How did they do it? (Hacked)


felter
Posts: 6974
Joined: Sat, 9. Nov 02, 18:13
xr

Re: How did they do it? (Hacked)

Post by felter » Fri, 1. May 20, 14:49

red assassin, did you even look at either the stuff I posted or even the link you posted? The 99.88% protection rate you linked as being good is actually one of the worst out of all of the AV software they tested. Then you have to take into account the other two percentages used, the online and offline detection rates, which were 70.5% and 85.9% respectively, which puts them down in the bottom 5, not the top 5 like you are trying to make out that they are. Windows Defender is bad; it is not the worst and it is better than it used to be, but it is still one of the worst anti-virus products out there.
Florida Man Makes Announcement.
We live in a crazy world where winter heating has become a luxury item.

red assassin
Posts: 4613
Joined: Sun, 15. Feb 04, 15:11
x3

Re: How did they do it? (Hacked)

Post by red assassin » Fri, 1. May 20, 15:28

Vertigo 7 wrote:
Fri, 1. May 20, 14:23
Really? So enterprises that are ditching multi million dollar contracts with Symantec/Broadcom and McAfee in favor of Cylance are just buying into marketing hype?

I can tell ya, as someone who does actually work in IT security for one of the largest healthcare providers in the US, and was directly involved in assessing the efficacy of Cylance countering actual ongoing threats vs. other products we were using at the time, Cylance hit all the marks and did so without consuming inordinate resources on both server and end user systems. We quickly switched products and have not regretted it once. It works, and it works damn well, and doesn't require constant updating of signatures to do its job. We have had 0 malware or ransomware outbreaks since Cylance was deployed and field techs are no longer spending inordinate amounts of time cleaning or reimaging infected devices.

Their approach to using an AI engine to detect malware is definitely different from all the rest, but I can't argue with results. It's even detected PUPs on my machine that Malwarebytes and Defender completely missed.
I am an infosec professional. Symantec and McAfee are pretty terrible, so I wouldn't exactly describe switching away from them as a bad move. Also, the situation for a corporate network is a bit different from home use under discussion here. Nonetheless, I stand by my statement: there are eleventy billion AI-powered network defence startups out there right now and how loudly they yell about AI in marketing has very little to do with how effective they are. A machine learning detection engine is vulnerable to just the same evasion processes any other detection engine is vulnerable to. As soon as Cylance gets popular enough for malware authors to start testing against it like they do more common AV engines, it'll start missing stuff in the critical early window and needing to push out engine updates just like other AVs.


felter wrote:
Fri, 1. May 20, 14:49
red assassin, did you even look at either the stuff I posted or even the link you posted? The 99.88% protection rate you linked as being good is actually one of the worst out of all of the AV software they tested. Then you have to take into account the other two percentages used, the online and offline detection rates, which were 70.5% and 85.9% respectively, which puts them down in the bottom 5, not the top 5 like you are trying to make out that they are. Windows Defender is bad; it is not the worst and it is better than it used to be, but it is still one of the worst anti-virus products out there.
Did you read anything I wrote? Detection rates are not a useful measure of how an antivirus affects your security posture.
A still more glorious dawn awaits, not a sunrise, but a galaxy rise, a morning filled with 400 billion suns - the rising of the Milky Way

Vertigo 7
Posts: 3460
Joined: Fri, 14. Jan 11, 17:30
x4

Re: How did they do it? (Hacked)

Post by Vertigo 7 » Fri, 1. May 20, 15:56

red assassin wrote:
Fri, 1. May 20, 15:28
Vertigo 7 wrote:
Fri, 1. May 20, 14:23
Really? So enterprises that are ditching multi million dollar contracts with Symantec/Broadcom and McAfee in favor of Cylance are just buying into marketing hype?

I can tell ya, as someone who does actually work in IT security for one of the largest healthcare providers in the US, and was directly involved in assessing the efficacy of Cylance countering actual ongoing threats vs. other products we were using at the time, Cylance hit all the marks and did so without consuming inordinate resources on both server and end user systems. We quickly switched products and have not regretted it once. It works, and it works damn well, and doesn't require constant updating of signatures to do its job. We have had 0 malware or ransomware outbreaks since Cylance was deployed and field techs are no longer spending inordinate amounts of time cleaning or reimaging infected devices.

