Category Archives: Vulnerabilities

Aviation Equipment Major ASCO Victim of Ransomware Attack

The Belgian manufacturer of aeronautical equipment ASCO was forced to close its operations in Belgium, Germany, Canada and the United States after a ransomware attack at its Zaventem plant in Belgium.

ASCO is one of the world’s largest manufacturers of aeronautical equipment and supplies high-end components, such as lifting devices, mechanical assemblies and functional parts, to aviation giants such as Boeing, Airbus, Lockheed Martin, Bombardier Aerospace and Embraer.

The computer systems at the Zaventem plant in Belgium, which also serves as the company’s headquarters, were hit last Friday by a ransomware attack, forcing the company to close its factories in Belgium, Germany, Canada and the United States to contain the impact of the attack.

ASCO employees sent on leave for an indefinite period

ASCO, acquired last year by the American company Spirit AeroSystems, has also sent home about 1,000 of its 1,400 employees at these factories for an extended shutdown and asked them not to return to work until further notice. The company’s non-production offices in France and Brazil, however, are currently operational.

ASCO has not yet issued any official statement regarding the ransomware attack, nor has it communicated the details of the ransom demand, whether the company intends to respond to it, or whether the infection has caused the loss of intellectual property. However, the company told the Brussels Times that it had not yet detected any theft or loss of information.

Andrea Carcano, CPO and co-founder of Nozomi Networks, warned that it is never advisable to pay the ransom in these situations. “There is no guarantee that criminals will restore the systems. Organizations must prepare for this type of event and have a plan to limit the damage and the reputation of the brand.”

The attack comes two months after the European Commission approved the acquisition of the company by the US-based Spirit AeroSystems. The cash acquisition of SRIF, the parent company of the Belgian aircraft components manufacturer, for a total of $650 million (£512 million) was announced in May 2018.

The first EU regulatory review was halted in October 2018 when Spirit withdrew its initial notification to the Commission over regulatory concerns. The company resumed the regulatory process in February 2019 after notifying the European Commission on 30 January.

There was no press release or announcement from either company. The LinkedIn and Twitter accounts of both companies had not provided any confirmation or acknowledgment of the attack at the time this report was published.

The aeronautics industry has been a frequent target of hackers recently. When an airline is purchased, the new owner is more likely to keep running the legacy systems than to fully integrate and update them. Newer airlines are better equipped and have tighter control over their IT systems.

In terms of ransomware, prevention is better than cure. Keep all systems up to date with the latest patches and make sure there are no unaddressed security vulnerabilities that could leave the organization exposed to attackers.


Major Vulnerabilities in HSMs Discovered

Yesterday’s announcement of this HSM hack in the Black Hat 2019 program caused a lot of excitement, and for good reason: the authors claim to have discovered an unauthenticated remote attack that gives full control of an HSM and full access to the keys and secrets stored in it.

For the moment, very few details are available in English about how this attack was carried out by the Ledger researchers, but fortunately for Francophones, the work was presented in detail earlier this week at SSTIC, France’s annual security conference. Francophones can watch the video or read the paper in the proceedings.

What really happened?

For non-Francophones, the bilingual Cryptosense team has translated a brief summary of what Ledger researchers Gabriel Campana and Jean-Baptiste Bédrune did. Many technical problems had to be solved along the way, as part of a thorough and professional piece of vulnerability research:

  • They started by using the SDK’s legitimate access to a test HSM to load a firmware module that gave them a shell inside the HSM.
  • They then used the shell to run a fuzzer against the internal implementation of the PKCS #11 commands, looking for reliable, exploitable buffer overflows.
  • They verified that these buffer overflows could be exploited from outside the HSM, that is, simply by calling the PKCS #11 driver on the host machine.
  • They then wrote a payload that overrides the access control and allows arbitrary (unsigned) firmware to be loaded. It is important to keep in mind that this back door is persistent: a subsequent firmware update will not remove it.
  • Finally, they wrote a module that dumps all the secrets of the HSM, and loaded it into the HSM.

What’s the latest?

The vulnerabilities have now been fixed. The manufacturer is not named in the presentation, but it can be worked out by looking at the recent security advisories of the major HSM manufacturers.

Conclusion

Well-funded vulnerability research teams within state intelligence agencies could have done similar work and discovered this attack. The disruption that the disclosure of certain secret keys would cause to a target country’s financial system would be very attractive to anyone seeking to wage cyberwar. The most disturbing part of the attack may be that the malicious firmware update is persistent. There may be HSMs deployed in critical infrastructure today with similar backdoors.


