Category Archives: nsa

Multiple APT groups are exploiting VPN vulnerabilities, NSA warns

NSA is warning of multiple state-sponsored cyberespionage groups exploiting enterprise VPN Flaws

Last week, the UK’s National Cyber Security Centre (NCSC) reported that advanced persistent threat (APT) groups have been exploiting recently disclosed VPN vulnerabilities in enterprise VPN products in attacks in the wild. Threat actors leverage VPN vulnerabilities in Fortinet, Palo Alto Networks and Pulse Secure, to breach into the target networks.

The UK agency reported that APT groups target several vulnerabilities, including CVE-2019-11510 and CVE-2019-11539 in Pulse Secure VPN solutions, and CVE-2018-13379,

The CVE-2018-13379 is a path traversal vulnerability in the FortiOS SSL VPN web portal that could be exploited by an unauthenticated attacker to download FortiOS system files. The CVE-2018-13379 flaw could be exploited to obtain administrator credentials in plain text.

The CVE-2019-11510 flaw in Pulse Connect Secure is a critical arbitrary file read vulnerability.

APT groups also exploit CVE-2018-13382, CVE-2018-13383, and CVE-2019-1579, in Palo Alto Networks products.

The vulnerabilities were first reported in July by researchers Orange Tsai and Meh Chang from DEVCORE that found several flaws in Fortinet, Palo Alto Networks and Pulse Secure products. The issues could be exploited by threat actors to access corporate networks and steal sensitive documents

Microsoft researchers recently reported that the APT5 cyberespionage group (aka MANGANESE) has been exploiting VPN vulnerabilities since July, some weeks before PoC exploits were publicly discosed.

Now NSA is warning of multiple state-sponsored cyberespionage groups exploiting enterprise VPN Flaws

“Multiple Nation State Advanced Persistent Threat (APT) actors have weaponized CVE-2019-11510, CVE-2019-11539, and CVE-2018-13379 to gain access to vulnerable VPN devices.” reads the security advisory published by the NSA.

“If a malicious actor previously exploited the vulnerability to collect legitimate credentials, these credentials would still be valid after patching. NSA recommends resetting credentials after a vulnerable VPN device is upgraded and before it is reconnected to the external network:

  • Immediately update VPN user, administrator, and service account credentials.
  • Immediately revoke and generate new VPN server keys and certificates. This may require redistributing VPN connection information to users.
  • If compromise is suspected, review accounts to ensure no new accounts were created by adversaries.”

Both NCSC or NSA intelligence agencies confirmed that APT groups targeted several sectors, including military, government, academic, business and healthcare. The security advisories published by the agencies did not name any APTs leveraging the above VPN vulnerabilities.

In August, BadPackets experts observed a mass scanning activity targeting Pulse Secure “Pulse Connect Secure” VPN endpoints vulnerable to CVE-2019-11510. At the time, over 14,000 vulnerable Pulse Secure endpoints were hosted by more than 2,500 organizations. The number of vulnerable endpoints dropped to roughky 6,000 by October 8, most of them in the United States, Japan and the UK.

Pierluigi Paganini

(SecurityAffairs – VPN vulnerabilities, hacking)

The post Multiple APT groups are exploiting VPN vulnerabilities, NSA warns appeared first on Security Affairs.

Researchers discovered a code execution flaw in NSA GHIDRA

Security researchers discovered a code-execution vulnerability that affects versions through 9.0.4 of the Ghidra software reverse engineering (SRE) framework.

GHIDRA is a multi-platform reverse engineering framework that runs on major OSs (Windows, macOS, and Linux).

The framework was first mentioned in the CIA Vault 7 dump that was leaked in 2017. WikiLeaks obtained thousands of files allegedly originating from a CIA high-security network that details CIA hacking techniques, tools, and capabilities. Digging in the huge trove of files, it is possible to find also information about the GHIDRA, a Java-based engineering tool.

NSA has released the suite Ghidra in March, it could be used to find vulnerabilities and security holes in applications.

Ghidra is Apache 2.0-licensed and requires a Java runtime, it is available
for download here. Of course, people fear the US Agency may have introduced a backdoor in the suite, but the NSA excluded it.

A couple of weeks ago, security researchers discovered a vulnerability in the Ghidra tool, tracked as CVE-2019-16941, that could be exploited by an attacker to execute arbitrary code within the context of the affected application. The researchers discovered that the flaw could be exploited only when the experimental mode is enabled.

The vulnerability resides in the Read XML Files feature of Bit Patterns Explorer, an attacker could exploit it by using modified XML documents.

