward-looking statements about the expectations, beliefs, plans, intentions and strategies of FireEye relating to its pending acquisition of nPulse. Such forward-looking statements include statements regarding the impact of the pending acquisition of nPulse on FireEye’s competitive position, future product offerings and potential benefits of current and future product offerings. These statements reflect the current beliefs of FireEye and are based on current information available to us as of the date hereof, and FireEye does not assume any obligation to update the forward-looking statements provided to reflect events that occur or circumstances that exist after the date on which they were made. The ability of FireEye to achieve these business objectives involves many risks and uncertainties that could cause actual outcomes and results to differ materially and adversely from those expressed in any forward-looking statements. These risks and uncertainties include market adoption of FireEye’s virtual machine-based security platform; the termination of FireEye’s pending acquisition of nPulse if FireEye and nPulse fail to satisfy the conditions for closing in the definitive agreement; the failure to achieve expected synergies and efficiencies of operations between FireEye and nPulse; the ability of FireEye and nPulse to successfully integrate their respective technologies, products, personnel and operations; FireEye’s ability to attract and retain new customers and expand and train its sales force; the failure to timely develop and achieve market acceptance of combined products and services; the potential impact on the business of nPulse as a result of the pending acquisition; the loss of any nPulse customers; the ability to coordinate strategy and resources between FireEye and nPulse; the ability of FireEye and nPulse to retain and motivate key employees of nPulse; general economic conditions; as well as those risks and uncertainties included under the captions “Risk Factors” and “Management’s Discussion and Analysis of Financial Condition and Results of Operations,” in FireEye’s Form S-1 filed with the Securities and Exchange Commission on April 22, 2014, which is available on the Investor Relations section of FireEye’s website at investors.fireeye.com and on the SEC website at www.sec.gov. Any future product, feature, or related specification that may be referenced in this blog post are for information purposes only and are not commitments to deliver any technology or enhancement. FireEye reserves the right to modify future product or service plans at any time.

 

Clarifying the Origins of FireEye

Today, Bloomberg Businessweek reported on the methods hackers used to steal millions of credit card numbers from Target. In the report, FireEye was mentioned as having discovered the attack prior to the broad discovery by Target as well as providing services to the CIA. It is FireEye policy to not publically identify our customers and, as such, we cannot validate or comment on the report’s claims that Target, the CIA, or any other companies are customers of FireEye.

Additionally, certain follow-on media coverage has reported that the CIA was involved in the founding of FireEye. These claims are not true. To clear up any misconceptions in the market, we wanted to provide more information about how FireEye was founded.

Cybercriminals Continue to Target Retail Sector

A series of spectacular cyber attacks have breached big-name retailers in recent months, including Target, Neiman Marcus, and Michaels. These incidents are only the latest in what has become an alarming trend.

In 2013, for example, the U.S. Department of Justice (DoJ) profiled a financial hacking scheme in which four Russians and one Ukrainian penetrated the computer networks of retail organizations. This series of attacks yielded more than 160 million credit card numbers and cost corporations and consumers hundreds of millions of dollars. The cybercriminals stored the stolen card data on computers scattered around the globe and sold it via hacker forums, charging $10 for American cards and $50 for European cards.

The FireEye Dynamic Threat Intelligence™ team can confirm that the retail sector faces an increased risk from actors using point-of-sale (POS) malware to steal customer credit card data. Ongoing attacks against our retail clients align closely with the DoJ revelations and recent headlines. FireEye is actively tracking one financial threat group that we believe is associated with Russian and Ukrainian attackers.


Targeted Attacks in 2013: Israel

Continuing our region-by-region analysis of the global threat landscape, we turn to Israel, which faces unique cyber threat challenges. Cyber terrorism and cyber warfare are two of the biggest threats facing Israel, says Israeli Deputy Foreign Minister Ze’ev Elkin.

Well-funded and highly motivated threat actors have evolved their techniques from generic, opportunistic, and scattershot attacks to an approach that is targeted, resilient, and evasive.

The findings, based on data gleaned from FireEye Dynamic Threat Intelligence (DTI), are alarming:

  • More than 1.5 APTs per hour were detected
  • 40 APT variants were identified
  • More than half of all callbacks from Israeli targets appear to contact first-tier CnC nodes based in the U.S.
  • The volume of detected malware quadrupled between January and December
  • Defense/airlines, government, and financial services were the most-targeted verticals


Notes from the Field: Yahoo Malvertisement Attack

Yahoo visitors got a nasty New Year’s surprise when third-party advertisements on the site triggered drive-by malware infections. Around the end of December, Yahoo inadvertently began serving malicious ads, also known as “malvertisements,” that redirected visitors to a site hosting the Magnitude exploit kit. This resulted in drive-by malware downloads for thousands of unsuspecting users who merely visited the Yahoo site — even those who didn’t click on anything.

Yahoo quickly removed the ads and says it is working with law enforcement to investigate.

While we don’t know exactly how the malvertisers infiltrated Yahoo’s advertisement network, we are familiar with this type of attack.

This blog post examines some of the technical details of the attack to help security professionals spot and combat this type of threat.


What You Don’t Know Can Hurt You: Finland’s Hidden Cyber Threat

Many in Finland assume that their IT assets are safe, comforted by the country’s geographic isolation from cyber hot spots and by its reputation for having some of the best-maintained networks in the world.

Unfortunately for Finnish organizations, it’s a false sense of security.

A study commissioned by KPMG Finland and conducted by FireEye with help from local technology services partner Cybersec Oy found that nearly half of all systems had already been breached. The study detected a new malicious incident every four minutes on average. And it identified nine advanced persistent threat (APT) events.

The study, titled “The Unknown Threat In Finland,” analyzed network traffic from about 30,000 endpoints over a roughly three-week period in November. To monitor network traffic, researchers installed the FireEye NX series threat prevention platform between organizations’ existing security defenses and their IT environments. In other words, all of the malicious activity occurred on systems that were thought to be protected.
