Month: August 2017

The growing danger of Fareit, the password stealer

Posted on

By: RaviKant Tiwari and Yashashree Gund

People, businesses, and governments increasingly depend on systems and devices that are protected only by passwords. Often, these passwords are weak or easily stolen, creating an attractive target for cybercriminals. Credentials are our primary method of security and have thus become a primary attack vector for cybercriminals intent on profiting from those relationships. Unfortunately, human behavior is the weakest link in those relationships. Most people minimize the importance of good security hygiene. They do not take care when creating passwords, thereby exposing themselves to bruteforce attacks. Even worse, they sometimes do not protect themselves at all by not setting or changing default passwords.

Gradually, cloud computing is changing the way we use computers. It is increasingly common among consumers and businesses to store important information and services in the cloud. Yet we generally use the same credentialing scheme, subject to the same weaknesses in human behavior, to gain access to cloud-based information and services. And because the data and computing are centralized, the cloud has become an ever more attractive target for cybercriminals.

Using password stealers for credential theft

Password stealers are used in the early stages of nearly all major advanced persistent threats. This type of malware adds economic value to the overall attack lifecycle. Lateral malware movement in networks is mainly dependent on credentials harvested by password stealers. New password-stealing malware variants have enhanced their capabilities from grabbing banking credentials to Bitcoins and gaming currency. Fareit, also known as Pony, is one of the top malware families currently used for stealing passwords; it can snatch credentials from more than 100 applications, including email, FTP, instant messaging, VPN, web browsers, and many more. As more sensitive information is moved to the password-protected cloud, the value of stolen credentials has increased. As a result, password stealers have become more popular.

Fareit/Pony can snatch credentials from more than 100 applications

The earliest tracked version of Fareit/Pony was Version 1.7, which included most of the capabilities that the latest version, 2.2, possesses today. Fareit/Pony is among the most successful password-stealing software ever developed. This success story has led to its use in almost all major cyberattacks whose intent is to steal sensitive information.

Infection methods

Fareit/Pony spreads through mechanisms such as phishing/spam email, DNS poisoning, and exploit kits:

  • Spam—The victim receives a malicious spam email containing a Word document, JavaScript, or archive file as an attachment. Once the user opens the attachment, Fareit/Pony infects the system. It then downloads additional malware based on its current campaign and sends stolen credentials to the control server.
  • DNS poisoning—In this technique, malware such as Rbrut gains router administration access through a brute-force attack. It then changes the primary DNS settings and redirects infected systems to rogue DNS servers. The rogue DNS servers redirect users to malicious websites, which deliver Fareit/Pony.
  • Bot and control server architecture—Unlike most botnets, which are operated by specific groups and have centralized control servers, Fareit/Pony can be purchased by any willing attacker on the dark web. The purchaser sets up a personal control server to start the attack process or purchases a control panel service hosted by another attacker. The purchased panel provides the stolen credential reports.

Many campaign authors incorporate Fareit/Pony into their attack methodologies including the author of the Andromeda botnet.  The Andromeda author demonstrated how to make Fareit/Pony into a plug-in for the Andromeda botnet. Below is explained how Fareit/Pony was crafted for the DNC attack, packaging just code to steal user and FTP passwords.

The DNC attack

The Democratic National Committee breach in 2016 has been attributed to a malware campaign known as Grizzly Steppe. Grizzly Steppe targets government organizations, critical infrastructure companies, think tanks, political organizations, and corporations around the world. It uses tactics such as shortened URLs, spear phishing, lateral movement, and escalating privileges to infect systems and networks. According to published reports, the Grizzly Steppe campaign ran in two phases. In 2015, it executed a spear phishing campaign to send malicious links redirecting to malware downloads. Then in 2016, it tricked people into changing passwords through fake lookalike domains. Credentials and other information (including emails) were stolen from victims’ systems and published in the public domain. Fareit/Pony hashes were found in the indicators of compromise lists published by the US government in its Grizzly Steppe report.

