

New DNS Vulnerability Lets Attackers Launch Large-Scale DDoS Attacks
20.5.2020  Thehackernews  Attack
Israeli cybersecurity researchers have disclosed details about a new flaw impacting the DNS protocol that can be exploited to launch amplified, large-scale distributed denial-of-service (DDoS) attacks to take down targeted websites.
Called NXNSAttack, the flaw hinges on the DNS delegation mechanism to force DNS resolvers to generate more DNS queries to authoritative servers of the attacker's choice, potentially causing a botnet-scale disruption to online services.
"We show that the number of DNS messages exchanged in a typical resolution process might be much higher in practice than what is expected in theory, mainly due to a proactive resolution of name-servers' IP addresses," the researchers said in the paper.
"We show how this inefficiency becomes a bottleneck and might be used to mount a devastating attack against either or both, recursive resolvers and authoritative servers."
Following responsible disclosure of NXNSAttack, several of the companies in charge of the internet infrastructure, including PowerDNS (CVE-2020-10995), CZ.NIC (CVE-2020-12667), Cloudflare, Google, Amazon, Microsoft, Oracle-owned Dyn, Verisign, and IBM Quad9, have patched their software to address the problem.
The DNS infrastructure has been previously at the receiving end of a rash of DDoS attacks through the infamous Mirai botnet, including those against Dyn DNS service in 2016, crippling some of the world's biggest sites, including Twitter, Netflix, Amazon, and Spotify.
The NXNSAttack Method
A recursive DNS lookup happens when a DNS server communicates with multiple authoritative DNS servers in a hierarchical sequence to locate an IP address associated with a domain (e.g., www.google.com) and return it to the client.
This resolution typically starts with the DNS resolver controlled by your ISPs or public DNS servers, like Cloudflare (1.1.1.1) or Google (8.8.8.8), whichever is configured with your system.
The resolver passes the request to an authoritative DNS name server if it's unable to locate the IP address for a given domain name.
But if the first authoritative DNS name server also doesn't hold the desired records, it returns a delegation message with the addresses of the next authoritative servers that the DNS resolver can query.
In other words, an authoritative server tells the recursive resolver: "I do not know the answer, go and query these and these name servers, e.g., ns1, ns2, etc., instead".
This hierarchical process goes on until the DNS resolver reaches the correct authoritative server that provides the domain's IP address, allowing the user to access the desired website.
Researchers found that these large undesired overheads can be exploited to trick recursive resolvers into continuously sending a large number of packets to a targeted domain instead of to legitimate authoritative servers.
In order to mount the attack through a recursive resolver, the attacker must be in possession of an authoritative server, the researchers said.
"This can be easily achieved by buying a domain name. An adversary who acts as an authoritative server can craft any NS referral response as an answer to different DNS queries," the researchers said.
The NXNSAttack works by sending a request for an attacker-controlled domain (e.g., "attacker.com") to a vulnerable DNS resolving server, which would forward the DNS query to the attacker-controlled authoritative server.
Instead of returning addresses to the actual authoritative servers, the attacker-controlled authoritative server responds to the DNS query with a list of fake server names or subdomains, controlled by the threat actor, that point to a victim DNS domain.
The DNS server, then, forwards the query to all the nonexistent subdomains, creating a massive surge in traffic to the victim site.
The researchers said the attack can amplify the number of packets exchanged by the recursive resolver by as much as a factor of more than 1,620, thereby overwhelming not only the DNS resolvers with more requests than they can handle, but also flooding the target domain with superfluous requests and taking it down.
What's more, using a botnet such as the Mirai as a DNS client can further augment the scale of the attack.
"Controlling and acquiring a huge number of clients and a large number of authoritative NSs by an attacker is easy and cheap in practice," the researchers said.
"Our initial goal was to investigate the efficiency of recursive resolvers and their behavior under different attacks, and we ended up finding a new seriously looking vulnerability, the NXNSAttack," the researchers concluded.
"The key ingredients of the new attack are (i) the ease with which one can own or control an authoritative name server, and (ii) the usage of nonexistent domain names for name servers and (iii) the extra redundancy placed in the DNS structure to achieve fault tolerance and fast response time," they added.
It's highly recommended that network administrators who run their own DNS servers update their DNS resolver software to the latest version.
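The delegation-following behaviour described above, modelled as an added Python example that is not code from the researchers or any resolver vendor: a toy recursive resolver chases every glueless name server in a referral, so a referral naming many nonexistent hosts under a victim zone sends that many queries to the victim's authoritative server, while a per-referral fetch cap (a constructed stand-in for the vendor fixes, as are all names and addresses here) bounds the damage.

```python
"""Toy model of NXNSAttack-style delegation amplification and of the kind
of cap resolver vendors added to bound it.  Added example, not code from
the researchers or any vendor: names and addresses are constructed and
'ns_fetch_cap' stands in for the vendor fixes that limit how many glueless
NS names a resolver chases per referral (real limits differ per product)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Union

@dataclass
class Answer:
    ip: str

@dataclass
class Referral:
    """Delegation without glue: 'ask these name servers instead'."""
    ns_names: List[str]

@dataclass
class Authority:
    """Authoritative server; names absent from 'zone' are NXDOMAIN."""
    zone: Dict[str, Union[Answer, Referral]] = field(default_factory=dict)
    queries_received: int = 0

    def query(self, qname: str) -> Optional[Union[Answer, Referral]]:
        self.queries_received += 1
        return self.zone.get(qname)  # None models NXDOMAIN

class Resolver:
    # Simplified recursive resolver that, like pre-patch resolvers, proactively
    # resolves every glueless name server named in a referral.
    def __init__(self, servers: Dict[str, Authority], hints: Dict[str, str],
                 ns_fetch_cap: Optional[int] = None):
        self.servers = servers            # ip -> Authority
        self.hints = hints                # zone apex -> ip of its authority
        self.ns_fetch_cap = ns_fetch_cap  # None = unbounded (pre-patch)

    def _server_for(self, qname: str) -> Optional[Authority]:
        labels = qname.split(".")
        for i in range(len(labels)):      # longest known suffix wins
            apex = ".".join(labels[i:])
            if apex in self.hints:
                return self.servers[self.hints[apex]]
        return None

    def resolve(self, qname: str, depth: int = 0) -> Optional[str]:
        if depth > 4:                     # guard against referral loops
            return None
        server = self._server_for(qname)
        resp = server.query(qname) if server else None
        if isinstance(resp, Answer):
            return resp.ip
        if not isinstance(resp, Referral):
            return None                   # NXDOMAIN or unknown zone
        names = resp.ns_names
        if self.ns_fetch_cap is not None:
            names = names[: self.ns_fetch_cap]
        # Each glueless NS name costs a fresh query chain; when the attacker
        # puts them all under the victim's zone, every chain ends at the
        # victim's authoritative server.
        for ns_name in names:
            ns_ip = self.resolve(ns_name, depth + 1)
            if ns_ip in self.servers:
                final = self.servers[ns_ip].query(qname)
                if isinstance(final, Answer):
                    return final.ip
        return None

def legit_scenario():
    """Normal delegation: www.site.example is served by ns1.dnshost.example."""
    servers = {
        "203.0.113.1": Authority({"www.site.example": Referral(["ns1.dnshost.example"])}),
        "203.0.113.2": Authority({"ns1.dnshost.example": Answer("203.0.113.3")}),
        "203.0.113.3": Authority({"www.site.example": Answer("192.0.2.80")}),
    }
    return servers, {"site.example": "203.0.113.1", "dnshost.example": "203.0.113.2"}

def attack_scenario(n_fake_ns: int):
    """attacker.example refers every query to n nonexistent, glueless names
    under victim.example; the victim's server answers NXDOMAIN to each."""
    fakes = [f"fake{i}.victim.example" for i in range(n_fake_ns)]
    servers = {
        "203.0.113.10": Authority({"www.attacker.example": Referral(fakes)}),
        "198.51.100.20": Authority(),     # victim: knows none of the names
    }
    return servers, {"attacker.example": "203.0.113.10", "victim.example": "198.51.100.20"}

def legit_lookup() -> Optional[str]:
    return Resolver(*legit_scenario()).resolve("www.site.example")

def victim_load(n_fake_ns: int, ns_fetch_cap: Optional[int] = None) -> int:
    """Queries the victim's server receives for ONE client query."""
    servers, hints = attack_scenario(n_fake_ns)
    Resolver(servers, hints, ns_fetch_cap).resolve("www.attacker.example")
    return servers["198.51.100.20"].queries_received
```

With no cap, one client query turns into one victim-bound query per fake name; with the cap, the victim sees at most the cap regardless of how long the referral list is.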


Bluetooth Bugs Allow Impersonation Attacks on Legions of Devices
20.5.2020  Threatpost  Attack

A host of unpatched security bugs that allow BIAS attacks affects Bluetooth chips from Apple, Intel, Qualcomm, Samsung and others.

Academic researchers have uncovered security vulnerabilities in Bluetooth Classic that allow attackers to spoof paired devices: They found that the bugs allow an attacker to insert a rogue device into an established Bluetooth pairing, masquerading as a trusted endpoint. This allows attackers to capture sensitive data from the other device.

The bugs allow Bluetooth Impersonation Attacks (BIAS) on everything from internet of things (IoT) gadgets to phones to laptops, according to researchers at the École Polytechnique Fédérale de Lausanne (EPFL) in France. The flaws are not yet patched in the specification, though some affected vendors may have implemented workarounds.

“We conducted BIAS attacks on more than 28 unique Bluetooth chips (by attacking 30 different devices),” the researchers said. “At the time of writing, we were able to test chips from Cypress, Qualcomm, Apple, Intel, Samsung and CSR. All devices that we tested were vulnerable to the BIAS attack.”

The issue lies in the pairing/bonding protocols used in the specification. When two Bluetooth devices are paired for the first time, they exchange a persistent encryption key (the “long-term key”) that will then be stored, so that the endpoints are thereafter bonded and will connect to each other without having to perform the lengthier pairing process every time.

For the attacks to be successful, an attacking device would need to be within wireless range of a vulnerable Bluetooth device that has previously established bonding with a remote device with a Bluetooth address known to the attacker.

BIAS Bugs
The post-pairing connections are enabled because the devices – let’s call them Alice and Bob – perform a background check to make sure both possess the long-term key. This is done using the Legacy Secure Connections or Secure Connections protocols inside the Bluetooth specification, which verify three things: Alice’s Bluetooth address, Bob’s Bluetooth address and the shared long-term key.

As the researchers explained in their paper released on Monday, an attacker (let’s call him Charlie) can change his Bluetooth address to mimic either Alice or Bob’s address (uncovered via simple eavesdropping), “but he cannot prove the ownership of [the long-term key].” The researchers explained, “this is the fundamental assumption behind Bluetooth’s authentication guarantees, and this assumption should protect against impersonation attacks.”

They added, “Both procedures authenticate [the long-term key] using a challenge-response protocol, and the procedure selection depends on Alice and Bob’s supported features. The standard claims that both procedures protect secure connection establishment against impersonation attacks, as an attacker who does not know [the long-term key] cannot provide a correct response to a challenge.”

However, several bugs exist in these processes, they found, opening the door for BIAS gambits while that post-pairing connection is being carried out. The problems include:

Bluetooth secure connection establishment is neither encrypted nor integrity-protected;
Legacy Secure Connections secure connection establishment does not require mutual authentication;
a Bluetooth device can perform a role switch at any time after baseband paging;
devices that paired using Secure Connections can use Legacy Secure Connections during secure connection establishment.

There are several attack scenarios that are possible, according to the paper, especially for device pairs that use the older Legacy Secure Connections to bond.

For instance, Charlie can establish a connection with Alice pretending to be Bob. Charlie sends a challenge to Alice, and receives a response that’s calculated based on address and long-term key. “As the Bluetooth standard does not mandate [the use of] the legacy authentication procedure mutually while establishing a secure connection, Alice does not have to authenticate that Charlie knows [long-term key],” according to the paper.

Another attack scenario involves switching master and slave roles. The master in a pairing is the one that requests the connection. The above attack works when attackers impersonate the requesting side of the relationship. However, they can also impersonate a slave device by maliciously taking advantage of Bluetooth’s role switch procedure.

“Bluetooth uses a master-slave medium access protocol, to keep the master and the slave synchronized. The standard specifies that the master and slave roles can be switched any time after baseband paging is completed,” according to the researchers. “This is problematic because Charlie can use this to impersonate the slave device by initiating a role switch and become the master (verifier) before the unilateral authentication procedure is started, and then complete the secure connection establishment without having to authenticate…This feature of Bluetooth was never investigated in a security context, and is thus an entirely novel attack technique.”

The devices using the newer and stronger Secure Connections protocol are also vulnerable, specifically to downgrade attacks.

“Charlie can pretend that the impersonated device (either Alice or Bob) does not support Secure Connections to downgrade secure connection establishment with the victim to Legacy Secure Connections,” the paper explained. “As a result of the downgrade, Charlie and the victim use the legacy authentication procedure rather than the secure authentication procedure, and Charlie can bypass secure connection establishment authentication.”
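The three weaknesses and the SIG mitigations, modelled as an added Python example that is not code from the EPFL researchers, the Bluetooth SIG or any Bluetooth stack: an HMAC stands in for the real authentication function, the addresses, link key and the `Policy` knobs are constructed, and the scenario functions show how mutual authentication, Secure Connections Only mode and blocking pre-authentication role switches each close one path.

```python
"""Toy model of Bluetooth legacy secure connection establishment as
described in the BIAS disclosure, with the weaknesses the researchers listed
(no mandatory mutual authentication, role switch before authentication,
downgrade to the legacy procedure) and the host-side mitigations the SIG
recommended.  Added example, not code from the EPFL researchers, the SIG or
any Bluetooth stack: the HMAC stands in for the real authentication
function, and all addresses, keys and names are constructed."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional

def legacy_response(link_key: bytes, claimant_addr: bytes, challenge: bytes) -> bytes:
    # Stand-in for the link-key keyed authentication function.
    return hmac.new(link_key, claimant_addr + challenge, hashlib.sha256).digest()

@dataclass
class Device:
    name: str
    addr: bytes                  # Bluetooth address the device presents
    link_key: Optional[bytes]    # None: impersonator who never paired
    claims_sc: bool = True       # Secure Connections support as advertised
    wants_role_switch: bool = False

    def respond(self, challenge: bytes) -> bytes:
        if self.link_key is None:
            return os.urandom(32)            # no key, so no valid response
        return legacy_response(self.link_key, self.addr, challenge)

    def verify(self, peer: "Device") -> bool:
        """Verifier role: challenge the peer under its claimed address."""
        if self.link_key is None:
            return True                      # an impersonator accepts anything
        challenge = os.urandom(16)
        expected = legacy_response(self.link_key, peer.addr, challenge)
        return hmac.compare_digest(expected, peer.respond(challenge))

@dataclass
class Policy:
    """Host controls; all False reproduces the behaviour BIAS relies on."""
    require_mutual_auth: bool = False         # SIG: mutual legacy authentication
    sc_only: bool = False                     # SIG: Secure Connections Only mode
    block_role_switch_before_auth: bool = False  # pending spec clarification

def establish(initiator: Device, responder: Device, policy: Policy) -> Dict[str, object]:
    """Model secure connection establishment; 'established' is True when every
    party that was required to verify its peer did so successfully."""
    use_sc = initiator.claims_sc and responder.claims_sc   # unauthenticated claims
    if policy.sc_only and not use_sc:
        return {"procedure": "legacy", "established": False, "reason": "SC Only"}
    if use_sc:   # Secure Connections: authentication is mutual by design
        verified = {responder.name: responder.verify(initiator),
                    initiator.name: initiator.verify(responder)}
        return {"procedure": "secure", "established": all(verified.values())}
    # Legacy: the master (the connection requester) is the verifier, and a
    # role switch is allowed any time after paging unless the host blocks it.
    master, slave = initiator, responder
    if responder.wants_role_switch and not policy.block_role_switch_before_auth:
        master, slave = responder, initiator
    verified = {master.name: master.verify(slave)}
    if policy.require_mutual_auth:
        verified[slave.name] = slave.verify(master)
    return {"procedure": "legacy", "master": master.name,
            "established": all(verified.values())}

# Constructed identities: Alice and Bob share a link key from earlier pairing.
ALICE_ADDR = bytes.fromhex("001122334455")
BOB_ADDR = bytes.fromhex("66778899aabb")
LINK_KEY = hashlib.sha256(b"constructed long-term key").digest()

def alice() -> Device:
    return Device("Alice", ALICE_ADDR, LINK_KEY)

def bob() -> Device:
    return Device("Bob", BOB_ADDR, LINK_KEY)

def charlie_as_bob(**kw) -> Device:
    # Charlie presents Bob's address, has no key, and claims no SC support
    # so that the victim falls back to the legacy procedure.
    return Device("Charlie", BOB_ADDR, None, claims_sc=False, **kw)

def legitimate(policy: Policy) -> bool:
    return establish(bob(), alice(), policy)["established"]

def impersonate_as_master(policy: Policy) -> bool:
    """Charlie, posing as Bob, requests the connection to Alice."""
    return establish(charlie_as_bob(), alice(), policy)["established"]

def impersonate_as_slave(policy: Policy) -> bool:
    """Alice connects to 'Bob'; Charlie requests a role switch first."""
    return establish(alice(), charlie_as_bob(wants_role_switch=True), policy)["established"]
```

With the default `Policy()` both impersonation scenarios succeed from the victim's point of view; each mitigation flag turns one of them into a failed authentication while the legitimate Bob still connects.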

KNOB Connection
The BIAS attacks can also be combined with the Key Negotiation of Bluetooth (KNOB) attack, according to a CERT advisory, which would give an attacker full access to the paired device.

KNOB was discovered last August. It occurs when a third party forces two or more victims to agree on an encryption key with as little as one byte of entropy. Once the entropy is reduced, the attacker can brute-force the encryption key and use it to decrypt communications.

This would allow a user to “impersonate a Bluetooth device, complete authentication without possessing the link key, negotiate a session key with low entropy, establish a secure connection and brute-force the session key,” according to CERT.

An attacker could initiate a KNOB attack on encryption key strength without intervening in an ongoing pairing procedure through an injection attack. If the accompanying KNOB attack is successful, an attacker may gain full access as the remote paired device. If the KNOB attack is unsuccessful, the attacker will not be able to establish an encrypted link but may still appear authenticated to the host.

Remediation Forthcoming
The Bluetooth Special Interest Group (SIG) said in an advisory that it will be eventually updating the Bluetooth Core Specification to clarify when role switches are permitted, to require mutual authentication in legacy authentication and to recommend checks for encryption-type to avoid a downgrade of secure connections to legacy encryption.

“Until this occurs, the Bluetooth SIG is strongly recommending that vendors ensure that reduction of the encryption key length below 7 octets is not permitted, that hosts initiate mutual authentication when performing legacy authentication, that hosts support Secure Connections Only mode when this is possible, and that the Bluetooth authentication not be used to independently signal a change in device trust without first requiring the establishment of an encrypted link,” it said.

The researchers said that for now, any standard-compliant Bluetooth device can be expected to be vulnerable.

“After we disclosed our attack to industry in December 2019, some vendors might have implemented workarounds for the vulnerability on their devices,” according to the BIAS website. “So the short answer is: if your device was not updated after December 2019, it is likely vulnerable. Devices updated afterwards might be fixed.”


Bluetooth BIAS attack threatens billions of devices
20.5.2020  Securityaffairs Attack

Boffins disclosed a security flaw in Bluetooth, dubbed BIAS, that could potentially be exploited by an attacker to spoof a remotely paired device.
Researchers from École Polytechnique Fédérale de Lausanne (EPFL) discovered a vulnerability in Bluetooth, dubbed Bluetooth Impersonation AttackS or BIAS, that could potentially be exploited by an attacker to spoof a remotely paired device.

The issue potentially impacts over a billion devices.

“To establish an encrypted connection, two Bluetooth devices must pair with each other using a link key. It is possible for an unauthenticated, adjacent attacker to impersonate a previously paired/bonded device and successfully authenticate without knowing the link key. This could allow an attacker to gain full access to the paired device by performing a Bluetooth Impersonation Attack (BIAS).” reads the vulnerability note VU#647177.

The Bluetooth specification is affected by security flaws that could allow attackers to carry out impersonation attacks while establishing a secure connection.

For a BIAS attack to be successful, the attacking device needs to be within wireless range of a vulnerable Bluetooth device that has previously established a BR/EDR bonding with a remote device whose Bluetooth address is known to the attacker.
To establish an encrypted connection, two Bluetooth devices must pair with each other using a link key, also known as the long-term key.

The experts explained that the flaw results from how two previously paired devices handle the link key. The link key allows two paired devices to maintain the connection every time data is transferred between them.
The experts discovered that it is possible for an unauthenticated attacker within the wireless range of a target Bluetooth device to spoof the address of a previously paired remote device to successfully complete the authentication procedure with some paired/bonded devices without knowing the link key.

“The Bluetooth standard includes a legacy authentication procedure and a secure authentication procedure, allowing devices to authenticate to each other using a long term key. Those procedures are used during pairing and secure connection establishment to prevent impersonation attacks. In this paper, we show that the Bluetooth specification contains vulnerabilities enabling to perform impersonation attacks during secure connection establishment.” reads the research paper. “Such vulnerabilities include the lack of mandatory mutual authentication, overly permissive role switching, and an authentication procedure downgrade.”
The researchers reported their findings to the Bluetooth Special Interest Group (SIG) in December 2019.
“The researchers identified that it is possible for an attacking device spoofing the address of a previously bonded remote device to successfully complete the authentication procedure with some paired/bonded devices while not possessing the link key. This may permit an attacker to negotiate a reduced encryption key strength with a device that is still vulnerable to the Key Negotiation of Bluetooth attack disclosed in 2019.” reads the advisory published by the Bluetooth SIG. “If the encryption key length reduction is successful, an attacker may be able to brute force the encryption key and spoof the remote paired device. If the encryption key length reduction is unsuccessful, the attacker will not be able to establish an encrypted link but may still appear authenticated to the host.”

Experts explained that by combining the BIAS attack with other attacks, such as the KNOB (Key Negotiation of Bluetooth) attack, the attacker can brute-force the encryption key and use it to decrypt communications.

“The BIAS and KNOB attacks can be chained to impersonate a Bluetooth device, complete authentication without possessing the link key, negotiate a session key with low entropy, establish a secure connection, and brute force the session key” states the paper.

Experts tested the attack against as many as 30 Bluetooth devices and found that all of them were vulnerable to BIAS attacks.

The Bluetooth SIG has addressed the vulnerability by announcing changes to be introduced in a future specification revision.

The SIG recommends that Bluetooth users install the latest updates from the device and operating system manufacturers.

“The BIAS attacks are the first uncovering issues related to Bluetooth’s secure connection establishment authentication procedures, adversarial role switches, and Secure Connections downgrades,” the paper concludes. “The BIAS attacks are stealthy, as Bluetooth secure connection establishment does not require user interaction.”


NXNSAttack: New DNS Vulnerability Allows Big DDoS Attacks
20.5.2020  Securityweek  Attack
Several major providers of DNS services and software have been working to address a serious DNS vulnerability that could allow malicious actors to launch significant distributed denial-of-service (DDoS) attacks.

The vulnerability, dubbed NXNSAttack, was discovered by a team of researchers from Tel Aviv University and Interdisciplinary Center Herzliya in Israel.

The flaw exists in the DNS protocol and it affects all recursive DNS resolvers. It has been confirmed to impact DNS software such as NLnet Labs’s Unbound, BIND, Knot Resolver and PowerDNS, as well as DNS services provided by Google, Microsoft, Cloudflare, Amazon, Oracle (DYN), Verisign, IBM Quad9, and ICANN.

The affected organizations have patched their software and servers to prevent exploitation. However, entities that operate their own DNS resolver need to update their software as soon as possible to prevent attacks.

Various CVE identifiers have been assigned by the impacted vendors, including CVE-2020-8616 (BIND), CVE-2020-12662 (Unbound), CVE-2020-12667 (Knot) and CVE-2020-10995 (PowerDNS).

DNS amplification attacks are DDoS attacks where the attacker exploits vulnerabilities in DNS servers to turn small queries into larger payloads that can disrupt the targeted server.

In the case of NXNSAttack, a remote attacker can amplify network traffic by sending DNS queries to a vulnerable resolver, which queries an authoritative server controlled by the attacker. The attacker’s server delegates to fake server names pointing to the victim’s DNS domain, causing the resolver to generate queries towards the victim’s DNS server. The attack can result in an amplification factor of over 1,620.

NXNSAttack - image credits NIC.CZ

The researchers who discovered the flaw have created a dedicated website for NXNSAttack and published a detailed paper describing their findings. CZ.NIC, which develops Knot Resolver, has also published a blog post that provides a summary of how the attack works.


European supercomputers hacked in mysterious cyberattacks
19.5.2020  Bleepingcomputer  Attack

Several high-performance computers (HPCs) and data centers used for research projects have been shut down this week across Europe due to security incidents.

About a dozen of these supercomputers are affected in Germany, U.K., and Switzerland, leaving researchers unable to continue their work. Some were compromised as early as January.

Supercomputers are extremely powerful systems built on traditional hardware to perform high-speed computations. They are used mainly for scientific work and testing mathematical models for complex physical phenomena and designs.

Multiple clusters down in Germany
On Monday, notifications started to roll out from the U.K. and Germany about supercomputers being shut down following cyber attacks.

ARCHER, UK’s National Supercomputing Service, became unavailable to researchers on May 11 due to security exploitation on its login nodes. The service remains locked to external access and fresh news will be posted tomorrow.

One notification reads: “Jobs that are currently running or queued will continue to run, but you will be unable to log in or to submit new jobs.”

Another informs users that all existing ARCHER passwords and SSH keys will be reset. Users logging in when the service comes back online will need two credentials: an SSH key with a passphrase and a fresh ARCHER password.

The Baden-Württemberg High Performance Computing (bwHPC) project in Germany on the same day announced a security incident that made five of its clusters unavailable, with no timeframe for resuming operations:

bwUniCluster 2.0 at the Karlsruhe Institute of Technology
ForHLR II at the Karlsruhe Institute of Technology
bwForCluster JUSTUS, used for chemistry applications
bwForCluster BinAC at the University of Tübingen, used for bioinformatics and astrophysics projects
Hawk, inaugurated in February at the High-Performance Computing Center in Stuttgart

The Leibniz Supercomputing Center on Thursday notified users that a security incident affected its high-performance computers, prompting the institute to isolate them from the outside world.

Also on Thursday, the Jülich Supercomputing Centre (JSC) in Germany announced that its JURECA, JUDA, and JUWELS supercomputers became unavailable due to an IT security incident.

By the end of the week, at least nine supercomputers in Germany were impacted by cyber attacks, according to SPIEGEL journalist Patrick Beuth.

A similar note was posted for the Taurus system at the Technical University in Dresden: “Due to a security issue we have temporarily closed access to Taurus.”

The bwForCluster NEMO in Freiburg, used for research in neuroscience, elementary particle physics, and microsystems engineering, has also been hacked.

Beuth reports that users received emails saying that the attacker’s way in was a stolen account with root privileges. A total of seven attacks were detected, the first one on January 9.

On Saturday, the Swiss Center of Scientific Computations (CSCS) informed its users that several high-performance computers and academic data centers can no longer be accessed due to malicious activity detected on the systems.

“We are currently investigating the illegal access to the centre. Our engineers are actively working on bringing back the systems as soon as possible to reduce the impact on our users to a minimum” - CSCS Director Thomas Schulthess

Cryptojacking intent
Details are scarce about the purpose of the attack but the European Grid Infrastructure (EGI) in an advisory yesterday published details about two cyber attacks hitting academic data centers that appear to be the work of the same actor.

In both cases, the attacker was using compromised SSH credentials to hop from one host to another to abuse CPU resources for mining Monero cryptocurrency. Some hosts are used for mining, others are proxies for connecting to the mining server.

The Computer Security Incident Response Team (CSIRT) at EGI found that in one case, the malicious mining activity is configured to run only during night hours, most likely to avoid detection.

CSIRT released technical details and indicators of compromise for the incidents they analyzed, noting that victims are located in China, the U.S., and Europe.

Malware details
Tillmann Werner, security researcher at CrowdStrike, told BleepingComputer that one component of the malware has root privileges and loads other programs. Another component is used to remove traces from log data.

The researcher also says that both components are ELF64 binaries. The loader is placed under “/etc/fonts/.fonts” and the log cleaner is under “/etc/fonts/.low.”

Apparently, there are different files that are compiled on the target system, but their functionality is the same. He provides YARA detection rules for both parts (1, 2):

rule loader {
    strings:
        $ = { 61 31 C2 8B 45 FC 48 98 }
    condition:
        all of them
}

rule cleaner {
    strings:
        $ = { 14 CC FC 28 25 DE B9 }
    condition:
        all of them
}
An analysis of the two malware components is available from Robert Helling and Cado Security, a cybersecurity company in the US. The firm says that the malware was uploaded to the VirusTotal scanning service from Germany, UK, Switzerland, and Spain.

Security researcher Felix von Leitner said in a blog post that colleagues of his in Poland reported that a supercomputer in Barcelona was also impacted.


Australian flat product steel producer BlueScope hit by cyberattack
19.5.2020  Securityaffairs  Attack

The Australian flat product steel producer BlueScope Steel Limited was hit by a cyberattack that caused disruptions to some of its operations.
Australian steel producer BlueScope was recently hit by a cyberattack that disrupted some of its operations.

The incident was spotted on Friday at one of its businesses located in the US, but the company did not share any detail about the attack.

“BlueScope today confirmed that its IT systems have been affected by a cyber incident, causing disruptions to parts of the Company’s operations. Our North Star, Asian and New Zealand businesses are continuing largely unaffected with minor disruptions.” reads the statement published by the company. “In Australia, manufacturing and sales operations have been impacted; some processes have been paused, whilst other processes including steel despatches continue with some manual processes and workarounds.”

Problems of this kind are usually the result of a ransomware attack, and the suspicion was confirmed by iTnews, which reported that the incident was caused by this family of malware and that the company is restoring systems from backups.

“BlueScope Steel is suffering IT “disruption” that is believed to be the result of a ransomware infection, impacting production systems used by its global operations.” reads a post published by iTnews. “iTnews has learned that production systems were halted company-wide in the early hours of Thursday morning, though recovery from backup was understood to be progressing on Thursday afternoon.”

BlueScope confirmed that the security incident impacted some of its IT systems. Manufacturing and sales operations in Australia were deeply impacted.
“In the affected areas the Company has reverted to manual operations where possible while it fully assesses the impact and remediates as required, in order to return to normal operations as quickly as possible.” continues the post.
Recently another Australian giant, the transportation and logistics company Toll, was hit by ransomware and disclosed a security incident.

In May, Toll Group informed its customers that it had shut down some IT systems after a new ransomware attack; it is the second infection disclosed by the company this year.

Toll staff discovered the infection after noticing unusual activity on some servers; further investigation revealed the presence of the Nefilim ransomware.


BEC Gang Exploits G Suite, Long Domain Names in Cyberattacks

15.5.20  Threatpost  Attack

BEC gangs like “Exaggerated Lion” are using tricky tactics – like exploiting G Suite – to scam companies out of millions.

Business email compromise (BEC) attacks continue to be a thorn in companies’ sides, with the FBI in its IC3 annual cybercrime report saying that the attacks cost victims $1.7 billion in 2019.

Making matters worse, BEC cybergangs are turning to new tactics and tricks to avoid detection and capitalize on existing victims. For instance, a cybercriminal gang that researchers call “Exaggerated Lion” has been making use of G Suite and extremely long domain names to swindle millions of dollars out of its victims.

Crane Hassold, senior director of research with Agari, talks to Threatpost at RSA 2020 about how BEC scams are becoming more dangerous and trickier to detect.



Access to UK Supercomputer Suspended Following Cyberattack
15.5.20  Securityweek  Attack

Access to one of the most powerful supercomputers in the United Kingdom was suspended this week following a cyberattack.

Hosted by the University of Edinburgh and packing 118,080 processing cores running on a Cray XC30, the ARCHER (Advanced Research Computing High End Resource) supercomputer is the primary academic research supercomputer in the UK. The ARCHER Service was started in November 2013.

On May 11, 2020, the team behind ARCHER disabled access to the service due to a “security exploitation” on its login nodes. The team announced that jobs already running or queued would continue to run, although login has been disabled and no other jobs could be added.

The team also decided to revoke existing passwords and reset SSH keys. When logging back in after access to ARCHER is restored, users will need new passwords and SSH keys.

“We would advise you to also change passwords and SSH keys on any other systems which you share your ARCHER credentials with,” the team said on Wednesday.

The security incident, the team says, appears to be part of “a major issue across the academic community as several computers have been compromised in the UK and elsewhere in Europe.”

The EPCC Systems team has been working with the National Cyber Security Centre (NCSC) and Cray/HPE to investigate the incident and address the issue, but the ARCHER Service will remain unavailable over the weekend as well.

“We are hoping to return ARCHER back to service early next week but this will depend on the results of the diagnostic scans taking place and further discussions with NCSC,” the team said today.

No further details on the attack have been provided, nor on the actors suspected to be behind it.

Last week, the United States and the UK issued a joint alert to warn of advanced persistent threat (APT) groups “actively targeting organizations involved in both national and international COVID-19 responses,” including pharmaceutical companies, medical research organizations, and universities.


Google WordPress Site Kit plugin grants attacker Search Console Access
14.5.2020  Securityaffairs  Attack

Experts found a critical bug in Google’s official WordPress plugin ‘Site Kit’ that could allow hackers to gain owner access to targeted sites’ Google Search Console.
The Site Kit WordPress plugin makes it easy to set up and configure key Google products (i.e. Search Console, Analytics, Tag Manager, PageSpeed Insights, Optimize, and AdSense), giving users authoritative and up-to-date advice on how to succeed on the web. It has over 300,000 active installations.
Experts from Wordfence found a critical bug in the ‘Site Kit’ plugin that could be exploited by authenticated attackers to gain owner access to targeted sites’ Google Search Console.

“This flaw allows any authenticated user, regardless of capability, to become a Google Search Console owner for any site running the Site Kit by Google plugin.” reads the analysis published by Wordfence.

The vulnerability is caused by the disclosure of the proxySetupURL in the HTML source code of admin pages. This URL is used to redirect a site’s administrator to Google OAuth and run the site owner verification process through a proxy.

“In order to establish the first connection with Site Kit and Google Search Console, the plugin generates a proxySetupURL that is used to redirect a site’s administrator to Google OAuth and run the site owner verification process through a proxy.” continues the analysis.

“Due to the lack of capability checks on the admin_enqueue_scripts action, the proxySetupURL was displayed as part of the HTML source code of admin pages to any authenticated user accessing the /wp-admin dashboard.”

Experts also noticed a second issue: the verification request used to verify a site’s ownership was a registered admin action that did not check the capabilities of the requesting user, so it could be triggered by any authenticated WordPress user.

By chaining the two vulnerabilities, an attacker can obtain ownership of the site in Google Search Console, which allows them to modify sitemaps, remove pages from Google search engine result pages (SERPs), or facilitate black hat SEO campaigns.

“These two flaws made it possible for subscriber-level users to become Google Search Console owners on any affected site,” continues Wordfence.
“An owner in Google Search Console can do things like request that URLs be removed from the Google Search engine, view competitive performance data, modify sitemaps, and more. Unwarranted Google Search Console owner access on a site has the potential to hurt the visibility of a site in Google search results and impact revenue as an attacker removes URLs from search results. More specifically, it could be used to aid a competitor who wants to hurt the ranking and reputation of a site to better improve their own reputation and ranking.”
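The two bug classes described above (a setup URL emitted on every admin page without a capability check, and an admin action that trusts any logged-in user) are easy to reproduce and to fix in WordPress plugin code. The following is an added illustration written for this page, not Site Kit's own code: the `example_` function names, the `example_proxy_setup_url` option, the `example-setup` script handle and page slug, and the `example_verify_site_ownership` action name are all hypothetical. The vulnerable functions are shown for contrast and are deliberately never hooked; only the hardened versions are registered.

```php
<?php
/**
 * Plugin Name: Example Setup URL Exposure Demo (hypothetical, for illustration only)
 */

// ---------------------------------------------------------------------------
// Vulnerable pattern (shown for contrast, NOT hooked below).
// ---------------------------------------------------------------------------

/**
 * Pattern 1: admin_enqueue_scripts fires on every /wp-admin page for every
 * user who can reach the dashboard, including subscribers. Localizing the
 * setup URL here, with no capability check, prints it into the HTML source
 * of every admin page for every authenticated user.
 */
function example_vulnerable_enqueue( $hook_suffix ) {
    wp_register_script( 'example-setup', plugins_url( 'setup.js', __FILE__ ), array(), '1.0', true );
    wp_enqueue_script( 'example-setup' );
    wp_localize_script( 'example-setup', 'exampleSetup', array(
        'proxySetupURL' => get_option( 'example_proxy_setup_url' ), // hypothetical option holding the secret-bearing URL
    ) );
}

/**
 * Pattern 2: a registered admin action that records the site as verified for
 * whoever sent the request. Any logged-in user can reach admin.php?action=...
 * so nothing stops a subscriber from completing "ownership" verification.
 */
function example_vulnerable_verify() {
    update_option( 'example_site_verified_by', get_current_user_id() );
    wp_safe_redirect( admin_url() );
    exit;
}

// ---------------------------------------------------------------------------
// Hardened pattern (hooked).
// ---------------------------------------------------------------------------

/**
 * Emit the setup URL only on the plugin's own settings screen and only for
 * users who are allowed to connect external services (manage_options).
 * The hook suffix for a hypothetical top-level "example-setup" menu page is
 * 'toplevel_page_example-setup'.
 */
function example_secure_enqueue( $hook_suffix ) {
    if ( 'toplevel_page_example-setup' !== $hook_suffix ) {
        return; // not our screen: nothing sensitive reaches the page source
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        return; // low-privilege user: nothing sensitive reaches the page source
    }
    wp_register_script( 'example-setup', plugins_url( 'setup.js', __FILE__ ), array(), '1.0', true );
    wp_enqueue_script( 'example-setup' );
    wp_localize_script( 'example-setup', 'exampleSetup', array(
        'proxySetupURL' => esc_url_raw( get_option( 'example_proxy_setup_url' ) ),
        // The nonce binds the later verification request to this admin's session,
        // so the action below cannot be triggered cross-site or by another user.
        'verifyNonce'   => wp_create_nonce( 'example_verify_site_ownership' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_secure_enqueue' );

/**
 * Verification action: refuse anyone without manage_options, then require a
 * valid nonce for this exact action (check_admin_referer() dies with a 403
 * on failure). Only then record the verifying user.
 */
function example_secure_verify() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die(
            esc_html__( 'You are not allowed to verify ownership of this site.', 'example' ),
            '',
            array( 'response' => 403 )
        );
    }
    check_admin_referer( 'example_verify_site_ownership', '_wpnonce' );

    update_option( 'example_site_verified_by', get_current_user_id() );
    wp_safe_redirect( admin_url( 'admin.php?page=example-setup&verified=1' ) );
    exit;
}
add_action( 'admin_action_example_verify_site_ownership', 'example_secure_verify' );
```

The design point is that the two checks are independent: `current_user_can()` enforces authorization (a subscriber cannot reach the secret or the action at all), while the nonce enforces that a privileged user actually intended the request. Either gap alone reproduces one of the two flaws Wordfence describes; removing both is what turned a subscriber account into a Search Console owner.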

The good news is that Google sends an email alert when a new Google Search Console owner is added, allowing admins to remove the unknown owner.

As an extra precaution, admins can also reset the WordPress Site Kit connection, after which all previously connected Google services must be reconnected.

Wordfence discovered the privilege escalation issue on April 21 and reported it to Google on April 22.

Google addressed the vulnerability on May 7 with the release of Site Kit 1.8.0.

At the time of writing over 200,000 website owners have updated their Site Kit plugins, but over 100,000 sites are still vulnerable.


Advanced attack scenarios and sabotage of smart manufacturing environments

12.5.2020  Net-security  Attack  ICS

Advanced hackers could leverage unconventional, new attack vectors to sabotage smart manufacturing environments, according to Trend Micro.

Industry 4.0 Lab, the system that Trend Micro analyzed during this research

“Past manufacturing cyber attacks have used traditional malware that can be stopped by regular network and endpoint protection. However, advanced attackers are likely to develop Operational Technology (OT) specific attacks designed to fly under the radar,” said Bill Malik, vice president of infrastructure strategies for Trend Micro.

“As our research shows, there are multiple vectors now exposed to such threats, which could result in major financial and reputational damage for Industry 4.0 businesses. The answer is IIoT-specific security designed to root out sophisticated, targeted threats.”
Smart manufacturing equipment relying on proprietary systems

Critical smart manufacturing equipment relies primarily on proprietary systems; however, these machines have the computing power of traditional IT systems. They are capable of much more than the purpose for which they are deployed, and attackers are able to exploit this power.

The computers primarily use proprietary languages to communicate, but just like with IT threats, the languages can be used to input malicious code, traverse through the network, or steal confidential information without being detected.

Though smart manufacturing systems are designed and deployed to be isolated, this seclusion is eroding as IT and OT converge. Due to the intended separation, there is a significant amount of trust built into the systems and therefore very few integrity checks to keep malicious activity out.

The systems and machines that could be taken advantage of include the manufacturing execution system (MES), human machine interfaces (HMIs), and customizable IIoT devices. These are potential weak links in the security chain and could be exploited in such a way to damage produced goods, cause malfunctions, or alter workflows to manufacture defective products.
Defense and mitigation measures

Deep packet inspection that supports OT protocols to identify anomalous payloads at the network level
Integrity checks run regularly on endpoints to identify any altered software components
Code-signing on IIoT devices to include dependencies such as third-party libraries
Risk analysis to extend beyond physical safety to automation software
Full chain of trust for data and software in smart manufacturing environments
Detection tools to recognize vulnerable/malicious logic for complex manufacturing machines
Sandboxing and privilege separation for software on industrial machines


Shipping Giant Toll Confirms Hackers Stole Data in Recent Attack
12.5.2020  Attack

After initially claiming that it had found no evidence of data being stolen as a result of the recently disclosed ransomware attack, Australian shipping giant Toll admitted on Tuesday that the attackers did manage to steal some data.

Toll informed customers last week that it had shut down some IT systems after discovering a piece of ransomware. This was the second ransomware incident disclosed by the company this year.

In an update shared on Tuesday, Toll admitted that the hackers did gain access to a corporate server from which they downloaded some information. The affected server stored information on current and former employees and details on commercial agreements with enterprise customers. However, the company said customer operational data was not exposed.

The attack involved Nefilim ransomware, whose operators are known to steal data and threaten to make it public unless a ransom is paid. However, Toll says it does not plan on paying any ransom, and claims it has not seen the compromised information being made public.

“At this stage, we have determined that the attacker has downloaded some data stored on the corporate server, and we are in the process of identifying the specific nature of that information. The attacker is known to publish stolen data to the ‘dark web’. This means that, to our knowledge, information is not readily accessible through conventional online platforms,” Toll said in a statement.

Thomas Knudsen, managing director of the Toll Group, commented, “Given the technical and detailed nature of the analysis in progress, Toll expects that it will take a number of weeks to determine more details. We have begun contacting people we believe may be impacted and we are implementing measures to support individual online security arrangements.”

Toll has more than 40,000 employees and a global logistics network that spans across 1,200 locations in over 50 countries.

The company informed customers in January that it had found Mailto ransomware on some systems, but says the two incidents are not related.


Researchers Analyze Entry Points, Vectors for Manufacturing System Attacks
12.5.2020  Securityweek  Attack

Researchers from cybersecurity firm Trend Micro and the Polytechnic University of Milan have analyzed the possible entry points and vectors for attacks targeting smart manufacturing environments, and they discovered several new vulnerabilities in the process.

It’s not uncommon for traditional malware to make its way into industrial environments, and in many cases it is detected by existing security solutions. Sophisticated attackers looking to target industrial organizations, however, are more likely to launch attacks that specifically target operational technology (OT) systems, which makes their attack more efficient and less likely to be detected.

The Polytechnic University of Milan has a dedicated Industry 4.0 lab with manufacturing equipment that is typically deployed in real-world environments. Trend Micro teamed up with the university to see exactly how attackers could gain access to manufacturing environments and the actions they could conduct.

The study, which resulted in a 60-page report, looked at three main points of entry: engineering workstations, custom industrial internet-of-things (IIoT) devices, and manufacturing execution systems (MES).

One of the most important entry points is the engineering workstation, which is often connected to devices on the plant floor. Engineering workstations are used to manage PLCs and HMIs, and gaining access to them can be highly useful to an attacker as it allows them to access sensitive information, move laterally, or tamper with manufacturing equipment.

Researchers at Trend Micro and the Polytechnic University of Milan have shown how these engineering workstations could be compromised using a malicious industrial add-in or extension. If an attacker can convince a user within the targeted organization to install a malicious add-in, they can push arbitrary automation logic code to manufacturing equipment.

While tricking an engineer into using a malicious add-in might not sound like an easy task, the researchers have identified some vulnerabilities that could make a hacker’s job easier. For example, a security hole in ABB’s RobotStudio app store, which hosts automation logic for industrial robots made by ABB, could have allowed an attacker to bypass the vetting process and upload a malicious add-in that would become immediately available in the store. ABB released a server-side patch for this vulnerability after being notified by Trend Micro.

Another example involves KUKA’s KUKA.Sim engineering and development software for robots and computer numerical control (CNC) devices. The issue is related to the eCatalog feature, which allows users to import 3D models made by others. The researchers discovered that the software did not include any integrity checks for data downloaded from the eCatalog and the communication between the client and the server was not encrypted, allowing a man-in-the-middle (MitM) attacker to make malicious changes to a model.

Custom IIoT devices, which allow engineers to run fully custom automation logic on manufacturing equipment, can also be a good entry point for attacks. While these custom devices have many benefits, they can rely on third-party libraries, which makes them more exposed to supply chain attacks.

If an attacker can somehow get the target to use a trojanized library or alter code directly on a development workstation, they could remotely gain full access to a plant, Trend Micro warned.

In the case of MES databases, which store work orders and templates, an attacker can simply change records in the database to cause problems. This can be done by an attacker who has gained access to the targeted organization’s network or to an unprotected MES database — this attack can also start with a compromised engineering workstation.

The researchers also looked at mobile HMIs, which can have vulnerabilities like the ones typically found in other mobile applications. There are over 170 HMI apps on Google Play and many of them have thousands and even hundreds of thousands of installs.

Vulnerabilities exist in many of these apps, but Trend Micro’s attack examples focused on Comau’s PickApp, which allows users to control their robots from a tablet or mobile phone. The application is affected by various types of flaws that can allow an attacker to take control of connected machines.