“NSA Ghidra through 9.0.4, when experimental mode is enabled, allows arbitrary code execution if the Read XML Files feature of Bit Patterns Explorer is used with a modified XML document.” reads the security advisory. “This occurs in Features/BytePatterns/src/main/java/ghidra/bitpatterns/info/FileBitPatternInfoReader.java. An attack could start with an XML document that was originally created by DumpFunctionPatternInfoScript but then directly modified by an attacker (for example, to make a java.lang.Runtime.exec call).”

The vulnerability has been rated as “critical severity” and received a CVSS score of 9.8.

The NSA attempted to downplay the severity of the flaw explaining that it is hard to exploit.

The good news is that the issue has been already fixed, a patch is available for those who build Ghidra themselves from the master branch.

The Ghidra 9.1 release, that is currently in beta testing, will also address the flaw.

Pierluigi Paganini

(SecurityAffairs – NSA, hacking)

The post Researchers discovered a code execution flaw in NSA GHIDRA appeared first on Security Affairs.

NSA Launches New Cybersecurity Directorate

NSA is redefining its cybersecurity mission and with the Cybersecurity Directorate it will enhance its partnerships with unclassified collaboration and information sharing.

Under the new Cybersecurity Directorate — a major organization that unifies NSA’s foreign intelligence and cyberdefense missions

The NSA announced the new Cybersecurity Directorate — which will help defend domestic organizations from foreign cyberattacks.

The NSA announced the new Cybersecurity Directorate — which will help defend domestic organizations from foreign cyberattacks — in a short press release. The NSA, sometimes called by its nickname, “No Such Agency,” is known for being secretive. But this new directorate seems to signal a pivot towards a more public approach to security than the Agency has taken in the past.

nsa

The directorate also reflects a change in the importance of national cybersecurity and provides a hint as to how government agencies are rethinking how cybersecurity divisions should be organized.

The NSA Makes Cyberdefense a Top Priority

The directorate will unify the NSA’s current foreign intelligence and cyberdefense operations, bringing them together in a “major organization” designed to defend domestic organizations against foreign cyberattacks. The NSA expects the directorate to “reinvigorate NSA’s white hat mission” by seeing the Agency turn towards providing partners and “customers” with threat information, and by otherwise equipping them against cyberattacks.

The directorate will have NSA turn its efforts towards securing military and defense industry security. A short, NSA-produced video at the end of the press release provided more information about what threats the NSA expects to defend the public from — including attacks on infrastructure, theft of classified information, and “mass deception of the public.”

The pivot comes at a time where the nation is facing several security crises and reasonable fears that almost anything that runs on a computer — banks, voting machines, and critical infrastructure — can be compromised or damaged by cyberattacks.

The launch of the new directorate — and the focus of the press release on cyberdefense — follows comments made by Glenn Gerstell, chief counsel of the NSA, back in September. At that time, Gerstell said that the NSA wouldn’t “hack back” in the case of a cyberattack and that the Agency was instead focused on defending key information and infrastructure from theft or damage by foreign actors.

The directorate is not the Agency’s first foray into providing private domestic organizations with intel about foreign hackers. In 2011, as the financial sector was still recovering from the financial crisis of 2008, the Agency began providing Wall Street banks with cybersecurity information in the hopes that it would prevent “financial sabotage.”

The State of Cybersecurity

The directorate reflects a broader change that’s also being seen in the private sector. Cybersecurity is no longer seen as a sub-component of an overall security plan, or as part of the tech department, but as a necessary investment that requires top talent and serious commitment of resources. Networks are more likely to be considered vulnerable and need better defense from cyberattacks.

Businesses are increasingly relying on Internet of Things or “smart” devices to provide data. But these devices are often improperly secured and allow an access point to secure networks, and the valuable information held there. As the world becomes more connected, there are more opportunities for hackers to slip in between the cracks of cyberdefenses and do damage once they have access to secure networks.

In the press release, the NSA said that the Agency will “invest in and rely on its expert workforce.” It’s not clear right now if the new directorate will result in the NSA expanding its cybersecurity workforce. If so, they may run into some of the problems faced by the private sector, in that the number of cybersecurity experts has not kept pace with the frequency of, intensity of, and damage done by cyberattacks.

What the NSA’s Directorate Means for Cybersecurity

The new director shows that cybersecurity is a higher priority than ever for the Agency, and signals a turn to more public involvement in national security. Time will tell how effective the directorate is at preventing or reducing the harm of cyberattacks, but the defense industry is likely happy to receive any help that they can.

Going forward, cybersecurity will continue to become more important as critical infrastructure and essential components of our economy and national defense become more connected. Whether or not the cybersecurity industry will be able to keep up with the rising pace of attacks remains to be seen.

About the author

Kayla Matthews is a technology and cybersecurity writer, and the owner of ProductivityBytes.com. To learn more about Kayla and her recent projects, visit her About Me page.

