Gabriel Bergel

Infosec Rockstar, ISC2 Board of Directors, 8dot8 Co Founder, ElevenPaths CSA, CCI Coordinator, host of the #8punto8 radio program of RadioDemente.cl
Cyber Security
Mobile Malware, part of the Generation Z
Generation Z, or the "post-Millennials", is the demographic group born between 1994 and 2010; mobile malware was born in 2004 with Cabir, the first virus to affect Symbian Series 60 phones. At the time Nokia was the market leader in mobile phones, and this malware spread from phone to phone over Bluetooth using the OBEX object-push protocol. I personally believe that mobile malware was born deliberately with a criminal objective, focused on obtaining money illegally, unlike computer malware, which is considered to have links to the old school and in particular to electronic disobedience, digital revolution, fame or peer recognition.

Mobile Malware History

Once this first malware, known as Cabir, was "released", it only took a year for virus developers to adapt their malicious techniques to mobile, and progress was very rapid:
- 2005: the first trojan.
- 2006: the first data theft.
- 2008: the first fake antivirus. This marked the beginning of what is still the main vector of compromise: fake applications.
- From 2012 onwards: mobiles start to be used for cyber-espionage and Android becomes the main target for malware.
- 2013: 98.1% of mobile malware already targeted Android.

In this area, in 2020 an interesting Android botnet called Terracotta, hosted (of course) on Google Play, generated fraudulent ad traffic in a way that was peculiar in both its tactics and its techniques: in June alone it produced 2 billion fake ad requests from 65,000 infected phones. For more on what happened in 2020, see the 2020 H2 State of Security Report. Also in 2020 we learned what happened to Jeff Bezos via WhatsApp on his mobile phone: a simple message carrying a malicious file with a RAT was enough to compromise the device.

Figure 1: infographic, history of mobile malware

Mobile Security, the Big Challenge

Today the mobile phone is the most used, most popular and "most important" technological device in our lives, even more so in pandemic times. However, there is still little awareness when it comes to installing applications, sharing information, connecting to public Wi-Fi networks, and so on. Furthermore, mobile spying applications or services such as FlexiSpy are still marketed completely openly. There is therefore a great challenge and responsibility that demands people's attention. At this point you may be wondering: what is the main vector that could compromise the security of your mobile phone? The answer is the applications you install, as Figure 2 shows.

Figure 2: infographic, main vector used (Source: Pradeo)

Main Types of Mobile Malware
- Adware: malware that automatically delivers unwanted or misleading ads (on websites, in applications, as pop-ups) to generate profit for its authors, or worse.
- RAT (Remote Administration Tool): a tool for remote administration that is also used for illegitimate purposes, which is why the acronym is now also read as Remote Access Trojan.
- Spyware: malware that collects information and transfers it to an external entity without the owner's knowledge or consent.
- Trojans: malicious software that presents itself as a seemingly legitimate and harmless application but performs its malicious action when executed. They are usually hidden.

Mobile Security Recommendations
- Do not jailbreak or root the phone.
- Avoid installing third-party applications (validate sources).
- Block the installation of programs from unknown sources.
- Check the list of installed applications to find out whether suspicious programs have been installed without your consent.
- Install an antivirus and/or antimalware.
- Do not click on or download files from masked or unknown links sent by strangers.
- Beware of phishing, smishing, phishing on social networks, etc.
- Read the terms and conditions as if you were a lawyer before accepting them, and stop the download if anything looks like permission to load adware.
- Perform security scans and keep the system and applications up to date.
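As an added example (not code from the original post or from ElevenPaths), the following Python script turns the "check the list of applications" and "unknown sources" recommendations into a repeatable check for an Android phone: it parses the output of `adb shell pm list packages -3 -i` and flags third-party packages that did not come from a trusted store. The trusted-store list and the sample output are assumptions constructed for the example, and the line format assumed is `package:<name>  installer=<installer>`.

```python
"""Triage of Android app install sources from `adb shell pm list packages -3 -i` output.

Added example for this page; not code from the original post or from ElevenPaths.
Assumption: each line of `pm list packages -i` has the form
    package:<name>  installer=<installer package or null>
"""
import re
import sys
from typing import Dict, List

# Installers treated as trusted app stores. Assumption: extend with the store(s)
# your fleet actually uses. The system package installer is deliberately NOT
# listed, because it is what a manual APK install (a sideload) goes through.
TRUSTED_INSTALLERS = {
    "com.android.vending",              # Google Play Store
    "com.sec.android.app.samsungapps",  # Samsung Galaxy Store (assumption)
}

LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<installer>\S+)\s*$")


def parse_pm_list(output: str) -> Dict[str, str]:
    """Map package name -> installer package ('null' when no installer is recorded)."""
    packages: Dict[str, str] = {}
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            packages[m.group("pkg")] = m.group("installer")
    return packages


def find_sideloaded(packages: Dict[str, str],
                    trusted: set = TRUSTED_INSTALLERS) -> List[Dict[str, str]]:
    """Return the packages that did not come from a trusted store, with a reason."""
    findings = []
    for pkg, installer in sorted(packages.items()):
        if installer in trusted:
            continue
        if installer == "null":
            reason = "no installer recorded (adb install or manual APK)"
        else:
            reason = f"installed by {installer}, not a trusted store"
        findings.append({"package": pkg, "installer": installer, "reason": reason})
    return findings


# Constructed sample output for a stand-alone run (not captured from a real device).
SAMPLE_PM_OUTPUT = """\
package:com.whatsapp  installer=com.android.vending
package:com.example.flashlightpro  installer=null
package:org.example.fakebank  installer=com.google.android.packageinstaller
package:com.sec.android.easyMover  installer=com.sec.android.app.samsungapps
"""


def main() -> None:
    # Usage: adb shell pm list packages -3 -i > pkgs.txt && python3 triage.py pkgs.txt
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PM_OUTPUT
    findings = find_sideloaded(parse_pm_list(text))
    if not findings:
        print("No sideloaded third-party packages found.")
    for f in findings:
        print(f"REVIEW {f['package']}: {f['reason']}")


if __name__ == "__main__":
    main()
```

Run it against a real device with `adb shell pm list packages -3 -i > pkgs.txt` and then `python3 triage.py pkgs.txt`. Since Android 8 the "unknown sources" setting is no longer a single global switch but a per-app permission (REQUEST_INSTALL_PACKAGES), so a package whose installer is the system package installer, or `null`, is exactly the kind of install the recommendations above warn about.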
If you also like to research and analyse malware, I recommend our CARMA platform, a free service provided by our Innovation and Lab area. It offers free sets of samples of malware, adware and other potentially dangerous files collected for the Android operating system. These samples may be used exclusively for research or academic purposes; their use for any other purpose is strictly prohibited. The sets are intended to provide quality samples for analysis with Machine Learning, Artificial Intelligence or any other method that improves future detection of these types of threats.
April 22, 2021
Cyber Security
Ransomware in a Pandemic, or a Ransomware Pandemic?
No one imagined what could happen in the field of cyber security during the Covid-19 pandemic. Perhaps some colleagues were visionary, or others were simply guided by the statistics of recent years on incidents and security breaches, which have been increasing steadily. I hope everyone understands that nobody is free from a cyber incident nowadays.

A Little Bit of History

The beginnings of ransomware do not date back to the 2000s, as most people believe. As early as December 1989, before the first website had even been created, 20,000 5¼-inch diskettes were sent from London to companies in the UK and abroad, to subscribers of PC Business World magazine and to participants at an AIDS conference organised by the World Health Organisation. The sticker on these diskettes read "AIDS Information Introductory Diskette", and they claimed to come from the PC Cyborg Corporation. It was all a deceit: the software scrambled the victim's hard drive and demanded a ransom. AIDS was also the first ransomware to spread globally, reaching over 90 countries by postal mail. 31 years later, ransomware has become an industry with incredible advances, and the Covid-19 pandemic has only accelerated the development of infection campaigns. The numbers and incidents that have occurred during the pandemic are, I would say, unprecedented. Remote working could be one of the causes, since cyber security controls are weaker at home than in the corporate environment, but mainly it has to do with our anxiety and uncertainty, which make us more "prone" to fall for a phishing operation carrying ransomware. This increase in the region has been evident in several studies since last year:

Ransomware by country. Source: Symantec

The Ransomware Business

Not long ago, ransomware was classified as an incident rather than a breach (in the terms of the Verizon DBIR), because data encryption does not necessarily involve a loss of confidentiality. That has changed: the ransomware business is no longer so much about encryption as about making money from the threat of leaking the information, and there are cases to back this up. At ElevenPaths we have been tracking the many ransomware campaigns that exist and sharing them with the community through our weekly briefings and cyber security research reports. I also talked about it a month ago, after giving many interviews about the incident at Banco Estado de Chile, allegedly caused by Sodinokibi, a ransomware whose campaigns we at ElevenPaths had already been following since January this year. Advances in ransomware development are also evident: Conti, for example, uses 32 CPU threads in parallel while encrypting a computer. Sergio de los Santos wrote a highly recommended post, "What Do Criminals in the Ransomware Industry Recommend so that Ransomware Does Not Affect You?", which may help to understand what is happening in this new era.

To sum up, the CTI League (Cyber Threat Intelligence League), a non-profit global community of volunteer emergency responders who defend and neutralise cyber threats and vulnerabilities affecting life-saving sectors during the Covid-19 pandemic, deserves recognition for its great work in helping health institutions and preventing more of them from being hit by these attacks. Just one question: what will be the next level in this battle?

Download our new guide, created in partnership with Palo Alto, to help you prepare for, plan and respond to ransomware attacks.
October 29, 2020
Cyber Security
Cybersecurity and Pandemic (II)
We continue with the second part of this article, in which we analyse the current situation in its three dimensions. Remember that in the first part we talked about the first dimension, people; now we develop the other two: cybersecurity and the pandemic.

Second Dimension: Cybersecurity

Strange as it may sound, it could be said that everything has already been hacked. If you don't believe me, check our cybersecurity research reports or the infographics from Information is Beautiful. The latest DBIR 2020 report indicated that "times do not change": credential theft, social engineering (phishing and business email compromise) and human error caused most of the security breaches in 2019 (67%). Employees working from home today could be particularly vulnerable to these attacks, so this is where prevention efforts should focus. Two further facts: three years ago there was already a cyberattack every 39 seconds, and Cybersecurity Ventures predicts that cybercrime damage will cost the world $6 trillion in 2021, compared with $3 trillion in 2015.

Why is cybercrime so popular nowadays? Because it moves a lot of money; cybercriminals are most likely earning far more than the owner of a successful, profitable company. Some figures from Digital Shadows' research:
- Illegal online markets: $860 billion
- Trade secret and intellectual property theft: $500 billion
- Data trade: $160 billion
- Crimeware / Cybercrime-as-a-Service (CaaS): $1.6 billion
- Ransomware: $1 billion

As for the cybercriminals themselves, the age range has widened and their attacks have become more advanced. I would dare to say that most cybercriminals are millennials and behave as their generation dictates: they want quick results with the minimum of resources, effort and time. As a further illustration we have kids like Kane Gamble, who in 2015, at only 15, accessed the accounts of then CIA Director John Brennan and FBI Deputy Director Mark Giuliano using social engineering. Another example is Park Jin Hyok, the alleged leader of the Lazarus group, also a millennial and one of the FBI's most wanted; many of this group's actions helped Kim Jong-un finance his nuclear arms programme.

Profile of Park Jin Hyok. Source: FBI

Third Dimension: The Pandemic

The COVID-19 pandemic, declared worldwide on 11 March 2020 because of its high contagion and lethality, is a critical health situation without precedent in the 21st century. It has forced us into quarantine or social isolation, with a series of psychological, sociological and occupational challenges such as adapting to teleworking over an extended period. We worry about the number of deaths and infections, the lack of a vaccine, and so on; we are also beginning to feel the uncertainty of a return to "normality" and the start of a global economic crisis. In short, the overall picture is not encouraging at all.

From a corporate point of view there are now more remote workers and therefore fewer IT and security staff ready to mitigate attacks and intrusions. This, together with all of the above, creates an environment conducive to cybercriminals, who exploit concern, uncertainty and stress to launch their fraud and scam campaigns. Widespread distraction and the global reach of the pandemic make the cybercriminals' job easier and raise the likelihood that their campaigns succeed. This is reflected in unprecedented figures and statistics from sources such as Google, whose transparency report showed 149,000 active phishing websites in January this year. In February that number almost doubled to 293,000, and in March it reached 522,000, three and a half times the January figure; by May there were 1,915,000 sites. Today deception, fraud and phishing by e-mail come first. There are also telephone scams in which callers pose as staff of a clinic or hospital, claim that a relative of the victim has been infected with the virus and ask for payment for the corresponding medical treatment; fake infection-map applications and apps impersonating governments or hospitals; and even sales of fake vaccines. Anyone thinking of buying medical supplies online should think twice and check very carefully that the supplier is a legal, accredited company.

Conclusions

Considering all three dimensions, cybersecurity is more necessary today than ever. We must invest in it and be concerned about the risks we are exposed to on the Internet. The picture has changed: it no longer matters whether a company is well known or attractive to cybercriminals, nor its size or sector. All companies must be aware of the risk involved in their daily work, since they handle personal data and sensitive information about employees and customers. From the CyberThreats service of the Security Cyberoperations Center (SCC) we produced a useful guide to cyber security risks and recommendations for COVID-19 that I highly recommend. For more information, follow us on social networks and visit our website and blog.
July 30, 2020
Cyber Security
Cybersecurity and Pandemic (I): People
Cybersecurity is even more important in these times of pandemic and increasing cyberattacks, yes, but besides being a business focus at the corporate level it must also be an integral part of our lives. At the beginning of this year we summarised this in an ElevenPaths Radio podcast (in Spanish). We like to analyse the current situation in three dimensions (people, cybersecurity and pandemic). Focusing on the people dimension, in this post we talk about nomophobia, phubbing, IAD and FOMO.

First Dimension: People

Today smartphones have become the most important electronic devices in our lives, and we are completely connected. Social networks have become the de facto channel of communication and human relationships, and we make intensive use of the Internet, as the infographics published every year by Lori Lewis show. However, smartphones, social networks and the Internet have not brought only benefits: for many (depending on age and level of education) they have meant a forced and complex process of digital transformation. That is why in the digital world it is common to observe little awareness of the risks existing on the Internet and a lack of digital hygiene. For some years now we have been observing new pathologies and phobias derived from this intensive use, which we analyse below.

Nomophobia

The term comes from "No Mobile Phone Phobia": the fear of not having the phone or not being able to use it, whether for lack of battery or of signal. If you feel uncomfortable leaving your phone, nervous when you know you will lose service for a few hours, or even anxious about going without it, you may be experiencing nomophobia. Here is a very interesting piece from RTVE about it (in Spanish). This is serious, because different studies suggest that it affects more than 53% of users worldwide. There is even a 40-question test that measures the scale of dependency on and addiction to the smartphone.

Phubbing

This pathology derives from the previous one. It occurs when we are talking, in a meeting, having lunch or interacting with someone and that person stops paying attention and starts looking at their smartphone. The term is a blend of snubbing + phone and was coined during an advertising campaign run by the McCann agency for the Australian dictionary Macquarie, which asked its employees to propose a new word for this behaviour. Alex Haigh, an Australian university student who was an intern at McCann while the campaign was underway, coined the term and in 2016 created the website Stop Phubbing to stop (as he put it) future couples from losing the ability to communicate face to face and relying on status updates. On the website Haigh reported that 90% of teenagers preferred text contact to face-to-face contact and that 97% of diners said their food tasted worse when they were victims of this behaviour. Today those figures are likely to have increased.

IAD

Another, older pathology, considered the basis of the others, is IAD or "Internet Addiction Disorder". If you play online video games excessively, make compulsive online purchases, participate actively in social networks, and because of all this consider that your use of the computer and/or mobile phone interferes with your daily life and your relationships with other people, you may suffer from IAD. The disorder was described in 1995 by Ivan Goldberg. Research published by the US National Center for Biotechnology Information (NCBI) in 2012 put its prevalence in American and European cultures at a staggering 8.2% of the total population, while other reports suggested it affected up to 38% of the general population. If you think you may suffer from it, you can take this quiz created by Psycom.

FOMO

Finally, FOMO (Fear Of Missing Out) is a new anxiety that has emerged with the popularisation of smartphones and social networks. FOMO is the modern form of a typical fear: exclusion. In a way we are animals programmed to be part of a group, and today social networks play the role of physical friendships. In the real world it is easy to ignore what is happening outside our field of vision, but in the digital world we are just a click away from knowing what family, friends and acquaintances are doing at any moment.

Given these behaviours and disorders, it is somewhat clearer why people have become the main target of cybercriminals. We will continue this post in a second part, so keep an eye on our blog. In the meantime, we invite you to listen to the sixth episode of our podcast "News with our CSAs" (in Spanish) on ElevenPaths Radio.
July 23, 2020
Cyber Security
Decepticons vs. Covid-19: The Ultimate Battle
Decepticons. Those of you from Generation X will remember very well who they were: the fictional faction of self-configuring modular robotic life forms from the planet Cybertron, led by Megatron, and the main antagonists of the Transformers universes. Without realising it, we were already talking about Decepticons and self-configuring robots in the 1980s.

The Covid-19 pandemic has confined us to our homes and, therefore, forced us to work from there. The virus has changed the way we use the Internet, and web traffic has increased by 70%. From a social and psychological point of view we are all under social and emotional stress, which is quite normal in this type of situation. These circumstances are the perfect scenario for cybercriminals, who more than ever are trying to take advantage of them to get money, or something that will allow them to get it (usually information).

What Does This Have to Do with Decepticons?

Decepticons fit very well into this "new reality". Given that cybercriminals increasingly use social engineering to deceive us, especially phishing (the most prominent form of cybercrime according to the FBI's Cyber Crime Division), we must be cautious, especially now that the pandemic keeps us distracted. So, if cybercriminals use deception as their main weapon, why shouldn't we? Among all the techniques and strategies adopted in the field of cybersecurity, one of the most important is "deception". In the military field this term describes actions carried out to mislead adversaries about the capabilities, intentions and operations of one's own forces, so that they draw false conclusions. United States military doctrine uses the acronym MILDEC (MILitary DECeption), and the former Soviet and now Russian military doctrine uses the term maskirovka (Russian: маскировка), which literally means camouflage, concealment, masking.

A Few Historical Examples

There are numerous cases of this technique in conflict or war: the mythical Trojan horse used by the Achaeans to enter the fortified city of Troy; or, in World War II, the Ghost Army that deceived Adolf Hitler with an itinerant procession of tanks, cannons and planes (largely staffed by actors and artists) impersonating Allied forces near the front line, diverting attention from U.S. troops, splitting German forces and giving the Allies a tactical advantage. In an episode of the well-known Vikings television series we see Ragnar Lodbrok use a clever strategy to enter Paris: pretending to be on the verge of death and requesting a Christian burial in the cathedral. Once inside, to everyone's surprise, Ragnar comes out of his coffin and [...] what happens next is a spoiler. According to the sagas this episode actually happened, although the protagonist was not Ragnar but the future King of Norway, Harald Hardrada (Harald III).

Image 1: Harald III, King of Norway

Deception and Honeypot, Are They the Same?

In our blog we have already talked about deception, and Nikos Tsouroulas explained it very well: these approaches allow us to deploy false scenarios simulating infrastructures, assets and profiles within our organisation to misdirect an attacker towards a controlled and monitored environment, where they will face new challenges and difficulties along an attack tree designed specifically on the basis of the nature of each organisation. By doing so we lead the attacker's resources towards a false infrastructure while our real assets stay protected, and we obtain intelligence about the adversary (indicators of their C&C, tools used, capabilities, motivations, etc.).

In my last fieldwork before the pandemic I had the opportunity to work with the technology developed by our colleagues at CounterCraft (a Spanish company selected by Telefónica in 2016 for investment and support of its expansion), and I was amazed at how far this type of platform has come. A term you probably do know, and which is closely related to this approach, is "honeypot": a bait that can be used with any technology, most commonly a web server. Many open-source solutions let you deploy one at very low cost, but deception is a broader concept than a single bait.

Image 2: Honeypot

Before 2010 only a few cybersecurity companies offered deception products, but thanks to the great evolution of this type of platform I dare say there are now more than 15 deception technology providers. These solutions can be a great accelerator for detection and response teams, since any interaction with a decoy generates an alert that security departments can use to react more accurately and promptly. In the face of the new cybersecurity challenges companies are facing during this health crisis, CounterCraft has prepared specific security packages and has a portfolio of 25 ready-to-use deception campaigns: phishing, data exfiltration, SWIFT attack, lateral movement detection, etc.

Conclusions

We should not forget what Gartner said some time ago: deception is simple and economical, makes detection 12 times faster and improves dwell time by over 90%. What I like about this solution is that it combines advanced intelligence, collected by the campaigns and enriched with MITRE ATT&CK, so that you get a broad view of what, who and how is acting against the organisation. This way we obtain threat, TTP and IOC data about adversaries that can be shared immediately with cybersecurity solutions such as SIEM, SOAR, MISP or sandboxes. Ultimately, deception in cybersecurity is a way of staying proactive rather than reactive. We are trying to make this battle more symmetrical, so this time we must not only support the Autobots but also join the Decepticons.

"All warfare is based on deception." Sun Tzu

"It is not the strongest of the species that survives, nor the most intelligent that survives. It is the one that is most adaptable to change." Charles Darwin
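The "Deception and Honeypot" section above rests on one property of decoys: nobody has a legitimate reason to touch them, so any interaction is a high-fidelity alert that can be enriched with ATT&CK context and turned into IOCs for the SIEM or MISP. The following Python detector, added here as an example (it is not CounterCraft's code nor code from the original post), shows that logic over sshd authentication log lines. The decoy account names, host names and log lines are constructed for the example; the ATT&CK technique IDs are the standard ones for valid-account use and brute force.

```python
"""Decoy-account alerting over sshd auth log lines.

Added example for this page; not CounterCraft's code nor code from the original post.
Assumptions: the decoy account names below were seeded by the defender and are
never used legitimately, so any touch is a high-fidelity alert; the log lines are
constructed here in standard sshd syslog format (TEST-NET addresses).
"""
import re
from dataclasses import dataclass
from typing import List

DECOY_ACCOUNTS = {"svc_backup_admin", "oracle_dba"}  # assumption: your seeded decoys

# Matches the three sshd messages we care about:
#   Accepted password for <user> from <ip> ...
#   Failed password for [invalid user ]<user> from <ip> ...
#   Invalid user <user> from <ip> ...
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?:(?P<outcome>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+)"
    r"|Invalid user (?P<user2>\S+))"
    r" from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


@dataclass
class Alert:
    ts: str
    host: str
    src_ip: str
    user: str
    outcome: str
    technique: str   # MITRE ATT&CK technique the touch maps to
    severity: str


def detect_decoy_use(lines: List[str]) -> List[Alert]:
    """Raise an alert for every authentication attempt against a decoy account."""
    alerts: List[Alert] = []
    for line in lines:
        m = SSHD_RE.match(line)
        if not m:
            continue
        user = m.group("user") or m.group("user2")
        if user not in DECOY_ACCOUNTS:
            continue  # real users: this detector stays silent, even on failures
        outcome = m.group("outcome") or "Invalid user"
        if outcome == "Accepted":
            # Someone holds the planted credential: it was stolen or guessed.
            technique, severity = "T1078 Valid Accounts", "high"
        else:
            # Guessing a name that exists only in our decoy material.
            technique, severity = "T1110 Brute Force", "medium"
        alerts.append(Alert(m.group("ts"), m.group("host"), m.group("ip"),
                            user, outcome, technique, severity))
    return alerts


def extract_iocs(alerts: List[Alert]) -> List[str]:
    """Source addresses to push to the SIEM / MISP as indicators."""
    return sorted({a.src_ip for a in alerts})


# Constructed sample log (not from a real system).
SAMPLE_AUTH_LOG = [
    "Mar 18 02:11:07 bastion sshd[4021]: Failed password for alice from 198.51.100.7 port 51022 ssh2",
    "Mar 18 02:11:09 bastion sshd[4021]: Accepted password for alice from 198.51.100.7 port 51022 ssh2",
    "Mar 18 02:14:31 bastion sshd[4077]: Invalid user svc_backup_admin from 203.0.113.5 port 40212",
    "Mar 18 02:14:33 bastion sshd[4077]: Failed password for invalid user svc_backup_admin from 203.0.113.5 port 40212 ssh2",
    "Mar 18 02:20:02 decoy-db sshd[1188]: Accepted password for oracle_dba from 203.0.113.5 port 40390 ssh2",
]

if __name__ == "__main__":
    found = detect_decoy_use(SAMPLE_AUTH_LOG)
    for a in found:
        print(f"[{a.severity.upper()}] {a.ts} {a.host}: {a.outcome} for decoy {a.user} "
              f"from {a.src_ip} ({a.technique})")
    print("IOCs:", extract_iocs(found))
```

The point of the example is the asymmetry: alice's failed login is noise this detector ignores, while a single touch of `svc_backup_admin` or a successful login as `oracle_dba` on the decoy host is an alert on its own, with the source address ready to be shared as an IOC.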
May 21, 2020
Cyber Security
Risk Analysis Applied to COVID-19
In recent weeks we have seen all kinds of analyses and theories about Covid-19. Many may not have realised, however, that we can apply the methodology of risk analysis, so well known to us hackers and to professionals working in cybersecurity. We already discussed this topic in the first season of our #11PathsTalks webinars, particularly because understanding this process matters for proper technological risk management within our companies, but also for facing new cyberthreats well. The process is increasingly recognised in the industry; there are many methodologies, including an ISO standard (ISO 27005), and it is increasingly required in international certification processes, such as PCI DSS, which includes a risk assessment among its requirements.

The current situation of confinement, quarantine, tension, overexposure to information, the challenge of managing time at home, etc. has raised my levels of paranoia and scepticism, so I question everything twice. Discussing with colleagues and non-colleagues, I realised that most of them found it hard to understand how to protect themselves adequately against this new COVID-19 pandemic. In the weekly call with my fellow CSAs I also noticed the many analogies with the risk analysis process that we regularly perform (I hope) to analyse the risks within our organisation.

Qualitative Risk Analysis Applied to COVID-19

Risk (Macmillan Dictionary): 1. The possibility that something unpleasant or dangerous might happen.

Risk analysis is a process that seeks to identify the security risk to an asset, determining its probability of occurrence, its impact on the business and the controls that mitigate the impact (or the probability of occurrence).

Approach based on Probability - Impact

We proceed as we would traditionally, but focusing only on COVID-19 as the threat to analyse. We identify the asset(s) that could be affected by the threat; the vulnerabilities that could allow the threat to affect the asset; the probability of the threat (given the vulnerabilities) affecting the asset; and the impact of the threat (through the vulnerabilities) on the asset. As always, one of the objectives is to define which controls minimise the probability of occurrence or the impact. Let's see the general context:

Figure 1: General context of information security

Threat: an event that can adversely affect the confidentiality, integrity or availability of information assets. In this case it is an event that can affect our health (integrity): COVID-19.

Asset: anything of value to the organisation. In our case the asset to be protected is people.

Vulnerability: a weakness that makes it easier for a threat to materialise. In our case:
- Being over 80 years old
- Being in poor health or physical condition
- Suffering from chronic diseases
- Having special needs (disability)
- Having bad habits (not washing hands, coughing without covering the mouth)
- Not following the recommendations (mask, quarantine)

Probability of risk: the frequency with which the risk could occur in a given period. Levels of probability of occurrence (of infection, in this case): High, Medium, Low.

Impact: the consequences if a particular asset is affected in terms of confidentiality, integrity or availability. In our case, the consequences if a person's health is affected. Potential impact:
- Low: to be infected with COVID-19 and have no after-effects.
- Medium: to be infected with COVID-19 and have after-effects.
- High: to die from COVID-19.

Simplified Risk Analysis Matrix - COVID-19 - Inherent Risk

Absolute or inherent risk is the risk assessed without considering controls.

Simplified Risk Analysis Matrix - COVID-19 - Residual Risk

Residual risk is the risk that remains after the controls are applied.

Risk Analysis Result
Figure 2: Matrix of risks identified
Results of the Risk Analysis for COVID-19 - Inherent Risk
Figure 3: Matrix of inherent risks
Results of the Risk Analysis for COVID-19 - Residual Risk
Figure 4: Matrix of residual risks

Conclusions

As can be seen, the risk analysis process aims to identify and apply controls that reduce the probability of occurrence, the associated impact, or, at best, both. Figure 3 shows that all the risks are at medium and high levels, so they must be managed by applying the controls identified; Figure 4 shows how applying the controls decreased the probability of occurrence or the associated impact, and thus the risks. The most important point to understand in the case of COVID-19 is that by applying these controls, or expert recommendations, we are not killing the virus, only decreasing the probability of infection. However, by applying them we also decrease the impact: if we don't get infected, we are not at risk of dying from the virus (the highest impact of this threat).
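The probability-impact method described in this post can be carried through in code. The following Python script is an added example (it is not the post's own matrices, which live in its figures): it scores risk on an assumed 3x3 matrix, derives probability from the behavioural vulnerabilities listed above and impact from the health-related ones, and recomputes after each control removes the vulnerability it addresses, giving the inherent and residual risk for three constructed scenarios. The scoring thresholds, the count-to-level mappings and the scenarios are assumptions chosen for illustration.

```python
"""Qualitative probability x impact risk matrix, inherent vs residual, with
COVID-19 as the threat and the person as the asset.

Added example for this page; not code from the original post. Assumptions:
the 3x3 scoring thresholds, the mapping of vulnerability counts to probability
and impact levels, and the three scenarios are illustrative choices, not
values taken from the post's figures.
"""
from typing import Dict, Iterable, Set, Tuple

LEVELS = {"Low": 1, "Medium": 2, "High": 3}

# Vulnerabilities from the post, split by what they drive.
BEHAVIOURAL = {"not washing hands", "coughing without covering mouth",
               "no mask", "not quarantining"}                          # drive probability
HEALTH = {"over 80", "poor health", "chronic disease", "special needs"}  # drive impact

# Each control removes the behavioural vulnerability it addresses (assumption).
CONTROLS = {
    "wash hands": "not washing hands",
    "cover cough": "coughing without covering mouth",
    "wear mask": "no mask",
    "quarantine": "not quarantining",
}


def risk_level(probability: str, impact: str) -> str:
    """Assumed 3x3 matrix: score = P x I; 1 is Low, 2-4 Medium, 6-9 High."""
    score = LEVELS[probability] * LEVELS[impact]
    if score >= 6:
        return "High"
    if score >= 2:
        return "Medium"
    return "Low"


def probability_level(vulns: Set[str]) -> str:
    """Probability of infection from how many risky behaviours remain (assumption)."""
    n = len(vulns & BEHAVIOURAL)
    return "High" if n >= 3 else "Medium" if n >= 1 else "Low"


def impact_level(vulns: Set[str]) -> str:
    """Impact (no after-effects / after-effects / death) from health vulnerabilities (assumption)."""
    n = len(vulns & HEALTH)
    return "High" if n >= 2 else "Medium" if n == 1 else "Low"


def assess(vulns: Iterable[str], controls: Iterable[str] = ()) -> Dict[str, str]:
    """Risk for one person; with no controls this is the inherent risk."""
    remaining = set(vulns) - {CONTROLS[c] for c in controls}
    p, i = probability_level(remaining), impact_level(remaining)
    return {"probability": p, "impact": i, "risk": risk_level(p, i)}


def inherent_and_residual(vulns: Iterable[str],
                          controls: Iterable[str]) -> Tuple[Dict[str, str], Dict[str, str]]:
    return assess(vulns), assess(vulns, controls)


# Illustrative scenarios (constructed, not the post's matrix).
SCENARIOS = {
    "healthy adult ignoring mask and quarantine":
        ({"no mask", "not quarantining"}, ["wear mask", "quarantine"]),
    "over 80 with chronic disease, poor habits":
        ({"over 80", "chronic disease", "not washing hands", "no mask", "not quarantining"},
         ["wash hands", "wear mask", "quarantine"]),
    "chronic disease, coughs without covering":
        ({"chronic disease", "coughing without covering mouth"}, ["cover cough"]),
}

if __name__ == "__main__":
    for name, (vulns, controls) in SCENARIOS.items():
        inherent, residual = inherent_and_residual(vulns, controls)
        print(f"{name}: inherent {inherent['risk']} "
              f"(P={inherent['probability']}, I={inherent['impact']}) -> "
              f"residual {residual['risk']} "
              f"(P={residual['probability']}, I={residual['impact']})")
```

Note the third scenario: removing the only behavioural vulnerability lowers the probability from Medium to Low, but with a Medium impact the qualitative level stays Medium. This is the practical caveat of the method: controls that act only on probability do not always move a risk out of its band, which is why impact-reducing controls have to be considered as well.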
April 2, 2020