Category Archives: Vulnerabilities

For Effective Patch Management, Don’t Overlook Risk

Patch management has always been an evergreen topic for security practitioners. Each time poor patching is identified as the root cause of a breach, it triggers a new flood of opinions on the countless dos and don’ts of triaging common vulnerabilities and exposures (CVEs), understanding criticality scores, and deploying patches. Often left out of the conversation, however, is an especially crucial variable: risk.

Hacker Discovered “God Mode” Whilst Fuzzing Some Old x86 CPUs

A security researcher named Christopher Domas spoke at the recent Black Hat conference, highlighting that some x86 CPUs are installed with

Hacker Discovered “God Mode” Whilst Fuzzing Some Old x86 CPUs on Latest Hacking News.

“Open Sesame” Vulnerability That Let Users Hack Windows 10 Was Demonstrated at Black Hat Conference

Microsoft works continually to improve the security of its Windows 10 operating system. Although the tech giant has certainly made

“Open Sesame” Vulnerability That Let Users Hack Windows 10 Was Demonstrated at Black Hat Conference on Latest Hacking News.

DEF CON 2018: Hacking Medical Protocols to Change Vital Signs

LAS VEGAS – In recent years there has been more attention paid to the security of medical devices; however, there has been little security research done on the unique protocols used by these devices. Many of the insulin pumps, heart monitors and other gadgets found in hospital rooms use aging protocols to communicate with nurses’ […]

DEF CONtests Highlight Hacker Culture’s Expanding Reach

Scores of contests at the annual DEF CON event reveal hacker culture in its Baroque glory, with tests of social engineering and IoT hacking skills taking center stage. They don’t call it “Hacker Summer Camp” for nothing. Attendees to the Black Hat and DEF CON hacker conferences in Las Vegas this week have a dizzying array of...

Vulnerability Discovered: Mobile Point-of-Sale Devices Affected

A point-of-sale security vulnerability impacting mobile payment services across the globe was discovered by researchers from Positive Technologies. Thursday, during

Vulnerability Discovered: Mobile Point-of-Sale Devices Affected on Latest Hacking News.

Comcast Xfinity Customers’ Partial Data Exposed

The partial home addresses and social security numbers of more than 26.5 million customers of Comcast Xfinity were exposed due

Comcast Xfinity Customers’ Partial Data Exposed on Latest Hacking News.

Report: Firms Could Use Better Vulnerability Assessment to Fight Cyberthreats

Half of organizations are relative teenagers in terms of maturity when it comes to their vulnerability-assessment practices, a key aspect of successful strategies to defend themselves quickly against cyber attacks, a recent report has found. Nearly half, or 48 percent, of the organizations polled in the survey, The Cyber Defender Strategies...

8 everyday technologies that can make you vulnerable to cyberattacks

The technological advances of the modern world make for an exciting and convenient lifestyle. With each new development, from artificial intelligence to the Internet of Things, we make the mundane and tedious more manageable.

The security vulnerabilities of the latest tech have been well documented. But what about everyday technologies that have been around for a while or are widely adopted? Those familiar devices and programs can also put you at risk of being targeted by hackers.

Here are eight commonly used tech conveniences that are not as ironclad as you might hope.

1. Smart speakers

Smart speakers like Google Home or Amazon Echo feature countless capabilities meant to assist users. However, cybersecurity experts also warn that they’re vulnerable to numerous types of attacks.

Some involve threat actors controlling the speakers with ultrasonic commands that humans can’t hear but smart speakers recognize, embedded in YouTube videos, white noise, or other content.

Researchers also discovered hackers could engineer smart speaker apps that seem legitimate but actually come straight from those orchestrating cyberattacks. Sometimes, even when users close out of the apps, they keep recording conversations and other sounds happening in the home and sending them to criminals silently in the background.

2. Smart security systems

Smart security systems let you keep an eye on your home while at the office or vacationing in another country. These systems allow users to sort through hours of footage stored in the cloud or can use artificial intelligence to learn familiar faces who arrive at your door.

However, even security systems can have flaws. A cybersecurity research team in Europe found a bug in Swann smart security cameras that allowed footage from one home to be broadcast to other homes. If hackers had discovered that problem instead of the researchers who verified its existence, they could have used the vulnerability to intercept footage and spy on homeowners. Then, it’d theoretically be quite easy for them to move beyond hacking into the realm of burglary.

