Foreword:

Microsoft RDP protocol is one of the main focuses of bad actors in these days. There are reports for numerous successful breaches in small and medium sized organizations with heavy use of RDP from outside. The reasons for that is the protocol has security flaws, this article will cover the latest of them, but also most of the time it was setup some time ago and the authentication for it is weak which means it is prone to brute-force-attacks. Most modern IPS do not catch RDP based brute-force-attacks without any additional tuning or professional SoC, none of which is usually present or indeed a priority in small and mid-sized business due to costs.

New vulnerability, CVE-2019-0708, was found in the “remote desktop services” component built into supported versions of Windows, including Windows 7, Windows Server 2008 R2, and Windows Server 2008.

It also is present in older versions such as Windows XP and Windows 2003, operating systems for which Microsoft long ago stopped shipping security updates, but they are still frequently in use within organizations.

Microsoft director of incident response Simon Pope described the vulnerability with the following: “While we have observed no exploitation of this vulnerability, it is highly likely that malicious actors will write an exploit for this vulnerability and incorporate it into their malware,”

This vulnerability is marked as critical because of its nature – the vulnerability is at the pre-authentication level with means that strong credentials do not help, and it virtually requires NO user intervention. Also, the vulnerability in question is marked as wormable, which means when an exploit is created it can easily be incorporated into more complex malware and be used to automatically try to exploit and spread vertically inside an organization with RDP enabled and unpatched, quite similar to WannaCry EternalBlue SMB exploit. This scenario makes up for a potentially fast and wide spread malware.

Microsoft released 16 updates on the 19th of May targeting at least 79 security holes in Windows and related software — nearly a quarter of them earning Microsoft’s most dire “critical” rating. Critical bugs are those that can be exploited by malware or bad actors to break into vulnerable systems remotely, without any help from users.

Vulnerable products:

Windows 7, Windows Server 2008 R2, and Windows Server 2008, Windows XP and older versions of Windows

Non-vulnerable products:

Windows 10, Windows 8.1, Windows 8, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, or Windows Server 2012.

How does the attack work?

The attackers send a large number of very small requests from a high-bandwidth pipe behind ISP(s), that allow ip spoofing, destined at a large list of publicly accessible application servers. The attacker is spoofing the source IP on all these requests to the target public IP address. All servers are made to respond with much larger packets to the requests, wrongfully directing all that traffic towards the unsuspecting target. The idea is to cripple either the target server/device or to congest its internet pipe, both causing Denial of Service.

How to protect yourself:

If any of the three components outlined above is not available, then there is no way to perform a successful Amplification attack.

Simple steps can make a bit difference.

  1. First never use or allow open to everyone RDP access from outside. Check your current Firewall settings for allowing RDP connections from ANY on the outside. Use alternative access into your organization via corporate Remote VPN with 2 Form-factor authentication.
  2. Disable unused applications.
  3. If application needs to be used make sure it regularly patched and has all security updates
  4. Have a second layer of security – up to date endpoint protection, advanced network threat protection to stop the spread in case of breach
  5. Backup your servers and valuable data regularly – this would help you recover of problem in case the security updates/patches break something or in case of a breach (ransomware or destruction of information).

Used materials:

https://krebsonsecurity.com/2019/05/microsoft-patches-wormable-flaw-in-windows-xp-7-and-windows-2003/

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708

Foreword:

At the end of Oct, Cisco announced a vulnerability in its ASA OS and Firepower FTP running products.

The vulnerability is based on the SIP inspection code that handles SIP signaling packets.

The vulnerability:

The FW do inspection on protocols for various reasons, NAT fixup, added security, discovery of dynamic port connections and allowing traffic to pass via the firewall etc. The SIP inspection is part of the default Global Inspection Policy that is enabled on the device, meaning all firewalls with default configuration for inspection are affected.

A bombardment of a high-rate specifically crafted SIP requests can impact the firewall (high CPU load) and cause legitimate traffic to cease hence causing a Denial of Service.

There is currently no software updates from Cisco to address this vulnerability. All mitigation options are based on additional configuration and listed below

Affected Products:

This vulnerability affects Cisco ASA Software Release 9.4 and later and Cisco FTD Software Release 6.0 and later on both physical and virtual appliances if SIP inspection is enabled and the software is running on any of the following Cisco products. Worth noticing is that SIP inspection is enabled by default

NOTE: Older (EOL) Cisco ASA 5500 series are NOT affected (due to older code). Also the Virtual ASA (ASA 1000V) is not affected

Determining if your product is vulnerable:

Check your current running software versions

For ASA:

ciscoasa# show version | include Version

If version is above 8.4 then it is vulnerable

For Firepower FTD:

> show version

If version is above 6.0 then it is vulnerable

Is my firewall under attack?

During an active attack you will be able to see large number of connections coming to your firewall on port 5060 (traditional SIP port and the one the Cisco devices are listening to in order to perform the inspection).

The following command will show the current SIP connections, they will be listed as incomplete as the source of the DoS only actively bombards the firewall without closing the SIP connection.

show conn port 5060

Another useful command is:

show processes cpu-usage non-zero sorted

This will show you the current cpu usage per process. Typical high CPU values will be observed during the attack. A continuous exploit of this vulnerability will cause continues high-CPU and could cause the device to crash and reload itself

Another indicator of compromise for this attack is a sudden reload after a network slowdown and the presence of a crashfile

show crashinfo

After the device boots up again, the output of show crashinfo will show an unknown abort of the DATAPATH thread

Workaround (Mitigation):

There are several options, all limiting the allowance of these SIP packets to reach or overwhelm the device

1. Disable SIP inspection

Have SIP inspection only if you are actively using it. Our experience with SIP inspection is that usually it is not required (not all customers are doing SIP trunks from inside the organization to a IP Telephony provider in the cloud). Even if SIP is in use, most SIP providers would actively ask you to disable the SIP inspection as Cisco is slow on updating it comparing to how fast SIP protocol changes. SIP providers would ask you just to open specific port ranges and not rely on this inspection due to multiple reasons.