ITG recommends these steps to avoid infection by threats such as Fareit/Pony

  • Create strong passwords and change them regularly. The longer and more varied a password, the stronger it is. Incorporate numbers, uppercase and lowercase letters, and special characters. ITG recommends changing passwords two to three times per year, and immediately after any breach. If this sounds like too much to track, consider using a password management tool.
  • Use different passwords for every account or service. This prevents access to other accounts and services even if one account is compromised.
  • Employ multifactor authentication. In the event of a compromised account, the attacker will not be able to access the account until the next authentication factor is verified.
  • Do not use public computers for anything that requires a password. Avoid using systems in coffee shops, libraries, or other public Wi-Fi locations because those networks are susceptible to keystroke-logging software and other types of malware.
  • Be extra cautious when opening email attachments. This is a big one! Do not open any strange-looking attachments or click on links from suspicious or unknown senders. Even if the attachment or link is received from a friend, make sure that the email or social network post does not look questionable before clicking on it. This person may have already had their account compromised.
  • Install comprehensive security on all devices. Practice basic security hygiene such as keeping security software up to date. This simple step significantly reduces the chance of being infected by Fareit/Pony or other malware.

Integrated Technology Group Reduces Your Company’s Vulnerability to Network Breaches

Posted on Updated on

Word of the Day: managed service provider (MSP)

Daily updates on the latest technology terms | August 9, 2017 Courtesy of

A managed service provider (MSP) is a company that remotely manages a customer’s IT infrastructure and/or end-user systems, typically on a proactive basis and under a subscription model.

MSPs usually charge a flat monthly fee under the subscription model. This approach provides the MSP with a monthly recurring revenue stream, in contrast to IT projects that tend to be one-time transactions. MSPs often provide their offerings under a service-level agreement, a contractual arrangement between the MSP and its customer that spells out the performance and quality metrics that will govern the relationship.

To keep labor costs in check and improve efficiency, most MSPs employ remote monitoring and management (RMM) software to keep tabs on clients’ IT functions. RMM software lets MSPs remotely troubleshoot and remediate issues with servers and endpoint devices. With RMM, MSPs can manage numerous customers’ IT systems simultaneously.

Integrated Technology Group is a managed service provider. But, what stands us apart is that we design and implement network infrastructure built around your business needs.  Like an IT solutions provider, we do provide services on a time-and-materials basis, but our preference is to establish long-term relationships with our clients, becoming in effect, an integral part of their team.  We focus on your business to enhance the demands of your operation with improved access, performance and security.

In addition to managed services, we provide cloud solutions and security, currently a major focus of many companies; corporate network security and support which we approach with a comprehensive network security audit that outlines potential vulnerabilities; email solutions; and disaster plan and recovery.

Network security is our business

Following the network security audit, our approach to securing your network is to provide your company with: a list of potential security threats; remediation effort recommendations; and then correct any addressed security risks. We have the computer and network security expertise to help you plan, install, optimize and manage the complex network infrastructure that enables your critical business applications.

Keep your network safe! Contact us today for more information at or call 518.479.3881.

Breach at Third Party Contractor Affects 18,000 Anthem Members

Posted on

by Chris Brook

A month after it agreed to settle 2015’s massive data breach, Anthem Inc., the United States’ largest healthcare company, has a new problem on its hands.

The Indianapolis-based company began notifying 18,000 members affected by another

Anthem reported the breach on July 24 to the U.S. Department of Health and Human Services Office for Civil Rights, which keeps track of data breaches per 2009’s HITECH Act.

According to Anthem, the breach stems from a 2016 incident involving a third-party company, LaunchPoint Ventures, that provides insurance coordination services to Anthem. LaunchPoint said last week that on July 8, 2016 an employee emailed a file containing personal information about Anthem members to his personal email address. LaunchPoint didn’t learn of the incident until April of this year, 10 months after the fact.

The company says the employee, who has since been fired, jailed and is under investigation for an unrelated incident, was “likely involved in identity theft related activities.” LaunchPoint learned the employee was involved in the activities in April and learned a month later, in May, that some non-Anthem data may have been misused during his tenure at the company.