3. USB drives

USB drives extend what your computer can do, letting you move files from one location to another or add storage capacity. They’re also relatively easy for hackers to corrupt by loading worms or other kinds of malware onto them. The US military recognized the danger they posed and banned the use of thumb drives a decade ago.

Unfortunately, many individuals and businesses do not understand the genuine risk of letting employees use unsecured USB drives on Internet-connected machines. Instead, they view USBs as tools of convenience, not gadgets that could infect their computers or networks. For example, if a USB drive is connected to a machine that’s infected with ransomware, the files on that drive will also become infected. Moving that drive from one computer to the next could then spread the infection beyond a single endpoint to multiple systems.

4. Dongles

Where USB drives give you more room to store files on a computer, dongles plug into USB ports and increase functionality by providing extra content or features. For example, smart TV dongles give you extra channels and movies to enjoy.

A few years ago, cybersecurity experts hacked a dongle provided to car owners by an insurance company to track their driving habits. The experiment allowed researchers to control the windshield wipers of the vehicle fitted with the dongle and—much more alarmingly—enable and disable its brakes.

A more recent problem affected the Amazon Fire Stick. In that case, threat actors installed cryptomining malware that didn’t show up in users’ lists of running apps. Besides making the Fire Stick and its Internet connection sluggish, the malware sometimes made itself known by displaying the word “test” on the screen, accompanied by the Android bot icon. Fortunately, it’s reportedly fixable by restoring the dongle to its factory settings.

5. Shared media files

Cybercriminals consistently engineer new ways to trick people into giving up their passwords, credit card numbers, and other personally identifiable information (PII) through phishing attempts. Phishes typically show up in victims’ inboxes and look exactly like legitimate emails, down to the color schemes, buttons, and headers.

You might already know that downloading an unfamiliar email attachment increases the possibility of being infected, but perhaps you let your guard down when using a well-known file-sharing service like Dropbox. Hackers send malicious emails seemingly originating from Dropbox, too.

Once people click on links within those messages, their browsers go through a redirect process and proceed to download a JavaScript file put there by cybercriminals. Lo and behold, passwords and other credentials entered to access the “Dropbox” folder will be scraped and sent off to those crafty criminals, who can sell them on the black market to the highest bidder.

6. Wi-Fi networks

People use Wi-Fi networks every day and scarcely think about the consequences. Unfortunately, hackers often take advantage of that dependence. Sometimes they create illegitimate, publicly accessible Wi-Fi networks with official-sounding names, like Philadelphia Airport, and hope people will connect to those without verifying they’re real.

Other disturbing research reveals ex-partners are wreaking havoc via remotely managed instances of domestic abuse. The people affected are collectively known as smart home abuse victims. A study on the matter emphasizes that an individual need only know a home’s Wi-Fi network password and have the corresponding smart home app on their phone to turn the lights on and off, crank the thermostat up to an unbearably hot temperature, or otherwise make life extremely unpleasant.

7. Smart phones

Like many people, you probably think of your smart phone as much safer from malware than your computer. However, the very thing that makes smart phones “smart,” the Internet, is what makes them vulnerable. Often, infiltration happens when threat actors create apps that look legitimate, but are actually a front for loading all kinds of malware in the background, from cryptominers to adware and even ransomware.

In addition, criminals can infect your phone through smishing, or SMS phishing, where malicious links are texted to individuals under the guise of a great promotion or pretending to be from a credible institution, such as a doctor’s office or bank.

A case involving activists working for Amnesty International revealed that hackers installed a kind of spyware called Pegasus through WhatsApp (the real app, not a spoof). Moreover, there are nearly 200 publicly reported cases of nonprofits being targeted through WhatsApp by that spyware or similar forms of malware.

8. Web browsers

Using the Internet would be substantially more cumbersome and maybe even impossible without the invention of the web browser. However, just like the other items on this list, web browsers can also serve as gateways through which hackers enter. One bug that made headlines in April 2018 involved hackers compromising Windows computers through a vulnerability in Internet Explorer, which allowed users to be infected by a malicious Microsoft Word file.

Another kind of malware called Vega Stealer snatches credit card details input into fields when people use the Chrome or Firefox browsers. It can also take data from Word and Excel files and show it to outside parties.