To disable SIP inspection, configure the following:

For Cisco ASA Software
policy-map global_policy
class inspection_default
no inspect sip

For Cisco FTD Software Releases
configure inspection sip disable

Note: This command is issued from the FTD CLI.

2. Actively block IP address(es) of the attackers

You can always actively block (by ACL) the offending IP address that you are seeing via the show conn port 5060. You need also to clear the existing connection issuing clear conn address

Other option is the old shun command that blocks all traffic from certain source IP

shun

This does not survice a reload

3. Filter out based on the SIP attributes

Most observed attacks use an SIP attribute of Sent-by Address that is set to 0.0.0.0. That is not typical behavior for a valid SIP communication, the attack can also be confirmed by doing a packet capture and noticing the amount of packets arriving from a SIP address you are not expecting. You can read the packet captures, check for the Sent-by address and if values are set to 0.0.0.0 and previous methods of mitigation are not valid for your environment then you can proceed and implement this change

regex VIAHEADER “0.0.0.0”

policy-map type inspect sip P1
parameters
match message-path regex VIAHEADER
drop

policy-map global_policy
class inspection_default
no inspect sip
inspect sip P1

4. Rate limit all SIP traffic

Not a great option as that could also influence legitimate traffic, however SIP is the signaling protocol for setting up voip connections, so in nature it should not be very chatty.

You can use the Cisco MPF (Modular Policy Framework) to create a policy and match the SIP traffic and then set a rate limit on this traffic so it would not cause the high cpu spike. Configuration can vary here, so it needs to be done by an expert on product or an external capable consultant.

Resources:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181031-asaftd-sip-dos

https://www.theregister.co.uk/2018/11/02/cisco_sip_warning/

New vulnerability discovered in Cisco ASA, ASAx and Firepower devices

A new vulnerability was publicly announced last Friday (22th of June). It effects all current Cisco ASA devices (all models) and Firepower appliances (please see full list below).

It allows a remote attacker to execute a DoS (Denial-Of-Service) attack towards the vulnerable device and potentially extract sensitive data from the device (credential usernames and active sessions). It exploits the HTTP(S) service on the devices and uses directory traversal to try to gather sensitive data and potential reload the device. The vulnerability is possible due to lack of proper input validation of the HTTP URLs.

The discovery was made by a Polish Security researcher named Michal Bentkowski and was initially shared only with Cisco, giving time for Cisco to prepare patches and updates to its software. There have already been real-life attempts in exploiting this vulnerability due its lack of complexity and how easy it is to do it – there is already a couple of scripts on the internet to automate the process (see links below). Cisco states there is no work-around for this problem and all its customers are urged to upgrade to the patched software that Cisco has released prior to the unveiling of the vulnerability.

How to check if your devices are vulnerable:

If you have not patched your devices since the 22th of June and are using ASDM/CSM or Anyconnect on a publicly facing interface then it is very likely you are affected.

Simple steps to validate if your devices are vulnerable

1. Check if your devices is listening on SSL ports

 ciscoasa# show asp table socket | include SSL|DTLS

Look for open sockets on public facing interfaces

2. Check for presence of a process called Unicorn Proxy Thread, if this process is present, your device is considered vulnerable

ciscoasa# show processes | include Unicorn
Mwe 0x0000557f9f5bafc0 0x00007f62de5a90a8 0x0000557fa52b50a0
 3632 0x00007f62c8c87030 30704/32768 Unicorn Proxy Thread 218

Look for open sockets on public facing interfaces

Affected models:

Fixed Releases:

Customers should upgrade to an appropriate release as indicated in the following tables.

Cisco ASA Software

Cisco ASA Software ReleaseFirst Fixed Release for This Vulnerability
Prior to 9.11Migrate to 9.1.7.29
9.1 9.1.7.29
9.29.2.4.33
9.3 Migrate to 9.4.4.18
9.49.4.4.18
9.5Migrate to 9.6.4.8
9.69.6.4.8
9.79.7.1.24
9.89.8.2.28
9.99.9.2.1

Cisco FTD Software

Cisco FTD Software ReleaseFirst Fixed Release for This Vulnerability
6.0Migrate to 6.1.0 HotFix or later
6.0.1Migrate to 6.1.0 HotFix or later
6.1.0Cisco_FTD_Hotfix_EI-6.1.0.7-2.sh (all FTD hardware platforms except 41xx and 9300)
Cisco_FTD_SSP_Hotfix_EI-6.1.0.7-2.sh (41xx and 9300 FTD hardware platforms)
6.2.0Not vulnerable
6.2.1Migrate to 6.2.2.3
6.2.26.2.2.3
6.2.36.2.3.1
6.2.3-851
6.2.3-85.02

Related articles:

If  you would like any help or guidance please contact www.4cornernetworks.com today.

Foreword:

Malware has evolved so much in recent years and the trend is to keep evolving with ever increasing pace. Traditional Firewalls that use old technologies such as stateful firewalling are not capable of detecting / preventing most of the modern threats. The restricted use of traditional firewalls to lower the attack surface is not sufficient and not effective anymore. Vulnerabilities get discovered every day, many of them critical, server administrators often lack the required knowledge to protect/patch their devices. Endpoints (desktops/laptops/smartphones) are constantly at risk due to the fact bad “actors” are constantly coming up with clever ways to bypass traditional defenses and deliver malware, quite often exploiting the weakest link (the users), companies cannot cope with training users in the field of IT security quick enough.

