Category Archives: IoT

Intel buys Smart Edge platform from Canada-based Pivot Technology Solutions for $27M

In the latest move to expand its edge computing business, Intel Corp. has agreed to purchase Smart Edge computing platform, an indirect subsidiary of Pivot, for US$27 million on Oct. 15.

Smart Edge is a virtualized mobile smart edge (MEC) computing platform that provides services to enterprises and businesses at the edge. The technology enables services including personalized ads, digital signage, VR and AR, and product information. It can be linked with various IoT devices to provide data analytics.

The platform can also create caching points to quickly deliver information with lower latency. Decentralizing data delivery across many nodes across the network is faster than delivering data from large, centralized data centres.

By scooping up Pivot’s Smart Edge, Intel is looking to further expand into the 5G market, where IoT and edge computing is expected to boom. In its press release, the company said that it’s expecting the 5G silicon addressable market to reach $65 billion by 2023.

Intel exited the 5G smartphone modem business in April this year and transitioned its focus towards network infrastructure and data centres.

Reuters reported that Smart Edge did not generate much revenue in the first half of 2019.

The acquisition is expected to complete in the fourth quarter of 2019. Intel said around 25 Smart Edge employees will join Intel when the transaction closes.

Prerequisites of IoT Security: Software, Network, Physical

IoT Security focuses on protecting networks and connected devices in the Internet of Things. For the readers who are new to IoT, it is a system of connected computing devices, digital and mechanical machines, animals, people, and objects. Each aspect has a unique identifier and an ability to transfer data on the network automatically. Once these devices are on the internet, they encounter grave vulnerabilities without proper protection.

Some recent high-profile incidents have surfaced, thus making IoT security a pressing topic. Cybercriminals use traditional devices to infiltrate and attack a network. Therefore, it is crucial to implement safety standards to ensure the protection of the IoT networks and their agents.

Challenges in IoT Security

IoT security has some difficulties in establishing end-to-end protection of devices and networks. Networking appliances are relatively unfamiliar, and protection isn’t even a crucial consideration in designing products. Moreover, the infancy stage of the IoT market makes manufacturers and product designers desire to present their products to the market quickly. These people disregard security in their devices, even in the planning phase.

A primary issue in IoT security is the use of default or hardcoded passwords because it can result in security breaches, even if users change them. Not providing strong passwords can still lead to infiltration. Moreover, IoT devices have resource constraints and don’t have the necessary compute capabilities to implement robust security. For instance, temperature or humidity sensors can’t handle measures such as advanced encryption. 

Furthermore, IoT devices hardly ever receive patches and updates because, from the viewpoint of the manufacturer, built-in security is costly, limits the functionality, and slows down development. 

Legacy assets can’t take advantage of IoT security, and replacing the infrastructure is expensive, so experts use smart sensors retrofitted on them. However, these assets haven’t been updated and don’t have protection against modern threats. As such, an attack is very feasible.

Many systems offer limited updates, and security can lapse if the organization doesn’t provide additional support. Thus, additional protection can be challenging because various IoT devices remain in the network for extended periods.

Moreover, there are no industry-accepted criteria for IoT safety. Frameworks exist, but industry organizations and large corporations can’t agree on a single structure. Each has its specific standards, while industrial IoT has incompatible and proprietary standards. Thus, the numerous measures make it almost impossible to secure systems and ensure interoperability.

The convergence of operational technology and IT networks create various challenges for security teams. Many of the personnel have the task of ensuring end-to-end security and protecting systems outside of their expertise. The involvement of a learning curve compromises protection as IT personnel must have the appropriate skill sets to handle IoT security.

Organizations must take the necessary steps to seek a shared responsibility for security. Manufacturers, service providers, and end-users must play an important role. Prioritization of privacy and protection of devices, and default authorization and encryption, for instance, must take place. However, end-users must also accept part of the burden to ensure that they take the necessary precautions like changing passwords, using security software, and installing patches as needed.

IoT Security as an Obstacle to Technology Adoption

The security of the Internet of Things is a primary obstacle to successful technology adoption. This observation is correct even when you’re only in the early stages of deployment planning.

We look at three significant angles of this complicated issue, especially when you’re laying out the deployment of IoT sensors in your setup:

  • Software security patches
  • Network
  • Physical device

Software Patches

Some sensors of the Internet of Things have many built-in computing capabilities. Therefore, these devices may not accept remote updates and patches or run a security-software agent. This problem is tremendous and worrisome because of the daily discovery of software vulnerabilities that target IoT. If there’s no capability to patch these loopholes upon detection, you have a pressing issue.

Furthermore, some devices don’t have decent security and aren’t patchable. The only way to solve the dilemma is to search for a different product that does the functional task and provides more protection.

Discovery and Networking

One of the toughest problems to solve is securing the backend and IoT sensors connections. A majority of organizations don’t even know all their devices on their network. Therefore, device discovery is critical for the network security of the Internet of Things.

A primary explanation for the lack of visibility is the operational technology of IoT. The IT staff has no sole administration of network because even line-of-business personnel can connect devices to the system. There is no protocol to inform the tech group in charge of maintaining network security. Network operations people now have an unaccustomed headache because they used to control the topology of the entire network.

Aside from the close cooperation of IT personnel with the operations staff of the business, network scanners can automatically detect devices on the system through techniques such as network traffic analysis, whitelists, and device profiles. These factors ensure proper provisioning and monitoring of device connections on the network.

Physical Access

Frequently, physical access is a significant and straightforward concern for traditional IT security. Data centers have strict security, and switches and routers are in locations where unauthorized people can’t access or fiddle these peripherals discreetly. 

However, for the Internet of Things, well-established security practices aren’t evident. A few IoT implementations are easy to secure. A misfit can’t tinker with state-of-the-art diagnostic equipment in a secured hospital. The hacker can’t fiddle with intricate robotic manufacturing equipment in a limited access factory floor. Compromises can occur, but if a felon is still a threat even in secure locations.

Consequently, equipment around the metropolis, such as smart parking meters, traffic cameras, and noise sensors are easily accessible to the public. Soil sensors in agricultural areas and other technology in a sufficiently remote place aren’t safe either.