Finally, criminals have found another route to infect users via the browser by creating rogue plugins that often make their way past official review for listing in browser web stores by appearing to be legitimate. Once approved and listed in the stores, the threat actors flip the switch and push malicious updates, infecting any users who download the plugins for additional browser functionality.

Many issues discovered by researchers

If there’s a positive side to several of the vulnerable tech items on this list, it’s that cybersecurity researchers uncovered their vulnerabilities and notified the appropriate parties. Of course, it’s worse when device owners are the ones who learn that problems exist when their computers, phones or other tech helpers start behaving strangely.

In any case, now that you know about some of the things cybercriminals do to unsuspecting users of technology, aim to be more aware of when things seem amiss. Being proactive can sometimes prevent small issues from becoming gigantic catastrophes.

The post 8 everyday technologies that can make you vulnerable to cyberattacks appeared first on Malwarebytes Labs.

Augur Cryptocurrency Bug Made The App Vulnerable To Fake Data

The crypto world is providing us with various innovative apps and platforms, leveraging the increasing attention this industry is gaining.

Augur Cryptocurrency Bug Made The App Vulnerable To Fake Data on Latest Hacking News.

Samsung Galaxy S7 Vulnerable To Hacking Due To Meltdown Security Flaw

Samsung Galaxy S7 is, perhaps, one of the most talked about phones by Samsung. Yet, they turned out to be

Samsung Galaxy S7 Vulnerable To Hacking Due To Meltdown Security Flaw on Latest Hacking News.

MongoDB Vulnerability Leaked Health Care Data Of 2 Million Mexicans Online

While investigations continue into the massive Singapore health data breach, an independent researcher found something even more alarming. The

MongoDB Vulnerability Leaked Health Care Data Of 2 Million Mexicans Online on Latest Hacking News.

Black Hat USA Update: BlackBerry Launches New Ransomware Solution

In the midst of the rising ransomware attacks on medical facilities, factories, businesses, educational facilities, and even everyday internet-using individuals,

Black Hat USA Update: BlackBerry Launches New Ransomware Solution on Latest Hacking News.

Critical Security Flaws In OpenEMR Left 90 Million Medical Records Vulnerable

Keeping in mind the recent wave of medical data breaches, one can realize the security threats to medical and health

Critical Security Flaws In OpenEMR Left 90 Million Medical Records Vulnerable on Latest Hacking News.

‘SegmentSmack’ – Critical TCP Vulnerability Found In Linux 4.9 Triggers DoS Attack

Recently, a researcher has discovered a critical TCP vulnerability in the Linux Kernel that could trigger cyber attacks. Precisely, by

‘SegmentSmack’ – Critical TCP Vulnerability Found In Linux 4.9 Triggers DoS Attack on Latest Hacking News.

Episode 107: What’s Hot at Black Hat & does DHS need its new Risk Management Center?

In this episode of The Security Ledger Podcast (#107): Hacker Summer Camp takes place in Las Vegas this week as the Black Hat, DEFCON and B-Sides conferences take place. We’re joined by DigiCert Chief Technology Officer Dan Timpson to talk about the presentations that are worth seeing. And, in our second segment, The Department of Homeland...

Two Critical HP Printer Patches Released, Over 225 Printer Models Affected

A firmware update has been posted by HP Inc. addressing a duo of critical security vulnerabilities in the company’s Inkjet

Two Critical HP Printer Patches Released, Over 225 Printer Models Affected on Latest Hacking News.

Data Breach At Women’s and Children’s Hospital Exposed Children’s Records Online

Here comes a report about another health data breach, which this time has affected Australian citizens. The Women’s and Children’s

Data Breach At Women’s and Children’s Hospital Exposed Children’s Records Online on Latest Hacking News.

Monero Wallet Vulnerability – Loss Of $1.8 Million to Livecoin Crypto Exchange

Monero – a cryptocurrency that is supposedly synonymous with security – proved that ‘nothing is unhackable’. A researcher discovered a

Monero Wallet Vulnerability – Loss Of $1.8 Million to Livecoin Crypto Exchange on Latest Hacking News.

General Motors Started New Automotive Bug Bounty Program

General Motors has been working out how to produce its best for its customers. In an attempt to beef up

General Motors Started New Automotive Bug Bounty Program on Latest Hacking News.