It took several weeks but according to Anthem, LaunchPoint was eventually able to confirm in mid-June that the file the employee emailed contained sensitive health information pertaining to Anthem members. The file contained individuals’ Medicare ID numbers, Social Security numbers, Health Plan ID numbers, Medicare contract numbers, and dates of enrollment. The companies claim that in some limited instances, individuals last names and dates of birth were also included but that they’re notifying those members directly.

In a blog post last Monday, Anthem said the incident could ultimately affect 18,580 Medicare members. It’s unclear at this point whether the victims are confined to a specific regional branch of Anthem or spread out nationwide. Regardless, as is customary following incidents like this, LaunchPoint said it’s working with law enforcement on an investigation and is supplying victims with two years of credit monitoring and identity theft restoration services.

While the incident wasn’t technically Anthem’s fault, it’s still the latest in a series of rough patches for the company.

The company agreed in late June to pay $115 million to settle a 2015 breach of data belonging to 79 million members. Data in that breach, which was far worse both in scope and sheer number of records, contained individuals names, dates of birth, member IDs, Social Security numbers, addresses, phone numbers, email addresses, and employment information.

The judge presiding over the case, Lucy Koh of the United States District Court for the Northern District of California, is scheduled to hear the Plaintiff’s motion later this month, on August 17. If approved the settlement will mark the largest pertaining to a data breach in recorded history.

Identifying Intrusive Mobile Apps Using Peer Group Analysis

Posted on


Posted by: Martin Pelikan, Giles Hogben, and Ulfar Erlingsson of Google’s Security and Privacy team

Mobile apps entertain and assist us, make it easy to communicate with friends and family, and provide tools ranging from maps to electronic wallets. But these apps could also seek more device information than they need to do their job, such as personal data and sensor data from components, like cameras and GPS trackers.

To protect our users and help developers navigate this complex environment, Google analyzes privacy and security signals for each app in Google Play. We then compare that app to other apps with similar features, known as functional peers. Creating peer groups allows us to calibrate our estimates of users’ expectations and set adequate boundaries of behaviors that may be considered unsafe or intrusive. This process helps detect apps that collect or send sensitive data without a clear need, and makes it easier for users to find apps that provide the right functionality and respect their privacy. For example, most coloring book apps don’t need to know a user’s precise location to function and this can be established by analyzing other coloring book apps. By contrast, mapping and navigation apps need to know a user’s location, and often require GPS sensor access.

One way to create app peer groups is to create a fixed set of categories and then assign each app into one or more categories, such as tools, productivity, and games. However, fixed categories are too coarse and inflexible to capture and track the many distinctions in the rapidly changing set of mobile apps. Manual curation and maintenance of such categories is also a tedious and error-prone task.To address this, Google developed a machine-learning algorithm for clustering mobile apps with similar capabilities.

Our approach uses deep learning of vector embeddings to identify peer groups of apps with similar functionality, using app metadata, such as text descriptions, and user metrics, such as installs.

Then peer groups are used to identify anomalous, potentially harmful signals related to privacy and security, from each app’s requested permissions and its observed behaviors. The correlation between different peer groups and their security signals helps different teams at Google decide which apps to promote and determine which apps deserve a more careful look by our security and privacy experts.

We also use the result to help app developers improve the privacy and security of their apps.Apps are split into groups of similar functionality, and in each cluster of similar apps the established baseline is used to find anomalous privacy and security signals.These techniques build upon earlier ideas, such as using peer groups to analyze privacy-related signals, deep learning for language models to make those peer groups better, and automated data analysis to draw conclusions.

Many teams across Google collaborated to create this algorithm and the surrounding process. Thanks to several, essential team members including Andrew Ahn, Vikas Arora, Hongji Bao, Jun Hong, Nwokedi Idika, Iulia Ion, Suman Jana, Daehwan Kim, Kenny Lim, Jiahui Liu, Sai Teja Peddinti, Sebastian Porst, Gowdy Rajappan, Aaron Rothman, Monir Sharif, Sooel Son, Michael Vrable, and Qiang Yan.

For more information on Google’s efforts to detect and fight potentially harmful apps (PHAs) on Android, see Google Android Security Team’s Classifications for Potentially Harmful Applications.