Diversified solutions are in place. For instance, enclosures and cases can stop a few attackers, but these things may be impractical in some situations. Video surveillance on these machines can also be a point of the intrusion. Thus, the IoT Security Foundation advocates the disabling of ports on a device. However, this recommendation isn’t necessary in some cases where there is a need for them to perform their functions. Moreover, it recommends implementing tamper-proof circuit boards and embedding these circuits in resin.

The post Prerequisites of IoT Security: Software, Network, Physical appeared first on .

Canadian consumers aren’t taking IoT security seriously enough, says ESET report

Despite rampant outbreak of cybersecurity incidents, consumers are still not taking proper steps to safeguard their internet-connected devices, concluded an ESET survey study with 4,000 participants. With a tally of 7 billion and counting, the number of IoT devices is expected to rise to 21 billion by 2025. According to IoT Analytics, the number of…

Canadian SMBs incur a potential productivity loss of CA$2 billion using older technology 

A recent study commissioned by Microsoft and Intel reported that the cost of using a PC older than four years is more than buying a new one.  As per StatsCanada, the country is home to around 1.2 million small and medium businesses. These businesses comprise 98.8 per cent of the total employee businesses in the…

D-Link router models affected by remote code execution issue that will not be fixed

Researchers at Fortinet’s FortiGuard Labs have publicly disclosed a critical remote code execution vulnerability affecting some models of D-Link routers. 

Security experts at Fortinet’s FortiGuard Labs disclosed a remote code execution vulnerability tracked as CVE-2019-16920. The vulnerability is an unauthenticated command injection issue that was discovered on September 2019. The flaw has received a CVSS v31 base score of 9.8 and a CVSS v20 base score of 10.0. 

The bad news for the users is that the vendor will not address it because it affects discontinued products.  

According to the Fortinet, the vulnerability impacts D-Link firmware in the DIR-655, DIR-866L, DIR-652, and DHP-1565 router families.

D-Link router

“In September 2019, Fortinet’s FortiGuard Labs discovered and reported an unauthenticated command injection vulnerability (FG-VD-19-117/CVE-2019-16920) in D-Link products that could lead to Remote Code Execution (RCE) upon successful exploitation. We rated this as a critical issue since the vulnerability can be triggered remotely without authentication.” reads the security advisory published by Fortinet.

The vulnerability could be exploited by an attacker sending arbitrary input to a “PingTest” gateway interface to achieve command injection.

“The vulnerability begins with a bad authentication check. To see the problem in action, we start at the admin page and then perform a login action.” continues the advisory. “Here, we implement the POST HTTP Request to “apply_sec.cgi” with the action ping_test. We then perform the command injection in ping_ipaddr. Even if it returns the login page, the action ping_test is still performed – the value of ping_ipaddr will execute the “echo 1234” command in the router server and then send the result back to our server. “

The experts discovered that it is possible to execute code remotely, even without the necessary privileges, due to bad authentication check.

The researchers reported the vulnerability to D-Link on September 22, the vendor the day after acknowledged the issue, but three days later confirmed that no patch will be released because the products are at End of Life (EOL),

Below the disclosure timeline:

  • 22 September, 2019: FortiGuard Labs reported the vulnerability to D-Link.
  • 23 September, 2019: D-Link confirmed the vulnerability
  • 25 September, 2019: D-Link confirmed these products are EOL
  • 3 October 2019: Public disclosure of the issue and released advisory

Pierluigi Paganini

(SecurityAffairs – routers, hacking)

The post D-Link router models affected by remote code execution issue that will not be fixed appeared first on Security Affairs.

Dutch police shut down bulletproof service hosting tens of DDoS botnets

Dutch police seized a bulletproof hosting service in a major takedown, the infrastructure was used by tens of IoT botnets involved in DDoS attacks.

A joint operation conducted by the Netherlands’ National Criminal Investigation Department and National Cyber Security Center allowed to track down and seize five servers that were composing a cybercrime underground bulletproof hosting service.

The servers were hosted at an unnamed data center in Amsterdam, it was used by tens of IoT botnets involved in DDoS attacks worldwide. The bulletproof hosting service was used to host malware and command and control systems of several DDoS botnets.

“Middelburg, Veendam, Amsterdam, Driebergen – The police has taken five servers offline that were used to control a version of a so-called botnet.” reads the press release published by the Dutch police. “The hardware was seized and the business operations stopped. A 24-year-old man from Veendam and a 28-year-old man from Middelburg were arrested on Tuesday evening. They are suspected of, among other things, computer breach and the spread of malware.”

Authorities revealed that they have received more than three thousand reports of malware spread through the bulletproof hosting service.over a period of one year.

The authorities also arrested two Dutch nationals who had been running a Mirai botnet from the servers of KV Solutions BV (KV hereinafter) bulletproof hosting service.

In this case, the police say, the people controlling those servers were a pair of Dutch nationals who had been running a Mirai botnet with cover from the bulletproof host.

“The investigation also revealed that this botnet was very aggressively trying to infect other devices, up to over a million attempts per month on one device,” the translated police statement reads.

“The investigation also revealed that this botnet was very aggressively trying to infect other devices, up to over a million attempts per month on one device. Which DDoS attacks can be attributed to this botnet is part of the further investigation.” continues the statement.

Authorities are analyzing the seized servers and the data they contain will likely lead to the arrests of other players in the cybercrime underground.

Pierluigi Paganini

(SecurityAffairs – bulletproof hosting service, malware)

The post Dutch police shut down bulletproof service hosting tens of DDoS botnets appeared first on Security Affairs.

Gucci IOT Bot Discovered Targeting European Region

Security Labs discovered a new IOT bot named “GUCCI”. It seems like the IOT botnet is named after an Italian luxury brand of fashion and leather goods.

Analysis

The discovery came to exist during our reconnaissance and intelligence collection process.  The IOT threat detection engine picked the infection IP has shown below hosting number of bins for different architectures

Gucci

Figure 1: GUCCI Bot Binaries

All the bins were successfully downloaded and magic headers were analyzed to check the type of file. Figure 2 highlights how the GUCCI bot binaries are compiled.