Massive Cryptojacking Campaign: More than 170,000 MikroTik Routers Enslaved

Security researchers uncovered a colossal cryptocurrency mining campaign that used MikroTik routers. The attackers used the settings

Massive Cryptojacking Campaign: More than 170,000 MikroTik Routers Enslaved on Latest Hacking News.

New Miner – PowerGhost Fileless Cryptominer Targets Corporate Networks

The experts at Kaspersky security lab have identified a new miner. This comes at the time when the cryptocurrency rush

New Miner – PowerGhost Fileless Cryptominer Targets Corporate Networks on Latest Hacking News.

HP to pay hackers up to $10,000 for finding security vulnerabilities in its printers

HP launches bug bounty program to enhance printer security

HP became the first printer manufacturer to launch a bug bounty program that invites hackers to break into its printers. According to HP, it’s a “first of its kind” bug bounty program for printers, with rewards of up to $10,000 for vulnerabilities discovered.

“As we navigate an increasingly complex world of cyber threats, it’s paramount that industry leaders leverage every resource possible to deliver trusted, resilient security from the firmware up,” said Shivaun Albright, HP Chief Technologist of Print Security on Tuesday. “HP is committed to engineering the most secure printers in the world.”

HP will run the bug hunt in collaboration with Bugcrowd, a crowdsourced security platform that manages bug bounties, vulnerability disclosures, and more. The program is invite-only so that incoming vulnerability reports can be managed more effectively.

“HP has offered a way for researchers to disclose bugs to our team for a long time now,” Albright said. “This is our first bug bounty program, and the world’s first Print specific bounty, to be managed by an external party.”

According to the program guidelines, researchers are required to report the vulnerabilities found in the private program directly to Bugcrowd. HP will evaluate any vulnerability that was previously discovered by the company and may reward the researcher “as a good faith payment.” In the meantime, Bugcrowd will verify all submitted bugs and reward researchers depending on the severity of the flaw. Researchers can earn anywhere between $500 and $10,000 per legitimate find under the terms of the program.

“For years, the conversation about cybersecurity has focused on software and networking,” said Albright. “Today, bad actors are targeting endpoint devices. Protecting connected devices, like printers, at the edge of the network has become paramount.”

According to research undertaken by Bugcrowd, the “2018 State of Bug Bounty Report,” vulnerabilities in printers are an increasing threat as attackers focus on endpoint devices. During the past year, the total number of endpoint bugs reported across the industry increased 21 percent.

HP said that the bug bounty program will run indefinitely. In due course, the company plans to extend the bug bounty to its PC lineup.

HP started this bug bounty program in May this year, CNET reports. The company has already awarded a $10,000 prize to one researcher who reported a critical vulnerability. Currently, the program has 34 researchers on board.

The post HP to pay hackers up to $10,000 for finding security vulnerabilities in its printers appeared first on TechWorm.

HP Announced Bug Bounty Program To Improve Its Printers Security

Bug bounty programs are a great initiative to recognize cybersecurity researchers for their efforts to highlight bugs in various platforms.

HP Announced Bug Bounty Program To Improve Its Printers Security on Latest Hacking News.

Exploits in Samsung Hub Put Smart Homes at Risk

There is more alarming security news for consumers with smart devices at home: hackers can take remote control of video cameras, thermostats, smart locks or other IoT devices by exploiting vulnerabilities discovered in Samsung’s SmartThings Hub, according to a report by Cisco Systems’ Talos research group. Cisco Talos researchers...

New Crypto-Mining Malware ZombieBoy Exploits Multiple CVEs for Maximum Impact

ZombieBoy, a new crypto-mining family, recently clocked in at 43 KH/s — or $1,000 per month at current Monero prices.

Independent security researcher James Quinn described ZombieBoy, a new family of crypto-mining malware, in AlienVault on July 18. The name comes from the ZombieBoyTools kit the malware uses to drop its first dynamic link library (DLL) file. Much like MassMiner, ZombieBoy is a highly infectious worm, but it uses WinEggDrop rather than MassScan to identify new hosts.

Before recently shutting down one of its addresses on Monero mining pool MineXMR, the crypto-mining malware was raking in approximately $1,000 worth of the digital currency every month, according to Quinn. Based on its use of the Simplified Chinese language, ZombieBoy likely originates from China.

