Misc
by Frank Block

Dissection of an Incident – Part 2

After our last blogpost regarding Emotet and several other Emotet and Ransomware samples that we encountered, we recently stumbled across a variant belonging to the Gozi, ISFB, Dreambot respectively Ursnif family. In this blogpost, we want to share our insights from the analysis of this malware, whose malware family is mainly known for being a banking trojan that typically tries to infect browser sessions and sniff/redirect data. In particular, we are going to provide details about the first stage Word Document, the embedded JavaScript/XSL document, an in-depth runtime analysis of the downloaded executable, and some details regarding detection.

Also, with this blog post, we are releasing a Rekall plugin called pointerdetector that enumerates all exported functions from all DLLs and searches the memory for any pointer to them (essentially a search for dynamically resolved APIs). This plugin can assist in identifying dynamically resolved APIs and especially memory regions containing DLLs loaded with techniques such as reflective DLL injection. This blog post will contain some examples illustrating the usage of this plugin, as well.

If you are interested in a hands-on analysis of Incidents and malicious files, we are giving another round of our Incident Analysis workshop at Troopers20.

Continue reading “Dissection of an Incident – Part 2”

Continue reading
Misc
by Aleksandar Milenkoski

Windows Insight: Code integrity and WDAC

The Windows Insight repository now hosts three articles on Windows code integrity and WDAC (Windows Defender Application Control):

  • Device Guard Image Integrity: Architecture Overview (Aleksandar Milenkoski, Dominik Phillips): In this work, we present the high-level architecture of the code integrity mechanism implemented as part of Windows 10.
  • Windows Defender Application Control: Initialization (Dominik Phillips, Aleksandar Milenkoski): This work describes the process for initializing WDAC performed by the Windows loader and the kernel when Windows 10 is booted.
  • Windows Defender Application Control: Image verification (Aleksandar Milenkoski): This work discusses the workflow of WDAC for verifying images.

– Aleksandar Milenkoski

Continue reading
Events
by Rachelle Boissard

Medical Device Security Summit 2019, 19th of November of 2019

*This event will be held in German*

Inspiriert durch die erfolgreichen Round-Table-Diskussionen der TROOPERS-Konferenz freuen wir uns, Ihnen heute mit dem Medical Device Security Summit 2019, eine weitere Veranstaltung in einer Reihe zu Trend-Themen im Bereich der IT-Sicherheit vorzustellen.

Continue reading “Medical Device Security Summit 2019, 19th of November of 2019”

Continue reading
Events
by Priya Chalakkal

TelcoSecDay 2020 CFP is open

We are back again with another TelcoSecDay 2020 (TSD20) which is going to happen on March 16th, 2020 as an additional event to TROOPERS. This year, it is going to be on Monday of the TROOPERS week. We are delighted to inform that the event is happening for the 9th year in a row. The CFP is open now. If you have an interesting topic related to the field of Telco Security, please make a submission. The deadline is November 17, 2019. The final notification for TSD submission is December 20, 2019.

Continue reading “TelcoSecDay 2020 CFP is open”

Continue reading
Breaking
by Nils Emmerich

Jenkins – Groovy Sandbox breakout (SECURITY-1538 / CVE-2019-10393, CVE-2019-10394, CVE-2019-10399, CVE-2019-10400)

Recently, I discovered a sandbox breakout in the Groovy Sandbox used by the Jenkins script-security Plugin in their Pipeline Plugin for build scripts. We responsibly disclosed this vulnerability and in the current version of Jenkins it has been fixed and the according Jenkins Security Advisory 2019-09-12 has been published. In this blogpost I want to report a bit on the technical details of the vulnerability.

Continue reading “Jenkins – Groovy Sandbox breakout (SECURITY-1538 / CVE-2019-10393, CVE-2019-10394, CVE-2019-10399, CVE-2019-10400)”

Continue reading
Misc
by Dennis Heinze

PSD2 – Mandatory Account Access for Third Party Providers

On September 14th the final deadline of complying with the new Payment Service Directive PSD2 will be reached. Among other things, this directive will bring quite a few technical challenges for credit institutions. These include new requirements on two-factor authentication and API access for third parties. In this blog post we will give a short overview of what this means for banks from a security perspective and outline a few of the security-related issues based on what we have been observing during recent assessments of such APIs.

Continue reading “PSD2 – Mandatory Account Access for Third Party Providers”

Continue reading
Misc
by Friedwart Kuhn

A Follow-Up on the Heisec Webinar on Emotet & Some Active Directory Security Sources

Some weeks ago, Heinrich and I had the pleasure to participate in the heisec-Webinar “Emotet bei Heise – Lernen aus unseren Fehlern”. We really enjoyed the webinar and the (alas, due to the format: too short) discussions and we hope we could contribute to understand how to make Active Directory implementations out there a bit safer in the future.

Continue reading “A Follow-Up on the Heisec Webinar on Emotet & Some Active Directory Security Sources”

Continue reading