Foreword:

At the end of Oct, Cisco announced a vulnerability in its ASA OS and Firepower FTP running products.

The vulnerability is based on the SIP inspection code that handles SIP signaling packets.

The vulnerability:

The FW do inspection on protocols for various reasons, NAT fixup, added security, discovery of dynamic port connections and allowing traffic to pass via the firewall etc. The SIP inspection is part of the default Global Inspection Policy that is enabled on the device, meaning all firewalls with default configuration for inspection are affected.

A bombardment of a high-rate specifically crafted SIP requests can impact the firewall (high CPU load) and cause legitimate traffic to cease hence causing a Denial of Service.

There is currently no software updates from Cisco to address this vulnerability. All mitigation options are based on additional configuration and listed below

Affected Products:

This vulnerability affects Cisco ASA Software Release 9.4 and later and Cisco FTD Software Release 6.0 and later on both physical and virtual appliances if SIP inspection is enabled and the software is running on any of the following Cisco products. Worth noticing is that SIP inspection is enabled by default

NOTE: Older (EOL) Cisco ASA 5500 series are NOT affected (due to older code). Also the Virtual ASA (ASA 1000V) is not affected

Determining if your product is vulnerable:

Check your current running software versions

For ASA:

ciscoasa# show version | include Version

If version is above 8.4 then it is vulnerable

For Firepower FTD:

> show version

If version is above 6.0 then it is vulnerable

Is my firewall under attack?

During an active attack you will be able to see large number of connections coming to your firewall on port 5060 (traditional SIP port and the one the Cisco devices are listening to in order to perform the inspection).

The following command will show the current SIP connections, they will be listed as incomplete as the source of the DoS only actively bombards the firewall without closing the SIP connection.

show conn port 5060

Another useful command is:

show processes cpu-usage non-zero sorted

This will show you the current cpu usage per process. Typical high CPU values will be observed during the attack. A continuous exploit of this vulnerability will cause continues high-CPU and could cause the device to crash and reload itself

Another indicator of compromise for this attack is a sudden reload after a network slowdown and the presence of a crashfile

show crashinfo

After the device boots up again, the output of show crashinfo will show an unknown abort of the DATAPATH thread

Workaround (Mitigation):

There are several options, all limiting the allowance of these SIP packets to reach or overwhelm the device

1. Disable SIP inspection

Have SIP inspection only if you are actively using it. Our experience with SIP inspection is that usually it is not required (not all customers are doing SIP trunks from inside the organization to a IP Telephony provider in the cloud). Even if SIP is in use, most SIP providers would actively ask you to disable the SIP inspection as Cisco is slow on updating it comparing to how fast SIP protocol changes. SIP providers would ask you just to open specific port ranges and not rely on this inspection due to multiple reasons.

To disable SIP inspection, configure the following:

For Cisco ASA Software
policy-map global_policy
class inspection_default
no inspect sip

For Cisco FTD Software Releases
configure inspection sip disable

Note: This command is issued from the FTD CLI.

2. Actively block IP address(es) of the attackers

You can always actively block (by ACL) the offending IP address that you are seeing via the show conn port 5060. You need also to clear the existing connection issuing clear conn address

Other option is the old shun command that blocks all traffic from certain source IP

shun

This does not survice a reload

3. Filter out based on the SIP attributes

Most observed attacks use an SIP attribute of Sent-by Address that is set to 0.0.0.0. That is not typical behavior for a valid SIP communication, the attack can also be confirmed by doing a packet capture and noticing the amount of packets arriving from a SIP address you are not expecting. You can read the packet captures, check for the Sent-by address and if values are set to 0.0.0.0 and previous methods of mitigation are not valid for your environment then you can proceed and implement this change

regex VIAHEADER “0.0.0.0”

policy-map type inspect sip P1
parameters
match message-path regex VIAHEADER
drop

policy-map global_policy
class inspection_default
no inspect sip
inspect sip P1

4. Rate limit all SIP traffic

Not a great option as that could also influence legitimate traffic, however SIP is the signaling protocol for setting up voip connections, so in nature it should not be very chatty.

You can use the Cisco MPF (Modular Policy Framework) to create a policy and match the SIP traffic and then set a rate limit on this traffic so it would not cause the high cpu spike. Configuration can vary here, so it needs to be done by an expert on product or an external capable consultant.