Their approach to using an AI engine to detect malware is definitely different from all the rest, but I can't argue with results. It's even detected PUPs on my machine that Malwarebytes and Defender completely missed.
I am an infosec professional. Symantec and McAfee are pretty terrible, so I wouldn't exactly describe switching away from them as a bad move. Also, the situation for a corporate network is a bit different from home use under discussion here. Nonetheless, I stand by my statement: there are eleventy billion AI-powered network defence startups out there right now and how loudly they yell about AI in marketing has very little to do with how effective they are. A machine learning detection engine is vulnerable to just the same evasion processes any other detection engine is vulnerable to. As soon as Cylance gets popular enough for malware authors to start testing against it like they do more common AV engines, it'll start missing stuff in the critical early window and needing to push out engine updates just like other AVs.
Cylance isn't a startup... Research, my friend. They've been around since 2012 and were bought by BlackBerry in 2018. They are constantly evaluating processes for malicious code. Sometimes, at least on the enterprise level, a bit too overzealously, flagging activity as suspicious that isn't, but not that often and nothing that has majorly impacted business.

Anyway, since I have actual real world experience with Cylance and have seen first hand it stopping zero-day threats long before any other AV product is able to, I'll stick with what I'm seeing first hand. As I said, it works. If something else comes along down the road that can do the job better, great. For now, I'm putting my trust in Cylance's ability to neutralize threats since it's accomplishing its task where others have failed.

We would not rely on Windows Defender in the corporate network, even with all of the strict controls and security appliances in place to prevent bad actors from gaining access. With far fewer controls on a home network, why should anyone rely on Windows Defender to keep their data safe? Cuz it's free? It's not nearly as effective as you claim it to be, again... PUPs were detected by Cylance on my machine that Defender missed. Shit that GOG and Twitch threw out there. Hell, I wasn't even aware of it and I like to stay on top of what's going on with my machine. Not to mention, both Malwarebytes and Defender have been directly circumvented by certain malware and Cylance has built-in process protections that prevent tampering.

Bottom line is, as I said, I can't argue with results. Show me something better, I'll take it into consideration. "marketing" is not a sufficient reason to dismiss an effective product.
The Future is Progressive!
rebellionpac.com
Fight white supremacy, fight corporate influence, fight for the rights of all peoples!

silenced
Posts: 4967
Joined: Tue, 20. Jun 06, 19:43
x4

Re: How did they do it? (Hacked)

Post by silenced » Fri, 1. May 20, 16:17

But on a side note: Wasn't Cylance the one that could be circumvented by using "whitelisted" files that had been infected after being "whitelisted", so the system totally failed?

I think it was them, and they said all of this was not true, but lots of patching and hotfixing was done a very short time after ... :gruebel: :gruebel:
... what is a drop of rain, compared to the storm? ... what is a thought, compared to the mind? ... our unity is full of wonder which your tiny individualism cannot even conceive ... I've heard it all before ... you're saying nothing new ... I thought I saw a rainbow ... but I guess it wasn't true ... you cannot make me listen ... I cannot make you hear ... you find your way to heaven ... I'll meet you when you're there ...

Vertigo 7
Posts: 3460
Joined: Fri, 14. Jan 11, 17:30
x4

Re: How did they do it? (Hacked)

Post by Vertigo 7 » Fri, 1. May 20, 16:24

I don't think so. Cylance evaluates processes in active memory, it doesn't care what the filename is.

red assassin
Posts: 4613
Joined: Sun, 15. Feb 04, 15:11
x3

Re: How did they do it? (Hacked)

Post by red assassin » Fri, 1. May 20, 16:28

Vertigo 7 wrote:
Fri, 1. May 20, 15:56
Cylance isn't a startup... Research, my friend. They've been around since 2012 and were bought by BlackBerry in 2018. They are constantly evaluating processes for malicious code. Sometimes, at least on the enterprise level, a bit too overzealously, flagging activity as suspicious that isn't, but not that often and nothing that has majorly impacted business.

Anyway, since I have actual real world experience with Cylance and have seen first hand it stopping zero-day threats long before any other AV product is able to, I'll stick with what I'm seeing first hand. As I said, it works. If something else comes along down the road that can do the job better, great. For now, I'm putting my trust in Cylance's ability to neutralize threats since it's accomplishing its task where others have failed.

