Decipher | https://decipher.sc | Decipher is an independent editorial site that takes a practical approach to covering information security. Through news analysis and in-depth features, Decipher explores the impact of the latest risks and provides informative and educational material for readers curious about how security affects our world. | Fri, 20 Sep 2019 00:00:00 -0400 | info@decipher.sc (Amy Vazquez) | Copyright 2019

'We Have to Stop Selling Fear' | Dennis Fisher (dennis@decipher.sc) | https://duo.com/decipher/we-have-to-stop-selling-fear | Fri, 20 Sep 2019 00:00:00 -0400

The United States’ top cybersecurity official is asking for government and private sector security experts to move beyond the platitude of information sharing and cooperate on a deeper level to help protect the country’s networks and critical infrastructure as the 2020 election approaches.

For the better part of two decades, when asked how the federal government could shore up the security of its networks, the go-to answer has been to improve information sharing between specialists in the private sector and their government counterparts. The thinking is that by sharing data on threats and attacks, both private enterprises and government agencies could improve their security postures and help identify emerging threats and vulnerabilities sooner. This has taken many forms over the years, both formal and informal, with organizations such as information sharing and analysis centers (ISACs) in specific industry verticals serving as clearinghouses for information flow.

One of the major complaints about the information sharing programs has been that much of the information flows from the private sector to the government, and little comes back the other way. However, that has improved in recent years as the federal government has been more forthcoming with information, especially regarding nation-state actors and their toolsets. But information sharing is by no means a cure-all, and Christopher Krebs, the director of the Cybersecurity and Infrastructure Security Agency (CISA), is asking for enterprises and government agencies alike to do more.

“I don’t know about you but I’m tired of hearing about information sharing and how it is going to solve every problem. It’s not,” Krebs said during the CISA Cybersecurity Summit this week.

“We don’t do it by sharing [indicators of compromise]. That’s part of the solution but it’s not the entire solution.”


With the next presidential election little more than a year away, the federal government’s cybersecurity apparatus is preparing to defend against not just direct attacks on government networks, but also disinformation campaigns by foreign actors and potential threats to the election infrastructure itself. The 2016 election season saw a wide range of disinformation and influence campaigns on social media platforms that have been attributed to foreign actors, and that’s not expected to change for the 2020 election.

But influence campaigns are just one piece of a much larger threat landscape, and Krebs urged defenders to prepare for what may be on the horizon. He cited the ransomware attacks on state and local governments throughout the summer as an example of the incidents defenders need to think about.

“Everyone knows what happens when we have a hurricane, what their role is. We don’t have that same doctrine built out for a large-scale cyber event. I had some sleepless nights this summer so my brain got to thinking, how can we take this thing forward?” he said.

“Ransomware could be deployed against a voter database. What does that resilient posture look like to make sure the American people have confidence in the voting process?”

Although the threats to the election process and federal and private networks are real, Krebs said it was incumbent on those in the security community to keep some perspective on the problem and not exaggerate the risks for short-term gains.

“We have to stop selling fear. Fear sells, but we have to do better than looking for the next mark. We have to take the hysteria out of the conversation. We have to have measured conversations about the risks,” Krebs said.

Emotet Malware Reawakens | Dennis Fisher (dennis@decipher.sc) | https://duo.com/decipher/emotet-malware-reawakens | Wed, 18 Sep 2019 00:00:00 -0400

The dangerous and highly adaptable Emotet malware has resurfaced after a short hiatus and the new spam campaigns that have cropped up this week are employing clever social engineering and tactics that allow the malware to evade many defensive technologies.

Emotet has been in circulation for more than five years and began its life as a typical banking trojan, stealing credentials for financial sites from infected computers. The main method Emotet’s operators used to accomplish this was injecting malicious code into running processes, and it has been quite successful over the years. Emotet spreads mostly through malicious spam messages, many of which have subject lines and sender addresses that make them appear to be from legitimate companies such as PayPal, Microsoft, and others. The messages typically include an attachment, often a Word document, that contains the malware.

The most recent spam run from the Emotet operators, which began Sept. 16, is using two interesting techniques that help bolster the malware’s successful infection rate and continue its propagation. One of the things the malware does after infecting a new machine is to scoop up the contents of the email inbox. It then uses the contents of legitimate messages in the victim’s inbox to build a new email that appears to be part of an existing thread, attaches the malicious document to it, and sends it to the victim. The technique boosts the legitimacy of the infected message in the eyes of the victim and makes it much more likely that the victim will open the email and the attachment.

“It's easy to see how someone expecting an email as part of an ongoing conversation could fall for something like this, and it is part of the reason that Emotet has been so effective at spreading itself via email. By taking over existing email conversations, and including real Subject headers and email contents, the messages become that much more randomized, and more difficult for anti-spam systems to filter,” Colin Grady, William Largent, and Jaeson Schultz of Cisco’s Talos Intelligence Group wrote in an analysis of the new Emotet campaign.

This technique has helped Emotet slip past many antispam and antimalware systems and find its way into the inboxes of victims. Spam and malware detection systems have become quite effective at catching the vast majority of junk and malicious messages, so people tend to place a fair amount of trust in the messages that do make it to their inboxes.

“Emotet's recent campaign didn't manage to evade spam traps entirely though, because some of the harvested emails were spam themselves; possibly with forged senders. Some of the emails we saw in our tests were such replies which, amusingly, included emails with an 'updated document' in response to dating spam,” Martijn Grooten of Virus Bulletin wrote in an analysis of the recent campaign.

“Even so, we noted that many products in our test lab failed to recognise the emails as either spam or malicious. This is part of a worrying trend we have seen for a while, with malicious spam campaigns having much higher delivery rates than regular spam, sometimes as much as ten per cent of the emails piercing through the first defence layer.”


In addition to the inclusion of manufactured email content, Emotet also has been seen using stolen email credentials to help turn infected machines into nodes in its spam botnet. Once it infects a new computer, Emotet will harvest the victim’s email username, password, and outbound mail server information and then use that information to send spam from the account. To feed that spam machine, Emotet’s operators use the hundreds of thousands of previously stolen credential sets in their database. Talos researchers looked at the credentials used in this operation and found that while many of them have quite a short useful lifespan, a small fraction are used for months at a time.

“Over the past 10 months, Cisco Talos collected 349,636 unique username/password/IP combos. Of course, many larger networks deploy multiple mail server IP addresses, and in the data we saw a fair amount of repeat usernames and passwords using different, but related mail server IPs. Eliminating the server IP data, and looking strictly at usernames and passwords, Talos found 202,675 unique username-password combinations,” the Talos researchers said.

“Since Talos was observing infections over a monthslong timeframe, we were able to make an assessment regarding the average lifespan of the credentials we saw Emotet distributing. In all, the average lifespan of a single set of stolen outbound email credentials was 6.91 days. However, when we looked more closely at the distribution, 75 percent of the credentials stolen and used by Emotet lasted under one day. Ninety-two percent of the credentials stolen by Emotet disappeared within one week. The remaining 8 percent of Emotet's outbound email infrastructure had a much longer lifespan.”
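The Talos figures above show how a mean lifespan of several days can sit alongside three quarters of credentials dying within a day: the distribution is heavily skewed by a small long-lived tail. The script below is an added example, not Talos code, showing how a defender can reproduce that kind of analysis from their own sightings of abused outbound-mail credentials. It collapses records that differ only in mail server IP into one username/password pair (the same reduction Talos describes), computes each pair's lifespan from first and last sighting, and reports the mean, the median and the fraction gone within a day and within a week. The records are constructed for illustration.

```python
from datetime import datetime
from statistics import mean, median

# Constructed sample sightings: (username, password, mail server IP, first seen, last seen).
# These values are invented for this example; they are not Talos data.
SAMPLE_RECORDS = [
    ("alice", "pw1", "10.0.0.1", "2019-01-01T00:00", "2019-01-01T06:00"),
    ("alice", "pw1", "10.0.0.2", "2019-01-01T00:00", "2019-01-01T12:00"),  # same pair, second IP
    ("bob",   "pw2", "10.0.1.1", "2019-01-02T00:00", "2019-01-02T03:00"),
    ("carol", "pw3", "10.0.2.1", "2019-01-03T00:00", "2019-01-05T00:00"),
    ("dave",  "pw4", "10.0.3.1", "2019-01-04T00:00", "2019-03-05T00:00"),  # long-lived tail
    ("erin",  "pw5", "10.0.4.1", "2019-01-05T00:00", "2019-01-05T18:00"),
]


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M")


def merge_by_credential(records):
    """Collapse records that differ only in server IP into one entry per
    username/password pair, keeping the earliest first-seen and latest last-seen."""
    merged = {}
    for user, password, _ip, first, last in records:
        key = (user, password)
        first_dt, last_dt = parse(first), parse(last)
        if key in merged:
            old_first, old_last = merged[key]
            merged[key] = (min(old_first, first_dt), max(old_last, last_dt))
        else:
            merged[key] = (first_dt, last_dt)
    return merged


def lifespans_in_days(merged):
    """Lifespan of each credential pair in days (fractional)."""
    return [(last - first).total_seconds() / 86400 for first, last in merged.values()]


def summarize(lifespans):
    """Mean, median and the share of credentials that stop being used quickly."""
    n = len(lifespans)
    return {
        "count": n,
        "mean_days": mean(lifespans),
        "median_days": median(lifespans),
        "under_one_day": sum(1 for d in lifespans if d < 1) / n,
        "within_one_week": sum(1 for d in lifespans if d <= 7) / n,
    }


def analyze(records):
    return summarize(lifespans_in_days(merge_by_credential(records)))


if __name__ == "__main__":
    stats = analyze(SAMPLE_RECORDS)
    print(f"{len(SAMPLE_RECORDS)} raw sightings -> {stats['count']} unique username/password pairs")
    for name, value in stats.items():
        print(f"{name:>16}: {value}")
```

On the constructed sample one 60-day credential pulls the mean to 12.675 days while the median is 0.75 days and 60 percent of pairs last under a day; reporting the distribution rather than only the average is what makes the short-lived majority and the persistent minority visible.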

This newest campaign surfaced after several months of inactivity from the Emotet operators. It’s not clear why the operators took a break, but now that they have ramped up their activity again it’s a good opportunity for enterprise defenders to remind users to be wary of unexpected emails, and warn against password reuse across multiple accounts.

Tortoiseshell Targets IT Providers in Supply Chain Attack | Fahmida Y. Rashid (fahmida@decipher.sc) | https://duo.com/decipher/tortoiseshell-targets-it-providers-in-supply-chain-attack | Wed, 18 Sep 2019 00:00:00 -0400

Symantec has identified a previously unknown attack group that targeted IT providers as an early stage of a supply chain attack operation. Researchers found the group had targeted 11 IT providers, mostly in Saudi Arabia, over the past year.

With heightened geopolitical tensions in the Middle East and growing cyberattack capabilities for a number of nation-states in the region, it would be appealing to link Tortoiseshell to a specific nation-state or attack group. However, Symantec does not believe Tortoiseshell has ties to previously identified nation-state espionage campaigns or existing cybercrime operations.

"We currently have no evidence that would allow us to attribute Tortoiseshell's activity to any existing known group or nation state," Symantec researchers wrote in their threat report.

Symantec said the fact that IT providers were targeted suggests this was an early stage in a supply-chain attack. Researchers were unable to determine whether Tortoiseshell’s plans involved compromising as many of the IT providers’ customers as possible or whether the group was looking for ways to compromise one or a few specific organizations. Compromising the IT provider would likely have given the group elevated privileges on customer networks, specifically because of the nature of the services they offer. Attacks against third-party suppliers are classic supply chain attacks, as organizations generally do not scrutinize activity from their suppliers as closely.

“IT providers are an ideal target for attackers given their high level of access to their clients' computers,” Symantec said. “This access may give them the ability to send malicious software updates to target machines, and may even provide them with remote access to customer machines.”

There are many ways attackers can use the compromised providers on their way to the final target, including hijacking a company’s software update mechanism and distributing modified software updates. NotPetya was such a case, where the attackers compromised a software application’s update mechanism to offer an update package that had been tampered with. Earlier this year attackers compromised computer maker Asus’s update utility and distributed malicious updates to over 1 million users around the world...as part of a highly-targeted operation against several hundred victims.

In at least one case, researchers found that hundreds of computers were infected with malware, indicating the group may have struggled to find the important devices it was interested in and cycled through many different machines first.

“This is an unusually large number of computers to be compromised in a targeted attack,” Symantec said. “It is possible that the attackers were forced to infect many machines before finding those that were of most interest to them.”

Supply chain attacks have been increasing in recent years, with Symantec estimating a 78 percent jump in the number of supply chain attacks in 2018.

Enterprise defenders have to sift through a large volume of information about existing threats and try to determine which of those attacks are more likely to impact their organization. Threat modeling requires thinking about the industry, the kind of assets the organization has, and what may be considered valuable. Supply chain attacks complicate the threat modeling exercise further, as the attack vector may be coming from a trusted partner. Or in the case of the suppliers, they may not be targeted because of any special technology or piece of information they may have, but just because they have a particular customer that may be of interest to someone else.

In the case of Tortoiseshell, the group used a combination of custom and off-the-shelf tools in its attacks, suggesting the group is interested in using whatever tool is available to carry out its goals. If nothing suitable exists, the group resorts to making custom tools. Organizations can sometimes get bogged down looking in their networks for indicators of compromise associated with sophisticated nation-state linked groups. But organizations also have to make sure they are scanning for and blocking well-known and readily available malware on their networks.

The initial infection vector remains a mystery, although researchers found a compromised web shell. “For at least one victim, the first indication of malware on their network was a web shell,” according to Symantec's threat report on Tortoiseshell, published today. “This indicates that the attackers likely compromised a web server, and then used this to deploy malware onto the network.”

In at least two of the attacks, the attackers gained domain administrator-level access and used the heightened privileges to deploy known information gathering tools onto the domain controller’s Netlogon directory. This gave attackers access to all machines on the network and the ability to harvest all manner of device and user information whenever the user logged into the network.
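Tools dropped into the domain controller’s Netlogon share reach every workstation because logon scripts are read from that share at each logon, so a change there is worth catching quickly. The script below is an added example, not Symantec’s tooling, of a simple integrity check a defender can run: hash every file in the share, keep the manifest as a baseline, and report files that were added, removed or modified, flagging any executable content among them. The share location is an assumption to adjust for your domain (the on-disk path behind `\\domain\NETLOGON` is typically under SYSVOL), and the demonstration builds a throwaway directory with constructed files instead of touching a real domain controller.

```python
import hashlib
import os
import tempfile

# Typical on-disk path of the NETLOGON share on a domain controller.
# Assumption for this example; substitute your own domain's path.
DEFAULT_NETLOGON_PATH = r"C:\Windows\SYSVOL\sysvol\example.local\scripts"

# File types that should not appear or change in a logon-script share without a change ticket.
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".ps1", ".vbs", ".bat", ".cmd", ".js")


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (relative path, forward slashes) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def diff_manifest(baseline, current):
    """Files that appeared, disappeared or changed content since the baseline."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    changed = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    return {"added": added, "removed": removed, "changed": changed}


def suspicious(diff):
    """Executable content among the added or changed files: review these first."""
    return sorted(
        p for p in diff["added"] + diff["changed"] if p.lower().endswith(EXECUTABLE_SUFFIXES)
    )


def simulate_netlogon_change():
    """Constructed scenario in a temp directory: baseline a share holding one logon
    script and a readme, then add a new binary and edit the script, and diff."""
    with tempfile.TemporaryDirectory() as share:
        with open(os.path.join(share, "logon.bat"), "w") as f:
            f.write("@echo off\nnet use H: \\\\fileserver\\home\n")
        with open(os.path.join(share, "README.txt"), "w") as f:
            f.write("logon scripts\n")
        baseline = build_manifest(share)

        # Changes after the baseline (constructed; the binary is a placeholder, not a real PE).
        with open(os.path.join(share, "collector.exe"), "wb") as f:
            f.write(b"MZ placeholder constructed for the example")
        with open(os.path.join(share, "logon.bat"), "a") as f:
            f.write("rem changed after baseline\n")
        current = build_manifest(share)

    diff = diff_manifest(baseline, current)
    return diff, suspicious(diff)


if __name__ == "__main__":
    diff, flagged = simulate_netlogon_change()
    print("added:  ", diff["added"])
    print("removed:", diff["removed"])
    print("changed:", diff["changed"])
    print("review first:", flagged)
```

In production the baseline manifest would be written to storage the domain controller cannot alter and `build_manifest(DEFAULT_NETLOGON_PATH)` run on a schedule; any entry in the diff should map to an approved change, and an unexplained executable in the share is the kind of finding the Symantec report describes.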

Tortoiseshell has been active since at least July 2018 and its most recent activity was in July of this year. In the most recent attack, Tortoiseshell used custom backdoor malware to collect device information such as the IP address, operating system version, and the hostname of the computer on the network. The backdoor then launched other readily-available information stealing malware to harvest user data.

Some of the IT providers had been previously targeted by other groups, as researchers found evidence in their networks of tools typically used by other nation-state backed groups. The presence of other groups should not be considered evidence linking Tortoiseshell to them; it indicates instead that attack groups are intensely interested in the Middle East for various geopolitical reasons.

Working Group Attempts Consensus on Encryption, Lawful Access | Fahmida Y. Rashid (fahmida@decipher.sc) | https://duo.com/decipher/working-group-attempts-consensus-on-encryption-lawful-access | Tue, 17 Sep 2019 00:00:00 -0400

Encryption Working Group Tries to Get Warring Sides to Talk

Law enforcement officials want a mechanism that would allow them to access encrypted messages sent between two people. Cryptographers say what the officials are asking for is impossible without undermining the fundamentals of encryption. Even if law enforcement officials like to frame the situation as a debate, it isn't. It is a stalemate.

For years, the two sides have sparred over the feasibility of lawful intercepts and encryption backdoors. The answer isn't "Think harder and make it work."

In an effort to break the logjam and push the conversation forward, the Carnegie Endowment for International Peace and Princeton University’s Center for Information Technology Policy put together an encryption working group to figure out if there was any kind of a starting point, a consensus, between the different groups. The result is the Moving the Encryption Policy Conversation Forward policy paper identifying specific areas where there may be some common ground, Tim Maurer, co-director of the Cyber Policy Initiative at the Carnegie Endowment, wrote on Twitter.

The working group offered "potentially more fruitful ways to evaluate the societal impact" of any proposed approaches and also attempted to break down the discussion into "its component parts." The group did not have new recommendations or proposals that could work, because they were unable to come up with any.

“We pushed hard to try to find consensus,” Alexander Macgillivray, a board member for Data & Society and the former deputy CTO of the United States, wrote on Twitter about the group's work. “It will surprise no one that we didn't get consensus on any way to give exceptional access to encrypted info for law enforcement that we believed was worthwhile.”

The value of the paper, at least for the working group participants, was in the realization that instead of talking about restricting all encryption, an idea that would never gain any kind of traction or support, policymakers should break the issue into component parts. Data needs to be collected to support or refute each component, and the risks and benefits of lawful access should be considered for each area separately. There are differences between types of encrypted data, and each type presents its own specific challenges.

"There will be no single approach for requests for lawful access that can be applied to every technology or means of communication," the working group wrote.

Instead of talking about restricting all encryption, the paper separates encrypted data at rest (storage) from encrypted data in motion (communication). Any debate about access to encrypted data should focus on data encrypted on a device rather than data being transferred across the network or between devices, the report said. Data in motion poses challenges because modern cryptographic protocols use a separate "session key" for each message, unrelated to the private/public key pairs used to initiate the communication, so that the contents of each message are kept secret independently of other messages. Any attempt to simplify the collection, or tracking, of these session keys would break that independence or substantially weaken it.

Encrypted data in motion “may not offer an achievable balance of risk vs benefit, and as such is not worth pursuing and should not be the subject of policy changes,” the report suggested.

Noted security expert Bruce Schneier expressed skepticism that there were any benefits to backdooring encryption for data at rest (or any type of encrypted data), but agreed with the working group that the two aspects "should be treated independently.” Policymakers should pick the problems there is some chance of solving, and not demand systems that put everyone in danger, such as key escrow (a master key held by law enforcement that is capable of decrypting everything) or software updates designed to break into devices (such as what the FBI wanted Apple to provide when it was trying to access the contents of an iPhone related to the 2015 shooting in San Bernardino, Calif.).

However, any discussion of proposals, such as on accessing data at-rest, must take into account the costs and benefits of providing that level of access to determine whether the proposal is viable. In the past, law enforcement has focused on the benefits (such as being able to solve investigations and arrest dangerous criminals) while the technology side—the security experts and the engineers making the technology—have focused on the costs. Both are necessary for a discussion to go anywhere.

The policy paper described a framework for weighing the costs and benefits, including defining use cases against which any proposal should be tested. The current conversation gets bogged down with those on the side of lawful access demanding ideas, so this framework provides a starting point on how to properly explore why bad ideas are bad.

Just because the working group recommended focusing future conversation on encrypted data-at-rest doesn't mean it suggested that it was okay, tolerable, even, to weaken the encryption that is used to secure the data where it is stored. The paper's stance was that if there had to be a discussion, this was one area where it may make sense to begin.

"We have not concluded that any existing proposal in this area is viable, that any future such proposals will ultimately prove viable, or that policy changes are advisable at this time," the working group warned.

The working group pulled together a number of well-known security experts and government officials, such as Jim Baker, the former general counsel of the FBI; Chris Inglis, the former deputy director of the NSA; Alexander Macgillivray, the former deputy U.S. CTO and co-founder of the technology non-profit Alloy; Susan Landau, a cybersecurity and policy professor at Tufts University; and Sean Joyce, the cybersecurity and privacy leader at PwC.

“Every group member signed off on the paper's consensus but also likely has opinions well beyond it,” Macgillivray wrote. “I am skeptical that we will ever find a worthwhile approach, but others might believe one is near. This was an attempt at consensus not enumeration of views.”

The group rejected the "two straw men," absolutist positions stating that there should be no attempt whatsoever to find ways to "enable access to encrypted information," and that law enforcement cannot protect the public at all if it can't access encrypted data. The point here isn't that law enforcement can't try to find ways to get at the data—but that it shouldn't undermine encryption basics in the process.

"We believe it is time to abandon these and other such straw men," the working group wrote in the report.

Errata Security's Rob Graham called out the group's use of "absolutist" as a "code word" on Twitter as it seems to refer to those opposing encryption backdoors. Any discussion of accessing encrypted data and what law enforcement can or cannot do, stems from law enforcement's conviction that the government has the right to view all information. Graham's point was that the absolutist position is not saying that encryption cannot be backdoored, but rather that law enforcement "must have absolutist access," in the first place.

"I would suggest that law enforcement give up its absolutist claim that they need 100% access to everything. I suggest that they accept the position that they can still protect the public without being able to decrypt every phone," Graham wrote.

In a speech at Fordham University earlier this summer, Attorney General William Barr pushed for a law that would force encrypted messaging apps such as WhatsApp to provide law enforcement officials with a decrypted copy of messages. The working group's main point seems to be that lawful access for smartphones should not compromise the encryption used to protect communication systems. The framework reframes the current situation, in which the technology companies and security experts are cast as the non-cooperating party, into one that forces the ones making the request to consider the risks of what is being proposed.

"If we cannot have a constructive dialogue in that easiest of cases, then there is likely none to be had with respect to any of the other areas," the working group said.

LastPass Fixes Bug That Leaked User Credentials | Dennis Fisher (dennis@decipher.sc) | https://duo.com/decipher/lastpass-fixes-bug-that-leaked-user-credentials | Mon, 16 Sep 2019 00:00:00 -0400

The LastPass password manager extension for some browsers had a serious vulnerability that, under some specific circumstances, would leak the credentials for the last site the user visited.

The vulnerability affects the LastPass extension for Chrome and Opera, and it arises from the way the extension produces pop-up windows in some cases. Security researcher Tavis Ormandy of Google’s Project Zero discovered the bug and reported it to LastPass, which released version 4.3.3 of the extension on Sept. 12 to fix it. Ormandy found that the browser extension doesn’t call a specific function, which means the extension will fill a new tab with the credentials that were used on the last site.

“Because do_popupregister() is never called, ftd_get_frameparenturl() just uses the last cached value in g_popup_url_by_tabid for the current tab. That means via some clickjacking, you can leak the credentials for the previous site logged in for the current tab,” Ormandy said in his bug report.

Exploiting the bug would require several steps, but the process isn’t overly complicated. Ormandy found that an attacker could get around the LastPass extension’s prompt if he tried to clickjack or copy and paste the credentials into the popup.

“This will prompt if you try to clickjack filling in or copying credentials though, because frame_and_topdoc_has_same_domain() returns false. This is possible to bypass, because you can make them match by finding a site that will iframe an untrusted page. Google will do this, for example,” he said.

LastPass has fixed the vulnerability and pushed an update that will install automatically for users of the browser extension. The update applies to all versions of the extension, although only the Chrome and Opera versions were affected by the vulnerability.

“To exploit this bug, a series of actions would need to be taken by a LastPass user including filling a password with the LastPass icon, then visiting a compromised or malicious site and finally being tricked into clicking on the page several times. This exploit may result in the last site credentials filled by LastPass to be exposed. We quickly worked to develop a fix and verified the solution was comprehensive with Tavis,” Ferenc Kun of LastPass said in a post on the flaw.

Vulnerabilities in password managers such as LastPass or 1Password tend to attract quite a bit of attention, and for good reason. Many enterprises rely on them to store sensitive credentials that could be quite damaging if they leaked. But password managers generally are still a safer option for most environments than storing passwords in the browser or rotating through a list of easy-to-remember passwords.

Simjacker Attack Exploits Deep-Seated Weakness in Phones | Dennis Fisher (dennis@decipher.sc) | https://duo.com/decipher/simjacker-attack-exploits-deep-seated-weakness-in-phones | Fri, 13 Sep 2019 00:00:00 -0400

A modern smartphone is less a phone than it is a collection of small computers housed in a very expensive glass and polished metal case. Those computers run a variety of software, much of which is invisible to the user, and software has bugs, some of which can be exploited in devastating ways.

Researchers have uncovered an arcane vulnerability in a piece of software buried deep in many mobile phones that can allow an attacker to gain control of a target phone surreptitiously, simply by sending a malicious SMS to the phone. The attack has been used by at least one group against victims in several countries and does not require the victim to click on a link in the message or visit an attacker-controlled website. The SMS contains a set of instructions for the SIM card, which is a tiny computer that gives the phone its identity and allows it to access data networks. Some cards hold a number of different applications on them that control low-level operations for the device. The attack that researchers at AdaptiveMobile Security observed and have named Simjacker exploits an issue with the SIMalliance Toolbox Browser, or S@T browser, an older piece of software on some SIM cards on GSM networks.

The researchers said they have seen the attack targeting phone numbers from a number of different countries. The specific attack that AdaptiveMobile has observed requires the target device to have the S@T Browser on the SIM card and to accept the kind of SMS messages that carry the instructions.

“This Simjacker Attack Message, sent from another handset, a GSM Modem or a SMS sending account connected to an A2P account, contains a series of SIM Toolkit (STK) instructions, and is specifically crafted to be passed on to the UICC/eUICC (SIM Card) within the device. In order for these instructions to work, the attack exploits the presence of a particular piece of software, called the S@T Browser - that is on the UICC,” Cathal Mc Daid, CTO of AdaptiveMobile, wrote in a post explaining the vulnerability and attack scenario.

“Once the Simjacker Attack Message is received by the UICC, it uses the S@T Browser library as an execution environment on the UICC, where it can trigger logic on the handset. For the main attack observed, the Simjacker code running on the UICC requests location and specific device information (the IMEI) from the handset. Once this information is retrieved, the Simjacker code running on the UICC then collates it and sends the combined information to a recipient number via another SMS (we call this the ‘Data Message’), again by triggering logic on the handset. This Data Message is the method by which the location and IMEI information can be exfiltrated to a remote phone controlled by the attacker.”


The result of the attack is that the remote adversary has access to a wide range of information on the exploited phone, including real-time location data, and also has the ability to send texts, make calls, open apps, and take other actions on the device. Mc Daid said most of the devices that the company has observed being targeted are attacked just once a week, although a small number are hit several times per week. This suggests that the attackers are not maintaining persistent access to the devices once they’re exploited.

“A few phone numbers, presumably high-value, were attempted to be tracked several hundred times over a 7-day period, but most had much smaller volumes. A similar pattern was seen looking at per-day activity, many phone numbers were targeted repeatedly over several days, weeks or months at a time, while others were targeted as a once-off attack,” Mc Daid said.

“These patterns and the number of tracking indicates it is not a mass surveillance operation, but one designed to track a large number of individuals for a variety of purposes, with targets and priorities shifting over time.”

Mc Daid, who plans to present more details on the vulnerability and attack at the Virus Bulletin conference next month, said the company has been working with mobile providers and network operators to address and mitigate the threat.

“We believe that the Simjacker attack evolved as a direct replacement for the abilities that were lost to mobile network attackers when operators started to secure their SS7 and Diameter infrastructure. But whereas successful SS7 attacks required specific SS7 knowledge (and access), the Simjacker Attack Message requires a much broader range of specific SMS, SIM Card, Handset, Sim Toolkit, S@T Browser and SS7 knowledge to craft,” Mc Daid said.

“This investment has clearly paid off for the attackers, as they ended up with a method to control any mobile phone in a certain country, all with only a $10 GSM Modem and a target phone number. In short, the advent of Simjacker means that attackers of mobile operators have invested heavily in new attack techniques, and this new investment and skillset means we should expect more of these kinds of complex attacks.”

<![CDATA[Decipher Podcast: Parker Thompson]]> dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/decipher-podcast-parker-thompson https://duo.com/decipher/decipher-podcast-parker-thompson Thu, 12 Sep 2019 00:00:00 -0400

The state of IoT security is not great, and despite increased pressure from lawmakers and regulators, vendors are actually going backward in some respects. A year-long study by the Cyber Independent Testing Lab of millions of IoT firmware binaries found that many manufacturers are removing various hardening technologies such as ASLR from their binaries over time. Dennis Fisher spoke with Parker Thompson of CITL about the results and what can be done to turn things around.

<![CDATA[Attack on Power Utility Highlights Need for Layered Defense]]> fahmida@decipher.sc (Fahmida Y. Rashid) https://duo.com/decipher/attack-on-power-utility-highlights-need-for-layered-defense https://duo.com/decipher/attack-on-power-utility-highlights-need-for-layered-defense Wed, 11 Sep 2019 00:00:00 -0400

The key takeaway from the recent Lesson Learned report from the North American Electric Reliability Corporation (NERC) is that utilities need layered defense. Relying on multiple controls ensures that even if one step is missed, something else would stop, or slow down, an attacker.

"Even in cases involving low-impact BES assets, an entity should strive for good cybersecurity policies and procedures," NERC said, a piece of advice that is relevant for all kinds of organizations, not just the ones in the energy sector.

A report from the National Energy Technology Laboratory from earlier in the year said a “cyber event” had caused “interruptions of electrical system operations” at an unnamed power utility in the western part of the United States. While the report didn’t provide any more details, energy and environment news outlet E&E News reported at the time that the incident involved exploiting a known vulnerability to cause a denial-of-service.

The good news is that the attack didn’t cause a blackout. The outages were not related to power generation, but to how different sites communicated with each other. The fact that the outages happened at several sites spurred an internal investigation, and led the utility to report the incident to regulators.

According to NERC's report, the vulnerability that was exploited existed in the web interface of the firewall used by the affected utility to provide "outer layer security." The vulnerability was a known flaw: if exploited, it would trigger a denial of service condition and cause the firewall to reboot.

A patch for the vulnerability was available in the form of a firmware update, but was missed by the utility’s defenders.

While NERC did not name the utility, the attack hit a grid control center and multiple remote small power generation sites, causing communication outages between them. The outages, each lasting only as long as it took the devices to reboot, were shorter than five minutes, but occurred repeatedly over a 10-hour timeframe. The outages stopped after the firewalls were updated.

“After an initial internal investigation, the entity decided that, in order to fully characterize the nature of the reboots and the potential causes, the firewall manufacturer should review logs,” NERC said. “Subsequent analysis determined that the reboots were initiated by an external entity exploiting a known firewall vulnerability. After receiving this notification, the entity initiated their event reporting procedure as dictated by their cybersecurity incident response plan.”

Not all the devices at the site that was impacted by the firewall reboot experienced communications disruptions, NERC said. Sites running firewalls in a high availability/redundant pair configuration were unaffected because the secondary firewall continued to work while the primary firewall rebooted.

"Firewall redundancy preserves functionality in the event of a single firewall failure," NERC noted. It also means there's less chance of service interruption or downtime when deploying firmware updates because one firewall will stay up while the other is being updated.

The utility has reviewed its process for updating firmware and reviewing vendor updates, but NERC didn't stop with just patch management in its Lessons Learned recommendations. The report is intended for transmission operators and owners, generation operators and owners, and distribution providers. As such it includes recommendations such as deploying virtual private networks and implementing access control lists as an additional filter for inbound traffic, applied even before that traffic reaches the firewall.

"Have as few internet facing devices as possible," NERC said. That would reduce the attack surface and minimize the impact. Segmenting the network, whether that's with internal firewalls or microsegmentation, will restrict lateral movement and minimize impact of a breach.

NERC also suggested monitoring for exploits out in the wild.

"Layer defenses. It is harder to penetrate a screening router, a virtual private network terminator, and a firewall in a series than just a firewall (assuming the ACLs and other configurations are appropriate)," NERC said.

Security experts have warned for years about possible attacks against the electric grid. The report confirmed that it was possible, that it has happened, and most concerning of all, that an attacker wouldn't need fancy tricks or complex tools to disrupt the electric grid.

<![CDATA[NetCAT Attack Can Leak Data From Some Intel Processors]]> dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/netcat-attack-can-leak-data-from-some-intel-processors https://duo.com/decipher/netcat-attack-can-leak-data-from-some-intel-processors Wed, 11 Sep 2019 00:00:00 -0400

A feature that Intel introduced in some of its server processors several years ago to help improve performance in some use cases brought with it a serious security weakness that researchers have discovered can be used to monitor keystrokes across a network and steal sensitive information, without the use of any malicious software.

The weakness is in the Data-Direct I/O (DDIO) feature in some Intel Xeon processors and the attack that researchers from Vrije University in Amsterdam developed allows them to leak information from the cache of a vulnerable processor. The NetCAT attack, as it’s known, can be run remotely across a network and the researchers said it could be used to steal information such as keystrokes in an SSH session as they occur.

“We show that NetCAT can break confidentiality of a SSH session from a third machine without any malicious software running on the remote server or client. The attacker machine does this by solely sending network packets to the remote server,” the researchers from VUSec wrote in their explanation of the attack.

“More precisely, with NetCAT, we can leak the arrival time of the individual network packets from a SSH session using a remote cache side channel. Why is this useful? In an interactive SSH session, every time you press a key, network packets are being directly transmitted. As a result, every time a victim types a character inside an encrypted SSH session on their console, NetCAT can leak the timing of the event by leaking the arrival time of the corresponding network packet.”

The vulnerability that the VUSec team discovered affects Intel Xeon E5, E7, and SP processors that support DDIO and Remote Direct Memory Access (RDMA). Intel has published an advisory on the vulnerability and recommends that customers limit direct access from untrusted networks in environments where DDIO and RDMA are enabled. DDIO is a feature Intel introduced in 2011 and it’s designed to improve server performance by allowing peripherals to write to and read from the processor’s last-level cache rather than slower main memory. The VUSec researchers discovered that they could exploit the way DDIO works to leak sensitive data over the network. Their attack is particularly problematic for cloud providers and data center operators, which rely on shared resources.

“In our attack, we exploit the fact that the DDIO-enabled application server has a shared resource (the last-level cache) between the CPU cores and the network card. We reverse engineered important properties of DDIO to understand how the cache is shared with DDIO. We then use this knowledge to leak sensitive information from the cache of the application server using a cache side-channel attack over the network. To simplify the attack, similar in spirit to Throwhammer, we rely on Remote Direct Memory Access (RDMA) technology. RDMA allows our exploit to surgically control the relative memory location of network packets on the target server,” the researchers said.

“The attacker controls a machine which communicates over RDMA to an application server that supports DDIO and also services network requests from a victim client. NetCAT shows that attackers can successfully spy on remote server-side peripherals such as network cards to leak victim data over the network.”

In a statement, Intel officials said the risk of compromise for most customers is low.

“Intel received notice of this research and determined it to be low severity (CVSS score of 2.6) primarily due to complexity, user interaction, and the uncommon level of access that would be required in scenarios where DDIO and RDMA are typically used. Additional mitigations include the use of software modules resistant to timing attacks, using constant-time style code. We thank the academic community for their ongoing research,” the statement says.

The NetCAT attack is somewhat similar to other side-channel attacks that have emerged in recent years, but it does not rely on any user interaction or require the attacker to have compromised the target machine. Rather, the attacker just needs to be able to send packets to the target machine in order to execute the NetCAT attack.

“We assume the attacker can interact with a target PCIe device on the server, such as a NIC. For the purpose of instantiating our attack in a practical scenario, we specifically assume the attacker is on the same network as the victim server and can send packets to the victim server’s NIC, thereby interacting with the remote server’s DDIO feature,” the research paper says.

“In particular, in our example we launch a cache attack over the network to a target server to leak secret information (such as keystrokes) from the connection between the server and a different client.”

<![CDATA[Mozilla Testing Firefox Private Network]]> dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/mozilla-testing-firefox-private-network https://duo.com/decipher/mozilla-testing-firefox-private-network Tue, 10 Sep 2019 00:00:00 -0400

Mozilla is launching a new extension for Firefox that adds VPN-like functionality to the browser and automatically protects users’ traffic when they’re on public networks.

The new extension is in a limited beta release right now and is only available for desktop Firefox users in the United States, but the company plans to make it broadly available in time. The Firefox Private Network extension isn’t exactly like a traditional virtual private network (VPN), but it is designed to provide some of the same functionality and privacy protections for people on public WiFi networks. The network hides users’ IP addresses and creates a private tunnel through a proxy to the destination website.

“The Firefox Private Network is an extension which provides a secure, encrypted path to the web to protect your connection and your personal information anywhere and everywhere you use your Firefox browser,” Marissa Wood, vice president of product at Mozilla, said.

“Your IP address is like a home address for your computer. One of the reasons why you may want to keep it hidden is to keep advertising networks from tracking your browsing history. Firefox Private Network will mask your IP address providing protection from third party trackers around the web.”

The Firefox Private Network relies on a proxy server on Cloudflare’s network, so traffic from an individual’s browser will be encrypted and sent from the browser to a Cloudflare data center and then to the destination website. In a typical VPN setup, a dedicated client on the user’s device establishes a secure connection to a server, usually on a corporate network. Many enterprises use VPNs as a way for remote or traveling employees to access corporate resources such as email or HR systems. And there are commercial VPN services available for consumers to use on public networks, which require the user to trust the network of the provider.

That’s also the case with the Firefox Private Network. The configuration requires users to trust Cloudflare’s network, one of the larger content delivery networks in the world. In a privacy statement about the Firefox Private Network, Cloudflare officials said that for each request made from the extension, Cloudflare will see the source and destination IP addresses, as well as the source and destination port numbers. That data will be deleted within 24 hours after each individual request. The company also emphasized that the Firefox Private Network is not designed to help people evade censorship controls in some countries.

“The intended use of the proxy service is to shield HTTP/HTTPS requests from eavesdropping by edge network providers such as public WiFi hotspots. Avoidance of geographical restrictions on content access is explicitly not a goal. The Mozilla extension will always make a secure request to the Cloudflare network, regardless if the request is for TLS or plaintext content,” Cloudflare’s statement says.

“When you access Internet properties that are not secured using Transport Layer Security, your HTTP request data will not be encrypted while in transit from the Firefox Private Network to the requested hostname. Cloudflare will not log your HTTP request data and will not use it for any purpose other than to provide the Firefox Proxy service.”

Firefox users can get the beta of the Private Network extension now.

<![CDATA[Decipher Podcast: Tanya Sam]]> dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/decipher-podcast-tanya-sam https://duo.com/decipher/decipher-podcast-tanya-sam Mon, 09 Sep 2019 00:00:00 -0400

Sometimes the most interesting careers don't follow a straight line, and that's certainly the case for Tanya Sam, the director of operations and partnerships at TechSquare Labs in Atlanta. Tanya spent years as an oncology nurse in Toronto and New York before moving to Atlanta and finding her way into the startup and security culture that thrives there and helping found a seed fund and incubator for early stage companies. As if that wasn't enough, she joined the cast of the Real Housewives of Atlanta this year, adding another layer to an already fascinating career.

<![CDATA[Exim Bug Allows Root Privileges]]> dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/exim-bug-allows-root-privileges https://duo.com/decipher/exim-bug-allows-root-privileges Mon, 09 Sep 2019 00:00:00 -0400

A serious vulnerability in the Exim mail transfer agent could be used by a remote attacker to gain root privileges on servers that have TLS enabled.

The weakness is present in all versions of Exim through 4.92.1 and can be triggered quite easily, with just one packet. The maintainers of Exim have developed a fix for the vulnerability and released version 4.92.2 to address it. Exim is one of the more popular MTAs and is included in several Linux distributions. It’s designed to serve as the mail relay between machines and is installed on millions of servers.

The specific problem patched in the new release lies in the way that Exim servers handle incoming TLS connections, which are a vital part of many installations. By sending a specially crafted sequence during the TLS handshake at the beginning of a connection, an attacker could trigger the vulnerability and gain root privileges on the vulnerable server.

“The vulnerability is exploitable by sending a SNI ending in a backslash-null sequence during the initial TLS handshake. The exploit exists as a POC,” the Exim advisory says.

The vulnerability also can be exploited locally. The one mitigation available for this flaw until the new version is installed is to disable TLS, but that is not a recommended move, as it would remove the confidentiality that TLS provides.

Although there has not been any report of a public exploit for this vulnerability, it’s the type of flaw that generally attracts the attention of attackers rather quickly. In June researchers at Qualys discovered a separate vulnerability in Exim that also was remotely exploitable.

“This vulnerability is exploitable instantly by a local attacker (and by a remote attacker in certain non-default configurations). To remotely exploit this vulnerability in the default configuration, an attacker must keep a connection to the vulnerable server open for 7 days (by transmitting one byte every few minutes). However, because of the extreme complexity of Exim's code, we cannot guarantee that this exploitation method is unique; faster methods may exist,” the Qualys advisory says.

Within a few days of that vulnerability disclosure, a worm emerged to exploit the flaw and began hitting unpatched servers en masse. The worm exploited the vulnerability and then installed a cryptominer on the compromised machine.

<![CDATA[Money for Nothing: Ransomware Plagues Local Governments]]> dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/money-for-nothing-ransomware-plagues-local-governments https://duo.com/decipher/money-for-nothing-ransomware-plagues-local-governments Fri, 06 Sep 2019 00:00:00 -0400

The string of ransomware attacks against state and local government agencies that began to ramp up a couple years ago is continuing unabated, and the attackers in some incidents are becoming quite aggressive with their ransom demands.

In July, municipal workers in New Bedford, Mass., returning from the Independence Day holiday found that some of the city’s computers were infected with the Ryuk ransomware. It wasn’t immediately clear how the infection happened or how far it had spread, but this week the mayor revealed that four percent of the city’s systems were affected and that some of those computers were still unusable. The number of infected machines is on the lower side as these attacks go, but the ransom demand certainly was not. The attackers wanted $5.3 million.

That would be a significant payout for a large enterprise, let alone a mid-sized city government. The New Bedford government came to the same conclusion, so the city offered the attackers $400,000 instead, to be paid from an insurance fund. A $400,000 payoff from someone opening your malicious attachment is a tidy wage, but the attackers saw it differently and rejected the offer. And then a funny thing happened: the attackers went dark. There were no further communications from them, so the New Bedford IT teams set about recovering from backups, a process that’s still ongoing.

City officials said that a total of 158 machines were infected by Ryuk and the IT team has completely rebuilt the city’s server network and replaced all of the computers that were hit by Ryuk.

“We live in a world now that is so interconnected that simply pulling up the proverbial drawbridge is unrealistic,” New Bedford Mayor Jon Mitchell said.

The New Bedford situation is unusual with regard to the ransom demand, but it’s increasingly common for ransomware to not only infect but cripple the systems in state, city, and local governments. Last month, more than 20 government agencies in Texas were hit with ransomware in a coordinated attack attributed to a single adversary. The City of Baltimore also was hit by a significant ransomware infection in May, an attack that brought down much of the city’s computer infrastructure for several weeks and prevented residents from paying city bills and completing many other transactions. As with the New Bedford attack, Baltimore’s city leaders refused to pay the ransom demand (about $100,000 in this case) and opted to try to recover from backups.

Data collected by security firm Barracuda on ransomware attacks shows that there were 55 attacks on governments through the end of August (excluding the Texas agencies, which had not been confirmed yet); 38 of the attacks were on local governments and 14 were on county governments. About 45 percent of the municipalities hit by ransomware have fewer than 50,000 residents. This is likely not by chance. Smaller cities and counties have smaller budgets and fewer resources to devote to IT in general and security specifically. New Bedford is on the higher end of that population scale, with close to 100,000 residents, but the city still faced a tough challenge in dealing with the ransomware infection.

“Going forward we’re going to have to spend some money on perhaps adding some personnel to MIS and perhaps a person with a security focus,” Mitchell said in a press conference Wednesday.

This week also saw a ransomware attack on the network of the Flagstaff Unified School District in Arizona that forced the city to close schools on Thursday and Friday. School officials haven’t said what strain of ransomware was involved and have not paid the ransom at this point.

“All Flagstaff Unified School District schools will be closed on Friday, September 6, 2019 due to the continuing work to respond to the cyber security attack. Progress was made today in securing critical FUSD systems, but unfortunately, work will need to continue through the weekend to ensure that students can return to school on Monday,” the school district said.

Although officials in many municipalities have refused to pay the ransom, some others have shelled out significant amounts of money to recover their data. Lake City, Fla., recently paid around $500,000 to ransomware attackers and Riviera Beach, Fla., paid almost $600,000 to get encrypted data back. Baltimore officials declined to pay a $100,000 ransom but have incurred recovery costs of more than $18 million to clean up the ransomware infection, and last year officials in Atlanta committed more than $8 million to recovery efforts after refusing to pay a $51,000 ransom demand.

Though the costs of recovering without paying the ransom can be exponentially higher, depending on the city’s backups and incident response plan, a new survey by IBM Security found that most people would rather their governments not use tax revenue to pay ransoms. Nearly 60 percent of people did not want their government paying ransoms with tax dollars, while more than 60 percent said they would rather see higher recovery costs than use tax dollars to pay ransomware demands.

The costs of running ransomware operations are vanishingly small for attackers and the returns can be quite high, so as long as that economic imbalance exists, the attacks will persist.

<![CDATA[Firefox Now Blocks Third-Party Cookies by Default]]> dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/firefox-now-blocks-third-party-cookies-by-default https://duo.com/decipher/firefox-now-blocks-third-party-cookies-by-default Wed, 04 Sep 2019 00:00:00 -0400

Mozilla has turned on blocking of third-party trackers by default in Firefox, a move that provides desktop and Android users with always-on protection against a wide range of tracking technologies that seek to follow people’s movements across the web.

The new protection is included in Firefox 69, which Mozilla released Tuesday, and is the latest step in a process that Mozilla started more than a year ago when it added the feature to the Nightly Firefox channel. By adding the feature to the main Firefox release and turning it on by default, Mozilla is relieving users of the burden of figuring out how to block trackers and which ones to block.

“For today’s release, Enhanced Tracking Protection will automatically be turned on by default for all users worldwide as part of the ‘Standard’ setting in the Firefox browser and will block known “third-party tracking cookies” according to the Disconnect list. We first enabled this default feature for new users in June 2019. As part of this journey we rigorously tested, refined, and ultimately landed on a new approach to anti-tracking that is core to delivering on our promise of privacy and security as central aspects of your Firefox experience,” Marissa Wood, vice president of product at Mozilla, said in a post explaining the move.

“Currently over 20% of Firefox users have Enhanced Tracking Protection on. With today’s release, we expect to provide protection for 100% of our users by default. Enhanced Tracking Protection works behind-the-scenes to keep a company from forming a profile of you based on their tracking of your browsing behavior across websites — often without your knowledge or consent. Those profiles and the information they contain may then be sold and used for purposes you never knew or intended. Enhanced Tracking Protection helps to mitigate this threat and puts you back in control of your online experience.”

Third-party cookies are one of the many mechanisms that site owners and ad networks use to keep tabs on what content people interact with and what sites they visit. The networks and site owners can use that information to build histories and profiles of individuals, which they then use to tailor ads and other content. Firefox’s Enhanced Tracking Protection gives people the ability to click on an icon in the address bar to see which specific tracking cookies the browser is blocking on a given site. Firefox 69 also includes protection against cryptominers, a feature that was in beta builds of earlier releases.

“Cookies are not the only entities that follow you around on the web, trying to use what’s yours without your knowledge or consent. Cryptominers, for example, access your computer’s CPU, ultimately slowing it down and draining your battery, in order to generate cryptocurrency — not for yours but someone else’s benefit. We introduced the option to block cryptominers in previous versions of Firefox Nightly and Beta and are including it in the ‘Standard Mode‘ of your Content Blocking preferences as of today,” Wood said.

Firefox 69 also includes fixes for several security vulnerabilities, most importantly a critical code-execution flaw that affects Firefox on Windows.

“Logging-related command line parameters are not properly sanitized when Firefox is launched by another program, such as when a user clicks on malicious links in a chat application. This can be used to write a log file to an arbitrary location such as the Windows 'Startup' folder,” the advisory says.

<![CDATA[Modified Orcus and Revenge RATs Infesting Networks]]> dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/modified-orcus-and-revenge-rats-infesting-networks https://duo.com/decipher/modified-orcus-and-revenge-rats-infesting-networks Tue, 03 Sep 2019 00:00:00 -0400

Getting persistent malware onto a corporate network is one of the main goals of many attack groups and they’re constantly looking for new methods to get the job done. But sometimes it’s the tried-and-true techniques that are the most effective. Researchers have been following the activity of one group that is using high-quality spear phishing emails targeting financial services companies and government agencies to install a modified version of the well-known Orcus RAT and exfiltrate a variety of sensitive data.

Remote access trojans (RATs) have been popular tools for many different types of attack groups for a long time. They usually offer a broad feature set and give attackers one of the things they covet most: persistent remote access to a target network. Some RATs are developed for the specific use of one person or group and don’t become public, but many others are sold widely in underground forums. In some cases, the source code for the malware also becomes public, and that was the case with the Orcus RAT and the RevengeRAT. Having the source code allows attackers to make modifications, which can not only make the malware more effective but also help it slip past defensive systems.

In a recent set of campaigns that have targeted a variety of high-profile organizations, one adversary group was using modified versions of both Orcus and RevengeRAT to steal information. The campaigns rely on targeted phishing emails that pretend to come from organizations such as the Better Business Bureau and inform the recipient about an alleged complaint against the company or agency. The messages contain either a malicious ZIP attachment or a link to an attacker-controlled server where the malware is hosted.

“A PE32 executable is inside of the ZIP archive. It needs to be executed by the victim to infect the system with Orcus RAT. The PE32 filename features the use of double extensions (478768766.pdf.exe) which, by default on the Windows operating system, will only display the first extension (.PDF.) The PE32 icon has been set to make the file appear as if it is associated with Adobe Acrobat,” Edmund Brumaghin and Holger Unterbrink of Cisco’s Talos Intelligence Group wrote in an analysis of the campaign.

“This loader (478768766.pdf.exe) is protected by the SmartAssembly .NET protector (see below), but can easily be deobfuscated via de4dot. It is responsible for extracting and decrypting the Orcus RAT. It extracts the Orcus executable from its Resource "人豆认关尔八七".”

After the extraction process, the malware goes through several more steps that ensure that the Orcus RAT file isn’t written in clear text to the compromised machine’s disk. It then creates a shortcut in the Startup directory that points to the executable, which gives the malware persistence on the machine. Some versions of the malware used in the campaigns also employed a variety of obfuscation techniques designed to make it more difficult for researchers to analyze the malware. Interestingly, the attackers in the campaigns that Talos analyzed also took the extra step of trying to disguise the command-and-control infrastructure by using Dynamic DNS and forwarding traffic to Portmap, which is a port-forwarding service.

“The adversaries used at least two different RATs in the campaigns which we have closely analyzed: Orcus RAT and RevengeRAT. For both RATs, the source code was leaked in the underground and several adversaries have used it to build their own versions,” the Talos analysis says.

“The adversaries changed the source code slightly. They moved the original code into separate functions and changed the execution order a bit plus added other minor changes like additional variables, but overall the code is still very similar to the leaked code. On the other hand, it is modified so that the resulting binary looks different for AVs.”

This type of phishing campaign, which spreads these RATs, has been deployed widely in the last few years, especially against organizations in highly regulated industries such as financial services, insurance, and government. A number of separate attack groups have been linked to this type of campaign; the techniques and malware families involved tend to vary and have also included ransomware infections.

<![CDATA[Long-Running Attack Campaign Targeted iPhones]]> dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/long-running-attack-campaign-targeted-iphones https://duo.com/decipher/long-running-attack-campaign-targeted-iphones Fri, 30 Aug 2019 00:00:00 -0400

For at least two years, an unknown group of attackers was using several complex chains of exploits for vulnerabilities in iOS to compromise the iPhones of visitors to a handful of hacked websites and install a piece of malicious software that could steal any information on the device and send real-time location tracking data back to the attackers.

The exploit chains were in use from around the time that iOS 10 was released in September 2016 up through the beginning of 2019, and each individual chain worked against the latest, fully patched version of iOS available at the time. Researchers with Google’s Threat Analysis Group discovered the hacked websites that the attackers were using in early 2019 and eventually uncovered the five individual exploit chains. Working with researchers from Google’s Project Zero, the team analyzed the exploits, the attack techniques, the vulnerabilities the exploits targeted, and the victim profiles, and pieced together the details of a long-running, expertly crafted campaign targeting iPhone users.

Two of the vulnerabilities that Project Zero discovered were still unpatched at the time, and the team reported the bugs to Apple, which released an out-of-band update for iOS in February to fix them. Interestingly, unlike many campaigns that use zero day vulnerabilities, this campaign didn’t target a small group of users.

“There was no target discrimination; simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant. We estimate that these sites receive thousands of visitors per week,” Ian Beer of Project Zero wrote in one of a series of detailed posts on the iOS attack campaign.

“TAG was able to collect five separate, complete and unique iPhone exploit chains, covering almost every version from iOS 10 through to the latest version of iOS 12. This indicated a group making a sustained effort to hack the users of iPhones in certain communities over a period of at least two years.”

The attack scenario in this campaign, known as a watering hole attack, is a common one but it’s more often used in lower-level campaigns carried out by cybercrime groups. The technique relies on victims happening upon the hacked sites on their own, rather than being directed to the sites through a spear phishing campaign. The combination of spear phishing, zero day vulnerabilities and exploit chains that work against fully patched iOS devices is more indicative of a nation-state campaign than a cybercrime operation.

The malware that this campaign installed on victims’ devices also was quite sophisticated. It has the ability to access unencrypted messages stored on the device by apps including iMessage and WhatsApp, both of which encrypt messages from end to end. The implant also makes copies of the photos on a victim’s device and the entire contacts database and uploads the contents of the device’s keychain, which contains the victim’s credentials and other sensitive data. In short, the implant is the kind of malware that attackers dream of having on an iPhone.

“There is no visual indicator on the device that the implant is running. There's no way for a user on iOS to view a process listing, so the implant binary makes no attempt to hide its execution from the system. The implant is primarily focused on stealing files and uploading live location data. The implant requests commands from a command and control server every 60 seconds,” Beer said.

“The implant has access to all the database files (on the victim’s phone) used by popular end-to-end encryption apps like WhatsApp, Telegram and iMessage.”

The implications of this attack campaign are quite interesting. Most campaigns with this level of effort, investment, and expertise are constructed to target a relatively small number of people. That could be a handful of diplomats or political dissidents in a specific country or it could be executives at a few companies in a specific industry. The financial and technical resources needed to develop the exploit chains as well as the implant are significant, which limits the number of groups capable of producing them. This is the kind of work most often associated with intelligence agencies and other nation-state affiliated adversary groups, but those groups typically don’t expend their resources on indiscriminate watering hole attacks.

For people who don’t necessarily fall into a high-risk group, this research underscores the fact that high-level adversaries may not be targeting them specifically, but exploitation is still a possibility.

“Real users make risk decisions based on the public perception of the security of these devices. The reality remains that security protections will never eliminate the risk of attack if you're being targeted. To be targeted might mean simply being born in a certain geographic region or being part of a certain ethnic group,” Beer said.

“All that users can do is be conscious of the fact that mass exploitation still exists and behave accordingly; treating their mobile devices as both integral to their modern lives, yet also as devices which when compromised, can upload their every action into a database to potentially be used against them.”

<![CDATA[Disinformation Attacks Aren't Just Against Elections]]> fahmida@decipher.sc (Fahmida Y. Rashid) https://duo.com/decipher/disinformation-attacks-aren-t-just-against-elections https://duo.com/decipher/disinformation-attacks-aren-t-just-against-elections Thu, 29 Aug 2019 00:00:00 -0400

Lies proliferate on social media, and it is even harder to sift out truth from fiction when it looks like the message is coming from a real person. Mix in some uncertainty as to whether the falsehood is part of a deliberate campaign to hurt the company or just typical online shenanigans, and it's the beginnings of a security headache.

Dealing with false claims posted on social media or other online platforms falls under online reputation management and is generally the responsibility of marketing or public relations, not traditional security. And while disinformation is getting a lot of attention in security circles, the discussion primarily tends to be in the context of election security. However, hacking social media accounts, or creating fake accounts, to post false messages about a company is absolutely a disinformation campaign and warrants at least some kind of a discussion within the security team.

“We are seeing more instances of individuals and groups using disinformation tactics to target companies, which is much more than a brand issue,” said Cindy Otis, director of analysis at Nisos.

Earlier this week, a Twitter account belonging to an English professor posted that Olive Garden was one of the companies “funding Trump’s election in 2020” and suggested that people should stop going to the restaurant. As is fast becoming common whenever politics and well-known brands collide, Twitter users responded with calls for a boycott. Over a two-day period, the #BoycottOliveGarden hashtag received more than 52,500 mentions (including tweets, quote tweets, and retweets) from 48,700 users, with a reach of 139.4 million and 169.4 million impressions.

The initial message was false.

“We don’t know where this information came from, but it is incorrect. Our company does not donate to presidential candidates,” the restaurant chain posted on its social media channels over and over again, trying to counter the boycott messages. When the speculation switched to the restaurant’s parent company, Olive Garden added, “To clarify, Darden does not donate to federal candidates.”

While this looked like just another day of social media monitoring and political discord on Twitter, there was a twist: the account’s owner was not responsible for the initial message.

A Cascade

About a day after the initial message was originally posted, the owner of the account said someone had compromised the Twitter account and posted the false detail about Olive Garden. The original message was removed and the account owner tried to set the record straight, but lies spread much more readily on social media than truth. And once a lie gains traction, it is really hard to debunk it.

“Social media posts like this were often the initial stages of a cascade,” said Greg Young, vice-president of cybersecurity at Trend Micro. The more legitimate an account appears, the more likely that the message will get amplified. A compromised account—such as that of an established English professor—is the “perfect seed,” Young said.

While disinformation campaigns frequently rely on a bot army or a network of fake accounts to post and spread the false content, a Massachusetts Institute of Technology study found that false reports get retweeted more by humans than by bots. This is the cascade Young mentioned: as the false information percolates through the platform, legitimate, uncompromised accounts increase the campaign’s momentum as regular people start pushing the content.

“The idea was to get the ball rolling in order for the natural effects of a social network to take the planted message and make it trend,” Young said.

Abusing social media to damage an organization’s reputation is a commonly used tactic, and according to Trend Micro’s research on Twitter activity, spreading misinformation is a common service offered in underground and “gray” marketplaces. Researchers identified examples of services offering to post messages from "influential" accounts with thousands of followers, along with other types of manipulation campaigns, in an earlier Trend Micro report on disinformation online.

These offerings can be considered an “outgrowth of existing services such as black hat search engine optimization, click fraud, and the sale of human and bot traffic,” Trend Micro wrote at the time.

In this instance, one false tweet was able to reach more than 100 million people. “A coordinated plan to hack multiple accounts to spread disinformation could have more devastating consequences,” Otis said.

Breach Lesson

The Olive Garden incident highlights another important lesson about post-data breach response. The email address associated with the Twitter account responsible for the initial post about the restaurant and the password for that email account were both exposed in an earlier (different) data breach, Otis said. As the information was available in underground forums, there are two possible ways the Twitter account was compromised: the attacker tried the email password and found that the password had been reused, or the attacker had control of the email account (using the exposed credentials) and reset the password using Twitter’s forgot-password mechanism.

It’s not known whether the same password was reused for Twitter, but password reuse continues to be a problem. The original poster admitted having been advised, repeatedly, to change passwords after the email account was compromised, but had not done so. With the recent wave of data breaches, the reminders to change passwords can get annoying, but it is an important first line of defense to keep accounts from getting compromised. Turning on multi-factor authentication boosts the odds even more.

Typically, when victims are told to change their passwords, and to make sure they aren't reusing passwords, the focus is on follow-up attacks against them. Lose control of the email account and bank accounts will be compromised. Personal information leaked means potential for spear phishing attacks. But as this incident shows, the attacker may not care about the owner of the account at all. The account is a way to get hold of the tools necessary to carry out an attack completely unrelated to the breached victim. In this case, that tool was a social media account that could be used to mess with a chain restaurant.

Might be a Coincidence

Earlier in the month, a handful of Twitter accounts circulated a list of popular fast-food restaurants supposedly supporting the re-election campaign. The list didn't get a lot of attention initially, and the Washington Post said the information was incorrect, but the list continued to float around. The fact that Olive Garden was included on that list may just be a coincidence, or it may indicate some kind of an advance effort was underway to lay the groundwork for this kind of a campaign.

It's a cycle. Someone may see a post on social media about a company. If a quick search (usually on the same platform) pulls up other people talking about the same post, as well as older posts that seem to be talking about the same thing, then that lends credibility to the post.

Social media monitoring is a valuable intelligence gathering tool, as security teams can uncover details about ongoing threats and attack indicators buried inside social media posts. Social media posts are often the first indicator when issues are being exploited or a company is being targeted. This also means expanding the definition of disinformation to consider that things posted online can directly impact a company's overall risk, as well.

<![CDATA[Imperva Discloses Data Breach, Theft of Customer API Keys]]> dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/imperva-discloses-customer-data-breach-theft-of-api-keys https://duo.com/decipher/imperva-discloses-customer-data-breach-theft-of-api-keys Wed, 28 Aug 2019 00:00:00 -0400

Security firm Imperva says that the API keys and SSL certificates of some of the customers who use the company’s Cloud Web Application Firewall were exposed in a recent breach, along with the email addresses and hashed passwords of a larger group of customers.

The company became aware of the breach on August 20 when a third party informed company officials of the problem. The data exposure only affects customers of the Cloud WAF product, which was formerly known as Incapsula, and is limited to customers who had accounts through about two years ago.

“On August 20, 2019, we learned from a third party of a data exposure that impacts a subset of customers of our Cloud WAF product who had accounts through September 15, 2017,” said Chris Hylen, CEO of Imperva.

“We profoundly regret that this incident occurred and will continue to share updates going forward. In addition, we will share learnings and new best practices that may come from our investigation and enhanced security measures with the broader industry. Imperva will not let up on our efforts to provide the very best tools and services to keep our customers and their customers safe.”

Though the exposure of customer email addresses and hashed and salted passwords is problematic, the much larger issue is the exposure of the API keys and SSL certificates. With those in hand, an attacker would have privileged access to the target customer’s Cloud WAF installation. That access could allow the attacker to modify rules on the WAF to let his own traffic, or that of other attackers, through.

As part of the response to the breach, Imperva officials have forced password resets for all of the affected customers and are encouraging them to enable two-factor authentication on their accounts. The 2FA options that Imperva provides include receiving passcodes through email or SMS, or using the Google Authenticator app.

The Imperva Cloud WAF is one of a handful of enterprise-class WAFs that are designed to provide protection from web-based attacks through a cloud-based implementation.

<![CDATA[Attackers Targeting Vulnerability in Pulse Secure VPN]]> dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/attackers-targeting-vulnerability-in-pulse-secure-vpn https://duo.com/decipher/attackers-targeting-vulnerability-in-pulse-secure-vpn Tue, 27 Aug 2019 00:00:00 -0400

Attackers are actively scanning for endpoints running versions of the popular Pulse Secure VPN software that are vulnerable to a critical remotely exploitable vulnerability that was disclosed recently.

There is a publicly available exploit for the bug, and researchers have seen large-scale scanning activity by attackers searching for vulnerable machines. Pulse Secure is an SSL VPN that is used in many enterprise environments and the details of the vulnerability have been public for several weeks now. The weakness allows a remote attacker to read an arbitrary file on a vulnerable system, potentially stealing passwords or other sensitive data. It affects several versions of the Pulse Connect Secure and Pulse Policy Secure software. Pulse Secure posted an initial advisory on the vulnerability in late April, but after researchers discussed the bug at Black Hat in early August, attackers took notice.

“This includes an authentication by-pass vulnerability that can allow an unauthenticated user to perform a remote arbitrary file access on the Pulse Connect Secure gateway. This advisory also includes a remote code execution vulnerability that can allow an authenticated administrator to perform remote code execution on Pulse Connect Secure and Pulse Policy Secure gateways. Many of these vulnerabilities have a critical CVSS score and pose significant risk to your deployment,” the advisory says.

In the last few days, researchers began noticing widespread scans by systems looking for machines that are vulnerable to CVE-2019-11510, the arbitrary file read vulnerability. The attackers typically are trying to get to the file that contains users’ passwords for the VPN.

“On Thursday, August 22, 2019, our honeypots detected opportunistic mass scanning activity from a host in Spain targeting Pulse Secure “Pulse Connect Secure” VPN server endpoints vulnerable to CVE-2019-11510. This arbitrary file reading vulnerability allows sensitive information disclosure enabling unauthenticated attackers to access private keys and user passwords. Further exploitation using the leaked credentials can lead to remote command injection (CVE-2019-11539) and allow attackers to gain access inside the private VPN network,” Troy Mursch of threat intelligence firm Bad Packets said in a post on the scanning activity.

“On Friday, August 23, 2019, our honeypots detected additional mass scanning for CVE-2019-11510 from another host in Spain. In both cases, the exploit activity attempted to download the “etc/passwd” file which contains the usernames associated with the VPN server (not client accounts). A successful “HTTP 200/OK” response to this scan indicates the VPN endpoint is vulnerable to further attacks. Given the ongoing scanning activity, it’s likely the attackers have enumerated all publicly accessible hosts vulnerable to CVE-2019-11510.”
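Defenders can look for the same signal Bad Packets describes, requests for "etc/passwd" against the VPN endpoint and whether any of them drew an HTTP 200, in their own web access logs. The following is an added example, not code from Bad Packets or Pulse Secure: it parses constructed combined-format log lines, flags traversal-style file-read probes (handling URL encoding), and summarizes per source address. The IPs, timestamps and the /vpn path are constructed placeholders and do not reflect the real Pulse Connect Secure URL layout.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines (Apache combined format). Addresses are from the
# documentation ranges; they are not the scanning hosts Bad Packets observed.
SAMPLE_LOG = """\
203.0.113.7 - - [22/Aug/2019:10:01:12 +0000] "GET /vpn/login HTTP/1.1" 200 4213 "-" "Mozilla/5.0"
203.0.113.7 - - [22/Aug/2019:10:01:13 +0000] "GET /vpn/../../../../etc/passwd HTTP/1.1" 200 1842 "-" "python-requests/2.22"
203.0.113.7 - - [22/Aug/2019:10:01:14 +0000] "GET /vpn/..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 404 210 "-" "python-requests/2.22"
198.51.100.9 - - [23/Aug/2019:08:45:01 +0000] "GET /vpn/login HTTP/1.1" 200 4213 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def is_file_read_probe(path):
    """True if the request path looks like an attempt to read /etc/passwd or
    otherwise traverse out of the web root. Decoding twice catches
    double-encoded traversal sequences."""
    decoded = unquote(unquote(path)).lower()
    return "etc/passwd" in decoded or "../" in decoded


def detect_probes(log_text):
    """Return one event dict per probe request. vulnerable_response is True
    when the server answered 200, which the Bad Packets post treats as an
    indicator that the endpoint is exposed to CVE-2019-11510."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_file_read_probe(m["path"]):
            continue
        events.append({
            "ip": m["ip"],
            "ts": m["ts"],
            "path": m["path"],
            "status": int(m["status"]),
            "vulnerable_response": m["status"] == "200",
        })
    return events


def summarize(events):
    """Group probes by source IP: how many were seen and whether any got a 200."""
    summary = {}
    for e in events:
        s = summary.setdefault(e["ip"], {"probes": 0, "got_200": False})
        s["probes"] += 1
        s["got_200"] = s["got_200"] or e["vulnerable_response"]
    return summary


if __name__ == "__main__":
    for ip, s in summarize(detect_probes(SAMPLE_LOG)).items():
        verdict = "ENDPOINT LIKELY VULNERABLE" if s["got_200"] else "probed, no 200"
        print(f"{ip}: {s['probes']} probe(s), {verdict}")
```

A 200 to one of these probes should be treated as a patch-now signal for the VPN appliance, not just a scanning nuisance.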

The vulnerability is obviously quite serious on its own, but late last week an exploit for it was published on GitHub, making the situation even more concerning. Pulse Secure has patches available for all of the vulnerable versions, and enterprises should prioritize that fix, given the current scanning and availability of the exploit.

Mursch said Bad Packets did a scan of its own to enumerate vulnerable endpoints and found more than 14,000 systems that were still vulnerable to CVE-2019-11510, more than a third of which are in the United States.

<![CDATA[Encryption Experts Asked G7 to Set the Right Example]]> fahmida@decipher.sc (Fahmida Y. Rashid) https://duo.com/decipher/encryption-experts-asked-g7-set-right-example https://duo.com/decipher/encryption-experts-asked-g7-set-right-example Tue, 27 Aug 2019 00:00:00 -0400

Prior to the beginning of the G7 summit in France, encryption experts around the world wrote an open letter to G7 leaders asking them to not undermine encryption. While the end of the summit didn’t result in any pro-encryption statements from the G7 leaders, the fact that there weren’t any more calls for lawful access may be a relief.

Lawful access is a legal concept about how governments can intercept or seize information as part of law enforcement or intelligence activity. Some governments want to legally require companies to provide to law enforcement and intelligence agencies access to encrypted content. Even though cryptographers and encryption experts had warned that there isn’t a way to set up encryption so that only “good guys” can read it and “bad guys” can’t, government officials continue to argue that there must be a technical way to make this happen.

The G7 Open Letter was a “call to the G7 and other world leaders not to undermine encrypted services in pursuit of law enforcement access to encrypted content,” said Christine Runnegar, senior director of Internet Trust at the Internet Society. That means not demanding intentional backdoors in services and products that use encryption, not withholding disclosure of vulnerabilities so that they can be patched in a timely manner, not disabling encryption where it is turned on by default, and not banning or restricting the use of encrypted services.

Insisting on this course of action would undermine the security of digital communication and data, and make everyday activities such as online banking, online shopping, and keeping in touch with friends and family hard to do.

“[Notably,] we ask you to protect and promote strong encryption which is the foundation for our digital economies, digital societies, and interdependent lives,” the experts wrote in the letter, titled A Joint Call to World Leaders for a Secure and Trusted Digital Economy. The letter was signed by over 30 global organizations, including the Internet Society, Access Now, Electronic Frontier Foundation, Association for Progressive Communications, and the World Wide Web Foundation.

These are troubling times. The United Kingdom and Australia have passed legislation requiring service providers to be able to hand over to law enforcement the contents of encrypted communications. India wants message traceability for end-to-end encrypted messaging apps. The government of Kazakhstan asked the country’s internet service providers to encourage users to install a government-controlled root certificate on their computers. The United States has long called for lawful access, and Attorney General William Barr signaled that the Department of Justice is willing to push for lawful access, especially for personal encrypted messaging apps such as WhatsApp.

At the last G7 ministers summit in April, the finance ministers expressed support for law enforcement to have backdoor access to encrypted communications, while acknowledging the importance of “not prohibiting, limiting, or weakening encryption.” The resolution from that summit urged technology companies to “establish lawful access solutions for their products and services, including data that is encrypted,” for law enforcement (and related authorities) to access when necessary (in the case of an investigation, for example), “while ensuring that assistance requested from internet companies is underpinned by the rule of law and due process protection.”

This G7 summit did not release a similar statement.

However, the “Five Eyes” nations—intelligence agencies from the United Kingdom, United States, Australia, Canada, and New Zealand—met in London recently, and echoed the demands for backdoor access (UK’s GCHQ has called it a “ghost protocol”) so that they can investigate serious crimes and acts of terrorism. UK police have claimed that at least one of the people involved in the terror attack on the London Bridge used the encrypted messaging app WhatsApp, but that they are unable to see the contents of the messages.

For the encryption experts, it was critical to remind the G7 leaders that encryption technologies “protect the integrity and confidentiality of digital data and communications” by securing web browsing, online banking, and critical public services like electricity, elections, hospitals and transportation. The demands for lawful access bring “uncertainty and impact to customers’ buying decisions” because customers are left wondering whom to trust with their data, Runnegar said. The diminished trust in security products and, by extension, the companies behind them, would have “consequences for tech export markets, jobs, and innovation in the security industry,” Runnegar said.

Just before the G7 leaders met, a coalition of trade groups representing some of the largest technology companies in the United States, Europe, and the Asia-Pacific sent a letter of 12 recommendations on global technology issues. In that letter, which touched upon digital trade, cross-border data flows, tax policy, and AI, the trade groups recommended the G7 enhance cybersecurity by using “risk-based approaches grounded in global, consensus-based, industry-led standards and best practices.” The letter was signed by trade groups such as the Information Technology Industry Council (ITI), Computer & Communications Industry Association, the Communications and Information Network Association of Japan, Software and Information Industry Association, and techUK.

The groups said the member countries should “Oppose measures that force disclosure of source code, algorithms, encryption keys, or other sensitive information as a condition of doing business,” something companies are worried will happen more as countries pass their own laws around encryption.

“Other countries look to the G7 when making their own policies and laws, so what the G7 countries do could be replicated across the world,” Runnegar said. “We are asking leaders to set the right example on encryption.”