Resources:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181031-asaftd-sip-dos

https://www.theregister.co.uk/2018/11/02/cisco_sip_warning/

Foreword:

On the 29th of March a company that deals with security in embedded devices, called Embedi published their discovery about a critical vulnerability in most Cisco Switch devices (both running IOS and XE).

The vulnerability (CVE-2018-0171) is based on stack buffer overflow and is possible due to improper validation of packet data in Smart Install Client, a plug-and-play configuration and image-management feature that helps administrators to deploy (client) network switches easily. The service is running on TCP 4786, opened by default and listening when service is enabled (which is by default).

Yet again a new functionality that is meant for easier deployment and potential less operational costs during deployment poses a serious security risk. The vulnerability is deemed as critical because it gives complete access to the device or be used to do a DoS on the device, meaning it can crash the device. What makes the case even worse is that the Smart Install Client functionality is enabled by default.

Initially researchers believed that the vulnerability could only be used for attacks inside an enterprise network due to the communication ports usually not exposed to the Internet or to the fact that many of switch or other devices are only internal, because in a securely configured networks because the recommendation is that Smart Install technology participants should not be accessible through the Internet.

However during a short scan of the Internet, researchers detected over 250,000 vulnerable devices and 8,5 million devices that have a vulnerable port open.

Which Cisco devices are affected:

The vulnerability was proven to work on the following devices: Catalyst 4500 Supervisor Engines, Cisco Catalyst 3850 Series Switches, and Cisco Catalyst 2960 Series Switches.

And here are all devices that may fall into the Smart Install Client type and can be considered potentially vulnerable:

Cisco’s reaction:

The original researchers reached Cisco with their finding before going public with it and the vendor had enough time to patch their software. Official releases after March have been patches against the vulnerability and available for download.

How does the attack work?

The attackers send a large number of very small requests from a high-bandwidth pipe behind ISP(s), that allow ip spoofing, destined at a large list of publicly accessible application servers. The attacker is spoofing the source IP on all these requests to the target public IP address. All servers are made to respond with much larger packets to the requests, wrongfully directing all that traffic towards the unsuspecting target. The idea is to cripple either the target server/device or to congest its internet pipe, both causing Denial of Service.

How to determine if your device is affected:

Issue the following command:

show vstack config

If the output shows that SmartInstall is enabled then proceed with the checks

Check your current running software versions

show version

Use a Cisco official tool to check the vulnerabilities on your Cisco IOS/XE via the following link:

https://tools.cisco.com/security/center/softwarechecker.x

General recommendations:

Resources:

https://thehackernews.com/2018/04/cisco-switches-hacking.html

https://embedi.com/blog/cisco-smart-install-remote-code-execution/

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-smi2

History:

In the last months and years we have seen multiple DDoS attacks based on amplification techniques (DNS, NTP, Chargen, SSDP)

A new amplification attack was spotted in the last week of February (25th – 27th of February).

It is, by far, the strongest amplification attack we had and it is based on the Memcached protocol running on UDP port 11211.

Sources at CloudFlare state the attack reached 257Gbps.

Why the Memcached Protocol?

The answer is simple, it supports UDP which is stateless (which is necessary for amplification attacks), it lacks any form of authentication, and when it turns out it provides excellent ratio in amplification (the difference between the size of the trigger packet and the response).

Amplification ratio in the attack was around x10000 times but the protocol itself is capable of x51200.

The attack stats detected on CloudFlare show UDP datagrams with 1400B size. The number of packets peaked to 23Mpps which measures to the reported total 257Gbps of bandwidth. And that is a lot, it can cause very serious outages.

How does an amplification attack work and how it can be prevented?

To successfully lunch an amplification attack you need 3 components:

  1. Capability to spoof IP packets, meaning access to a high-bandwidth pipe on ISP that does not do a solid job in securing anti-spoofing
  2. Application/Protocol that is amplification friendly – UDP based, no authentication, protocol allowing large responses to be created based on small requests
  3. Reflector servers running a suitable protocol – These are servers that are reachable from Internet and that are going to respond to requests

How does the attack work?