We would not rely on Windows Defender in the corporate network, even with all of the strict controls and security appliances in place to prevent bad actors from gaining access. With far fewer controls on a home network, why should anyone rely on Windows Defender to keep their data safe? Cuz it's free? It's not nearly as effective as you claim it to be, again... PUPs were detected by Cylance on my machine that Defender missed. Shit that GOG and Twitch threw out there. Hell, I wasn't even aware of it and I like to stay on top of what's going on with my machine. Not to mention, both Malwarebytes and Defender have been directly circumvented by certain malware and Cylance has built-in process protections that prevent tampering.

Bottom line is, as I said, I can't argue with results. Show me something better, I'll take it into consideration. "marketing" is not a sufficient reason to dismiss an effective product.
I know who Cylance are. I don't dispute it works well, but being machine learning doesn't make it better than other AV products, or not vulnerable to the same attacks as they are. If your attacker cares about not getting caught by Cylance, then they'll test until they don't get caught by it. I'm not saying don't use it on a corporate network, I'm saying don't assume it's going to work at the critical moment because "machine learning". I believe the particular attack silenced is referring to is this one, where researchers figured out last year that they could just embed a bunch of strings from known-good executables into their malware to get Cylance to flag it as a good file, which is slightly hilarious. Specifics of individual attacks aren't particularly important though - the point is that they exist and any attacker who cares enough will find them.

A home network is enormously easier to defend than a corporate network, for the very obvious reasons that the attack surface is vastly smaller and the amount it's worth an attacker investing in compromising you is vastly smaller. Would I run free Defender on a typical existing corporate network, where the security posture is weak enough I'm a lot more likely to actually need the AV to find things? Probably not, but I'm sure not gonna count on the AV to actually find stuff in that situation either. Also, again, AVs are also an attack vector in themselves and have a long history of exploitable security issues: it's not an automatic net security positive installing one in your network. Relatedly, pretty much every AV has anti-tampering protection. That doesn't make it effective.

Vertigo 7
Posts: 3460
Joined: Fri, 14. Jan 11, 17:30
x4

Re: How did they do it? (Hacked)

Post by Vertigo 7 » Fri, 1. May 20, 17:04

red assassin wrote:
Fri, 1. May 20, 16:28
Vertigo 7 wrote:
Fri, 1. May 20, 15:56
Cylance isn't a startup... Research, my friend. They've been around since 2012 and were bought by BlackBerry in 2018. They are constantly evaluating processes for malicious code. Sometimes, at least on the enterprise level, a bit too overzealously, flagging activity as suspicious that isn't, but not that often and nothing that has majorly impacted business.

Anyway, since I have actual real world experience with Cylance and have seen first hand it stopping zero-day threats long before any other AV product is able to, I'll stick with what I'm seeing first hand. As I said, it works. If something else comes along down the road that can do the job better, great. For now, I'm putting my trust in Cylance's ability to neutralize threats since it's accomplishing its task where others have failed.

We would not rely on Windows Defender in the corporate network, even with all of the strict controls and security appliances in place to prevent bad actors from gaining access. With far fewer controls on a home network, why should anyone rely on Windows Defender to keep their data safe? Cuz it's free? It's not nearly as effective as you claim it to be, again... PUPs were detected by Cylance on my machine that Defender missed. Shit that GOG and Twitch threw out there. Hell, I wasn't even aware of it and I like to stay on top of what's going on with my machine. Not to mention, both Malwarebytes and Defender have been directly circumvented by certain malware and Cylance has built-in process protections that prevent tampering.

Bottom line is, as I said, I can't argue with results. Show me something better, I'll take it into consideration. "marketing" is not a sufficient reason to dismiss an effective product.
I know who Cylance are. I don't dispute it works well, but being machine learning doesn't make it better than other AV products, or not vulnerable to the same attacks as they are. If your attacker cares about not getting caught by Cylance, then they'll test until they don't get caught by it. I'm not saying don't use it on a corporate network, I'm saying don't assume it's going to work at the critical moment because "machine learning". I believe the particular attack silenced is referring to is this one, where researchers figured out last year that they could just embed a bunch of strings from known-good executables into their malware to get Cylance to flag it as a good file, which is slightly hilarious. Specifics of individual attacks aren't particularly important though - the point is that they exist and any attacker who cares enough will find them.

