New vulnerability discovered in Cisco ASA, ASAx and Firepower devices
A new vulnerability was publicly announced last Friday (22th of June). It effects all current Cisco ASA devices (all models) and Firepower appliances (please see full list below).
It allows a remote attacker to execute a DoS (Denial-Of-Service) attack towards the vulnerable device and potentially extract sensitive data from the device (credential usernames and active sessions). It exploits the HTTP(S) service on the devices and uses directory traversal to try to gather sensitive data and potential reload the device. The vulnerability is possible due to lack of proper input validation of the HTTP URLs.
The discovery was made by a Polish Security researcher named Michal Bentkowski and was initially shared only with Cisco, giving time for Cisco to prepare patches and updates to its software. There have already been real-life attempts in exploiting this vulnerability due its lack of complexity and how easy it is to do it – there is already a couple of scripts on the internet to automate the process (see links below). Cisco states there is no work-around for this problem and all its customers are urged to upgrade to the patched software that Cisco has released prior to the unveiling of the vulnerability.
How to check if your devices are vulnerable:
If you have not patched your devices since the 22th of June and are using ASDM/CSM or Anyconnect on a publicly facing interface then it is very likely you are affected.
Simple steps to validate if your devices are vulnerable
1. Check if your devices is listening on SSL ports
ciscoasa# show asp table socket | include SSL|DTLS
Look for open sockets on public facing interfaces
2. Check for presence of a process called Unicorn Proxy Thread, if this process is present, your device is considered vulnerable
ciscoasa# show processes | include Unicorn
Mwe 0x0000557f9f5bafc0 0x00007f62de5a90a8 0x0000557fa52b50a0
3632 0x00007f62c8c87030 30704/32768 Unicorn Proxy Thread 218
Look for open sockets on public facing interfaces
- 3000 Series Industrial Security Appliance (ISA)
- ASA 1000V Cloud Firewall
- ASA 5500 Series Adaptive Security Appliances
- ASA 5500-X Series Next-Generation Firewalls
- ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
- Adaptive Security Virtual Appliance (ASAv)
- Firepower 2100 and 4100 Series Security Appliance
- Firepower 9300 ASA Security Module
- FTD Virtual (FTDv)
Malware has evolved so much in recent years and the trend is to keep evolving with ever increasing pace. Traditional Firewalls that use old technologies such as stateful firewalling are not capable of detecting / preventing most of the modern threats. The restricted use of traditional firewalls to lower the attack surface is not sufficient and not effective anymore. Vulnerabilities get discovered every day, many of them critical, server administrators often lack the required knowledge to protect/patch their devices. Endpoints (desktops/laptops/smartphones) are constantly at risk due to the fact bad “actors” are constantly coming up with clever ways to bypass traditional defenses and deliver malware, quite often exploiting the weakest link (the users), companies cannot cope with training users in the field of IT security quick enough.
Before, now and future
It is obvious that additional security on the network layer is mandatory. But the controls that are to be used must meet certain criteria, they must be what the industry call Next-Generation Firewall, meaning the device should be able to identify users, applications, do advanced threat protection using different methods (signatures, reputation, sandboxing) and provide detailed reports/logs for pro-active and reactive (forensics) purposes. All current high-end vendors on the market provide this Next-Gen FW capability. Cisco has done something very clever, it decided many years ago (after the purchase of Sourcefire) that it would integrate the Sourcefire functionality into its Firewall technology and is dominating the market with its next generation ASA products. The result was a very flexible solution, albeit a bit cumbersome to configure. The client has the option to enable just the ASA functionality and hence have only a stateful Firewall, or also add the advanced Sourcefire Next-Gen FW capabilities. Cisco even sells all current devices (the 5500 X series) with a built in Firepower (Cisco rebranded Sourcefire into Firepower) capability. A significant number of customers are actively replacing the older ASAs with new X series ones. Many without enabling the Firepower capability. As mentioned briefly above, the reasons for this decision vary but the main one was the added complexity and the separate management that the Firepower needed. This translates into added cost, as usually these skills are not available internally and had to be sourced from outside consulting companies. Also, the Firepower product cannot just be configured and forgotten about but needs small adjustments and manual intervention from time to time, again adding to the operational costs.