Threatlist: Targeted Espionage-as-a-Service Takes Hold on the Dark Web

One in four underground merchants offers advanced hacking services once reserved for APTs and well-funded organized crime gangs.

Apple Releases Firmware Security Updates for AirPort Base Stations

Apple recently released a series of updates that address several firmware security issues affecting its AirPort base stations. Released on 30 May, the changes fix eight vulnerabilities affecting the AirPort Extreme and AirPort Time Capsule base stations with 802.11ac. Almost half of these bugs concern denial-of-service (DoS) attacks. Apple fixed one of these […]

The post Apple Releases Firmware Security Updates for AirPort Base Stations appeared first on The State of Security.

Thrangrycat: A Serious Cisco Vulnerability

Summary:

Thrangrycat is caused by a series of hardware design flaws within Cisco's Trust Anchor module. First commercially introduced in 2013, the Cisco Trust Anchor module (TAm) is a proprietary hardware security module used in a wide range of Cisco products, including enterprise routers, switches and firewalls. TAm is the root of trust that underpins all other Cisco security and trustworthy computing mechanisms in these devices. Thrangrycat allows an attacker to make persistent modifications to the Trust Anchor module via FPGA bitstream modification, thereby defeating the secure boot process and invalidating Cisco's chain of trust at its root. While the flaws are based in hardware, Thrangrycat can be exploited remotely without any need for physical access. Since the flaws reside within the hardware design, it is unlikely that any software security patch will fully resolve the fundamental security vulnerability.

From a news article:

Thrangrycat is awful for two reasons. First, if a hacker exploits this weakness, they can do whatever they want to your routers. Second, the attack can happen remotely: it's a software vulnerability. But the fix can only be applied at the hardware level. Like, physical router by physical router. In person. Yeesh.

That said, Thrangrycat only works once you have administrative access to the device. You need a two-step attack in order to get Thrangrycat working. Attack #1 gets you remote administrative access, Attack #2 is Thrangrycat. Attack #2 can't happen without Attack #1. Cisco can protect you from Attack #1 by sending out a software update. If your I.T. people have your systems well secured and are applying updates and patches consistently and you're not a regular target of nation-state actors, you're relatively safe from Attack #1, and therefore, pretty safe from Thrangrycat.

Unfortunately, Attack #1 is a garden variety vulnerability. Many systems don't even have administrative access configured correctly. There's opportunity for Thrangrycat to be exploited.

And from Boing Boing:

Thrangrycat relies on attackers being able to run processes as the system's administrator, and Red Balloon, the security firm that disclosed the vulnerability, also revealed a defect that allows attackers to run code as admin.

It's tempting to dismiss the attack on the trusted computing module as a ho-hum flourish: after all, once an attacker has root on your system, all bets are off. But the promise of trusted computing is that computers will be able to detect and undo this kind of compromise, by using a separate, isolated computer to investigate and report on the state of the main system (Huang and Snowden call this an introspection engine). Once this system is compromised, it can be forced to give false reports on the state of the system: for example, it might report that its OS has been successfully updated to patch a vulnerability when really the update has just been thrown away.

As Charlie Warzel and Sarah Jeong discuss in the New York Times, this is an attack that can be executed remotely, but can only be detected by someone physically in the presence of the affected system (and only then after a very careful inspection, and there may still be no way to do anything about it apart from replacing the system or at least the compromised component).

Points To Consider Before Selecting a Secure Web Gateway

Information technology has undergone a major transformation in recent years. Today, infrastructure, applications, and data, almost everything, are moving to the cloud. Whether public or private, cloud infrastructure has revolutionized the IT ecosystem. This, however, raises wide-ranging questions about how to protect the data stored in the cloud.

The rise of cloud technology has also changed the way employees work, and it has made many people care less about the security of their own data and that of the organization. When employees work outside the corporate network, they often do not even bother to turn on the VPN before working. That is where secure web gateways come in.

What is a secure web gateway?

A secure web gateway (SWG) is, in essence, content control software. Content control means that the software filters and manages the content that users retrieve from the Internet. It prevents malicious Internet traffic from reaching the corporate network and so helps protect the enterprise. In simple terms, it allows through only the content that is relevant to the company’s work and permitted by its policy, even for users sitting outside the network.