A home network is enormously easier to defend than a corporate network, for the very obvious reasons that the attack surface is vastly smaller and the amount it's worth an attacker investing in compromising you is vastly smaller. Would I run free Defender on a typical existing corporate network, where the security posture is weak enough I'm a lot more likely to actually need the AV to find things? Probably not, but I'm sure not gonna count on the AV to actually find stuff in that situation either. Also, again, AVs are also an attack vector in themselves and have a long history of exploitable security issues: it's not an automatic net security positive installing one in your network. Relatedly, pretty much every AV has anti-tampering protection. That doesn't make it effective.
First off, I cited its AI engine as opposed to needing signatures to detect malware as a plus, not a reason for using Cylance. I specifically spoke to its efficacy where other products have failed to provide protection. And it's not like we've just installed Cylance and gone home. Your assertion is a bit ludicrous. We trust that it's going to do a better job because we don't have to wait on the vendor to release a signature to detect a threat, as we're seeing in real time. That's why I say this product is more effective than any signature based AV solution on the market to date. We are seeing it first hand countering threats before any other AV product has the capability to do so. It's not marketing, it's not articles, it's real time data showing us what's being stopped long before any threat analysis is released.

I looked over your link. Okay, so they were able to circumvent Cylance by locally altering code of known good processes. That's great, they found a vulnerability, and I'm sure it will be addressed, if it hasn't been already. It's not uncommon for vulnerabilities to be found by "white hats" and patched for just about anything. The problem with that scenario, though, is that it requires an attacker to gain local access to a system, and if they're able to do that, there's more problems than a vulnerable AV solution. I'm not gonna go down this rabbit hole, but that's a highly unlikely scenario if you're staying current on security patching. I'm not really sure why you find that funny, unless you're just saying "oh look, Cylance failed this one time! It SUX! LOL" cuz if that's the case, I'll link dump you into next year with the number of times Defender and others have failed for the lols.

Alan Phipps
Moderator (English)
Posts: 30426
Joined: Fri, 16. Apr 04, 19:21
x4

Re: How did they do it? (Hacked)

Post by Alan Phipps » Fri, 1. May 20, 17:36

Why is this starting to remind me of the AMD/Nvidia debate threads? :gruebel:

Is the AV chosen relevant, in this case, to the OP being hacked/phished/whatever? - Genuine question.
A dog has a master; a cat has domestic staff.

red assassin
Posts: 4613
Joined: Sun, 15. Feb 04, 15:11
x3

Re: How did they do it? (Hacked)

Post by red assassin » Fri, 1. May 20, 17:37

Vertigo 7 wrote:
Fri, 1. May 20, 17:04
First off, I cited its AI engine as opposed to needing signatures to detect malware as a plus, not a reason for using Cylance. I specifically spoke to its efficacy where other products have failed to provide protection. And it's not like we've just installed Cylance and gone home. Your assertion is a bit ludicrous. We trust that it's going to do a better job because we don't have to wait on the vendor to release a signature to detect a threat, as we're seeing in real time. That's why I say this product is more effective than any signature based AV solution on the market to date. We are seeing it first hand countering threats before any other AV product has the capability to do so. It's not marketing, it's not articles, it's real time data showing us what's being stopped long before any threat analysis is released.

I looked over your link. Okay, so they were able to circumvent Cylance by locally altering code of known good processes. That's great, they found a vulnerability, and I'm sure it will be addressed, if it hasn't been already. It's not uncommon for vulnerabilities to be found by "white hats" and patched for just about anything. The problem with that scenario, though, is that it requires an attacker to gain local access to a system, and if they're able to do that, there's more problems than a vulnerable AV solution. I'm not gonna go down this rabbit hole, but that's a highly unlikely scenario if you're staying current on security patching. I'm not really sure why you find that funny, unless you're just saying "oh look, Cylance failed this one time! It SUX! LOL" cuz if that's the case, I'll link dump you into next year with the number of times Defender and others have failed for the lols.
You know "standard" AV products use a lot of heuristics and behavioural analysis, right, some of which are very good? Some of the big names have machine learning components as well. It's not like newer pure-machine learning tools have a monopoly on finding unknown threats. The problem is that malware authors will test their malware against specific AV engines to ensure that it's not caught by the heuristic signaturing engines before they deploy. This is a process which is just as possible to conduct against Cylance's tool or any other. Cylance is still a reasonably small player, so I would guess that the typical criminal malware author isn't yet bothering to do much work against Cylance. But as Cylance gets bigger, or if anybody decides that one of the organisations you protect is a particularly interesting target, you'll see more stuff shipping that's designed to evade Cylance in just the same way.