ZombieBoy Exploits Multiple CVEs to Beat Security Defenses

ZombieBoy leverages multiple vulnerabilities to compromise networks, including CVE-2017-9073, a remote desktop protocol (RDP) vulnerability on XP and Server 2003, and Server Message Block (SMB) exploits CVE-2017-0143 and CVE-2017-0146. It then uses DoublePulsar and EternalBlue to create multiple backdoors, both increasing the chance of compromise and making it harder for IT teams to eliminate infections.

The crypto-mining malware is encrypted with Themida and won’t run on virtual machines (VMs). This makes it hard both to capture and to reverse engineer, limiting the efficacy and development of countermeasures.

ZombieBoyTools is linked to other Chinese malware like IRON TIGER APT (itself a variant of Gh0st RAT). This suggests not only persistence but also continued evolution. ZombieBoy’s double backdoors could pave the way for crypto-mining malware and leave the gate open for ransomware, keyloggers and other malicious tools.

How Can Companies Combat Crypto-Mining Malware?

While it’s tough to stop threats like ZombieBoy outright, companies can take action to limit risk. IBM security researchers recommend blocking the command-and-control (C&C) traffic that exploits like DoublePulsar and EternalBlue rely on, using signatures such as SMB_EternalBlue_Implant_CnC and SMB_DoublePulsar_Implant_CnC.

Security experts also recommend building intelligent, integrated immune systems capable of responding to multiple threats, including crypto-mining, ransomware and distributed denial-of-service (DDoS) attacks. This ecosystem of solutions should include two-factor authentication (2FA), advanced web application firewalls and the ability to limit or disable unused ports and services.

Source: AlienVault

The post New Crypto-Mining Malware ZombieBoy Exploits Multiple CVEs for Maximum Impact appeared first on Security Intelligence.

Telstra Data Breach – A Website Error Exposed Customers’ Information Online

Telstra, an Australian telecommunications company, disabled its “Your Telstra Tools” service after a customer reported a glitch. Reportedly, the unsuspecting

Telstra Data Breach – A Website Error Exposed Customers’ Information Online on Latest Hacking News.

How to Get the Most Out of DEF CON and Black Hat 2018

From its inception in 1997, Black Hat has grown from a small technology-focused conference into a major information security event — offering briefings, education and training for security and risk practitioners. It’s renowned for shedding light on vulnerabilities found in everything from consumer devices to critical infrastructure.

Ivan Reedman, global hardware security and capability development lead at IBM X-Force Red, said it best: “Black Hat is all about security professionals sharing knowledge, working together and seeing some of the awesome stuff going on in the industry, all while at the same time having fun and making new friends.”

Immediately following Black Hat — which will take place in Las Vegas, Nevada, from Aug. 4–9 — is the somewhat less formal DEF CON. DEF CON is one of the world’s largest hacker conventions and is happening in Las Vegas from Aug. 9–12.

David Bryan, global leader of technology at IBM X-Force Red, is most excited about this event: “DEF CON is a time when newbies, seasoned hackers and professionals come together to share knowledge and level the playing field. It’s also a great time for folks to brush up on their skills and share knowledge in the community.”

What’s On Tap for This Year’s Premier Security Conferences?

Many valuable talks, meetings, demos and games will take place at both Black Hat and DEF CON — and it can be hard for first-time attendees and veterans alike to decide how to spend their time. Below are some interesting sessions I know I don’t want to miss.

‘Outsmarting the Smart City’

In this session, which will take place on August 9 at 12:10 p.m., Daniel Crowley and Mauro Paredes from IBM X-Force Red and Jennifer Savage from Threatcare will discuss the security of smart cities, vulnerabilities they have identified in commonly used devices and how to strengthen smart city security. Attend this talk to learn more about what technology is in our cities today, what’s in store for the future, and how to discover and attack the technology that runs modern cities.

(I’m personally looking forward to finding out what vulnerabilities, if any, the team discovered in my home city!)

‘Foxtrot C2: A Journey of Payload Delivery’

One of the challenges red-team operators face when emulating an adversary is unrestricted or unsupervised communication across defensive technology deployed by the enterprise.

Meet Foxtrot C2, IBM X-Force Red’s concept tool designed to help penetration testers overcome enterprise network inspection mechanisms, successfully deliver malicious payloads and establish a long-running operation while consistently bypassing behavioral traffic correlation mechanisms deployed on the company network.