In recent years, the SWG has become a standard tool for organizations around the world. The idea is not new; SWGs have existed since the early days of the web. Today, however, they are far more sophisticated than simple content filtering and are offered both on-premises and in the cloud. SWGs are capable of preventing or restricting malicious traffic, but not every company knows how to use them.

Things to Keep In Mind


What to consider when opting for secure web gateway?

You must have extensive knowledge of web threats and vulnerabilities. This is the first and most important thing any organization should do. Businesses need to know the threats and vulnerabilities they are exposed to. They must also determine the path and source of each threat, as well as the damage it is causing and could cause in the future.

When you know exactly what you are going to deal with, you plan better. And when you plan better, you come up with stronger solutions. So, before evaluating or choosing a specific secure web gateway, you should know what is happening in your environment.

What measure to take?

When you have finished analyzing the threats and vulnerabilities, review the actions you have already taken and the tools you have already configured to handle malicious traffic. Check each tool and look at the results it produces.

If you do not have the required resources and infrastructure, check whether you can put them in place and how much that will cost. If that exceeds your budget, consider cloud service providers instead. It is always a good idea to review your existing resources before adopting a brand new tool.

Do you have the bandwidth to deploy an extra security tool?

You might feel a pressing need to deploy a secure web gateway product in order to strengthen your web security infrastructure, but one simply cannot buy an SWG product and expect it to fit in on its own; you have to make sure you have the required infrastructure and resources to make the most of the tool.

Does your existing infrastructure align with cloud infrastructure?

The cloud approach can solve local problems but has requirements of its own. So, if you choose a cloud infrastructure, make sure your existing processes and methods still work properly with it. Also, make sure you have the support you need for a cloud-centric deployment. That covers the infrastructure side.

When it comes to tools, and to implementing a cloud-based security tool in particular, you need to check whether it can integrate with your existing on-premises tools. If you can meet those challenges, a cloud-based SWG is a very effective way to keep cyber-attacks and malicious traffic out of the corporate network.

What to expect from a secure web gateway product?

This is the last point, but one of the most important things to keep in mind. You need to decide which problems you want to solve: the kinds of threats you want to detect and remediate, the types of traffic you want to block, and so on. If you have a clear vision or a set of results you expect, you can evaluate the secure web gateway product against them and see whether it can deliver. It makes no sense to spend time and money on a product if it does not.


Data Security in the Cloud: How to Lock Down the Next-Gen Perimeter

Enjoy the video replay of the recent Threatpost cloud security webinar, featuring a panel of experts offering best practices and ideas for managing data in a cloudified world.

Another Intel Chip Flaw

Remember the Spectre and Meltdown attacks from last year? They were a new class of attacks against complex CPUs, finding subliminal channels in optimization techniques that allow hackers to steal information. Since their discovery, researchers have found additional similar vulnerabilities.

A whole bunch more have just been discovered.

I don't think we're finished yet. A year and a half ago I wrote: "But more are coming, and they'll be worse. 2018 will be the year of microprocessor vulnerabilities, and it's going to be a wild ride." I think more are still coming.

Cisco Service Provider, WebEx Bugs Offer Up Remote Code Execution

The vendor also issued a patch schedule for the still-unpatched bug in its Secure Boot trusted hardware environment, which affects most of its enterprise and SMB portfolio, amounting to millions of vulnerable devices.

WhatsApp Vulnerability Fixed

WhatsApp fixed a devastating vulnerability that allowed someone to remotely hack a phone by initiating a WhatsApp voice call. The recipient didn't even have to answer the call.

The Israeli cyber-arms manufacturer NSO Group is believed to be behind the exploit, but of course there is no definitive proof.

If you use WhatsApp, update your app immediately.

Leaked NSA Hacking Tools

In 2016, a hacker group calling itself the Shadow Brokers released a trove of 2013 NSA hacking tools and related documents. Most people believe it is a front for the Russian government. Since then, the vulnerabilities and tools have been used by both governments and criminals, and have put the NSA's ability to secure its own cyberweapons seriously into question.

Now we have learned that the Chinese used the tools fourteen months before the Shadow Brokers released them.

Does this mean that both the Chinese and the Russians stole the same set of NSA tools? Did the Russians steal them from the Chinese, who stole them from us? Did it work the other way? I don't think anyone has any idea. But this certainly illustrates how dangerous it is for the NSA -- or US Cyber Command -- to hoard zero-day vulnerabilities.

EDITED TO ADD (5/16): Symantec report.