Before, now and future

It is obvious that additional security on the network layer is mandatory. But the controls that are to be used must meet certain criteria, they must be what the industry call Next-Generation Firewall, meaning the device should be able to identify users, applications, do advanced threat protection using different methods (signatures, reputation, sandboxing) and provide detailed reports/logs for pro-active and reactive (forensics) purposes. All current high-end vendors on the market provide this Next-Gen FW capability. Cisco has done something very clever, it decided many years ago (after the purchase of Sourcefire) that it would integrate the Sourcefire functionality into its Firewall technology and is dominating the market with its next generation ASA products. The result was a very flexible solution, albeit a bit cumbersome to configure. The client has the option to enable just the ASA functionality and hence have only a stateful Firewall, or also add the advanced Sourcefire Next-Gen FW capabilities. Cisco even sells all current devices (the 5500 X series) with a built in Firepower (Cisco rebranded Sourcefire into Firepower) capability. A significant number of customers are actively replacing the older ASAs with new X series ones. Many without enabling the Firepower capability. As mentioned briefly above, the reasons for this decision vary but the main one was the added complexity and the separate management that the Firepower needed. This translates into added cost, as usually these skills are not available internally and had to be sourced from outside consulting companies. Also, the Firepower product cannot just be configured and forgotten about but needs small adjustments and manual intervention from time to time, again adding to the operational costs.

With more customers adopting and embracing the Firepower solution, the solution has matured, especially after the introduction of Firepower 6.1. Installation, integration and support have become more user friendly. Which meant operational costs have reduced significantly. Transition between pure ASA and ASA + Firepower was streamlined and could be done within days and without any downtime for the customer. A small investment in purchasing the licenses for Firepower, as customers already had the hardware, and the additional consulting services could in fact be the difference between a secure network and a compromised one. We all know that this is a very bad and expensive experience. This investment made would immediately start to pay off and ensure a completely different way of securing your network that cannot be compared to the archaic traditional firewalls. In the future Cisco and many other vendors will completely get remove stateful only Firewall devices. Cisco is going to replace all ASA with the new appliances capable of running a united operating system – the Firepower Threat Defense. The switch to this is inevitable, so there are no benefits whatsoever for waiting. The work for the transition/migration must be done and the sooner the better. Simply put, there is more protection and security provided to all resources behind the Firewall.

Conclusion:

We urge to our customers not to wait until it is too late. Don’t be reactive to a compromised network, take the initiative today and avoid the inevitable.

If you already have the ASA X series deployed there are just a few simple steps to attain all the benefits from the most advanced Intrusion Prevention system at the moment.

Why wait? Contact 4CornerNetworks today to discuss.

https://4cornernetworks.com/contact/

History:

In the last months and years we have seen multiple DDoS attacks based on amplification techniques (DNS, NTP, Chargen, SSDP)

A new amplification attack was spotted in the last week of February (25th – 27th of February).

It is, by far, the strongest amplification attack we had and it is based on the Memcached protocol running on UDP port 11211.

Sources at CloudFlare state the attack reached 257Gbps.

Why the Memcached Protocol?

The answer is simple, it supports UDP which is stateless (which is necessary for amplification attacks), it lacks any form of authentication, and when it turns out it provides excellent ratio in amplification (the difference between the size of the trigger packet and the response).

Amplification ratio in the attack was around x10000 times but the protocol itself is capable of x51200.

The attack stats detected on CloudFlare show UDP datagrams with 1400B size. The number of packets peaked to 23Mpps which measures to the reported total 257Gbps of bandwidth. And that is a lot, it can cause very serious outages.

How does an amplification attack work and how it can be prevented?

To successfully lunch an amplification attack you need 3 components:

  1. Capability to spoof IP packets, meaning access to a high-bandwidth pipe on ISP that does not do a solid job in securing anti-spoofing
  2. Application/Protocol that is amplification friendly – UDP based, no authentication, protocol allowing large responses to be created based on small requests
  3. Reflector servers running a suitable protocol – These are servers that are reachable from Internet and that are going to respond to requests

How does the attack work?

The attackers send a large number of very small requests from a high-bandwidth pipe behind ISP(s), that allow ip spoofing, destined at a large list of publicly accessible application servers. The attacker is spoofing the source IP on all these requests to the target public IP address. All servers are made to respond with much larger packets to the requests, wrongfully directing all that traffic towards the unsuspecting target. The idea is to cripple either the target server/device or to congest its internet pipe, both causing Denial of Service.

How can Amp Attacks be prevented?

If any of the three components outlined above is not available, then there is no way to perform a successful Amplification attack.

Simple steps can make a bit difference.

  1. ISP should always adhere to the strict anti-spoofing rules and allow outbound traffic only from sources belonging to their IP ranges.
  2. Developers should think about security when creating new applications and protocols. UDP should be avoided unless low-latency is needed, and if UDP is used, the protocol should have some form of authentication and should never allow a reply to a request ratio bigger than 1. Meaning all replies should be smaller or equal to the request that generate them.
  3. Administrators should correctly “firewall” their servers and allow access to the services to whomever needs them; and not the whole Internet. Certain types of responses might be blocked from within the application or at Firewall level.

Related articles:

https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/

So far, the 2018 has been catastrophic for Intel.

Three major vulnerabilities were found in a very short span of time, and Intel team cannot catch up fast enough with the patching and the security updates.

The newest one is from the 12th of Jan and disclosed by a Finnish Security Company (F-Secure). It uses a bug in the AMT (Active Management Technology) feature of certain Intel based systems. The AMT was designed as a helping tool for administrators to assist with managing their vast fleet of endpoints but bad implementation makes all of these devices completely unsecure when physically accessible.

