IoT Reaper Ransomware

New Ransomware on the loose

IoT Reaper Ransomware

New extremely large Botnet is being built – Nicknamed IoTroop or IoT Reaper

Remember Mira? The worm that prayed on unsecure IoT devices. It managed to spread and gain control using quite a simple method to gain entry – reusing the hard-coded or default password for IoT devices which were well-known by then, and the spreading was done via the EthernalBlue SMB exploit.

Now security researchers at CheckPoint and NetLab360 claim there is a new botnet being formed (called IoTroop or Reaper). This time the methods used to gain unauthorized entry are more sophisticated – no more trying to exploit traditional hardcoded and default password or to brute-force easy passwords, the Reaper malware tries to exploit different known vulnerabilities that IoT and home network devices have (more than 12 different popular vendors including Linksys, Netgear, D-Link, AVTECH and GoAhead have numerous vulnerabilities already discovered, list and links in the related articles below). The Reaper code constantly evolves, the guys behind it seems to add new exploits into the code based on new vulnerabilities being published openly on the Internet.

Another key difference between Mirai and Reaper is that as Mirai was extremely aggressive in scanning and trying to hop between network and infect other systems (which makes it easily detectable by security controls), the Reaper is stealthier in its way of spreading and tries to stay under the radar for as long as possible.

The likelihood of a successful exploit is quite high due to the fact that traditional home users do not tend to pay much attention to security and are very likely not to have patched their devices.

All sources claim this new botnet will be much bigger and stronger than Mirai – The NetLab360 researchers are claiming the C2 communication they see confirms more than 20k bots per control server and they have estimated more than 2 million vulnerable devices out there that are ripe for the infection. There is a great possibility the total number of bots can swell quite heavily in the coming weeks.

What is at stake here? How will this botnet be used?

At this stage, it is still very early to predict how this botnet will be used but most likely DDoS attacks are on the roadmap – the previous smaller Mirai successfully managed to do a DDoS with more than 1Tbps of traffic (both to Dyn internet infrastructure giant which brought down many popular web services down and French hosting company OVH).

IoT general security problems

The problems with IoT is the inherited lack of security (saying inherited because manufactures do not take security into account when building the devices) and the ever-growing number of IoT devices being deployed by users who are not savvy in networking or security best-practices (changing of default passwords, patching, lowering the attack surface). These two large issues combined with the large number of devices out there (the trend is more and more IoT devices to be manufactured and connected online) really poses quite a large security threat to the Internet community.

Some good news:

Different efforts to secure IoT devices are on the roadmap, US lawmakers are trying to pass a legislative action into forcing hardware IoT manufactures to start taking security into account and not spill out junky unsecure devices.

Also, some of the creators and botnet administrators of the Mirai, have now been arrested and expecting trial and effective sentences. This clearly shows there will be consequence for all actions related to running a botnet and malicious cyber behavior, this must be a deterrent for any future black-hats out there.

New ransomware on the loose

Remember WannaCry and Nyatya, aka NotPetya (a variant of Petya) ransomwares. There is a new one around the corner (initial spotting is on the 24th Oct), again spread predominately in the East Europe (Ukraine, Poland, Bulgaria) and Russia but also in Japan, Germany, South Korea and the USA. It is a changed version of NotPetya. It uses usually a drive-by download on hacked sites to trick the user to run a fake Flash Player installer. The horizontal spread within the compromised network this time is NOT based on the EthernalBlue SMB exploit, but Bad Rabbit uses an open tool MimiKatz to try to extract any login credentials on the infected machine and reuse them to spread itself via legit Windows management protocols such as WMI and SMB to other devices. It also uses a hard-coded list with most commonly used passwords to try to brute-force credentials access.

Most current antivirus and endpoint protection software will detect Bad Rabbit and there is a known Windows Registry based vaccination that can prevent a machine from getting infected, but Bad Rabbit shows the ransomware trend is still strong and not likely to quiet down anytime soon.