Figure 2:  Bot: compiled Binaries

As you can see the output in Figure 2, all the Gucci bot binaries are “stripped”.  This means that when these binaries were compiled all the debug symbols were removed from these executables to reduce the size. Listing 1 highlights the Md5 hashes of the binaries being analyzed.

MD5 (arm) = b24e88da025e2e2519a96dd874e6ba8bMD5 (arm5) = 24ef4178e365c902cfdd53d0ea0d1dc2MD5 (arm6) = 5a5a27635570b2c3634cab62beadc951MD5 (arm7) = c1ef67719e9762fc46aeb28a064fe0aeMD5 (m68k) = 2b984677ab9ee264a2dae90ca994a2a6MD5 (mips) = a0e0da3ae1ad1b94f0626c3e0cb311adMD5 (mpsl) = ee26f791f724f92c02d976b0c774290dMD5 (ppc) = e16f594cbdd7b82d74f9abc65e0fe677MD5 (sh4) = a70d246e911fe52638595ea97ed07342MD5 (spc) = d1b719ab9b7be08ea418b47492108dfaMD5 (x86) = de94d4718127959a494fe8fbc4aa5b2a
Listing 1: MD5 Hashes of the Gucci Bit Binaries

The binaries were found to be obfuscated in nature. On further analysis, it was analyzed that the Gucci bot was connecting to the  remote IP on the  TCP port “5555” and transmitting the data accordingly.  Digging deeper, we found that the remote host running a custom telnet service on TCP port 5555 and exchanging commands with Gucci bots regularly. When a test connection was initiated on TCP port 5555  using telnet client on remote IP,  the successful connection acceptance resulted in requirement of credentials.

Compromising C&C

Without authentication credential, it was not possible to access the service.  Considering all scenarios, automated brute force and account cracking attempts were performed. The account credentials were successfully cracked and connection was initiated and accepted as credentials are accepted.

Figure 3 highlights that Gucci bot Command and Control panel was hijacked and privilege access was obtained.                                                                                                                     

Figure 3: Gucci C&C Bot Panel

The C&C listed out the different type of Denial of Service (DoS) attack types supported by the Gucci bot. The support scans are:

  • HTTP null scan
  • UDP flood
  • Syn flood
  • ACK flood
  • UDP flood with less protocol options
  • GRE IP flood
  • Value Source Engine specific flood

It was noticed that Gucci bot was in early stages of deployment.  It was also analyzed that  the botnet operator was monitoring all the access connections to the Gucci C&C.  As soon as the botnet operator realized that the C&C has been compromised, the TCP service was removed from the host and operator cleaned the directories and performed an additional set of operations to hide indicators and artefacts.  The binaries were distributed from the location as provided in Figure 4

Figure 4: Gucci Bot – Source of Distribution

Inference

A new IOT bot Gucci has been discovered and analyzed accordingly.  The botnet operator was found to be very proactive. The whole analysis and obtaining C&C  access was like an arms race.  The purpose of this research is to share the discovery details with the security research community so that extracted intelligence can be used to fingerprint, detect and prevent Gucci bot infections. It is anticipated the Gucci botnet is still in active phase and targeting European region. However, the attacks triggered by Gucci bot could be broad based or targeted depending on the requirements.

About the authors:

Aditya K Sood is a Cyber Security Expert and working in the field for more than 11 years now. His work can be found at: https://adityaksood.com;

Rohit Bansal is a Principal Security Researcher at SecNiche Security Labs

Pierluigi Paganini

(SecurityAffairs – malware, botnet)

The post Gucci IOT Bot Discovered Targeting European Region appeared first on Security Affairs.

Tridium Niagara framework affected by 2 flaws in BlackBerry QNX OS

Tridium’s Niagara product is affected by two vulnerabilities in BlackBerry’s QNX operating system for embedded devices.

The U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) is warning of two vulnerabilities in Tridium’s Niagara product that reside in the BlackBerry’s QNX operating system for embedded devices.

The flaws could be exploited by a local user to escalate their privileges.

The Niagara Framework is a universal software infrastructure developed by Tridium that allows building controls integrators, HVAC and mechanical contractors to build custom, web-enabled applications for accessing, automating and controlling smart devices real-time via local network or over the Internet.

Tridium Niagara product

The Niagara framework is widely adopted, especially in the commercial facilities, government facilities, critical manufacturing and IT sectors.

The security flaws impact Niagara AX 3.8u4, 4.4u3 and 4.7u1.

The most severe vulnerability, tracked as CVE-2019-8998, is an information disclosure flaw related to the procfs service that can be exploited by a local attacker for privilege escalation.

The flaw was discovered by Johannes Eger and Fabian Ullrich of the Secure Mobile Networking Lab at TU Darmstadt in Germany and received a CVSS score of 7.8.

“This advisory addresses an information disclosure vulnerability leading to a potential local escalation of privilege in the default configuration of the procfs service (the /proc filesystem) on affected versions of the BlackBerry QNX Software Development Platform (QNX SDP) that could potentially allow a successful attacker to gain unauthorized access to a chosen process address space.” reads the advisory.

BlackBerry QNX confirmed that it is not aware of attacks exploiting the flaw in the wild.

The second vulnerability, tracked as CVE-2019-13528, is an improper authorization issue, it could allow a specific utility to gain read access to privileged files.

“A specific utility may allow an attacker to gain read access to privileged files in the Niagara AX 3.8u4 (JACE 3e, JACE 6e, JACE 7, JACE-8000), Niagara 4.4u3 (JACE 3e, JACE 6e, JACE 7, JACE-8000), and Niagara 4.7u1 (JACE-8000, Edge 10).” reads the advisory.

This flaw was reported by Francisco Tacliad and it received a CVSS score of 4.4.