I don't think you've understood what they did here. They haven't "locally altered code of known good processes". They produced a set of strings which could be appended to arbitrary malware samples to cause Cylance to flag that otherwise unmodified malware as good. This was done by reverse engineering Cylance to locate an internal whitelisting mechanism, and they then extracted a list of strings from a whitelisted executable. But the key point is they had a blob of data which, appended to nearly any executable, even very common known-malicious ones, would cause Cylance to process it as good with no further per-sample tuning. You don't need to have access to the system already - you just append that to whatever tool you're going to drop via whatever vector you have, and away you go. It's funny because this is adversarial machine learning 101, and it's an easier bypass than most AV products because the single static blob of appended strings works on nearly every file. But as I say, the details of this specific attack are not very interesting: the point is that as soon as somebody cares, Cylance is just as bypassable as any other AV tool.


edit @ Alan Phipps: My point here is that the choice of AV has very little relevance to the security of an average home user such as OP, and therefore it's better to use one that's free, competently developed, and not up to anything with your personal data (more than the OS itself is), i.e. Defender.

Vertigo 7
Posts: 3460
Joined: Fri, 14. Jan 11, 17:30
x4

Re: How did they do it? (Hacked)

Post by Vertigo 7 » Fri, 1. May 20, 18:30

red assassin wrote:
Fri, 1. May 20, 17:37
Vertigo 7 wrote:
Fri, 1. May 20, 17:04
First off, I cited its AI engine as opposed to needing signatures to detect malware as a plus, not a reason for using Cylance. I specifically spoke to its efficacy where other products have failed to provide protection. And it's not like we've just installed Cylance and gone home. Your assertion is a bit ludicrous. We trust that it's going to do a better job because we don't have to wait on the vendor to release a signature to detect a threat, as we're seeing in real time. That's why I say this product is more effective than any signature based AV solution on the market to date. We are seeing it first hand countering threats before any other AV product has the capability to do so. It's not marketing, it's not articles, it's real time data showing us what's being stopped long before any threat analysis is released.

I looked over your link. Okay, so they were able to circumvent Cylance by locally altering code of known good processes. That's great, they found a vulnerability, and I'm sure it will be addressed, if it hasn't been already. It's not uncommon for vulnerabilities to be found by "white hats" and patched for just about anything. The problem with that scenario, though, is that it requires an attacker to gain local access to a system, and if they're able to do that, there's more problems than a vulnerable AV solution. I'm not gonna go down this rabbit hole, but that's a highly unlikely scenario if you're staying current on security patching. I'm not really sure why you find that funny, unless you're just saying "oh look, Cylance failed this one time! It SUX! LOL" cuz if that's the case, I'll link dump you into next year with the number of times Defender and others have failed for the lols.
You know "standard" AV products use a lot of heuristics and behavioural analysis, right, some of which are very good? Some of the big names have machine learning components as well. It's not like newer pure-machine learning tools have a monopoly on finding unknown threats. The problem is that malware authors will test their malware against specific AV engines to ensure that it's not caught by the heuristic signaturing engines before they deploy. This is a process which is just as possible to conduct against Cylance's tool or any other. Cylance is still a reasonably small player, so I would guess that the typical criminal malware author isn't yet bothering to do much work against Cylance. But as Cylance gets bigger, or if anybody decides that one of the organisations you protect is a particularly interesting target, you'll see more stuff shipping that's designed to evade Cylance in just the same way.

I don't think you've understood what they did here. They haven't "locally altered code of known good processes". They produced a set of strings which could be appended to arbitrary malware samples to cause Cylance to flag that otherwise unmodified malware as good. This was done by reverse engineering Cylance to locate an internal whitelisting mechanism, and they then extracted a list of strings from a whitelisted executable. But the key point is they had a blob of data which, appended to nearly any executable, even very common known-malicious ones, would cause Cylance to process it as good with no further per-sample tuning. You don't need to have access to the system already - you just append that to whatever tool you're going to drop via whatever vector you have, and away you go. It's funny because this is adversarial machine learning 101, and it's an easier bypass than most AV products because the single static blob of appended strings works on nearly every file. But as I say, the details of this specific attack are not very interesting: the point is that as soon as somebody cares, Cylance is just as bypassable as any other AV tool.


edit @ Alan Phipps: My point here is that the choice of AV has very little relevance to the security of an average home user such as OP, and therefore it's better to use one that's free, competently developed, and not up to anything with your personal data (more than the OS itself is), i.e. Defender.
If "standard" AV products were "very good" at heuristic and behavioral analysis, as you said, why did Wannacry slip in undetected by all of them except Cylance at day zero? Are you telling me they specifically targeted every AV vendor out there EXCEPT for Cylance? Or is it more likely that the vendors didn't have the code samples to create a detection signature and their behavioral and heuristic analysis capabilities are just marketing?

