Archive for June 2017

NCSC Rolls out Active Cyber Defense Government Programs

The National Cyber Security Centre (NCSC) has announced the launch of four ‘Active Cyber Defence’ programs to improve basic levels of cybersecurity across UK business and government departments.

Described as “four simple and free measures for government departments to improve basic cybersecurity, which are ready to be implemented immediately by departments and their arm’s-length bodies”, it follows the news of an attempted brute force attack on parliamentary emails a week ago.

Developed as part of the government’s National Cyber Security Strategy, it “aims to make infrastructure, products and services automatically safer and easier to use safely by organizations and individuals.”

The four programs see the NCSC offer DNS filtering to prevent redirects, adding DMARC services to cut down on phishing opportunities, the WebCheck service which scans websites for common vulnerabilities and a notification service for suspicious websites with Netcraft.

Andrew Clarke, EMEA director at One Identity, told Infosecurity that he felt that this was reassuring, and that this “sets a good example for commercial organizations to emulate as they also take a more pro-active cybersecurity stance.”

He said: “In our rapidly changing world, some of the basics get overlooked, so having a pro-active service will be reassuring to government departments that need to concentrate on delivering a quality service to citizens.

“Taking a look at the four measures, these are all good pro-active measures that remove a lot of the day-to-day irritations. This is a great start and as long as the service develops further and extends to cover some of the more sophisticated techniques now being adopted then it will help more comprehensively.”

Mark James, security specialist at ESET, added that any help towards taking the “sole onus away from the user has to be a great thing, as when the end-user does not actually understand or even be in a position to make a factual choice regarding something being good or bad, then relying on those choices to keep us safe is starting on a negative to begin with.”

Kyle Wilhoit, senior cybersecurity threat researcher at DomainTools, said: “The steps taken by the NCSC are a great starting point to address underlying architectural issues and basic security vulnerabilities common in many different environments. Filtering DNS, making BGP hijacking more difficult, and the steps the ADC is taking in requiring DMARC are all great steps to cut out ‘low hanging vulnerabilities’. These compensating controls aren't perfect, and against targeted attacks may not be as useful, but the NCSC and ADC are great steps in the right direction.”

Source: Information Security Magazine

Computer Scientists: Passwords Can be Acquired from Brain Waves

The latest cyber-attack vector may be the human brain, according to computer scientists from the University of Alabama at Birmingham and the University of California Riverside.

The study used electroencephalograph (EEG) headsets on research subjects, a type of user input device that is increasingly used in video games. According to the study, if a user pauses their game and manually types a password to authenticate to their online banking, the password could be recovered from their brain waves.

The 12 research subjects were asked to type a string of randomly generated passwords and PINs on their keyboards. While doing so they wore both consumer-grade and medical-grade EEG headsets. In theory, malware that reads the EEG headset output could recover a user's password while the user is thinking about it. The researchers' algorithms guessed four-digit PINs with a 46.5% success rate and six-character passwords with a 37.3% success rate.

“In a real world attack, a hacker could facilitate the training step required for the malicious program to be most accurate, by requesting that the user enter a predefined set of numbers in order to restart the game after pausing it to take a break, similar to the way CAPTCHA is used to verify users when logging onto websites,” said Nitesh Saxena, one of the authors of the paper.

Saxena had further commentary about the study's findings. "Given the growing popularity of EEG headsets and the variety of ways in which they could be used, it is inevitable that they will become part of our daily lives, including while using other devices. It is important to analyze the potential security and privacy risks associated with this emerging technology to raise users' awareness of the risks and develop viable solutions to malicious attacks."

A Canadian information security analyst who prefers not to be named considered other cybersecurity implications of the research's findings. “(The EEG attack method) is not exactly subtle, but could be an interrogation technique. I think that would be counted as potentially self-incrimination, so probably not court admissible.”

Source: Information Security Magazine

CIA May Have Developed Linux Malware

Vault 7 from WikiLeaks is stirring controversy once again. This time, a leaked CIA document gives technical details of Linux malware the agency may have developed. The document is dated 5 June 2015 and names the malware OutlawCountry.

Here are details from the document.

  • OutlawCountry contains a kernel module that creates a hidden netfilter table.

  • One kernel module specifically targets CentOS and Red Hat Enterprise Linux 6.

  • An attacker who uses OutlawCountry must have shell access to their target.

  • The purpose of the hidden netfilter table is to allow new rules to be created with the iptables command.

"OutlawCountry allows for the redirection of all outbound network traffic on the target computer to CIA controlled machines for exfiltration and infiltration purposes. The malware consists of a kernel module that creates a hidden netfilter table on a Linux target. With knowledge of the table name, an operator can create rules that take precedence over existing netfilter/iptables rules and are concealed from a user or even system administrator," WikiLeaks wrote on their blog.

Although the document states that an attacker needs shell access to their target, it's unclear as to how an attacker is supposed to acquire access. OutlawCountry also requires root privileges.

Although only a fraction of client PCs run Linux operating systems, a large percentage of servers run Linux, including distributions such as Red Hat and CentOS. Red Hat Enterprise Linux is CentOS's upstream source, so it makes sense that the same vulnerability can exist in both operating systems. OutlawCountry's network traffic redirection feature suggests the malware could target servers which operate internet functions, such as web servers.

WikiLeaks' Vault 7 documents have been published since 7 March 2017, and consist of leaks from the CIA. The Vault 7 post which revealed the OutlawCountry document is dated 29 June 2017.

Source: Information Security Magazine

NotPetya Development May Have Started Before EternalBlue

Both WannaCry and the new Petya variants that hit earlier this week (including NotPetya) exploited the same Windows SMB vulnerability that Microsoft released a patch for in March. Even though Microsoft released the patch before the ShadowBrokers leaked the EternalBlue exploit that targeted that vulnerability, millions of computers were still attacked. Even so, it's common knowledge in the cybersecurity field that both WannaCry and NotPetya were built with EternalBlue. A theory from F-Secure's Andy Patel blows the NotPetya assumption wide open.

“The network propagation module was probably already in development in February,” Patel wrote.

Two unnamed F-Secure colleagues added their thoughts.

“We won’t be able to determine the timestamp for the use of NSA tools since it’s part of the main DLL code which has the June timestamp.”

“Also, in this particular Petya sample, the shellcode is in a way coupled with the exploits. That is, they didn’t simply plug the shellcode in without properly testing it with their version of the SMB exploit.”

Patel clarified his observations in a footnote. “Some of the payloads utilized by the network propagation component have compilation timestamps from February 2017. The compilation dates on these payloads don’t have any bearing on when the Eternal exploits were implemented in the network propagation code.”

WannaCry appears to be the work of script kiddies—cyber-attack amateurs who use scripts developed only by other parties without producing their own code or finding their own exploits. The ransomware didn't even have an effective monetization scheme. NotPetya appears to be something completely different, and there are sound theories that it was developed by a nation-state. Also, the ransomware element of NotPetya may have merely been a guise.

“This is definitely not designed to make money. This is designed to spread fast and cause damage, with a plausibly deniable cover of 'ransomware',” security researcher the grugq said on Twitter.

[Figure: Tweet from F-Secure with the timestamps that are the basis for the theory that NotPetya started development before the EternalBlue leak.]

Source: Information Security Magazine

Ukrainian Spooks Call in FBI, NCA and Europol

Ukrainian security service SBU has reached out to the FBI, the UK’s National Crime Agency (NCA), Europol and others in a bid to establish who was behind this week’s ‘Petya’ ransomware outbreak.

In a brief statement, the SBU claimed it is also working with “special services of foreign countries and international organizations” in a joint effort to get to the bottom of the hugely damaging attack campaign.

Interestingly, the security service branded the attack an “act of cyber-terrorism”.

It explained:

“The SBU specialists in cooperation with the experts of FBI USA, NCA of Great Britain, Europol and also leading cyber security institutions, conduct coordinated joint events on localization of damaging software PetyaA distribution, final definition of methods of this act of cyberterrorism, establishing of the attack sources, its executors, organizers and paymaster.”

The means of propagation, “activation” and operation have already been identified, which means that teams are currently focused on “the search of possibilities for data decoding and groundwork of guidelines for prevention of virus distribution, neutralization of other negative consequences of this emergency.”

Ukraine was particularly badly hit by the outbreak, with Eset claiming three-quarters (75%) of victims are within the country.

This threat appears to use various propagation methods, including the EternalBlue exploit utilized by WannaCry. It also uses legitimate tools PsExec and Windows Management Instrumentation Command-line (WMIC), plus Windows security tool Mimikatz to extract log-ins, to help spread laterally.

However, some analysts have claimed that in Ukraine, a compromised update to popular local accounting software MeDoc was used as an initial infection vector, with the country branded “patient zero” by Bitdefender.

In addition, Kaspersky Lab had this:

“The most significant discovery to date is that the Ukrainian website for the Bakhmut region was hacked and used to distribute the ransomware to visitors via a drive-by-download of the malicious file. To our knowledge no specific exploits were used in order to infect victims. Instead, visitors were served with a malicious file that was disguised as a Windows update.”

Despite the best intentions of the SBU and its global law enforcement allies, it would be highly unusual if they were able to definitively attribute the initial threat to a specific source.

Source: Information Security Magazine

Linux Systemd Vulnerability Enables DNS Attacks

In January 2017, security researcher Sebastian Krahmer found a bug in Linux systems which could be exploited to grant cyber-attackers root access to a targeted machine. On June 27 2017, software engineer Chris Coulson reported a different systemd vulnerability.

The CVE-2017-9445 bug can be exploited by cyber-attackers using TCP packets that trick systemd's DNS resolver service, systemd-resolved, into executing malicious code or crashing.

According to Coulson, “Certain sizes passed to dns_packet_new can cause it to allocate a buffer that's too small. A page-aligned number – sizeof(DnsPacket) + sizeof(iphdr) + sizeof(udphdr) will do this—so, on x86 this will be a page-aligned number—80. Eg, calling dns_packet_new with a size of 4016 on x86 will result in an allocation of 4096 bytes, but 108 bytes of this are for the DnsPacket struct.

A malicious DNS server can exploit this by responding with a specially crafted TCP payload to trick systemd-resolved in to allocating a buffer that's too small, and subsequently write arbitrary data beyond the end of it.”

Coulson reports that the bug was introduced in systemd version 233 in 2015, and affects versions through 233.
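The sizing mistake in Coulson's report, modelled as an added example that is not systemd's code and not from the article: a function that treats its argument as a link MTU and subtracts the 28-byte IP+UDP header before rounding the struct-plus-payload up to a page, beside the corrected sizing and a bounds-checked append that refuses to write past the buffer's real capacity. The 108-byte struct size and 4096-byte page are assumptions chosen to reproduce the 4016/4096 figures in the quote; the scan helpers go beyond the single 4016 case and show that the shortfall is a 28-byte window just below every page boundary.

```c
/* Added model of the allocation shortfall Coulson describes; not systemd's code.
 * MODEL_STRUCT_HDR (108) and MODEL_PAGE_SIZE (4096) are assumed values chosen to
 * reproduce the figures in the quote; 28 is sizeof(iphdr) + sizeof(udphdr). */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MODEL_PAGE_SIZE   4096u  /* x86 page size */
#define MODEL_STRUCT_HDR  108u   /* assumed sizeof(DnsPacket) on 32-bit x86 */
#define IP_UDP_HDR_SIZE   28u    /* IPv4 header (20) + UDP header (8) */
#define DNS_HDR_SIZE      12u    /* fixed DNS message header */

static size_t page_align(size_t n) {
    return (n + MODEL_PAGE_SIZE - 1) & ~(size_t)(MODEL_PAGE_SIZE - 1);
}

/* Flawed sizing: the argument is treated as a link MTU, so 28 bytes of IP/UDP
 * header are subtracted before struct + payload is rounded up to a page. A TCP
 * caller that passes the exact payload length it is about to copy gets a buffer
 * 28 bytes short whenever struct + (len - 28) already ends on a page boundary. */
size_t payload_capacity_flawed(size_t requested) {
    size_t a = requested > IP_UDP_HDR_SIZE ? requested - IP_UDP_HDR_SIZE : DNS_HDR_SIZE;
    return page_align(MODEL_STRUCT_HDR + a) - MODEL_STRUCT_HDR;
}

/* Corrected sizing: the caller states the payload bytes it needs and nothing is
 * subtracted from that, so page rounding can only add slack, never remove it. */
size_t payload_capacity_fixed(size_t requested) {
    size_t a = requested < DNS_HDR_SIZE ? DNS_HDR_SIZE : requested;
    return page_align(MODEL_STRUCT_HDR + a) - MODEL_STRUCT_HDR;
}

/* Smallest request in [lo, hi] for which the flawed sizing comes up short, or 0. */
size_t first_short_size(size_t lo, size_t hi) {
    for (size_t n = lo; n <= hi; n++)
        if (payload_capacity_flawed(n) < n) return n;
    return 0;
}

/* Number of requests in [lo, hi] for which the flawed sizing comes up short. */
size_t count_short_sizes(size_t lo, size_t hi) {
    size_t c = 0;
    for (size_t n = lo; n <= hi; n++)
        if (payload_capacity_flawed(n) < n) c++;
    return c;
}

/* A packet buffer that remembers the payload capacity it really has. */
typedef struct {
    size_t capacity;      /* payload bytes actually allocated */
    size_t size;          /* payload bytes written so far */
    unsigned char *data;
} Packet;

Packet *packet_new(size_t (*capacity_fn)(size_t), size_t requested) {
    Packet *p = calloc(1, sizeof *p);
    if (!p) return NULL;
    p->capacity = capacity_fn(requested);
    p->data = calloc(p->capacity, 1);
    if (!p->data) { free(p); return NULL; }
    return p;
}

void packet_free(Packet *p) {
    if (p) { free(p->data); free(p); }
}

/* Bounds-checked append: refuses the copy instead of running past the buffer.
 * Returns 0 on success, -1 if the data would not fit in the remaining capacity. */
int packet_append(Packet *p, const unsigned char *buf, size_t len) {
    if (len > p->capacity - p->size) return -1;
    memcpy(p->data + p->size, buf, len);
    p->size += len;
    return 0;
}

/* Allocate with the given sizing rule and try to store a constructed payload of
 * `len` bytes, as a TCP reader would after reading the 2-byte length prefix. */
int try_store(size_t (*capacity_fn)(size_t), size_t len) {
    unsigned char *payload = malloc(len);
    if (!payload) return -2;
    memset(payload, 0xAB, len);               /* constructed filler, not real DNS data */
    Packet *p = packet_new(capacity_fn, len);
    int rc = p ? packet_append(p, payload, len) : -2;
    packet_free(p);
    free(payload);
    return rc;
}

int main(void) {
    printf("request 4016: flawed capacity %zu, fixed capacity %zu\n",
           payload_capacity_flawed(4016), payload_capacity_fixed(4016));
    printf("first short request in 1..8192: %zu (%zu short sizes in that range)\n",
           first_short_size(1, 8192), count_short_sizes(1, 8192));
    printf("store 4016 bytes: flawed=%d fixed=%d\n",
           try_store(payload_capacity_flawed, 4016), try_store(payload_capacity_fixed, 4016));
    return 0;
}
```

The two things worth taking from the model: compute an allocation from the bytes the caller will actually write, never from a derived quantity that may be smaller, and keep the real capacity next to the buffer so every copy into it can be checked against it rather than against the caller's belief about the size.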

Linux's systemd is a crucial component, used by many distributions to bootstrap user space and manage all subsequent processes. The program was created by Red Hat developers. Distributions that can be exploited through systemd vulnerabilities include Debian, Ubuntu, Arch Linux, openSUSE, SUSE Linux Enterprise Server, Gentoo Linux, Fedora, and CentOS.

Ubuntu developer Canonical has addressed the vulnerability. On Tuesday, they released a fix for Ubuntu 17.04 and Ubuntu 16.10. According to Red Hat, the vulnerability doesn't affect the versions of systemd that are used in Red Hat Enterprise Linux 7. Debian responded to the CVE-2017-9445 report by explaining that their distributions use the vulnerable versions of systemd, but it's not a concern for them because the affected systemd-resolved service is disabled by default.

Source: Information Security Magazine

Guidance Software Releases Survey on State of Cybersecurity

Today Guidance Software, developer of the EnCase suite of endpoint security and digital forensics applications, released a brand new survey on the current state of cybersecurity.

They surveyed 330 security and IT professionals during May 2017, asking them about cyber-attacks in the past year and how that's affected their plans for the future. Here are some of their key findings.

About 65% of organizations had malware related breaches, an increase from 56% in 2016. As many as 23% of organizations have been hit by ransomware, with 9% admitting to have paid the ransom. None of the organizations surveyed claim to have paid a ransom in 2016. Interestingly, only 48% of respondents believe they'll need to respond to a breach within the next year.

Approximately 25% of organizations suffered direct financial losses due to cyber-attacks or data breaches in the past year. Around 20% of breach victims lost more than $1 million USD as a result. Minor financial losses are also increasing; 11% of respondents claimed them in 2016, and 19% recently.

The survey also reports what organizations say their top three IT security challenges are. The rankings are: 35% of respondents name risk assessment; 34% say that security policy enforcement is a big challenge for them; and 31% say it's managing the complexity of cybersecurity in general.

These findings from Guidance Software's survey indicate the direction enterprise cybersecurity may be heading in the near future.

People in the information security field have opinions about the survey.

Cheryl Biswas, cybersecurity consultant for KPMG, said, “The challenge always has and always will be the human factor. We can't rely on automation or AI to predict that accurately. Our approach to security awareness and training has to change. We need to look at building it as a culture, so that we change perceptions into habits that will reinforce security practices. An end user who is actively monitoring their surroundings, both digital as well as physical, is an invaluable security asset. Attackers can breach both online portals as well as tailgate their way into organizations. The best attacks aren't sophisticated—they are simple and proven multiple times over because they exploit basic human tendencies.”

Todd Howe, systems administrator for Offensive Security, said, “Each organization has its own context and challenges, so while it's difficult to take specific actions from general surveys of this nature, it's heartening to see information security staffing levels on the rise. The incidence of major breaches drives home the point that the industry can't afford complacency. All hands on deck!”

Source: Information Security Magazine

Shadow Brokers Taunt and Blackmail NSA

The Shadow Brokers have not gone quiet after WannaCry (malware which uses their leaked EternalBlue exploit) hit. Days after WannaCry, they threatened to leak new exploits and data in June. Now, with June nearly over, they're striking again.

The Petya variants that hit European utilities and enterprises earlier this week also used their EternalBlue exploit. The Shadow Brokers were quick to brag about it. Yesterday, the Shadow Brokers boasted about their monthly subscription dump service, with the next release scheduled for July.

“Another global cyber attack is fitting end for first month of theshadowbrokers dump service. There is much theshadowbrokers can be saying about this, but what is point and having not already being said? So to business! Time is still being left to make subscribe and getting June dump. Don’t be let company fall victim to next cyber attack, maybe losing big bonus or maybe price on stock options be going down after attack. June dump service is being great success for theshadowbrokers, many many subscribers, so in July theshadowbrokers is raising price.”

That's not all. Now they're trying to blackmail the NSA, threatening to expose an NSA worker who they accuse of cyber-attacking China.

“TheShadowBrokers is having special invitation message for 'doctor' person theshadowbrokers is meeting on Twitter. 'Doctor' person is writing ugly tweets to theshadowbrokers not unusual but 'doctor' person is living in Hawaii and is sounding knowledgeable about theequationgroup. Then 'doctor' person is deleting ugly tweets, maybe too much drinking and tweeting? Is very strange, so theshadowbrokers is doing some digging. TheShadowBrokers is thinking 'doctor' person is former EquationGroup developer who built many tools and hacked organization in China.”

“Doctor” is an interesting codename for the NSA worker whom they're threatening to expose. Someone on Twitter, using the @drwolfff account, says he's the person the Shadow Brokers are talking about. He says that the Shadow Brokers are making false accusations about him, and he'll “dox” himself later today. In a pinned tweet dated 10 October 2016, he verified that he's the person who uses the “drwolf” account on

This is turning out to be a very interesting story which has serious implications, even if the parties involved aren't completely honest.

Source: Information Security Magazine

Half of Ransomware Victims Are Hit Multiple Times

Half of organizations hit by a ransomware attack are struck multiple times, with exposed infrastructure stretching well beyond the endpoint, according to a new study from Druva.

The security vendor polled over 830 IT professionals across the globe to compile its Annual Ransomware Report.

It revealed that 80% believe attacks are increasing, with half of those already struck claiming that they’d been hit more than once.

What’s more, although unsolicited emails are often the cause of initial infection, exploiting employees’ lack of cyber-savvy, and infecting endpoints (60%), a third (33%) of attacks struck corporate servers and 7% targeted cloud apps.

This drives home the importance of a defense-in-depth strategy to ensure maximum protection from ransomware.

With multiple devices infected in 70% of cases, the report also highlights the value of speed-to-detection.

It’s disappointing, therefore, that IT departments took longer than two hours to detect such threats in 40% of cases.

Druva claimed this highlights the importance of automated threat monitoring and detection systems.

Backing up data is also key, so it’s heartening to find that 82% of respondents claimed to have been able to recover data by restoring from back-up.

It’s important to note, however, that best practice suggests IT teams follow the 3-2-1 rule: three back-up copies on two different media with one back-up offsite.

Druva CEO, Jaspreet Singh, argued the report’s findings illustrate the importance of planning.

“Simply put, protecting data protects your bottom line,” he added. “It’s no surprise that more and more companies are relying on back-up to recover from ransomware attacks. Simple preventative planning greatly mitigates what could otherwise be costly and destructive to data recovery, not to mention devastating to overall business viability.”

This week’s ‘Petya’ outbreak has shown once again the potentially catastrophic effects of ransomware, especially when combined with an effective propagation mechanism.

Source: Information Security Magazine

Nato Confirms Cyber as Legitimate Military Domain

Nato has confirmed that it is currently establishing cyber as a legitimate military domain, in which an online attack against a member nation could be considered an attack on all 29 allies.

The military alliance’s secretary general, Jens Stoltenberg, made the remarks at a press conference in Brussels yesterday ahead of a meeting of Nato defense ministers.

He said the alliance was “in the process of establishing cyber” as a domain alongside land, sea and air, meaning a cyber-attack could theoretically trigger Article 5, the part of its treaty related to collective defense.

However, the likelihood of being able to invoke Article 5 against a nation state attacker is complicated by the problem of attribution.

Nevertheless, Stoltenberg argued that cyber was an increasingly vital element of modern operations, as highlighted by WannaCry and the ‘Petya’ outbreak this week.

“We are implementing our cyber-defense pledge which is ensuring that we are strengthening the cyber-defenses of both Nato networks but also helping Nato allies to strengthen their cyber-defenses. We exercise more, we share best practices and technology and we also work more and more closely with all allies looking into how we can integrate their capabilities, strengthening Nato’s capability to defend our networks,” he added.

“All of this highlights the advantage of being an alliance of 29 allies because we can work together, strengthen each other and learn from each other.”

Stoltenberg claimed the organization was also helping Ukraine improve its cyber-defenses.

The country has been rocked by several major attacks on critical infrastructure since its war with Russia began.

These have included stealthy APT attacks against power stations which caused blackouts for two successive winters.

It is also thought to have been ground zero in the recent ‘Petya’ attack campaign which led to ransomware causing widespread service outages in government organizations, utilities and more.

Microsoft claimed on Tuesday to have observed more than 12,500 machines in the country encounter the threat, with hackers booby-trapping an update for legitimate accounting software MEDoc to gain an initial foothold.

Nato has also experienced its fair share of attacks, being a favorite target of the infamous Fancy Bear/APT28 group linked to the Kremlin.

Source: Information Security Magazine