Tridium has released updates that address these vulnerabilities and recommends users update to the versions identified below:

  • Niagara AX 3.8u4: 
    • OS Dist: 2.7.402.2
    • NRE Config Dist: 3.8.401.1
  • Niagara 4.4u3:
    • OS Dist: 4.4.73.38.1 NRE Config
    • Dist: 4.4.94.14.1
  • Niagara 4.7u1:
    • OS Dist: (JACE 8000) 4.7.109.16.1
    • OS Dist (Edge 10): 4.7.109.18.1
    • NRE Config Dist: 4.7.110.32.1

Pierluigi Paganini

(SecurityAffairs – Tridium, IoT)

The post Tridium Niagara framework affected by 2 flaws in BlackBerry QNX OS appeared first on Security Affairs.

McAfee Receives the 2019 Security Excellence Award From IoT Evolution

If you’re like most users, you’ve probably adopted several smart devices into your home over the last few years. Whether it be voice assistants, smart TVs, thermostats, or gaming systems, IoT devices help make our lives easier. But with greater connectivity also comes greater exposure to online threats. However, that doesn’t mean users should avoid using IoT technology altogether. With the help of smart security, users can feel safe and protected as they bring new gadgets into their lives. Solutions like McAfee Secure Home Platform, which is now the winner of the IoT Security Excellence Award, can help users connect with confidence.

Here at McAfee, we know smart security is more important now than ever before. That’s why we work tirelessly to ensure that our solutions provide consumers with the best protection possible. For example, McAfee Secure Home Platform provides automatic protection for the entire home network by automatically securing connected devices through a router with McAfee protection. It’s through the proactive evolution of our products that McAfee Secure Home Platform has received this 2019 IoT Security Excellence Award from IoT Evolution World, the leading publication covering IoT technologies.

The IoT Security Excellence Award celebrates the most innovative products and solutions in the world of IoT. It honors technology empowered by the new availability of information being deduced, inferred, and directly gathered from sensors, systems, and anything else that is supporting better business and personal decisions. Winners of this award are recognized for their innovation in gathering and managing information from connected devices that often are not associated with IoT.

“We are thrilled that McAfee Secure Home Platform has been recognized by IoT Evolution World as a recipient of the 2019 IoT Evolution Security Excellence Award. We continue to prioritize creating solutions that lead with ease of use and first-class protection, in order for consumers to best protect every connected device in their homes.” – Gary Davis, Chief Consumer Security Evangelist at McAfee.

As long as technology continues to evolve, so will the threat landscape. This is what drives us to keep developing leading solutions that help you and your loved ones connect with confidence. Solutions like McAfee Secure Home Platform are leading the charge in providing top home network security while still empowering users to enjoy their smart devices.

To stay updated on the latest consumer and mobile security threats, be sure to follow @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post McAfee Receives the 2019 Security Excellence Award From IoT Evolution appeared first on McAfee Blogs.

Exclusive: MalwareMustDie analyzes a new IoT malware dubbed Linux/ AirDropBot

After 2 years of waiting, MalwareMustDie returns with an excellent page of malware analysis of a new IoT malware: Linux/AirDropBot.

Yes, I have to confess, it was hard to wait all this time, but the reward it was worth it: unixfreaxjp is return, with a new, great page of reverse engeeniring published on the MalwareMustDie blog post: “MMD-0064-2019 – Linux/AirDropBot

And this is not only “the” Odisseus’s opinion, just because I can be addressed as a member of  MalwareMustDie crew: this last post IT IS a masterpiece technically speaking, because here unixfreaxjp reveals some unique and undocumented best practices in order to reverse Linux malware binaries (Intel and not Intel platforms), providing to every whitehat reverser many references and howtos to deal with ELF Linux malware, mixing theory and practice and showing how is incredibly useful the use of Radare r2 and Tsurgi distribution.

Don’t know if is because I have asked to my friend unixfreaxjp many times to publicly show how Radare r2 can be be used with great results, but after this post we can definitively state that, once again, Radare r2 has nothing to envy of the best commercial tools used in many reverse engineering tutorials that are available on Youtube.

In fact this time we have not a “simple” blog post, but a rich, strong and powerful technical lesson on how stripped binaries can be reversed even if they are “indeed” stripped.

Unixfreaxjp step by step leads the reader to understand how a malware code is build, which are the methods, which are the secrets, with are the hidden techniques used by the coders to hide and encrypt as much as possible the C2 address, how the operative commands coming from the C2 are parsed, and how almost everything can be reconstructed to get the source code back from any stripped binary.

The beginning of the story: another IoT malware in the wild?

But let’s go back to the beginning of the story when my very good friend @0xrb found in his honeypot this new “Mirai like” Linux malware, which has important differences with the Mirai implementation. He understood immediately that there was something strange in this new “Mirai variant”, to proposing the sample to MalwareMustDie team: here it is his early tweet.

It is possible to give a look also to the logs of the malware that @0xrb published on Pastebin: here a lot of information is made available during the running phase. One of them, for example, is the C2 server.

The C2 of the botnet was: 147.135.174.119

As unixfreaxjp states in his post, @0xrb has successfully submitted the sample to MalwareMustDie team in order to better analyze it, and the result is another great page of Linux malware reversing, that every malware analyst should read and re-read.

We will overfly the technical analysis because the MalwareMustDie post is extremely clear and explanatory in every single part of its analysis.

Coming to the core topic: IoT botnet threat and their ecosystem

New Linux developed malware aiming internet of things is happening a lot, and as previously mentioned, it has been driven by the money scheme that is fueling its botnet ecosystem as per previously posted in Security Affairs, this is still the main reason why new freshly coded malware in this sector is always coming up.

First spotted in the internet on August 3rd, 2019, a new Linux/AirDropBot has been reported, is a malware that has been built to aim many embedded Linux OS platform, it is meant to propagate its botnet into several originally coded and built for aiming the IoT used platforms. It’s still not in the final stage of development judging from some uncoded functions,  but the adversary mission is clear, to get as much Linux IoT infected as possible and get rid of his competitors. It was first detected as Mirai or Gafgyt like during the detection spotted in the first series of samples, and this may make researchers in Linux malware ignored its first existence.