The attackers send a large number of very small requests from a high-bandwidth pipe behind ISP(s), that allow ip spoofing, destined at a large list of publicly accessible application servers. The attacker is spoofing the source IP on all these requests to the target public IP address. All servers are made to respond with much larger packets to the requests, wrongfully directing all that traffic towards the unsuspecting target. The idea is to cripple either the target server/device or to congest its internet pipe, both causing Denial of Service.

How can Amp Attacks be prevented?

If any of the three components outlined above is not available, then there is no way to perform a successful Amplification attack.

Simple steps can make a bit difference.

  1. ISP should always adhere to the strict anti-spoofing rules and allow outbound traffic only from sources belonging to their IP ranges.
  2. Developers should think about security when creating new applications and protocols. UDP should be avoided unless low-latency is needed, and if UDP is used, the protocol should have some form of authentication and should never allow a reply to a request ratio bigger than 1. Meaning all replies should be smaller or equal to the request that generate them.
  3. Administrators should correctly “firewall” their servers and allow access to the services to whomever needs them; and not the whole Internet. Certain types of responses might be blocked from within the application or at Firewall level.

Related articles:

https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/

Malware is evolving constantly. The threat landscape is so dynamic that yesterday’s news is not news today. The malware business is a full-blown industry that can easily size up with the IT security industry.

Recent major security breaches:

NiceHash, the largest Bitcoin mining marketplace, has been hacked, which resulted in the theft of more than 4,700 Bitcoins worth over $57 million (at the time of breach) – more than 70 million now. The breach is reported to have happened via vulnerability on their website.

Teamviewer vulnerability – critical vulnerability discovered in the software that could allow users sharing a desktop session to gain complete control of the other’s PC without permission.

By using naked inline hooking and direct memory modification, in addition, the PoC allows users to harness control of the mouse without altering settings and permissions.

Uber – Uber’s October 2016 data breach affected some 2.7 million UK users, it has now been revealed. Uber did not disclose until now and paid a ransom (100k USD). Lawsuits to follow. Information held by a third-party cloud service provider used by Uber was accessed by the two hackers.

PayPal subsidiary breach – ID Theft for 1.6 Million Customers. PayPal Holdings Inc. said that a review of its recently acquired company TIO Networks showed evidence of unauthorized access to the company’s network, including some confidential parts where the personal information of TIO’s customers were stored.

Numerous unidentified security vulnerabilities were found in the platform (bugs that lead to security related vulnerabilities). Evidence of a breach discovered. Forensics are under way.

Equifax – breach allowed 15.2 million UK records to be made public (and 145 Million US records). Bad guys used a known vulnerability in an internet accessible service for initial penetration.

Recent Apple Root vulnerability – Any Mac system running macOS High Sierra 10.13.1 or 10.13.2 beta was vulnerable. There was no real exploit, you just typed root for username and keep the password empty and keep pressing enter and after several tries you are logged in with root rights.  A logic error existed in the validation of credentials or simply a bug.

Malware

Making malware today has become more available. Malware development processes does not differentiate much from any software development, people use online available sources for much of the code, and will combine it together to their liking and purpose. A lot of the bad guys would also release the code for their creations which can later be changed and further modified (example Petya and NotPetya). Even code stolen from the government cyber agencies is now used in modern malware (example EternalBlue use in multiple malware as a way of effective horizontal spread – used in WannaCry).

Another typical trend in malware these days is to be modular. It will install and run multiple services on the infected host in specific order after the initial infection.

1st stage – there is always the initial infection – usual methods here are unpatched vulnerability of a running service or in the cases of more advanced malware – the use of Zero-Day vulnerability. Example here is the EternalBlue exploit of the SMBv1 service. Usually the delivery of the exploit is via Internet on accessible services or once inside the organization, horizontally meaning within the internal networks of the organization. That stage ends with having temporary access to the system and dropping off the malware in questions

2nd stage – privilege escalation – will try to gather credentials from the infected device in different ways – cracking the specific files on the system that holds the accounts, trying to locate account information on the local drives, or even brute-forcing credentials. These credentials will be leveraged for either privilege escalation on that machine or access to other similar machines on the network and infecting them.

3rd stage – installing a backdoor. Making sure the access is permanent

4th stage – doing the job. Downloading all necessary pieces of malware to finish the job.  If that is a crypto virus it will download the tools to encrypt the sensitive files, also change desktop or even download application to show the user the ransom note, a tool to clean keys and traces of the encryption etc.