Anywho, the exploit reported by Skylight Cyber of Cylance was reported on July 18, and Cylance patched it on July 21. Again, not uncommon for vulnerabilities to be reported and subsequently patched. Ask MS how many times they've patched defender based on reported exploits.

I never said Cylance was perfect. But I am saying it's better. If you wanna believe Defender is the greatest thing out there, go for it. I definitely won't claim it's "competently developed". If it were, there wouldn't be a market for better solutions. That coming from a guy that's all about some MS products. I like MS. I like Windows, have since NT4. I love my Xbox. I will push Office 365 over anything out there. But Defender... helllllllll no. It's been a garbage AV solution from the get go, even their enterprise version. It's easy to manage, sure... but it's just dog crap at actually doing anything meaningful.

Nanook
Moderator (English)
Posts: 27865
Joined: Thu, 15. May 03, 20:57
x4

Re: How did they do it? (Hacked)

Post by Nanook » Fri, 1. May 20, 19:13

@vertigo, red assassin: Get a Room! i.e., take your argument elsewhere please. Your private debate has completely derailed the OP's thread. And I'd bet your walls of text are only being read by you two. :roll:
Have a great idea for the current or a future game? You can post it in the [L3+] Ideas forum.

X4 is a journey, not a destination. Have fun on your travels.

Vertigo 7
Posts: 3460
Joined: Fri, 14. Jan 11, 17:30
x4

Re: How did they do it? (Hacked)

Post by Vertigo 7 » Fri, 1. May 20, 19:22

Nanook wrote:
Fri, 1. May 20, 19:13
@vertigo, red assassin: Get a Room! i.e., take your argument elsewhere please. Your private debate has completely derailed the OP's thread. And I'd bet your walls of text are only being read by you two. :roll:
You read it :lol:

Nanook
Moderator (English)
Posts: 27865
Joined: Thu, 15. May 03, 20:57
x4

Re: How did they do it? (Hacked)

Post by Nanook » Fri, 1. May 20, 19:25

Actually, I 'browsed' it. Too much text, too little time. :P
Besides, it's my job. 8)

Chips
Posts: 4878
Joined: Fri, 19. Mar 04, 19:46
x4

Re: How did they do it? (Hacked)

Post by Chips » Mon, 4. May 20, 01:59

red assassin wrote:
Fri, 1. May 20, 13:33
Install updates for your OS and your software immediately. Keep backups. Don't download stuff you can't verify. Use Defender. And follow the password advice from my other post.
You should absolutely know that the user is the weakest link in any, and every, scenario. So this advice alone fails to secure the majority because... users.
Also, Defender may work for many. That doesn't mean it's the most comprehensive free suite available. Suitable for most? Maybe. Best? Demonstrably not.

Mightysword
Posts: 4350
Joined: Wed, 10. Mar 04, 05:11
x3tc

Re: How did they do it? (Hacked)

Post by Mightysword » Mon, 4. May 20, 03:20

Chips wrote:
Mon, 4. May 20, 01:59
You should absolutely know that the user is the weakest link in any, and every, scenario. So this advice alone fails to secure the majority because... users.
Also, Defender may work for many. That doesn't mean it's the most comprehensive free suite available. Suitable for most? Maybe. Best? Demonstrably not.
I think on this topic, "what is the best" is perhaps a fairly pointless and unproductive question. Rather, "is it good enough" or "is this so bad it's not worth considering" would be the better questions to ask. And as noted, even with the most expensive defenses in place and a dedicated IT team to keep track of things, it often just takes one gullible user to compromise the whole thing.
Reading comprehension is hard.
Reading with prejudice makes comprehension harder.

jlehtone
Posts: 21809
Joined: Sat, 23. Apr 05, 21:42
x4

Re: How did they do it? (Hacked)

Post by jlehtone » Mon, 4. May 20, 10:33

Mightysword wrote:
Mon, 4. May 20, 03:20
And as noted, even with the most expensive defences in place and a dedicated IT team to keep track of things, it often just takes one gullible user to compromise the whole thing.
The size of the dedicated, expert IT team in a home LAN is probably 0. The number of gullible users in a home LAN ... can it be 100%?

apogee
Posts: 2115
Joined: Thu, 22. Jul 04, 13:35
x3tc

Re: How did they do it? (Hacked)

Post by apogee » Fri, 8. May 20, 12:49

From the OP: did you get the info about location from the Netflix site? And have you ever used the Netflix app on your phone?