Join the talk on August 9 at 2:30 p.m. to hear IBM X-Force Red’s Dimitry Snezhkov dive into Foxtrot C2.

‘Sizing Up Vulnerabilities’

Identifying security vulnerabilities has become a business-as-usual activity for many companies — now the real challenge is to fix them.

Given the sheer volume of vulnerabilities coupled with the lack of vulnerability management resources, prioritizing and remediating the most critical flaws is an overwhelming project. Many rely on Common Vulnerability Scoring System (CVSS) scores. However, these alone are not enough because they do not take into account whether a vulnerability is actively being weaponized in the wild.

Join IBM X-Force Red’s Charles Henderson and Steve Ocepek at 11 a.m. on August 9 to learn more about vulnerability ranking.

‘The L0pht Testimony, 20 Years Later (and Other Things You Were Afraid to Ask)’

At 5 p.m. on August 10, IBM X-Force Red’s Space Rogue will participate in a reunion panel at DEF CON with members of the hacking collective L0pht Heavy Industries. The panel will look back on 20 years of cybersecurity and discuss the group’s 1998 testimony to warn Congress of glaring vulnerabilities in government systems.

Visit Us at Black Hat 2018 to Learn More

Are you planning your next career move? Are you looking to network with the best in the industry? Visit IBM at booth No. 2104 at Black Hat to discuss potential opportunities.

You can also experience the disruption bar, get your password ‘cracked’ by the tool, look inside an automated teller machine (ATM) and chat with IBM X-Force Red’s team of veteran hackers.

And since IBM X-Force Red is celebrating its second birthday, there will be gifts for all who visit.

To learn more about the team’s latest discoveries, follow the IBM X-Force Red in Action podcast series. Whether it’s cars, planes, toilets (yes, seriously!), ATMs or satellites, you never know what this hacking team will break into next — and you won’t want to miss a single episode.

Hear Space Rogue talk about Black Hat on the X-Force Red in Action podcast series

https://securityintelligence.com/series/xforce-red-in-action/

The post How to Get the Most Out of DEF CON and Black Hat 2018 appeared first on Security Intelligence.

Threat Report Provides Evidence of Threat Actors Targeting ERP Applications

Cybersecurity providers Digital Shadows and Onapsis released a report on July 25 that outlined additional evidence of threat actors targeting enterprise resource planning (ERP) applications, particularly SAP applications, according to Reuters.

Back in May 2016, SAP customers awoke to the news of a U.S. Computer Emergency Readiness Team (US-CERT) advisory to address the security of their SAP applications, especially internet-facing ones, due to evidence of unauthorized exploitation of a critical vulnerability previously patched by SAP more than five years before.

In some cases, these attackers are still exploiting the same vulnerability that was highlighted back in 2016.

Attackers Trade CVEs Affecting ERP Applications on the Darknet

The Digital Shadows and Onapsis report detailed the increase in the threats associated with the Common Vulnerabilities and Exposures (CVE) affecting ERP applications and exploits that could be used to abuse those vulnerabilities.

Additionally, these threats are getting more attention from malicious actors, as evidenced by a significant increase in the references to SAP and Oracle CVEs on the darknet, including criminal and underground forums that contain posts detailing how to hack an SAP application and requests for exploits of SAP HANA.

Per the Digital Shadows and Onapsis report, 50 exploits for SAP products and 30 for the Oracle EBS technology stack were found in one darknet forum alone when Digital Shadows combed through social media chatter.

Eight Key Findings From the Digital Shadows and Onapsis Report

The report serves as a wake-up call for organizations that are not adequately addressing cybersecurity for their SAP applications.

Here are eight key findings:

  1. The risks are growing year over year. New CVEs, vulnerabilities and exploits increase the attack surface, especially for organizations that are falling behind on security patches.
  2. The interest from cyberattackers in vulnerabilities affecting SAP applications is growing considerably year over year — more specifically 130 percent from 2016 to 2017.
  3. Nine operations from hacktivist groups have been discovered with claims of sabotaging operations and compromising business-critical applications.
  4. A well-known malware, Dridex, was found to be updated in 2017 and as recently as February 2018 to target the most widely used SAP client software, enabling cybercriminals to steal valid SAP user credentials.
  5. Over 500 configuration files were discovered on insecure file repositories over the internet, along with employees sharing ERP login credentials in public forums.
  6. Threat actors are incorporating SAP applications as part of the scope of their campaigns, as shown in over 20 examples throughout the report.
  7. Some 17,000 SAP and Oracle software installations are exposed to the internet at more than 3,000 top companies, government agencies and universities.
  8. More than 4,000 known bugs in SAP and 5,000 in Oracle software pose security threats, especially in older systems that have not been patched or upgraded.