Pierluigi Paganini

(SecurityAffairs – cybersecurity, NSA Cybersecurity Directorate)

The post NSA Launches New Cybersecurity Directorate appeared first on Security Affairs.

NSA on the Future of National Cybersecurity

Glenn Gerstell, the General Counsel of the NSA, wrote a long and interesting op-ed for the New York Times where he outlined a long list of cyber risks facing the US.

There are four key implications of this revolution that policymakers in the national security sector will need to address:

The first is that the unprecedented scale and pace of technological change will outstrip our ability to effectively adapt to it. Second, we will be in a world of ceaseless and pervasive cyberinsecurity and cyberconflict against nation-states, businesses and individuals. Third, the flood of data about human and machine activity will put such extraordinary economic and political power in the hands of the private sector that it will transform the fundamental relationship, at least in the Western world, between government and the private sector. Finally, and perhaps most ominously, the digital revolution has the potential for a pernicious effect on the very legitimacy and thus stability of our governmental and societal structures.

He then goes on to explain these four implications. It's all interesting, and it's the sort of stuff you don't generally hear from the NSA. He talks about technological changes causing social changes, and the need for people who understand that. (Hooray for public-interest technologists.) He talks about national security infrastructure in private hands, at least in the US. He talks about a massive geopolitical restructuring -- a fundamental change in the relationship between private tech corporations and government. He talks about recalibrating the Fourth Amendment (of course).

The essay is more about the problems than the solutions, but there is a bit at the end:

The first imperative is that our national security agencies must quickly accept this forthcoming reality and embrace the need for significant changes to address these challenges. This will have to be done in short order, since the digital revolution's pace will soon outstrip our ability to deal with it, and it will have to be done at a time when our national security agencies are confronted with complex new geopolitical threats.

Much of what needs to be done is easy to see -- developing the requisite new technologies and attracting and retaining the expertise needed for that forthcoming reality. What is difficult is executing the solution to those challenges, most notably including whether our nation has the resources and political will to effect that solution. The roughly $60 billion our nation spends annually on the intelligence community might have to be significantly increased during a time of intense competition over the federal budget. Even if the amount is indeed so increased, spending additional vast sums to meet the challenges in an effective way will be a daunting undertaking. Fortunately, the same digital revolution that presents these novel challenges also sometimes provides the new tools (A.I., for example) to deal with them.

The second imperative is we must adapt to the unavoidable conclusion that the fundamental relationship between government and the private sector will be greatly altered. The national security agencies must have a vital role in reshaping that balance if they are to succeed in their mission to protect our democracy and keep our citizens safe. While there will be good reasons to increase the resources devoted to the intelligence community, other factors will suggest that an increasing portion of the mission should be handled by the private sector. In short, addressing the challenges will not necessarily mean that the national security sector will become massively large, with the associated risks of inefficiency, insufficient coordination and excessively intrusive surveillance and data retention.

A smarter approach would be to recognize that as the capabilities of the private sector increase, the scope of activities of the national security agencies could become significantly more focused, undertaking only those activities in which government either has a recognized advantage or must be the only actor. A greater burden would then be borne by the private sector.

It's an extraordinary essay, less for its contents and more for the speaker. This is not the sort of thing the NSA publishes. The NSA doesn't opine on broad technological trends and their social implications. It doesn't publicly try to predict the future. It doesn't philosophize for 6000 unclassified words. And, given how hard it would be to get something like this approved for public release, I am left to wonder what the purpose of the essay is. Is the NSA trying to lay the groundwork for some policy initiative ? Some legislation? A budget request? What?

Charlie Warzel has a snarky response. His conclusion about the purpose:

He argues that the piece "is not in the spirit of forecasting doom, but rather to sound an alarm." Translated: Congress, wake up. Pay attention. We've seen the future and it is a sweaty, pulsing cyber night terror. So please give us money (the word "money" doesn't appear in the text, but the word "resources" appears eight times and "investment" shows up 11 times).

Susan Landau has a more considered response, which is well worth reading. She calls the essay a proposal for a moonshot (which is another way of saying "they want money"). And she has some important pushbacks on the specifics.

I don't expect the general counsel and I will agree on what the answers to these questions should be. But I strongly concur on the importance of the questions and that the United States does not have time to waste in responding to them. And I thank him for raising these issues in so public a way.

I agree with Landau.

Slashdot thread.

United States Sues Edward Snowden and You’d be Surprised to Know Why

The United States government today filed a lawsuit against Edward Snowden, a former contractor for the CIA and NSA government agencies who made headlines worldwide in 2013 when he fled the country and leaked top-secret information about NSA's global and domestic surveillance activities. And you would be more surprised to know the reason for this lawsuit—No, Snowden has not been sued for