Relevant articles:

https://krebsonsecurity.com/2017/10/reaper-calm-before-the-iot-security-storm/

http://blog.netlab.360.com/iot_reaper-a-rappid-spreading-new-iot-botnet-en/

https://4cornernetworks.com/nyatya-wiper-malware-disguised-ransomware/

https://4cornernetworks.com/wannacry-crypto-virus-outbreak/

https://securelist.com/bad-rabbit-ransomware/82851/

VPN Crypto Attack

New VPN/crypto attack – DUNK (Don’t Use Hard-coded Keys) attack

VPN Crypto Attack

We live in interesting times

There is a Chinese proverb/curse saying: May you live in interesting times?

Why is this intended as a curse? Maybe living in interesting times means living in challenging times.

The security environment is so dynamic these days, it is certainly interesting to see how things change all the time, vulnerabilities are found almost every day, exploits are being developed at a whopping pace and even for professionals, just keeping up with it all is very challenging.

In the last two weeks there have been quite a few major security events/discoveries

Starting with KRACK ATTACK (announced 18th of Oct), which our blog already covered https://4cornernetworks.com/krackattack-kraken-wi-fi-wpa2/ but there are new things around the corner.

New VPN/crypto attack – DUNK (Don’t Use Hard-coded Keys) attack

With KRACK attack still going on strong there is a new one that involves breaking cryptography. This one however does not take advantage of the control messages in WPA-2 to allow sniffing of user data but exploits weak software implementation for the ANSI X9.31 RNG. Until quite recently the  ANSI X9.31 RNG was used to generate cryptographic keys that secure VPN connections and web browsing sessions.

A team of security researchers from the University of Pennsylvania and John Hopkins University found a vulnerability that affects devices using the ANSI X9.31 Random Number Generator (RNG) in conjunction with a hard-coded seed key. The DUHK attack allows “attackers to recover secret encryption keys from vulnerable implementations to decrypt and read communications passing over VPN connections or encrypted web sessions”.

The attack has been confirmed to work on Fortinet devices running FortiOS 4.3.0 to FortiOS 4.3.18. The necessary requirement (all of them need to be met) for a device to be vulnerable to the DUHK are:

  • It uses the X9.31 random number generator
  • The seed key used by the generator is hard-coded into the implementation
  • The output from the random number generator is directly used to generate cryptographic key
  • At least some of the random numbers before or after those used to make the keys are transmitted unencrypted. This is typically the case for SSL/TLS and IPsec.

Also, the attacker needs to be able to observe passively the encrypted handshake traffic.

The X9.31 was widely deployed in the past and was even part of the FIPS approved random number generation algorithms set until January 2016. There is a big chance a lot of VPN implementations are still using it.

There is a CVE for this vulnerability: CVE-2016-8492:

Here are the general recommendations:

  1. If you are a Fortinet client, please make sure your FortiOS is not running versions 4.3.0 to 4.3.18, or else upgrade asap.
  2. If you are running any cryptographic software still using the X9.31 generator, reconfigure it to use other random number generator or replace/upgrade software.
  3. Always stick to the latest security approved cryptographic algorithms when creating VPNs. Legacy VPN should be reconfigured to follow the latest practices

Related articles:

https://4cornernetworks.com/krackattack-kraken-wi-fi-wpa2/

https://duhkattack.com/

KRACKATTACK – the kraken of the Wi-Fi WPA2

Wi-Fi is everywhere, everything is on Wi-Fi now, phones, tablets, laptops, even home PCs, game consoles, smart devices (IoT), sensors etc. The security of WiFI is imperative, and has been entrusted to the WPA2 protocol. For that protocol, thus far all exploits have been connected to guessing the security key (hence reliant on customers having a weak key) or surrounding technologies (WPS for example) or older implementation such as the TKIP.

None of them were successful against a strong security-minded implementation.

Until today.

The attack – high-level breakdown of how the attack works and which devices are affected

An extremely interesting paper was released (16th October 2017) by its author, Mathy Vanhoef, this paper would rock the world of Wi-Fi as shines light on how to exploit the WPA2 protocol in such a way as to be able to decrypt the user data.