With more customers adopting and embracing the Firepower solution, the solution has matured, especially after the introduction of Firepower 6.1. Installation, integration and support have become more user friendly. Which meant operational costs have reduced significantly. Transition between pure ASA and ASA + Firepower was streamlined and could be done within days and without any downtime for the customer. A small investment in purchasing the licenses for Firepower, as customers already had the hardware, and the additional consulting services could in fact be the difference between a secure network and a compromised one. We all know that this is a very bad and expensive experience. This investment made would immediately start to pay off and ensure a completely different way of securing your network that cannot be compared to the archaic traditional firewalls. In the future Cisco and many other vendors will completely get remove stateful only Firewall devices. Cisco is going to replace all ASA with the new appliances capable of running a united operating system – the Firepower Threat Defense. The switch to this is inevitable, so there are no benefits whatsoever for waiting. The work for the transition/migration must be done and the sooner the better. Simply put, there is more protection and security provided to all resources behind the Firewall.
We urge to our customers not to wait until it is too late. Don’t be reactive to a compromised network, take the initiative today and avoid the inevitable.
If you already have the ASA X series deployed there are just a few simple steps to attain all the benefits from the most advanced Intrusion Prevention system at the moment.
Why wait? Contact 4CornerNetworks today to discuss.
In the last months and years we have seen multiple DDoS attacks based on amplification techniques (DNS, NTP, Chargen, SSDP)
A new amplification attack was spotted in the last week of February (25th – 27th of February).
It is, by far, the strongest amplification attack we had and it is based on the Memcached protocol running on UDP port 11211.
Sources at CloudFlare state the attack reached 257Gbps.
Why the Memcached Protocol?
The answer is simple, it supports UDP which is stateless (which is necessary for amplification attacks), it lacks any form of authentication, and when it turns out it provides excellent ratio in amplification (the difference between the size of the trigger packet and the response).
Amplification ratio in the attack was around x10000 times but the protocol itself is capable of x51200.
The attack stats detected on CloudFlare show UDP datagrams with 1400B size. The number of packets peaked to 23Mpps which measures to the reported total 257Gbps of bandwidth. And that is a lot, it can cause very serious outages.
How does an amplification attack work and how it can be prevented?
To successfully lunch an amplification attack you need 3 components:
- Capability to spoof IP packets, meaning access to a high-bandwidth pipe on ISP that does not do a solid job in securing anti-spoofing
- Application/Protocol that is amplification friendly – UDP based, no authentication, protocol allowing large responses to be created based on small requests
- Reflector servers running a suitable protocol – These are servers that are reachable from Internet and that are going to respond to requests
How does the attack work?
The attackers send a large number of very small requests from a high-bandwidth pipe behind ISP(s), that allow ip spoofing, destined at a large list of publicly accessible application servers. The attacker is spoofing the source IP on all these requests to the target public IP address. All servers are made to respond with much larger packets to the requests, wrongfully directing all that traffic towards the unsuspecting target. The idea is to cripple either the target server/device or to congest its internet pipe, both causing Denial of Service.
How can Amp Attacks be prevented?
If any of the three components outlined above is not available, then there is no way to perform a successful Amplification attack.
Simple steps can make a bit difference.
- ISP should always adhere to the strict anti-spoofing rules and allow outbound traffic only from sources belonging to their IP ranges.
- Developers should think about security when creating new applications and protocols. UDP should be avoided unless low-latency is needed, and if UDP is used, the protocol should have some form of authentication and should never allow a reply to a request ratio bigger than 1. Meaning all replies should be smaller or equal to the request that generate them.