The attack is extremely simple and allows for anybody (without any particular technical skills) to launch it. Basically, the baddy needs only to reload/shutdown and power up the endpoint that has Intel AMT enabled, then despite all authentications (like BIOS password or OS authentication) the baddy needs only to do Ctrl+P during book process (which takes him/her to MEBx (Management Engine BIOS extension) login and use the default password (admin) to login. Next steps are simple, change the password so nobody can access and change back the settings or disabled the AMT, and allow remote access to the endpoint (there is even an option to not allow the legal user to stop this. After that physical access to the endpoint is not needed, the attacker can manage the machine as long they are on the same network (wireless or wired). The attack is dangerous, because it’s so simple to implement, takes no more than 30 seconds, gives full access to the endpoint and bypasses other security controls. The recommended actions to protect AMT enabled endpoints are quite logical: change default pass to complex secure password, disabled AMT if you are not using it, and keep an eye on your endpoint and do not give anybody else physical access to it.

We have all heard by now about the other major vulnerabilities that were recently disclosed, namely the famous Meltdown and Spectre. We will not discuss in detail how these attacks work as that was already covered in detail and available from many sources but would like to summarise how this is affecting end users and other vendors in the chain.

First, the official and best way to be protected against these two attacks is to change the chips but obviously that is not really a feasible solution for many end users and companies. Major OS vendors have taken steps to patch their respective OS.

Microsoft has patched Windows 10 fairly quickly and just recently (9th of Jan) patched Windows 7 and 8 for the Meltdown vulnerability. A note – users are urged to check if the patches were successfully installed as some anti-virus systems (including Windows Defender and Microsoft Security Suit) can prevent the patch to be installed.

Apple has been bold in saying despite all their systems being vulnerable to Meltdown and Spectre, there is no well-known exploits impacting their customers. Still Apple released released mitigations in iOS 11.2, macOS 10.13.2, and tvOS 11.2.

Android – Google has released its patches on the monthly security patch on the 5th of Jan. However, they would immediately become available only for pure Google phones (Pixel and Nexus), all the rest of the android users need to wait for their retrospective vendors to release patches.

Firefox browser – Mozzila released a patch and recommends all user to update Firefox to version 57.0.4.

Chrome – The patch is included in the new 64 bit version of the browser that will be released on the 23th of Jan. If you want added security Google recommends you use the Site Isolation experimental feature.

Linux – the Linux kernel developers have reacted quickly and patches are available for most used kernel versions.

Due to the nature of the attack (possibility of seeing memory from other applications) the virtualization platforms were badly affected. The two largest vendors, VMware and Citrix however, have decided to take completely different actions courses.

VMware released security patches for all of his affected major products – ESXi, Fusion and Workstation. We need to note here that the patch helps only with Meltdown attack.

Citrix has decided not to release security patches but transfer the risk to its clients and recommends them to check for any patches on 3rd party software.

It is worth mentioned also that most of the OS based patches (not browser patches) are created only to protect again the Meltdown attack as the Spectre is harder to patch and security experts believe it will be around for some months and maybe years to come.

Related materials:

https://thehackernews.com/2018/01/intel-amt-vulnerability.html

https://thehackernews.com/2018/01/meltdown-spectre-patches.html

https://thehackernews.com/2018/01/meltdown-spectre-vulnerability.html

Malware is evolving constantly. The threat landscape is so dynamic that yesterday’s news is not news today. The malware business is a full-blown industry that can easily size up with the IT security industry.

Recent major security breaches:

NiceHash, the largest Bitcoin mining marketplace, has been hacked, which resulted in the theft of more than 4,700 Bitcoins worth over $57 million (at the time of breach) – more than 70 million now. The breach is reported to have happened via vulnerability on their website.

Teamviewer vulnerability – critical vulnerability discovered in the software that could allow users sharing a desktop session to gain complete control of the other’s PC without permission.

By using naked inline hooking and direct memory modification, in addition, the PoC allows users to harness control of the mouse without altering settings and permissions.

Uber – Uber’s October 2016 data breach affected some 2.7 million UK users, it has now been revealed. Uber did not disclose until now and paid a ransom (100k USD). Lawsuits to follow. Information held by a third-party cloud service provider used by Uber was accessed by the two hackers.

PayPal subsidiary breach – ID Theft for 1.6 Million Customers. PayPal Holdings Inc. said that a review of its recently acquired company TIO Networks showed evidence of unauthorized access to the company’s network, including some confidential parts where the personal information of TIO’s customers were stored.

Numerous unidentified security vulnerabilities were found in the platform (bugs that lead to security related vulnerabilities). Evidence of a breach discovered. Forensics are under way.

Equifax – breach allowed 15.2 million UK records to be made public (and 145 Million US records). Bad guys used a known vulnerability in an internet accessible service for initial penetration.

Recent Apple Root vulnerability – Any Mac system running macOS High Sierra 10.13.1 or 10.13.2 beta was vulnerable. There was no real exploit, you just typed root for username and keep the password empty and keep pressing enter and after several tries you are logged in with root rights.  A logic error existed in the validation of credentials or simply a bug.

Malware

Making malware today has become more available. Malware development processes does not differentiate much from any software development, people use online available sources for much of the code, and will combine it together to their liking and purpose. A lot of the bad guys would also release the code for their creations which can later be changed and further modified (example Petya and NotPetya). Even code stolen from the government cyber agencies is now used in modern malware (example EternalBlue use in multiple malware as a way of effective horizontal spread – used in WannaCry).

Another typical trend in malware these days is to be modular. It will install and run multiple services on the infected host in specific order after the initial infection.

1st stage – there is always the initial infection – usual methods here are unpatched vulnerability of a running service or in the cases of more advanced malware – the use of Zero-Day vulnerability. Example here is the EternalBlue exploit of the SMBv1 service. Usually the delivery of the exploit is via Internet on accessible services or once inside the organization, horizontally meaning within the internal networks of the organization. That stage ends with having temporary access to the system and dropping off the malware in questions

2nd stage – privilege escalation – will try to gather credentials from the infected device in different ways – cracking the specific files on the system that holds the accounts, trying to locate account information on the local drives, or even brute-forcing credentials. These credentials will be leveraged for either privilege escalation on that machine or access to other similar machines on the network and infecting them.