So many processors are aimed by the malware, but if CPU like ARC Cores, Renesas SH, Motorola m68000, Altera Nios II, Tensilica Xtensa and Xilinx MicroBlaze CPU is aimed along with other generic cross-compiled CPU (MIPS/ARM/PPC/SPARC/Intel), the herder meant serious business to “pwn” the reachable IoTs. The binary is having two categories, the one that acts as bots and meant to infect the small devices and for bigger systems it has the worm-like vulnerability scanner aims CGI page on routers (in this version is aiming HTTP port 8080 on specific product CGI file) that can infect itself in a worm-like style along with the telnet scanning basis (attacking TCP port 23 or 2323).

The analysis made in MalwareMustDie blog’s recent post “MMD-0064-2019 – Linux/AirDropBot” is showing the latest binary sets, used by the adversaries behind this botnet. Scanner function for exploiting a certain router’s vulnerability is hardcoded and this threat is also aiming at other exploit too on older samples delivery. The overall idea is a known ones but the code is newly made.

Final considerations on the behavior to take in order to face this threat.

Internet of things are on improvement for its security quality, and governments all over the globe are seriously handling this, for example in the US the “Security Feature Recommendations for IoT Devices” by NIST is a good recommended plan, in the UK a voluntary code of practice (CoP) to help manufacturers boost the security of internet-connected devices that make up the internet of things (IoT) has been published, or in Japan the Project to Survey IoT Devices and to Alert Users has been started. Yet, there are a lot of products to handle and vulnerabilities for these products which are also researched at the same time by adversaries.
This makes IoT threat is still making a lot of issues since day-by-day new exploit issue actually comes up, old issues are re-used, unpatched segments are revealed and aimed.

Are we the wrong track then? I don’t think so. Yes, the process takes time and what we can do is keep on improving the detection on a new threat, containment, and response as prevention to strengthen the defense scheme for the platform, along with the parallel legal works on stopping adversaries. If we are committing to keep on doing these steps the adversaries will find more demerits than merits to keep on hammering is with their botnets.

About the Author: 

Odisseus – Independent Security Researcher involved in Italy and worldwide in topics related to hacking, penetration testing and development.

Pierluigi Paganini

(SecurityAffairs – AirDropBot, malware)

The post Exclusive: MalwareMustDie analyzes a new IoT malware dubbed Linux/ AirDropBot appeared first on Security Affairs.

5G and IoT: How to Approach the Security Implications

Experts from Nokia, iboss and Sectigo talk 5G mobile security for internet of things (IoT) devices in this webinar YouTube video (transcript included).

Smominru Botnet continues to rapidly spread worldwide

Researchers at Guardicore Labs reported that the Smominru botnet is rapidly spreading and now is already infecting over 90,000 machines each month around worldwide.

In February 2018, researchers from Proofpoint discovered a huge botnet dubbed ‘Smominru’ that was using the EternalBlue exploit to infect Windows computers and recruit them in Monero cryptocurrency mining activities. According to the researchers, the Smominru botnet has been active at least since May 2017 and at the time of its discovery infected more than 526,000 Windows computers.

According to a new report published by the researchers at Guardicore Labs, the Smominru, is rapidly spreading and now is already infecting over 90,000 machines each month around worldwide.

The report published by Guardicore Labs researchers analyzes the attack chain and the nature of the victims.

Experts discovered that many machines recruited in the botnet were reinfected even after removing the Smominru, a circumstance that suggests that these systems remain unpatched since first infection. 

“During August, the Smominru botnet infected 90,000 machines around the world, with an infection rate of 4,700 machines per day. Countries with several thousands of infected machines include China, Taiwan, Russia, Brazil and the US.” reads the report published by the experts.

Most of the infected systems are Windows 7 and Windows Server 2008, representing 85 percent of all infections, in China, Taiwan, Russia, Brazil and the US.

In just one month, the worm infected more than 4,900 networks, some of them had dozens of internal machines infected. The largest network belongs to a healthcare provider in Italy, experts observed a total of 65 infected hosts.

Once compromised the system, a first-stage Powershell script named blueps.txt is downloaded onto the machine. This script performs the following actions:

  • It downloads and executes three binary files;
  • It creates a new administrative user named admin$ on the system;
  • It downloads additional scripts to perform malicious actions.

Smominru

Once gained access to the targeted systems, Smominru installs a Trojan module and a cryptocurrency miner and attempt to infect other machines inside the target network.

The botnet main purpose continues to be crypto-mining but recently experts observed that operators added a data harvesting module and Remote Access Trojan (RAT) to their botnet’s cryptocurrency mining code.

The latest variant of Smominru downloads and runs at least 20 distinct malicious scripts and binary payloads, including a worm downloader and an MBR rootkit.

The storage infrastructure is widely distributed, experts found more than 20 servers, each of them serves a few files and each file references additional 2-3 servers.

Operators stored many of the files on more than one hosting server, to improve the resilience of attack infrastructure to takedowns and its flexibility.

Most of the machines are located in the US, with some hosted by ISPs in Malaysia and Bulgaria. 

“The attackers create many backdoors on the machine in different phases of the attack. These include newly-created users, scheduled tasks, WMI objects and services set to run at boot time.”continues the report.”The MS-SQL attack flow includes a unique persistence method; the attackers use the obscure task scheduling engine inside MS-SQL to run jobs at different time intervals, e.g. upon reboot, every 30 minutes, etc. “

Guardicore Labs experts managed to gain access to one of the attackers’ servers and analyzed its content to gather information on the nature of the victims.

“The attackers’ logs describe each infected host; they include its external and internal IP addresses, the operating system it runs and even the load on the system’s CPU(s). Furthermore, the attackers attempt to collect the running processes and steal credentials using Mimikatz,” the researchers say. continues the report.

Unlike previous variants, the new Smominru bot also removes infections from compromised systems and blocking TCP ports (SMB, RPC) to prevent infections by other threat actors.

Further data, including Indicators of Compromise, are reported in the analysis published by the experts.

Pierluigi Paganini

(SecurityAffairs – APT, hacking)

The post Smominru Botnet continues to rapidly spread worldwide appeared first on Security Affairs.

Are IoT Threats Discussed In The Cybercriminal Underground?

With IoT devices expected to reach tens of billions in the next few years, is it any wonder that cybercriminals are looking for ways to take advantage of this massive attack surface to generate illicit money?

