- Computer Attack -

Last update 09.10.2017 12:41:24




Backdoor Attacks From Windigo Operation Still Active
1.11.2017 securityweek
Attack
Windigo, a malicious operation uncovered over three years ago, continues to be active despite a takedown attempt in 2014 and the sentencing of one conspirator in August 2017.

At the core of Windigo was Linux/Ebury, an OpenSSH backdoor and credential stealer that was estimated to have infected over 25,000 servers worldwide during a two and a half year period prior to the botnet’s discovery. The systems were being abused to steal credentials, redirect web traffic to malicious sites, and send in excess of 30 million spam messages a day.

The operation was uncovered by ESET researchers who worked together with CERT-Bund, the Swedish National Infrastructure for Computing, and other agencies to take it down. In 2015, Finnish authorities apprehended Maxim Senakh, one of the conspirators behind the operation. He was extradited to the United States last year and sentenced to 46 months in federal prison in August this year.

While security researchers did notice a significant drop in the Windigo activity related to the web traffic redirection following Senakh’s arrest, the malicious operation was not put to rest completely, and the Ebury backdoor has evolved, ESET warns.

A new version of the malware, discovered in February this year, shows that its authors focused on evasion and on improving the botnet's resilience against takeover attempts. The malware also packs a new mechanism to hide its files on the filesystem, the researchers discovered.

The malware continues to use a domain generation algorithm (DGA) for data exfiltration if the operator hasn’t connected to the infected system via the OpenSSH backdoor for three days, but changes were made to the DGA itself, ESET reveals.

Ebury now includes self-hiding techniques the researchers refer to as a “userland rootkit.” To that end, the malware hooks the readdir and readdir64 functions, which are used to list directory entries. If the next directory entry to be returned is the Ebury shared library file, the hook skips it and returns the subsequent entry instead.

To activate the hooks, Ebury injects its dynamic library into every descendant process of sshd. Thus, Ebury’s dynamic library is loaded when the new process is executed, and the malware’s constructor is called, executing the hooking routines.
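The readdir hook described above only fools callers that go through libc. As an added example (not ESET's tooling and not code from the Ebury samples), the script below lists a directory twice, once via os.listdir, which uses libc's readdir, and once via the raw getdents64 syscall issued through ctypes, and reports any name the kernel returns that libc did not. It assumes Linux and the per-architecture getdents64 syscall numbers given in the code; the sample directory and its fake libkeyutils file are constructed fixtures.

```python
"""Cross-check a directory listing from libc against the raw getdents64 syscall.

A userland rootkit that hooks readdir()/readdir64() can hide a file from
os.listdir(), which goes through libc, but not from a getdents64 syscall
issued directly. Names present in the raw listing but absent from the libc
listing deserve a closer look. Linux only.
"""
import ctypes
import os
import platform
import struct
import tempfile

# getdents64 syscall numbers per architecture (Linux); extend as needed.
_GETDENTS64 = {"x86_64": 217, "i686": 220, "i386": 220, "aarch64": 61,
               "armv7l": 217, "riscv64": 61}

_libc = ctypes.CDLL(None, use_errno=True)
_libc.syscall.restype = ctypes.c_long


def raw_listdir(path):
    """Enumerate directory entries with getdents64, bypassing libc's readdir()."""
    machine = platform.machine()
    if machine not in _GETDENTS64:
        raise OSError("no getdents64 syscall number known for " + machine)
    nr = _GETDENTS64[machine]
    fd = os.open(path, os.O_RDONLY | os.O_DIRECTORY)
    names = set()
    buf = ctypes.create_string_buffer(32768)
    try:
        while True:
            n = _libc.syscall(ctypes.c_long(nr), ctypes.c_int(fd),
                              buf, ctypes.c_uint(len(buf)))
            if n < 0:
                raise OSError(ctypes.get_errno(), "getdents64 failed")
            if n == 0:
                break
            data = buf.raw[:n]
            off = 0
            while off < n:
                # struct linux_dirent64: u64 d_ino, s64 d_off, u16 d_reclen,
                # u8 d_type, then the NUL-terminated d_name (19 bytes in).
                _ino, _doff, reclen, _dtype = struct.unpack_from("=QqHB", data, off)
                start = off + 19
                end = data.index(b"\0", start)
                name = data[start:end].decode("utf-8", "surrogateescape")
                if name not in (".", ".."):
                    names.add(name)
                off += reclen
    finally:
        os.close(fd)
    return names


def find_hidden_entries(path):
    """Names the kernel returns that libc's readdir()-based listing omits."""
    return raw_listdir(path) - set(os.listdir(path))


def make_sample_dir():
    """Constructed fixture: a scratch directory with a library-looking file."""
    d = tempfile.mkdtemp(prefix="hookcheck-")
    with open(os.path.join(d, "libkeyutils.so.1.9"), "wb") as f:
        f.write(b"\x7fELF placeholder, not a real library\n")
    return d


if __name__ == "__main__":
    # Library directories are where an injected Ebury-style .so would live.
    for target in ("/lib", "/lib64", "/usr/lib"):
        if os.path.isdir(target):
            hidden = find_hidden_entries(target)
            print(target, "hidden entries:", sorted(hidden) or "none")
```

On a clean host the two listings agree and the script prints "none" for every directory; a non-empty difference means something between the kernel and the process is filtering directory entries.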

In addition to being Linux-distribution-specific, earlier versions of the backdoor used to work only on very specific versions of OpenSSH, but the newer version replaced the OpenSSH patching routines with function hooking. Thus, the researchers were able to execute the malware on multiple Linux distributions.

The threat also features a hardened backdoor mechanism that no longer relies on a password encoded in the SSH client version string. Now, the backdoor’s activation requires a private key to authenticate, an extra check supposedly added to prevent unauthorized use of Ebury-compromised servers.

The new version of Ebury features new installation methods, the security researchers discovered. Just as previous versions, the malware adds the payload inside the libkeyutils.so library, but does it differently than before, and also has different deployment scripts and techniques based on the Linux distribution running on the targeted system.

“Ebury now uses self-hiding techniques and new ways to inject into OpenSSH related processes. Furthermore, it uses a new domain generation algorithm (DGA) to find which domain TXT record to fetch. The exfiltration server IP address is concealed in these data, signed with the attackers’ private key. An expiration date was added to the signed data to defend against signature reuse, thus mitigating potential sinkhole attempts. Windigo’s operators regularly monitor publicly shared IoCs and quickly adapt to fool available indicators,” ESET concludes.


Industrial Products of many vendors still vulnerable to KRACK attack
30.10.2017 securityaffairs
Attack

Many industrial networking devices from various vendors are still vulnerable to the recently disclosed KRACK attack (Key Reinstallation Attack).
Many industrial networking devices are vulnerable to the recently disclosed KRACK attack (Key Reinstallation Attack), including products from major vendors such as Cisco, Rockwell Automation, and Sierra Wireless.

A few weeks ago, researchers discovered several key management flaws in the core of the Wi-Fi Protected Access II (WPA2) protocol that could be exploited by an attacker to break into a Wi-Fi network and eavesdrop on Internet communications, stealing sensitive information (i.e. credit card numbers, passwords, chat messages, emails, and pictures).

Below is the full list of vulnerabilities discovered in the WPA2 protocol:

CVE-2017-13077: Reinstallation of the pairwise encryption key (PTK-TK) in the 4-way handshake.
CVE-2017-13078: Reinstallation of the group key (GTK) in the 4-way handshake.
CVE-2017-13079: Reinstallation of the integrity group key (IGTK) in the 4-way handshake.
CVE-2017-13080: Reinstallation of the group key (GTK) in the group key handshake.
CVE-2017-13081: Reinstallation of the integrity group key (IGTK) in the group key handshake.
CVE-2017-13082: Accepting a retransmitted Fast BSS Transition (FT) Reassociation Request and reinstalling the pairwise encryption key (PTK-TK) while processing it.
CVE-2017-13084: Reinstallation of the STK key in the PeerKey handshake.
CVE-2017-13086: Reinstallation of the Tunneled Direct-Link Setup (TDLS) PeerKey (TPK) key in the TDLS handshake.
CVE-2017-13087: Reinstallation of the group key (GTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame.
CVE-2017-13088: Reinstallation of the integrity group key (IGTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame.

The above vulnerabilities affect products from tens of vendors, and some of them are already working to fix the problems. Rockwell Automation recently announced that it has patched its Stratix wireless access point against the KRACK vulnerability, while Microsoft addressed the issue in its October 2017 Patch Tuesday.

Sierra Wireless issued a security advisory to inform customers that many of its products, including access points and client devices, are affected by the vulnerabilities. The vendor plans to release security updates over the coming months. Siemens is still assessing its products for vulnerable devices.


WPA2 implementations in some industrial communications products are affected, exposing those industrial devices to the KRACK attack.

Cisco confirmed that its access points and other wireless infrastructure components are affected only by CVE-2017-13082.

Cisco published a security advisory to confirm that many products, including Cisco 829 Industrial Integrated Services routers and Industrial Wireless 3700 series access points, are affected by multiple vulnerabilities in Wi-Fi Protected Access and Wi-Fi Protected Access II.

“Among these ten vulnerabilities, only one (CVE-2017-13082) may affect components of the wireless infrastructure (for example, Access Points), the other nine vulnerabilities affect only client devices.
Multiple Cisco wireless products are affected by these vulnerabilities.” states the security advisory.

“Cisco will release software updates that address these vulnerabilities. There are workarounds that address the vulnerabilities in CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, and CVE-2017-13082. There are no workarounds for CVE-2017-13086, CVE-2017-13087, and CVE-2017-13088.”

Cisco still hasn’t released security updates for the vulnerable industrial products, however, the tech giant suggested workarounds for some of the flaws.


Industrial Products Also Vulnerable to KRACK Wi-Fi Attack
27.10.2017 securityweek 
Attack
Some industrial networking devices are also vulnerable to the recently disclosed KRACK Wi-Fi attack, including products from Cisco, Rockwell Automation and Sierra Wireless.

KRACK, or Key Reinstallation Attack, is the name assigned to a series of vulnerabilities in the WPA2 protocol, which secures modern Wi-Fi networks. The flaws can allow an attacker within range of the targeted device to read information that the user believes is encrypted and, in some cases, possibly even inject and manipulate data (e.g. inject malware into a website).

The vulnerabilities are tracked as CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13084, CVE-2017-13086, CVE-2017-13087 and CVE-2017-13088. The security holes have been confirmed to affect products from tens of vendors, but many of them have already started releasing patches.

Since a majority of WPA2 implementations are affected, it’s not surprising that some industrial communications products are also exposed to KRACK attacks.

Cisco pointed out that of the ten KRACK flaws, only CVE-2017-13082 affects access points and other wireless infrastructure components, while the rest impact client devices.

In the case of Cisco, many of the company’s products are affected, including Cisco 829 Industrial Integrated Services routers and Industrial Wireless 3700 series access points. The networking giant has yet to release patches for the vulnerable industrial products. However, workarounds are available for six of the flaws.


According to an advisory from ICS-CERT, Rockwell Automation is working on releasing a firmware update for its Stratix 5100 Wireless Access Point/Workgroup Bridge. These industrial devices are used worldwide in the critical manufacturing, energy, and water sectors.

Devices running version 15.3(3)JC1 and earlier are impacted by CVE-2017-13082. Until patches become available, Rockwell has advised customers to take steps to prevent potential attacks, including limiting access to control systems, and ensuring that software is patched, security products are deployed and untrusted websites are not accessed.

Sierra Wireless has also released an advisory to inform customers that a dozen of its products, including access points and client devices, are affected by the vulnerabilities. The company has promised to release patches over the coming months.

The list of affected Sierra Wireless devices includes industrial products such as the FX30 rugged gateway and the AirLink MP70 router.

Siemens has yet to publish an advisory regarding the impact of KRACK on its products, but the company did say that its experts are investigating the flaws.


DUHK Attack Lets Hackers Recover Encryption Key Used in VPNs & Web Sessions
25.10.2017 thehackernews 
Attack

DUHK — Don't Use Hard-coded Keys — is a new 'non-trivial' cryptographic implementation vulnerability that could allow attackers to recover encryption keys that secure VPN connections and web browsing sessions.
DUHK is the third crypto-related vulnerability reported this month after KRACK Wi-Fi attack and ROCA factorization attack.
The vulnerability affects products from dozens of vendors, including Fortinet, Cisco, TechGuard, whose devices rely on ANSI X9.31 RNG — an outdated pseudorandom number generation algorithm — 'in conjunction with a hard-coded seed key.'
Before being removed from the list of FIPS-approved pseudorandom number generation algorithms in January 2016, ANSI X9.31 RNG had been included in various cryptographic standards over the last three decades.
Pseudorandom number generators (PRNGs) don't generate truly random numbers at all. A PRNG is a deterministic algorithm that produces a sequence of bits from initial secret values, called the seed, and its current state; given the same initial values, it always generates the same sequence of bits.
Some vendors store this 'secret' seed value hard-coded into the source code of their products, leaving it vulnerable to firmware reverse-engineering.
Discovered by cryptography researchers — Shaanan Cohney, Nadia Heninger, and Matthew Green — DUHK, a 'state recovery attack,' allows man-in-the-middle attackers, who already know the seed value, to recover the current state value after observing some outputs.
With both values in hand, attackers can then re-calculate the encryption keys, allowing them to recover encrypted data that could 'include sensitive business data, login credentials, credit card data and other confidential content.'
"In order to demonstrate the practicality of this attack, we develop a full passive decryption attack against FortiGate VPN gateway products using FortiOS version 4." researchers said.
"Our scans found at least 23,000 devices with a publicly visible IPv4 address running a vulnerable version of FortiOS."
Here below you can check a partial list (tested by researchers) of affected devices from various vendors:
The security researchers have released a brief blog post and technical researcher paper on a dedicated website for DUHK attack.


DUHK Attack allows attackers recover encryption keys used to secure VPN connections and web browsing sessions
25.10.2017 securityaffairs
Attack

DUHK is a vulnerability that allows attackers to recover secret encryption keys used to secure VPN connections and web browsing sessions
After the disclosure of the KRACK and ROCA attacks, another attack scenario is scaring the IT community: the DUHK vulnerability (Don’t Use Hard-coded Keys), the latest cryptographic implementation vulnerability that could be exploited by attackers to recover encryption keys used to secure VPN connections and web browsing sessions.

The DUHK vulnerability was reported by the cryptography researchers Shaanan Cohney, Nadia Heninger, and Matthew Green.

The researchers have published technical details about the attack on a dedicated website.

“DUHK (Don’t Use Hard-coded Keys) is a vulnerability that affects devices using the ANSI X9.31 Random Number Generator (RNG) in conjunction with a hard-coded seed key.” wrote the researchers.

“The ANSI X9.31 RNG is an algorithm that until recently was commonly used to generate cryptographic keys that secure VPN connections and web browsing sessions, preventing third parties from reading intercepted communications.”

The DUHK vulnerability affects a wide range of products from dozens of vendors, including CISCO, Fortinet, and TechGuard. The vulnerability affects every device that relies on the outdated pseudorandom number generation algorithm ANSI X9.31 RNG ‘in conjunction with a hard-coded seed key.’

The bad news is that the ANSI X9.31 RNG was included in several cryptographic standards over the last three decades, until January 2016, when it was removed from the list of FIPS-approved pseudorandom number generation algorithms.

The problem stems from the fact that pseudorandom number generators do not generate truly random numbers: knowledge of the initial secret value (the seed) can be used to determine the numbers the algorithm generates.

Unfortunately, some vendors store the seed value hard-coded in the source code of their solutions. An attacker can obtain the seed by reverse-engineering the product.

DUHK is described as a ‘state recovery attack’: an attacker who knows the seed value can mount a man-in-the-middle attack to recover the current state value after observing some outputs.

Attackers can then use the values to re-calculate the encryption keys and decrypt data potentially exposing sensitive data, including login credentials, credit card data, and other confidential information.

“In order to demonstrate the practicality of this attack, we develop a full passive decryption attack against FortiGate VPN gateway products using FortiOS version 4.” researchers said.

“Our scans found at least 23,000 devices with a publicly visible IPv4 address running a vulnerable version of FortiOS.”

Below a partial list of affected devices tested by the researchers:


Further technical details are included in the paper “Practical state recovery attacks against legacy RNG implementations.”


VPN, Web Sessions Exposed to DUHK Crypto Attack
24.10.2017 securityweek
Attack
A vulnerability in the outdated ANSI X9.31 random number generator (RNG) can allow attackers to recover encryption keys and read data passing through VPN connections and encrypted web browser sessions, researchers warned.

The vulnerability has been dubbed DUHK (Don’t Use Hard-coded Keys) and it has been found to affect the products of at least a dozen vendors. The issue was discovered by cryptography experts Shaanan Cohney, Nadia Heninger, and Matthew Green.

ANSI X9.31 is a pseudorandom number generator that was standardized in 1985 and it was compliant with the Federal Information Processing Standards (FIPS) requirements until January 2016. The RNG relies on a static key to generate random numbers and that key must remain secret in order for the system to be secure.

However, some companies implemented X9.31 with a static key that has been stored directly in the source code of the product. This allows an attacker to obtain the key from the application’s source code or binary and use it to decrypt communications associated with that product.

In some cases, an attacker may be able to recover the private key in just a few seconds via the DUHK attack, which works only if the RNG is used directly to generate crypto keys and if the attacker can obtain some of the generated numbers.

The weakness has been known since 1998, but neither NIST nor entities involved in the FIPS standardization process specified a method for securely generating the key.

An analysis of hundreds of products that implemented the X9.31 RNG revealed that 12 of them had used static hardcoded keys in the source code, leaving their users vulnerable to attacks.

The list of affected products included the BeCrypt Cryptographic Library, Cisco Aironet, DeltaCrypt FIPS Module, Fortinet’s FortiOS, MRV Communications’ LX-4000T/LX-8020S, Neoscale’s CryptoStor, Neopost’s Postal Security Devices, Renesas’ AE57C1, TechGuard’s PoliWall-CCF, Tendyron’s OnKey193, ViaSat’s FlagStone Core, and the Vocera Cryptographic Module. Many of the affected vendors have since removed the use of X9.31 from their products.

The researchers tested the practicality of the attack method against Fortinet’s FortiGate VPN gateway products, which run the FortiOS operating system. An Internet scan conducted this month showed that there are more than 25,000 Fortinet devices that are vulnerable and exploitable.

“And this count is likely conservative, since these were simply the devices that bothered to answer us when we scanned. A more sophisticated adversary like a nation-state would have access to existing VPN connections in flight,” Green explained in a blog post.

The vulnerability affects Fortinet devices running FortiOS versions 4.3.0 through 4.3.18. The vendor addressed the issue, which it tracks as CVE-2016-8492, last year with the release of versions 4.3.19 and 5.0.

There is no evidence of DUHK attacks in the wild and the researchers who discovered the flaw say they don’t plan on releasing any code used in their implementation of the method.

Furthermore, while the actual key recovery might be easy, a real-world attack exploiting this vulnerability is difficult to conduct. However, the flaw could be highly useful for a state-sponsored actor such as the NSA, which has far greater capabilities compared to the average threat group. It’s also worth mentioning that the attack is passive so it would not be easy to detect, researchers said.

A few years ago, the NSA was accused of promoting the use of the backdoored Dual Elliptic Curve Deterministic Random Bit Generator (Dual EC DRBG). However, experts have now pointed out that Dual EC was not as widely used as X9.31.


Locky Uses DDE Attack for Distribution
21.10.2017 securityweek
Attack
While continuing to spread via spam emails sent by the Necurs botnet, the Locky ransomware has switched to new attack techniques in recent campaigns, in an attempt to evade detection and improve the infection rate.

One of the methods involves the use of the Dynamic Data Exchange (DDE) protocol, which has been designed to allow Windows applications to transfer data between them. Consisting of a set of messages and guidelines, it uses shared memory to exchange data between applications.

Malicious actors found a way to use DDE with Office documents and automatically run malware without the use of macros. DDE, which allows an Office application to load data from another Office application, was replaced by Microsoft with Object Linking and Embedding (OLE), but continues to be supported.

The technique was previously observed being employed by the FIN7 hacking group in recent DNSMessenger malware attacks, and Internet Storm Center (ISC) handler Brad Duncan says it could also be associated with a Hancitor malware campaign spotted earlier this week.

Now, Duncan reveals that Locky too has adopted the use of Office documents and DDE for infection. Delivered through spam emails originating from Necurs, the documents were attached to messages posing as invoices.

The analyzed attack used a first-stage malware that achieved persistence on the compromised system. The Locky binary, on the other hand, was deleted post-infection.
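DDE fields live in the document's WordprocessingML as field codes, which gives defenders something to scan for before an attachment ever reaches Word. The following is an added example, not code from ISC, Trend Micro or the campaign itself: it walks every word/*.xml part of a .docx, reassembles each field instruction (DDE fields are sometimes split across several instrText runs, which defeats a naive per-run string match) and flags those starting with DDE or DDEAUTO. The two sample documents (MALICIOUS_XML, BENIGN_XML) are constructed in memory and the flagged command is a placeholder path, not a real payload.

```python
"""Scan a .docx for DDE/DDEAUTO field instructions.

Word stores field codes either as the w:instr attribute of <w:fldSimple> or
as <w:instrText> runs between <w:fldChar> begin/separate markers. A field
code may be spread over several runs, so the runs of one field are joined
before matching.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"
DDE_RE = re.compile(r"^\s*(DDEAUTO|DDE)\b", re.IGNORECASE)


def field_instructions(xml_bytes):
    """Yield each complete field instruction found in one WordprocessingML part."""
    root = ET.fromstring(xml_bytes)
    # Simple fields carry the whole instruction in an attribute.
    for fs in root.iter(W + "fldSimple"):
        yield fs.get(W + "instr", "")
    # Complex fields: fldChar begin, instrText runs, fldChar separate/end.
    current = None
    for el in root.iter():
        if el.tag == W + "fldChar":
            kind = el.get(W + "fldCharType")
            if kind == "begin":
                current = []
            elif kind in ("separate", "end") and current is not None:
                yield "".join(current)
                current = None
        elif el.tag == W + "instrText" and current is not None:
            current.append(el.text or "")
    if current:  # unterminated field: still report what was collected
        yield "".join(current)


def find_dde_fields(docx_bytes):
    """Return (part name, normalised instruction) for every DDE field in the document."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            # document body, headers, footers, footnotes all live under word/
            if name.startswith("word/") and name.endswith(".xml"):
                for instr in field_instructions(z.read(name)):
                    if DDE_RE.match(instr):
                        hits.append((name, " ".join(instr.split())))
    return hits


def build_docx(document_xml):
    """Construct a minimal .docx container in memory (enough for the scanner)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", document_xml)
    return buf.getvalue()


_NS = 'xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"'

# Constructed sample: a DDEAUTO field whose code is split over two runs and
# whose visible text looks like an ordinary invoice. Placeholder path only.
MALICIOUS_XML = r"""<?xml version="1.0"?>
<w:document %s><w:body><w:p>
 <w:r><w:fldChar w:fldCharType="begin"/></w:r>
 <w:r><w:instrText>DDE</w:instrText></w:r>
 <w:r><w:instrText>AUTO c:\placeholder\app.exe "/hypothetical-argument"</w:instrText></w:r>
 <w:r><w:fldChar w:fldCharType="separate"/></w:r>
 <w:r><w:t>Invoice attached</w:t></w:r>
 <w:r><w:fldChar w:fldCharType="end"/></w:r>
</w:p></w:body></w:document>""" % _NS

# Constructed sample: ordinary DATE and PAGE fields, which must not be flagged.
BENIGN_XML = r"""<?xml version="1.0"?>
<w:document %s><w:body><w:p>
 <w:fldSimple w:instr=" DATE \* MERGEFORMAT "><w:r><w:t>2017-10-21</w:t></w:r></w:fldSimple>
 <w:r><w:fldChar w:fldCharType="begin"/></w:r>
 <w:r><w:instrText> PAGE </w:instrText></w:r>
 <w:r><w:fldChar w:fldCharType="end"/></w:r>
</w:p></w:body></w:document>""" % _NS


if __name__ == "__main__":
    print("malicious:", find_dde_fields(build_docx(MALICIOUS_XML)))
    print("benign:   ", find_dde_fields(build_docx(BENIGN_XML)))
```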

The use of DDE for infection, however, is only one of the methods Locky employs. As Trend Micro points out, Necurs also distributed the ransomware through HTML attachments posing as invoices, Word documents embedded with malicious macro code or Visual Basic scripts (VBS), malicious URLs in spam emails, and VBS, JS, and JSE files archived via RAR, ZIP or 7ZIP.

“The continuous changes in Locky’s use of file attachments are its way of adjusting its tools to evade or bypass traditional security. But despite the seeming variety, there are common denominators in Locky’s social engineering, particularly in the email subjects and content. They appear to have the same old flavors, but with relatively different twists,” the security researchers explain.

Recent Necurs-fueled distribution campaigns were also observed dropping the TrickBot banking Trojan via the same attachments carrying Locky.


Google to Offer Stepped-up Security For 'High Risk' Users
18.10.2017 securityweek
Attack
Google said Tuesday it would offer stronger online security for "high risk" users who may be frequent targets of online attacks.

The US technology titan said anyone with a personal Google account can enroll in the new "advanced protection," while noting that it will require users to "trade off a bit of convenience" for extra security.

"We took this unusual step because there is an overlooked minority of our users that are at particularly high risk of targeted online attacks," said a Google security blog post.

"For example, these might be campaign staffers preparing for an upcoming election, journalists who need to protect the confidentiality of their sources, or people in abusive relationships seeking safety."

Google will require these users to log into their accounts with a physical USB key which will be part of two-factor authentication, to guard against fraudulent access.

"An attacker who doesn't have your security key is automatically blocked, even if they have your password," the statement said.

Google will provide additional monitoring for these accounts and limit access to sensitive applications, aiming to protect against impersonation and "phishing" to gain access to an account.

"Sometimes even the most careful and security-minded users are successfully attacked through phishing scams, especially if those phishing scams were individually targeted at the user in question," the company said.

Phishing is the use of deception to gain confidential information such as usernames, passwords, bank account details and credit card numbers.

In one of the most highly publicized phishing attacks, Hillary Clinton's campaign chairman John Podesta gave up his password to a hacker, resulting in a series of embarrassing leaks during the 2016 presidential race.


Vendors Race to Fight KRACK Wi-Fi Attacks
17.10.2017 securityweek
Attack
Technology companies worldwide have released or are working on releasing patches to address the dangerous Wi-Fi vulnerabilities publicly disclosed this week.

Setting the stage for a new attack method called Key Reinstallation Attack, or KRACK, these vulnerabilities affect the Wi-Fi standard itself and potentially expose all Wi-Fi Protected Access II (WPA2) protocol implementations.

An attacker capable of exploiting the issues could steal sensitive information transmitted over Wi-Fi, including credit card numbers, passwords, chat messages, emails, photos, and more. All major operating systems, including Android, Linux, Apple, Windows, OpenBSD, MediaTek, Linksys, and others, are affected.

The good news, however, is that the attacker needs to be within range of an affected wireless access point, and that only data encrypted using the WPA2 protocol is exposed. Data encrypted using other standards, including HTTPS, TLS, and the like, should be safe from this attack.

What’s more, the Wi-Fi Alliance says that there is no evidence that the vulnerabilities have been exploited maliciously, and confirmed that a straightforward software update should resolve them. The industry organization has also already released a vulnerability detection tool for use by any Wi-Fi Alliance member.

As the US-CERT noted in its advisory, the issues affect the Wi-Fi standard itself, meaning that all correct implementations are exposed. Thus, there’s a general consensus of urgency among top vendors to address the bug through software updates, and some of them have already released patches.

Microsoft has already addressed the issue in its October 2017 patches and published an advisory on the matter. Apple is reportedly taking steps in this direction by including patches in the latest beta releases of macOS, iOS, tvOS, and watchOS.

Android 6.0 and above and Linux were said to be affected the most, with the attack being “exceptionally devastating” against them. While security updates have been released for Linux, Google seems determined to address the issue in the coming weeks, most likely with the November 2017 monthly Android patches.

The issue is being addressed in Debian, Fedora, Red Hat, and Ubuntu. Patches are available for OpenBSD as well, and are being prepared for the FreeBSD Project.

Intel has released an advisory listing all affected products, while Netgear has released fixes for some products and is working on updates for others. Cisco too has released patches for affected products, the same as Fortinet, MikroTik, Ubiquiti Networks, WatchGuard, and Aruba. Zyxel also confirmed that some of its products are affected.

The list of affected and potentially affected vendors is much more extensive than that, as US-CERT has revealed. Most of the vendors were notified of the vulnerabilities in late August, but it’s yet unclear how many of them are affected.


KRACK Demo: Critical Key Reinstallation Attack Against Widely-Used WPA2 Wi-Fi Protocol
17.10.2017 thehackernews 
Attack
Do you think your wireless network is secure because you're using WPA2 encryption?
If yes, think again!
Security researchers have discovered several key management vulnerabilities in the core of Wi-Fi Protected Access II (WPA2) protocol that could allow an attacker to hack into your Wi-Fi network and eavesdrop on the Internet communications.
WPA2 is a 13-year-old WiFi authentication scheme widely used to secure WiFi connections, but the standard has been compromised, impacting almost all Wi-Fi devices—including in our homes and businesses, along with the networking companies that build them.
Dubbed KRACK—Key Reinstallation Attack—the proof-of-concept attack demonstrated by a team of researchers works against all modern protected Wi-Fi networks and can be abused to steal sensitive information like credit card numbers, passwords, chat messages, emails, and photos.
Since the weaknesses reside in the Wi-Fi standard itself, and not in the implementations or any individual product, any correct implementation of WPA2 is likely affected.
According to the researchers, the newly discovered attack works against:
Both WPA1 and WPA2,
Personal and enterprise networks,
Ciphers WPA-TKIP, AES-CCMP, and GCMP
In short, if your device supports WiFi, it is most likely affected. During their initial research, the researchers discovered that Android, Linux, Apple, Windows, OpenBSD, MediaTek, Linksys, and others, are all affected by the KRACK attacks.
It should be noted that the KRACK attack does not help attackers recover the targeted WiFi's password; instead, it allows them to decrypt WiFi users' data without cracking or knowing the actual password.
So merely changing your Wi-Fi network password does not prevent (or mitigate) KRACK attack.

Discovered by researcher Mathy Vanhoef of imec-DistriNet, KU Leuven, the KRACK attack works by exploiting a 4-way handshake of the WPA2 protocol that's used to establish a key for encrypting traffic.
For a successful KRACK attack, an attacker needs to trick a victim into re-installing an already-in-use key, which is achieved by manipulating and replaying cryptographic handshake messages.
"When the victim reinstalls the key, associated parameters such as the incremental transmit packet number (i.e. nonce) and receive packet number (i.e. replay counter) are reset to their initial value," the researcher writes.
"Essentially, to guarantee security, a key should only be installed and used once. Unfortunately, we found this is not guaranteed by the WPA2 protocol. By manipulating cryptographic handshakes, we can abuse this weakness in practice."
The research [PDF], titled Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2, has been published by Mathy Vanhoef of KU Leuven and Frank Piessens of imec-DistriNet, Nitesh Saxena and Maliheh Shirvanian of the University of Alabama at Birmingham, Yong Li of Huawei Technologies, and Sven Schäge of Ruhr-Universität Bochum.
The team has successfully executed the key reinstallation attack against an Android smartphone, showing how an attacker can decrypt all data that the victim transmits over a protected WiFi. You can watch the proof-of-concept (PoC) video demonstration above.
"Decryption of packets is possible because a key reinstallation attack causes the transmit nonces (sometimes also called packet numbers or initialization vectors) to be reset to zero. As a result, the same encryption key is used with nonce values that have already been used in the past," the researchers say.
The researchers say their key reinstallation attack could be exceptionally devastating against Linux and Android 6.0 or higher, because "Android and Linux can be tricked into (re)installing an all-zero encryption key (see below for more info)."
However, there's no need to panic, as you aren't vulnerable to just anyone on the internet because a successful exploitation of KRACK attack requires an attacker to be within physical proximity to the intended WiFi network.
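The nonce reset described in the paragraphs above can be shown with a small model of the client side of the 4-way handshake. This is an added example, not code from the researchers or from wpa_supplicant: a Supplicant object installs the pairwise temporal key (TK) when message 3 arrives, and a replayed message 3 makes the unguarded version reinstall the key and reset its transmit packet number, so two frames end up protected under the same key/nonce pair. The guarded version keeps the packet number when the offered key is already installed, the principle behind the fixes. The keystream function is a constructed stand-in for the AES-CCM keystream CCMP derives from the TK and packet number; the key and frame contents are constructed values.

```python
"""Model of client-side key installation in the WPA2 4-way handshake.

Shows the CVE-2017-13077 failure mode in miniature: replaying message 3 to a
supplicant that reinstalls the TK resets the transmit packet number (the
nonce), so a later frame reuses a key/nonce pair and the two ciphertexts
XOR to the XOR of their plaintexts.
"""
import hashlib


def keystream(tk, pn, length):
    # Stand-in for CCMP's AES-CTR keystream keyed with TK over a PN-based nonce.
    return hashlib.shake_128(tk + pn.to_bytes(6, "big")).digest(length)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class Supplicant:
    """Client state after the handshake: installed TK and transmit packet number."""

    def __init__(self, refuse_reinstall):
        self.tk = None
        self.tx_pn = 0
        self.refuse_reinstall = refuse_reinstall

    def handle_message3(self, tk):
        """Message 3 signals the client to install the negotiated TK.

        Retransmissions of message 3 are legitimate (message 4 can be lost), so
        the safe behaviour is to acknowledge a duplicate without touching the
        already-installed key or its packet number.
        """
        if self.refuse_reinstall and self.tk == tk:
            return "already installed, PN kept"
        self.tk = tk        # vulnerable path: (re)install the key ...
        self.tx_pn = 0      # ... and reset the nonce counter to its initial value
        return "installed"

    def protect(self, plaintext):
        """Encrypt one frame; each frame must get a fresh packet number."""
        self.tx_pn += 1
        return self.tx_pn, xor(plaintext, keystream(self.tk, self.tx_pn, len(plaintext)))


def run_handshake_with_replay(refuse_reinstall):
    """Install TK, send a frame, replay message 3, send another frame."""
    tk = bytes.fromhex("000102030405060708090a0b0c0d0e0f")   # constructed key
    sta = Supplicant(refuse_reinstall)
    sta.handle_message3(tk)
    p1 = b"GET /index.html "
    pn1, c1 = sta.protect(p1)
    sta.handle_message3(tk)                  # replayed message 3
    p2 = b"Cookie: sess=42 "
    pn2, c2 = sta.protect(p2)
    return {
        "nonce_reused": pn1 == pn2,
        # With a reused key/nonce pair the keystreams cancel out, which is what
        # lets a passive observer learn about the plaintext without the password.
        "plaintext_xor_leaks": xor(c1, c2) == xor(p1, p2),
        "pn_after_replay": pn2,
    }


if __name__ == "__main__":
    print("unguarded supplicant:", run_handshake_with_replay(refuse_reinstall=False))
    print("guarded supplicant:  ", run_handshake_with_replay(refuse_reinstall=True))
```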
WPA2 Vulnerabilities and their Brief Details
The key management vulnerabilities in the WPA2 protocol discovered by the researchers have been tracked as:
CVE-2017-13077: Reinstallation of the pairwise encryption key (PTK-TK) in the four-way handshake.
CVE-2017-13078: Reinstallation of the group key (GTK) in the four-way handshake.
CVE-2017-13079: Reinstallation of the integrity group key (IGTK) in the four-way handshake.
CVE-2017-13080: Reinstallation of the group key (GTK) in the group key handshake.
CVE-2017-13081: Reinstallation of the integrity group key (IGTK) in the group key handshake.
CVE-2017-13082: Accepting a retransmitted Fast BSS Transition (FT) Reassociation Request and reinstalling the pairwise encryption key (PTK-TK) while processing it.
CVE-2017-13084: Reinstallation of the STK key in the PeerKey handshake.
CVE-2017-13086: Reinstallation of the Tunneled Direct-Link Setup (TDLS) PeerKey (TPK) key in the TDLS handshake.
CVE-2017-13087: Reinstallation of the group key (GTK) while processing a Wireless Network Management (WNM) Sleep Mode Response frame.
CVE-2017-13088: Reinstallation of the integrity group key (IGTK) while processing a Wireless Network Management (WNM) Sleep Mode Response frame.
The researchers discovered the vulnerabilities last year and notified several vendors on 14 July 2017, together with the United States Computer Emergency Readiness Team (US-CERT), which sent a broad warning to hundreds of vendors on 28 August 2017.
"The impact of exploiting these vulnerabilities includes decryption, packet replay, TCP connection hijacking, HTTP content injection, and others," the US-CERT warned. "Note that as protocol-level issues, most or all correct implementations of the standard will be affected."
In order to patch these vulnerabilities, you need to wait for the firmware updates from your device vendors.
According to the researchers, HTTPS adds a second layer of encryption on top of the Wi-Fi layer, so traffic inside a TLS session is not exposed by the KRACK attack alone; they warn, however, that this extra protection has been bypassed in a worrying number of apps. Until your devices are patched, a trustworthy VPN service, which encrypts all your Internet traffic whether the application uses HTTPS or plain HTTP, is a sensible precaution.
You can read more information about these vulnerabilities on the KRACK attack's dedicated website, and the research paper.
The team has also promised to release a tool with which you can check whether your Wi-Fi implementation is vulnerable to the KRACK attack.
We will keep updating the story. Stay Tuned!
Update: Patches for Linux's hostapd (Host access point daemon) and WPA Supplicant are now available.


How A Drive-by Download Attack Locked Down Entire City for 4 Days
17.10.2017 thehackernews 
Attack
We don't really know the pain and cost of a downtime event unless we are directly touched.
Be it a flood, electrical failure, ransomware attack or other broad geographic events; we don't know what it is really like to have to restore IT infrastructure unless we have had to do it ourselves.
We look at other people's backup and recovery issues and hope we are smarter or clever enough to keep it from happening to us.
Recovery from a downtime event includes inconvenience, extra work, embarrassment and yes, real pain.
A ransomware attack is a good example.
Unitrends, an American company specialising in backup and business continuity solutions, recently shared with us a real incident at one of its customers, describing the steps taken to recover after a CryptoLocker attack against a US city, and how the attack cost the city's IT team days of production and hundreds of man-hours.
The Challenge
Issaquah is a small city of 30,434 people in Washington, United States; according to Forbes, it is the second fastest-growing suburb in the state.
John T, IT Manager leads a team of five employees who execute all IT initiatives co-developed with the city's IT Governance team. John's team manages all technology, from phones, networks, servers, desktops, applications and cloud services.
The city has only two IT staff dedicated to infrastructure.
"We are spread so thin that logs are not monitored consistently," reports John. "We are slowly recovering from a decade of underinvestment in IT and have a large backlog of software, hardware and network upgrades."
Part of that underinvestment was continued reliance on a ten-year-old tape drive driven by Backup Exec.
They stumbled along until they were hit with a CryptoLocker ransomware attack.
The Infection
Below is the complete story as John shared it with us:
In the final analysis, we believe the ransomware attack originated from a "drive-by" where a single city employee visited and opened a .pdf file that had been compromised on a grant coordination site run by a non-profit. This is not an uncommon risk—a small company or organisation website that doesn’t have IT funding to keep up with the security risks in today’s lightspeed world.
Most entries in the User’s Log file were harmless, though the way this virus worked, it could have been downloaded at any time but still needed to be executed by the user. It could have been sitting on the hard drive for weeks (looking like a .pdf) before being executed, though we would need to interview the user to see if she remembers anything like this. This ransomware appeared to disable our anti-virus systems, and is known to remove all traces once finished.
This virus ran only in PC memory and did not turn up on any other devices in our system. It only attacked Microsoft Office, image, .pdf, and text files in folders on the user’s PC and file shares to which the user had write access. It stopped encrypting files once the PC was restarted in safe mode. The lack of propagation could have been a result of either the virus being designed to reside solely in memory to prevent triggering alarms or because our anti-virus software intercepted it at other devices as it attempted to propagate.
The physical server that hosted the file also hosted five critical virtual application servers. After careful analysis, it was determined these were not compromised. We immediately moved these virtual machines onto a different host. This was done prior to kicking off the server restore to reduce processor and NIC load on the file server host.
When we began the file server restore process it quickly became apparent it would take a long time… four days as it turned out. A quick analysis revealed we had no other options to restore the file server. The Backup Exec device did work and never failed or stopped during the restore process. It seems the scale of the restore was too big for the device capacity and it had to chunk the work out, making the process very long.
Fortunately for us, the attack had happened on a Thursday, so only Thursday and Friday office productivity was lost. Even so, our users were very negatively impacted and quite upset (as were we). This led to funding being released to move to a modern backup appliance.
The Real Cost to Recover from a Ransomware Attack
John said senior executives agreed to fund an upgrade to the backup system, and after a vendor selection process, his team chose what it felt was the best combination of features and capacity with reasonable costs.
If the same ransomware attack occurred today with the data backed up on the Unitrends Recovery Series 933S appliance, the results would have been very different.
First, the attack would have been discovered very quickly as all Unitrends appliances include predictive analytic software and machine learning that will automatically recognise the effects of ransomware on backup files.
An email would then automatically be sent to administrators warning of the attack and identifying the affected files. Then the disaster recovery plan they had in place would be executed.
Secondly, deleting and reinstalling affected files and restarting affected servers would take minutes, not hours, and certainly not four days.
Critical applications could have been spun up instantly on the backup appliance using the last good backups made before the infection. This would greatly limit the negative impact on employees and office productivity.
The Results
There have been several backup and recovery incidents since the Unitrends Appliance was installed, reported John.
"We have used our backup appliance to recover files that were accidentally deleted by end users. We had also used it to recover virtual machines when we had a host system failure. The downtime in the latter case was limited to staff response time as the mission-critical backup VM was up in less than five minutes!"
"We also plan on moving to the cloud very soon since the Unitrends appliance comes with integrated cloud software. The biggest benefits we expect to see from the cloud are low-cost off-site storage, the ability to recover applications in the cloud if needed as a DraaS feature, and access from anywhere in case of a natural disaster type emergency."
"We now have peace of mind knowing that we can recover quickly when needed. We also have increased shared team knowledge on backup and DR with the easy-to-use user interface."


Wifi networks are vulnerable to WPA KRACK attack
17.10.2017 securityaffairs
Attack
The KRACK attack allows an attacker to decrypt information carried in protected WPA2 traffic. The WPA2 standard itself has been broken.
Boffins have discovered several key management flaws in the core of the Wi-Fi Protected Access II (WPA2) protocol that could be exploited by an attacker in range to eavesdrop on Wi-Fi communications and steal sensitive information (e.g. credit card numbers, passwords, chat messages, emails and pictures).

The flaws reside in the Wi-Fi standard itself, not in the numerous implementations, so any correct implementation of WPA2 is likely affected.

The impact could be serious for both companies and home users. The only limitation is that an attacker needs to be within radio range of a victim to exploit the weaknesses.

The researchers devised an attack method dubbed KRACK attack (Key Reinstallation Attack), it works against almost any WPA2 Wi-Fi network.

The KRACK attack allows attackers to decrypt WiFi users’ data without cracking or knowing the password.

According to the researchers, the KRACK attack works against:

both WPA1 and WPA2;
personal and enterprise networks;
the WPA-TKIP, AES-CCMP and GCMP ciphers.
During their initial research, the researchers found that Android, Linux, Apple, Windows, OpenBSD, MediaTek and Linksys products are affected.

The vulnerabilities were found by the Belgian researcher Mathy Vanhoef of imec-DistriNet, KU Leuven.

The KRACK attack works by exploiting the 4-way handshake of the WPA2 protocol, which is used to negotiate the key that encrypts traffic.

“When the victim reinstalls the key, associated parameters such as the incremental transmit packet number (i.e. nonce) and receive packet number (i.e. replay counter) are reset to their initial value,” explained Vanhoef. “Essentially, to guarantee security, a key should only be installed and used once. Unfortunately, we found this is not guaranteed by the WPA2 protocol. By manipulating cryptographic handshakes, we can abuse this weakness in practice.”


The attacker just needs to trick a victim into re-installing an already-in-use key, which is achieved by manipulating and replaying cryptographic handshake messages.

The experts demonstrated how to execute the key reinstallation attack against an Android smartphone in order to decrypt a transmission over a protected WiFi.

According to the experts, the attack is exceptionally effective against Linux and Android 6.0 or higher, because “Android and Linux can be tricked into (re)installing an all-zero encryption key (see below for more info).”

“Although websites or apps may use HTTPS as an additional layer of protection, we warn that this extra protection can (still) be bypassed in a worrying number of situations. ” added the expert.

“Adversaries can use this attack to decrypt packets sent by clients, allowing them to intercept sensitive information such as passwords or cookies,” the researchers say.

“Decryption of packets is possible because a key reinstallation attack causes the transmit nonces (sometimes also called packet numbers or initialization vectors) to be reset to zero. As a result, the same encryption key is used with nonce values that have already been used in the past,”

Below is the full list of vulnerabilities discovered in the WPA2 protocol:

CVE-2017-13077: Reinstallation of the pairwise encryption key (PTK-TK) in the 4-way handshake.
CVE-2017-13078: Reinstallation of the group key (GTK) in the 4-way handshake.
CVE-2017-13079: Reinstallation of the integrity group key (IGTK) in the 4-way handshake.
CVE-2017-13080: Reinstallation of the group key (GTK) in the group key handshake.
CVE-2017-13081: Reinstallation of the integrity group key (IGTK) in the group key handshake.
CVE-2017-13082: Accepting a retransmitted Fast BSS Transition (FT) Reassociation Request and reinstalling the pairwise encryption key (PTK-TK) while processing it.
CVE-2017-13084: Reinstallation of the STK key in the PeerKey handshake.
CVE-2017-13086: Reinstallation of the Tunneled Direct-Link Setup (TDLS) PeerKey (TPK) key in the TDLS handshake.
CVE-2017-13087: Reinstallation of the group key (GTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame.
CVE-2017-13088: Reinstallation of the integrity group key (IGTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame.
The experts discovered the flaws last year and notified several vendors on 14 July 2017; US-CERT also issued an alert to hundreds of vendors on 28 August 2017.

“US-CERT has become aware of several key management vulnerabilities in the 4-way handshake of the Wi-Fi Protected Access II (WPA2) security protocol. The impact of exploiting these vulnerabilities includes decryption, packet replay, TCP connection hijacking, HTTP content injection, and others. Note that as protocol-level issues, most or all correct implementations of the standard will be affected. The CERT/CC and the reporting researcher KU Leuven, will be publicly disclosing these vulnerabilities on 16 October 2017.” the US-CERT warned.

Users have to wait for firmware updates from their device vendors; security patches for Linux’s hostapd (host access point daemon) and wpa_supplicant are already available.

Further details on the KRACK attack are included in the research paper titled “Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2”.

The research team also plans to release a tool for assessing whether Wi-Fi implementations are vulnerable.


Key Reinstallation Attacks

16.10.2017 Attack
Breaking WPA2 by forcing nonce reuse
INTRODUCTION
We discovered serious weaknesses in WPA2, a protocol that secures all modern protected Wi-Fi networks. An attacker within range of a victim can exploit these weaknesses using key reinstallation attacks (KRACKs). Concretely, attackers can use this novel attack technique to read information that was previously assumed to be safely encrypted. This can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos, and so on. The attack works against all modern protected Wi-Fi networks. Depending on the network configuration, it is also possible to inject and manipulate data. For example, an attacker might be able to inject ransomware or other malware into websites.

The weaknesses are in the Wi-Fi standard itself, and not in individual products or implementations. Therefore, any correct implementation of WPA2 is likely affected. To prevent the attack, users must update affected products as soon as security updates become available. Note that if your device supports Wi-Fi, it is most likely affected. During our initial research, we discovered ourselves that Android, Linux, Apple, Windows, OpenBSD, MediaTek, Linksys, and others, are all affected by some variant of the attacks. For more information about specific products, consult the database of CERT/CC, or contact your vendor.

The research behind the attack will be presented at the Computer and Communications Security (CCS) conference, and at the Black Hat Europe conference. Our detailed research paper can already be downloaded.

DEMONSTRATION
As a proof-of-concept we executed a key reinstallation attack against an Android smartphone. In this demonstration, the attacker is able to decrypt all data that the victim transmits. For an attacker this is easy to accomplish, because our key reinstallation attack is exceptionally devastating against Linux and Android 6.0 or higher. This is because Android and Linux can be tricked into (re)installing an all-zero encryption key (see below for more info). When attacking other devices, it is harder to decrypt all packets, although a large number of packets can nevertheless be decrypted. In any case, the following demonstration highlights the type of information that an attacker can obtain when performing key reinstallation attacks against protected Wi-Fi networks:

Our attack is not limited to recovering login credentials (i.e. e-mail addresses and passwords). In general, any data or information that the victim transmits can be decrypted. Additionally, depending on the device being used and the network setup, it is also possible to decrypt data sent towards the victim (e.g. the content of a website). Although websites or apps may use HTTPS as an additional layer of protection, we warn that this extra protection can (still) be bypassed in a worrying number of situations. For example, HTTPS was previously bypassed in non-browser software, in Apple's iOS and OS X, in Android apps, in Android apps again, in banking apps, and even in VPN apps.

DETAILS
Our main attack is against the 4-way handshake of the WPA2 protocol. This handshake is executed when a client wants to join a protected Wi-Fi network, and is used to confirm that both the client and access point possess the correct credentials (e.g. the pre-shared password of the network). At the same time, the 4-way handshake also negotiates a fresh encryption key that will be used to encrypt all subsequent traffic. Currently, all modern protected Wi-Fi networks use the 4-way handshake. This implies all these networks are affected by (some variant of) our attack. For instance, the attack works against personal and enterprise Wi-Fi networks, against the older WPA and the latest WPA2 standard, and even against networks that only use AES. All our attacks against WPA2 use a novel technique called a key reinstallation attack (KRACK):

Key reinstallation attacks: high level description
In a key reinstallation attack, the adversary tricks a victim into reinstalling an already-in-use key. This is achieved by manipulating and replaying cryptographic handshake messages. When the victim reinstalls the key, associated parameters such as the incremental transmit packet number (i.e. nonce) and receive packet number (i.e. replay counter) are reset to their initial value. Essentially, to guarantee security, a key should only be installed and used once. Unfortunately, we found this is not guaranteed by the WPA2 protocol. By manipulating cryptographic handshakes, we can abuse this weakness in practice.

Key reinstallation attacks: concrete example against the 4-way handshake
As described in the introduction of the research paper, the idea behind a key reinstallation attack can be summarized as follows. When a client joins a network, it executes the 4-way handshake to negotiate a fresh encryption key. It will install this key after receiving message 3 of the 4-way handshake. Once the key is installed, it will be used to encrypt normal data frames using an encryption protocol. However, because messages may be lost or dropped, the Access Point (AP) will retransmit message 3 if it did not receive an appropriate response as acknowledgment. As a result, the client may receive message 3 multiple times. Each time it receives this message, it will reinstall the same encryption key, and thereby reset the incremental transmit packet number (nonce) and receive replay counter used by the encryption protocol. We show that an attacker can force these nonce resets by collecting and replaying retransmissions of message 3 of the 4-way handshake. By forcing nonce reuse in this manner, the encryption protocol can be attacked, e.g., packets can be replayed, decrypted, and/or forged. The same technique can also be used to attack the group key, PeerKey, TDLS, and fast BSS transition handshake.

Practical impact
In our opinion, the most widespread and practically impactful attack is the key reinstallation attack against the 4-way handshake. We base this judgement on two observations. First, during our own research we found that most clients were affected by it. Second, adversaries can use this attack to decrypt packets sent by clients, allowing them to intercept sensitive information such as passwords or cookies. Decryption of packets is possible because a key reinstallation attack causes the transmit nonces (sometimes also called packet numbers or initialization vectors) to be reset to zero. As a result, the same encryption key is used with nonce values that have already been used in the past. In turn, this causes all encryption protocols of WPA2 to reuse keystream when encrypting packets. In case a message that reuses keystream has known content, it becomes trivial to derive the used keystream. This keystream can then be used to decrypt messages with the same nonce. When there is no known content, it is harder to decrypt packets, although still possible in several cases (e.g. English text can still be decrypted). In practice, finding packets with known content is not a problem, so it should be assumed that any packet can be decrypted.
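The sequence described above (install the key on message 3, reset the packet number, reinstall on a replayed message 3, then recover keystream from a frame with known content), together with the all-zero-key variant discussed in the Android and Linux section, as an added illustration that is not code from the paper or from wpa_supplicant. Everything in it is a toy: the "CCMP-like" cipher is a counter-mode keystream derived with HMAC-SHA256 rather than AES-CCM (an assumption, so it runs with the Python standard library), the `Client` class and `attack()` helper are hypothetical, and the two frames are constructed. What it preserves is the one property the attack depends on: keystream is a function of (key, nonce), so a reused nonce under one key reuses keystream.

```python
"""Toy model of a WPA2 supplicant around message 3 of the 4-way handshake:
key installation, the per-packet nonce (PN), and why a reinstalled key
leaks keystream. Added illustration, not code from the KRACK paper or from
wpa_supplicant. The cipher is a stand-in (assumption): counter-mode
keystream from HMAC-SHA256 instead of AES-CCM, so only the standard
library is needed. Keystream is still a function of (key, nonce).
"""
import hashlib
import hmac
from itertools import count


def keystream(tk: bytes, pn: int, length: int) -> bytes:
    """Counter-mode keystream for packet number `pn` under temporal key `tk`."""
    out = b""
    for block in count():
        ctr = pn.to_bytes(6, "big") + block.to_bytes(4, "big")  # 48-bit PN, as in CCMP
        out += hmac.new(tk, ctr, hashlib.sha256).digest()
        if len(out) >= length:
            return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Client:
    """Supplicant state relevant to key installation (hypothetical model)."""

    def __init__(self, patched: bool, clears_tk_after_install: bool = False):
        self.patched = patched                    # patched: install a key only once
        self.clears_tk = clears_tk_after_install  # wpa_supplicant 2.4+ behaviour from the text
        self.tk_in_memory = None                  # TK held by the handshake state machine
        self.installed_tk = None                  # TK handed to the driver
        self.pn = 0                               # transmit packet number (nonce)

    def derive_ptk(self, tk: bytes):
        """Messages 1 and 2: the PTK/TK is derived but not yet installed."""
        self.tk_in_memory = tk

    def receive_message3(self):
        """Message 3, whether the original or a replayed retransmission."""
        if self.patched and self.installed_tk is not None:
            return                               # fix: later copies of message 3 do not reinstall
        self.installed_tk = self.tk_in_memory    # (re)install the key ...
        self.pn = 0                              # ... which resets the nonce: the flaw
        if self.clears_tk:
            self.tk_in_memory = bytes(16)        # "clear the key from memory": a reinstall now installs zeros

    def send(self, plaintext: bytes):
        """Encrypt one data frame; returns (pn, ciphertext) as seen on the air."""
        self.pn += 1
        return self.pn, xor(plaintext, keystream(self.installed_tk, self.pn, len(plaintext)))


def attack(client: Client, tk: bytes, known: bytes, secret: bytes):
    """Run the handshake, replay message 3 to force a reinstall, then try to
    recover `secret` from the frame that reuses the nonce of the `known` frame.
    Returns (recovered_bytes, pn_of_known_frame, pn_of_secret_frame)."""
    client.derive_ptk(tk)
    client.receive_message3()
    pn1, ct_known = client.send(known)     # a frame whose content the attacker can guess
    client.receive_message3()              # adversary replays the retransmitted message 3
    pn2, ct_secret = client.send(secret)   # on a vulnerable client this reuses pn1
    if client.installed_tk == bytes(16):
        # all-zero key variant: no keystream recovery needed, the key is known
        return xor(ct_secret, keystream(bytes(16), pn2, len(secret))), pn1, pn2
    ks = xor(ct_known, known)              # keystream for pn1 from known plaintext
    return xor(ct_secret, ks), pn1, pn2    # correct only if pn2 == pn1


# Constructed demo inputs (not from any capture).
DEMO_TK = hashlib.sha256(b"constructed demo key").digest()[:16]
KNOWN_FRAME = b"GET /index.html HTTP/1.1\r\n"
SECRET_FRAME = b"Cookie: session=s3cr3t;\r\n"

if __name__ == "__main__":
    for name, c in [("vulnerable", Client(patched=False)),
                    ("all-zero key", Client(patched=False, clears_tk_after_install=True)),
                    ("patched", Client(patched=True))]:
        recovered, pn1, pn2 = attack(c, DEMO_TK, KNOWN_FRAME, SECRET_FRAME)
        print(f"{name:12s} PNs {pn1},{pn2}  secret recovered: {recovered == SECRET_FRAME}")
```

The vulnerable client encrypts both frames with PN 1, so XORing the known frame's ciphertext with its plaintext yields the keystream that also protects the secret frame; the all-zero-key client needs no known plaintext at all; the patched client keeps counting (PN 2), and the same XOR yields garbage. Note what the model does not claim: the attacker never learns the real TK, consistent with the paper's remark that the negotiated key itself is not recovered.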

The ability to decrypt packets can be used to decrypt TCP SYN packets. This allows an adversary to obtain the TCP sequence numbers of a connection, and hijack TCP connections. As a result, even though WPA2 is used, the adversary can now perform one of the most common attacks against open Wi-Fi networks: injecting malicious data into unencrypted HTTP connections. For example, an attacker can abuse this to inject ransomware or malware into websites that the victim is visiting.

If the victim uses either the WPA-TKIP or GCMP encryption protocol, instead of AES-CCMP, the impact is especially catastrophic. Against these encryption protocols, nonce reuse enables an adversary to not only decrypt, but also to forge and inject packets. Moreover, because GCMP uses the same authentication key in both communication directions, and this key can be recovered if nonces are reused, it is especially affected. Note that support for GCMP is currently being rolled out under the name Wireless Gigabit (WiGig), and is expected to be adopted at a high rate over the next few years.

The direction in which packets can be decrypted (and possibly forged) depends on the handshake being attacked. Simplified, when attacking the 4-way handshake, we can decrypt (and forge) packets sent by the client. When attacking the Fast BSS Transition (FT) handshake, we can decrypt (and forge) packets sent towards the client. Finally, most of our attacks also allow the replay of unicast, broadcast, and multicast frames. For further details, see Section 6 of our research paper.

Note that our attacks do not recover the password of the Wi-Fi network. They also do not recover (any parts of) the fresh encryption key that is negotiated during the 4-way handshake.

Android and Linux
Our attack is especially catastrophic against version 2.4 and above of wpa_supplicant, a Wi-Fi client commonly used on Linux. Here, the client will install an all-zero encryption key instead of reinstalling the real key. This vulnerability appears to be caused by a remark in the Wi-Fi standard that suggests to clear the encryption key from memory once it has been installed for the first time. When the client now receives a retransmitted message 3 of the 4-way handshake, it will reinstall the now-cleared encryption key, effectively installing an all-zero key. Because Android uses wpa_supplicant, Android 6.0 and above also contains this vulnerability. This makes it trivial to intercept and manipulate traffic sent by these Linux and Android devices. Note that currently 41% of Android devices are vulnerable to this exceptionally devastating variant of our attack.

Assigned CVE identifiers
The following Common Vulnerabilities and Exposures (CVE) identifiers were assigned to track which products are affected by specific instantiations of our key reinstallation attack:

CVE-2017-13077: Reinstallation of the pairwise encryption key (PTK-TK) in the 4-way handshake.
CVE-2017-13078: Reinstallation of the group key (GTK) in the 4-way handshake.
CVE-2017-13079: Reinstallation of the integrity group key (IGTK) in the 4-way handshake.
CVE-2017-13080: Reinstallation of the group key (GTK) in the group key handshake.
CVE-2017-13081: Reinstallation of the integrity group key (IGTK) in the group key handshake.
CVE-2017-13082: Accepting a retransmitted Fast BSS Transition (FT) Reassociation Request and reinstalling the pairwise encryption key (PTK-TK) while processing it.
CVE-2017-13084: Reinstallation of the STK key in the PeerKey handshake.
CVE-2017-13086: reinstallation of the Tunneled Direct-Link Setup (TDLS) PeerKey (TPK) key in the TDLS handshake.
CVE-2017-13087: reinstallation of the group key (GTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame.
CVE-2017-13088: reinstallation of the integrity group key (IGTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame.
Note that each CVE identifier represents a specific instantiation of a key reinstallation attack. This means each CVE ID describes a specific protocol vulnerability, and therefore many vendors are affected by each individual CVE ID. You can also read vulnerability note VU#228519 of CERT/CC for additional details on which products are known to be affected.

PAPER
Our research paper behind the attack is titled Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 and will be presented at the Computer and Communications Security (CCS) conference on Wednesday 1 November 2017.

Although this paper is made public now, it was already submitted for review on 19 May 2017. After this, only minor changes were made. As a result, the findings in the paper are already several months old. In the meantime, we have found easier techniques to carry out our key reinstallation attack against the 4-way handshake. With our novel attack technique, it is now trivial to exploit implementations that only accept encrypted retransmissions of message 3 of the 4-way handshake. In particular this means that attacking macOS and OpenBSD is significantly easier than discussed in the paper.

We would like to highlight the following addendums and errata:

Addendum: wpa_supplicant v2.6
Linux's wpa_supplicant v2.6 is also vulnerable to the installation of an all-zero encryption key in the 4-way handshake. This was discovered by John A. Van Boxtel. The new attack works by injecting a forged message 1, with the same ANonce as used in the original message 1, before forwarding the retransmitted message 3 to the victim.
Addendum: other vulnerable handshakes
After our initial research as reported in the paper, we discovered that the TDLS handshake and WNM Sleep Mode Response frame are also vulnerable to key reinstallation attacks.

Selected errata
In Figure 9 at stage 3 of the attack, the frame transmitted from the adversary to the authenticator should say a ReassoReq instead of ReassoResp.
TOOLS
We have made scripts to detect whether an implementation of the 4-way handshake, group key handshake, or Fast BSS Transition (FT) handshake is vulnerable to key reinstallation attacks. These scripts will be released once we have had the time to clean up their usage instructions.
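A defender's counterpart to such a check, as an added example that is not the researchers' scripts: it scans a trace of frames for the observable signs of a key reinstallation, namely a retransmitted message 3, a message 1 that repeats the previous ANonce (the wpa_supplicant v2.6 variant from the addendum), and a CCMP packet number that fails to increase under the same key. The `Frame` record, `find_key_reinstallation()` and the three traces are constructed for this illustration; on a real network the fields would be filled from a monitor-mode capture (transmitter address, EAPOL-Key message type, ANonce, CCMP PN).

```python
"""Spot key reinstallations in a trace of 802.11 frames.

Added example, not the KRACK authors' detection scripts. Frames are
reduced to the fields the check needs; the traces below are constructed,
not captured.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Frame:
    """One captured frame, reduced to what this check needs."""
    ta: str                          # transmitter address
    kind: str                        # "eapol1"/"eapol3" (AP -> client) or "data" (CCMP-encrypted)
    ra: Optional[str] = None         # receiver address (the client, for EAPOL frames)
    pn: Optional[int] = None         # CCMP packet number, data frames only
    anonce: Optional[bytes] = None   # ANonce carried in message 1


def find_key_reinstallation(frames: List[Frame]) -> List[Tuple[int, str]]:
    """Return (frame_index, reason) for every frame that indicates a key
    reinstallation or the nonce reuse it causes."""
    findings: List[Tuple[int, str]] = []
    highest_pn: Dict[str, int] = {}                 # transmitter -> highest PN under the current key
    msg3_seen: Dict[str, int] = {}                  # client -> copies of message 3 in this handshake
    last_anonce: Dict[str, Optional[bytes]] = {}    # client -> ANonce of the last genuine handshake

    for i, f in enumerate(frames):
        if f.kind == "eapol1":
            if f.anonce is not None and last_anonce.get(f.ra) == f.anonce:
                findings.append((i, "anonce_reused"))   # same ANonce: not a fresh negotiation
                continue                                # so the following message 3 is a repeat
            last_anonce[f.ra] = f.anonce
            msg3_seen[f.ra] = 0                         # genuine handshake starts
        elif f.kind == "eapol3":
            msg3_seen[f.ra] = msg3_seen.get(f.ra, 0) + 1
            if msg3_seen[f.ra] == 1:
                highest_pn.pop(f.ra, None)              # new key: PN legitimately starts over
            else:
                findings.append((i, "msg3_retransmit"))  # the frame an adversary replays
        elif f.kind == "data":
            prev = highest_pn.get(f.ta)
            if prev is not None and f.pn <= prev:
                findings.append((i, "pn_reuse"))        # nonce reset or replay under one key
            highest_pn[f.ta] = max(prev or 0, f.pn)
    return findings


# Constructed traces; addresses and nonces are placeholders.
AP, STA = "ap", "sta"
NONCE_A, NONCE_B = b"A" * 32, b"B" * 32

REPLAYED_MSG3 = [
    Frame(AP, "eapol1", ra=STA, anonce=NONCE_A),
    Frame(AP, "eapol3", ra=STA),
    Frame(STA, "data", pn=1),
    Frame(STA, "data", pn=2),
    Frame(AP, "eapol3", ra=STA),   # replayed by the adversary, or resent after a lost message 4
    Frame(STA, "data", pn=1),      # PN restarted: the client reinstalled the key
    Frame(STA, "data", pn=2),
]

HONEST_REKEY = [
    Frame(AP, "eapol1", ra=STA, anonce=NONCE_A),
    Frame(AP, "eapol3", ra=STA),
    Frame(STA, "data", pn=1),
    Frame(STA, "data", pn=2),
    Frame(AP, "eapol1", ra=STA, anonce=NONCE_B),   # genuine rekey with a new ANonce
    Frame(AP, "eapol3", ra=STA),
    Frame(STA, "data", pn=1),                      # fresh key, PN restart expected
]

FORGED_MSG1 = [
    Frame(AP, "eapol1", ra=STA, anonce=NONCE_A),
    Frame(AP, "eapol3", ra=STA),
    Frame(STA, "data", pn=1),
    Frame(AP, "eapol1", ra=STA, anonce=NONCE_A),   # forged message 1 reusing the ANonce
    Frame(AP, "eapol3", ra=STA),
    Frame(STA, "data", pn=1),
]

if __name__ == "__main__":
    for name, trace in [("replayed msg3", REPLAYED_MSG3), ("honest rekey", HONEST_REKEY),
                        ("forged msg1", FORGED_MSG1)]:
        print(name, find_key_reinstallation(trace))
```

On real captures, key the PN by (transmitter, key ID) so group-addressed frames under the GTK are not compared with pairwise ones, and treat out-of-order capture as a source of false positives. A PN restart following a retransmitted message 3 is evidence of a vulnerable client even when nobody replayed the frame, which is the spontaneous case the Q&A below describes.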

We also made a proof-of-concept script that exploits the all-zero key (re)installation present in certain Android and Linux devices. This script is the one that we used in the demonstration video. It will be released once everyone has had a reasonable chance to update their devices (and we have had a chance to prepare the code repository for release). We remark that the reliability of our proof-of-concept script may depend on how close the victim is to the real network. If the victim is very close to the real network, the script may fail because the victim will always directly communicate with the real network, even if the victim is (forced) on a different Wi-Fi channel than this network.

Q&A
Do we now need WPA3?
No, luckily implementations can be patched in a backwards-compatible manner. This means a patched client can still communicate with an unpatched access point, and vice versa. In other words, a patched client or access point sends exactly the same handshake messages as before, and at exactly the same moments in time. However, the security updates will assure a key is only installed once, preventing our attacks. So again, update all your devices once security updates are available.

Should I change my Wi-Fi password?
Changing the password of your Wi-Fi network does not prevent (or mitigate) the attack. So you do not have to update the password of your Wi-Fi network. Instead, you should make sure all your devices are updated, and you should also update the firmware of your router. After updating your router, you can optionally change the Wi-Fi password as an extra precaution.

I'm using WPA2 with only AES. That's also vulnerable?
Yes, that network configuration is also vulnerable. The attack works against both WPA1 and WPA2, against personal and enterprise networks, and against any cipher suite being used (WPA-TKIP, AES-CCMP, and GCMP). So everyone should update their devices to prevent the attack!

You use the word "we" in this website. Who is we?
I use the word "we" because that's what I'm used to writing in papers. In practice, all the work is done by me, with me being Mathy Vanhoef. My awesome supervisor is added under an honorary authorship to the research paper for his excellent general guidance. But all the real work was done on my own. So the author list of academic papers does not represent division of work :)

Is my device vulnerable?
Probably. Any device that uses Wi-Fi is likely vulnerable. Contact your vendor for more information.

What if there are no security updates for my router?
Our main attack is against the 4-way handshake, and does not exploit access points, but instead targets clients. So it might be that your router does not require security updates. We strongly advise you to contact your vendor for more details. In general though, you can try to mitigate attacks against routers and access points by disabling client functionality (which is for example used in repeater modes) and disabling 802.11r (fast roaming). For ordinary home users, your priority should be updating clients such as laptops and smartphones.

How did you discover these vulnerabilities?
When working on the final (i.e. camera-ready) version of another paper, I was double-checking some claims we made regarding OpenBSD's implementation of the 4-way handshake. In a sense I was slacking off, because I was supposed to be just finishing the paper, instead of staring at code. But there I was, inspecting some code I already read a hundred times, to avoid having to work on the next paragraph. It was at that time that a particular call to ic_set_key caught my attention. This function is called when processing message 3 of the 4-way handshake, and it installs the pairwise key to the driver. While staring at that line of code I thought “Ha. I wonder what happens if that function is called twice”. At the time I (correctly) guessed that calling it twice might reset the nonces associated to the key. And since message 3 can be retransmitted by the Access Point, in practice it might indeed be called twice. “Better make a note of that. Other vendors might also call such a function twice. But let's first finish this paper...”. A few weeks later, after finishing the paper and completing some other work, I investigated this new idea in more detail. And the rest is history.

The 4-way handshake was mathematically proven as secure. How is your attack possible?
The brief answer is that the formal proof does not assure a key is installed once. Instead, it only assures the negotiated key remains secret, and that handshake messages cannot be forged.

The longer answer is mentioned in the introduction of our research paper: our attacks do not violate the security properties proven in formal analysis of the 4-way handshake. In particular, these proofs state that the negotiated encryption key remains private, and that the identity of both the client and Access Point (AP) is confirmed. Our attacks do not leak the encryption key. Additionally, although normal data frames can be forged if TKIP or GCMP is used, an attacker cannot forge handshake messages and hence cannot impersonate the client or AP during handshakes. Therefore, the properties that were proven in formal analysis of the 4-way handshake remain true. However, the problem is that the proofs do not model key installation. Put differently, the formal models did not define when a negotiated key should be installed. In practice, this means the same key can be installed multiple times, thereby resetting nonces and replay counters used by the encryption protocol (e.g. by WPA-TKIP or AES-CCMP).

Some attacks in the paper seem hard
We have follow-up work making our attacks (against for example macOS and OpenBSD) significantly more general and easier to execute. So although we agree that some of the attack scenarios in the paper are rather impractical, do not let this fool you into believing key reinstallation attacks cannot be abused in practice.

Are people exploiting this in the wild?
We are not in a position to determine if this vulnerability has been (or is being) actively exploited in the wild. That said, key reinstallations can actually occur spontaneously without an adversary being present! This may for example happen if the last message of a handshake is lost due to background noise, causing a retransmission of the previous message. When processing this retransmitted message, keys may be reinstalled, resulting in nonce reuse just like in a real attack.
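The two answers above make one mechanical point: installing an already-installed key resets the nonce (packet number) and replay counter, whether the second message 3 comes from an adversary or from an ordinary retransmission. The following Python is an added toy model of that logic (not code from the KRACK paper or from any Wi-Fi implementation): a vulnerable client resets its packet number on every key install, so the first frame after a retransmitted message 3 reuses nonce 1, and with a stream-style cipher the XOR of the two ciphertexts equals the XOR of the two plaintexts. The `reinstall_protection` flag models the fix patched clients adopted, which is to refuse to reinstall a key that is already in use. The keystream function, the 6-byte packet number and the key bytes are simplifications constructed for the example, not the CCMP construction.

```python
"""Toy model of a Wi-Fi client's pairwise-key installation logic (added
example, not the KRACK paper's code). Shows how reinstalling the same key on a
retransmitted message 3 resets the packet number and causes nonce reuse, and
how refusing to reinstall an in-use key prevents it."""
import hashlib
import hmac


def keystream(key, nonce, length):
    """Stand-in for the per-packet keystream a CCMP-style cipher derives from
    (key, nonce). Any deterministic PRF makes the point: the same key and
    nonce always give the same keystream. (Assumption: not real CCMP.)"""
    return hmac.new(key, nonce.to_bytes(6, "big"), hashlib.sha256).digest()[:length]


class Client:
    def __init__(self, reinstall_protection):
        self.reinstall_protection = reinstall_protection
        self.installed_key = None
        self.tx_pn = 0  # transmit packet number, used as the nonce

    def install_ptk(self, ptk):
        """Called while processing message 3. A vulnerable client always
        (re)installs the key and resets the packet number to zero."""
        if self.reinstall_protection and ptk == self.installed_key:
            return  # patched behaviour: key already in use, keep the counters
        self.installed_key = ptk
        self.tx_pn = 0

    def encrypt(self, plaintext):
        """Encrypt one data frame; return (nonce used, ciphertext)."""
        self.tx_pn += 1
        ks = keystream(self.installed_key, self.tx_pn, len(plaintext))
        return self.tx_pn, bytes(p ^ k for p, k in zip(plaintext, ks))


FRAME1 = b"first frame "   # constructed sample frames of equal length
FRAME2 = b"second frame"


def run_handshake_with_retransmit(reinstall_protection):
    """Message 3 received, one frame sent, message 3 received again (as when
    the client's message 4 is lost in noise), another frame sent."""
    ptk = hashlib.sha256(b"constructed-ptk").digest()[:16]
    client = Client(reinstall_protection)
    client.install_ptk(ptk)
    n1, c1 = client.encrypt(FRAME1)
    client.install_ptk(ptk)  # retransmitted message 3
    n2, c2 = client.encrypt(FRAME2)
    return n1, c1, n2, c2


def nonce_reused(reinstall_protection):
    n1, _, n2, _ = run_handshake_with_retransmit(reinstall_protection)
    return n1 == n2


def xor_leaks_plaintext(reinstall_protection):
    """With nonce reuse the keystream cancels: c1 XOR c2 == p1 XOR p2."""
    _, c1, _, c2 = run_handshake_with_retransmit(reinstall_protection)
    return bytes(a ^ b for a, b in zip(c1, c2)) == bytes(a ^ b for a, b in zip(FRAME1, FRAME2))


if __name__ == "__main__":
    print("vulnerable: nonce reused =", nonce_reused(False), "keystream cancels =", xor_leaks_plaintext(False))
    print("patched:    nonce reused =", nonce_reused(True), "keystream cancels =", xor_leaks_plaintext(True))
```

The check in `install_ptk` is the whole mitigation: the handshake messages are still accepted (so the proof's properties still hold), but the key-installation step, which the formal models left undefined, is made idempotent.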

Should I temporarily use WEP until my devices are patched?
NO! Keep using WPA2.

Will the Wi-Fi standard be updated to address this?
There seems to be an agreement that the Wi-Fi standard should be updated to explicitly prevent our attacks. These updates likely will be backwards-compatible with older implementations of WPA2. Time will tell whether and how the standard will be updated.

Is the Wi-Fi Alliance also addressing these vulnerabilities?
For those unfamiliar with Wi-Fi, the Wi-Fi Alliance is an organization which certifies that Wi-Fi devices conform to certain standards of interoperability. Among other things, this assures that Wi-Fi products from different vendors work well together.

The Wi-Fi Alliance has a plan to help remedy the discovered vulnerabilities in WPA2. Summarized, they will:

Require testing for this vulnerability within their global certification lab network.
Provide a vulnerability detection tool for use by any Wi-Fi Alliance member (this tool is based on my own detection tool that determines if a device is vulnerable to some of the discovered key reinstallation attacks).
Broadly communicate details on this vulnerability, including remedies, to device vendors. Additionally, vendors are encouraged to work with their solution providers to rapidly integrate any necessary patches.
Communicate the importance for users to ensure they have installed the latest recommended security updates from device manufacturers.

Why did you use match.com as an example in the demonstration video?
Users share a lot of personal information on websites such as match.com. So this example highlights all the sensitive information an attacker can obtain, and hopefully with this example people also better realize the potential (personal) impact. We also hope this example makes people aware of all the information these dating websites may be collecting.

How can these types of bugs be prevented?
We need more rigorous inspections of protocol implementations. This requires help and additional research from the academic community! Together with other researchers, we hope to organize workshop(s) to improve and verify the correctness of security protocol implementations.

Why the domain name krackattacks.com?
First, I'm aware that KRACK attacks is a pleonasm, since KRACK stands for key reinstallation attack and hence already contains the word attack. But the domain name rhymes, so that's why it's used.

Did you get bug bounties for this?
I haven't applied for any bug bounties yet, nor have I received one already.

How does this attack compare to other attacks against WPA2?
This is the first attack against the WPA2 protocol that doesn't rely on password guessing. Indeed, other attacks against WPA2-enabled networks are against surrounding technologies such as Wi-Fi Protected Setup (WPS), or are attacks against older standards such as WPA-TKIP. Put differently, none of the existing attacks were against the 4-way handshake or against cipher suites defined in the WPA2 protocol. In contrast, our key reinstallation attack against the 4-way handshake (and against other handshakes) highlights vulnerabilities in the WPA2 protocol itself.

Are other protocols also affected by key reinstallation attacks?
We expect that certain implementations of other protocols may be vulnerable to similar attacks. So it's a good idea to audit security protocol implementations with this attack in mind. However, we consider it unlikely that other protocol standards are affected by similar attacks (or at least so we hope). Nevertheless, it's still a good idea to audit other protocols!

Is there a higher resolution version of the logo?
Yes there is. And a big thank you goes to the person that made the logo!

When did you first notify vendors about the vulnerability?
We sent out notifications to vendors whose products we tested ourselves around 14 July 2017. After communicating with these vendors, we realized how widespread the weaknesses we discovered are (only then did I truly convince myself it was indeed a protocol weakness and not a set of implementation bugs). At that point, we decided to let CERT/CC help with the disclosure of the vulnerabilities. In turn, CERT/CC sent out a broad notification to vendors on 28 August 2017.

Why did OpenBSD silently release a patch before the embargo?
OpenBSD was notified of the vulnerability on 15 July 2017, before CERT/CC was involved in the coordination. Quite quickly, Theo de Raadt replied and critiqued the tentative disclosure deadline: “In the open source world, if a person writes a diff and has to sit on it for a month, that is very discouraging”. Note that I wrote and included a suggested diff for OpenBSD already, and that at the time the tentative disclosure deadline was around the end of August. As a compromise, I allowed them to silently patch the vulnerability. In hindsight this was a bad decision, since others might rediscover the vulnerability by inspecting their silent patch. To avoid this problem in the future, OpenBSD will now receive vulnerability notifications closer to the end of an embargo.

So you expect to find other Wi-Fi vulnerabilities?
“I think we're just getting started.” — Master Chief, Halo 1


Swedish transport agencies targeted in DDoS cyber attacks
16.10.2017 securityaffairs Attack

Swedish transport agencies were hit by cyber attacks on Wednesday and Thursday, October 11 and 12. Is it information warfare?
Swedish transport authorities were hit by cyber attacks on Wednesday and Thursday, October 11 and 12. The attacks brought down several IT systems, causing train delays.

The first attack hit the Swedish Transport Administration (Trafikverket) on Wednesday and paralyzed the IT system that manages train orders, forcing the agency to stop or delay trains while the attack was under way.

Local media reported the Trafikverket email system and website went down, preventing travelers from making reservations or getting information about the delays.

The agency used Facebook to provide updates on the situation to the travelers.

“The Swedish Transport Administration suffered, during the night leading into Wednesday and during Wednesday morning, major IT disturbances that took the site down, which meant that travelers could not get information about the delays that occurred.” reported the Swedish public broadcaster SVT.

“Several systems were affected by IT interference, including our drive system that shows where the trains are located. Most systems are running now, but the problems are not completely solved and further delays are expected, says Pär Aronsson, Press Communications Officer at the Swedish Transport Administration.”

Photo: SVT’s reporter witnessed major delays and poor information at Stockholm Central, where many trains were delayed. (Photo: Sofia Lindahl / SVT)

Trafikverket officials confirmed the DDoS attack was aimed at the agency’s service providers TDC and DGC with the intent to affect the agency’s operations.

Trafikverket was able to restore service in a few hours, but the delays affected the entire day’s train operations.

The day after, another DDoS attack hit the website of another government agency, the Sweden Transport Agency (Transportstyrelsen), and public transport operator Västtrafik.

“Public transport operators Västtrafik in western Sweden were also hit by two similar overload attacks on Thursday, briefly crashing its ticket booking app and online travel planner.” reported The Local website.

“It could be a prank or someone trying to investigate what kind of protection Trafikverket has,” Patrik Gylesjö, deputy CEO of internet provider DGC told Computer Sweden.

Crooks or State-sponsored attacks?

With the information available it is difficult to attribute the attacks to specific actors, but experts speculate that a nation-state attacker was probing Sweden’s transportation infrastructure.

Some observers noted that the DDoS attacks hit Swedish transport agencies a week after Russia conducted the Zapad drills, which, according to intelligence experts, were meant to test its cyber capabilities and simulate an attack on all Baltic countries, including the use of cyber weapons.


Hackers Used Government Servers in DNSMessenger Attacks
15.10.2017 securityweek Attack
A recently discovered DNSMessenger campaign is abusing compromised U.S. state government servers to host malware, Cisco Talos security researchers say.

First uncovered in early March, the DNSMessenger attack involved the use of DNS requests to establish communication between a PowerShell RAT and its command and control (C&C) servers. Completely fileless and invisible to most standard defenses, the attack was highly targeted and researchers attributed it to a sophisticated threat actor.

Cisco now says that additional attacks leveraging this type of malware were discovered, targeting several organizations. Specific to this campaign is the use of DNS TXT records to create a bidirectional C&C channel and directly interact with the Windows Command Processor.
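A C&C channel built on DNS TXT records has a recognisable shape in resolver logs: one client repeatedly queries TXT records for ever-changing, long, high-entropy subdomains of the same parent domain, because that is where the uploaded data and command requests travel. The following Python detection is an added example (not Cisco Talos's code) that scores constructed resolver log lines on exactly those features. The log format, the thresholds and every domain name in it are assumptions made up for the example; none are indicators from the campaign.

```python
"""Detect a DNS TXT-record C2 channel in resolver logs (added example, not
Cisco Talos's tooling). Flags clients that send many TXT queries whose
leading labels are long and high-entropy to one parent domain."""
import math
from collections import defaultdict

# Constructed sample log, one query per line: "<time> <client> <qname> <qtype>".
# All names are placeholders, not real indicators.
SAMPLE_LOG = """\
10:00:01 10.1.1.7 www.example.org A
10:00:02 10.1.1.7 mail.example.org MX
10:00:03 10.1.1.9 a9f3k2mz8q1lxv7c.cmd.c2-placeholder.example TXT
10:00:05 10.1.1.9 p0q7w2e9r4t6y1u3.cmd.c2-placeholder.example TXT
10:00:07 10.1.1.9 z8x3c5v1b7n2m4k6.cmd.c2-placeholder.example TXT
10:00:09 10.1.1.9 l2k4j6h8g0f1d3s5.cmd.c2-placeholder.example TXT
10:00:11 10.1.1.9 q1w2e3r4t5y6u7i8.cmd.c2-placeholder.example TXT
10:00:12 10.1.1.7 _dmarc.example.org TXT
10:00:13 10.1.1.7 example.org TXT
"""

TXT_COUNT_MIN = 5    # assumed: TXT queries per (client, parent domain) before we care
LABEL_LEN_MIN = 12   # assumed: leading labels shorter than this are treated as normal
ENTROPY_MIN = 3.0    # assumed: Shannon entropy (bits/char) typical of encoded data


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parent_domain(qname, depth=2):
    """Crude registered-domain guess: the last `depth` labels. (Assumption:
    a real deployment should use the public suffix list instead.)"""
    return ".".join(qname.rstrip(".").split(".")[-depth:])


def detect_dns_c2(log_text):
    """Return [(client, parent_domain, txt_query_count)] for flagged pairs."""
    stats = defaultdict(lambda: {"count": 0, "labels": set()})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash on them
        _, client, qname, qtype = parts
        if qtype != "TXT":
            continue
        key = (client, parent_domain(qname))
        stats[key]["count"] += 1
        stats[key]["labels"].add(qname.split(".")[0])

    flagged = []
    for (client, dom), st in sorted(stats.items()):
        if st["count"] < TXT_COUNT_MIN:
            continue
        # Many distinct, encoded-looking leading labels = data riding in queries.
        encoded_like = [lab for lab in st["labels"]
                        if len(lab) >= LABEL_LEN_MIN and shannon_entropy(lab) >= ENTROPY_MIN]
        if len(encoded_like) >= TXT_COUNT_MIN:
            flagged.append((client, dom, st["count"]))
    return flagged


if __name__ == "__main__":
    for client, dom, n in detect_dns_c2(SAMPLE_LOG):
        print(f"suspicious TXT channel: {client} -> {dom} ({n} queries)")
```

Legitimate TXT lookups (SPF, DMARC, domain verification) use a handful of fixed, short names, so the two thresholds together keep them out; the count threshold alone would not, and the entropy threshold alone is fooled by CDN hostnames.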

The attackers use spear phishing emails to spread the malware and leverage U.S. state government servers to host the malicious code necessary in the later stages of the infection chain. The emails, Cisco reveals, are spoofed to seem as if they were sent from the Securities and Exchange Commission (SEC) Electronic Data Gathering, Analysis, and Retrieval (EDGAR) system.

In March this year, attacks targeting U.S. organizations and focused on personnel that handle filings to the SEC were attributed to the hacking group known as FIN7. The incidents were later tied to a framework used in the DNSMessenger campaign as well, as all attacks were supposedly orchestrated by a single threat group.

“The organizations targeted in this latest malware campaign were similar to those targeted during previous DNSMessenger campaigns. These attacks were highly targeted in nature, the use of obfuscation as well as the presence of a complex multi-stage infection process indicates that this is a sophisticated and highly motivated threat actor that is continuing to operate,” Cisco Talos reports.

The spear phishing emails used in the new attack contained attached Microsoft Word documents (also made to appear as if originating from SEC) that would leverage Dynamic Data Exchange (DDE) to perform code execution. When opened, the documents would prompt the user to allow the retrieval of content from included external links.

The DDEAUTO field used by the malicious document retrieved code initially hosted on a compromised Louisiana state government website. The downloaded code is executed using PowerShell and is responsible for achieving persistence and starting the next stage of the infection chain.
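The DDEAUTO field used here is stored as an ordinary Word field code inside the document's XML, which is how it can be found without opening the file in Word. The following Python scanner is an added example (not Cisco Talos's tooling): it unpacks a .docx, walks the field codes in the body, headers, footers and notes, joins instructions that are split across several `instrText` runs (which obfuscated documents often do), and reports any DDE or DDEAUTO field. The sample document is constructed in memory with a placeholder executable path; it is not the campaign's document.

```python
"""Scan a .docx for DDE/DDEAUTO field codes (added example, not Cisco
Talos's code). A .docx is a zip; field instructions live in the XML parts as
<w:fldSimple w:instr="..."> or as <w:instrText> runs between
<w:fldChar w:fldCharType="begin"/> and the matching "end"."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
DDE_RE = re.compile(r"\bDDE(?:AUTO)?\b", re.IGNORECASE)
PART_RE = re.compile(r"word/(document|header\d*|footer\d*|footnotes|endnotes)\.xml$")


def field_codes(part_xml):
    """Yield every field instruction string found in one XML part."""
    root = ET.fromstring(part_xml)
    for fs in root.iter(f"{{{W}}}fldSimple"):
        yield fs.get(f"{{{W}}}instr", "")
    depth, buf = 0, []
    for el in root.iter():  # document order, so runs are joined in sequence
        if el.tag == f"{{{W}}}fldChar":
            kind = el.get(f"{{{W}}}fldCharType")
            if kind == "begin":
                depth += 1
            elif kind == "end" and depth > 0:
                depth -= 1
                if depth == 0:  # outermost field closed: emit the joined text
                    yield "".join(buf)
                    buf = []
        elif el.tag == f"{{{W}}}instrText" and depth > 0:
            buf.append(el.text or "")


def scan_docx(data):
    """Return [(part name, normalised field code)] for each DDE field."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not PART_RE.match(name):
                continue
            for code in field_codes(zf.read(name)):
                norm = " ".join(code.split())  # collapse whitespace used to hide the keyword
                if DDE_RE.search(norm):
                    hits.append((name, norm))
    return hits


def build_sample_docx(field_runs):
    """Constructed minimal .docx whose body holds one complex field with its
    instruction split across the given runs. Sample data for the example."""
    runs = "".join(f'<w:r><w:instrText xml:space="preserve">{t}</w:instrText></w:r>'
                   for t in field_runs)
    body = (f'<w:document xmlns:w="{W}"><w:body><w:p>'
            '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
            f'{runs}'
            '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
            '<w:r><w:t>placeholder</w:t></w:r>'
            '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
            '</w:p></w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", body)
    return buf.getvalue()


if __name__ == "__main__":
    # keyword split across runs and a placeholder path, as an evasive sample would do
    sample = build_sample_docx(["DDE", "AUTO ", "C:\\placeholder\\app.exe"])
    print(scan_docx(sample))           # one hit
    print(scan_docx(build_sample_docx([" PAGE "])))  # benign field, no hit
```

Matching on the joined, whitespace-normalised instruction rather than on each run is what makes the split-keyword sample detectable; a mail gateway rule that only greps the raw XML for `DDEAUTO` misses it.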

Heavily obfuscated, the next stage of infection establishes communication with the C&C and receives code via DNS. When this step is completed, the result string is decoded and decompressed and then passed to the PowerShell IEX cmdlet to execute the retrieved code.

Cisco’s researchers weren’t able to obtain the next stage of PowerShell code from the C&C server and believe that this could be so because of the highly targeted nature of the attack. The actors behind the operation might be restricting communications to evade analysis.

Other researchers, however, were able to retrieve the code and reveal that it contains the usual set of information gathering capabilities. The stage 4 code, which includes a different structure of DNS records being used for commands, apparently exfiltrates data via a hardcoded web form.

This attack, Cisco concludes, shows the level of sophistication associated with threats facing organizations today: it includes multiple layers of obfuscation, it limits compromise to only the organizations of interest, and uses new techniques to execute malicious code on systems (leverages WMI, ADS, scheduled tasks, and registry keys to obtain persistence).


Experts spotted KnockKnock attacks, a new ingenious attack technique on Office 365 System Accounts
9.10.2017 securityaffairs
Attack

Security experts from Skyhigh Networks discovered a wide-scale attack with a new stealthy technique, dubbed KnockKnock, that targets Office 365 accounts.
The cloud access security broker Skyhigh Networks discovered a wide-scale attack with a new stealthy technique, dubbed KnockKnock, that targets Office 365 (O365) accounts.

The massive campaign, which relies on a low-key attack, started in May and is still ongoing. Attackers are using a small botnet composed of 83 IP addresses across 63 networks, most of them registered in China. The attackers also used bots from 15 other countries, including Brazil, Russia, the US, and Malaysia.

Experts underscored the fact that the botnet attack KnockKnock was observed in targeted offensives.

“Skyhigh has detected an ingenious new botnet attack against Office 365 accounts, dubbed ‘KnockKnock’ because attackers are attempting to knock on backdoor system accounts to infiltrate entire O365 environments.” reads the analysis published by Skyhigh Networks. “One of the key distinctions of this new attack is the nature of the accounts that are being targeted. KnockKnock was designed to primarily attack system accounts that are not assigned to any one individual user, making them particularly vulnerable, as we’ll describe later.”

Attackers launched a slow and methodical attack trying to remain under the radar instead of carrying out a brute force attack against O365 accounts.

The attackers targeted only a very small proportion (typically <2%) of the O365 account base, and limited the number of attempts to 3-5 per account in order to go undetected.

Once the attackers take over an account, they snoop on any data in the inbox and then create a new inbox rule to hijack incoming messages. This is the first stage of the attack against company networks: once an account is compromised, the attackers start in-company phishing attempts for lateral movement.

Experts suggest attackers may tailor the payload based on the targeted organization “for a larger takeover over time”.

The threat actors behind the KnockKnock attack focused their attention on system accounts rather than ordinary accounts, because they tend to have high access privileges and poor protection.

“The system accounts that Skyhigh identified as targets included service accounts (like the ones used for user provisioning in larger enterprises), automation accounts (like the ones used to automate data and system backups), machine accounts (like the ones used for applications within data centers), marketing automation accounts (like the ones used for marketing and customer communication), internal tools accounts (like the ones used with JIRA, Jenkins, GitHub etc.), in addition to accounts set up for distribution lists and shared and delegated mailboxes.” continues the analysis.

“The reason this is so clever is that system accounts, given their purpose, tend to have higher access and privileges than an average account. And, most importantly, such accounts do not yield well to authentication frameworks like Single-Sign-On (SSO) or Multi-Factor Authentication (MFA) and are also subject to lax password policies.”

Skyhigh experts detected the KnockKnock attacks using its machine learning anomaly detection engine. The engine detected an increase in the number of anomalous accesses; the experts spotted the malicious activity by correlating data from billions of O365 events across hundreds of customers.


Skyhigh researchers confirmed that the KnockKnock attack targeted over 50 percent of their customers; it is likely that a large portion of large Office 365 customers is being attacked with this technique.

Experts noticed that none of the 83 recognized IP addresses were already included on lists of known bad IP addresses, making this attack stealthy in nature.


Stealthy Attack Could Hit 50 Percent of Large Office 365 Customers: Report
7.10.2017 securityweek 
Attack
Slow and Methodical Attack Targets Large Microsoft Office 365 Customers

A widescale, yet stealthy attack against Office 365 (O365) accounts started in May and is still continuing. It is a low-key attack that tries to hide under the radar, and is delivered by a small botnet of 83 IP addresses across 63 networks. The majority of IP addresses are registered in China, but the attack activity also originates from 15 other countries, such as Russia, Brazil, the US and Malaysia.

The attack was detected by Skyhigh Networks -- a cloud access security broker (CASB) -- and described in a blog post Thursday.

The attack is not a traditional brute force attack against O365 accounts, but a slow and methodical attack that tries to avoid highlighting its activity. "First, it targets a very small proportion (typically <2%) of the O365 account base," writes Sandeep Chandana, principal data scientist at Skyhigh. "Second, it is devoid of any bursts in hacking activity, and averages only 3-5 attempts per account in order to try and fly under the radar of traditional defenses."

"This campaign on Office 365 is particularly troubling due to its focus on system accounts that are essential for today's business automation, that typically do not require MFA and that traditionally have weak security oversight," explains Sekhar Sarukkai, chief scientist at Skyhigh. "Detection and protection from attacks on these 'weakest link' accounts require a cloud-native security approach for complete visibility and mitigation."

Once an account is compromised, the attacker exfiltrates any data in the inbox and then creates a new inbox rule designed to hide and divert any incoming messages. From here the attacker can initiate harder to detect in-company phishing attempts and start to propagate infection across the network: "attack a weak-link with the potential for elevated exploits," writes Chandana. He adds, "Since this is a persistent attack that may go unnoticed, it is possible that the attackers may tailor the payload based on the organization they have infiltrated for a larger takeover over time."

The accounts targeted are carefully chosen: system accounts rather than people accounts. Such accounts tend to have two important characteristics: they have high access privileges, and poor protection.

"We have worked with our customers," Skyhigh's chief European spokesperson Nigel Hawthorn told SecurityWeek, "and seen that the attackers have used service accounts (like the ones used for user provisioning in larger enterprises), automation accounts (like the ones used to automate data and system backups), machine accounts (like the ones used for applications within data centers), marketing automation accounts (like the ones used for marketing and customer communication), internal tools accounts (like the ones used with JIRA, Jenkins, GitHub etc.), in addition to accounts set up for distribution lists and shared and delegated mailboxes."

The targeted account names have probably been guessed (eg, CRMlink@domain), or filtered from stolen credential lists published on the darknet.

Skyhigh detected the attacks when its machine learning anomaly detection engine detected anomalous access locations defying standard behavioral patterns across multiple customers. "As the number of these anomalous accesses increased, Skyhigh's threat funnel correlated multiple of these access attempt anomalies into threats." It analyzed billions of O365 events across hundreds of customers.

However, although this attack was detected on Skyhigh customers, it is not a Skyhigh-specific problem. "We found that over 50 percent of our customers are being attacked," Hawthorn told SecurityWeek, "and I think it is fair to assume that 50 percent of all large Office 365 customers are being attacked even if they are not Skyhigh customers."

The 83 recognized attacking IP addresses have been fed back to the researchers that compile and publish lists of known bad IP addresses. None of them were already included on the lists. Some companies still rely on these lists to block individual IPs, "But," suggests Hawthorn, "it's a bit of a game of whack-a-mole to try to do this and keep up with every address, as the bad actors can move IP addresses in seconds. The best way to address it is with user behavioral analysis and machine learning that indicates unusual traffic patterns going to/from your cloud services and is able to respond to a fluid situation."
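Both KnockKnock write-ups (the Security Affairs piece above and this one) make the same detection point: a per-account lockout or failure threshold never fires on three to five attempts, so the usable signals are a single source touching many accounts, a success on an account from a source that has been failing elsewhere, and the inbox rule created right after takeover. The following Python is an added example (not Skyhigh's engine) running those three checks over constructed sign-in and mailbox-audit events. The audit field names (`Operation`, `UserId`, `Parameters`, `New-InboxRule`, `ForwardTo`, `DeleteMessage`) mirror Exchange Online audit records and New-InboxRule parameters but are assumptions for this example, and every account, IP address and threshold is constructed.

```python
"""Low-and-slow spray detection and inbox-rule tampering detection (added
example, not Skyhigh's engine). Runs over constructed events."""
from collections import defaultdict

# Constructed sign-in events: (timestamp, account, source_ip, outcome).
SIGNIN_EVENTS = [
    # ordinary user: one typo then success from the usual address
    ("2017-09-01T08:00:00", "alice@corp.example", "203.0.113.10", "fail"),
    ("2017-09-01T08:00:20", "alice@corp.example", "203.0.113.10", "success"),
    # slow spray: each bot touches several service accounts, one try each, spread out
    ("2017-09-01T09:10:00", "backup-svc@corp.example", "198.51.100.5", "fail"),
    ("2017-09-01T09:40:00", "jira-bot@corp.example", "198.51.100.5", "fail"),
    ("2017-09-01T10:15:00", "crmlink@corp.example", "198.51.100.5", "fail"),
    ("2017-09-01T11:00:00", "backup-svc@corp.example", "198.51.100.77", "fail"),
    ("2017-09-01T11:30:00", "jira-bot@corp.example", "198.51.100.77", "fail"),
    ("2017-09-01T11:45:00", "mailer@corp.example", "198.51.100.77", "fail"),
    ("2017-09-01T12:05:00", "crmlink@corp.example", "198.51.100.77", "success"),
]

# Constructed mailbox audit events (field names assumed, see lead-in).
AUDIT_EVENTS = [
    {"Operation": "New-InboxRule", "UserId": "alice@corp.example",
     "Parameters": {"Name": "Newsletters", "MoveToFolder": "News"}},
    {"Operation": "New-InboxRule", "UserId": "crmlink@corp.example",
     "Parameters": {"Name": ".", "ForwardTo": "drop@attacker-placeholder.example",
                    "DeleteMessage": "True", "MarkAsRead": "True"}},
]

# Rule actions that divert or destroy mail; a takeover rule uses one of these.
RISKY_RULE_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "DeleteMessage"}


def detect_spray(events, min_accounts=3):
    """Sources that failed against at least `min_accounts` distinct accounts.
    Per-account counting would see only 1-2 failures each and stay silent."""
    failed = defaultdict(set)
    for _, account, ip, outcome in events:
        if outcome == "fail":
            failed[ip].add(account)
    return {ip: sorted(accts) for ip, accts in failed.items() if len(accts) >= min_accounts}


def detect_takeovers(events, spray_sources):
    """Accounts that signed in successfully from a flagged spray source:
    the strongest signal that one of the guesses landed."""
    return sorted({acct for _, acct, ip, outcome in events
                   if outcome == "success" and ip in spray_sources})


def detect_suspicious_rules(audit_events):
    """Inbox rules created or changed with a forwarding or delete action."""
    hits = []
    for ev in audit_events:
        if ev.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
            continue
        risky = sorted(set(ev.get("Parameters", {})) & RISKY_RULE_PARAMS)
        if risky:
            hits.append((ev["UserId"], risky))
    return hits


if __name__ == "__main__":
    sources = detect_spray(SIGNIN_EVENTS)
    print("spray sources:", sources)
    print("likely takeovers:", detect_takeovers(SIGNIN_EVENTS, set(sources)))
    print("risky inbox rules:", detect_suspicious_rules(AUDIT_EVENTS))
```

The checks are deliberately keyed on the attacker's constraint rather than on IP reputation: the article notes none of the 83 addresses were on any blocklist, and Hawthorn's whack-a-mole remark is why a source-to-many-accounts view, combined with MFA on the service accounts themselves, ages better than a denylist.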


New Rowhammer Attack Bypasses Existing Defenses
6.10.2017 securityweek
Attack
A group of security researchers has discovered a new type of attack that can exploit the Rowhammer vulnerability in DRAM chips that was uncovered several years ago, effectively bypassing existing defenses.

In a newly published paper (PDF), eight researchers from Graz University of Technology, the University of Pennsylvania (and University of Maryland), and University of Adelaide reveal attack methods that can allegedly bypass even a combination of defenses against Rowhammer.

In March 2015, Google demonstrated that the Rowhammer bug affects some dynamic random-access memory (DRAM) chips and can be exploited to gain kernel privileges on Linux systems. Although initially discovered in 2012, the issue was not documented until 2014.

Memory cells, which are arranged in a grid pattern of rows and columns, are smaller and placed closer together in newer DRAM chips, which have become smaller in size. Thus, it is more difficult to prevent cells from electrically interacting with each other, and repeatedly accessing a row of memory can cause data to become corrupt in nearby rows.

In July 2015, a team of researchers from Austria and France demonstrated that Rowhammer can be exploited remotely using JavaScript. Although the researchers hadn’t developed a full root exploit at the time, they did warn that malicious actors could adapt Rowhammer exploits to gain root privileges.

Late last year, a team of researchers proposed two software-based mitigation techniques, claiming that they can even work against single-sided attacks. One is a bootloader extension to detect and disable vulnerable memory, while the other ensures that there is at least one row of memory between the row controlled by the attacker and the row storing the targeted data.

The newly published research paper proposes a novel attack technique called one-location hammering, which doesn’t target multiple DRAM rows, but focuses on keeping only one DRAM row constantly open. The exploitation technique, opcode flipping, can bypass isolation mechanisms by flipping bits in a predictable and targeted way in userspace binaries, the researchers say.

“We replace conspicuous and memory-exhausting spraying and grooming techniques with a novel reliable technique called memory waylaying. Memory waylaying exploits system-level optimizations and a side channel to coax the operating system into placing target pages at attacker chosen physical locations,” the researchers explain.

By abusing Intel SGX, the team also managed to hide the attack from the user and the operating system, thus evading all detection attempts. According to the paper, the abused Rowhammer enclave can be leveraged both for denial of service attacks in the cloud and for privilege escalation on personal computers.

The new method, the paper reveals, can evade all existing defenses, including static analysis, monitoring of CPU performance counters, monitoring of unusual high-frequency memory access patterns, preventing abuse of memory exhaustion, and using memory allocator to physically isolate user and kernel memory cells.


A new Ethereum ICO was hacked, the victim is Etherparty
4.10.2017 securityaffairs
Attack

The Etherparty website is the last victim in order of time of a cyber attack involving an Ethereum ICO (Initial Coin Offering).
Another hack involving an Ethereum ICO (Initial Coin Offering) made the headlines; the victim is the Etherparty website, which sells tokens for a blockchain-based smart contract tool. The attackers replaced the legitimate address for sending funds to buy tokens with a fraudulent one they controlled.

Etherparty is a platform for creating smart contracts on the blockchain.

Etherparty launched its Fuel token sale on October 1 at 9 A.M. PDT, but just 45 minutes later attackers hacked into the ICO website and replaced the wallet address, hijacking cryptocurrency sent by investors.

According to Etherparty, its staff detected the hack after 15 minutes and immediately took the ICO website down for nearly an hour and a half, preventing more investors from sending funds to the attackers’ wallet.

The website, hosted on a new server, went online at 11:35 A.M. PDT.
The website displays the following message to investors:

“Always check the URL and verify the contract address before sending ETH to any ICO.”

At the time of writing, the exact amount of cryptocurrency stolen by the hackers is unclear; the company has assured that it will compensate “any affected contributors, with its proprietary FUEL token, prior to the temporary website shutdown at 10 A.M. PDT.”

“One hour after the ICO officially went live, the company identified a security issue, caused by a fraudulent contribution address, and temporarily shut down the website to protect all participants.” reads the press release published by the company on Medium.

“Etherparty’s site was later restored after the issue was resolved at 11:35 A.M. PDT, after going offline for 90 minutes. The blockchain company has promised to compensate any affected contributors, with its proprietary FUEL token, prior to the temporary website shutdown at 10 A.M. PDT.”


The Etherparty ICO is still ongoing and it will be open until October 29, 2017. According to the company, the ICO had a great start “selling over 10,000,000 FUEL tokens in the first hour.” The company sold more than 400,000,000 FUEL tokens before the official launch in the pre-sale.

“Our team has been consistently and successfully thwarting potential security issues to avoid further escalation,” Etherparty Founder Lisa Cheng said. “However, we do acknowledge and apologise for the temporary disruption to our otherwise successful launch day. Etherparty is eager and committed to compensating all affected contributors for the inconvenience.”

This is only the latest in a series of ICO hacks; previous attacks include:
$471,000 worth of Ethereum stolen in the cyber attack that hit the Enigma Project
$8.4 million worth of Ethereum stolen during Veritaseum’s Initial Coin Offering (ICO)
$7 million worth of Ether stolen in the hack of startup CoinDash’s ICO
In response to the string of incidents, the US Securities and Exchange Commission (SEC) issued an official warning about the risks of ICOs; meanwhile, China has already announced a ban on all ICOs across the country.


Many Companies Unprepared for DNS Attacks: Survey
3.10.2017 securityweek
Attack
Many companies are not prepared to deal with DNS attacks, and a quarter of the ones that have already been hit reported significant losses, according to a survey conducted by Dimensional Research on behalf of network security firm Infoblox.

Attacks on Domain Name System (DNS) services can have serious consequences, as demonstrated by the attack on Dyn last year. The attack, powered by the Mirai botnet, led to service disruptions for several major websites, including Twitter, GitHub, Etsy, Soundcloud, PagerDuty, Spotify and Airbnb.

The study from Dimensional Research and Infoblox, based on a survey of over 1,000 IT and security professionals worldwide, revealed that 3 out of 10 companies have already experienced DNS attacks and that in most cases the attack resulted in downtime.

While more than half of the attacks resulted in a downtime of less than one hour, in 6% of cases the downtime lasted for between 8 and 24 hours, and some victims even reported service disruptions that lasted more than one day.

As for the financial losses caused by DNS attacks, 3% of respondents said they had lost more than $1 million, and nearly a quarter reported losses exceeding $100,000.

The research has not found any link between the type of DNS service used and the risk of attacks. Companies that used a cloud DNS service, a third-party service or their own service were attacked at roughly the same rate.

According to the report, 22% of companies don’t have a backup DNS service, and 63% of them are not capable of defending against all common DNS attacks, such as hijacking, exploits, cache poisoning, protocol anomalies, reflection, NXDomain and amplification.

Nearly one-third of the 1,000 respondents said they were not confident their company could handle a DNS attack. However, the Dyn incident has had a clear impact on how DNS attacks are seen, causing one-third of firms to change their DNS security strategy.

The survey showed that only 11% of companies have security teams managing DNS, while in most cases the service is handled by IT infrastructure or operations teams. Nearly 90% of respondents complained that their DNS solutions failed to alert them of an occurring DNS attack.

“DNS attacks are likely to continue and increase, given that attacks have been extremely successful by impacting the target business 93 percent of the time. This success rate reveals that companies are vulnerable today with substandard DNS tools that are incapable of defending against common DNS attacks or properly alerting teams when they are under siege,” reads the report.


Imperva Report Q2 2017 - Over 75% of DDoS targets were hit multiple times
3.10.2017 securityaffairs
Attack

According to Imperva’s DDoS report, over 75% of targets were hit multiple times in Q2 2017, while the percentage was only 43.2% in the same period of 2016.
Imperva published its Global DDoS Threat Landscape for Q2 2017; the report shows an increase in the number of persistent application layer DDoS attacks over a one-year period.

“We also saw an increase in the frequency of repeat application layer attacks. In total, 75.8 percent of target websites were hit by repeat assaults, the largest percentage we have on record. This was especially true for US based websites, 80.3 percent of which suffered multiple assaults. Moreover, of the 45 targets that suffered 50 or more attacks, 34 were hosted in the US.” states the report.

The researchers observed 973 application layer attacks per week in Q2

The number of application layer attacks observed each week reached 973 in Q2 2017, a slight decrease from the previous quarter, when Imperva observed 1,099 attacks per week.

The number of mitigated network assaults also decreased, by 51%, falling from 296 per week in Q1 to 196 per week in Q2.

The largest network layer DDoS attack mitigated by Imperva in Q2 peaked at 350 Gbps. It was a so-called pulse wave attack that hit the target with alternating high-volume bursts; the time between pulses is likely used to mount a secondary assault on a different target.

The researchers observed a significant increase in attack complexity: multi-vector DDoS attacks accounted for 40.5 percent of all network layer DDoS assaults, up from 29 percent in Q1.

Experts continue to observe short burst network layer attacks; 91.7% of them lasted less than an hour. Such attacks were mostly launched by botnet-for-hire services, with pulse wave attacks and probing attempts being the other principal causes of the DDoS assaults.

The longest attack of Q2 2017 lasted for more than 147 hours, while 82.5% of attacks lasted less than 30 minutes.

“The largest application layer attack this quarter peaked at 89,134 RPS, which was significantly smaller than last quarter’s 176,393 RPS attack. This quarter’s attack, however, lasted for 48 days, more than twice as long as the one in Q1 2017.” continues the report.

During Q2 2017, 57.4% of all application layer assaults lasted for less than 30 minutes, while 7.4% of attacks lasted more than six hours and 1.7% lasted longer than 24 hours.

The most targeted country is the US: assaults against the U.S. accounted for 79.7% of all attacks, while China remained the top attacking country.

“China was responsible for 63 percent of attack traffic, once again topping our list of attacking countries. The US (6.4 percent) came in second. Turkey (2.1 percent), Ukraine (1.9 percent) and India (1.8 percent) respectively came in third, fourth and fifth place after each saw a significant increase in DDoS attack traffic originating from their territories.” concludes the report.


UK National Lottery knocked offline by a DDoS attack on Saturday
3.10.2017 securityaffairs
Attack

The UK National Lottery was knocked offline by a DDoS attack on Saturday; experts speculate that the Phantom Squad group was involved.
On Saturday, a DDoS attack knocked the UK National Lottery offline, preventing Britons from buying tickets on the www.national-lottery.co.uk website or through its associated app.

According to DownDetector reports, thousands of angry gamblers were unable to participate in the Lottery.

The National Lottery apologized to customers unable to use its online services.

The National Lottery (@TNLUK) wrote on Twitter at 8:01 PM on Sep 30, 2017:

“We're very sorry that many players are currently unable to access The National Lottery website or app. Our 46,000 retailers are unaffected.”

The National Lottery confirmed that the outage was caused by a major distributed denial-of-service (DDoS) attack, but it hasn’t provided further details about the incident.

It is still unclear who is behind the attack and if the attackers attempted to blackmail the National Lottery.

Experts speculate that the DDoS attack was launched by the hacker group “Phantom Squad”, which sent threatening emails earlier this month warning of DDoS attacks on Saturday, September 30, 2017 unless a ransom was paid.

Phantom Squad has launched several cyber attacks against firms in the gaming industry. In 2015 the hackers targeted Electronic Arts and Steam; in 2016 the group and PoodleCorp hit the Steam and Origin servers.

The gaming industry is particularly exposed to DDoS attacks, which can cause serious damage, and criminals are well aware of this exposure.

“DDoS attackers are only too aware that the online gaming and gambling industry are particularly reliant on their websites remaining accessible, and have no qualms about harnessing botnets to launch denial-of-service attacks to bring services to their knees.” reads a blog post published by ESET.

The incident demonstrates that the UK National Lottery, even though it is an obvious target for hackers, lacks adequate countermeasures to mitigate the threat.


Three in Four DDoS Targets Hit Multiple Times: Imperva
2.10.2017 securityweek
Attack
Amid an increase in frequency of repeat application layer distributed denial of service (DDoS) attacks during the second quarter of the year, over 75% of targets were hit multiple times, according to statistics from Imperva.

The company’s Global DDoS Threat Landscape for Q2 2017 shows an increase in the number of persistent application layer assaults over a one-year period. Thus, while only 43.2% of targets were subjected to multiple attacks in the second quarter of 2016, the percentage increased to 75.8% during the same three-month window this year.

The number of application layer attacks observed each week has reached 973 in Q2 2017, down from 1,099 per week in the previous quarter. The number of mitigated network assaults decreased as well, falling from 296 per week in the prior quarter to only 196 per week.

The largest network layer attack that Imperva mitigated during the quarter peaked at 350 Gbps (gigabit per second) and employed a new tactic called a pulse wave attack. First described in August, this method of launching DDoS attacks can be used to pin down multiple targets with alternating high-volume bursts.

Imperva’s report also reveals that United States websites were hit the most with repeat application layer attacks. While the global percentage of targets hit multiple times is 75.8%, it reaches 80.3% when U.S. websites are considered. Furthermore, the majority of targets that suffered 50 or more attacks were hosted in the US.

Multi-vector attacks went down significantly during the quarter, to only 21.7%, after reaching a record high 40.5% during the previous quarter. The decrease, Imperva says, can be attributed to the steep drop in 2-vector assaults, which fell from 33.5% to 9.4% quarter over quarter. 78.3% of all attacks consisted of a single vector, the company reveals.

The quarter also marked a continuation of a trend toward short burst network layer attacks (91.7% of assaults lasted less than an hour). Most of these attacks can be attributed to botnet-for-hire, but pulse wave assaults and probing attempts also added to the numbers. Overall, 82.5% of attacks lasted less than 30 minutes, while the longest attack of Q2 2017 lasted for more than 147 hours.

The largest application layer attack observed during the quarter peaked at 89,134 requests per second, which was merely half of the 176,393 RPS attack registered during the previous quarter. On the other hand, the attack lasted for 48 days, more than twice as long as the one in Q1 2017.

During Q2 2017, 57.4% of all application layer assaults lasted for less than 30 minutes, while the number of persistent attacks increased, with 7.4% of attacks lasting more than six hours and 1.7% being longer than 24 hours.

According to Imperva, the number of primitive bots grew from 90.4% in Q1 to 97.9% in Q2, which reflects an increase in non-sophisticated application layer attacks typically associated with botnet-for-hire services.

Attacks against the U.S. accounted for 79.7% of all attacks, although the country was home to only 61.4% of targets. According to Imperva’s report, 38% of DDoS targets in the U.S. were exposed to six or more DDoS attacks in the span of the quarter.

China remained the top attacking country, with more than 360,000 attacking devices and 63% of attack traffic. Imperva also reports an increase in attack traffic out of Turkey, Ukraine and India.


‘Illusion Gap’ attack method bypasses Windows Defender and executes malware
29.9.2017 securityaffairs
Attack

Researchers have developed an attack method dubbed Illusion Gap that bypasses Windows Defender and allows malware to avoid antivirus detection.
Researchers from security firm CyberArk have devised a new technique dubbed ‘Illusion Gap’ that allows attackers to bypass Windows Defender.

The technique leverages the fact that Windows Defender detection can be bypassed by tricking the antivirus into scanning a different file than the one actually executing.

The technique affects the scanning process over SMB shares. The experts explained that antivirus solutions typically detect the execution of an executable file through a kernel callback (nt!PspCallProcessNotifyRoutines and nt!PsCallImageNotifyRoutines) and then scan the file, usually with a user-mode agent.

The Illusion Gap attack may also affect other antivirus and defense solutions that the experts have not yet tested.

If the executable file is already present on disk, the antivirus will not scan it on process creation because it has already scanned it on file creation. However, running an executable from an SMB share triggers an antivirus scan of the file even on process creation.

The researchers demonstrated that a possible attack method consists of tricking the antivirus into scanning a different file than the one actually executing.

To ensure that one file is served to the Windows PE Loader and another to Windows Defender, the researchers used a custom implemented SMB server.

“We want to serve different files, one for Windows PE Loader and another for the Windows Defender Antivirus over SMB. We can achieve that using a custom implemented SMB server.” reads the analysis published by the experts. “When a process creation is made by Windows PE Loader, a request will be made to the SMB server for the executable file, and we will serve file A, which is malicious. When Windows Defender requests the executed file, we will serve file B, which is benign. This way, file B will be scanned while file A will be executed. But at first, we have to identify which request is made by whom.”

To bypass the Windows Defender, an attacker would need to implement the SMB protocol and create a “pseudo-server” that is able to discriminate between Windows Defender requests and normal ones.

“In order to abuse Windows Defender, an attacker would have to implement the SMB protocol and create a “pseudo-server” that can differentiate Windows Defender’s request from normal requests. For instance, decline the oplock request and return STATUS_OPLOCK_NOT_GRANTED. This will fail the scan and the malicious file will just execute without any interruptions:”

It is possible to have the same effect by blocking all handle creation requests with the impersonation level SEC_IDENTIFY.

CyberArk reported the ‘Illusion Gap’ attack to Microsoft, but the tech giant doesn’t consider it a security vulnerability.

“Based on your report, successful attack requires a user to run/trust content from an untrusted SMB share backed by a custom server that can change its behavior depending on the access pattern. This doesn’t seem to be a security issue but a feature,” reads Microsoft’s response to CyberArk Labs’ findings on Illusion Gap.


"Illusion Gap" Attack Bypasses Windows Defender
28.9.2017 securityweek
Attack
Windows Defender detection can be bypassed by tricking the antivirus application into scanning a different file or nothing at all, CyberArk Labs reveals.

The technique, which affects the scanning process over SMB shares, allows any malware to bypass Windows Defender and possibly other antivirus applications, researchers from CyberArk say.

Antivirus applications typically catch the execution of an executable file by a kernel callback and then scan the file, usually by requesting the user-mode agent to do so. The operation is different for executables already on the disk compared to those from an SMB share, the researchers explain.

If the executable file is already located on the hard drive, the antivirus won’t scan the process creation, because it scanned the file creation. However, the antivirus would scan the process creation when the executable is run directly from an SMB share, the security researchers explain.

One of the attack vectors involves tricking the antivirus into scanning a different file than the one actually executing. To ensure that one file is served to the Windows PE Loader and another to Windows Defender, a custom implemented SMB server is used.

Thus, when the process creation is made by Windows PE Loader and a request is made to the SMB server for the executable file, a malicious file is delivered. However, when Windows Defender requests the executed file, a benign file is served to ensure that the antivirus doesn’t stop the execution.

Thus, to abuse Windows Defender, an attacker would simply need to implement the SMB protocol and create a “pseudo-server” capable of differentiating between normal requests and those coming from Windows Defender.

One example, the researchers say, would be to decline the oplock request and return STATUS_OPLOCK_NOT_GRANTED, which would result in the scan failing and the malicious file being executed without interruptions. By blocking all handle creation requests with the impersonation level SEC_IDENTIFY one can also block the antivirus from scanning the file.

The attack is possible because the SMB protocol offers transparent integration into Windows, meaning that “accessing a remote file is performed like accessing a local file.” Thus, an attacker would need to create a handle to the file and then perform any operations using specific functions. However, replacing the file is possible for each operation, the researchers say.

CyberArk has contacted Microsoft to report the attack, but the company apparently doesn’t view the issue as a security vulnerability. In fact, the tech giant considers that the various special conditions required to trigger the bypass can be seen as a feature.

“Based on your report, successful attack requires a user to run/trust content from an untrusted SMB share backed by a custom server that can change its behavior depending on the access pattern. This doesn’t seem to be a security issue but a feature,” Microsoft reportedly told CyberArk.
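Since Illusion Gap, as described in both reports above, only applies when an executable is launched directly from an SMB share, one practical defender-side check is to review process-creation telemetry for image paths that are UNC paths to servers outside an approved list. The following is an added example, not CyberArk’s or Microsoft’s code; the Sysmon-style event lines, field names, allowlist and host names are constructed for illustration.

```python
"""Flag process creations whose image was launched from an SMB share.

Added defender-side example (not CyberArk's or Microsoft's code). Illusion Gap
only works when an executable is run directly from an SMB share, so a basic
control is to review process-creation telemetry for UNC image paths that point
at servers outside an approved list. The event format, field names, allowlist
and host names below are constructed for illustration.
"""
import json
import re
from typing import Iterable, List, Optional

# Constructed allowlist of internal file servers (assumption for this example).
APPROVED_SERVERS = {"fs01.corp.example", "fs02.corp.example"}

# Matches \\server\share\... and the long form \\?\UNC\server\share\...
_UNC_RE = re.compile(
    r"^(?:\\\\\?\\UNC\\|\\\\)(?P<host>[^\\]+)\\(?P<share>[^\\]+)\\",
    re.IGNORECASE,
)

# Constructed Sysmon-style ProcessCreate events (EventID 1), one JSON object per
# line; the EventID 3 line and the malformed line are there to be skipped.
SAMPLE_EVENTS = r'''
{"EventID": 1, "UtcTime": "2017-09-28 10:02:11", "User": "CORP\\alice", "Image": "C:\\Windows\\System32\\notepad.exe"}
{"EventID": 1, "UtcTime": "2017-09-28 10:05:40", "User": "CORP\\alice", "Image": "\\\\fs01.corp.example\\tools\\putty.exe"}
{"EventID": 3, "UtcTime": "2017-09-28 10:06:02", "User": "CORP\\alice", "Image": "C:\\Program Files\\Browser\\browser.exe"}
{"EventID": 1, "UtcTime": "2017-09-28 10:07:03", "User": "CORP\\bob", "Image": "\\\\203.0.113.45\\public\\update.exe"}
{"EventID": 1, "UtcTime": "2017-09-28 10:09:55", "User": "CORP\\bob", "Image": "\\\\?\\UNC\\share.example.net\\drop\\a.exe"}
not valid json
'''


def unc_host(image_path: str) -> Optional[str]:
    """Return the lower-cased server name if image_path is a UNC path, else None.

    Forward slashes are normalised because the Windows loader accepts them too.
    """
    match = _UNC_RE.match(image_path.replace("/", "\\"))
    return match.group("host").lower() if match else None


def classify(event: dict) -> str:
    """Classify one ProcessCreate event as 'local', 'approved-share' or 'untrusted-share'.

    Caveat: an executable launched through a mapped drive letter shows up with a
    local-looking path here, so drive mappings must be resolved separately.
    """
    host = unc_host(event.get("Image", ""))
    if host is None:
        return "local"
    return "approved-share" if host in APPROVED_SERVERS else "untrusted-share"


def find_untrusted_share_executions(lines: Iterable[str]) -> List[dict]:
    """Parse JSON event lines and return the ProcessCreate events run from untrusted shares."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed telemetry line: skip it rather than abort the sweep
        if event.get("EventID") != 1:
            continue  # only process-creation events matter for this check
        if classify(event) == "untrusted-share":
            hits.append({
                "time": event.get("UtcTime"),
                "user": event.get("User"),
                "host": unc_host(event["Image"]),
                "image": event["Image"],
            })
    return hits


if __name__ == "__main__":
    for hit in find_untrusted_share_executions(SAMPLE_EVENTS.splitlines()):
        print(f"{hit['time']} {hit['user']} ran {hit['image']} from untrusted server {hit['host']}")
```

On the constructed sample, the two launches from 203.0.113.45 and share.example.net are reported, while the launch from the approved fs01.corp.example server and the local notepad.exe are not.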


Flaws Expose FLIR Thermal Cameras to Remote Attacks
27.9.2017 securityweek
Attack
Researchers have disclosed the details of several potentially serious vulnerabilities affecting thermal security cameras from FLIR Systems, said to be the world’s largest provider of thermal imaging cameras, components and imaging sensors.

The flaws were discovered by Gjoko Krstic of Zero Science Lab and were disclosed over the weekend by Beyond Security. The issues were reported to FLIR on June 27 and while the company responded to Beyond Security’s emails, it did not provide an estimated date for workarounds or patches.

Krstic found various types of vulnerabilities in FLIR’s FC-Series S, FC-Series ID and PT-Series thermal security cameras, including information disclosure, authenticated and unauthenticated remote code execution, and hardcoded credentials issues. The researcher also found a vulnerability that allows an unauthenticated attacker to access a camera’s live feed.

Proof-of-concept (PoC) requests and code have been made available for each of the vulnerabilities.

A scan via the Internet search engine Censys shows that thousands of FLIR thermal cameras are accessible directly from the Internet, which increases the risk of exploitation for the vulnerabilities identified by Krstic.

The researcher discovered that an attacker can leverage API functionality provided by the FLIR web server to download various files from the FLIR OS. He also noticed that the web server does not check if the user is authenticated when they make a request to see the camera’s live feed, allowing an attacker to gain access to the video stream by sending a simple request.

Specially crafted requests can also be used by authenticated and unauthenticated attackers to execute arbitrary code. These security holes are caused by the lack of proper sanitization for user-controlled input.

Finally, Krstic discovered that the code includes various credentials that provide access to the devices.

Contacted by SecurityWeek, FLIR said it’s evaluating Beyond Security’s advisory and promised to provide an update on its findings once its assessment has been completed.


Cloudflare Announces Unmetered DDoS Mitigation, Geo Key Manager
26.9.2017 securityweek
Attack
Web performance and security solutions provider Cloudflare announced this week that all customers will benefit from unmetered mitigation against distributed denial-of-service (DDoS) attacks, and they will be able to choose where they want their private SSL keys stored.

DDoS protection providers typically ask their customers to pay more and even terminate them if they are hit by a massive attack that may cause disruptions to other customers’ services.

Cloudflare, which claims to have the ability to handle more than 15 terabits per second of DDoS traffic, believes it can now protect a website against attacks of any size while ensuring that other customers are not impacted in any way.

That is why the company has decided that it will not terminate customers or jack up their bill regardless of the size of the attack or the plan they use. Customers that use a paid plan will, of course, have more benefits, but when it comes to volumetric DDoS mitigation, even users of the Free plan will benefit from unlimited and unmetered protection.

“Back in 2014, during Cloudflare's birthday week, we announced that we were making encryption free for all our customers. We did it because it was the right thing to do and we'd finally developed the technical systems we needed to do it at scale. At the time, people said we were crazy. I'm proud of the fact that, three years later, the rest of the industry has followed our lead and encryption by default has become the standard,” Matthew Prince, CEO of Cloudflare, wrote in a blog post.

“I'm hopeful the same will happen with DDoS mitigation. If the rest of the industry moves away from the practice of surge pricing and builds DDoS mitigation in by default then it would largely end DDoS attacks for good. We took a step down that path today and hope, like with encryption, the rest of the industry will follow,” Prince added.

Private key restriction with Geo Key Manager

Cloudflare announced on Tuesday that customers will be able to specify where to store their private SSL keys via a new service called Geo Key Manager.

The company has data centers in more than 55 countries and some of its customers might not be comfortable knowing that the keys to their kingdom are stored on servers physically located in a certain country.

“Even if local governments are to be trusted, organizations may have strong geopolitical-based opinions on security or mandates to adhere to certain regulatory frameworks. That, or they simply may understand there are only so many data centers in the world that can meet our most stringent physical security requirements and controls; as Cloudflare’s network grows, it’s inevitable that we will exhaust these facilities, and thus customers need control over where their keys are held,” explained Cloudflare’s Patrick R. Donahue.

With Geo Key Manager, Cloudflare customers can choose to store their custom certificates only in U.S. data centers, only in E.U. data centers, or only in data centers with the highest security. The downside is that some initial requests will take tens of milliseconds longer to complete compared to allowing the keys to be stored in any Cloudflare data center, an option that provides the best performance.

Cloudflare has pointed out that all its data centers are highly protected against both digital and physical threats, but top tier centers have extra physical security measures, including non-stop security officers, pre-scheduled biometric access, private cages that can be accessed only after passing through 5 checkpoints, and comprehensive interior and exterior security controls and monitoring.

In the near future, Cloudflare Enterprise users may be provided even finer control over where their private keys are stored.


Deloitte targeted by a cyber attack that exposed clients’ secret emails
26.9.2017 securityaffairs
Attack

The accountancy firm Deloitte announced it has been targeted by a sophisticated hack that compromised its global email server.
Today the accountancy giant Deloitte revealed that it has been targeted by a sophisticated hack that compromised the confidential emails and plans of some of its blue-chip clients.

According to The Guardian, which first reported the incident, hackers may have accessed customers’ emails along with usernames, passwords and personal details of the top accountancy firm’s blue-chip clients.

In addition to emails, hackers had potential access to IP addresses, architectural diagrams for businesses and health information.

“The Guardian understands Deloitte clients across all of these sectors had material in the company email system that was breached. The companies include household names as well as US government departments.” reported The Guardian.

“So far, six of Deloitte’s clients have been told their information was “impacted” by the hack. Deloitte’s internal review into the incident is ongoing.”

The newspaper described the breach as a “deep embarrassment” due to the efforts of the firm in the cybersecurity industry.

Deloitte discovered the hack in March this year, and according to The Guardian, the attackers may have had access to the company systems since October or November 2016.

The attackers hacked into the Deloitte global email server through an “administrator’s account” that allowed them to have full access to any area of the accountancy firm.

The Guardian was told an estimated 5m emails were stored in the “cloud” that was accessed by the hackers; Deloitte, however, said the number of emails that were exposed was a fraction of this number.

It seems that the account was poorly protected: the company did not use “two-step” authentication for it.

“Emails to and from Deloitte’s 244,000 staff were stored in the Azure cloud service, which was provided by Microsoft. This is Microsoft’s equivalent to Amazon Web Service and Google’s Cloud Platform.” continues The Guardian.

Deloitte confirmed it immediately notified government authorities and the affected clients of the incident. It also tried to downplay the incident, but in my opinion such incidents are always serious.

“Only very few clients were impacted,” Deloitte said. “No disruption has occurred to client business, to Deloitte’s ability to continue to serve, or to consumers.”

“Deloitte remains deeply committed to ensuring that its cyber-security defenses are best in class, to investing heavily in protecting confidential information and to continually reviewing and enhancing cyber security.”

The newspaper reported that the incident is believed to have been US-focused and that it affected such sensitive information that only a restricted number of Deloitte’s most senior partners and lawyers were informed.

The Guardian has been told the internal inquiry into the security breach has been codenamed “Windham”.

At the time of writing it is still unclear whether the attackers are financially or politically motivated; we cannot exclude that it is the work of an insider.

Let me close with the statement released by a Deloitte spokesman.

“In response to a cyber incident, Deloitte implemented its comprehensive security protocol and began an intensive and thorough review including mobilising a team of cybersecurity and confidentiality experts inside and outside of Deloitte,” a spokesman said.

“As part of the review, Deloitte has been in contact with the very few clients impacted and notified governmental authorities and regulators.

“The review has enabled us to understand what information was at risk and what the hacker actually did, and demonstrated that no disruption has occurred to client businesses, to Deloitte’s ability to continue to serve clients, or to consumers.

“We remain deeply committed to ensuring that our cybersecurity defences are best in class, to investing heavily in protecting confidential information and to continually reviewing and enhancing cybersecurity. We will continue to evaluate this matter and take additional steps as required.

“Our review enabled us to determine what the hacker did and what information was at risk as a result. That amount is a very small fraction of the amount that has been suggested.”

The Guardian pointed out that the company presents itself as a leader in cyber security consultancy, and I hope for their sake that they have adopted the necessary measures to avoid such incidents.

“Cyber risk is more than a technology or security issue, it is a business risk,” Deloitte tells potential customers on its website.

“While today’s fast-paced innovation enables strategic advantage, it also exposes businesses to potential cyber-attack. Embedding best practice cyber behaviours help our clients to minimise the impact on business.”

Deloitte has a “CyberIntelligence Centre” to provide clients with “round-the-clock business focussed operational security”.


Attack on Software Firm Was Sophisticated, Highly Targeted
21.9.2017 securityweek
Attack
A recently disclosed breach at Avast-owned Piriform, makers of the popular software utility CCleaner, was a highly targeted attack performed by a sophisticated actor, Avast and Cisco security researchers have discovered.

Revealed on Monday, the compromise supposedly happened in early July, before Avast completed the purchase of Piriform. Hackers modified the 32-bit CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 releases to add backdoor code to them to collect user information. The modified binaries were up for download between August 15 and September 12, and resulted in over 2 million users downloading a malicious version.

The infected installers were discovered by Morphisec, which alerted Avast on September 12. Within 72 hours, the command and control (C&C) server where the malicious code sent information was taken down and clean versions of CCleaner were being pushed to users.

While initially insisting that the compromise was addressed before any harm was done to users, Avast on Wednesday confirmed that this was in fact a highly targeted attack and that a secondary payload was executed on some of the impacted systems.

Analysis of the logs found on the C&C server revealed that 20 machines in a total of 8 organizations received the second-stage payload. However, the logs only covered just over three days, and the actual number of machines that received the payload could be in the hundreds, Avast says.

The security firm wouldn’t reveal the names of targeted organizations, but says that these were “select large technology and telecommunication companies in Japan, Taiwan, UK, Germany and the US.” This clearly means that most of the CCleaner users weren’t of interest to the attackers.

According to Cisco Talos researchers, the list of domains the attackers were attempting to target includes the sites of high-profile technology companies such as Singtel, HTC, Samsung, Sony, Intel, Microsoft, Cisco, O2, Vodafone, Akamai, among others. Cisco also disclosed that the attackers “were specifically controlling which infected systems were actually delivered a stage 2 payload.”

Attackers controlled payload delivery

“The server implemented a series of checks to determine whether to proceed with standard operations or simply redirect to the legitimate Piriform website,” Cisco explains.

On the server, the researchers also found a PHP file that defines core variables and operations used, which specifies the time zone as being People's Republic of China (PRC). This, however, shouldn’t be relied on for attribution, the researchers say.

Analysis of the server also revealed what type of information attackers gathered from the infected systems: OS version, architecture information, whether the user has administrative rights, hostname and domain name, a list of software installed on the machine, and currently running processes on the machine. The system information is stored in a MySQL database.

The database revealed that 700,000 machines reported to the C&C server between Sept. 12 and Sept. 16, but only around 20 machines received the second-stage payload. The researchers also determined that 540 government systems around the world were affected by the attack, and that 51 compromised systems belonged to domains containing the word 'bank'.

However, Cisco also points out that the target list was changed while the server was active. The actor apparently had the ability to add or remove domains from the target list, based on the environments or organizations they chose to target. The server also held functionality responsible for loading and executing the second stage payload.

“During the compromise, the malware would periodically contact the C&C server and transmit reconnaissance information about infected systems. This information included IP addresses, online time, hostname, domain name, process listings, and more. It's quite likely this information was used by the attackers to determine which machines they should target during the final stages of the campaign,” the researchers say.

Sophisticated stage 2 payload

Heavily obfuscated and using anti-debugging and anti-emulation tricks, the stage 2 payload was found to be a complex piece of code that uses two components (DLLs). One is responsible for persistence, while the other contains the main business logic, mostly related to connecting to another C&C. The server address, which can be arbitrarily modified in the future, can be determined using an account on GitHub, an account on Wordpress, and a DNS record of a domain.

Cisco explains that the stage 2 installer is GeeSetup_x86.dll, which checks the OS version and drops the required version of a Trojanized tool. On x86 systems, it uses a Trojanized TSMSISrv.dll, which drops VirtCDRDrv, thus matching the filename of a legitimate Corel executable. On x64 systems, it uses a Trojanized EFACli64.dll file named SymEFA, similar to a legitimate executable in Symantec Endpoint.

The researchers discovered that the code would patch a legitimate binary to package the malware, and that an encoded PE is put in the registry. The Trojanized binary is meant to decode and execute the PE, which performs queries to additional C&C servers and executes in-memory PE files. Because executables aren’t stored directly on the file system, detection could prove complicated.

“Talos has reviewed claims from Kaspersky researchers that there is code overlap with malware samples known to be used by Group 72. While this is by no means proof in terms of attribution, we can confirm the overlap and we agree that this is important information to be considered,” the researchers continue.

Thorough cleanup necessary

Cisco points out that, while updating to the latest versions of CCleaner would ensure that the backdoor code in the installer is removed, further action might be required to remove additional malware that could be present on the system. Thus, they reinforce their previous recommendation that impacted users should restore their systems from backups or reinstall the operating system completely.

Avast, on the other hand, recommends updating to CCleaner version 5.35, as the digital certificate used to sign the infected version 5.33 has been revoked. The company also recommends that consumers use an anti-malware application.

“For corporate users, the decision may be different and will likely depend on corporate IT policies. At this stage, we cannot state that the corporate machines could not be compromised, even though the attack was highly targeted,” the security firm notes.

“Supply chain attacks seem to be increasing in velocity and complexity. Unfortunately, security events that are not completely understood are often downplayed in severity. This can work counter to a victim's best interests. Security companies need to be conservative with their advice before all of the details of the attack have been determined to help users ensure that they remain protected. This is especially true in situations where entire stages of an attack go undetected for a long period of time,” Cisco points out.


New Attack Fingerprints Users Using Word Documents
19.9.2017 securityweek
Attack
A newly detailed attack method leverages Microsoft Word documents to gather information on users, but doesn’t use macros, exploits or any other active content to do so, security researchers at Kaspersky Lab have discovered.

Distributed as attachments to phishing emails, these documents were in OLE2 format and contained links to PHP scripts located on third-party web resources. As soon as a user opens the files in Microsoft Office, the application accesses one of the links, resulting in the attackers receiving information about the software installed on the computer.

An analyzed document contained tips on how one could use Google search more effectively and doesn’t appear to be suspicious, especially since it doesn’t contain active content, embedded Flash objects or PE files. However, as soon as a user opens the document, Word sends a GET request to an internal link.

“This code effectively sent information about the software installed on the victim machine to the attackers, including info about which version of Microsoft Office was installed,” the security researchers say.

The security researchers discovered that the document used an undocumented Word feature based on the INCLUDEPICTURE field. This field indicates that an image is attached to certain characters in the text, but the attackers used it to embed a suspicious link, which was nonetheless not the URL that Word actually requested.

While the text in a Word document is stored in raw form, so-called fields indicate how portions of that text should be presented. A specific byte marks where the raw text ends and the INCLUDEPICTURE field begins; separator and end bytes are also associated with the field.

In the analyzed document, a byte between the separator and the end indicates that an image should be inserted at that point. After locating the byte sequence with the picture placeholder, the researchers determined at which offset in the Data stream the image should be located. At that offset they found a Form rather than an image, and its name was another suspicious link.

Because the link was only an object name, it wasn’t used in any way, but a combination of flags was used to indicate that additional data should be attached to the form. This data, the researchers say, “constitutes a URL that leads to the actual content of the form.”

A ‘do not save’ flag prevented the content from being saved to the actual document when it is opened.

The issue, the Kaspersky researchers say, is that “Microsoft Office documentation provides basically no description of the INCLUDEPICTURE field.” They couldn’t find information on what the data that follows the separator may mean, and how it should be interpreted, which was the main problem when trying to understand how the document was following the URL.
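A defender-side scanner for the field layout described above, added here as an example (not Kaspersky's code): it walks the raw text for begin/separator/end field characters, reports INCLUDEPICTURE fields whose result is only a picture placeholder, and searches a Data stream for URLs stored as 8-bit or UTF-16 text. The sample text and Data stream bytes are constructed, and the byte values used for the field characters and the picture placeholder are an assumption about Word's binary format.

```python
"""Scan a Word document's raw text stream for INCLUDEPICTURE fields and a
Data stream for hidden URLs.  Added example, not Kaspersky's code.  The field
layout follows the article: a begin byte, the field code, a separator byte,
the field result and an end byte.  The byte values below are assumed to be
the ones Word uses for field characters in its binary format."""
import re

FIELD_BEGIN = "\x13"          # start of a field (field code follows)
FIELD_SEP = "\x14"            # separates field code from field result
FIELD_END = "\x15"            # end of the field
PICTURE_PLACEHOLDER = "\x01"  # special character standing in for an inline picture

# Any absolute URL; whitespace, quotes, angle brackets and NUL terminate it.
URL_RE = re.compile(r"(?:https?|ftp)://[^\s\x00\"'<>\\]+", re.IGNORECASE)


def extract_fields(text):
    """Return a list of (field_code, field_result) pairs found in the text.
    A stack handles nested fields; each field is reported on its own."""
    fields = []
    stack = []  # one [code_chars, result_chars, seen_separator] per open field
    for ch in text:
        if ch == FIELD_BEGIN:
            stack.append([[], [], False])
        elif ch == FIELD_SEP and stack:
            stack[-1][2] = True
        elif ch == FIELD_END and stack:
            code_chars, result_chars, _ = stack.pop()
            fields.append(("".join(code_chars).strip(), "".join(result_chars)))
        elif stack:
            code_chars, result_chars, seen_sep = stack[-1]
            (result_chars if seen_sep else code_chars).append(ch)
    return fields


def find_includepicture_fields(text):
    """Report every INCLUDEPICTURE field: its code, any URL in the code, and
    whether the result part holds only a picture placeholder (the shape the
    profiling documents used)."""
    hits = []
    for code, result in extract_fields(text):
        if not code.upper().startswith("INCLUDEPICTURE"):
            continue
        hits.append({
            "code": code,
            "urls": URL_RE.findall(code),
            "placeholder_only": result.strip("\r\n ") == PICTURE_PLACEHOLDER,
        })
    return hits


def find_urls_in_bytes(blob):
    """Find URLs stored either as 8-bit text or as UTF-16LE anywhere in a
    stream; the real target URL lived in the Data stream, not in the field."""
    found = set()
    for encoding in ("latin-1", "utf-16-le"):
        found.update(URL_RE.findall(blob.decode(encoding, errors="ignore")))
    return sorted(found)


def assess_document(text_stream, data_stream):
    """Combine both checks into one verdict for a document."""
    fields = find_includepicture_fields(text_stream)
    data_urls = find_urls_in_bytes(data_stream)
    suspicious = bool(fields) and (bool(data_urls) or any(h["urls"] for h in fields))
    return {"includepicture": fields, "data_stream_urls": data_urls,
            "suspicious": suspicious}


# Constructed sample: harmless-looking text with an INCLUDEPICTURE field whose
# visible code carries a decoy URL (\d is a field switch), and a Data stream
# holding the URL the document would actually request.
SAMPLE_TEXT = (
    "Tips for searching Google more effectively\r"
    + FIELD_BEGIN + ' INCLUDEPICTURE "http://decoy.example/pixel.php" \\d '
    + FIELD_SEP + PICTURE_PLACEHOLDER + FIELD_END
    + "\rUse quotes to search for an exact phrase.\r"
)
SAMPLE_DATA_STREAM = (
    b"\x00" * 16 + "http://tracker.example/collect.php".encode("utf-16-le") + b"\x00\x00"
)

if __name__ == "__main__":
    print(assess_document(SAMPLE_TEXT, SAMPLE_DATA_STREAM))
```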

“This is a complex mechanism that the bad guys have created to carry out profiling of potential victims for targeted attacks. In other words, they perform serious in-depth investigations in order to stay undetected while they carry out targeted attacks,” Kaspersky says.

This Office feature exists in Word for Windows, Microsoft Office for iOS, and Microsoft Office for Android, the researchers discovered. However, LibreOffice and OpenOffice do not have it, meaning that Word documents opened with either of these applications won’t request the malicious link.


Bashware attack, how to run Linux malware on Windows systems
13.9.2017 securityaffairs
Attack

Experts found a new, alarming method dubbed the Bashware attack that allows attackers to silently run malware and bypass even the most common security solutions.
The new Windows 10 feature Windows Subsystem for Linux (WSL) that implements the Linux bash terminal in Microsoft operating system could be exploited by malware to run undetected.

The feature was recently included in beta versions and it will be available for all users in the upcoming Windows 10 Fall Creators Update (FCU), set to be released by Microsoft in October 2017.

According to researchers with security firm Check Point, malware designed for Linux can run undetected on Windows systems.

The new attack technique, dubbed Bashware, allows malicious code to evade detection by antivirus solutions written for Windows; for this reason, it could also be used by Linux malware.

“Existing security solutions are still not adapted to monitor processes of Linux executables running on Windows OS, a hybrid concept which allows a combination of Linux and Windows systems to run at the same time.” reads the analysis published by Check Point. “This may open a door for cyber criminals wishing to run their malicious code undetected, and allow them to use the features provided by WSL to hide from security products that have not yet integrated the proper detection mechanisms.”

Security researchers have demonstrated that the Bashware attack goes undetected by most security solutions; it may potentially affect more than 400 million systems already running Windows 10.

“Bashware is so alarming because it shows how easy it is to take advantage of the WSL mechanism to allow any malware to bypass security products. We tested this technique on most of the leading anti-virus and security products on the market, successfully bypassing them all. This means that Bashware may potentially affect any of the 400 million computers currently running Windows 10 PC globally.” continues the analysis.

According to the experts, the risk is nevertheless limited because the WSL feature is disabled by default and must be explicitly enabled by the Windows user.

Check Point also added that the WSL could be silently enabled in the background, allowing the malware to run.

Microsoft downplayed the risks to end-users because the feature is disabled by default.


BlueBorne: Critical Bluetooth Attack Puts Billions of Devices at Risk of Hacking
12.9.2017 thehackernews
Attack
If you are using a Bluetooth enabled device, be it a smartphone, laptop, smart TV or any other IoT device, you are at risk of malware attacks that can be carried out remotely to take over your device, even without requiring any interaction from your side.
Security researchers have just discovered a total of 8 zero-day vulnerabilities in the Bluetooth protocol that impact more than 5.3 Billion devices—from Android, iOS, Windows and Linux to Internet of Things (IoT) devices—using the short-range wireless communication technology.
Using these vulnerabilities, security researchers at IoT security firm Armis have devised an attack, dubbed BlueBorne, which could allow attackers to completely take over Bluetooth-enabled devices, spread malware, or even establish a "man-in-the-middle" connection to gain access to devices' critical data and networks without requiring any victim interaction.
All an attacker needs is for the victim's device to have Bluetooth turned on and, obviously, to be in close proximity to the attacker's device. Moreover, successful exploitation doesn't even require vulnerable devices to be paired with the attacker's device.
BlueBorne: Wormable Bluetooth Attack

What's more worrisome is that the BlueBorne attack could spread like the wormable WannaCry ransomware that emerged earlier this year and wreaked havoc by disrupting large companies and organisations worldwide.
Ben Seri, head of the research team at Armis Labs, claims that during an experiment in the lab, his team was able to create a botnet network and install ransomware using the BlueBorne attack.

However, Seri believes that it is difficult for even a skilled attacker to create a universal wormable exploit that could find Bluetooth-enabled devices, target all platforms together and spread automatically from one infected device to others.
"Unfortunately, this set of capabilities is extremely desirable to a hacker. BlueBorne can serve any malicious objective, such as cyber espionage, data theft, ransomware, and even creating large botnets out of IoT devices like the Mirai Botnet or mobile devices as with the recent WireX Botnet," Armis said.
"The BlueBorne attack vector surpasses the capabilities of most attack vectors by penetrating secure "air-gapped" networks which are disconnected from any other network, including the internet."
Apply Security Patches to Prevent Bluetooth Hacking
The security firm responsibly disclosed the vulnerabilities to all the major affected companies a few months ago—including Google, Apple, Microsoft, Samsung and the Linux Foundation.
These vulnerabilities include:
Information Leak Vulnerability in Android (CVE-2017-0785)
Remote Code Execution Vulnerability (CVE-2017-0781) in Android's Bluetooth Network Encapsulation Protocol (BNEP) service
Remote Code Execution Vulnerability (CVE-2017-0782) in Android BNEP's Personal Area Networking (PAN) profile
The Bluetooth Pineapple in Android—Logical flaw (CVE-2017-0783)
Linux kernel Remote Code Execution vulnerability (CVE-2017-1000251)
Linux Bluetooth stack (BlueZ) information leak vulnerability (CVE-2017-1000250)
The Bluetooth Pineapple in Windows—Logical flaw (CVE-2017-8628)
Apple Low Energy Audio Protocol Remote Code Execution vulnerability (CVE Pending)
Google and Microsoft have already made security patches available to their customers, while Apple iOS devices running the most recent version of its mobile operating system (that is 10.x) are safe.
“Microsoft released security updates in July and customers who have Windows Update enabled and applied the security updates, are protected automatically. We updated to protect customers as soon as possible, but as a responsible industry partner, we withheld disclosure until other vendors could develop and release updates.” – a Microsoft spokesperson said.
What's worse? All iOS devices with 9.3.5 or older versions and over 1.1 Billion active Android devices running versions older than Marshmallow (6.x) are vulnerable to the BlueBorne attack.
Moreover, millions of smart Bluetooth devices running a version of Linux are also vulnerable to the attack. Commercial and consumer-oriented Linux platform (Tizen OS), BlueZ and 3.3-rc1 are also vulnerable to at least one of the BlueBorne bugs.
Android users need to wait for security patches for their devices, as availability depends on their device manufacturers.
In the meantime, they can install "BlueBorne Vulnerability Scanner" app (created by Armis team) from Google Play Store to check if their devices are vulnerable to BlueBorne attack or not. If found vulnerable, you are advised to turn off Bluetooth on your device when not in use.


Brute Force 900k + Attempts on a New Server
12.9.2017 securityaffairs
Attack

Brute Force Attack Report – This article is going to cover an attack we have had on a new network from the second it was connected to the internet.
Instantly we were collecting data showing the determination of people trying to gain “root” access to our Server.

Our data shows that on 21/August/2017 we had 150,000 failed logon attempts.

We will start by describing the attack type and potential risk involved.

Attack TYPE
Brute force attack, SSH service authentication attack

Brute force (also known as brute force cracking) is a trial and error method used by application programs to decode encrypted data such as passwords or Data Encryption Standard (DES) keys, through exhaustive effort (using brute force) rather than employing intellectual strategies.

[Figure: attempts graph at the time of this report (Failed Logins, last 150 events)]

Attack Origins
As shown in the chart below, 27.1% of the attacks, including the first IP to attempt SSH access, came from China, closely followed by Russia via a botnet attack.

[Figure: attack origins by country]

Duration of The Attack
This attack started on 19/08/2017 and is still ongoing at over 20k attempts per day (Please note this attack is being monitored 24/7 by Frontline Cyber Security Ltd and is against one of our test servers using honey pots).

We are sharing the information we are gathering with Action Fraud to help people detect and defend against future attacks from these IP addresses.

Further details on this attack can be found on our Open Threat Exchange profile via the link below.

https://otx.alienvault.com/pulse/5999a448c8f3d01e51964283/

Risk to Business Explained
If this attack were to target your company servers, the risks are very high, depending on your password strength and server security: at a speed of 1,000,000,000 passwords/sec, cracking an 8-character password composed from 96 characters takes 83.5 days, but recent research presented at Passwords^12 in Norway shows that 8-character passwords are no safer, as they can be cracked in 6 hours.

If they crack your root or admin password they essentially control your server, so please ensure you have protections in place, for example:

Rate Limiting the Login Attempts

Hiding the login page

Using htaccess

Hardware Firewall / IP Tables

Two-factor authentication enabled.
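As an added example (not part of the report above, and not Frontline Cyber Security's tooling), here is the detection logic a login rate limiter relies on, run over constructed sshd auth.log lines, together with the keyspace arithmetic behind the 83.5-day figure. The log lines and the RFC 5737 documentation addresses used as sources are constructed.

```python
"""Detect SSH brute-force sources in sshd auth.log lines and size the
password keyspace the report's figures rest on.  Added example, not
Frontline Cyber Security's code; the log lines are constructed and use
RFC 5737 documentation addresses as attacking sources."""
import re
from collections import defaultdict
from datetime import datetime

# One sshd failure line in syslog format, e.g.
# "Aug 21 03:14:01 host sshd[2210]: Failed password for root from 203.0.113.5 port 41022 ssh2"
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_failures(lines):
    """Return {ip: [(timestamp, user, invalid_user_flag), ...]} for failed logins.
    syslog timestamps carry no year; datetime fills in 1900, which is fine for
    measuring gaps between events within one log."""
    by_ip = defaultdict(list)
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue  # successful logins and other sshd messages are not failures
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        by_ip[m.group("ip")].append((ts, m.group("user"), bool(m.group("invalid"))))
    return by_ip


def brute_force_sources(lines, max_failures=5, window_seconds=60):
    """IPs with at least max_failures failed logins inside any window_seconds span,
    the same condition a rate limiter (a fail2ban sshd jail, say) triggers on."""
    flagged = {}
    for ip, events in parse_failures(lines).items():
        times = sorted(t for t, _, _ in events)
        for i in range(len(times) - max_failures + 1):
            span = (times[i + max_failures - 1] - times[i]).total_seconds()
            if span <= window_seconds:
                flagged[ip] = {"failures": len(times),
                               "users": sorted({u for _, u, _ in events})}
                break
    return flagged


def crack_time_days(charset_size, length, guesses_per_second):
    """Worst-case exhaustive-search time for a password of the given length."""
    return charset_size ** length / guesses_per_second / 86400


# Constructed log excerpt: one source hammering common accounts within seconds,
# one legitimate user who mistyped a password twice hours apart.
SAMPLE_LOG = """\
Aug 21 03:14:01 honeypot sshd[2210]: Failed password for root from 203.0.113.5 port 41022 ssh2
Aug 21 03:14:04 honeypot sshd[2212]: Failed password for invalid user admin from 203.0.113.5 port 41030 ssh2
Aug 21 03:14:07 honeypot sshd[2214]: Failed password for invalid user test from 203.0.113.5 port 41044 ssh2
Aug 21 03:14:11 honeypot sshd[2216]: Failed password for root from 203.0.113.5 port 41051 ssh2
Aug 21 03:14:15 honeypot sshd[2218]: Failed password for invalid user oracle from 203.0.113.5 port 41063 ssh2
Aug 21 03:14:19 honeypot sshd[2220]: Failed password for root from 203.0.113.5 port 41070 ssh2
Aug 21 06:02:44 honeypot sshd[3101]: Failed password for alice from 198.51.100.7 port 50212 ssh2
Aug 21 06:03:10 honeypot sshd[3103]: Accepted publickey for alice from 198.51.100.7 port 50214 ssh2
Aug 21 09:41:55 honeypot sshd[4410]: Failed password for alice from 198.51.100.7 port 50990 ssh2
""".splitlines()

if __name__ == "__main__":
    print(brute_force_sources(SAMPLE_LOG))
    # 96 printable characters, 8 characters long, 1e9 guesses/s -> about 83.5 days
    print(round(crack_time_days(96, 8, 1e9), 1))
```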


MongoDB Tightens Security Amid New Database Attacks

12.9.2017 securityweek Attack
A new series of ransomware attacks targeting MongoDB databases has prompted the company to implement new data security measures.

The new attacks follow a similar pattern to the MongoDB ransack campaign unleashed at the end of 2016 and beginning of 2017, when more than 33,000 MongoDB databases fell to the massacre within weeks. By mid-January, attackers began targeting Hadoop and CouchDB databases, though the campaign didn’t claim as many victims.

Cybercriminals were targeting poorly secured databases that were exposed to the Internet and allowed them to log in and wipe them clean, while leaving ransom notes behind. Attackers claimed to have copied the content of the databases before wiping them, but researchers such as Victor Gevers, chairman of the GDI Foundation, discovered that the attackers didn’t exfiltrate data, but simply erased it.

Three new hacking groups started hitting the MongoDB databases by the end of summer. By September 2, after less than a week of activity, the groups ransacked a total of over 26,000 databases. One group alone claimed over 22,000 of the attacks.

The new incidents, however, don’t represent a new risk, but merely show that hackers have found new targets, MongoDB says. Hackers are targeting misconfigured and unmaintained MongoDB deployments, just as before.

If left exposed to the Internet and without the proper security in place, these databases are bound to fall. Some were left connected to the Internet with no password to the admin account, MongoDB notes in a blog post.

To reduce the chance that databases are deployed insecurely, MongoDB has decided to make new changes in upcoming releases. The database software maker has already made localhost binding the default configuration (in most popular deployment package formats, RPM and deb) since version 2.6.0, meaning that all networked connections need to be explicitly configured by an administrator.

“Beginning with development release version 3.5.7, localhost-only binding is implemented directly in the MongoDB server, making it the default behavior for all distributions. This will also be incorporated into our upcoming production-ready 3.6 release,” the company says.
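An added example, not MongoDB's own code, that audits the two settings at issue in a mongod.conf: the bind address and whether authorization is enabled. The two configuration snippets are constructed, and the parser handles only the flat two-level YAML shape that mongod.conf uses.

```python
"""Check a mongod.conf for the exposure the ransack campaigns exploited: a
server bound to a non-loopback address with authorization left off.  Added
example, not MongoDB's code; the two configuration snippets are constructed.
Only the flat 'section:' / '  key: value' subset of mongod.conf YAML is parsed."""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def parse_mongod_conf(text):
    """Tiny parser for the two-level YAML subset used by mongod.conf."""
    config, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        if indent == 0:
            section = key
            config[section] = {}
        elif section is not None:
            config[section][key] = value.strip()
    return config


def audit_exposure(text):
    """Return a list of findings; an empty list means the deployment is not
    reachable over the network without credentials."""
    cfg = parse_mongod_conf(text)
    net = cfg.get("net", {})
    security = cfg.get("security", {})
    findings = []

    if net.get("bindIpAll", "").lower() == "true":
        exposed = True
        findings.append("net.bindIpAll is true: mongod listens on every interface")
    elif "bindIp" in net:
        addrs = [a.strip() for a in net["bindIp"].split(",")]
        exposed = any(a not in LOOPBACK for a in addrs)
        if exposed:
            findings.append("net.bindIp includes a non-loopback address: " + ", ".join(addrs))
    else:
        # Unset: packaged (RPM/deb) builds have defaulted to localhost since 2.6.0,
        # but the bare server binary only does so from 3.5.7/3.6 on, so treat as exposed.
        exposed = True
        findings.append("net.bindIp not set: pre-3.6 server binaries bind all interfaces")

    if exposed and security.get("authorization", "disabled").lower() != "enabled":
        findings.append("security.authorization is not enabled: anyone who can reach "
                        "the port can read, drop and ransom every database")
    return findings


# Constructed: the shape of the deployments that were wiped.
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongo
net:
  port: 27017
  bindIp: 0.0.0.0      # reachable from the Internet
"""

# Constructed: loopback only, and credentials required even on loopback.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongo
net:
  port: 27017
  bindIp: 127.0.0.1    # add an internal address deliberately if clients need it
security:
  authorization: enabled
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_exposure(conf) or ["no findings"])
```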

Victor Gevers, who has been long advocating for the inclusion of additional security features in MongoDB, has confirmed to SecurityWeek that version 3.6 will include “long awaited improvement for security which prevent unsafe default deployments.”

He also revealed that, in the new attacks, some of the databases have been hit multiple times after their admins restored the data but didn’t fix the actual problem. According to him, however, only deployments that are discoverable via open source intelligence are being targeted.

“There are attacks going on at a small scale against the machines that were already hit. New MongoDB instances which are not indexed by the famous search engine Shodan are not being hit. This means some groups don't scan themselves but simply use OSINT,” Gevers said.

There have been nearly 76,000 such attacks registered to date, as per a Google Docs spreadsheet maintained by Gevers, Niall Merrigan, and others. The researchers have been working hard helping victims, but they usually do voluntary work: “But don't forget we are doing this work as volunteers. We are expected to be the last resort and failure is not an option,” Gevers said.

During the first series of attacks in early January, the researchers helped 126 victims, including organizations that represented the “most horrifying data losses I have seen in my entire career,” Gevers said. One incident, he pointed out, involved the leak of data pertaining to hundreds of thousands of patients.

The issue, the researcher argues, is that many organizations aren’t even aware of the fact that they have been breached: “Awareness is an issue which needs to be addressed over and over again. I think the GDPR is going to help with that,” he said.

“Most people have no clue what they are doing. We see across all great (open source) products. From CouchDB, Redis, ElasticSearch, Hadoop HDFS, Jenkins, etc, etc. DevOPS have increased the amount of this kind of data leaks significantly in the last 5/6 years,” Gevers also said.


DolphinAttack – Hackers control Siri, Google Now, Alexa voice assistants with ultrasound
8.9.2017 securityaffairs
Attack

The DolphinAttack technique allows hackers to control Siri, Google Now, Alexa and other voice assistants with commands in ultrasonic frequencies.
A team of researchers from the Chinese Zhejiang University has demonstrated how to control several popular speech recognition systems using ultrasound.

The attack technique was dubbed ‘DolphinAttack’; it was successfully tested against Amazon Alexa, Apple Siri, Google Now, Huawei HiVoice, Microsoft Cortana, Samsung S Voice, and also the speech recognition system installed in Audi Q3 models.

DolphinAttack

The researchers were able to modulate various voice commands onto ultrasonic carriers, making them inaudible to humans. The experts demonstrated that by modulating voice commands at a frequency of 20,000 Hz or higher, they were able to activate the systems.

The researchers were able to provide the systems with common activation commands (“Hey Siri,” “OK Google,” “Hi Galaxy” and “Alexa”) and several recognition commands, including “Call 1234567890,” “Open dolphinattack.com,” “turn on airplane mode” and “open the back door.”

The team tested the DolphinAttack method against 7 different speech recognition systems running on 16 devices.

The DolphinAttack method was the most effective against Siri on an iPhone 4s and Alexa on Amazon’s Echo personal assistant device; the researchers found it was possible to provide voice commands over a distance of nearly 2 meters (6.5 feet).

Test results were independent of the language used, but the type of command provided to the system did affect them.

“The length and content of a voice command can influence the success rate and the maximum distance of attacks. We are rigorous in the experiments by demanding every single word within a command to be correctly recognized, though this may be unnecessary for some commands. For instance, “Call/FaceTime 1234567890” and “Open dolphinattack.com” is harder to be recognized than “Turn on airplane mode” or “How’s the weather today?”.” states the research paper.

Other factors, such as background noise, also affected the test results: the researchers observed that the recognition rate for the command “turn on airplane mode” decreased to 30% on the street, compared to 100% in an office and 80% in a cafe.

The researchers also proposed a series of hardware- and software-based defenses against the DolphinAttack method.

The researchers suggest manufacturers address this issue simply by programming their devices to ignore commands at 20 kHz or higher frequencies.

“A microphone shall be enhanced and designed to suppress any acoustic signals whose frequencies are in the ultrasound range. For instance, the microphone of iPhone 6 Plus can resist to inaudible voice commands well,” concluded the researchers.

From the user’s perspective, a solution to protect them from DolphinAttack is turning off voice assistant apps by going into settings.
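As an added example (not the researchers' code), the software-side defense suggested above, implemented as an ultrasonic-energy check a device could run on each microphone frame before handing it to speech recognition. The 96 kHz sample rate is an assumption, and both test signals (a 1 kHz voice-band tone and the same tone modulated onto a 25 kHz carrier) are synthesized inline.

```python
"""Flag audio frames whose energy sits in the ultrasonic band, the filtering
the DolphinAttack authors suggest devices apply before speech recognition.
Added example, not the researchers' code; the sample rate is an assumption
and both test signals are synthesized here."""
import math

SAMPLE_RATE = 96_000        # Hz (assumed); high enough to represent content above 20 kHz
FRAME = 480                 # samples per frame -> 200 Hz per DFT bin
ULTRASOUND_CUTOFF = 20_000  # Hz; upper edge of human hearing


def power_spectrum(samples):
    """Naive DFT returning power per bin for bins 0 .. N/2 (no numpy needed).
    Real audio should be windowed first; the synthetic tones below fall on
    exact bins, so no window is applied here."""
    n = len(samples)
    power = []
    for k in range(n // 2 + 1):
        re = im = 0.0
        for t, x in enumerate(samples):
            angle = 2 * math.pi * k * t / n
            re += x * math.cos(angle)
            im -= x * math.sin(angle)
        power.append(re * re + im * im)
    return power


def ultrasonic_energy_ratio(samples, sample_rate=SAMPLE_RATE, cutoff=ULTRASOUND_CUTOFF):
    """Fraction of (non-DC) signal energy at or above the cutoff frequency."""
    power = power_spectrum(samples)
    bin_hz = sample_rate / len(samples)
    total = sum(power[1:])
    if total == 0:
        return 0.0
    above = sum(p for k, p in enumerate(power) if k * bin_hz >= cutoff)
    return above / total


def reject_inaudible_command(samples, threshold=0.1):
    """True when the frame carries mostly ultrasonic energy and should be
    dropped before it reaches the recognizer."""
    return ultrasonic_energy_ratio(samples) > threshold


def tone(freq_hz, n=FRAME, sample_rate=SAMPLE_RATE):
    """Synthesized pure tone, standing in for ordinary voice-band audio."""
    return [math.sin(2 * math.pi * freq_hz * t / sample_rate) for t in range(n)]


def am_ultrasound(message_hz=1_000, carrier_hz=25_000, depth=0.8, n=FRAME,
                  sample_rate=SAMPLE_RATE):
    """Voice-band message amplitude-modulated onto an ultrasonic carrier: the
    signal shape the paper describes, inaudible to people at these frequencies."""
    return [(1 + depth * math.sin(2 * math.pi * message_hz * t / sample_rate))
            * math.sin(2 * math.pi * carrier_hz * t / sample_rate) for t in range(n)]


VOICE_FRAME = tone(1_000)       # energy at 1 kHz only
DOLPHIN_FRAME = am_ultrasound() # energy at 24, 25 and 26 kHz only

if __name__ == "__main__":
    for name, frame in (("voice", VOICE_FRAME), ("dolphin", DOLPHIN_FRAME)):
        print(name, round(ultrasonic_energy_ratio(frame), 3),
              "rejected" if reject_inaudible_command(frame) else "passed")
```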


Siri, Alexa, Google Now Vulnerable to Ultrasound Attacks

8.9.2017 securityweek Attack
A team of researchers from the Zhejiang University in China has demonstrated how several popular speech recognition systems can be controlled using ultrasound via an attack method they have dubbed “DolphinAttack.”

The experts tested Apple’s Siri, Google Now, Samsung’s S Voice, Huawei’s HiVoice, Microsoft’s Cortana, Amazon’s Alexa and the speech recognition system in an Audi Q3 vehicle. They modulated various voice commands on ultrasonic carriers, at a frequency of 20,000 Hz or higher, in order to make them inaudible to humans.

The goal was to determine if these systems can be activated using ultrasound and if they can be controlled once they have been activated. The activation commands they tested included “Hey Siri,” “OK Google,” “Hi Galaxy” and “Alexa,” while recognition commands included “Call 1234567890,” “Open dolphinattack.com,” “turn on airplane mode” and “open the back door.”

The experiments, carried out on 16 devices with 7 different speech recognition systems, were successful in all cases from various distances. The DolphinAttack method was the most effective against Siri on an iPhone 4s and Alexa on Amazon’s Echo personal assistant device. In both cases, the attack worked over a distance of nearly 2 meters (6.5 feet).

The tests showed that the language used does not have an influence on the efficiency of the attack, but the type of command used does matter. For example, researchers determined that commands such as “call/facetime 1234567890,” “turn on airplane mode” or “how’s the weather today” are recognized much better than “open dolphinattack.com.”

Background noise also has an impact, with recognition rates for the “turn on airplane mode” command decreasing to 30% on the street compared to 100% in an office and 80% in a cafe.

The researchers have also proposed a series of hardware- and software-based defenses against the DolphinAttack method.

“The recently discovered DolphinAttack design flaw in IoT devices is another example of the importance in secure manufacturing. The flaw has introduced a relatively new attack vector – audio,” said Tim Jarrett, Sr. Director of Enterprise Security Strategy at Veracode.

“It is likely that audio and voice-based security controls will evolve as security researchers and hackers begin to explore vulnerabilities. Building in security by design and the ability to adapt to new threats will help IoT manufacturers leverage security as a competitive advantage,” Jarrett added. “IoT device manufacturers should consider this a wake-up call -- manipulating audio for vulnerability injections is a serious area for concern. This recent news isn't just an issue for the enterprise, but one for the millions of consumers that are using these IoT devices day in and day out.”


Injection Attacks Common in Energy and Utilities Sector: IBM

6.9.2017 securityweek Attack
The energy and utilities sector has seen an increasing number of cybersecurity incidents and attacks, according to a new IBM X-Force report published on Wednesday.

IBM reported late last year that the number of attacks aimed at industrial control systems (ICS) had increased by 110 percent in 2016. Data from IBM Managed Security Services for the first half of 2017 shows that more than 2,500 attacks have already been detected against the company’s customers, compared to 2,788 attacks identified in all of last year.

When it comes to the energy and utilities industry, IBM says this sector has fallen just shy of the top 5 most targeted sectors in the first half of 2017. Last year, the company detected more than 39 million security events, 382 attacks, and 66 security incidents that were deemed worthy of further investigation.

Of all the attacks observed by IBM, 60 percent of unintentional and malicious attacks came from outside the organization, and the rest were caused by insiders. Insiders include both malicious actors (16%) and employees who unknowingly opened malicious files (24%), giving attackers remote access to the organization.

“In one publicly disclosed incident, thousands of files were stolen over an eight-month period from an infected computer at a Japanese university's nuclear research lab. Reportedly an employee opened a malicious email that caused the system to become infected and remotely accessible,” IBM said in its report. “The recent targeting of nuclear facilities in the US also involved spear-phishing, malicious Microsoft Word documents and a watering-hole attack.”

Sixty percent of the 2016 attacks against this sector involved some sort of injection method, including OS command injections (29%) and SQL injections (17%). In comparison, injection-type attacks accounted for only 42 percent of incidents across all the other industries monitored by IBM.

Other attacks involved information harvesting and analysis, abuse of existing functionality, and data structure manipulation.

[Figure: Types of attacks targeting the energy and utilities sector]

Energy facilities in the United States and Europe have been increasingly targeted by sophisticated threat actors. While there is no evidence that the attacks caused any service disruptions, Symantec warned on Wednesday that a Russia-linked group known as Dragonfly, Crouching Yeti and Energetic Bear may have gained access to control systems, which could allow it to cause power outages in the future.


Variant of Android WireX Bot Delivers Powerful UDP Flood Attacks

6.9.2017 securityweek Android  Attack
Variant of WireX Android Botnet is Able to Deliver High-volume UDP Flood DDoS Attacks

When several tech companies joined forces to analyze and, hopefully, contain a new Android-based botnet they called WireX, they described it as focused on low-bandwidth HTTP(S) attacks using POST and GET. They missed one variant, subsequently analyzed by Qihoo Technology's 360 Flame Labs, that is able to deliver high-volume UDP flood attacks.

Both F5 Networks and Akamai have subsequently analyzed this 'new' variant. Akamai admits that it was 'essentially overlooked' by the original researchers until found and analyzed by Qihoo's Labs. F5 appears to have found it independently. Worryingly, a single bot is capable of generating over 250GB of attack traffic per attack directive.

The analyses show that the INSMainActivity component "runs the show and is responsible for both preliminary bootstrapping and spinning up the command and control (C2) polling services." It polls the p.axclick.store for commands. If it receives a response where the <title> tag is not empty, it spins up the AsyncTask/Vpxbjlowiwzg service. This in turn generates the C2 polling threads, one of which is responsible for the UDP attack logic, including sending out the UDP traffic.

If the initial C2 response contains both a <title> tag and the string 'snewxwri' (WireX is so-named from an anagram of the final 5 characters), then the attack directive string is split() into an Array on this delimiter value. The delimiter separates the target IP address and the port to attack (which is 1337 in Akamai's analysis).

"The UDP attack traffic exiting the infected device uses fairly generic attack characteristics and offers no customization capabilities for the attacker." In this variant/version, the attacker has no options over the packet size, or padding content for the UDP attack -- the bot receives its instructions and runs its attack cycle. Each packet is null (0x00) padded to a length of 512 bytes.

The bot spins up 50 threads. Each thread runs until 10,000,000 packets have been directed at the target, and is replaced by the next thread. "It is possible," writes Akamai, "a victim could receive many more than 500,000,000 packets per a given attacking source. At these rates, a single host is capable of generating over 250GB of attack traffic per attack directive received."
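The C2 directive format and the 512-byte null-padded packets described above lend themselves to straightforward analyst tooling. The following is an added example, not code from Akamai, F5 or Qihoo: it parses a captured C2 response for the target and port, and flags UDP flows whose payloads match the padding pattern. The `<ip>snewxwri<port>` layout inside the `<title>` tag, the sample addresses and the packet records are assumptions constructed for illustration.

```python
import re
from collections import Counter
from typing import Dict, Iterable, Optional, Tuple

# Delimiter quoted in the analyses of the UDP variant.
DELIMITER = "snewxwri"
PACKET_LEN = 512  # each attack packet is 0x00-padded to 512 bytes

TITLE_RE = re.compile(r"<title>(.*?)</title>", re.IGNORECASE | re.DOTALL)


def parse_directive(c2_response: str) -> Optional[Tuple[str, int]]:
    """Extract (target_ip, port) from a captured C2 response.

    Assumption: the directive is carried in the <title> tag as
    '<ip>snewxwri<port>'. Returns None for a non-attack response
    (empty title, missing delimiter, malformed port).
    """
    m = TITLE_RE.search(c2_response)
    if not m or not m.group(1).strip():
        return None
    title = m.group(1).strip()
    if DELIMITER not in title:
        return None
    parts = title.split(DELIMITER)
    if len(parts) != 2 or not parts[1].isdigit():
        return None
    port = int(parts[1])
    if not 0 < port < 65536:
        return None
    return parts[0], port


def looks_like_wirex_udp(payload: bytes, null_ratio: float = 0.9) -> bool:
    """Heuristic: a 512-byte UDP payload that is almost entirely 0x00 padding."""
    return len(payload) == PACKET_LEN and payload.count(0) / PACKET_LEN >= null_ratio


def flag_flood_sources(packets: Iterable[Tuple[str, str, int, bytes]],
                       threshold: int = 100) -> Dict[Tuple[str, str, int], int]:
    """Count matching packets per (src, dst, dport) flow; return flows over threshold."""
    counts: Counter = Counter()
    for src, dst, dport, payload in packets:
        if looks_like_wirex_udp(payload):
            counts[(src, dst, dport)] += 1
    return {flow: n for flow, n in counts.items() if n >= threshold}


# Constructed sample data (not from the article): one bot flooding 203.0.113.10:1337
SAMPLE_RESPONSE = "<html><head><title>203.0.113.10snewxwri1337</title></head></html>"
SAMPLE_PACKETS = [("198.51.100.7", "203.0.113.10", 1337, b"\x00" * 512) for _ in range(150)]
SAMPLE_PACKETS += [("198.51.100.8", "203.0.113.10", 53, b"\x01" * 64) for _ in range(150)]
```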

The attack rate is dependent on the speed of the delivering device and its network connections. "The code does not throttle the attack, and as a result will use all resources available on the device. We noticed our Android phone got surprisingly hot to the touch as a result."

WireX is more complex and dangerous than originally thought. "Discovering, and ultimately confirming, that WireX can also launch UDP-based volumetric attacks is important, as they are more likely to impact additional applications and OSI layers. This further expands the botnet's capabilities, raising additional concerns for defenders." No definite WireX UDP DDoS attack has yet been seen.

"Initial samples of WireX were flagged as click fraud malware," comments Akamai.

F5 offers a possible explanation: one command that is triggered only when the application launches is served by the p.axclick.store URL. "It results in the malware opening the default Android browser 10 times and browsing the target URL, which just seems like some basic clickfraud functionality," comment the F5 researchers.

"While it's easy to see how a click fraud bot could be easily repurposed to carry out HTTP(S) attacks," adds Akamai, "this discovery and our research all but confirms that WireX wasn't a click fraud botnet being repurposed to perform DDoS attacks. WireX was purpose built to engage in DDoS attacks from the start. To what end (ransom, ddos-for-hire, etc.), has yet to be fully realized."

F5 also points out that despite the basic nature of the UDP attack itself, "it has good market differentiation in its HTTP functionality. Being based on Android’s WebView class, the thingbot [the term used for IoT-based botnets, such as Mirai] is better equipped with browser-like functionality, making it more resistant to various bot challenges, such as cookie support, redirects, and JavaScript, which are still an obstacle for many DDoS malwares."

What does seem clear is that WireX is at the early stages of its evolution -- but already shows indications that it could develop into a serious threat.


Fake Chrome Font Update Attack Distributes Backdoor

5.9.2017 securityweek Attack
A malicious campaign targeting users of the Chrome web browser on Windows systems recently started distributing a remote access Trojan, security researchers have discovered.

First spotted in December 2016, the attack is tied to the EITest compromise chain, and has been observed distributing the Fleercivet ad fraud malware and ransomware variants such as Spora and Mole. Initially targeting only Chrome, the campaign was expanded earlier this year to target Firefox users as well.

The attack relies on pop-ups being displayed in the Chrome browser on Windows devices, claiming that users need to install a so-called HoeflerText font pack. Code injected into compromised websites makes the visited pages look unreadable, which lends the fake pop-up credibility.

Fingerprinting capabilities included in the injected code trigger the attack only if certain criteria are met (targeted country, correct User-Agent (Chrome on Windows) and proper referer). If the social engineering scheme is successful and the user agrees to install the fake font pack, a file named Font_Chrome.exe is downloaded and executed, and the system is infected with malware.

Starting in late August, the malware distributed via these fake Chrome font update notifications is the NetSupport Manager remote access tool (RAT). According to Palo Alto Networks’ Brad Duncan, this should indicate “a potential shift in the motives of this adversary.”

“Network traffic follows two distinct paths. Victims who use Microsoft Internet Explorer as their web browser will get a fake anti-virus alert with a phone number for a tech support scam. Victims using Google Chrome as their browser will get a fake HoeflerText popup […] that offers malware disguised as Font_Chrome.exe,” Duncan explains.

The most recent versions of Font_Chrome.exe are file downloaders designed to retrieve follow-up malware that installs NetSupport Manager. This commercially available RAT was previously associated with a campaign run from hacked Steam accounts last year.

While analyzing the recent attack, Palo Alto’s researchers discovered two variants of the file downloader and two instances of follow-up malware to install the RAT. Although the RAT is already at version 12.5, the version Chrome users are targeted with is at version 11.0, the researchers discovered.

Chrome users on Windows systems should be suspicious of any popup messages that inform them the “HoeflerText” font wasn’t found. Affected users aren’t expected to notice a difference in their system’s operation, given that this is a backdoor program, but that doesn’t mean they weren’t compromised.

“It’s yet to be determined why EITest HoeflerText popups changed from pushing ransomware to pushing a RAT. Ransomware is still a serious threat, and it remains the largest category of malware we see on a daily basis from mass-distribution campaigns. However, we have also noticed an increasing amount of other forms of malware in recent campaigns, especially compared to 2016,” Duncan notes.

He also points out that RATs give attackers more capabilities on an infected host and also provide more flexibility compared with malware that has been designed for a single purpose, and that the recently observed change in the EITest HoeflerText popups might suggest that ransomware is slightly less prominent than it once was.