3rd stage – installing a backdoor. Making sure the access is permanent

4th stage – doing the job. Downloading all necessary pieces of malware to finish the job.  If that is a crypto virus it will download the tools to encrypt the sensitive files, also change desktop or even download application to show the user the ransom note, a tool to clean keys and traces of the encryption etc.

5th stage – spread, can be done again by using vulnerable services within the organization or by leveraging any credentials that are discovered in the privilege escalating process and using legit sys admin management channels such as WMI and PSExec. Sometimes the spread can be done before or simultaneously with the 4th stage as not to warn the organization of its presence before it managed to infect multiple systems.

Types of malware:

It is very hard to categorize malware these days. Most traditional classification such as: virus, worm, trojan, backdoor does not really cut it anymore as most modern malware shares the features of all of them (again example WannaCry, it is a virus, it is a worm as it spreads itself and it is a backdoor as it does install a hidden unauthorized way into the compromised system, and on top of that does encryption).

Ransomware – attacks aimed at making money by forcing victims to pay for accessing again their personal files

DDoS attacks – attacks aimed at crippling or disabling services at the victim

Attacks aimed at stealing sensitive information – attacks aimed at spying on users and gathering sensitive data – credentials, S/N, banking details, impersonating info (DOB etc.), private communications etc

Zombie/Botnet – attacks that rely on the collective resources of multiple compromised hosts that are managed by a central C&C (command and control). Can be used for multiple things, DDoS, span relay, stealing sensitive information from users

APT attacks – Advanced Persistent Attacks. Specially crafted attacks, usually used in nation-state cyber activities. Example could be the attack versus Iranian Nuclear Program

IoT related attacks – again these blur with other, as normally the compromised IoT devices are used for other kind of attacks (DDoS). This kind of IoT are very typical these days, the IoT devices are cheap network connected devices that were not designed with security in mind. The Mirai attack was a shining example on how powerful attacks can be executed using a Botnet of compromised IoT devices (DYN case). Furthermore, the number of IoT will continue to grow.

Mobile devices – attacks that are specific for mobile devices, most dangerous ones are compromised apps that go under the radar and give away sensitive information from the smart phone (ID theft, or sell personal info to ad companies, or steal financial data (credit card info etc.)). There are no such thing as free apps, they steal data from you and use it in illegal way to monetize it and make profit.

Phishing / Spear-Headed Phishing – Becoming more and more popular, bad actors will put in the effort now to get to know the victim so they can deliver the malware content in a shape and form that is interesting to the target

Some top Cyber Security Trends:

  1. Less number of security breaches (due to more investments in in IT Security) reported globally but more impact upon breach.
  2. More time is needed for the detection of breached (average time in 2016 was 80.6 days, in 2017 it is 92.2 days)
  3. Predictions of crime damage costs to sky rocket in the next 3 years (by 2021) to 6 Trillion USD
  4. Successful phishing and ransomware attacks are climbing
  5. Global ransomware damage cost estimated to exceed 5 Billion USD by the end of 2017

Data was gathered by CSO 2017 Cyber Security report (csoonline.com)

Summary of the evolution of Security Controls

Advanced IPS systems have replaced the traditional status firewalls. They incorporate multiple security technologies (signatures, behavior analytics, heuristics, sandboxing, central intelligence feeds etc.), to be able to successfully detect intrusion events and malware.

Logging and alerting are hugely important for each organization to be able to both proactively secure your network but in case of a breach to re-actively do forensics

DLP is becoming more popular as numerous breaches that year were connected to leaked sensitive information (ID theft in the Equifax and Uber)

The focus of the security has shifted in the recent years from the network to the endpoint. Network and endpoint security controls should collaborate to create a strong security posture for your organization

Security has become closely connected to intelligence. All major security vendors syphon off as much data from the internet as they can just, so they can filter through it in a strive to find first the zero-day exploits and provide first adequate protection for their customers. All parts of the network infrastructure can be used as sensors and deliver intelligence data to a centralized place that provides the analysis (big data).

New extremely large Botnet is being built – Nicknamed IoTroop or IoT Reaper

Remember Mira? The worm that prayed on unsecure IoT devices. It managed to spread and gain control using quite a simple method to gain entry – reusing the hard-coded or default password for IoT devices which were well-known by then, and the spreading was done via the EthernalBlue SMB exploit.

Now security researchers at CheckPoint and NetLab360 claim there is a new botnet being formed (called IoTroop or Reaper). This time the methods used to gain unauthorized entry are more sophisticated – no more trying to exploit traditional hardcoded and default password or to brute-force easy passwords, the Reaper malware tries to exploit different known vulnerabilities that IoT and home network devices have (more than 12 different popular vendors including Linksys, Netgear, D-Link, AVTECH and GoAhead have numerous vulnerabilities already discovered, list and links in the related articles below). The Reaper code constantly evolves, the guys behind it seems to add new exploits into the code based on new vulnerabilities being published openly on the Internet.

Another key difference between Mirai and Reaper is that as Mirai was extremely aggressive in scanning and trying to hop between network and infect other systems (which makes it easily detectable by security controls), the Reaper is stealthier in its way of spreading and tries to stay under the radar for as long as possible.

The likelihood of a successful exploit is quite high due to the fact that traditional home users do not tend to pay much attention to security and are very likely not to have patched their devices.

All sources claim this new botnet will be much bigger and stronger than Mirai – The NetLab360 researchers are claiming the C2 communication they see confirms more than 20k bots per control server and they have estimated more than 2 million vulnerable devices out there that are ripe for the infection. There is a great possibility the total number of bots can swell quite heavily in the coming weeks.

What is at stake here? How will this botnet be used?

At this stage, it is still very early to predict how this botnet will be used but most likely DDoS attacks are on the roadmap – the previous smaller Mirai successfully managed to do a DDoS with more than 1Tbps of traffic (both to Dyn internet infrastructure giant which brought down many popular web services down and French hosting company OVH).