- Administrators should correctly “firewall” their servers and allow access to the services to whomever needs them; and not the whole Internet. Certain types of responses might be blocked from within the application or at Firewall level.
Malware is evolving constantly. The threat landscape is so dynamic that yesterday’s news is not news today. The malware business is a full-blown industry that can easily size up with the IT security industry.
Recent major security breaches:
NiceHash, the largest Bitcoin mining marketplace, has been hacked, which resulted in the theft of more than 4,700 Bitcoins worth over $57 million (at the time of breach) – more than 70 million now. The breach is reported to have happened via vulnerability on their website.
Teamviewer vulnerability – critical vulnerability discovered in the software that could allow users sharing a desktop session to gain complete control of the other’s PC without permission.
By using naked inline hooking and direct memory modification, in addition, the PoC allows users to harness control of the mouse without altering settings and permissions.
Uber – Uber’s October 2016 data breach affected some 2.7 million UK users, it has now been revealed. Uber did not disclose until now and paid a ransom (100k USD). Lawsuits to follow. Information held by a third-party cloud service provider used by Uber was accessed by the two hackers.
PayPal subsidiary breach – ID Theft for 1.6 Million Customers. PayPal Holdings Inc. said that a review of its recently acquired company TIO Networks showed evidence of unauthorized access to the company’s network, including some confidential parts where the personal information of TIO’s customers were stored.
Numerous unidentified security vulnerabilities were found in the platform (bugs that lead to security related vulnerabilities). Evidence of a breach discovered. Forensics are under way.
Equifax – breach allowed 15.2 million UK records to be made public (and 145 Million US records). Bad guys used a known vulnerability in an internet accessible service for initial penetration.
Recent Apple Root vulnerability – Any Mac system running macOS High Sierra 10.13.1 or 10.13.2 beta was vulnerable. There was no real exploit, you just typed root for username and keep the password empty and keep pressing enter and after several tries you are logged in with root rights. A logic error existed in the validation of credentials or simply a bug.
Making malware today has become more available. Malware development processes does not differentiate much from any software development, people use online available sources for much of the code, and will combine it together to their liking and purpose. A lot of the bad guys would also release the code for their creations which can later be changed and further modified (example Petya and NotPetya). Even code stolen from the government cyber agencies is now used in modern malware (example EternalBlue use in multiple malware as a way of effective horizontal spread – used in WannaCry).
Another typical trend in malware these days is to be modular. It will install and run multiple services on the infected host in specific order after the initial infection.
1st stage – there is always the initial infection – usual methods here are unpatched vulnerability of a running service or in the cases of more advanced malware – the use of Zero-Day vulnerability. Example here is the EternalBlue exploit of the SMBv1 service. Usually the delivery of the exploit is via Internet on accessible services or once inside the organization, horizontally meaning within the internal networks of the organization. That stage ends with having temporary access to the system and dropping off the malware in questions
2nd stage – privilege escalation – will try to gather credentials from the infected device in different ways – cracking the specific files on the system that holds the accounts, trying to locate account information on the local drives, or even brute-forcing credentials. These credentials will be leveraged for either privilege escalation on that machine or access to other similar machines on the network and infecting them.
3rd stage – installing a backdoor. Making sure the access is permanent
4th stage – doing the job. Downloading all necessary pieces of malware to finish the job. If that is a crypto virus it will download the tools to encrypt the sensitive files, also change desktop or even download application to show the user the ransom note, a tool to clean keys and traces of the encryption etc.
5th stage – spread, can be done again by using vulnerable services within the organization or by leveraging any credentials that are discovered in the privilege escalating process and using legit sys admin management channels such as WMI and PSExec. Sometimes the spread can be done before or simultaneously with the 4th stage as not to warn the organization of its presence before it managed to infect multiple systems.
