WannaCry Hits 150+ Nations Worldwide

Monday, May 15, 2017

Early on Friday, May 12, reports began circulating about WannaCry ransomware outbreaks in the United Kingdom affecting numerous sites at the National Health Service (NHS). Soon after, it became apparent that the impact was global, affecting a large number of victims across Europe, the Middle East and Asia, with victims identified in over 150 countries.

Protection and detection are critical in stopping modern intrusions. Fidelis Network and Endpoint products include coverage for all elements of this campaign.

Important Notes:

  • This is the first true internet-scale worm (one that self-propagates across networks without user interaction) observed since Conficker in late 2008.
  • In 2017, "All Roads Lead to Ransomware", so it was almost inevitable that the payload installed would be a ransomware variant.
  • This campaign has been particularly impactful relative to prior ransomware events: the affected enterprises are wide and varied (healthcare, manufacturing, banking, shipping, etc.) and truly global in nature.
  • It should be noted that WannaCry (also referred to as WannaCrypt) has not been observed prior to this campaign.
  • WannaCry was delivered with a 'kill-switch': a domain the malware contacts before encrypting the system, exiting if the domain responds. This was likely an anti-sandbox measure (sandboxes commonly answer any DNS query), which researchers then leveraged by registering the domain, successfully disabling some strains of the infection.
  • Subsequent variants have emerged with other 'kill-switch' domains that have been similarly disabled.
  • As of noon ET on Monday, May 15, our reporting is that many new variants have been observed without such a mechanism present.
  • In our observation, the ETERNALBLUE exploit for MS17-010 is the more potent element in this campaign. We expect to see successive waves of malware, possibly all ransomware, that leverage this exploit to worm across the internet.
  • To this end, it should be noted that Conficker is still active today, despite the vulnerability it exploits (MS08-067) having been fixed in 2008.
  • While initial reporting suggested that phishing emails were the basis for the original intrusion, this appears unlikely right now. We agree that organizations with SMB (TCP port 445) open to the internet are likely the ones affected right now.
  • Today (Monday, May 15) we have seen researchers note that there have been no instances where victim systems have been successfully decrypted, even when the ransom has been paid. In this respect, this is more like a global wiper event (albeit selective in terms of chosen files), similar to Shamoon.
  • There is considerable mobilization of law enforcement organizations worldwide to pursue those responsible for these events. Many in the private sector, including Fidelis Cybersecurity, are providing assistance as needed.
  • The exploit targets SMBv1 only, which Microsoft has recommended disabling; systems patched with MS17-010 (released March 14, 2017) are not vulnerable.

Spying on GoldenEye Ransomware

Thursday, February 2, 2017

Producers of the 1995 James Bond film “GoldenEye” packed the plot with all the signature elements fans expect from the successful franchise. Over-the-top supervillain – check. Cool spy gadgets – check. Exotic locations – check. And, of course, 007 saves the day.

The film was also slightly ahead of its time. The internet, computers and cyberespionage all factor into the plot. In the movie, a criminal element called Janus conspires to steal vast sums of money from the Bank of England. To cover their tracks and spark a global financial meltdown, they plan to knock out the planet's electronics and communications with a devastating electromagnetic pulse using two nuclear-armed satellites dubbed Petya and Mischa.

If you've never seen the movie, parts of the story may still seem familiar. GoldenEye is the latest iteration of James Bond-themed ransomware. As Avast noted, the ransomware previously went by the name Petya-Mischa. And the creators of the ransomware, you guessed it, call themselves Janus in homage to the spy flick.

GoldenEye is a 'Ransomware as a Service' (RaaS) with a profit-sharing affiliation model based on the amount of money affiliates bring in on a weekly basis. Late in 2016, the threat community observed GoldenEye offered as an RaaS targeting victims with German-themed lures.

Fidelis Cybersecurity Threat Research observed GoldenEye in a recent campaign and analyzed samples of this ransomware. We’re sharing our findings to inform security professionals of this evolving threat.


Fidelis recently observed a wave of GoldenEye deliveries via email starting on December 1, 2016. While the lures themselves all have German themes, such as the use of 'Bewerbung' (“application”) in the title, we saw scattered messages delivered to users elsewhere in Europe, the Middle East and North America.

The delivery tactic typically involves an Excel file with an embedded macro. It is sometimes accompanied by a benign decoy document, possibly to reassure the recipient that all the files attached to the email are safe to open and everything is business as usual. However, once opened, a pop-up window appears asking the user to enable macros – which enables the ransomware.

Later in December, we saw instances of GoldenEye involving higher volumes of emails, indicative that the adversary’s initial trial runs went smoothly and it was time to shift production into high gear.


From our observations, Microsoft Office documents are the primary delivery vehicle for GoldenEye ransomware. The malicious macro code acts as a dropper: it already carries the next-stage payload onboard and does not need to download anything. Once the message gets past the victim's email filtering and into the inbox, all that separates the victim from a full-on ransomware attack is the user's judgement not to open the email and its toxic contents.

After pulling out the macro code, we can see pieces or chunks of a next-layer script that has been put into multiple variables and shuffled:


Embedded VBA Macro Code

Once we put the pieces together, we have a new script, this time in JavaScript. After changing a few things around, we can have the script dump the next layer to a file instead of passing it to eval and executing it:


Second Stage Script

This script is fairly simple: it concatenates the data chunks and base64-decodes the result before running it. So all we need to do is mimic the script without executing the payload. Doing this confirms that this is a dropper. Here, we see the PE header of our newly dumped executable:
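The dropper behaviour just described, as an added example that is not the macro's own code nor the Fidelis analysis script: a small Python module that reassembles the shuffled chunks in order and base64-decodes them, then checks the result for an MZ/PE header instead of handing it to eval. The variable names, their reassembly order and the embedded fake PE bytes are constructed test data (the image has no sections and cannot run).

```python
import base64
import struct


def make_sample_chunks():
    """Constructed test data: a minimal fake PE image, base64-encoded and split into
    four pieces stored out of order in named variables, the way the macro does it."""
    dos_header = bytearray(b"MZ" + b"\x00" * 0x3E)          # 0x40-byte DOS header
    struct.pack_into("<I", dos_header, 0x3C, 0x40)          # e_lfanew -> 0x40
    image = bytes(dos_header) + b"PE\x00\x00" + b"\x4c\x01" + b"\x00" * 18
    b64 = base64.b64encode(image).decode("ascii")
    step = (len(b64) + 3) // 4
    pieces = [b64[i:i + step] for i in range(0, len(b64), step)]
    variables = {"qx": pieces[2], "mm": pieces[0], "zt": pieces[3], "hb": pieces[1]}
    order = ["mm", "hb", "qx", "zt"]                        # reassembly order
    return variables, order


def reassemble(variables, order):
    """Do what the second-stage script does minus the eval: concatenate the chunks in
    order and base64-decode the result. Returns the raw payload bytes."""
    return base64.b64decode("".join(variables[name] for name in order))


def pe_summary(blob):
    """Cheap header check on a dumped payload: is it an MZ/PE image, and where is the
    PE signature? Only the two signatures are inspected; nothing is parsed or loaded."""
    result = {"is_pe": False, "e_lfanew": None}
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return result
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    result["e_lfanew"] = e_lfanew
    result["is_pe"] = blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"
    return result


def dump_payload(blob, path):
    """Write the payload to disk for offline analysis instead of executing it."""
    with open(path, "wb") as fh:
        fh.write(blob)
    return len(blob)


if __name__ == "__main__":
    variables, order = make_sample_chunks()
    payload = reassemble(variables, order)
    print(pe_summary(payload))          # {'is_pe': True, 'e_lfanew': 64}
```

Against a real macro, replace make_sample_chunks() with the chunk variables and order pulled out of the VBA, and pass the result to dump_payload() so the next stage lands in a file rather than in memory.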

Dropped PE File


After getting through the packer, one of the first things the bot does is check whether it is running from %APPDATA%, the customary per-user location for applications to store data on Windows. If it finds that it isn't, it copies itself to that location and launches the copy:

AppData Check

After unpacking all its components, the malware begins its normal file encryption process, the part previously referred to as Mischa. A ransom note is placed on the desktop:

GoldenEye Ransom Note

The malware then begins building a list of all files that have an extension that matches one in its list of extensions that will then be encrypted:


The file encryption is performed using AES with a key derived from part of a SHA-512 hash. Both the AES and the SHA-512 routines are carried inside the malware, but the random data is generated using the Microsoft CryptoAPI.


After encryption, each file is given a random extension. From the decrypter interface it appears that the extension is not stored anywhere, i.e. it is most likely generated randomly for each infection:


 Mischa Decrypter


For the Master Boot Record (MBR) ransom piece, if the malware has the required access (administrator rights to write raw disk sectors), it XOR-encodes the original bootloader, moves it to another sector, and installs its own 16-bit bootloader. That bootloader encrypts the NTFS master file table, making the disk's contents unreachable, while pretending to run CHKDSK:


Fake CHKDSK Message from bootloader code

The cipher used by the bootloader is Salsa20. The original Petya implementation of it had flaws that allowed the key to be recovered, but newer versions have been fixed and the previous techniques for recovering from the hard drive encryption no longer work.


The actor behind this ransomware goes by the moniker “Janus” on the underground and uses a photo of a character from the movie as a profile picture. Like many colleagues, Janus has been very vocal on social media in attempts to generate interest in their products. One such twitter handle --@JanusSecretary -- posts news and updates related to the malware, while boasting that they have a large and successful German-based distributor:



The cybercrime ecosystem is thriving and criminals are continuing to cash in with ransomware attacks. Ransomware-as-a-service gives actors yet another revenue channel and motivates them to innovate and protect their revenue streams. Even as new technical protections are put in place, we expect this ransomware to evolve to evade detection -- and scam as many users as possible.

GoldenEye is a great example of how even complex and innovative malware relies on social engineering and manual clicking – in this case, enabling macros in Microsoft Office files – to infect the user’s computer. It also stands in contrast to more traditional types of server-centric exploits that can be patched against. As actors continue to update their tactics, it’s not very surprising that we’ve observed similar instances of embedded malware in many other recent campaigns.

Administrators should pay close attention to these tactics and continually remind their users to never open suspicious attachments delivered via typical spam lures. Use available administrative controls (e.g. lock down the use of macros delivered from outside the organization) to help prevent your organization from becoming a victim.

-- Fidelis Threat Research Team

Revenge of the DevOps Gangster: Open Hadoop Installs Wiped Worldwide

Wednesday, January 18, 2017

Earlier this month, security news media reported attackers holding internet-exposed MongoDB and Elasticsearch databases for ransom. Attackers said they’d return the data if they got paid -- otherwise, the data would be erased. In many reported instances, attackers simply deleted the data. Unfortunately, more attacks are underway.

Last week, Fidelis Cybersecurity Threat Research observed similar attacks on Internet-facing Hadoop Distributed File System (HDFS) installations. Like the MongoDB and Elasticsearch incidents, attackers would erase all the data on the system. To make matters worse, we confirmed additional attacks on HDFS instances worldwide.

For these events, attackers are leveraging a logical blend of key technology trends:

  • Minimal security. Many new "big-data" database solutions introduced over the past decade include minimal native authentication and security. It's expected that implementers will handle these vital security functions separately. But many times they do not.
  • Mandatory internet access. A number of these solutions are available within the platform-as-a-service (PaaS) model, which must be accessed via the internet. Undoubtedly, numerous managed instances are also directly exposed to the internet. Researchers such as John Matherly have been talking about the risks of such exposed installations for some time.
  • Denial of access. A few years ago, the consequences of exposed data included theft and resale on the underground. We're now seeing ransomware and outright deletion, a 'denial of access' to the user's data. Ransomware has long targeted end users; over the past 18 months it has also been deployed effectively against enterprises and their services.

These factors have combined in attacks against MongoDB and Elasticsearch instances in the past few weeks. The purpose of this post is to make the security community aware of similar incidents involving Hadoop delivered by service providers.


Example HDFS Site where data has been wiped


In this case, we observed an attacker erasing most of the directories and creating a single directory called “NODATA4U_SECUREYOURSHIT”.  There was no attempt to claim a ransom or any other communication -- the data was simply deleted and that directory name was left as a calling card. We estimate that the potential exposure of this attack is around 8,000-10,000 HDFS installations worldwide, but precise numbers are difficult to determine.

A core issue is the same as with MongoDB: the default configuration allows access without authentication, so anyone with basic proficiency in HDFS can start deleting files. Port 50070 is the NameNode's default HTTP port, which serves both the web UI and the WebHDFS REST API. On or around January 5-6, traffic to port 50070 soared as attackers scanned for open HDFS installations to target:


  Port 50070 traffic from the SANS Internet Storm Center


Port 50070 Traffic Graph from Qihoo 360

Port statistics from the SANS Internet Storm Center (above) and Qihoo 360's Netlab (below) show a significant spike in traffic when this attack occurred on January 5-6. Qihoo shows this almost exclusively from a single Chinese IP address. However, it's important not to jump to conclusions about the attacker's location simply by looking at an IP address. Attackers use infrastructure all over the world to hide their identities. Coincidentally, the second highest scanner is adjacent to our suspect.

A quick scan using Shodan shows just how prevalent exposed HDFS installations are. In many cases, installations also lack authentication. In researching this post, the screen capture was taken  from the initial few hits showing those sites had been wiped.  It’s unclear what the motivation of the attacker is, but it seems like this was an intentional “security awareness training” exercise, albeit a criminal one.

So what can you do to prevent these attacks?

  • First, keep HDFS off internet-facing connections. If that's not possible, turn on Hadoop's built-in Kerberos authentication and serve the NameNode and DataNode web services over HTTPS only.
  • Second, remember that no authentication is required by default: if anything running HDFS is reachable from the internet, the entire world has access to your data.
  • Third, brush up on attacker tools. Check out some of the freely available Hadoop attack tools, like the Hadoop-attack-library, that make these kinds of attacks easy (note: we found no evidence this specific tool was used in this case).
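As an added example, not part of the original post and not Hadoop's own tooling, the following Python covers both the attack surface described above and the first two recommendations: it builds the WebHDFS request an attacker (or an auditor) would send to port 50070, interprets the LISTSTATUS reply (including the NODATA4U_SECUREYOURSHIT calling card), and audits a *-site.xml for the settings that leave the cluster open. The WebHDFS URL layout, the property names and their defaults are real Hadoop 2.x behaviour; the host names, the JSON reply and the XML fragment are constructed sample data.

```python
import json
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

CALLING_CARD = "NODATA4U_SECUREYOURSHIT"

# (property, weak value, Hadoop default, recommended value)
SETTINGS = [
    ("hadoop.security.authentication", "simple", "simple", "kerberos"),   # core-site.xml
    ("hadoop.http.authentication.type", "simple", "simple", "kerberos"),  # core-site.xml
    ("dfs.http.policy", "HTTP_ONLY", "HTTP_ONLY", "HTTPS_ONLY"),          # hdfs-site.xml
    ("dfs.permissions.enabled", "false", "true", "true"),                 # hdfs-site.xml
]


def webhdfs_url(host, op, path="/", user="hdfs", port=50070, scheme="http"):
    """Build a WebHDFS REST URL. Under 'simple' authentication the NameNode trusts
    whatever user.name the client sends, so an internet-reachable port 50070 lets
    anyone list (op=LISTSTATUS) or delete (op=DELETE) data as the HDFS superuser."""
    query = urlencode({"op": op, "user.name": user})
    return f"{scheme}://{host}:{port}/webhdfs/v1{path}?{query}"


def summarize_listing(status_code, body):
    """Interpret the reply to GET webhdfs_url(host, 'LISTSTATUS').
    401/403 means authentication is enforced; 200 with a JSON body means it is not."""
    if status_code in (401, 403):
        return {"open": False, "wiped": False, "entries": []}
    if status_code != 200:
        raise ValueError(f"unexpected HTTP status {status_code}")
    statuses = json.loads(body)["FileStatuses"]["FileStatus"]
    names = [s["pathSuffix"] for s in statuses]
    return {"open": True, "wiped": CALLING_CARD in names, "entries": names}


def audit_config(xml_text):
    """Flag weak values in a Hadoop *-site.xml (pass core-site and hdfs-site
    together if you want one report). A property absent from the file takes its
    Hadoop default, which for most of these settings is the weak value."""
    configured = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        configured[prop.findtext("name", "").strip()] = prop.findtext("value", "").strip()
    findings = []
    for name, weak, default, good in SETTINGS:
        current = configured.get(name, default)
        if current == weak:
            findings.append((name, current, good))
    bind = configured.get("dfs.namenode.http-address", "0.0.0.0:50070")
    if bind.startswith("0.0.0.0:"):
        findings.append(("dfs.namenode.http-address", bind, "bind to an internal interface"))
    return findings


# Constructed sample data: a LISTSTATUS reply from a wiped cluster, and a core-site.xml
# that leaves authentication at its default.
SAMPLE_LISTING = json.dumps({"FileStatuses": {"FileStatus": [
    {"pathSuffix": CALLING_CARD, "type": "DIRECTORY", "owner": "hdfs", "length": 0},
    {"pathSuffix": "tmp", "type": "DIRECTORY", "owner": "hdfs", "length": 0},
]}})

SAMPLE_CORE_SITE = """<configuration>
  <property><name>fs.defaultFS</name><value>hdfs://nn.example.internal:8020</value></property>
  <property><name>hadoop.security.authentication</name><value>simple</value></property>
</configuration>"""


if __name__ == "__main__":
    print(webhdfs_url("nn.example.internal", "LISTSTATUS"))
    print(summarize_listing(200, SAMPLE_LISTING))
    for finding in audit_config(SAMPLE_CORE_SITE):
        print("weak setting:", finding)
```

To check a live NameNode you own, fetch webhdfs_url(host, "LISTSTATUS") with any HTTP client and feed the status code and body to summarize_listing(); an "open" result from outside your network is exactly the exposure the scans on port 50070 were looking for.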


"Big data" databases are often consumed as a service from third parties or installed and managed from cloud assets. Any database service directly exposed to the internet without adequate authentication is at risk. Exposed data will be stolen, encrypted and/or erased.

Service providers should implement strong authentication and access isolation. Users of such services should assess these protective measures before entrusting their data to them. Always back up data, and run a robust monitoring program so that unauthorized access is detected and responded to when it occurs.

 -- Fidelis Threat Research Team

Shining a Light on Xenon: Unravelling the Crypter

Tuesday, June 28, 2016

We've recently observed a new crypter called Xenon used to deliver Locky, a strain of ransomware, and Ruckguv, a type of malware that can download and install other types of malware. Xenon employs a novel trick to bypass debuggers, which we’ll describe here along with the techniques it uses. We also provide a Python script to decrypt objects packed using Xenon and the Krypton crypter, which we believe is its predecessor.

Delivering and monetizing malware involves a large chain of independent tools – exploit kits, traffic distribution systems, spambots and more. The crypter occupies a special place in this chain, where it's typically used by threat actors to evade common security measures, such as antivirus and spam filters.

Many companies use crypters for legitimate purposes – to guard their systems, protect their code and products, and safeguard their intellectual property by protecting their binaries from reverse engineering. Crypters sold on underground forums serve similar purposes, but are more focused on bypassing sandbox/antivirus detections. The authors of these tools are acutely aware that researchers are poking at them, so they go to great lengths to evade detection and analysis.

The Xenon crypter seems aptly named. Parallels exist between the Xenon crypter and xenon, an odorless and colorless gas with very low chemical reactivity. Ultimately, every crypter author aspires to hide malware so effectively that it becomes virtually invisible to observation.

In early 2016, Krypton was used to deliver Radamant ransomware, and it was also sold on underground forums. When we first looked at Xenon it struck us as familiar: it uses the same UnhandledExceptionFilter-chaining method to start the real code, and it uses the PEB BeingDebugged flag as part of the XOR decoding process, so if you're in a debugger the payload will not decode properly.

Most interestingly, Xenon calls NtYieldExecution, a native system call that gives up the remainder of the current thread's time slice to any other thread that is ready to run. For a single-threaded program running under a debugger, the timing of these calls differs from normal execution. Xenon appears to use this call in a loop as a custom sleep routine.

Xenon uses the same header structure as Krypton but adds a third XOR key:

The XOR loops in both Krypton and Xenon, as well as in previous crypters, are always the same, using the BeingDebugged flag as an offset into the XOR key:

The offset to the payload's header is stored in a DWORD value, as shown above.


In the above diagram, you can see:

  • the second XOR, executed after the long NtYieldExecution / UnhandledExceptionFilter chain, followed by
  • an LZNT1 decompression, and
  • the third XOR.
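The XOR-with-BeingDebugged-offset trick described above, as an added example in Python (not Xenon's code and not the Fidelis unpacking script). It packs a payload the way a crypter builder would (offline, flag 0) and shows that the stub's decode path only recovers the payload when the BeingDebugged flag is 0. The header layout (a DWORD at offset 0 pointing at a header of length plus two 16-byte keys), the exact way the flag enters the key index, and the demo payload and keys are assumptions for illustration; the LZNT1 decompression step between the layers is left out because the standard library has no implementation.

```python
import struct

# Assumed header layout: payload length, key for the first XOR layer, key for the second.
HDR_FMT = "<I16s16s"
HDR_LEN = struct.calcsize(HDR_FMT)


def xor_layer(data, key, being_debugged):
    """One XOR pass. The key index is offset by the PEB BeingDebugged flag, so the pass
    only inverts itself when the flag is 0. Under a debugger (flag 1) every byte is
    combined with the neighbouring key byte and the output is garbage."""
    klen = len(key)
    return bytes(b ^ key[(i + being_debugged) % klen] for i, b in enumerate(data))


def pack(payload, key1, key2, junk=b"\x90" * 32):
    """Build a stub image the way a crypter builder would (offline, flag == 0):
    a DWORD at offset 0 holding the offset of the payload header, some junk, the
    header, then the payload XORed with key2 and then with key1."""
    body = xor_layer(xor_layer(payload, key2, 0), key1, 0)
    header = struct.pack(HDR_FMT, len(payload), key1, key2)
    hdr_off = 4 + len(junk)
    return struct.pack("<I", hdr_off) + junk + header + body


def unpack(image, being_debugged):
    """The decode path the stub runs at load time. `being_debugged` stands in for the
    PEB->BeingDebugged byte the real crypter reads (fs:[0x30] + 2 on 32-bit Windows)."""
    flag = 1 if being_debugged else 0
    hdr_off = struct.unpack_from("<I", image, 0)[0]
    length, key1, key2 = struct.unpack_from(HDR_FMT, image, hdr_off)
    start = hdr_off + HDR_LEN
    body = image[start:start + length]
    # layers come off in the reverse order of application
    return xor_layer(xor_layer(body, key1, flag), key2, flag)


# Constructed demo payload and keys. The keys are chosen so that key1[i] ^ key2[i]
# is not constant; otherwise a one-byte index shift would go unnoticed.
DEMO_PAYLOAD = b"MZ\x90\x00" + bytes(range(60))
KEY1 = bytes(range(0x10, 0x20))
KEY2 = bytes((i * 7 + 3) & 0xFF for i in range(16))


if __name__ == "__main__":
    image = pack(DEMO_PAYLOAD, KEY1, KEY2)
    print("clean run recovers payload:", unpack(image, False) == DEMO_PAYLOAD)
    print("debugged run recovers payload:", unpack(image, True) == DEMO_PAYLOAD)
```

The practical consequence for analysis is the same as with Krypton: either patch the BeingDebugged byte to 0 before the stub reads it, or skip the stub entirely and decode the payload statically, as the unpacking scripts do.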

These collective techniques form an effective defense against detection and analysis. And yet cracking just this one layer can reveal numerous malware strains hidden beneath the crypter. Xenon uses some tricks that we had not previously seen used to good effect.

This analysis has been captured in a pair of unpacking scripts available for download at: https://github.com/fideliscyber

-- Fidelis Threat Research Team researcher Jason Reaves


Vawtrak Trojan: Bank on it Evolving

Thursday, May 26, 2016

On May 12, 2016, Fidelis Cybersecurity witnessed an update to Vawtrak, a banking trojan, spread via an email campaign using subpoena- and lawsuit-related themes. The configurations observed in this campaign point to an attempt to harvest user credentials when victims visit major financial websites in the U.S. and U.K., such as ADP, Capital One, Citibank, Lloyds Bank, etc. The downloaded Vawtrak malware displays characteristics unlike previously seen variants, including new obfuscation and possible injection into antivirus processes. The full list of targets and details of the technical evolution are discussed below. Further, we're publishing an IDA decoder script to aid fellow researchers.

Vawtrak (aka Neverquest) is a modularized banking trojan active since at least 2013. Banking trojans are malware designed to steal your credentials through various methods (harvesting, keylogging, Man-In-The-Browser, etc.). Historically, Vawtrak has been broken down into “projects” by researchers; the current campaign is referred to as Vawtrak project id: 82.

Vawtrak has been observed being pushed both by the Angler Exploit Kit and by spam campaigns using many delivery mechanisms. In this campaign, the malware uses a macro document that drops and executes an embedded executable, the H1N1 downloader, which then downloads a Pony DLL and Vawtrak. Vawtrak has a larger target list than other banking trojans (see "Project 82 Targets" below), includes a tested and expansive webinject system, and comes with at least five modules that are commonly downloaded in both 32- and 64-bit varieties: injecter_(32|64).dll, dg_(32|64).dll, keylog_(32|64).dll, pony_(32|64).dll and bc_(32|64).dll.

Once Vawtrak makes it to disk, it commonly uses the same loader program to inject the AP32 (aPLib) compressed DLL, choosing the 32- or 64-bit DLL depending on the system architecture.


1. The strings are encoded using a linear congruential generator (LCG) as the pseudorandom number generator (PRNG) (#4 and #5). The strings in this loader were encoded the same way as the DLL strings.

Decoded strings

GET /?id=%0.8X00%0.4X
Host: %s
http://%s/?id=%0.8X01%0.4X



2. The traffic pattern generated with these strings is not a normal Vawtrak traffic pattern. Typically, traffic would be generated by the injected DLL and not by the loader. If the domain resolves, the loader builds the request with swprintf after gathering some information about the system (VolumeID and adapter settings). In this recent and updated version, the parameters passed to swprintf were in the wrong order, which caused the loader to crash. This could be a mechanism for tracking new infections or, possibly, a way to limit the loader to running only until that domain is activated.


Parameters in wrong order




Parameters fixed


Generated traffic

A Vawtrak sample later delivered by H1N1 on May 16, 2016 did not appear to contain this logic, which suggests that it’s being actively tested during development. However, the May 16 version used the domain found in the loader piece of the May 12 sample as a C2 domain.


3. Both samples contained the string of antivirus names. The loader enumerates the list of running processes, strips the '.exe' from each name and then checks whether the name appears in that long string.

If the string is found, then it sets a flag and immediately begins searching for explorer.exe in an attempt to inject. To test, we spun up a fake Sophos program that appeared to have been injected as suspected. Once the DLL is injected, the malware patches certain functions in memory (CreateProcessInternalW and RegGetValueW) for every process it injects, with the patched in routine looking for Chrome-related objects. We didn’t see any signs of the malware attempting to do anything specific to the injected AV processes, but the functionality could be added in the future to disable or attempt to circumvent them in some way.

Vawtrak is one of the more advanced banking trojans used by cybercriminals today. The observed changes to the malware demonstrate continued development to circumvent detection and thwart AV protection mechanisms. Since Vawtrak began to gain strength late 2015, its target list has grown steadily.  As Vawtrak development continues, we expect the target list to expand and additional techniques to be leveraged to infect systems. 


View the IOCs on GitHub https://github.com/fideliscyber

12may2016 Vawtrak
MD5: 5238cd34caae600b3f592e2595aa6949
dringeraout[.]com/rss/feed/stream

16may2016 Vawtrak
MD5: 6fad86a0fcc912f32474f6c7a86fe37a

Project 82 Targets

IDA python script for decoding unpacked loader and dll strings

# IDAPython (IDA 6.x API) helper for the string encoding described above.
from idautils import *
from idc import *
import idc

def PRNG(seed):
    # Linear congruential generator that keys every byte of an encoded string
    seed = (seed * 0x41c64e6d) + 0x3039
    return (seed & 0xFFFFFFFF)

def decode_string(data_addr):
    # Encoded string layout: u32 seed, u32 xor value, then the encoded bytes;
    # the length is the top 16 bits of seed ^ xor value.
    init_seed = Dword(data_addr)
    data_addr += 4
    xork = Dword(data_addr)
    data_addr += 4
    length = (init_seed ^ xork) >> 16
    out = ""
    for i in range(length):
        init_seed = PRNG(init_seed)
        out += chr((Byte(data_addr) - (init_seed & 0xFF)) & 0xFF)
        data_addr += 1
    if out[-2:] == '\x00\x00':
        # trailing terminator pair: strip it before printing (the original
        # script's handling of this case is not shown on the page)
        out = out[:-2]
    return out

#Unpacked loader - Md5: 3678dc31a2be281fa7ed178d535364fb
DECODE_FUNC = 0x401a1b
#Unpacked dll - Md5: 54db3f86aabaf3e87016bcff923dba41
#DECODE_FUNC = 0x10007df8

# Strings passed directly to the decode routine: walk back from each call
# site to the push of the first parameter, which is the encoded string's address.
for xref in XrefsTo(DECODE_FUNC, flags=0):
    addr = idc.PrevHead(xref.frm)
    while GetMnem(addr) != "push":
        addr = idc.PrevHead(addr)
    #Get first param pushed which is address of domain
    data_addr = GetOperandValue(addr, 0)
    print("%08x: %r" % (xref.frm, decode_string(data_addr)))

# The unpacked dll also keeps a table of ten pointers to encoded strings.
addr = 0x1000f8a0
for _ in range(10):
    data_addr = Dword(addr)
    addr += 4
    print("%08x: %r" % (data_addr, decode_string(data_addr)))

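The same string scheme the IDA script decodes, as an added stand-alone example (not part of the original post) for use outside IDA, e.g. on bytes carved from a memory dump. It reuses the LCG constants and header layout from the script and adds an encoder so the decoder can be checked without a sample; the two demo strings are taken from the decoded strings shown above, and the seeds and the trailing-NUL handling are assumptions for illustration.

```python
import struct

LCG_MUL, LCG_INC = 0x41C64E6D, 0x3039    # the constants in the IDA script's PRNG()


def prng(state):
    """One step of the 32-bit LCG that keys every byte."""
    return (state * LCG_MUL + LCG_INC) & 0xFFFFFFFF


def decode_string(blob, offset=0):
    """Decode one encoded string starting at blob[offset].
    Layout (as in the IDA script): u32 seed, u32 xor value, then `length` bytes where
    length = (seed ^ xor value) >> 16. Each byte is recovered by subtracting the low
    byte of the advanced LCG state. Returns (decoded bytes, offset after the string)."""
    seed, xork = struct.unpack_from("<II", blob, offset)
    length = (seed ^ xork) >> 16
    pos = offset + 8
    out = bytearray()
    for i in range(length):
        seed = prng(seed)
        out.append((blob[pos + i] - (seed & 0xFF)) & 0xFF)
    return bytes(out), pos + length


def encode_string(plain, seed, low16=0):
    """Inverse of decode_string, so test data can be built without a sample. The low
    16 bits of seed ^ xor value are ignored by the decoder; `low16` fills them."""
    xork = seed ^ ((len(plain) << 16) | (low16 & 0xFFFF))
    state, body = seed, bytearray()
    for b in plain:
        state = prng(state)
        body.append((b + (state & 0xFF)) & 0xFF)
    return struct.pack("<II", seed, xork) + bytes(body)


def decode_all(blob):
    """Walk a region of back-to-back encoded strings and return them decoded, with
    the trailing NUL pair the IDA script checks for stripped where present."""
    results, offset = [], 0
    while offset + 8 <= len(blob):
        s, offset = decode_string(blob, offset)
        if s.endswith(b"\x00\x00"):
            s = s[:-2]
        results.append(s)
    return results


# Constructed demo region: two of the loader strings, encoded with arbitrary seeds.
DEMO_REGION = (encode_string(b"GET /?id=%0.8X00%0.4X\x00\x00", 0xDEADBEEF)
               + encode_string(b"Host: %s\x00\x00", 0x1337C0DE, low16=0x4242))


if __name__ == "__main__":
    for s in decode_all(DEMO_REGION):
        print(repr(s))
```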


-- Jason Reaves, Threat Researcher

Part 2: Bolster Defenses to Prepare for Ransomware Attacks

Thursday, March 31, 2016

As criminals continue their relentless ransomware attacks on healthcare providers, organizations are asking how to prepare and minimize the impact of an attack.

What can an organization do to bolster their defenses? Prepare! We advise the following strategy to handle a ransomware incident:

1. Assess your current capabilities focusing on your users’ awareness posture and data security. This involves a risk assessment that looks at systems and employees. Companies also need to test email phishing vulnerabilities and safe browsing habits (e.g., social engineering). Deploy safe browser configurations and test your company’s ability to respond to an incident. It is one thing to have a plan and another to execute the plan successfully.

2. Consider implementing session-based network detection tools that can detect, analyze and block exploit kit (EK) activity. As exploit kits deliver ransomware (TeslaCrypt, etc.) to your network, you may be able to block the EK and see the encryption keys exchanged before your data is encrypted. You may also detect shifts in infrastructure, which should trigger an alert. Be proactive to avoid putting your entire infrastructure at risk.

3. Develop a Disaster Recovery and Business Continuity (DRBC) plan and consider purchasing cyber insurance to transfer risk. Insurance companies are adjusting coverage based on a company’s security profile and response plans. For example, Ironshore offers full policy limits for both network and data extortion. “But if the applicant doesn't have a DRBC plan in place, then we will cap the limit to $1 million,” says Kurt Suhs, vice president, Ironshore.

4. Finally, if you are hit with ransomware, turn to outside counsel and forensics firms for help. They can negotiate and pay ransom fees if needed without the victim having to set up a Bitcoin wallet. They can manage company fallout and repair brand reputation. Organizations may also need assistance in recovering data from backups, volume snapshots or restore points.

A solid DRBC plan and experienced cybersecurity partners are critical to keeping networks and information secure. Learn how we can help your organization with proactive and compromise assessments, and incident response.


-- Barnaby Page

Part 1: Pay Up, It’s a Hostile Hospital Takeover!

Thursday, March 31, 2016

Ransomware attacks targeting the healthcare community are sending shockwaves through the industry. In late March, Washington DC-based MedStar Health became the latest in a series of providers to fall victim to ransomware.

The impact of a network-wide ransomware attack grinds operations to a standstill. Patient care is often at stake. In the wake of the MedStar attack, staff scrambled to provide services without access to emails and electronic patient records. It is not very surprising that Hollywood Presbyterian Medical Center in Los Angeles paid the perpetrators $17,000 in Bitcoin to regain access to their files after the February ransomware attack.

With these attacks, we're seeing new attack strategies come into play. Ransomware, once a scourge largely against individuals, is now hitting companies and critical infrastructure where it hurts. These attacks demonstrate that data is becoming the new human ransom as criminals seek to cripple organizations by encrypting files with a key whose decryption counterpart is known only to the attacker and sold back at a high price.

When criminals target critical infrastructure, ransomware crosses an especially serious line, according to one of our partners who is a leading expert in cybersecurity law. “This case [the Hollywood Presbyterian incident] is an example of how cyber can impact the physical world – here, [it affects] the provision of medical services as some patients were diverted to other facilities,” says Tony Kim, global co-chair of cybersecurity at Orrick, Herrington & Sutcliffe LLP, a leading global law firm. “We’ve seen similar dynamics in relation to hacked vehicles, power grids, and other critical services.”

Criminals are also getting more aggressive in their attacks and demanding higher ransom payments, according to a partner who is a top expert on cyberinsurance. “Cyber extortion and ransomware are, without question, on the rise,” shares Toby Merrill, senior vice president, global cyber practice leader for Chubb, the world’s largest publicly traded property and casualty insurer. “A concerning aspect is that the demand values are increasing exponentially. What used to be a few thousand dollars with commoditized ransomware is turning into larger cyber extortion events."

The Hollywood Presbyterian hospital ransom was particularly vicious in that the criminals initially sought an extremely high payment of $3.4 million. The final amount negotiated, $17,000, was substantially less. Is this a new approach in which the extortionist expects the victim to negotiate, as with human ransoms? Start with an outrageous sum and settle for less? Even the settled figure is much higher than the average ransomware payout. Will we see future ransomware victims adopt this practice of negotiating settlements, and attackers price their demands to extract maximum value from the payer?

Hospitals and companies can manage and minimize ransomware risk if they are prepared. These organizations must be as aggressive and flexible as the attackers to avoid hostile takeover of their networks, proprietary data and user information. Stay tuned for our next blog post on actionable steps organizations can take to guard against ransomware attacks. 

-- Barnaby Page

Strengthen Your Defenses against DDoS Cyber Extortion

Tuesday, January 19, 2016

This month, a multi-national law enforcement team led by Europol arrested a key player believed to be behind the 2015 distributed denial of service (DDoS) extortion attacks by the criminal gang DD4BC (short for Distributed Denial of Service for Bitcoin). The gang formed in 2014 by targeting online gambling interests, and more recently expanded operations to another lucrative target -- financial institutions.

The attack unfolded as DD4BC homed in on a target and launched a DDoS attack in the 25-35 Gbps range. The victim then received a “ransom note” demanding 30 to 40 bitcoins (about $13,000 to $17,000 at the time) as insurance against a second, stronger attack, as detailed in this threat intelligence report.

While the arrest of the threat actors behind DD4BC is good news, DDoS extortion will continue for as long as targeted organizations keep paying. Yet previous extortion attempts give few reasons to pay up: the threatened larger secondary attack rarely materializes, and paying an attacker can actually invite further attacks. In 2015, Switzerland-based ProtonMail paid a ransom during a DDoS extortion attack and went public with its decision. The result? Other DDoS attackers zeroed in and demanded payoffs of their own.

Fortunately, most organizations can defend themselves against DDoS attacks using the following guidelines. First, institute strict access control lists (ACLs) on external network-facing devices to keep all out-of-profile traffic off servers. For example, on a web server, permit only TCP port 80 and/or 443 and drop everything else, and aggressively time out “half-open” connections, which SYN floods use to fill up connection tables. High-risk organizations should also over-provision their network bandwidth to better absorb the brunt of an inbound DDoS attack.

Most importantly, set up robust monitoring that identifies these attack types and patterns in the early stages of an attack, and arrange in advance for the upstream ISP to place mitigations on its connected devices to protect your network. Commercial DDoS products are an option, but the proactive steps above already go a long way toward minimizing the impact of these attacks.
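Two checks a practitioner could run to catch these patterns early, as an added example that is not Fidelis code: a volumetric spike detector for the 25-35 Gbps class of flood described above, and a per-source count of half-open (SYN-RECV) connections from `ss -tan` output, which is the condition the aggressive time-outs in the ACL guidance are meant to bound. The per-second counters, the `ss` output and every threshold are constructed or assumed; tune them against your own baseline before relying on them.

```python
"""Early-warning checks for the two DDoS patterns discussed above: a volumetric
spike of the 25-35 Gbps class and connection-table exhaustion by half-open TCP
connections. Added example, not Fidelis code; the counters and the `ss -tan`
output are constructed, and every threshold is an assumption to tune per site."""
from __future__ import annotations

from collections import Counter
from statistics import median

# Constructed per-second inbound counters (second, bytes, packets) as a flow
# exporter or edge router would report them: ~1 Gbps baseline, then a ~31 Gbps
# flood beginning at second 4.
FLOW_SAMPLES = [
    (0, 125_000_000, 110_000),
    (1, 130_000_000, 115_000),
    (2, 120_000_000, 108_000),
    (3, 128_000_000, 112_000),
    (4, 3_900_000_000, 4_100_000),
    (5, 4_200_000_000, 4_400_000),
]

# Constructed `ss -tan` output: one peer holding six half-open connections.
SS_OUTPUT = """\
State      Recv-Q Send-Q Local Address:Port    Peer Address:Port
SYN-RECV   0      0      203.0.113.10:443      198.51.100.7:51234
SYN-RECV   0      0      203.0.113.10:443      198.51.100.7:51235
SYN-RECV   0      0      203.0.113.10:443      198.51.100.7:51236
SYN-RECV   0      0      203.0.113.10:443      198.51.100.7:51237
SYN-RECV   0      0      203.0.113.10:443      198.51.100.7:51238
SYN-RECV   0      0      203.0.113.10:443      198.51.100.7:51239
SYN-RECV   0      0      203.0.113.10:443      192.0.2.5:40001
ESTAB      0      0      203.0.113.10:443      192.0.2.9:40002
ESTAB      0      0      203.0.113.10:80       192.0.2.12:40003
"""


def gbps(byte_count: int) -> float:
    """Bytes observed in one second -> gigabits per second."""
    return byte_count * 8 / 1e9


def volumetric_alerts(samples, baseline_seconds=3, spike_factor=5.0, floor_gbps=2.0):
    """Flag any second whose inbound rate exceeds spike_factor x the rolling median
    of the preceding clean seconds, subject to an absolute floor so a quiet link
    cannot alert on noise. Returns (second, rate_gbps, baseline_gbps) tuples."""
    alerts, history = [], []
    for second, nbytes, _packets in samples:
        rate = gbps(nbytes)
        if len(history) >= baseline_seconds:
            base = median(history[-baseline_seconds:])
            if rate > max(spike_factor * base, floor_gbps):
                alerts.append((second, round(rate, 1), round(base, 1)))
                continue  # keep attack seconds out of the baseline
        history.append(rate)
    return alerts


def half_open_offenders(ss_output: str, per_source_threshold: int = 5):
    """Count SYN-RECV (half-open) connections per peer address in `ss -tan`
    output and return the peers at or above the threshold, busiest first.
    IPv4 peers only (assumption of the constructed sample)."""
    per_source = Counter()
    for line in ss_output.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 5 or fields[0] != "SYN-RECV":
            continue
        peer_ip = fields[4].rsplit(":", 1)[0]
        per_source[peer_ip] += 1
    return [(ip, n) for ip, n in per_source.most_common()
            if n >= per_source_threshold]


if __name__ == "__main__":
    for second, rate, base in volumetric_alerts(FLOW_SAMPLES):
        print(f"t={second}s inbound {rate} Gbps vs baseline {base} Gbps: notify upstream ISP")
    for ip, n in half_open_offenders(SS_OUTPUT):
        print(f"{ip}: {n} half-open connections: drop or rate-limit at the edge ACL")
```

The volumetric check deliberately excludes alerting seconds from the baseline window; otherwise a sustained flood would raise the median and silence itself within a few seconds. The half-open count is the same figure a SYN-cookie or short SYN-RECV timeout keeps low on the server, so a rising number per source is an early sign that the timeout guidance above is not yet in place.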

While the exact number of victims targeted by DD4BC is unknown, best estimates place it in the thousands. Collecting and sharing information with law enforcement is crucial, yet many organizations fail to report extortion attacks. To assist law enforcement, organizations should provide several key pieces of information to law enforcement and/or their security vendors: the threatening e-mail preserved with full headers, the timestamps of the attack together with the victim’s IP, the size of the attack, and a profile of the type of DDoS attack (with packet captures if possible). Collection should not be limited to these items; basically any data that can be shared helps in tracing these attacks to their originator and bringing cyber criminals to justice.

-- John Bambenek

Top Cybersecurity Trends to Watch in 2016

Wednesday, January 6, 2016

Major data breaches exploded in 2015 as hacktivists, cybercriminals and nation states set their sights on stealing troves of sensitive information and proprietary data. Evolving malware, as we saw with AlienSpy RAT reemerging as JSocket RAT, kept cybersecurity professionals on the lookout and vigilant throughout the year. Cyber legislation rose up the agenda as lawmakers tackled encryption and access issues. As we look forward, Fidelis Cybersecurity CSO Justin Harvey shares his thoughts on the top security trends and advanced threats to hit in 2016.

Expect organizations to embrace encryption: The extent to which data threats should be considered real – or can be dismissed as hype – will largely depend on the security precautions taken by enterprises. At an absolute minimum, data must be encrypted both at rest and in transit. Recent incidents, such as the TalkTalk breach in the United Kingdom, demonstrate how storing data unencrypted turns an intrusion into a full exposure of that data.

Prepare to shore up the endpoint: The network perimeter is rapidly disappearing – as phones, tablets and cloud computing replace traditional PCs and on-premise servers. Bring-your-own-device policies and the ubiquity of cloud services move files over encrypted channels between users and cloud providers, increasingly hidden from IT – creating security gaps that are ripe for attack. In 2016, enterprises must evaluate their cloud service policies, monitoring strategies, and endpoint detection and response capabilities. They will continue to improve how they classify the sensitivity of their information, better understand where it resides within the network, and secure and monitor all endpoints.

Expect increased cyber-related legislation. We watched lawmakers rush to enact legislation around the classification of sensitive data, sharing of cyber threat intelligence, consumer privacy issues, and breach notification. We’ll continue to see encryption topics making political headlines. Expect ongoing interest by both federal and state/local authorities to obtain back doors into devices and user communications.

The data broker industry will face greater scrutiny. Just a few years ago, a typical data broker collected an average of 40 data points per consumer. Today, these companies gather up to 1,500 data points. Expect a push toward a data broker governance law as well.

Anticipate discussions around the vulnerability of the Internet of Things: Manufacturers are jumping on the IoT craze by introducing both new and traditional products – from toys to lightbulbs to home sensors – with a connected twist. These new IP-equipped products make it possible to send telemetry data to the owner, back to the vendor, and even receive remote commands – a disturbing concept should access fall into the wrong hands.

The burgeoning IoT market and mainstream adoption of connected technologies represent large security risks because most homes lack appropriate protection levels. Many new IP-enabled products cannot be secured at all, leaving them vulnerable to a variety of attacks (denial of service, exposed latent vulnerabilities, etc.). IoT devices and internet-enabled automobiles pose potential risks of bodily harm, as seen with the remote compromise of a Jeep Cherokee demonstrated in 2015.

Brace for bigger, badder breaches. Enterprises capture and retain data at levels unfathomable just a generation ago – making them an attractive target for cyberattacks. In 2015, we witnessed organized crime syndicates and nation states hit federal, retail, healthcare, and financial services companies, grabbing sensitive data on millions of people. Look for more large-scale attacks to continue -- resulting in higher losses of personal and proprietary information.

Attacks will focus on both the public and private sector. Cyber criminals will set their sights high, zeroing in on industries that hold vast amounts of valuable company and consumer data. Global corporations and governments – especially those involved in defense interests – will be in the crosshairs of state-sponsored espionage actors. Expect additional breaches designed to embarrass or enact retribution, as we saw with the Ashley Madison breach.


The Many Paths to Angler

Wednesday, December 23, 2015

Over the past few months, we have seen Angler Exploit Kit activity increase across our observed telemetry. In some instances, Angler EK relies on redirects (also known as “gates”) to funnel victim traffic to its landing pages. In others, Angler EK does not use redirect techniques but instead sends victims directly from a compromised site to the landing page. 

Redirects are URLs or specifically crafted websites that forward victims to the Angler EK landing page. They could provide Angler EK operators the functionality to:

  • Obscure the source compromised site
  • Prevent more than one redirect from a single IP
  • Target specific regions
  • Make automated analysis and tracking more difficult

There are four redirect methods in active use today. Most of these methods have been discussed in varying detail elsewhere. In this post, we will consolidate the knowledge and share additional details of each method used. And because Angler continues to send victims directly from a compromised site to landing pages, we will also explore that infection path and provide recent landing page IPs.

Angler Exploit Kit Activity

Angler EK activity decreased in October (hat-tip to Cisco) but rebounded in November based on our telemetry.

Figure 1: Observed Angler landing page detections by month

EITest Redirect

Status: Active as of December 2015

Current IP(s):

  • 31.184.192[.]206
  • 31.184.192[.]197
  • 31.184.192[.]216
  • 31.184.192[.]202
  • 85.93.0[.]32

URL Format: /page.php?id=4646BCDD83AB2C1F3AAE14BA34C1622E0EB31BE3B5E1632E19710D

Example of code on compromised site:

Figure 2: EITest redirect method compromised site code example

Called “EITest” by Malwarebytes because of the static id value in the HTML, this redirect method uses an Adobe Flash file to filter victims on certain criteria. If the criteria are met, the victim is redirected to the Angler EK landing page.

The obfuscation routine embedded in the Flash file we recently analyzed (MD5 354206353ee3d4e7b279bc66a0727bcf) differs from the one seen in 2014. However, the criterion for redirection to Angler EK (browser version) remains the same.

Below is the obfuscated ActionScript as well as the decoded iframe output.


Figure 3: Obfuscated ActionScript embedded in flash file

Figure 4: Deobfuscated ActionScript embedded iframe

As shown, if the criteria checked within the Flash file are met, the victim is redirected to the Angler EK landing page.


Figure 5: Redirect to Angler Exploit Kit

This method relies heavily on the use of non-standard TLDs:

Figure 6: Observed TLDs associated with this method in use since October 2015


Shadowed Redirect

Status: Active as of December 2015

Current IP(s):

  • 85.143.220[.]153
  • 85.143.217[.]31
  • 85.143.219[.]167
  • 85.143.220[.]95
  • 85.143.216[.]253
  • 85.143.220[.]44
  • 85.143.220[.]18
  • 85.143.219[.]200
  • 85.143.220[.]109
  • 85.143.217[.]50
  • 85.143.219[.]77
  • 85.143.219[.]65
  • 85.143.219[.]232
  • 85.143.219[.]163
  • 178.33.200[.]161
  • 188.227.74[.]75
  • 188.227.19[.]86
  • 85.143.217[.]191
  • 212.116.121[.]51
  • 188.227.72[.]137

URL Format: attendance.workforthis[.]com/law/lang.js

Example code on compromised site:


Figure 7: Shadowed Redirect method compromised site code example

As discussed here, this method relies on an initial iframe on the compromised site to send the victim to an intermediary redirect server. Depending on a variety of circumstances, that server responds with one of three things: HTTP 200 with no content, HTTP 200 with an iframe redirecting to the Angler EK landing page, or HTTP 404 “Not Found”.


Figure 8: Response if criteria not met for landing page redirect

If the client request meets the redirect criteria, the victim is redirected to the Angler EK landing page.


Figure 9: Angler Exploit Kit landing page redirect


Dynamic DNS Redirect

Status: Active as of December 2015

Current IP(s): 46.161.2[.]73

URL Format: /wordpress/?bf7N&utm_source=le

Example code on compromised site:


Figure 10: Dynamic DNS redirect method compromised site code example

This method relies on an iframe on the compromised host pointing to a dynamic DNS resource. This resource will then send the victim to the Angler EK landing page or respond with a 404 Not Found. Here are a few of the recent domains we’ve seen using this redirect method:

gffpkdhftg.ddnsking[.]com uftbacu.ddnsking[.]com dvusepghqm.ddnsking[.]com
npmmeiuxek.ddnsking[.]com odlbzv.ddnsking[.]com skuuiz.ddnsking[.]com
bgfnloc.ddnsking[.]com koiwjesyz.hopto[.]org naagdoisa.hopto[.]org
onndutoiys.hopto[.]org bfevqjozap.ddnsking[.]com bmlarlfqco.ddnsking[.]com
fevxeta.hopto[.]org fobrsvvqz.ddnsking[.]com mbpskt.ddnsking[.]com
mpfpgjf.ddnsking[.]com oscvkeqg.ddnsking[.]com sagchixhv.hopto[.]org
xebxaidld.hopto[.]org dngtejhj.ddnsking[.]com dosluaxap.hopto[.]org
glxpljmuv.ddnsking[.]com iyzxwcki.ddnsking[.]com krxolxmi.ddnsking[.]com
orahwg.ddnsking[.]com oubboyft.ddnsking[.]com pimdzgov.hopto[.]org
ynftos.hopto[.]org fhouwwwp.hopto[.]org phwanzr.hopto[.]org
qrkehvc.ddnsking[.]com szwpcp.ddnsking[.]com wchszwypr.hopto[.]org
ykdvjvsrb.ddnsking[.]com yskivegvvb.ddnsking[.]com  

Figure 11: Dynamic DNS domain example


301/302 Location Redirect

Status: Active as of December 2015

Current IP(s): 185.104.8[.]50

URL Format: Various. This method uses an HTTP 301 or 302 response with the Location header to send the victim to the Angler EK landing page. Below is an example of the request and the 302 Found response carrying the Angler EK URL in its Location header.


Figure 12: GET request and HTTP server response with Angler Exploit Kit landing page


Angler Exploit Kit Landing Page

Status: Active as of December 2015

Current IP(s): Various; see IOCs below

URL Format:

  • /civis/search.php?keywords=90qs9&fid0=6m.tm0x360w12
  • /civis/index.php?PHPSESSID=7o&action=0x7.012g1815k447rr05
  • /civis/search.php?keywords=36ez&fid0=0meicaot4b4jolntuyg8apov2p0wmvi95c5jasm2nob3z6bfh1s-zstibz1176ecs1tg3c5hey7va464mwmt05_sgl2txuo5
  • /forums/viewtopic.php?t=833l4&f=st41.285w9309da15577


In this path, victims are sent to Angler EK landing pages directly from compromised sites. In some cases, the iframe sits on the main page of the compromised site. In others, the main page refers to other resources on the same site that eventually lead to Angler EK, as shown below.


Figure 13: The main page of a compromised site pointing to the local “stats” resource


Figure 14: The “stats” resource with iframe to the local “/1/” subdirectory


Figure 15: /1/ directing victims to the Angler Exploit Kit landing page

The recent list of IPs hosting Angler EK landing pages for November and December is available for download to aid analysts in detecting related activity.
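To turn the four redirect methods and the landing-page URL format above into something that runs over captured HTTP transactions, here is an added example, not Fidelis code or its published signatures, that labels each transaction with the Angler path it matches. The IP sets are copied from the lists in this post; the URL heuristics (the EITest `/page.php?id=<hex>` shape and the two-parameter phpBB-style landing paths whose values mix letters and digits) are assumptions generalised from the handful of examples quoted here, and the transactions, hostnames such as `landing.example`, and any IPs not listed above are constructed.

```python
"""Classify captured HTTP transactions against the Angler redirect paths and the
landing-page URL format described in this post. Added example, not Fidelis code:
IP sets come from the post, URL heuristics are assumptions generalised from its
examples, and the transactions below are constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from urllib.parse import parse_qsl, urlsplit

# Infrastructure quoted in the post (defanging brackets removed for matching).
EITEST_IPS = {"31.184.192.206", "31.184.192.197", "31.184.192.216",
              "31.184.192.202", "85.93.0.32"}
SHADOWED_IPS = {"85.143.220.153", "85.143.217.31", "85.143.219.167",
                "178.33.200.161", "188.227.74.75"}  # subset of the list above
DDNS_SUFFIXES = (".ddnsking.com", ".hopto.org")   # dynamic DNS providers seen

# Assumption: EITest gate URLs look like /page.php?id=<long upper-case hex>.
EITEST_RE = re.compile(r"^/page\.php\?id=[0-9A-F]{40,}$")
# Assumption: landing pages reuse these phpBB-style paths with exactly two
# parameters whose values both mix letters and digits (keywords=90qs9&fid0=6m.tm0x360w12).
LANDING_PATHS = {"/civis/search.php", "/civis/index.php", "/forums/viewtopic.php"}
IFRAME_SRC_RE = re.compile(r"<iframe[^>]*\ssrc=[\"']?(?P<src>[^\"'\s>]+)", re.I)


@dataclass
class Transaction:
    url: str                      # full request URL
    dst_ip: str                   # server the request was sent to
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


def _split(url: str) -> tuple[str, str, str]:
    parts = urlsplit(url)
    return (parts.hostname or "").lower(), parts.path, parts.query


def looks_like_landing(path: str, query: str) -> bool:
    """Landing-page heuristic. A genuine forum URL such as
    /forums/viewtopic.php?t=12&f=3 has purely numeric values and is not matched."""
    if path not in LANDING_PATHS:
        return False
    params = parse_qsl(query, keep_blank_values=True)
    if len(params) != 2:
        return False
    return all(re.search(r"[A-Za-z]", v) and re.search(r"\d", v) for _, v in params)


def classify(tx: Transaction) -> list[str]:
    """Return every redirect/landing label the transaction matches, in check order."""
    labels = []
    host, path, query = _split(tx.url)
    path_q = f"{path}?{query}" if query else path

    if EITEST_RE.match(path_q) or tx.dst_ip in EITEST_IPS:
        labels.append("eitest-redirect")
    if tx.dst_ip in SHADOWED_IPS:
        labels.append("shadowed-redirect")
    if host.endswith(DDNS_SUFFIXES):
        labels.append("dynamic-dns-redirect")
    if tx.status in (301, 302):            # Location-header redirect method
        _, lpath, lquery = _split(tx.headers.get("Location", ""))
        if looks_like_landing(lpath, lquery):
            labels.append("location-redirect-to-angler")
    if tx.status == 200:                   # compromised-site or gate response body
        for m in IFRAME_SRC_RE.finditer(tx.body):
            ihost, ipath, iquery = _split(m.group("src"))
            if looks_like_landing(ipath, iquery):
                labels.append("iframe-to-angler")
            elif ihost.endswith(DDNS_SUFFIXES):
                labels.append("iframe-to-dynamic-dns")
    if looks_like_landing(path, query):
        labels.append("angler-landing-page")
    return labels


# Constructed transactions walking each path described in the post.
SAMPLES = [
    Transaction("http://compromised.example/index.html", "203.0.113.10", 200,
                body='<html><iframe src="http://koiwjesyz.hopto.org/wordpress/?bf7N&utm_source=le" '
                     'width="1" height="1"></iframe></html>'),
    Transaction("http://koiwjesyz.hopto.org/wordpress/?bf7N&utm_source=le", "46.161.2.73", 404),
    Transaction("http://attendance.workforthis.com/law/lang.js", "85.143.220.153", 200,
                body='<iframe src="http://landing.example/civis/index.php?PHPSESSID=7o'
                     '&action=0x7.012g1815k447rr05"></iframe>'),
    Transaction("http://gate.example/go", "185.104.8.50", 302,
                headers={"Location": "http://landing.example/civis/search.php?keywords=90qs9&fid0=6m.tm0x360w12"}),
    Transaction("http://landing.example/civis/search.php?keywords=90qs9&fid0=6m.tm0x360w12",
                "198.51.100.20", 200, body="<html>...</html>"),
    Transaction("http://ads.example/page.php?id=4646BCDD83AB2C1F3AAE14BA34C1622E0EB31BE3B5E1632E19710D",
                "31.184.192.206", 200, body="<object type='application/x-shockwave-flash'></object>"),
    Transaction("http://www.example.com/forums/viewtopic.php?t=12&f=3", "198.51.100.30", 200),
]

if __name__ == "__main__":
    for tx in SAMPLES:
        print(f"{tx.status} {tx.url} -> {classify(tx) or ['clean']}")
```

The labels are deliberately per-transaction rather than per-session: the compromised page, the gate response and the landing-page request usually arrive as three separate flows, and correlating them by client IP and time is the job of the analytics layer rather than this classifier. The landing-page check is the one most likely to need tuning, since the paths are ordinary phpBB names and only the garbage parameter values distinguish them.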

Angler Exploit Kit remains one of the most active exploit kits in use. Security analysts can improve their detection rate by combining network, analytic, and endpoint response platforms to stay ahead of this fast-moving threat.

Fidelis Cybersecurity’s products detect the activity documented in this paper. Additional technical indicators are published to the Fidelis Cybersecurity github.

- The Fidelis Threat Research Team