IoT general security problems

The problems with IoT is the inherited lack of security (saying inherited because manufactures do not take security into account when building the devices) and the ever-growing number of IoT devices being deployed by users who are not savvy in networking or security best-practices (changing of default passwords, patching, lowering the attack surface). These two large issues combined with the large number of devices out there (the trend is more and more IoT devices to be manufactured and connected online) really poses quite a large security threat to the Internet community.

Some good news:

Different efforts to secure IoT devices are on the roadmap, US lawmakers are trying to pass a legislative action into forcing hardware IoT manufactures to start taking security into account and not spill out junky unsecure devices.

Also, some of the creators and botnet administrators of the Mirai, have now been arrested and expecting trial and effective sentences. This clearly shows there will be consequence for all actions related to running a botnet and malicious cyber behavior, this must be a deterrent for any future black-hats out there.

New ransomware on the loose

Remember WannaCry and Nyatya, aka NotPetya (a variant of Petya) ransomwares. There is a new one around the corner (initial spotting is on the 24th Oct), again spread predominately in the East Europe (Ukraine, Poland, Bulgaria) and Russia but also in Japan, Germany, South Korea and the USA. It is a changed version of NotPetya. It uses usually a drive-by download on hacked sites to trick the user to run a fake Flash Player installer. The horizontal spread within the compromised network this time is NOT based on the EthernalBlue SMB exploit, but Bad Rabbit uses an open tool MimiKatz to try to extract any login credentials on the infected machine and reuse them to spread itself via legit Windows management protocols such as WMI and SMB to other devices. It also uses a hard-coded list with most commonly used passwords to try to brute-force credentials access.

Most current antivirus and endpoint protection software will detect Bad Rabbit and there is a known Windows Registry based vaccination that can prevent a machine from getting infected, but Bad Rabbit shows the ransomware trend is still strong and not likely to quiet down anytime soon.

Relevant articles:

https://krebsonsecurity.com/2017/10/reaper-calm-before-the-iot-security-storm/

http://blog.netlab.360.com/iot_reaper-a-rappid-spreading-new-iot-botnet-en/

https://4cornernetworks.com/nyatya-wiper-malware-disguised-ransomware/

https://4cornernetworks.com/wannacry-crypto-virus-outbreak/

https://securelist.com/bad-rabbit-ransomware/82851/

We live in interesting times

There is a Chinese proverb/curse saying: May you live in interesting times?

Why is this intended as a curse? Maybe living in interesting times means living in challenging times.

The security environment is so dynamic these days, it is certainly interesting to see how things change all the time, vulnerabilities are found almost every day, exploits are being developed at a whopping pace and even for professionals, just keeping up with it all is very challenging.

In the last two weeks there have been quite a few major security events/discoveries

Starting with KRACK ATTACK (announced 18th of Oct), which our blog already covered https://4cornernetworks.com/krackattack-kraken-wi-fi-wpa2/ but there are new things around the corner.

New VPN/crypto attack – DUNK (Don’t Use Hard-coded Keys) attack

With KRACK attack still going on strong there is a new one that involves breaking cryptography. This one however does not take advantage of the control messages in WPA-2 to allow sniffing of user data but exploits weak software implementation for the ANSI X9.31 RNG. Until quite recently the  ANSI X9.31 RNG was used to generate cryptographic keys that secure VPN connections and web browsing sessions.

A team of security researchers from the University of Pennsylvania and John Hopkins University found a vulnerability that affects devices using the ANSI X9.31 Random Number Generator (RNG) in conjunction with a hard-coded seed key. The DUHK attack allows “attackers to recover secret encryption keys from vulnerable implementations to decrypt and read communications passing over VPN connections or encrypted web sessions”.

The attack has been confirmed to work on Fortinet devices running FortiOS 4.3.0 to FortiOS 4.3.18. The necessary requirement (all of them need to be met) for a device to be vulnerable to the DUHK are:

Also, the attacker needs to be able to observe passively the encrypted handshake traffic.

The X9.31 was widely deployed in the past and was even part of the FIPS approved random number generation algorithms set until January 2016. There is a big chance a lot of VPN implementations are still using it.

There is a CVE for this vulnerability: CVE-2016-8492:

Here are the general recommendations:

  1. If you are a Fortinet client, please make sure your FortiOS is not running versions 4.3.0 to 4.3.18, or else upgrade asap.
  2. If you are running any cryptographic software still using the X9.31 generator, reconfigure it to use other random number generator or replace/upgrade software.
  3. Always stick to the latest security approved cryptographic algorithms when creating VPNs. Legacy VPN should be reconfigured to follow the latest practices

Related articles:

https://4cornernetworks.com/krackattack-kraken-wi-fi-wpa2/

https://duhkattack.com/

Wi-Fi is everywhere, everything is on Wi-Fi now, phones, tablets, laptops, even home PCs, game consoles, smart devices (IoT), sensors etc. The security of WiFI is imperative, and has been entrusted to the WPA2 protocol. For that protocol, thus far all exploits have been connected to guessing the security key (hence reliant on customers having a weak key) or surrounding technologies (WPS for example) or older implementation such as the TKIP.

None of them were successful against a strong security-minded implementation.

Until today.

The attack – high-level breakdown of how the attack works and which devices are affected

An extremely interesting paper was released (16th October 2017) by its author, Mathy Vanhoef, this paper would rock the world of Wi-Fi as shines light on how to exploit the WPA2 protocol in such a way as to be able to decrypt the user data.

How does the attack work?

The attack does not allow the attacker to join the protected WiFi, nor does it break the encryption key. The attack is focused on the management plane in the WPA2, more precisely on 4-way handshake exchange during the client join.  It is achieved by manipulating and replaying handshake messages. By replaying message 3 of the handshake the attacker has the ability reinstall an already used nonce instead of a fresh key (a replay is allowed by the protocol because messages can be lost due to low signal etc). To guarantee security, an encryption key combination (key+nonce) should be used only once, then different versions of it (different nonce) should be used. Reusing the same key and nonce allows the attacker to derive the keystream, which combined with knowing a portion of the data that is encrypted and the already encrypted data, is enough to decrypt the rest of the data.