Types of malware:
It is very hard to categorize malware these days. Most traditional classification such as: virus, worm, trojan, backdoor does not really cut it anymore as most modern malware shares the features of all of them (again example WannaCry, it is a virus, it is a worm as it spreads itself and it is a backdoor as it does install a hidden unauthorized way into the compromised system, and on top of that does encryption).
Ransomware – attacks aimed at making money by forcing victims to pay for accessing again their personal files
DDoS attacks – attacks aimed at crippling or disabling services at the victim
Attacks aimed at stealing sensitive information – attacks aimed at spying on users and gathering sensitive data – credentials, S/N, banking details, impersonating info (DOB etc.), private communications etc
Zombie/Botnet – attacks that rely on the collective resources of multiple compromised hosts that are managed by a central C&C (command and control). Can be used for multiple things, DDoS, span relay, stealing sensitive information from users
APT attacks – Advanced Persistent Attacks. Specially crafted attacks, usually used in nation-state cyber activities. Example could be the attack versus Iranian Nuclear Program
IoT related attacks – again these blur with other, as normally the compromised IoT devices are used for other kind of attacks (DDoS). This kind of IoT are very typical these days, the IoT devices are cheap network connected devices that were not designed with security in mind. The Mirai attack was a shining example on how powerful attacks can be executed using a Botnet of compromised IoT devices (DYN case). Furthermore, the number of IoT will continue to grow.
Mobile devices – attacks that are specific for mobile devices, most dangerous ones are compromised apps that go under the radar and give away sensitive information from the smart phone (ID theft, or sell personal info to ad companies, or steal financial data (credit card info etc.)). There are no such thing as free apps, they steal data from you and use it in illegal way to monetize it and make profit.
Phishing / Spear-Headed Phishing – Becoming more and more popular, bad actors will put in the effort now to get to know the victim so they can deliver the malware content in a shape and form that is interesting to the target
Some top Cyber Security Trends:
- Less number of security breaches (due to more investments in in IT Security) reported globally but more impact upon breach.
- More time is needed for the detection of breached (average time in 2016 was 80.6 days, in 2017 it is 92.2 days)
- Predictions of crime damage costs to sky rocket in the next 3 years (by 2021) to 6 Trillion USD
- Successful phishing and ransomware attacks are climbing
- Global ransomware damage cost estimated to exceed 5 Billion USD by the end of 2017
Data was gathered by CSO 2017 Cyber Security report (csoonline.com)
Summary of the evolution of Security Controls
- Intrusion Prevention (Advanced Network Threat Detection) becomes a must
Advanced IPS systems have replaced the traditional status firewalls. They incorporate multiple security technologies (signatures, behavior analytics, heuristics, sandboxing, central intelligence feeds etc.), to be able to successfully detect intrusion events and malware.
- Logging and Alerting platforms more important than ever
Logging and alerting are hugely important for each organization to be able to both proactively secure your network but in case of a breach to re-actively do forensics
- Data Loss Prevention is gaining momentum
DLP is becoming more popular as numerous breaches that year were connected to leaked sensitive information (ID theft in the Equifax and Uber)
- Endpoint security/malware is again in the front lines of combating malware
The focus of the security has shifted in the recent years from the network to the endpoint. Network and endpoint security controls should collaborate to create a strong security posture for your organization
- Systemwide threat defense is becoming necessary to adequately protect your organization
Security has become closely connected to intelligence. All major security vendors syphon off as much data from the internet as they can just, so they can filter through it in a strive to find first the zero-day exploits and provide first adequate protection for their customers. All parts of the network infrastructure can be used as sensors and deliver intelligence data to a centralized place that provides the analysis (big data).
+44 (0) 131 516 9771
1745 Broadway, 17th Floor, New York, New York 10019
001 646 2572 160
88 Wood Street, 10th Floor, Wood Street, London, EC2V 7RS
0203 697 0353
Waterfront Plaza, 1750 Montgomery Street, First Floor, San Francisco, Ca 94111
001 415 275 3363