5th stage – spread, can be done again by using vulnerable services within the organization or by leveraging any credentials that are discovered in the privilege escalating process and using legit sys admin management channels such as WMI and PSExec. Sometimes the spread can be done before or simultaneously with the 4th stage as not to warn the organization of its presence before it managed to infect multiple systems.

Types of malware:

It is very hard to categorize malware these days. Most traditional classification such as: virus, worm, trojan, backdoor does not really cut it anymore as most modern malware shares the features of all of them (again example WannaCry, it is a virus, it is a worm as it spreads itself and it is a backdoor as it does install a hidden unauthorized way into the compromised system, and on top of that does encryption).

Ransomware – attacks aimed at making money by forcing victims to pay for accessing again their personal files

DDoS attacks – attacks aimed at crippling or disabling services at the victim

Attacks aimed at stealing sensitive information – attacks aimed at spying on users and gathering sensitive data – credentials, S/N, banking details, impersonating info (DOB etc.), private communications etc

Zombie/Botnet – attacks that rely on the collective resources of multiple compromised hosts that are managed by a central C&C (command and control). Can be used for multiple things, DDoS, span relay, stealing sensitive information from users

APT attacks – Advanced Persistent Attacks. Specially crafted attacks, usually used in nation-state cyber activities. Example could be the attack versus Iranian Nuclear Program

IoT related attacks – again these blur with other, as normally the compromised IoT devices are used for other kind of attacks (DDoS). This kind of IoT are very typical these days, the IoT devices are cheap network connected devices that were not designed with security in mind. The Mirai attack was a shining example on how powerful attacks can be executed using a Botnet of compromised IoT devices (DYN case). Furthermore, the number of IoT will continue to grow.

Mobile devices – attacks that are specific for mobile devices, most dangerous ones are compromised apps that go under the radar and give away sensitive information from the smart phone (ID theft, or sell personal info to ad companies, or steal financial data (credit card info etc.)). There are no such thing as free apps, they steal data from you and use it in illegal way to monetize it and make profit.

Phishing / Spear-Headed Phishing – Becoming more and more popular, bad actors will put in the effort now to get to know the victim so they can deliver the malware content in a shape and form that is interesting to the target

Some top Cyber Security Trends:

  1. Less number of security breaches (due to more investments in in IT Security) reported globally but more impact upon breach.
  2. More time is needed for the detection of breached (average time in 2016 was 80.6 days, in 2017 it is 92.2 days)
  3. Predictions of crime damage costs to sky rocket in the next 3 years (by 2021) to 6 Trillion USD
  4. Successful phishing and ransomware attacks are climbing
  5. Global ransomware damage cost estimated to exceed 5 Billion USD by the end of 2017

Data was gathered by CSO 2017 Cyber Security report (csoonline.com)

Summary of the evolution of Security Controls

Advanced IPS systems have replaced the traditional status firewalls. They incorporate multiple security technologies (signatures, behavior analytics, heuristics, sandboxing, central intelligence feeds etc.), to be able to successfully detect intrusion events and malware.

Logging and alerting are hugely important for each organization to be able to both proactively secure your network but in case of a breach to re-actively do forensics

DLP is becoming more popular as numerous breaches that year were connected to leaked sensitive information (ID theft in the Equifax and Uber)

The focus of the security has shifted in the recent years from the network to the endpoint. Network and endpoint security controls should collaborate to create a strong security posture for your organization

Security has become closely connected to intelligence. All major security vendors syphon off as much data from the internet as they can just, so they can filter through it in a strive to find first the zero-day exploits and provide first adequate protection for their customers. All parts of the network infrastructure can be used as sensors and deliver intelligence data to a centralized place that provides the analysis (big data).

A new malware Nyetya (combination of words from Nye Petya, meaning NOT Petya), also known as Petrwrap and GoldenEye has been spreading globally over the last 24 hours.

This virus is distinct from WannaCry and other initially suspected variants, it has some unique new features which makes it harder to detect and defend against, clearly showing that today’s malware landscape is an evolving space. This rapidly changing threat landscape has a number of factors including; leaked tools from government agencies, more advanced security controls that require advanced malware (the cat and mouse game) or just because attackers are more determined and more capable.