I had locations listed in Scotland and London, both places I've not been recently, for Android; I use the Android Netflix app.

If you have location switched off and you connected via mobile data, it's likely the location comes from where your mobile provider connects to the internet. This could be several places depending on where the mobile data is routed in their mobile network.

I did change passwords recently when 2 items appeared in 'mylist' that I'm sure I never added.

Gavrushka
Posts: 8072
Joined: Fri, 26. Mar 04, 19:28
x4

Re: How did they do it? (Hacked)

Post by Gavrushka » Mon, 11. May 20, 16:23

apogee wrote:
Fri, 8. May 20, 12:49
From the OP: did you get the info about location from the Netflix site? And have you ever used the Netflix app on your phone?

I had locations listed in Scotland and London, both places I've not been recently, for Android; I use the Android Netflix app.

If you have location switched off and you connected via mobile data, it's likely the location comes from where your mobile provider connects to the internet. This could be several places depending on where the mobile data is routed in their mobile network.

I did change passwords recently when 2 items appeared in 'mylist' that I'm sure I never added.
Ah, yeah, I do have it on two phones, both Android, and location is switched off. - Thing is, I'd not used either phone for Netflix for a very, very long time, *BUT* one of the phones had been on charge at the time, and I believe the Netflix app updated. - There's a more than reasonable chance it was this that caused it, especially considering just how ridiculously obscure (and long) all my passwords are.
“Man, my poor head is battered,” Ed said.

“That explains its unusual shape,” Styanar said, grinning openly now. “Although it does little to illuminate just why your jowls are so flaccid or why you have quite so many chins.”

“I…” Had she just called him fat? “I am just a different species, that’s all.”

“Well nature sure does have a sense of humour then,” Styanar said. “Shall we go inside? It’d not be a good idea for me to be spotted by others.”

Gavrushka
Posts: 8072
Joined: Fri, 26. Mar 04, 19:28
x4

Re: How did they do it? (Hacked)

Post by Gavrushka » Mon, 11. May 20, 16:32

Terre wrote:
Tue, 28. Apr 20, 19:33
I would still suggest a scan with Malwarebytes, just in case there is a miscreant onboard.
Malwarebytes was brilliant. Very easy to use, and ever so quick. Today I tried upgrading to premium, but when I went to the payment screen, the amount they were trying to charge my card was 30% higher than the one stated on the link I'd just clicked (within the antivirus software itself). Obviously I did the rational thing and raged at the screen, claiming they were all liars and cheats, before uninstalling the software and rebooting. - As a parting Malwarebytes gift, this had the effect of deleting every damned password off my computer, and I had to manually re-enter a number of ridiculously long, convoluted strings of symbols, letters and numbers. I invented many new expletives, each directed at malwareshytes, with each errant keyclick.

So, as I said, Malwarebytes is the pits. :gruebel:

g04tn4d0
Posts: 2040
Joined: Mon, 26. Apr 04, 12:58
x4

Re: How did they do it? (Hacked)

Post by g04tn4d0 » Tue, 7. Jul 20, 00:05

Gavrushka wrote:
Tue, 28. Apr 20, 17:50
I have the most exquisitely complex passwords imaginable, and yet someone just logged into my Netflix account from a phone... - I don't even get how such a thing is possible. - It'd be impossible to guess it (a VERY long series of upper and lower case letters, numbers AND symbols) and I don't manually type it in anywhere, so key presses can't have been logged, and I've antivirus (and all related malware /ransomware bla bla) on the computer.

So how is it possible? Eliminating the possibility of someone guessing (it would be over a trillion to one against), I can only imagine there's been an oops away from my computer. (And the email was a genuine Netflix one, not a phishing attempt.)

*EDIT* only recent change to my computer was to download and install Shogun 2, Total War, which was free on Steam. - Hack report arrived a few minutes afterwards.
Have you ever logged into Netflix while on public wifi? A lot of easy hacks revolve around man-in-the-middle.