How does the attack work?

The attack does not allow the attacker to join the protected WiFi, nor does it break the encryption key. The attack is focused on the management plane in the WPA2, more precisely on 4-way handshake exchange during the client join.  It is achieved by manipulating and replaying handshake messages. By replaying message 3 of the handshake the attacker has the ability reinstall an already used nonce instead of a fresh key (a replay is allowed by the protocol because messages can be lost due to low signal etc). To guarantee security, an encryption key combination (key+nonce) should be used only once, then different versions of it (different nonce) should be used. Reusing the same key and nonce allows the attacker to derive the keystream, which combined with knowing a portion of the data that is encrypted and the already encrypted data, is enough to decrypt the rest of the data.

The attacker is positioning himself/herself in the middle of the handshake between the AP and the client by using a spoofed WiFI SSID with same name and making the client join his SSID by advising him to switch channels (hence the attack works best if the client has stronger signal to the attacker than to the legit AP). Only when this man-in-the-middle is completed can the attacker manipulate this handshake (as described above) and starting decrypting what the user sends.

Who is affected? – Practically every Wi-Fi enabled client, as again this is an attack towards the WPA2 protocol itself which all vendors needed to follow in their implementations, so this is not a scenario when the exploit is possible due to bugs in the code.

Android and Linux are the ones that are easier to compromise to the fact they mostly (41% of the devices out there) use wpa supplicant version 2.4. With them the code developers have followed a WPA2 standard advice to delete the nonce after its use so when the replay of message 3 happens the nonce that is used is comprised only from zeros making it trivial to decrypt. Further finding from the same author describe the possibility for that attack to work (with few changes) also towards wpa_supplicant 2.6 and iOS and freeBSD clients. This latest update brings the percentage of vulnerable supplicant to a very high number (as the author states, if you have a phone it is most likely vulnerable).

Impact:

We are sending out massive amount of sensitive data using Wi-Fi these days. Username and passwords are just the start, but credit card information, personal IDs, emails, private pictures etc. I guess nobody wants that data to be shared and read by others. Furthermore, the top choice device for many of these, is your smart phone, which in fact is the most vulnerable type of client device (see Conclusions chapter below).

So, what is next?

Do we go back to WPA or WEP or wait for WPA3?

Answer is no, WPA is also vulnerable and WEP is even less secure, WPA2 can be amended (both as a protocol and as implementation in software) and will continue to be used. It is recommended that WPA2 with CCMP is used, as TKIP and GCMP are even easier to break and attackers can not only listen to data but also manipulate data so malware can be injected into the traffic.

How to protect ourselves

Only the software update can mitigate this attack. Keep a close eye to the vendor announcement and patch as soon as they release the security patch for this exploit. Some of the patches may be silently releases and installed on your devices but please make sure you have them.

Actions like changing your PSK password and such do not make any difference (remember, the attack does not reveal this password nor lets the attacker join your network).

Deploy additional levels of encryption that is independent of the WPA2, such as SSL/TLS or IPSec. In the example on the krackattack page, they were only able to read the data from the web site after striping the SSL from it which in fact is a misconfiguration on the website itself.

Conclusion

The current threat is obviously for the end devices, not the infrastructure devices (APs etc). I expect that Microsoft, Apple and other commercial major OS vendors will react very fast and will silently patch (if they have not done so already). That would be sufficient for laptops and PCs with enabled Wi-Fi. A bigger problem will be for smart phone users, every Android vendor (Samsung, HTC etc) dictates its patching schedules, so I am not expecting a fast reaction from them. Apple runs its own devices so I expect faster reaction.

Having put the spotlight on client devices and not infrastructure, it is mandatory to mention that this new type of attack and the sure-to-come spin-offs from it will lead to new attacks towards infrastructure devices.

Cisco has numerous products that are found vulnerable and still investigating many more for that possibility.

Related materials:

https://www.krackattacks.com/

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171016-wpa