Password Hygiene and Patch Management Are Crucial to Protect ERP Apps

Attackers are not only targeting externally facing SAP applications, but also internal systems, using version 4 of the Dridex malware. This is one of the 20 examples shared in the report. Newer versions of ERP applications are also being targeted — the report cited examples of a post where a user is requesting any known SAP HANA vulnerability.

In addition, “sap123,” a default password, is shown to have been used in a compromised remote desktop protocol (RDP) session. RDP is a proprietary protocol that provides users with a graphical interface to connect to another computer over a network connection. Companies need to ensure that employees are properly trained in good password hygiene, according to Michael Melore, cybersecurity advisor at IBM Security.

Attackers are often drawn to mission-critical ERP systems because of the sensitive and confidential data they hold. After Oracle released a patch for CVE-2017-10271, a vulnerability in WebLogic, which is often used as a server for PeopleSoft, an exploit for this vulnerability was made available two months later, per the data collected by Digital Shadows.

Sources: Reuters, Onapsis, US-CERT

The post Threat Report Provides Evidence of Threat Actors Targeting ERP Applications appeared first on Security Intelligence.

Report: Cybercriminals target difficult-to-secure ERP systems with new attacks

Cybercriminals are targeting enterprise resource planning (ERP) apps–some of the oldest and most difficult-to-secure business software systems–with new attacks in an effort to exploit vulnerabilities and gain access to valuable, sensitive enterprise data, according to a new report. In the report released this week by Digital Shadows...

Vulnerability Spotlight: Multiple Vulnerabilities in Samsung SmartThings Hub

These vulnerabilities were discovered by Claudio Bozzato of Cisco Talos.

Executive Summary

Cisco Talos recently discovered several vulnerabilities present within the firmware of the Samsung SmartThings Hub. In accordance with our coordinated disclosure policy, Cisco Talos has worked with Samsung to ensure that these issues have been resolved and that a firmware update has been made available for affected customers. These vulnerabilities could allow an attacker to execute OS commands or other arbitrary code on affected devices.

The SmartThings Hub is a central controller that monitors and manages various internet-of-things (IoT) devices such as smart plugs, LED light bulbs, thermostats, cameras, and more that would typically be deployed in a smart home. The SmartThings Hub functions as a centralized controller for these devices and allows users to remotely connect to and manage these devices using a smartphone. The firmware running on the SmartThings Hub is Linux-based and allows for communications with IoT devices using a variety of different technologies such as Ethernet, Zigbee, Z-Wave and Bluetooth.

Given that these devices often gather sensitive information, the discovered vulnerabilities could be leveraged to give an attacker the ability to obtain access to this information, monitor and control devices within the home, or otherwise perform unauthorized activities. Some example scenarios are listed below:

  • Smart locks controlled by the SmartThings Hub could be unlocked, allowing for physical access to the home.
  • Cameras deployed within the home could be used to remotely monitor occupants.
  • The motion detectors used by the home alarm system could be disabled.
  • Smart plugs could be controlled to turn off or on different things that may be connected.
  • Thermostats could be controlled by unauthorized attackers.
  • Attackers could cause physical damage to appliances or other devices that may be connected to smart plugs deployed within the smart home.

Given the wide range of possible deployments of these devices, this is not a complete list of different scenarios. Cisco Talos recommends ensuring that affected SmartThings Hubs are updated to the latest version of firmware to ensure that these vulnerabilities are addressed.

Exploitation

In total, Talos found 20 vulnerabilities in the Samsung SmartThings Hub. These vulnerabilities vary in the level of access required by an attacker to exploit them and the level of access they give an attacker. In isolation, some of these might be hard to exploit, but together they can be combined into a significant attack on the device. While we discuss all 20 of these vulnerabilities later in this blog post, in this section we will discuss how an attacker can chain together three vulnerability classes that are present in the device to gain complete control of the device.