The attacker is positioning himself/herself in the middle of the handshake between the AP and the client by using a spoofed WiFI SSID with same name and making the client join his SSID by advising him to switch channels (hence the attack works best if the client has stronger signal to the attacker than to the legit AP). Only when this man-in-the-middle is completed can the attacker manipulate this handshake (as described above) and starting decrypting what the user sends.

Who is affected? – Practically every Wi-Fi enabled client, as again this is an attack towards the WPA2 protocol itself which all vendors needed to follow in their implementations, so this is not a scenario when the exploit is possible due to bugs in the code.

Android and Linux are the ones that are easier to compromise to the fact they mostly (41% of the devices out there) use wpa supplicant version 2.4. With them the code developers have followed a WPA2 standard advice to delete the nonce after its use so when the replay of message 3 happens the nonce that is used is comprised only from zeros making it trivial to decrypt. Further finding from the same author describe the possibility for that attack to work (with few changes) also towards wpa_supplicant 2.6 and iOS and freeBSD clients. This latest update brings the percentage of vulnerable supplicant to a very high number (as the author states, if you have a phone it is most likely vulnerable).

Impact:

We are sending out massive amount of sensitive data using Wi-Fi these days. Username and passwords are just the start, but credit card information, personal IDs, emails, private pictures etc. I guess nobody wants that data to be shared and read by others. Furthermore, the top choice device for many of these, is your smart phone, which in fact is the most vulnerable type of client device (see Conclusions chapter below).

So, what is next?

Do we go back to WPA or WEP or wait for WPA3?

Answer is no, WPA is also vulnerable and WEP is even less secure, WPA2 can be amended (both as a protocol and as implementation in software) and will continue to be used. It is recommended that WPA2 with CCMP is used, as TKIP and GCMP are even easier to break and attackers can not only listen to data but also manipulate data so malware can be injected into the traffic.

How to protect ourselves

Only the software update can mitigate this attack. Keep a close eye to the vendor announcement and patch as soon as they release the security patch for this exploit. Some of the patches may be silently releases and installed on your devices but please make sure you have them.

Actions like changing your PSK password and such do not make any difference (remember, the attack does not reveal this password nor lets the attacker join your network).

Deploy additional levels of encryption that is independent of the WPA2, such as SSL/TLS or IPSec. In the example on the krackattack page, they were only able to read the data from the web site after striping the SSL from it which in fact is a misconfiguration on the website itself.

Conclusion

The current threat is obviously for the end devices, not the infrastructure devices (APs etc). I expect that Microsoft, Apple and other commercial major OS vendors will react very fast and will silently patch (if they have not done so already). That would be sufficient for laptops and PCs with enabled Wi-Fi. A bigger problem will be for smart phone users, every Android vendor (Samsung, HTC etc) dictates its patching schedules, so I am not expecting a fast reaction from them. Apple runs its own devices so I expect faster reaction.

Having put the spotlight on client devices and not infrastructure, it is mandatory to mention that this new type of attack and the sure-to-come spin-offs from it will lead to new attacks towards infrastructure devices.

Cisco has numerous products that are found vulnerable and still investigating many more for that possibility.

Related materials:

https://www.krackattacks.com/

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171016-wpa

As you probably know the Equifax (one of the three big credit bureaus in North America and UK) announced it was breached (discovered unauthorized access) on the 29th of July. So far, the predictions are that this leak of sensitive personal data impacts over 143 Million American, Canadian and British citizens.

What is a credit bureau? – an organization that makes money by gathering and compiling huge amount of data (personal and financial) about customers and selling it to 3rd party marketers with the purpose of being able to provide a credit score for a certain individual to prove that customers’ financial capability when obtaining credit.

Obviously, these incredibly detailed dossiers contain tons of sensitive information that could be used to impersonate a person for either financial gain or to cause harm.

Historically speaking, all credit bureaus have encountered problems keeping their sensitive information secure, Experian for example had a breach in 2015 which exposed data for over 15 Million people.

Analysis of the breach:

As investigation is on the way (after the detection of the breach in July, Equifax has hired a security company to investigate all details of the breach and the depth of the data leakage and to do proper forensics), there are few released details on what really happened. But what is known so far is very troubling and does not look good for Equifax cyber-security posture. The official statement from Equifax is that the attackers broke into the company’s systems by exploiting an application vulnerability and then gained access to certain files. No mention of the exact vulnerability used which facilitated the breach. The fact that there is no mention of zero-day vulnerability (unknown flow), which could in fact make Equifax less culpable and makes sense for them to highlight, means that the vulnerability was known, meaning that Equifax were not patching on time their internet accessible public services nor had properly configured advanced IPS or security control in place, both are a must when you operate with such highly sensitive data. Other security best practices were obviously not followed by allowing the attackers to get real data after breaching an internet edge service.

Mistakes made:

  1. A long delay in announcing the breach. This could be explained with the ongoing internal investigation but still the delay could have been used by hackers to their advantage to harm Equifax customers.
  2. Equifax reaction after the announcement

Equifax came up with a plan to offer some kind of post factum sense of security to its customers and announced a new portal (www.equifaxsecurity2017.com) where its customers might be able to check if their personal and financial information was amongst the ones that were stolen. However, this portal did not give any such information but usually it was either not working (gave System Unavailable message probably due to high load) or was experiencing certificate issues and hence has been blocked by many web security solutions (such as Cisco OpenDNS) or when they finally got it to work – was giving unclear information, a possible scheduled date for enrolling to another service (credit protection) called TrustedID. On top of that some security researchers have noticed that this output is being presented whether the customer presents real data (the portal asks for Last name and last 6 digits of social security number) or fake made up one. Seems this portal is nothing but an attention diversion from the real problem.

