Decipher (https://decipher.sc)
Decipher is an independent editorial site that takes a practical approach to covering information security. Through news analysis and in-depth features, Decipher explores the impact of the latest risks and provides informative and educational material for readers curious about how security affects our world.
Tue, 07 Jul 2020 00:00:00 -0400 | en-us | info@decipher.sc (Amy Vazquez) | Copyright 2020 | TTL 3600

Citrix Patches 11 Vulnerabilities in Several Products
By Dennis Fisher (dennis@decipher.sc), Tue, 07 Jul 2020 00:00:00 -0400
https://duo.com/decipher/citrix-patches-11-vulnerabilities-in-several-products

Citrix has released patches for 11 vulnerabilities in several of its popular products, including the Citrix ADC and Gateway, some of which can be used to bypass authorization to inject code under certain circumstances.

The vulnerabilities affect several Citrix products across the company’s line and range from a relatively low-risk local elevation of privilege flaw to more serious code injection and cross-site scripting weaknesses. Fortunately, there are a number of mitigating factors for several of the vulnerabilities that make exploitation more difficult. Though many of the new vulnerabilities affect the Citrix Application Delivery Controller (ADC), they’re not connected to the much more serious directory traversal flaw (CVE-2019-19781) in that product that Citrix patched earlier this year. And unlike with that previous vulnerability, there is no known exploit activity against the bugs Citrix disclosed today.

The new set of vulnerabilities affects only physical versions of the Citrix products, not cloud versions. The most serious result of an exploit against one of the vulnerabilities is that an attacker could become an authenticated user on the target appliance.

“There are barriers to many of these attacks; in particular, for customers where there is no untrustworthy traffic on the management network, the remaining risk reduces to a denial-of-service attack. And in that case, only when Gateway or authentication virtual servers are being used. Other virtual servers, for example, load balancing and content switching virtual servers, are not affected by the issue,” Fermin Serna, CISO of Citrix, wrote in an explanation of the effects of the flaws.

“Three of the six possible attacks in CTX276688 occur in the management interface of a vulnerable device. Systems deployed in line with Citrix recommendations will already have this interface separated from the network and protected by a firewall. That configuration greatly diminishes the risk. Further, while I am not discounting the risk of privilege escalation, two of the remaining three possible attacks additionally require some form of existing access. That effectively means an external malicious actor would first need to gain unauthorized access to a vulnerable device to be able to conduct an attack.”

The products affected by the 11 new vulnerabilities include the Citrix ADC, Citrix Gateway, and several models of the Citrix SD-WAN WANOP appliances. Citrix is not disclosing most of the technical details of the vulnerabilities or patches in order to limit potential exploitation by attackers who monitor patch releases for possible new targets.

“Across the industry, today’s sophisticated malicious actors are using the details and patches to reverse engineer exploits. As such, we are taking steps to advise and help our customers but also do what we can to shield intelligence from malicious actors,” Serna said.

Attackers Already Exploiting BIG-IP Vulnerability
By Fahmida Y. Rashid (fahmida@decipher.sc), Mon, 06 Jul 2020 00:00:00 -0400
https://duo.com/decipher/attackers-already-exploiting-big-ip-vulnerability

A critical vulnerability in F5 Networks’ BIG-IP networking gear is under active attack, just days after the company first announced the flaw.

F5 released an urgent advisory on June 30 on two vulnerabilities in its line of BIG-IP products which could result in “complete system compromise.” The more serious of the two, a remote code execution vulnerability (CVE-2020-5902) in the Traffic Management User Interface (TMUI), could potentially allow unauthorized users to intercept information, access networks, carry out system commands, create or delete files, disable services, and remotely execute Java code, F5 said. It received a 10 (out of 10) score on the CVSSv3 (Common Vulnerability Scoring System) severity scale. The other vulnerability (CVE-2020-5903) is a cross-site scripting vulnerability in the configuration utility. It, too, can lead to remote code execution without authorization.

F5 released updates addressing the vulnerabilities. It took just three days for security researchers to start seeing attacks exploiting the critical flaw.

United States Cyber Command urged government and private business users to apply the updates on affected equipment as soon as possible, saying the patching was “URGENT.” The Cybersecurity and Infrastructure Security Agency from the Department of Homeland Security also released an alert on Saturday.

“If you didn’t patch by this morning, assume [you are] compromised,” CISA Director Chris Krebs said Sunday. “Keep patching and check logs.”

Potential Impact

Many products in the BIG-IP family of networking equipment use the impacted TMUI, including load balancers, firewalls, rate limiters, and web traffic shaping systems. Vulnerable versions include 11.6.x, 12.1.x, 13.1.x, 14.1.x, 15.0.x, and 15.1.x. BIG-IQ and Traffix SDC products are not vulnerable.

To exploit the vulnerability, an attacker would need to send a specially crafted HTTP request to servers hosting the BIG-IP TMUI, said Mikhail Klyuchnikov, a researcher with Positive Technologies who reported the issue to F5. The issue is particularly serious for the small number of BIG-IP owners who have exposed the TMUI to the Internet, as those devices can be discovered by tools such as Shodan. Klyuchnikov estimated that approximately 8,000 vulnerable devices were exposed to the Internet. The good news is that most companies did not leave the configuration interface accessible from the Internet.

This particular line of networking equipment is widely used, and can be found in banks, government agencies, internet service providers, and some of the world’s largest companies. BIG-IP devices can decrypt traffic going to web servers, so an attacker could potentially steal the private keys to the organization’s certificates to see all the encrypted traffic. An attacker could also use the compromised device to move around the network, or collect administrator credentials. It would also be possible to intercept existing sessions by stealing session cookies and license keys.

Active Attacks

Troy Mursch of Bad Packets said the company’s preliminary scans for the BIG-IP vulnerability found more than 1,800 vulnerable hosts, and its honeypots had detected opportunistic mass scanning activity originating from multiple locations and targeting those servers.

On Saturday, exploitation attempts were coming from Italy, although by Monday morning, the majority of remote code execution attempts targeting the BIG-IP vulnerability were originating from China, according to Rich Warren, a researcher with NCC Group.

“We are seeing an uptick in RCE attempts against our honeypots, using a combination of either the public Metasploit module, or similar via Python,” Warren wrote on Twitter.

NCC Group said in a report released on Sunday that active exploitation started on Friday.

Multiple proof-of-concept exploits for arbitrary file read and remote code execution are already available. There is also a public Metasploit module which can obtain a root shell. There are also scanners available for security teams to check if the BIG-IP equipment in their network is vulnerable to attacks.

The fact that attack attempts are already happening means security teams now have two tasks: first, to update their BIG-IP equipment, and second, to check the network logs, examine other systems, and check their devices for clues that they may already have been used in an attack.

“This is an incident response, not a patching drill,” said network security specialist Jason Kikta.

Facebook Changes Developer Rules After Apps Improperly Got User Data
By Fahmida Y. Rashid (fahmida@decipher.sc), Thu, 02 Jul 2020 00:00:00 -0400
https://duo.com/decipher/facebook-changes-developer-rules-after-apps-improperly-got-user-data

On the heels of yet another privacy incident where Facebook app developers received user data when they shouldn’t have, the social networking giant rolled out new terms and policies for developers.

As part of the general crackdown after the Cambridge Analytica data-sharing scandal, Facebook changed the rules so that access to user data was cut off to app developers if the user hadn’t used the app for more than 90 days. In a recent review, Facebook found that some apps were still receiving data from inactive users, wrote Konstantinos Papamiltiadis, the company’s vice-president of product platforms. Papamiltiadis didn’t say how many users were affected or how long the data was being shared beyond three months of inactivity.

The problem has been fixed—“We fixed the issue the day after we found it,” Papamiltiadis said—but it is unclear when that occurred.

This isn’t the first time Facebook let third parties see user data when they shouldn’t have been able to. In November 2019, Facebook found “some apps,” primarily social media management and video streaming apps, had retained access to group member information such as names and profile pictures via the Groups API “for longer than we intended,” Papamiltiadis said.

Facebook had locked down the Groups API in April 2018 and had implemented new rules around the API a few months later. Even with that oversight, at least 11 partners had accessed group members’ information over the prior 60 days, and 100 developers since the rules had changed, Papamiltiadis said. That incident prompted Facebook to remove the Groups API entirely.

Facebook this week introduced new Platform Terms and Developer Policies, which squarely place the responsibility for safeguarding user data and respecting user privacy onto the businesses and developers using the platform. The new terms limit the information developers can share with third parties without receiving explicit consent from Facebook users, strengthen data security requirements, and clarify when developers must delete data, said Eddie O’Neill, Facebook’s head of platform.

The new policies and terms go into effect Aug. 31.

Data will be grouped into a two-tiered structure and developers have “clear guidance” on how each tier can be used and shared. “This new distinction between Platform Data and Restricted Platform Data limits the information developers can share with third parties without explicit consent from users and strengthens our protection of user data,” O’Neill said.

Under these changes, developers are now required to delete data that’s no longer required for a legitimate business purpose, in the event that the app is shut down, or if the data was received in error. Developers also have to delete user data if Facebook tells them to. TechCrunch noted that Facebook’s Terms already allow Facebook to audit third-party apps by requesting remote or physical access to developer systems, which means the company could conceivably reach out to developers if it notices data access problems and force the developer to delete non-compliant data this way.

The latest privacy misstep involves the mechanism which allowed users to use Facebook to sign into third-party apps. Developers can request access to a subset of that user’s data, such as email address, user likes, gender, location, birthday, age range, and preferred language. If someone using a third-party app, say a fitness app, invited Facebook friends on to the app, the app developer was able to see the subset of that friend’s data even if that invited friend was inactive on the app.

Based on the “last several months of data,” Papamiltiadis estimated that “approximately 5,000 developers” continued to collect data such as the user’s preferred language and gender, even after access was supposed to be cut off. Papamiltiadis said there was no evidence that data the user didn’t authorize as part of the original app permissions was shared.

Developers should use the Data Use Checkup tool to review the types of data they have access to via Facebook Platform APIs and confirm that they are using the data in a compliant manner, Facebook’s O’Neill said.

ACM Calls for Suspension of Facial Recognition Use
By Dennis Fisher (dennis@decipher.sc), Wed, 01 Jul 2020 00:00:00 -0400
https://duo.com/decipher/acm-calls-for-suspension-of-facial-recognition-use

As both houses of Congress consider bills that would ban the use of facial recognition software by federal agencies, a key group of computer engineers and scientists is calling for an immediate suspension on the use of the technology until regulation is in place.

Citing the problems with accuracy and the issues of racial and gender bias that have surfaced with facial recognition systems, the Association for Computing Machinery’s U.S. Technology Policy Committee on Tuesday issued a statement that says those systems should not be used in private or government applications in the absence of meaningful regulation.

“For both technical and ethical reasons – pending the adoption of appropriately comprehensive law and regulation to govern its use, oversee its application, and mitigate potential harm – USTPC urges an immediate suspension of the current and future private and governmental use of FR technologies in all circumstances known or reasonably foreseeable to be prejudicial to established human and legal rights,” the statement says.

The ACM is among the oldest computing professional societies in the world and the announcement of its committee’s position on facial recognition comes as sentiment in Washington and the technology industry to regulate or outright ban the use of the technology is building. Last week, a bill was introduced in both the House of Representatives and the Senate to prohibit federal entities from using facial recognition, and withhold some federal funds from state and local agencies that use it. Like the ACM, the sponsors of those bills referenced the biases and inaccuracies of the systems, along with the ethical questions of deploying them without notice, as driving the need for the legislation.

“Facial recognition technology is fundamentally flawed, systemically biased, and has no place in our society,” said Rep. Ayanna Pressley (D-Mass.), one of the sponsors of the bill. “Black and brown people are already over-surveilled and over-policed, and it’s critical that we prevent government agencies from using this faulty technology to surveil communities of color even further. This bill would boldly affirm the civil liberties of every person in this country and protect their right to live free of unjust and discriminatory surveillance by government and law enforcement.”

Facial recognition systems have been in use in various environments for many years, especially in high-security settings such as airports, banks, and military bases, but their use in public spaces has increased dramatically recently. Often, people in those spaces are unaware that facial recognition is in use, and there is little or no transparency about how or when the images from the systems will be used. The inaccuracy of facial recognition systems and their tendency to misidentify women and people of color has generated considerable opposition to their use by law enforcement, and the ACM’s statement calls for restrictions on facial recognition deployments by private organizations as well.

“Though powerful today and likely to improve in the future, FR technology is not sufficiently mature and reliable to be safely and fairly utilized without appropriate safeguards against adversely impacting individuals, particularly those in vulnerable population,” the statement says.

“Their potential to help meet significant societal needs, as well as political and marketplace forces, have driven the adoption of FR systems by government and industry ahead of the development of principles and regulations to reliably assure their consistently appropriate and non-prejudicial use.”

The questioning of facial recognition is not coming just from lawmakers, policy groups, and privacy advocates, but also from some of the makers of the technology. Microsoft, Amazon, and IBM all have said recently that they will not sell their facial recognition systems to law enforcement for the time being.

UCSF Pays Portion of $1.14M Ransom to Regain Medical School Data
By Dennis Fisher (dennis@decipher.sc), Tue, 30 Jun 2020 00:00:00 -0400
https://duo.com/decipher/ucsf-pays-portion-of-usd1-14m-ransom-to-regain-medical-school-data

After being hit with a ransomware attack in early June, the University of California San Francisco School of Medicine has paid a portion of the $1.14 million ransom that the attackers demanded in order to regain access to the encrypted servers.

The attack took place on June 1 and the university disclosed it two days later, saying that the school’s IT staff had discovered and limited the intrusion as it was going on. Although the intrusion specifically affected some of the School of Medicine’s servers, the IT team also isolated a number of the school’s other servers to ensure that the scope of the attack was contained. The wider UCSF network was not affected by the ransomware, but the attackers were able to exfiltrate some data from the affected servers, though not any patient medical records, the school said.

“Our investigation is ongoing but, at this time, we believe that the malware encrypted our servers opportunistically, with no particular area being targeted. The attackers obtained some data as proof of their action, to use in their demand for a ransom payment. We are continuing our investigation, but we do not currently believe patient medical records were exposed,” UCSF said in an update on June 26.

“The data that was encrypted is important to some of the academic work we pursue as a university serving the public good. We therefore made the difficult decision to pay some portion of the ransom, approximately $1.14 million, to the individuals behind the malware attack in exchange for a tool to unlock the encrypted data and the return of the data they obtained.”

The UCSF staff did not say how much of the ransom the school paid or what strain of ransomware was deployed. But the UCSF infection is by no means an anomaly. Ransomware gangs have been targeting schools, government agencies, and health care facilities with alarming frequency in the past couple of years. Many municipalities, local governments, school districts, and other public entities have been hit by ransomware, with some victims paying the ransom and others opting to rebuild or restore from backups.

Last July, the City of New Bedford, Mass., was hit by the Ryuk ransomware, which affected a small percentage of the city’s computers. The attackers demanded $5.3 million, which the city refused to pay and eventually rebuilt or replaced the affected systems. On the other side of the fence, two small towns in Florida, Lake City and Riviera Beach, each paid ransoms last year of several hundred thousand dollars.

Sentiment within the security community on whether organizations should pay ransoms in these cases is divided, but for the victims the decision often comes down to business imperatives, as was the case for UCSF. Because some of the servers that the attackers were able to encrypt contained information that the school needed for academic work, the UCSF staff decided to pay some of the ransom.

Palo Alto Fixes Critical Authentication Bypass Flaw
By Dennis Fisher (dennis@decipher.sc), Mon, 29 Jun 2020 00:00:00 -0400
https://duo.com/decipher/palo-alto-fixes-critical-authentication-bypass-flaw

Palo Alto Networks has patched a critical vulnerability in many of its firewalls, VPNs, and security gateways that allows a network attacker to bypass authentication and gain access to sensitive network resources.

The vulnerability lies in the way that the company’s PAN-OS software checks signatures when SAML authentication is enabled. It affects PAN-OS 9.1 versions before 9.1.3, PAN-OS 9.0 versions before 9.0.9, PAN-OS 8.1 versions before 8.1.15, and all versions of PAN-OS 8.0, which is no longer supported. In order for an attacker to exploit the vulnerability, the target system must have SAML enabled for authentication and the 'Validate Identity Provider Certificate' option must be disabled.

“When Security Assertion Markup Language (SAML) authentication is enabled and the 'Validate Identity Provider Certificate' option is disabled (unchecked), improper verification of signatures in PAN-OS SAML authentication enables an unauthenticated network-based attacker to access protected resources. The attacker must have network access to the vulnerable server to exploit this vulnerability,” the Palo Alto advisory says.

The Security Assertion Markup Language (SAML) is a standard that allows identity providers and service providers to share authentication and authorization information, and it is used in a number of SSO products and solutions.

The vulnerability (CVE-2020-2021) affects a number of Palo Alto products which can be protected by SAML-based single sign-on, including the GlobalProtect Gateway, GlobalProtect Portal, GlobalProtect Clientless VPN, the PA-Series and VM-Series next-generation firewalls, and the Panorama web interfaces. The consequences of a successful exploit against the vulnerability vary depending on the target system.

“In the case of GlobalProtect Gateways, GlobalProtect Portal, Clientless VPN, Captive Portal, and Prisma Access, an unauthenticated attacker with network access to the affected servers can gain access to protected resources if allowed by configured authentication and Security policies. There is no impact on the integrity and availability of the gateway, portal, or VPN server,” the Palo Alto advisory says.

“In the case of PAN-OS and Panorama web interfaces, this issue allows an unauthenticated attacker with network access to the PAN-OS or Panorama web interfaces to log in as an administrator and perform administrative actions.”

On Monday, U.S. Cyber Command warned enterprises to patch quickly, saying attackers would likely be attracted to this vulnerability.

"Please patch all devices affected by CVE-2020-2021 immediately, especially if SAML is in use. Foreign APTs will likely attempt exploit soon," the group said.

Palo Alto said it is not aware of any current exploitation attempts against the vulnerability, but encouraged customers to upgrade to the fixed versions of PAN-OS as soon as possible. There are a couple of workarounds for security teams that can’t update immediately, the simplest of which is to switch to an authentication method other than SAML and disable SAML authentication altogether.

Bills Would Ban Federal Use of Facial Recognition
By Dennis Fisher (dennis@decipher.sc), Fri, 26 Jun 2020 00:00:00 -0400
https://duo.com/decipher/bills-would-ban-federal-use-of-facial-recognition

As experts and privacy advocates continue to voice concerns about the accuracy and biases in facial recognition systems, legislators in both the House of Representatives and Senate are planning to introduce measures to ban the purchase or use of the technology and other biometric recognition and surveillance systems by federal agencies, including law enforcement.

The bills emerge at a time when the use of those technologies by law enforcement during the nationwide protests has drawn sharp criticism. Facial recognition systems are in use in many office buildings, stadiums, and airports, as well as in some public spaces, and they are often nearly invisible to people in those environments. On Thursday, two Senators and two members of the House announced bills that would ban the use of biometric recognition systems and withhold federal funds from state and local agencies that use those systems. The Facial Recognition and Biometric Technology Moratorium Act is sponsored by Sens. Ed Markey (D-Mass.) and Jeff Merkley (D-Ore.) and Reps. Pramila Jayapal (D-Wash.) and Ayanna Pressley (D-Mass.).

“Facial recognition technology is fundamentally flawed, systemically biased, and has no place in our society,” said Pressley. “Black and brown people are already over-surveilled and over-policed, and it’s critical that we prevent government agencies from using this faulty technology to surveil communities of color even further. This bill would boldly affirm the civil liberties of every person in this country and protect their right to live free of unjust and discriminatory surveillance by government and law enforcement.”

Privacy groups have advocated for a national moratorium on the use of facial recognition systems, and lauded the proposed legislation as a step in the right direction.

“The use of face surveillance technology needs to end. Face surveillance violates Americans’ right to privacy, treats all individuals as suspicious, and threatens First Amendment-protected rights,” said Caitriona Fitzgerald, Interim Associate Director and Policy Director of the Electronic Privacy Information Center (EPIC).

Several cities in the United States have banned the use of facial recognition, including San Francisco and Oakland, and just this week the Boston City Council voted unanimously to ban it, too. In March, the state of Washington became the first state to pass a law regulating the use of facial recognition systems, requiring law enforcement agencies to get a warrant in order to run facial recognition scans as part of an investigation.

Research has shown in recent years that facial recognition systems have difficulty identifying specific people, particularly women and people of color. That weakness can lead to misidentifications and potentially wrongful prosecutions. Privacy advocates have warned about the dangers of these problems, and the issues with these systems have led vendors such as IBM, Amazon, and Microsoft to say they will not sell their facial recognition software to police for the time being.


“We will not sell facial-recognition technology to police departments in the United States until we have a national law in place, grounded in human rights, that will govern this technology,” Microsoft President Brad Smith told The Washington Post earlier this month.

The new proposed legislation would prohibit federal entities from buying, using, or accessing any “automated or semi-automated process that—assists in identifying an individual, capturing information about an individual, or otherwise generating or assisting in generating surveillance information about an individual based on the characteristics of the individual’s gait or other immutable characteristic ascertained from a distance.”

The prohibition would apply to voice recognition systems but not fingerprint or palm-print biometrics, and also would allow any use that’s explicitly authorized by an act of Congress. The bills would allow states and localities to pass their own laws, as well.

“Facial recognition technology doesn’t just pose a grave threat to our privacy, it physically endangers Black Americans and other minority populations in our country. As we work to dismantle the systematic racism that permeates every part of our society, we can’t ignore the harms that these technologies present,” said Markey.

“I’ve spent years pushing back against the proliferation of facial recognition surveillance systems because the implications for our civil liberties are chilling and the disproportionate burden on communities of color is unacceptable.”

New Bill Takes Direct Aim at Encrypted Devices and Services
By Dennis Fisher (dennis@decipher.sc), Wed, 24 Jun 2020 00:00:00 -0400
https://duo.com/decipher/new-bill-takes-direct-aim-at-encrypted-devices-and-services

A new bill introduced yesterday in the Senate would require device manufacturers, cloud platform providers, and software makers to provide law enforcement agencies direct access to encrypted data on devices and encrypted communications services. The bill provides clear language about the way that access must work and would essentially make truly end-to-end encrypted services nearly impossible to operate.

The Lawful Access to Encrypted Data Act is sponsored by Sen. Lindsey Graham (R-S.C.) and provides the most direct challenge to the use of strong encryption for data at rest and in motion of any proposed legislation in recent years. While some other bills have made oblique references to encryption or used end-arounds to address the issue, Graham’s bill includes specific language to spell out requirements for the type of access that OS manufacturers, device makers, and cloud providers would have to provide to encrypted devices and services.

Under the provisions in the bill, when presented with a search warrant, providers would be required to assist in “decrypting or decoding information on the electronic device or remotely stored electronic information that is authorized to be searched, or otherwise providing such information in an intelligible format, unless the independent actions of an unaffiliated entity make it technically impossible to do so”.

The language concerning data in motion is similar, requiring service providers to deliver “all communications authorized to be intercepted securely, reliably, and concurrently with their transmission.”

That provision is perhaps the most worrisome from a security perspective.

"Requiring the ability to intercept and get unencrypted data 'on the wire' in real time does basically mean this is the outright ban on end-to-end encryption that we have been fearing would come. Even CALEA did not go that far," said Riana Pfefferkorn, associate director of surveillance and cybersecurity at the Stanford Center for Internet and Society.

As with most legislation that attempts to weaken or outlaw certain forms of strong encryption, Graham and the cosponsors, Sens. Tom Cotton (R-Ark.) and Marsha Blackburn (R-Tenn.), cite the use of encrypted services and devices by terrorists, child predators, and other criminals as the motivating factor for the introduction of the bill.

“Terrorists and criminals routinely use technology, whether smartphones, apps, or other means, to coordinate and communicate their daily activities. In recent history, we have experienced numerous terrorism cases and serious criminal activity where vital information could not be accessed, even after a court order was issued. Unfortunately, tech companies have refused to honor these court orders and assist law enforcement in their investigations,” Graham said in a statement.

“My position is clear: After law enforcement obtains the necessary court authorizations, they should be able to retrieve information to assist in their investigations. Our legislation respects and protects the privacy rights of law-abiding Americans. It also puts the terrorists and criminals on notice that they will no longer be able to hide behind technology to cover their tracks.”

The requirements in the new bill share some characteristics with the Communications Assistance for Law Enforcement Act (CALEA), which gave the federal government power to require telecommunications companies to modify their systems to enable wiretapping and targeted interception of communications. CALEA does not apply to information service providers.

"This is essentially 'CALEA II' but for the 'information services' (the Internet, social media, email, cloud storage, devices) that were expressly carved out from CALEA. Weirdly, though, the bill only expressly closes the encryption carve-out in CALEA; it does not acknowledge the information services carve-out, which seems to me to create a conflict between the language of CALEA and the language of this bill," said Pfefferkorn.

Graham’s bill contemplates access to both encrypted data at rest, meaning information stored on a device or other location, and data in motion, such as messages transiting Google’s or Apple’s network. The challenges of providing that access are manifold as are the problems with the reasoning behind the approach. Cryptographers and systems security experts have said for decades that the concept of a secure system is incompatible with exceptional access for law enforcement or any other select group.


“This bill is simply blind to reality. It is blind to the fact that as millions of us march in the streets and shelter in place, we've never been more dependent on secure communications and devices. It is blind to the expert consensus that there is no way to provide access to securely encrypted data without a backdoor, something that legislating a prize for a magical solution cannot change,” Andrew Crocker, senior staff attorney at the Electronic Frontier Foundation, said.

“And it is blind to public opinion. For decades, Americans have overwhelmingly rejected government attempts to require security flaws in technology, from the Clipper Chip, to the Apple San Bernardino case, up to Senator Graham's other misguided bill, the EARN IT Act, which would allow a government task force to outlaw end-to-end encryption. We shouldn't spend one second more debating these fictions."

Another inherent limitation of a legislative approach to this issue is that the law obviously would apply only to products or services sold or operated in the United States. There are numerous secure messaging and encrypted email services based overseas that would be outside the reach of the proposed bill. There may also be conflicts between the requirements of Graham's bill and regulations in some industries such as health care regarding data security and privacy.

"This bill raises serious questions for me about how the backdoor mandate would interact with the various data-security requirements under federal regulations and many state laws. Good cybersecurity is increasingly the law of the land, and companies have faced steep penalties for data breaches and hacks," Pfefferkorn said.

Entire sectors, such as HIPAA-covered entities, have data security obligations. How is a provider supposed to both provide adequate data security to satisfy, say, the FTC and state attorneys general, when it must also backdoor its encryption?

Unlike the EARN IT Act, which does not mention encryption but would have the effect of preventing the operation of encrypted messaging services, Graham’s bill takes the issue head on. The requirements in the legislation would place a considerable burden on service providers, device makers, and other covered companies to devise access methods for law enforcement. For some services or products, the requirements could be impossible to meet. For example, the encrypted messaging app Signal is designed in such a way that the provider does not have access to the contents of users’ messages and does not hold keys to decrypt them. Four years ago, Signal had to respond to a grand jury subpoena for details of one user account.

“The only Signal user data we have, and the only data the US government obtained as a result, was the date of account creation and the date of last use – not user messages, groups, contacts, profile information, or anything else,” Signal creator Moxie Marlinspike said in a blog post earlier this month.

“This is because we’ve designed Signal to keep your data in your hands rather than ours. Signal uses end-to-end encryption so that we never have access to the contents of the messages you send; they are only visible to you and the intended recipients.”

The Lawful Access to Encrypted Data Act has been referred to the Senate Judiciary Committee, of which Graham is the chairman. Meanwhile, the EARN IT Act is scheduled to be discussed during a Judiciary Committee meeting Thursday.

<![CDATA[Decipher Podcast: Melanie Ensign on Security Communications]]> dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/decipher-podcast-melanie-ensign-on-security-communications https://duo.com/decipher/decipher-podcast-melanie-ensign-on-security-communications Tue, 23 Jun 2020 00:00:00 -0400

<![CDATA[Evil Corp Deploys New WastedLocker Ransomware]]> dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/evil-corp-deploys-new-wastedlocker-ransomware https://duo.com/decipher/evil-corp-deploys-new-wastedlocker-ransomware Tue, 23 Jun 2020 00:00:00 -0400

The Russian attack group that is responsible for distributing the Dridex malware and BitPaymer ransomware, and that was the target of sanctions from the Department of Justice last year, has reemerged with a new strain of ransomware called WastedLocker and an updated distribution framework to install it on victims’ machines.

The group is known variously as Evil Corp and TA505 and has been active in the cybercrime world for many years, stealing tens of millions of dollars from its victims. Evil Corp’s most famous tool is Dridex, a banking trojan that is usually delivered through malicious email attachments. The group also has deployed ransomware known as BitPaymer in the past, but has mostly been seen using Dridex, as it has been wildly successful for them. Researchers and law enforcement officials have been tracking Evil Corp for years. In December the Department of Justice charged several alleged members of the group with a number of crimes, and the Department of State offered a reward of up to $5 million for information leading to the arrest of Maksim Yakubets, the alleged leader of the group.

Dridex has been a highly effective tool for Evil Corp and it has allowed the group to target victims around the world.

“Once a system is infected, Evil Corp uses compromised credentials to fraudulently transfer funds from victims’ bank accounts to those of accounts controlled by the group. As of 2016, Evil Corp had harvested banking credentials from customers at approximately 300 banks and financial institutions in over 40 countries, making the group one of the main financial threats faced by businesses,” the Justice Department said in its release in December.

“In particular, Evil Corp heavily targets financial services sector organizations located in the United States and the United Kingdom. Through their use of the Dridex malware, Evil Corp has illicitly earned at least $100 million, though it is likely that the total of their illicit proceeds is significantly higher.”

After the U.S. actions against Evil Corp, the group’s activities fell off for a few weeks before resuming in January. Four months later, researchers at NCC Group saw Evil Corp attackers using a previously unknown ransomware variant that they named WastedLocker. The new variant does not share many characteristics with the earlier BitPaymer ransomware and Evil Corp is using WastedLocker carefully, going after specific targets inside networks that cause the most havoc for the victim organization.

“Evil Corp are selective in terms of the infrastructure they target when deploying their ransomware. Typically, they hit file servers, database services, virtual machines and cloud environments. Of course, these choices will also be heavily influenced by what we may term their ‘business model’ – which also means they should be able to disable or disrupt backup applications and related infrastructure. This increases the time for recovery for the victim, or in some cases due to unavailability of offline or offsite backups, prevents the ability to recover at all,” Nikolaos Pantazapoulos, Stefano Antenucci, and Michael Sandee of NCC Group wrote in an analysis of the new ransomware.

Unlike most ransomware, WastedLocker does not come preloaded with a list of specific file extensions to search for and encrypt, but instead has an exclusion list of directories and files not to target. For example, it excludes executables, binaries, and DLLs, among many others. The encryption routine is simple, using AES with a new key for every file. The ransom demand is not included in the ransom note; victims are instructed to send an email to one of two unique addresses in order to find out the price for decryption.

Unlike some of the more recent ransomware campaigns, Evil Corp does not appear to be using WastedLocker to steal and leak sensitive data from victims. The NCC Group researchers theorize that this could be an effort to avoid drawing even more attention from law enforcement agencies. The group has a long-term view of operations and no shortage of resources to call on.

“The group has access to highly skilled exploit and software developers capable of bypassing network defences on all different levels,” the researchers said.

“It appears the group regularly finds innovative but practical approaches to bypass detection in victim networks based on their practical experience gained throughout the years. They also demonstrate patience and persistence. In one case, they successfully compromised a target over 6 months after their initial failure to obtain privileged access.”

<![CDATA[Password Spraying Leads to Compromise of Cloud Identities]]> dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/password-spraying-leads-to-compromise-of-cloud-identities https://duo.com/decipher/password-spraying-leads-to-compromise-of-cloud-identities Mon, 22 Jun 2020 00:00:00 -0400

Many state-sponsored attack groups have extensive arsenals of custom tools and malware that they deploy in their intrusions, but sometimes it’s the simple techniques and tactics that can be the most effective. For one group that’s been successful in targeting organizations in the aerospace, defense, and energy industries, large-scale password spraying has become a key tool in compromising Outlook accounts as an entry point for its intrusions.

Password spraying attacks are relatively simple but can be quite effective and devastating for an organization that does not have another layer of defense, such as multifactor authentication, on a target account. Rather than trying a large number of passwords against one account, as in a normal brute force attack, password spraying relies on trying a few commonly used passwords against many accounts. Attackers typically use this technique on email accounts, especially corporate ones that can grant them entry to the wider network.
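The "few passwords, many accounts" shape described above is exactly what a per-account lockout threshold never sees, but it is easy to spot from the sign-in log if you group by source rather than by account. The following is an added example written for this article, not code from Decipher, Microsoft or any AD FS tooling. The log format is constructed for the example (one event per line: timestamp, user, result, source IP); real AD FS or Office 365 sign-in logs carry the same four facts under different field names, and the thresholds (30-minute window, five accounts, at most two failures per account) are assumptions to tune for your own environment.

```python
"""Spotting a password spray in sign-in logs (added example, constructed data)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real data). 203.0.113.7 behaves like a spray:
# one failure each against many accounts, then one success. 198.51.100.4
# behaves like a classic brute force: many failures against a single account.
SAMPLE_LOG = """\
2020-06-22T08:00:01Z alice FAIL 203.0.113.7
2020-06-22T08:00:03Z bob FAIL 203.0.113.7
2020-06-22T08:00:05Z carol FAIL 203.0.113.7
2020-06-22T08:00:07Z dave FAIL 203.0.113.7
2020-06-22T08:00:09Z erin FAIL 203.0.113.7
2020-06-22T08:00:11Z frank SUCCESS 203.0.113.7
2020-06-22T08:01:00Z alice FAIL 198.51.100.4
2020-06-22T08:01:02Z alice FAIL 198.51.100.4
2020-06-22T08:01:04Z alice FAIL 198.51.100.4
2020-06-22T08:01:06Z alice FAIL 198.51.100.4
2020-06-22T08:01:08Z alice FAIL 198.51.100.4
2020-06-22T09:30:00Z grace FAIL 192.0.2.9
2020-06-22T09:30:30Z grace SUCCESS 192.0.2.9
"""


def parse_log(text):
    """Turn the constructed log text into (timestamp, user, result, ip) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result, ip = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result, ip))
    return events


def detect_spray(events, window=timedelta(minutes=30), min_accounts=5, max_per_account=2):
    """Flag source IPs whose failures inside any `window` touch at least
    `min_accounts` distinct users with no more than `max_per_account`
    failures per user. That wide-and-shallow shape is the spray signature;
    a brute force (narrow and deep) fails the max_per_account test and is
    deliberately not flagged here, since other controls catch it.
    """
    by_ip = defaultdict(list)
    for event in sorted(events):
        by_ip[event[3]].append(event)

    findings = {}
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e[2] == "FAIL"]
        counts = defaultdict(int)  # failures per user inside the sliding window
        left = 0
        widest = 0
        for ts, user, _, _ in fails:
            counts[user] += 1
            # Slide the window start forward, dropping events that fell out of it.
            while fails[left][0] < ts - window:
                old_user = fails[left][1]
                counts[old_user] -= 1
                if counts[old_user] == 0:
                    del counts[old_user]
                left += 1
            if len(counts) >= min_accounts and max(counts.values()) <= max_per_account:
                widest = max(widest, len(counts))
        if widest:
            # Accounts the same source then signed into successfully are the
            # compromised cloud identities to reset and review first.
            successes = sorted({e[1] for e in evs if e[2] == "SUCCESS"})
            findings[ip] = {"accounts_tried": widest, "successes": successes}
    return findings


if __name__ == "__main__":
    for ip, info in detect_spray(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {info['accounts_tried']} accounts sprayed, "
              f"successful sign-ins: {info['successes'] or 'none'}")
```

On the constructed sample only 203.0.113.7 is reported, with five accounts tried and a successful sign-in as frank; the single-account hammering from 198.51.100.4 is left to the lockout policy. Grouping by source IP is a starting point, not the whole answer: the article notes that Holmium validated its stolen credentials through VPN exit nodes in several countries, so the same logic is worth running over ASN or user-agent as well.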

Outlook and Office 365 are prime targets for this kind of attack, and Microsoft researchers have been tracking several intrusions by a group the company calls Holmium that employ password spraying against Active Directory Federation Services (AD FS). AD FS allows organizations to expose single sign-on services to the Internet, and Microsoft’s team found that enterprises that didn’t have MFA enabled were easier targets for Holmium in these intrusions.

“After successfully identifying a few user and password combinations via password spray, HOLMIUM used virtual private network (VPN) services with IP addresses associated with multiple countries to validate that the compromised accounts also had access to Office 365,” the Microsoft Threat Protection Intelligence Team said in an analysis of the recent attacks.

“Armed with a few compromised Office 365 accounts and not blocked by MFA defense, the group launched the next step with Ruler and configured a malicious Home Page URL which, once rendered during a normal email session, resulted in the remote code execution of a PowerShell backdoor through the exploitation of a vulnerability like CVE-2017-11774.”

That vulnerability allows the attackers to bypass some of the security features in Outlook and run arbitrary commands. From there, the Holmium attackers run a custom backdoor known as Powerton and install some payloads for persistence on the machine. Then it’s off to the races.

“Once the group has taken control of the endpoint (in addition to the cloud identity), the next phase was hours of exploration of the victim’s network, enumerating user accounts and machines for additional compromise, and lateral movement within the perimeter. HOLMIUM attacks typically took less than a week from initial access via the cloud to obtaining unhampered access and full domain compromise, which then allowed the attackers to stay persistent for long periods of time, sometimes for months on end,” the Microsoft analysis says.

The Holmium group is also known as APT33, and researchers have tied it to the Iranian government. The group has consistently targeted companies in the energy sector over the years and has used a handful of custom tools in its intrusions. The password spraying attacks that Microsoft investigated specifically went after cloud identities, which are more difficult to remediate than a simple endpoint compromise, and some of the enterprises that were hit didn’t react to the intrusions right away.

“During these attacks, many target organizations reacted too late in the attack chain—when the malicious activities started manifesting on endpoints via the PowerShell commands and subsequent lateral movement behavior. The earlier attack stages like cloud events and password spray activities were oftentimes missed or sometimes not linked with activities observed on the endpoint. This resulted in gaps in visibility and, subsequently, incomplete remediation,” Microsoft’s analysis said.

<![CDATA[Enterprise, Embedded Devices at Risk From Ripple20 Bugs]]> dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/enterprise-embedded-devices-at-risk-from-ripple20-bugs https://duo.com/decipher/enterprise-embedded-devices-at-risk-from-ripple20-bugs Wed, 17 Jun 2020 00:00:00 -0400

An obscure TCP/IP stack that is embedded in millions of medical, ICS, networking, and retail devices around the world contains nearly 20 vulnerabilities, some of which can allow remote code execution and give an attacker complete control over the target device.

The flaws, known collectively as Ripple20, are in a stack provided by Treck, which builds software libraries for embedded systems, and they run the gamut from improper input validation and access control to an integer overflow. Researchers at JSOF, a small Israeli security research firm, discovered the vulnerabilities last fall and began looking into where the Treck stack was used and soon discovered it was deployed in a long list of devices. Among the vendors with affected products are HP Enterprise, Intel, Schneider Electric, Caterpillar, and Rockwell Automation, and because the TCP/IP stack is designed specifically for embedded systems, many of the affected devices may be quite difficult to update.

“The software library spread far and wide, to the point that tracking it down has been a major challenge. As we traced through the distribution trail of Treck’s TCP/IP library, we discovered that over the past two decades this basic piece of networking software has been spreading around the world, through both direct and indirect use. As a dissemination vector, the complex supply chain provides the perfect channel, making it possible for the original vulnerability to infiltrate and camouflage itself almost endlessly,” the JSOF advisory says.

“The interesting thing about Ripple20 is the incredible extent of its impact, magnified by the supply chain factor. The wide-spread dissemination of the software library (and its internal vulnerabilities) was a natural consequence of the supply chain ‘ripple-effect’. A single vulnerable component, though it may be relatively small in and of itself, can ripple outward to impact a wide range of industries, applications, companies, and people.”


For enterprises, the main risk from these vulnerabilities comes from network devices such as printers and servers running firmware or software versions that contain the vulnerable library. Several models of HP and Samsung printers are affected, as are some Intel servers. The broader effect, however, will be felt by the manufacturers of ICS gear, PoS systems, medical devices, and transportation systems that are vulnerable. Treck has provided an updated version of the TCP/IP stack and many of the affected vendors have released fixes too, but updating some of those products and systems may not be a simple process. ICS and medical devices, specifically, operate in highly controlled environments and taking them offline for updates requires significant planning.

Because of the broad reach of the vulnerabilities and the library itself, the JSOF researchers coordinated their disclosure with CERT organizations in several countries, including Israel, Japan, and the United States, as well as the Cybersecurity and Infrastructure Security Agency (CISA).

“The impact of these vulnerabilities will vary due to the combination of build and runtime options used while developing different embedded systems. This diversity of implementations and the lack of supply chain visibility has exasperated the problem of accurately assessing the impact of these vulnerabilities. In summary, a remote, unauthenticated attacker may be able to use specially-crafted network packets to cause a denial of service, disclose information, or execute arbitrary code,” the advisory from the CERT/CC at Carnegie Mellon University says.

“Treck IP network stack software is designed for and used in a variety of embedded systems. The software can be licensed and integrated in various ways, including compiled from source, licensed for modification and reuse and finally as a dynamic or static linked library. Treck IP software contains multiple vulnerabilities, most of which are caused by memory management bugs.”

<![CDATA[Unnamed Web Host Hit With DDoS Attack]]> fahmida@decipher.sc (Fahmida Y. Rashid) https://duo.com/decipher/unnamed-web-host-hit-with-ddos-attack https://duo.com/decipher/unnamed-web-host-hit-with-ddos-attack Wed, 17 Jun 2020 00:00:00 -0400

Attackers launched a massive distributed denial-of-service (DDoS) attack against a specific website hosted by a hosting provider in early June. Not only was the 1.44 terabit-per-second DDoS attack the largest Akamai has seen to date, it was also one of the most complex to resolve, according to Akamai.

“The attack appears to have been a planned and orchestrated effort–and appears that someone was very intent on maximizing damage,” Akamai said.

This attack had a bandwidth of 1.44 terabits-per-second and 385 million packets per second and lasted about an hour and a half, said Roger Barranco, vice president of global security operations for Akamai. The attack sustained 1.2 terabits-per-second for an hour.

The hosting provider, which Barranco declined to name, hosted a number of political and social sites. The provider itself was not the target, as the attack seemed to be making a statement about the site. Barranco also said there wasn’t a way to definitively draw a link between current events and the site that was under attack.

There were other smaller attacks against the provider during this time period, such as the 500 gigabit-per-second DDoS attack against a different website. But being able to sustain high traffic volumes for that long a period of time is unusual in a DDoS attack when most attacks are measured in minutes.

A Well-Coordinated Attack

A typical DDoS attack depends on one to three different attack vectors, but this one utilized nine, Barranco said. The methods involved volumetric attacks, or floods, of ACK, SYN, UDP, NTP, TCP reset, and SSDP packets; multiple botnet attack tools; and CLDAP reflection, TCP anomaly, and UDP fragments. There were no zero-day vulnerabilities or novel techniques, Barranco said.

The variety is unusual because of the sheer amount of planning and coordination that would have been required. While attack infrastructure can be rented, there is a limited reserve of tools that can be used, and other attackers putting together their own campaigns are competing to use those tools, as well.

“Someone went way out of their way to reserve the capability and collect the tools needed for an attack of this size,” Barranco said.

Geographic concentration tends to be typical for DDoS attacks, so the fact that the attack was made of globally distributed traffic was notable. There have been geographically-dispersed attacks in the past —the Mirai botnet had “some continental and geographic distribution, but not to this extent,” Barranco said—but this attack used the regions differently. There was a primary attack vector associated with the regions, so the traffic coming from the United States used one method, and traffic from another region used a different type of attack.

The most prominent sources of traffic were San Jose and Frankfurt, Germany.

Barranco didn't know if this was just one very skilled and knowledgeable individual or a group working very closely together, but said it was not very likely that multiple groups were working together.

Growing in Size

There are many denial-of-service attacks in a typical year, many of them against gaming sites, but most of them tend to be small and short-lived.

Attacks usually double in size every two years, Barranco said. At the end of last year, DDoS attacks were typically small and short in duration, although the sizes had been increasing slowly. Barranco noted the median bandwidth size for attacks doubled from about 300 gigabit-per-second to 600 gigabit-per-second two years ago. In that sense, the June incident appears to be right on schedule.

It’s easy to focus on just the gigabits per second (or in this case, terabits per second) because they are large numbers, but packets per second is an important metric to pay attention to, as well. An attack with relatively low bandwidth but a high packet rate can still take down a business because the network equipment can't handle the number of packets being sent, even though the link capacity is not saturated. A DDoS attack against an online bank and credit card issuer in April 2019, at 39 gigabits per second and 113 million packets per second, was the largest attack by packets per second that Akamai had seen up to that point, according to Akamai's latest State of the Internet report.

"While the packet count for this attack was extremely high, individual packets were relatively small, limiting the volume of traffic created," Akamai said.

Large providers frequently have to deal with large attacks. Amazon Web Services was hit with a 2.3 terabit-per-second DDoS attack earlier this year, as attackers unsuccessfully attempted for three days to knock services offline, according to Amazon’s Q1 AWS Shield Threat Landscape Report. The hosting provider was hit with smaller traffic volume than Amazon, but Barranco noted the difference in packets-per-second between the two attacks. AWS was hit with 293 million packets-per-second, making the June attack on the hosting provider, with 385 million packets-per-second, “quite a bit larger,” Barranco said.

That doesn’t mean that the AWS attack was less serious—dealing with large volumes of attack traffic (in this case, CLDAP reflection) for over three days is never a picnic.

Knowing Good Traffic From Bad

Akamai’s Security Operations Command Center handled the bulk of the attack in seconds, but it still took about ten minutes to get it under control, Barranco said. The hosting provider noticed the impact of the attack only for a few minutes.

Enterprises need to really understand their ingress traffic so that they can respond to a DDoS attack effectively, Barranco said. Otherwise, they may wind up crippling their own network while trying to stop the attack. DNS traffic, for example, may make up about 1 percent of an enterprise’s total traffic, but it is the most critical. If an enterprise responded to a DNS flood or a DNS amplification attack by blocking DNS traffic, its entire business operations could come to a standstill because it didn’t realize how much it depended on that small volume of legitimate packets. Similarly, if the attack used NTP floods, blocking NTP could prevent corporate machines from operating normally. A defender may not know which packets to keep if the attacker employs multiple types of traffic.
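Two points from this piece are worth putting into numbers: packet rate can matter more than bandwidth, and the protocol you are tempted to block during a flood may be the 1 percent you cannot live without. The following is an added example written for this article, not code from Decipher or Akamai. The per-second traffic samples are constructed for the example; the only real figures are the headline Tbps and Mpps numbers quoted in the article, used here to compare average packet size between the June attack and the AWS attack. The rate-limit headroom and the list of "critical" protocols are assumptions.

```python
"""Reading a DDoS in bits and packets, and keeping the critical 1 percent (added example)."""

# Constructed one-second samples of an enterprise edge: (protocol, packets, bytes).
# DNS is about 1 percent of bytes in the baseline, as in the article's example.
BASELINE = [
    ("HTTPS", 900_000, 1_100_000_000),
    ("DNS", 100_000, 12_000_000),
    ("NTP", 500, 45_000),
    ("SMTP", 5_000, 60_000_000),
]

# Same edge during a constructed DNS flood: the packet count explodes far
# more than the byte count does, which is what exhausts state tables first.
ATTACK = [
    ("HTTPS", 950_000, 1_150_000_000),
    ("DNS", 40_000_000, 3_200_000_000),
    ("NTP", 500, 45_000),
    ("SMTP", 5_000, 60_000_000),
]


def rates(samples):
    """Total (Gbps, Mpps) for a one-second sample; report both, not just Gbps."""
    packets = sum(p for _, p, _ in samples)
    octets = sum(b for _, _, b in samples)
    return octets * 8 / 1e9, packets / 1e6


def avg_packet_bytes(tbps, mpps):
    """Average packet size implied by a headline Tbps / Mpps pair."""
    return tbps * 1e12 / 8 / (mpps * 1e6)


def byte_share(samples):
    """Each protocol's share of total bytes, to show how small critical traffic is."""
    total = sum(b for _, _, b in samples)
    return {proto: b / total for proto, _, b in samples}


def flood_candidates(baseline, attack, factor=10):
    """Protocols whose packet rate grew at least `factor` times over baseline."""
    base = {proto: pkts for proto, pkts, _ in baseline}
    return [proto for proto, pkts, _ in attack if pkts >= factor * base.get(proto, 1)]


def mitigation_plan(baseline, attack, critical=("DNS", "NTP"), headroom=3):
    """Choose an action per flooded protocol. Protocols the business cannot
    operate without are rate-limited to a multiple of their baseline packet
    rate instead of blocked outright, so the legitimate trickle keeps flowing."""
    base = {proto: pkts for proto, pkts, _ in baseline}
    plan = {}
    for proto in flood_candidates(baseline, attack):
        if proto in critical:
            plan[proto] = {"action": "rate_limit", "pps_ceiling": headroom * base.get(proto, 0)}
        else:
            plan[proto] = {"action": "drop"}
    return plan


if __name__ == "__main__":
    print("baseline Gbps/Mpps:", rates(BASELINE))
    print("attack   Gbps/Mpps:", rates(ATTACK))
    print("DNS share of baseline bytes: %.1f%%" % (100 * byte_share(BASELINE)["DNS"]))
    print("avg packet, June attack (1.44 Tbps, 385 Mpps): %.0f bytes" % avg_packet_bytes(1.44, 385))
    print("avg packet, AWS attack (2.3 Tbps, 293 Mpps):   %.0f bytes" % avg_packet_bytes(2.3, 293))
    print("plan:", mitigation_plan(BASELINE, ATTACK))
```

Run on the constructed samples, the flood is flagged on DNS alone and the plan is a rate limit at three times the baseline DNS packet rate rather than a block. The packet-size arithmetic on the article's own figures also shows why Barranco calls the June attack "quite a bit larger" despite the lower Tbps: its average packet is roughly half the size of the AWS attack's, so the same bandwidth costs the equipment about twice as many packets.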

The challenge is to “stop the [attack] traffic while still letting the good traffic in,” Barranco said.

<![CDATA[Pandemic-Related Malware Activity Falling Off]]> dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/pandemic-related-malware-activity-falling-off https://duo.com/decipher/pandemic-related-malware-activity-falling-off Tue, 16 Jun 2020 00:00:00 -0400

COVID-19-themed malware and phishing attacks over the last four months, since the pandemic took hold of the global consciousness to the exclusion of nearly everything else, have essentially followed the peaks and valleys of the crisis itself and have largely relied on existing infrastructure and previously seen malware tools, new data shows.

There have been countless individual spam, malware, and phishing campaigns since February that are tied in to the pandemic in one way or another, many of them using topics such as financial stimulus payments, vaccines, or testing programs as lures. The global nature of the pandemic has made it a concern for nearly everyone, something that is nearly unprecedented in the Internet era. That makes it a golden opportunity for cybercrime groups and they have not been shy about taking advantage of it, beginning in early January as the virus gained momentum in Asia and continuing ever since.

Data compiled by Microsoft from its defensive tools deployed around the world shows that attacks using COVID-19 as a hook began to accelerate quickly in early February when the World Health Organization named the virus and then peaked in early March, just after the first victim died in the United States. Among the early adopters of the pandemic as a theme in malware and phishing campaigns were the groups pushing the Lokibot and Emotet trojans, soon to be followed by the Trickbot actors. The attacks were first seen in China and the U.S., but quickly made their way around the globe.

“The rise in COVID-19 themed attacks closely mirrored the unfolding of the worldwide event. The point of contention was whether these attacks were new or repurposed threats. Looking through Microsoft’s broad threat intelligence on endpoints, email and data, identities, and apps, we concluded that this surge of COVID-19 themed attacks was really a repurposing from known attackers using existing infrastructure and malware with new lures,” Microsoft’s Threat Protection Intelligence Team said in a new analysis of the campaigns.

Although cybercrime groups were quick to exploit the pandemic for their own gain, the overall volume of COVID-themed malware and phishing attacks was relatively insignificant when compared to the total number of malware attacks. Cybercrime groups have the ability to change up their lures, targets, and payloads very quickly as circumstances dictate, but those changes typically are temporary.

“Malware campaigns, attack infrastructure, and phishing attacks all showed signs of this opportunistic behavior. As we documented previously, these cybercriminals even targeted key industries and individuals working to address the outbreak. These shifts were typical of the global threat landscape, but what was peculiar in this case was how the global nature and universal impact of the crisis made the cybercriminal’s work easier. They preyed on our concern, confusion, and desire for resolution,” Microsoft’s report says.

“After peaking in early March, COVID-19 themed attacks settled into a ‘new normal’. While these themed attacks are still higher than they were in early February and are likely to continue as long as COVID-19 persists, this pattern of changing lures proves to be an outlier, and the vast majority of the threat landscape falls into typical phishing and identity compromise patterns.”

While the attacks using the pandemic as a lure have been worldwide, the specific methods of employing it have differed by country, as have the individual ups and downs of malware activity. In the U.S. there have been three separate peaks in activity, with the latest one coming in late May when the country passed 100,000 COVID-19 deaths just as some states began to loosen restrictions. Activity has fallen off significantly since then, though.

<![CDATA[Intel to Add Hardware Defense Against Subtle Attacks]]> dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/intel-to-add-hardware-defense-against-subtle-attacks https://duo.com/decipher/intel-to-add-hardware-defense-against-subtle-attacks Mon, 15 Jun 2020 00:00:00 -0400

Intel has introduced a new set of processor-level security features to help protect against a specific type of attack that takes advantage of memory safety vulnerabilities in browsers and operating systems.

The new protections, known as Control-Flow Enforcement Technology (CET), are part of a push by Intel to bring more security down to the hardware level rather than relying on the OS and third-party applications to provide defenses. CET is built into the company’s Tiger Lake mobile processors, which are due for release later this year, and will make its way into server and desktop processors later. The idea behind the introduction of CET is to create a hardware-level barrier to return-oriented programming (ROP) attacks, a technique in which an attacker who controls the stack chains together short existing instruction sequences that each end in a return instruction, using the return addresses on the stack to steer execution from one sequence to the next. The attack uses bytes that are already in the computer’s memory and are executable, so no new code has to be injected.

“So, with a ROP attack, the attacker can execute arbitrary code composed via gadgets using the existing program inheriting all the permissions of the program. This makes these attacks effective and hard to detect and potentially allow an attacker to escalate privileges or break out of process sandboxes. These types of malware target operating systems (OS), browsers, readers and many other applications, and it takes deep integration with hardware at the foundation to deliver more effective protection with minimal performance impact,” Intel’s technical paper on the new protection says.

ROP attacks have been in use for many years, and software makers have introduced a number of mitigations to help prevent or minimize the effects of successful exploits. Microsoft specifically has been adding mitigations for common ROP techniques to Windows consistently as new attacks have emerged, but the techniques continue to evolve, so defenses must, as well. As with many other areas of security, the combination of software and hardware approaches is often more effective than one without the other.


“As more proactive protections are built into the Windows OS, attackers are shifting their efforts to exploit memory safety vulnerabilities by hijacking the integrity of the control flow,” said David Weston, director of Enterprise and OS Security at Microsoft. “As an opt-in feature in Windows 10, Microsoft has worked with Intel to offer hardware-enforced stack protection that builds on the extensive exploit protection built into Windows 10 to enforce code integrity as well as terminate any malicious code.”

But it’s not just Windows machines that will have the benefit of the new protections once the CET-enabled processors are available.

“We've also been working with the Linux and developer communities. We’ve been making sure they understand how Intel CET works and that they are taking advantage of it in their respective products,” Tom Garrison, vice president of the Client Computing Group and General Manager of Security Strategies and Initiatives at Intel, said in an email.

Although some of the software-based defenses and mitigations that Microsoft and other software makers have introduced have been effective, the risk of ROP and jump-oriented programming (JOP) exploit attempts is still quite real.

“ROP and JOP malware attacks can be particularly hard to detect or prevent because the attacker uses existing code running from executable memory in a creative way to change program behavior. Many software-based detection and prevention techniques have been developed with limited success. Because the code is legitimate, it makes control flow hijacking difficult to see,” Garrison said.
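As an added illustration, not code from Intel or from the article, here is a toy model of the shadow-stack idea behind CET: a call saves its return address on the ordinary, writable stack and on a separate shadow stack the program cannot write to, and a return refuses to proceed when the two disagree. The instruction set, the "corrupt" step standing in for a memory-safety bug, and the gadget address are all constructed for this example.

```python
"""Toy model of a CET-style shadow stack (illustration only, not Intel's design)."""


class ControlFlowViolation(Exception):
    """The return address on the data stack does not match the shadow copy."""


class Machine:
    def __init__(self, enforce_shadow_stack):
        self.enforce = enforce_shadow_stack
        self.stack = []        # data stack: writable, so a bug can corrupt it
        self.shadow = []       # shadow stack: only call/ret touch it
        self.pc = 0
        self.executed = []     # addresses executed, in order

    def step(self, program):
        op, *args = program[self.pc]
        self.executed.append(self.pc)
        if op == "call":
            ret_addr = self.pc + 1
            self.stack.append(ret_addr)
            if self.enforce:
                self.shadow.append(ret_addr)
            self.pc = args[0]
        elif op == "ret":
            addr = self.stack.pop()
            if self.enforce:
                expected = self.shadow.pop()
                if addr != expected:
                    raise ControlFlowViolation(
                        f"ret to {addr} but shadow stack holds {expected}")
            self.pc = addr
        elif op == "corrupt":
            # Simulated stack overwrite: clobber the most recent saved return
            # address. The shadow stack is untouched because no instruction
            # in this machine writes to it.
            self.stack[-1] = args[0]
            self.pc += 1
        elif op == "nop":
            self.pc += 1
        elif op == "halt":
            self.pc = None
        else:
            raise ValueError(f"unknown instruction {op!r}")

    def run(self, program, max_steps=64):
        while self.pc is not None and len(self.executed) < max_steps:
            self.step(program)
        return self.executed


GADGET = 6  # constructed address of code that is never called legitimately


def make_program(corrupt_to=None):
    """Build the sample program; with corrupt_to set, the callee clobbers its
    saved return address with that value before returning."""
    callee_first = ("corrupt", corrupt_to) if corrupt_to is not None else ("nop",)
    return [
        ("call", 3),   # 0: main calls the callee
        ("halt",),     # 1: legitimate return target
        ("nop",),      # 2
        callee_first,  # 3: callee body (vulnerable write or harmless nop)
        ("ret",),      # 4: return to whatever the saved return address says
        ("nop",),      # 5
        ("nop",),      # 6: GADGET
        ("halt",),     # 7
    ]


def run_scenario(enforce_shadow_stack, corrupt_to=None):
    """Run the program and report where execution went."""
    machine = Machine(enforce_shadow_stack)
    violation = None
    try:
        machine.run(make_program(corrupt_to))
    except ControlFlowViolation as exc:
        violation = str(exc)
    return {
        "executed": machine.executed,
        "reached_gadget": GADGET in machine.executed,
        "violation": violation,
    }


if __name__ == "__main__":
    print("benign, shadow stack on :", run_scenario(True))
    print("corrupted, no shadow    :", run_scenario(False, corrupt_to=GADGET))
    print("corrupted, shadow stack :", run_scenario(True, corrupt_to=GADGET))
```

Without enforcement the corrupted return lands on the gadget and execution continues as if nothing happened; with enforcement the mismatch is caught at the `ret`, which is the point the passage makes about a hardware check that existing software mitigations cannot provide on their own.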

<![CDATA[Networked Devices Will Stop Working As Root Certificates Expire]]> fahmida@decipher.sc (Fahmida Y. Rashid) https://duo.com/decipher/networked-devices-will-stop-working-as-root-certificates-expire https://duo.com/decipher/networked-devices-will-stop-working-as-root-certificates-expire Fri, 12 Jun 2020 00:00:00 -0400

Most doom-and-gloom and sky-is-falling scenarios in information security tend to be exaggerated, but the fact that a significant number of Internet of Things devices will stop working over the next year doesn't seem like one of those hysterical warnings.

IoT and smart devices will start to break down and stop working because they will be unable to connect online, said security researcher and consultant Scott Helme. These devices won't fail because of simultaneous hardware issues or a coordinated widespread attack. It's a lot simpler than that: the root certificates these devices use to establish secure online connections will expire.

The security of Internet connections depends on a web of trust between certificate authorities and digital certificates. There may be multiple levels of certificate authorities and certificates, each one validating the one below it. But at the most basic level, all CAs eventually link back to (and derive their ability to issue certificates from) a Root CA. A client uses a root certificate "quite literally embedded in your operating system or your browser of choice" to validate the server's certificate before establishing a secure connection with the server. "It's [the root certificate] physically present on your device," Helme said.

When the client can no longer connect to the server because its certificate has expired, the server administrator has to renew and update the certificate. This isn't unusual, as server certificates don't have long lifespans, and starting in September, will be restricted to a validity period of one year or less. Root certificates were designed to have longer expiration windows--such as 20 to 25 years--because they are in every single client that connects to the Internet. Helme is concerned there isn't an equivalent fix in the reverse scenario, when the client cannot connect to the server because its root certificate has expired.

Time's Up

The poor state of client-side updates is a massive problem--many Android phones are not supported long enough to receive software updates and networked devices such as printers and routers don't always have a straightforward way to update the firmware. Many of the IoT devices on the market don't even have an update mechanism of any kind. When the root certificates on these devices expire, as they inevitably will because all certificates have some kind of expiration date, the devices will just stop working. The expiration date for many of the original root certificates is right about now, Helme warned.

"We're coming to a point in time now where there are lots of CA Root Certificates expiring in the next few years simply because it's been 20+ years since the encrypted Web really started up and that's the lifetime of a Root CA certificate," Helme said.

CAs have created new root certificates and distributed them in operating system and browser updates over the years. If the client has one of the newer root certificates--either because the manufacturers shipped the device with a newer one or the user has updated the device--then the problem isn't immediate. But if the device still has one of the original certificates, time's up.

First Set of Failures

Something along these lines has already happened, Helme said. Customers were surprised and confused when select Roku streaming channels stopped working on May 30th. Roku informed those customers of a "global technical certificate expiration" and directed them to manually install a software update. This was an unexpected situation, but relatively painless, because Roku has a menu option for users to find and download software updates.

"That exact time [30 May at 10:48:38 GMT] was when the AddTrust External CA [Certificate Authority] Root expired and brought with it the first signs of trouble that I've been expecting for some time," Helme said.

For many devices that don't have an easily accessible option in the Settings menu, this situation would have been far more challenging to resolve. The customer may have to download the update separately and figure out how to copy it onto the device, as used to be the case for older wireless networking equipment. Or what's more likely, it may be impossible to update the device at all. In that case, the customer's only choices are to ask the manufacturer to replace the device, buy a new device, or just stick with the dysfunctional unit.

The problem wasn't limited to Roku devices; it affected any device with the old AddTrust Root CA Certificate installed. Payment platforms Stripe and Spreedly also experienced disruptions on the same day because some root certificates had expired. The expired certificates were causing some API/web clients to fail, "notably OpenSSL and curl," Spreedly said in its incident response report.

"There is a whole load of stuff that broke because of this Root CA expiring," Helme said.

Google software engineer Ryan Sleevi, who has been heavily involved in standards work for certificate authorities and the future of digital certificates.

Newest Is Still Old

The BBC ran up against this problem recently from the server side. The media company had a new security certificate for its streaming services which was linked to a root certificate with a validity period from November 2012 to January 2038. However, a significant number of smart TVs on the market had the older root certificates, which meant those TVs would not be able to validate this certificate and connect to the streaming service. The fact that an eight-year-old root certificate is still not on enough devices highlights the severity of the problem. The BBC chained multiple intermediate certificates as a temporary workaround to use the older root certificate until 2028, at which point the hope is that enough Smart TVs will have updated to have the newer root certificate.

Smart TV manufacturers may be releasing updates, but if it takes ten years or so to address the problem of old root certificates, then they are not addressing the issue effectively. Android devices also have this issue, since vendors update (if they offer any updates) a select number of models, and only for a very short period of time.

"There is a significant portion of devices that are either lagging seriously behind on updates or simply aren't being updated," says Helme.

On a larger scale, legacy operating systems still in use in ATMs, airport terminal departure boards, and point of sale systems will be unable to connect, leading to "failures to provide services to customers," said Fausto Oliviera, principal security architect at Acceptto, a continuous behavioral authentication provider. Enterprises that have not "developed ways to ensure that they are able to update their devices will have to quickly come up with ways to prevent failure of service," Oliviera said.

From the consumer standpoint, this is a challenge, because it doesn't even matter if the device is top of the line and brand new if it is relying on an old root certificate.

"Just because a device was built in 2018, it doesn't mean the software wasn't already 6+ years out of date," Helme said.

Updates Needed

One potential date for another wave of failures is Sept. 30, 2021, when the DST Root CA X3 certificate used by many Let's Encrypt certificates expires. Let's Encrypt has been trying to transition to a different Root CA, but had to delay the process because many devices don't know the Root CA it is trying to move to. The ISRG Root was issued in June 2015 and became a trusted CA in August 2018. Devices that received an operating system or software update would know about ISRG Root CA, but if a device has not been updated since August 2018--such as an Android phone--then it wouldn't know about the new root CA.

Updating a root certificate isn't like updating the browser or operating system every month. It isn't even like updating a server certificate every year (or six months). Making a requirement that devices have to check and download an update to get the latest root certificate every few years--even five years would help address this problem--shouldn't be so onerous.

Manufacturers and service providers have to think about updating the root store--if their devices or software depend on root certificates for secure communications, then they need to update so that they are using newer root certificates. Relying on users to update, or know how to update, isn't going to work. Developers have to think about how they will update the root store.

"Simply replacing the Root Store with the latest version might give a device years more useful life or prevent your service being negatively impacted when the next Root CA expiry comes around," Helme said.
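To make the two failure patterns above concrete, the Roku/AddTrust expiry and the BBC cross-chaining workaround, here is an added model (not Helme's, Roku's or the BBC's code) of how a client builds a chain only to roots in its own trust store. All certificates, names and dates are constructed for this example; "Legacy Root CA" stands in for a root shipped in devices about 20 years ago, and "Modern Root CA" for its replacement.

```python
"""Model of chain building against a device's own root store (constructed data)."""
from datetime import datetime


def cert(subject, issuer, not_before, not_after):
    """A 'certificate' reduced to the fields that matter for path building."""
    return {"subject": subject, "issuer": issuer,
            "not_before": datetime.fromisoformat(not_before),
            "not_after": datetime.fromisoformat(not_after)}


def is_valid_at(c, now):
    return c["not_before"] <= now <= c["not_after"]


def find_chain(leaf, intermediates, trusted_roots, now):
    """Return subjects from the leaf up to a trusted, unexpired root, or None.

    Depth-first search over issuer names. The root must come from the client's
    own store, so a perfectly good root the device has never heard of does not
    help, and a root the device does have stops helping the moment it expires.
    """
    roots = {r["subject"]: r for r in trusted_roots}

    def walk(c, path):
        if not is_valid_at(c, now):
            return None
        path = path + [c["subject"]]
        root = roots.get(c["issuer"])
        if root is not None and is_valid_at(root, now):
            return path + [root["subject"]]
        for cand in intermediates:
            # a cross-signed intermediate appears twice: same subject, two issuers
            if cand["subject"] == c["issuer"] and cand["subject"] not in path:
                found = walk(cand, path)
                if found:
                    return found
        return None

    return walk(leaf, [])


# Constructed scenario (dates and names are illustrative, not real CAs).
LEGACY_ROOT = cert("Legacy Root CA", "Legacy Root CA", "2000-05-30", "2020-05-30T10:48:38")
MODERN_ROOT = cert("Modern Root CA", "Modern Root CA", "2010-01-01", "2038-01-01")

INTERMEDIATES = [
    # one issuing CA key, signed by the modern root ...
    cert("Example Issuing CA", "Modern Root CA", "2015-01-01", "2030-01-01"),
    # ... and cross-signed by the legacy root so old clients can still chain
    cert("Example Issuing CA", "Legacy Root CA", "2015-01-01", "2020-05-30T10:48:38"),
]
LEAF = cert("streaming.example.com", "Example Issuing CA", "2020-01-01", "2021-01-01")

NEVER_UPDATED_DEVICE = [LEGACY_ROOT]             # root store frozen years ago
UPDATED_DEVICE = [LEGACY_ROOT, MODERN_ROOT]      # received a root-store update


def chain_for(store, when_iso):
    """Chain the device would accept for LEAF at the given time, or None."""
    return find_chain(LEAF, INTERMEDIATES, store, datetime.fromisoformat(when_iso))


def device_can_connect(store, when_iso):
    return chain_for(store, when_iso) is not None


if __name__ == "__main__":
    for when in ("2020-05-01", "2020-06-01"):
        for name, store in (("never-updated", NEVER_UPDATED_DEVICE),
                            ("updated", UPDATED_DEVICE)):
            print(f"{when}  {name:14} {chain_for(store, when)}")
```

The never-updated device validates through the cross-signed path right up to the legacy root's expiry and then fails outright, while the updated device keeps working through the modern root; only a root-store update, not a new server certificate, fixes the first device.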

<![CDATA[FBI Warns of Increase in Banking Trojan Attacks]]> dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/fbi-warns-of-increase-in-banking-trojan-attacks https://duo.com/decipher/fbi-warns-of-increase-in-banking-trojan-attacks Thu, 11 Jun 2020 00:00:00 -0400

The global pandemic and resulting quarantine in many countries has led to an increased reliance on technology for many daily tasks, which creates more opportunities for attackers, and the FBI is warning that mobile banking apps are among the top targets for attackers looking to take advantage of the situation.

Mobile banking trojans have been a highly profitable and diverse cottage industry for cybercrime groups for many years, right from the time that smartphones became widely available. At first they were rudimentary and relatively easy to spot, but as time has gone on and mobile banking has grown in popularity, the attackers have become much more creative and stealthy and the malicious apps have become increasingly difficult to identify. There are several different types of mobile banking attacks, and the most effective and popular ones are trojanized versions of legitimate apps or malicious apps that have the ability to throw fake login screens in front of a banking app to steal victims’ credentials.

These techniques are widely used and so they're well understood by the research community and the teams that work to keep malware out of the app stores. However, they can still be quite effective, especially in the Android ecosystem where individuals can download apps from third-party app stores and providers directly. The quarantine in the United States and many other countries has meant that far fewer people are going to banks in person and are relying on mobile apps for more and more transactions, a situation that is highly attractive for attackers.

“With city, state, and local governments urging or mandating social distancing, Americans have become more willing to use mobile banking as an alternative to physically visiting branch locations. The FBI expects cyber actors to attempt to exploit new mobile banking customers using a variety of techniques, including app-based banking trojans and fake banking apps,” the FBI warning issued Wednesday says.

One of the most effective and insidious techniques that attackers use in mobile banking attacks involves a screen overlay that obscures the legitimate login page of a banking app. In many cases, a seemingly benign app such as a game or a utility will be used to conceal malware that is designed to wait for the user to launch a target banking app. At that point, the malware will activate and create a login screen that is identical to the legitimate one the user expects to see.

“Cyber actors target banking information using banking trojans, which are malicious programs that disguise themselves as other apps, such as games or tools. When the user launches a legitimate banking app, it triggers the previously downloaded trojan that has been lying dormant on their device,” the FBI warning says.

“The trojan creates a false version of the bank's login page and overlays it on top of the legitimate app. Once the user enters their credentials into the false login page, the trojan passes the user to the real banking app login page so they do not realize they have been compromised.”

One of the best defenses against typical mobile banking attacks is to use two-factor authentication, which most major banks offer now. Strong 2FA can prevent many types of mobile banking attacks from succeeding, including the screen overlay and credential theft variants that are most common.

<![CDATA[Critical Flaw Patched in Windows SMB]]> dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/critical-flaw-patched-in-windows-smb https://duo.com/decipher/critical-flaw-patched-in-windows-smb Wed, 10 Jun 2020 00:00:00 -0400

Microsoft’s June patch release included fixes for nearly 130 vulnerabilities across its product line, one of which stands out as an attractive target for attackers.

The vulnerability is a critical remote code execution bug in the Server Message Block (SMB) v1 protocol that is present in most of the current server and desktop versions of Windows. SMB is the protocol that Windows uses to send files and share resources across networks and version 1 is an older iteration, although it’s still included in newer Windows releases. The SMB protocol has seen more than its share of vulnerabilities over the years, and attackers have taken advantage of SMB in a number of high-profile intrusions, including the WannaCry ransomware incident.

On Tuesday, Microsoft released a patch for a new vulnerability that can be exploited remotely to take control of servers running SMBv1.

“A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server,” the Microsoft advisory says.

“To exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.”

The vulnerability affects many current versions of Windows, including Windows Server 2008, Server 2012, Server 2016, Server 2019, Windows 7, 8.1, and 10.

In addition to the fix for SMBv1, Microsoft also released patches for two separate vulnerabilities in SMBv3 that are less serious, but can also cause problems for enterprises. One of the bugs is a denial-of-service problem, while the other is an information disclosure issue.

“A denial of service vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests. An authenticated attacker who successfully exploited this vulnerability against an SMB Server could cause the affected system to crash. An unauthenticated attacker could also exploit this vulnerability against an SMB client and cause the affected system to crash,” the advisory says.

“To exploit the vulnerability against a server, an authenticated attacker could send a specially crafted packet to a targeted SMBv3 server. To exploit the vulnerability against a client, an unauthenticated attacker would need to configure a malicious SMBv3 server and convince a user to connect to it.”

The information disclosure vulnerability is similar, but would only allow an attacker to gather some information about the target system.

“There is commonality between all these vulnerabilities however, and it is that mitigation can be accomplished via disabling SMBv3 compression, which is stated as having no negative performance impact (yet). There are patches, and patches will always be a solid strategy, but it's nice to know what the alternatives could be,” Richard Tsang, manager of software engineering for security content at Rapid7, said in an analysis of the SMB flaws.

<![CDATA[Flaw in Plug-and-Play Protocol Exposes Devices to Data Theft, DDoS Attacks]]> fahmida@decipher.sc (Fahmida Y. Rashid) https://duo.com/decipher/flaw-in-plug-and-play-protocol-exposes-devices-to-data-theft-ddos-attacks https://duo.com/decipher/flaw-in-plug-and-play-protocol-exposes-devices-to-data-theft-ddos-attacks Tue, 09 Jun 2020 00:00:00 -0400

'CallStranger' vulnerability affects billions of UPnP devices

Attackers can target a vulnerability in the Universal Plug and Play (UPnP) protocol to steal data, scan networks, and launch distributed denial-of-service attacks, a security researcher said.

The UPnP vulnerability, CallStranger (CVE-2020-12695), allows attackers to bypass security tools such as data leak prevention (DLP) and firewalls to scan enterprise networks and enter areas on the network they shouldn't be able to access from outside the network, said Yunus Çadırcı, senior cybersecurity manager at EY Turkey, who discovered the vulnerability late last year. Attackers can also potentially abuse connected devices to launch DDoS attacks via TCP amplification and exfiltrate data from vulnerable UPnP-capable devices.

“Billions of UPNP devices on the local network and millions of UPnP devices on the Internet are exposed,” Çadırcı wrote. “CallStranger is a protocol vulnerability, thus almost all UPnP devices (and probably yours) must be updated.”

The UPnP protocol, designed more than 20 years ago, simplifies home and enterprise networking by allowing devices to discover each other on local networks and establish connections to exchange files, share resources (such as printers), and synchronize workloads. Many common Internet-connected devices support UPnP, such as enterprise routers, printers, video cameras, videogame consoles, and smart TVs.

Having UPnP accessible on the Internet is “generally considered to be a misconfiguration,” and there are many devices which are misconfigured in this way, US-CERT said in an advisory. A Shodan scan shows approximately 5.5 million devices with UPnP exposed to the Internet, and that is showing only a subset of vulnerable devices.

Details of the Flaw

The Callback header value in the UPnP SUBSCRIBE function can be controlled by an attacker and enables an SSRF [server-side request forgery]-like vulnerability, said Çadırcı. The SUBSCRIBE method allows network nodes to register a URL to receive callbacks under specific conditions. However, UPnP doesn't implement any form of authentication or verification that the callbacks are coming legitimately from devices on the local network. Since the callback URL is not restricted to the local network, an attacker could potentially send TCP packets containing a malformed callback header value in the SUBSCRIBE function from outside the network. The attacker would be targeting the remote device's Internet-facing interface, but the code would be executed by the UPnP function, which usually runs on internal ports.

The attacker can use the malformed header to take advantage of any connected device which supports UPnP and is accessible on the Internet, such as security cameras, printers, routers, videogame consoles, and smart TVs.

An attacker could harness millions of vulnerable UPnP devices to launch a DDoS attack by bouncing and amplifying TCP traffic between the devices. Çadırcı said it was likely that botnets would begin targeting the vulnerability on consumer devices for this purpose.

“A remote attacker could exploit this vulnerability to cause a distributed denial-of-service condition,” US-CERT said in an alert.

Impact on Enterprises

While consumer devices are vulnerable, the “biggest risk” is probably for enterprises as data can be stolen from vulnerable devices, Çadırcı said. Internet service providers are also at risk.

Since UPnP is so widely used, the attack surface has increased for most organizations, said Curtis Simpson, CISO of Armis. Enterprises already struggle with getting a clear picture of how many IoT devices they have on their network, and the fact that attackers can bypass firewalls and other security tools means there are now more opportunities for bad actors to break into enterprise environments. Bad actors may use the vulnerability in reconnaissance attacks to scan the network, or launch attacks against internal systems.

Çadırcı reported the protocol vulnerability to the Open Connectivity Foundation on Dec. 12. Traditionally, researchers publicly disclose vulnerabilities after 90 days, but Çadırcı gave vendors and ISPs extra time to investigate and deal with the issue. OCF updated the UPnP 2.0 specification in April to address the vulnerability. Devices built or configured after April 17 are likely using the newer specification and would not be vulnerable. Everything else would need to be updated to close the flaw.

"Because this is a protocol vulnerability, it may take a long time for vendors to provide patches," Çadırcı said.

The CallStranger website lists products from major vendors such as Microsoft, Cisco, Broadcom, and Samsung that are known to be vulnerable. Çadırcı also published proof-of-concept scripts on GitHub that defenders can use to determine if any of their devices are susceptible to the flaw.

"Manufacturers of affected devices are in the process of determining its impact," Tenable wrote in a blog post. "As a result, we anticipate newly affected devices will be reported and patches will be released over time for devices still receiving product support."

Enterprise defenders shouldn't just wait for CallStranger patches from vendors, because it will take a while for those updates to be rolled out. Many of these connected devices will need a firmware update, and most of them don't have a mechanism to receive and install one. Many devices will just never get patched and will continue putting the organization at risk until they are replaced with newer units.

Protocol vulnerabilities tend to linger for a very long time, said Simpson. While protocols themselves are standardized, hardware and software providers are the ones that have to update their products once the protocols are updated. This makes patching a multi-step process, Simpson said. The number of vulnerable devices will naturally decrease over time as devices fail and are replaced, but patching itself may not make a significant dent.

"Less mature manufacturers and those less concerned about their brand are not likely to patch their code at all," Simpson said.

While waiting for vendors to update the devices, there are steps enterprise defenders can take, such as checking their logs for any suspicious activity around UPnP, and disabling UPnP services in IP cameras, printers, routers, and other devices if there isn’t a business need to have them, Çadırcı said. Defenders should also block all SUBSCRIBE and NOTIFY HTTP packets in traffic. One option is to evaluate whether unsecured UPnP devices even need to be on the network.
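The flaw described in the details section comes down to a device honouring any CALLBACK URL a SUBSCRIBE request hands it; the defensive check below, an added example that is not Çadırcı's proof-of-concept or any vendor's code, shows what restricting callbacks to the local network looks like for a device or a filtering proxy, and a log-style audit of the same requests. The sample requests, the 192.168.1.0/24 "local" network and the 203.0.113.0/24 documentation range standing in for an Internet host are all constructed.

```python
"""Validate the CALLBACK header of a UPnP (GENA) SUBSCRIBE request (illustrative)."""
import ipaddress
import re
from urllib.parse import urlsplit

# Networks this device treats as local (constructed for the example).
LOCAL_NETWORKS = [ipaddress.ip_network("192.168.1.0/24")]

# GENA wraps each callback URL in angle brackets: CALLBACK: <url1><url2>
CALLBACK_URL_RE = re.compile(r"<([^>]*)>")


def parse_request(raw):
    """Split a raw HTTP/GENA request into (method, path, headers)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if line:
            name, _, value = line.partition(":")
            headers[name.strip().upper()] = value.strip()
    return method, path, headers


def callback_problems(callback_header, local_networks=LOCAL_NETWORKS):
    """Return reasons to reject the CALLBACK header; an empty list means OK.

    Only http URLs with an IP-literal host inside a local network pass.
    Hostnames are rejected because verifying one needs a DNS lookup that
    could itself be pointed anywhere.
    """
    urls = CALLBACK_URL_RE.findall(callback_header)
    if not urls:
        return ["no <url> entries in CALLBACK"]
    problems = []
    for url in urls:
        parts = urlsplit(url)
        if parts.scheme != "http" or not parts.hostname:
            problems.append(f"{url}: not an http URL with a host")
            continue
        try:
            addr = ipaddress.ip_address(parts.hostname)
        except ValueError:
            problems.append(f"{url}: hostname instead of IP literal")
            continue
        if not any(addr in net for net in local_networks):
            problems.append(f"{url}: {addr} is outside the local networks")
    return problems


def audit_subscribe(raw_request, local_networks=LOCAL_NETWORKS):
    """Decide whether a SUBSCRIBE should be honoured; returns (accept, reasons)."""
    method, _path, headers = parse_request(raw_request)
    if method != "SUBSCRIBE":
        return False, [f"not a SUBSCRIBE request: {method}"]
    if "CALLBACK" not in headers:
        # A renewal carries a SID instead of CALLBACK, so there is no URL to check.
        if "SID" in headers:
            return True, []
        return False, ["neither CALLBACK nor SID header present"]
    problems = callback_problems(headers["CALLBACK"], local_networks)
    return not problems, problems


def build_subscribe(callback):
    """Construct a sample SUBSCRIBE request (test data, not captured traffic)."""
    return ("SUBSCRIBE /upnp/event/basicevent1 HTTP/1.1\r\n"
            "HOST: 192.168.1.1:49152\r\n"
            f"CALLBACK: {callback}\r\n"
            "NT: upnp:event\r\n"
            "TIMEOUT: Second-1800\r\n\r\n")


LAN_REQUEST = build_subscribe("<http://192.168.1.50:8080/notify>")
OFFNET_REQUEST = build_subscribe("<http://192.168.1.50:8080/notify><http://203.0.113.7:80/>")
HOSTNAME_REQUEST = build_subscribe("<http://callback.example.net/>")

if __name__ == "__main__":
    for name, req in (("LAN callback", LAN_REQUEST),
                      ("off-net callback", OFFNET_REQUEST),
                      ("hostname callback", HOSTNAME_REQUEST)):
        print(f"{name:18}", audit_subscribe(req))
```

Run over captured SUBSCRIBE requests instead of the constructed ones, the same function doubles as the "check your logs for suspicious activity around UPnP" step: any rejection with an outside address is a subscription a local-only eventing service had no reason to see.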

ISPs can put some pressure on vendors to update the devices. They should also block access to widely used UPnP control and eventing ports accessible on the public internet.

<![CDATA[IBM Releases Open Source Encryption Toolkit]]> fahmida@decipher.sc (Fahmida Y. Rashid) https://duo.com/decipher/ibm-releases-open-source-encryption-toolkit https://duo.com/decipher/ibm-releases-open-source-encryption-toolkit Mon, 08 Jun 2020 00:00:00 -0400

When data is encrypted while at rest, it cannot be used or read by unauthorized parties. Data in transit can be encrypted so that someone can’t intercept the information and try to read the contents. However, it is harder to protect the data when it is in use. That is the problem IBM is hoping to address with its open source toolkits implementing fully homomorphic encryption (FHE).

“The common methods of storing and sharing sensitive data with colleagues and partners have weak links. Today, files are often encrypted in transit and at rest, but decrypted while in use. This provides hackers and insiders with repeated opportunities to exfiltrate unencrypted data. FHE plugs these holes. It allows the manipulation of data by permissioned parties while it remains encrypted, minimizing the time it exists in its most vulnerable state,” said Flavio Bergamaschi, a senior research scientist at IBM Research.

The IBM Fully Homomorphic Encryption Toolkits are intended to allow developers to experiment with FHE and make it easier to incorporate FHE into their applications. The toolkits are currently available on GitHub for macOS and iOS. Android and Linux versions are expected at some point. The kits include platform-specific IDE configuration, a complete sample program, and the dependency libraries needed to build applications using HElib, a mature and versatile encryption library. For example, the iOS toolkit includes a program to run a query against an encrypted database to find the names of the capital cities of various European countries.

“Now, in the time it takes most people to brew a pot of coffee or declutter a desk, developers can follow simple instructions to get up and running with a FHE toolkit,” said Eli Dow, a researcher at IBM Research.

Since FHE lets data be shared and used without exposing it during processing, it is ideal for sensitive applications such as those used in the financial and healthcare industries. FHE can also be used to selectively restrict decryption capabilities, so people can see only the portions of a file that they are entitled to, and are necessary for them to do their work, Bergamaschi said.

IBM released the core library for FHE as open source back in 2013. Developers need more than just a library—they need working code, tutorials, documentation, and use cases to use the library successfully, Dow said. The toolkits will help developers as they rethink traditional programming models, especially since they will have to make some changes to the application's business logic to handle the fact that the data never gets decrypted.

A developer interested in implementing “privacy-preserving search,” or when users get their search results without their queries being exposed to the provider, could use FHE to access the encrypted database. The sample program in the iOS toolkit is an example of a privacy-preserving search. FHE could also be used in machine learning applications where the model is trained using encrypted data, Dow said.

“For example, what if all the health care providers on the planet could pool fully encrypted patient records to allow analytics on patient data without divulging anything about the individuals involved. Think of the progress that could be made with regards to treating certain kinds of diseases!” Dow said.

IBM invented FHE in 2009, but it remained on the "cryptographic shelf" because the complex computations made it slow, and the amount of computing power required made it impractical for real applications, Bergamaschi said.

“In recent years, thanks to algorithmic advancements, Fully Homomorphic Encryption has reached an inflection point where its performance is becoming practical. This has revolutionized security and data privacy and how we outsource computation to untrusted clouds,” IBM said.

The toolkits are not final and will be changing as the community grows around these tools.

“We wanted to quickly put them out to get the technology into the hands of early adopters who want to make these concepts less abstract and more concrete as we look to build up a community of users and use cases,” Bergamaschi said.