A number of Trend Micro researchers from around the globe decided to look into this and launched a research project to dive into five different cybercriminal undergrounds (Russia, Portuguese, English, Arabic, and Spanish) to identify what conversations are occurring, what attacks and threats are being utilized, and the reasons for using IoT by members of these undergrounds. A detailed report can be downloaded here for those who want to read up on their findings.

I’d like to give you my three key takeaways from the research:

  1. Not all Undergrounds are alike: Russia has the most experienced membership and are the best at monetizing IoT attacks. Portuguese is next with the other three still very early in their abilities to monetize attacks. A lot of undergrounds include tutorials to help educate members on many different areas of IoT threats. We think this collaboration will improve their abilities quickly and turn this threat into a significant one in the near future.
  2. Monetization is mainly through botnets: Most of the money today is made through attacks perpetrated by already infected devices that have been turned into botnets. From DDoS to VPN Exit Nodes, malicious actors infect many devices and utilize the power of many to turn their limited computing power into a collective powerhouse. Other actors sell their services to peers who don’t have the knowledge or don’t have the resources to perpetrate an attack.
  3. Routers are a primary target: In our analysis, many of the attacks and threats being distributed within the undergrounds target routers, mainly consumer routers. Routers are a good target as they access many devices within the network behind it which can then be used to launch attacks against others.

There is no doubt that IoT devices are being used more and more in attacks or as the target of an attack, and there is a lot of chatter within multiple undergrounds around the world to raise awareness and interest around this attack surface.Our report is intended to give information on what cybercriminals are doing now or will be doing with IoT in the future and show it is a global phenomenon.

For consumers and organizations, be aware that devices you own are a likely target for attacks, and most likely today to be added into an existing botnet. Mirai is the dominant IoT threat today and will likely continue as malicious actors create variants of this malware.

Check out our report for more details on what our researchers found and for more information about IoT and how to protect devices, visit our IoT Security section on the web.

The post Are IoT Threats Discussed In The Cybercriminal Underground? appeared first on .

iPhone Users: Here’s What You Need to Know About the Latest iOS Hacks

iPhone hacks have often been considered by some to be a rare occurrence. However, a group of Google researchers recently discovered that someone has been exploiting multiple iPhone vulnerabilities for the last two years. How? Simply by getting users to visit a website.

How exactly does this exploitation campaign work? According to WIRED, researchers revealed a handful of websites that had assembled five exploit chains. These exploit chains are tools that link security vulnerabilities together and allow a hacker to penetrate each layer of iOS digital protections. This campaign took advantage of 14 security flaws, resulting in the attacker gaining complete control over a user’s phone. Researchers state that these malicious sites were programmed to assess the Apple devices that loaded them and compromise the devices with powerful monitoring malware if possible. Once the malware was installed, it could monitor live location data, grab photos, contacts, passwords, or other sensitive information from the iOS Keychain.

So, what makes this attack unique? For starters, this exploitation campaign hides in plain sight, uploading information without any encryption. If a user monitored their network traffic, they would notice activity as their data was being uploaded to the hacker’s server. Additionally, a user would be able to see suspicious activity if they connected their device to their computer and reviewed console logs. Console logs show the codes for the programs being run on the device. However, since this method would require a user to take the extra step of plugging their iPhone into a computer, it’s highly unlikely that they would notice the suspicious activity.

Although iOS exploits usually require a variety of complexities to be successful, this exploitation campaign proves that iOS hacking is very much alive and kicking. So, what can Apple users do to help ward off these kinds of attacks? Here’s how you can help keep your device secure:

  • Install automatic updates. In your device settings, choose to have automatic updates installed on your device. This will ensure that you have the latest security patches for vulnerabilities like the ones leveraged in these exploit chains as soon as they’re available.

And, as always, to stay on top of the latest consumer and mobile security threats, be sure to follow @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post iPhone Users: Here’s What You Need to Know About the Latest iOS Hacks appeared first on McAfee Blogs.

Overview of NIST 800-171b: 33 Enhanced Security Requirements to Help Protect DoD Contractors

In early July, NIST released draft versions of two new publications: NIST SP 800-171 Revision 2: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations and NIST SP 800-171B: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations: Enhanced Security Requirements for Critical Programs and High Value Assets. NIST explains that its “SP 800-171 Revision […]… Read More

The post Overview of NIST 800-171b: 33 Enhanced Security Requirements to Help Protect DoD Contractors appeared first on The State of Security.

The manufacturing industry’s major cybersecurity challenges

Estimated reading time: 3 minutes

Until recently, the manufacturing sector as a whole rarely took cyber threats seriously. This was primarily due to the domain’s outlook that it was a highly specialized industry and hence would not be on the radar of cyberattackers. The outlook started to change after annihilating cyberattacks such as spear-phishing attacks on Saudi Aramco, Stuxnet and the LockerGoga started to surface.

Citing one of the latest cyberattacks, Airbus faced a threat this year when it reported that it had detected an attack on its information systems which resulted in a data breach. Though it did not affect their operations, Airbus did admit that employee-related details had been lost in the breach.

It was events like these when this industry realized that it too is equally prone to cyber threats that can shut down entire production lines and have ramifications throughout the supply chain.

In fact, according to Seqrite’s Q2 Threat Report, cyberattacks are on the prowl in manufacturing, especially in the automobile sector.

We discuss key channels for attackers to target the this industry.

  1. Data breaches

Manufacturers store a vast range of often specialized and classified data on their systems. This ranges from the projects they are working on, blueprints for future products that companies would like to be secretive about, confidential financial data and a lot more. Hackers are aware that this data is a potential goldmine putting manufacturers at risk of data breaches which can lead to disastrous consequences. Manufacturing companies must recognize that the risk of data breaches actually exists and work hard to plug the gap.

  1. Internet of Things and connected manufacturing

The manufacturing industry is increasingly moving towards an era of smart manufacturing where the shop floor and the supply chain are progressively getting interconnected. This helps to speed-up production and time-to-market but also creates an ecosystem where there is a reduced division between different stages in the manufacturing lifecycle.