  1. Equifax had problems with the company security vision/leadership

Equifax until recently was looking to hire a vice president of security (they see that position to fulfil the role of a CISO). This position is vital for a company which possess such sensitive information and should not be left vacant. Cyber-security is a mindset and it takes time and persistence to be built. It should always come from the top positions in a large company and have the backing of top managers.

Lessons to learn:

Some simple cyber-security lessons to learn

  1. Know your assets and their value, this will give you an idea on how much you need to invest in protecting these assets
  2. Know the risks to your assets and what impact would a damage or leakage have on your company
  3. Have a strategy/vision that is supported and driven by top management
  4. Take action to put that strategy in place
  5. Have a plan in case of a breach, that would help you react and restore your positions, gain back trust from your customers and do proper analysis/forensics of the breach

More materials:

https://krebsonsecurity.com/2017/09/breach-at-equifax-may-impact-143m-americans/

A new malware Nyetya (combination of words from Nye Petya, meaning NOT Petya), also known as Petrwrap and GoldenEye has been spreading globally over the last 24 hours.

This virus is distinct from WannaCry and other initially suspected variants, it has some unique new features which makes it harder to detect and defend against, clearly showing that today’s malware landscape is an evolving space. This rapidly changing threat landscape has a number of factors including; leaked tools from government agencies, more advanced security controls that require advanced malware (the cat and mouse game) or just because attackers are more determined and more capable.

Other popular researchers (links below) say Nyetya is more of a nation (state) attack towards a specific country (Ukraine) that is disguised as ransomware so its true nature would remain hidden in the shadow of recent WannaCry ransomware.

Some Characteristics of Nyetya and why it is different

  1. There is recent research that showed Nyetya, despite having major resemblance to Petya ransomware, in fact does not keep a copy of the encrypted MTL (Master File Table) and MBR (Master Boot Record) that it replaces with the random note. That means that even in the case that the user gets its decryption keys there is nothing to decrypt. This behavior resembles specific type of malware called Wiper Malware. All machines that are infected cannot be recovered. Also, the email for contract with the attackers is now disabled so there is no possibility for getting the decryption keys. Obviously, the attackers have not intended to milk the ransom and get rich for their efforts.
  2. It encrypts the master boot record, which makes the whole system unusable and causes more damage. Previous crypto viruses (ransomware) were encrypting specific file extensions
  3. It does not use a common attack vector from the Internet

It does not infect by scanning ports for vulnerable services, nor uses phishing (mails with crafted content with specific covert malware links), nor file attachments or web sites that host malicious content. Instead the initial way in was via an update in a polular accounting software in Ukraine (called MeDoc). The software was tricked into auto-updating with a malicious file (Perfc.dat). Once it is inside it uses the Eternal Blue (SMBv1) exploit to spread (same as WannaCry) but also two other administrative tools (PSexec and WMI) which in general are valid and legitimate tools used inside a network. The use of these tools would not raise any alarms on network security controls. The malware is capable of stealing the current user’s token and use it to distribute itself to other devices via PSexec (still unclear how it is able to steal the token) or again to steal the current user credentials and use them via WMI.

  1. No external Internet scans

There is no evidence of external scans (from the internet) in order to locate unpatched SMB services. The only scans that the virus conducts are horizontal, once it is inside the protected network. That makes the virus very hard to detect as most organisations do not have visibility within their network for such activity

  1. No Command and Control functionality

The virus does not use C&C so any reputation based security controls cannot detect it. IP addresses/domains reputation is widely used to detect zero-day attacks and to monitor the spread of the virus. That does not seem feasible protection from Nyetya

  1. Special attention has been paid to cleaning up any remaining data and logs

All of these unique characteristics point to the fact that cyber criminals have changed their tactics (after the failure of WannaCry due to the incidental but timely discovery of the killswitch) and want the malware spread to be as stealthy as possible.

Protecting yourself from the attack

A short summary of techniques necessary to protect against the attacks are listed below. These cannot be undertaken in isolation and it is assumed that good security practices are already in place such as disaster recovery strategy as well security control such anti-malware controls.

  1. Patch your systems (MS17-010 should be applied), close off any SMBv1 services (disable)
  2. Do not use admin/elevated privileged accounts for normal users
  3. Monitor your network and endpoints for PSexec and WMI communication and try to establish if that is valid communication (could be based on which one the administrators use and also the time of the day)
  4. Monitor your internal network segments using an IDS/IPS

Which type of network security controls are best suited to discover and prevent malware spread?

While other forms of malware attack may have been stopped by reputation based or email and web security controls, neither would have been effective in this instance. An essential tool in the armoury of security controls is endpoint security such as Cisco AMP for Endpoints, which actively analyse the behaviour of executable files on the system and perform sandboxing.

IDS/IPS network controls are able to catch lateral scans and spread via SMBv1 exploit only if they can see the traffic (actively monitoring traffic on the same logical domain).  The most common IDS/IPS deployment model is on the Internet edge, as this malware does not use external scans or gets distributed via normal Internet related channels (mail and web) these controls are not effective.

Following general security best practises is also beneficial – having backup of important systems/files, having proper application visible monitoring on the network and trying to detect unusual behavior, that of course requires both the tools and the people (analyst).

Used materials:

http://blog.talosintelligence.com/2017/06/worldwide-ransomware-variant.html

http://thehackernews.com/2017/06/petya-ransomware-wiper-malware.html

https://www.wired.com/story/petya-ransomware-ukraine/

© 4CornerNetworks - Website by Roslin Design
4CornerNetworks is the trading name of 4CornerNetworks Ltd
Registered Address: 27 The Mount, Rickmansworth, Hertfordshire WD3 4DW
Company Registration Number: 07920761
Registered in England
chevron-down