Other popular researchers (links below) say Nyetya is more of a nation (state) attack towards a specific country (Ukraine) that is disguised as ransomware so its true nature would remain hidden in the shadow of recent WannaCry ransomware.

Some Characteristics of Nyetya and why it is different

  1. There is recent research that showed Nyetya, despite having major resemblance to Petya ransomware, in fact does not keep a copy of the encrypted MTL (Master File Table) and MBR (Master Boot Record) that it replaces with the random note. That means that even in the case that the user gets its decryption keys there is nothing to decrypt. This behavior resembles specific type of malware called Wiper Malware. All machines that are infected cannot be recovered. Also, the email for contract with the attackers is now disabled so there is no possibility for getting the decryption keys. Obviously, the attackers have not intended to milk the ransom and get rich for their efforts.
  2. It encrypts the master boot record, which makes the whole system unusable and causes more damage. Previous crypto viruses (ransomware) were encrypting specific file extensions
  3. It does not use a common attack vector from the Internet

It does not infect by scanning ports for vulnerable services, nor uses phishing (mails with crafted content with specific covert malware links), nor file attachments or web sites that host malicious content. Instead the initial way in was via an update in a polular accounting software in Ukraine (called MeDoc). The software was tricked into auto-updating with a malicious file (Perfc.dat). Once it is inside it uses the Eternal Blue (SMBv1) exploit to spread (same as WannaCry) but also two other administrative tools (PSexec and WMI) which in general are valid and legitimate tools used inside a network. The use of these tools would not raise any alarms on network security controls. The malware is capable of stealing the current user’s token and use it to distribute itself to other devices via PSexec (still unclear how it is able to steal the token) or again to steal the current user credentials and use them via WMI.

  1. No external Internet scans

There is no evidence of external scans (from the internet) in order to locate unpatched SMB services. The only scans that the virus conducts are horizontal, once it is inside the protected network. That makes the virus very hard to detect as most organisations do not have visibility within their network for such activity

  1. No Command and Control functionality

The virus does not use C&C so any reputation based security controls cannot detect it. IP addresses/domains reputation is widely used to detect zero-day attacks and to monitor the spread of the virus. That does not seem feasible protection from Nyetya

  1. Special attention has been paid to cleaning up any remaining data and logs

All of these unique characteristics point to the fact that cyber criminals have changed their tactics (after the failure of WannaCry due to the incidental but timely discovery of the killswitch) and want the malware spread to be as stealthy as possible.

Protecting yourself from the attack

A short summary of techniques necessary to protect against the attacks are listed below. These cannot be undertaken in isolation and it is assumed that good security practices are already in place such as disaster recovery strategy as well security control such anti-malware controls.

  1. Patch your systems (MS17-010 should be applied), close off any SMBv1 services (disable)
  2. Do not use admin/elevated privileged accounts for normal users
  3. Monitor your network and endpoints for PSexec and WMI communication and try to establish if that is valid communication (could be based on which one the administrators use and also the time of the day)
  4. Monitor your internal network segments using an IDS/IPS

Which type of network security controls are best suited to discover and prevent malware spread?

While other forms of malware attack may have been stopped by reputation based or email and web security controls, neither would have been effective in this instance. An essential tool in the armoury of security controls is endpoint security such as Cisco AMP for Endpoints, which actively analyse the behaviour of executable files on the system and perform sandboxing.

IDS/IPS network controls are able to catch lateral scans and spread via SMBv1 exploit only if they can see the traffic (actively monitoring traffic on the same logical domain).  The most common IDS/IPS deployment model is on the Internet edge, as this malware does not use external scans or gets distributed via normal Internet related channels (mail and web) these controls are not effective.

Following general security best practises is also beneficial – having backup of important systems/files, having proper application visible monitoring on the network and trying to detect unusual behavior, that of course requires both the tools and the people (analyst).

Used materials:

http://blog.talosintelligence.com/2017/06/worldwide-ransomware-variant.html

http://thehackernews.com/2017/06/petya-ransomware-wiper-malware.html

https://www.wired.com/story/petya-ransomware-ukraine/

© 4CornerNetworks - Website by Roslin Design
4CornerNetworks is the trading name of 4CornerNetworks Ltd
Registered Address: 27 The Mount, Rickmansworth, Hertfordshire WD3 4DW
Company Registration Number: 07920761
Registered in England
chevron-down