Although beneficial, this increases the risk of a cyberattack in multitudes – the risk of a single cybersecurity breach can have a deep impact on a manufacturing plant.

Furthermore, with futuristic technologies like the Internet of Things (IoT) seeing enterprise adoption at lightning speeds, manufacturers, now, have to deal with an added cyber threat channel.

  1. IP theft

Intellectual property is the manufacturing industry’s key asset and prized possession. Hence, it is obvious that if it goes in the wrong hands, this could cause immense reputational and financial damage to a manufacturing company. While most companies in this sector have strict rules for employees on the information they can disseminate to external sources, enterprise stakeholders do not consider that the risk for IP theft can also come from cyber attacks, whether it’s data breaches or insider threats.

  1. Falling behind in the skills gap

Mostly, the manufacturing industry collectively understands the importance of specialized knowledge and hiring people with expert skills to solve the problems they face in day-to-day operations. However, considering the current dangerous scenario of enterprise cyberattacks, this needs to be extended to resolve their cybersecurity problems as well.

After all, cybersecurity is a specialized issue and it requires specific people with the correct training and knowledge to tackle it. The manufacturing industry must look beyond a conventional IT department to tackle cyberthreats.

  1. Regulation and compliance

The manufacturing industry has mandates to comply with regulations at a national and an international level that currently encapsulates cybersecurity as well. Most manufacturing companies nowadays operate under some sort of regulatory control for their data. Often this information is stored in the cloud with very limited access and under strict regulations.

If this data privacy is violated, it can have serious consequences and is a factor to be kept in mind when considering a cloud network security strategy.

Keeping the above in mind, it is important for the manufacturing sector to prioritize cybersecurity and invest in solutions like Seqrite Endpoint Security (EPS) and Unified Threat Management (UTM) to ensure they remain protected in this day and age of sophisticated and tailor-made cyberattacks towards the enterprise.

The post The manufacturing industry’s major cybersecurity challenges appeared first on Seqrite Blog.

Boost Your Bluetooth Security: 3 Tips to Prevent KNOB Attacks

Many of us use Bluetooth technology for its convenience and sharing capabilities. Whether you’re using wireless headphones or quickly Airdropping photos to your friend, Bluetooth has a variety of benefits that users take advantage of every day. But like many other technologies, Bluetooth isn’t immune to cyberattacks. According to Ars Technica, researchers have recently discovered a weakness in the Bluetooth wireless standard that could allow attackers to intercept device keystrokes, contact lists, and other sensitive data sent from billions of devices.

The Key Negotiation of Bluetooth attack, or “KNOB” for short, exploits this weakness by forcing two or more devices to choose an encryption key just a single byte in length before establishing a Bluetooth connection, allowing attackers within radio range to quickly crack the key and access users’ data. From there, hackers can use the cracked key to decrypt data passed between devices, including keystrokes from messages, address books uploaded from a smartphone to a car dashboard, and photos.

What makes KNOB so stealthy? For starters, the attack doesn’t require a hacker to have any previously shared secret material or to observe the pairing process of the targeted devices. Additionally, the exploit keeps itself hidden from Bluetooth apps and the operating systems they run on, making it very difficult to spot the attack.

While the Bluetooth Special Interest Group (the body that oversees the wireless standard) has not yet provided a fix, there are still several ways users can protect themselves from this threat. Follow these tips to help keep your Bluetooth-compatible devices secure:

  • Adjust your Bluetooth settings. To avoid this attack altogether, turn off Bluetooth in your device settings.
  • Beware of what you share. Make it a habit to not share sensitive, personal information over Bluetooth.
  • Turn on automatic updates. A handful of companies, including Microsoft, Apple, and Google, have released patches to mitigate this vulnerability. To ensure that you have the latest security patches for vulnerabilities such as this, turn on automatic updates in your device settings.

And, of course, to stay updated on all of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Boost Your Bluetooth Security: 3 Tips to Prevent KNOB Attacks appeared first on McAfee Blogs.

How to Build Your 5G Preparedness Toolkit

5G has been nearly a decade in the making but has really dominated the mobile conversation in the last year or so. This isn’t surprising considering the potential benefits this new type of network will provide to organizations and users alike. However, just like with any new technological advancement, there are a lot of questions being asked and uncertainties being raised around accessibility, as well as cybersecurity. The introduction of this next-generation network could bring more avenues for potential cyberthreats, potentially increasing the likelihood of denial-of-service, or DDoS, attacks due to the sheer number of connected devices. However, as valid as these concerns may be, we may be getting a bit ahead of ourselves here. While 5G has gone from an idea to a reality in a short amount of time for a handful of cities, these advancements haven’t happened without a series of setbacks and speedbumps.

In April 2019, Verizon was the first to launch a next-generation network, with other cellular carriers following closely behind. While a technological milestone in and of itself, some 5G networks are only available in select cities, even limited to just specific parts of the city. Beyond the not-so widespread availability of 5G, internet speeds of the network have performed at a multitude of levels depending on the cellular carrier. Even if users are located in a 5G-enabled area, if they are without a 5G-enabled phone they will not be able to access all the benefits the network provides. These three factors – user location, network limitation of certain wireless carriers, and availability of 5G-enabled smartphones – must align for users to take full advantage of this exciting innovation.

While there is still a lot of uncertainty surrounding the future of 5G, as well as what cyberthreats may emerge as a result of its rollout, there are a few things users can do to prepare for the transition. To get your cybersecurity priorities in order, take a look at our 5G preparedness toolkit to ensure you’re prepared when the nationwide roll-out happens:

  • Follow the news. Since the announcement of a 5G enabled network, stories surrounding the network’s development and updates have been at the forefront of the technology conversation. Be sure to read up on all the latest to ensure you are well-informed to make decisions about whether 5G is something you want to be a part of now or in the future.
  • Do your research. With new 5G-enabled smartphones about to hit the market, ensure you pick the right one for you, as well as one that aligns with your cybersecurity priorities. The right decision for you might be to keep your 4G-enabled phone while the kinks and vulnerabilities of 5G get worked out. Just be sure that you are fully informed before making the switch and that all of your devices are protected.
  • Be sure to update your IoT devices factory settings. 5G will enable more and more IoT products to come online, and most of these connected products aren’t necessarily designed to be “security first.” A device may be vulnerable as soon as the box is opened, and many cybercriminals know how to get into vulnerable IoT devices via default settings. By changing the factory settings, you can instantly upgrade your device’s security and ensure your home network is secure.
  • Add an extra layer of security.As mentioned, with 5G creating more avenues for potential cyberthreats, it is a good idea to invest in comprehensive mobile security to apply to all of your devices to stay secure while on-the-go or at home.

Interested in learning more about IoT and mobile security trends and information? Follow @McAfee_Home on Twitter, and ‘Like” us on Facebook.

The post How to Build Your 5G Preparedness Toolkit appeared first on McAfee Blogs.

Evolved IoT Linux Worm Targets Users’ Devices

Since the early ‘90s, Linux has been a cornerstone of computer operating systems. Today, Linux is everywhere — from smartphones and streaming devices to smart cars and refrigerators. This operating system has been historically less susceptible to malware, unlike its contemporaries such as Windows or Mac OS. However, the widespread adoption of IoT devices has changed that, as security vulnerabilities within Linux have been found over time. These flaws have been both examined by researchers in order to make repairs and also exploited by hackers in order to cause disruption.

As recently as last month, a new strain of a Linux bricking worm appeared, targeting IoT devices– like tablets, wearables, and other multimedia players. A bricking worm is a type of malware that aims to permanently disable the system it infects. This particular strain, dubbed Silex, was able to break the operating systems of at least 4,000 devices. By targeting unsecured IoT devices running on Linux, or Unix configurations, the malware went to work. It quickly rendered devices unusable by trashing device storage, as well as removing firewalls and other network configurations. With this threat, many users will initially think their IoT device is broken, when really it is momentarily infected. To resolve the issue, users must manually download and reinstall the device’s firmware, which can be a time consuming and difficult task. And while this incident is now resolved, Silex serves as a cautionary tale to users and manufacturers alike as IoT devices continue to proliferate almost every aspect of everyday life.

With an estimated 75.4 billion IoT connected devices installed worldwide by 2025, it’s important for users to remain focused on securing all their devices. Consider these tips to up your personal device security:

  • Keep your security software up-to-date. Software and firmware patches are always being released by companies. These updates are made to combat newly discovered vulnerabilities, so be sure to update every time you’re prompted to.
  • Pay attention to the news. With more and more information coming out around vulnerabilities and flaws, companies are more frequently sending out updates for IoT devices. While these should come to you automatically, be sure to pay attention to what is going on in the space of IoT security to ensure you’re always in the know.
  • Change your device’s factory security settings. When it comes to IoT products, many manufacturers aren’t thinking “security first.” A device may be vulnerable as soon as the box is opened, and many cybercriminals know how to get into vulnerable IoT devices via default settings. By changing the factory settings, you are instantly upgrading your device’s security.
  • Use best practices for linked accounts. If you connect a service that leverages a credit card, protect that linked service account with strong passwords and two-factor authentication (2FA) where possible. In addition, pay attention to notification emails, especially those regarding new orders for goods or services. If you notice suspicious activity, act accordingly.
  • Set up a separate IoT network. Consider setting up a second network for your IoT devices that doesn’t share access with your other devices and data. You can check your router manufacturer’s website to learn how. You may also want to add another network for guests and their devices.
  • Get security at the start. Lastly, consider getting a router with built-in security features to make it easier to protect all the devices in your home from one place.

Interested in learning more about IoT and mobile security trends and information? Follow @McAfee_Home on Twitter, and ‘Like” us on Facebook.

The post Evolved IoT Linux Worm Targets Users’ Devices appeared first on McAfee Blogs.

Is Your Smart Home Secure? 5 Tips to Help You Connect Confidently

With so many smart home devices being used today, it’s no surprise that users would want a tool to help them manage this technology. That’s where Orvibo comes in. This smart home platform helps users manage their smart appliances such as security cameras, smart lightbulbs, thermostats, and more. Unfortunately, the company left an Elasticsearch server online without a password, exposing billions of user records.

The database was found in mid-June, meaning it’s been exposed to the internet for two weeks. The database appears to have cycled through at least two billion log entries, each containing data about Orvibo SmartMate customers. This data includes customer email addresses, the IP address of the smart home devices, Orvibo usernames, and hashed passwords.

 

More IoT devices are being created every day and we as users are eager to bring them into our homes. However, device manufacturers need to make sure that they are creating these devices with at least the basic amount of security protection so users can feel confident utilizing them. Likewise, it’s important for users to remember what risks are associated with these internet-connected devices if they don’t practice proper cybersecurity hygiene. Taking the time to properly secure your devices can mean the difference between a cybercriminal accessing your home network or not. Check out these tips to help you remain secure when using your IoT devices:

  • Research before you buy. Although you might be eager to get the latest device, some are made more secure than others. Look for devices that make it easy to disable unnecessary features, update software, or change default passwords. If you already have an older device that lacks these features, consider upgrading.
  • Safeguard your devices. Before you connect a new IoT device to your network, be sure to change the default username and password to something strong and unique. Hackers often know the default settings of various IoT devices and share them online for others to expose. Turn off other manufacturer settings that don’t benefit you, like remote access, which could be used by cybercriminals to access your system.
  • Update, update, update. Make sure that your device software is always up-to-date. This will ensure that you’re protected from any known vulnerabilities. For some devices, you can even turn on automatic updates to ensure that you always have the latest software patches installed.
  • Secure your network. Just as it’s important to secure your actual device, it’s also important to secure the network it’s connected to. Help secure your router by changing its default name and password and checking that it’s using an encryption method to keep communications secure. You can also look for home network routers or gateways that come embedded with security software like McAfee Secure Home Platform.
  • Use a comprehensive security solution. Use a solution like McAfee Total Protection to help safeguard your devices and data from known vulnerabilities and emerging threats.

And, as always, to stay updated on all of the latest consumer and mobile security threats, follow @McAfee_Home  on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Is Your Smart Home Secure? 5 Tips to Help You Connect Confidently appeared first on McAfee Blogs.