Chains

It is possible to gather the set of preconditions needed to exploit bugs that would otherwise be unreachable by using multiple vulnerabilities. This is commonly referred to as "chaining." When considering the severity of vulnerabilities, it is essential to keep in mind that they might be used as part of a chain, as this would significantly elevate their severity.

We identified three notable chains, the last of which allows for remotely compromising the device without prior authentication:

Chain A

Remote code execution: TALOS-2018-0556 describes a post-auth vulnerability that allows for the execution of arbitrary SQL queries against a database inside the device. When used alone, it only allows for altering the whole database. However, TALOS-2018-0557, TALOS-2018-0576, TALOS-2018-0581 and TALOS-2018-0583 describe a set of memory corruption vulnerabilities that allow for executing arbitrary code, assuming the attacker is capable of issuing arbitrary SQL queries. Since TALOS-2018-0556 provides this capability, they can be chained together to achieve code execution from the network. Note, however, that this list is not exhaustive, as other combinations may be viable.

Chain B

Remote information leakage: TALOS-2018-0556 can also be used to create an empty file anywhere inside the device. As described in TALOS-2018-0593, the existence of an empty file at path "/hub/data/hubcore/stZigbee" will make the "hubCore" process crash. Moreover, as described in TALOS-2018-0594, when the "hubCore" process crashes, it triggers an information leak that can be captured from the network. By chaining these three vulnerabilities in order, an attacker can obtain a memory dump of the `hubCore` process, which contains most of the core logic of the Hub and, consequently, sensitive information.

Chain C

Pre-auth remote code execution: TALOS-2018-0578 describes a vulnerability that allows for injecting semi-controlled HTTP requests into the internal `video-core` process, from the network and without prior authentication. Since the injected requests are not completely controllable, TALOS-2018-0577 can be chained (using all three of its CVEs together) to further refine the injected HTTP request: TALOS-2018-0577 shows how to modify the method, path, and body components of an HTTP request by exploiting a bug in the handling of HTTP pipelining. Finally, the chain could end with TALOS-2018-0573, which exploits a stack-based buffer overflow by sending a local HTTP request to the `video-core` process. By chaining these three vulnerabilities together, an attacker can compromise the device remotely without prior authentication. Note that other similar vulnerabilities could be used as the last element of the chain; however, they might be more complex to implement.

Attack vectors

Chain C can be executed without prior authentication. Chains A and B, however, as well as the majority of the vulnerabilities reported, have different preconditions depending on the attack vector.

To understand the attack surface, it is useful to note that there is a trust relationship between the SmartThings Hub and the remote servers that it communicates with. This allows for the remote monitoring and management of the smart home via a smartphone application, as well as for the addition of custom features to make the Hub compatible with other, non-officially supported devices.

In the scope of the vulnerabilities that we reported, we identified multiple notable attack vectors:

Attack vector X

Anyone owning a valid OAuth bearer token, or the corresponding username and password pair used to obtain one, can talk to the remote SmartThings servers as an authenticated user. At this stage, an attacker could exploit some of the bugs that we reported, as demonstrated in TALOS-2018-0539.

Attack vector Y

Third-party developers can write a "SmartApp" so that otherwise unsupported hardware can communicate transparently with the hub. SmartApps can either be published on the public marketplace or exist exclusively on the developer's hub. Since SmartApps are supposed to communicate with unsupported hardware, they need a way to send network messages: a SmartApp can instruct the Hub to perform network connections on its behalf. These requests originate from the remote SmartThings servers (where the SmartApp is actually executed) and are relayed to the Hub. Internally, these connections are performed by the `hubCore` process.

This has the side effect of giving SmartApps the power to communicate with localhost-bound services, such as `video-core`, which wouldn't otherwise be reachable.

Thus, the existence of SmartApps makes chains A and B, as well as any `video-core` vulnerability, exploitable without authentication, but with the requirement of having a custom SmartApp enabled on the device.

Attack vector Z

Anyone able to impersonate the remote SmartThings servers can talk to the `hubCore` process in the hub, which in turn allows an attacker to talk directly to the `video-core` process and exploit any of its bugs. Note that the SmartThings server that communicates with the Hub is not supposed to be able to run arbitrary code on it, as shown by the fact that firmware update packages, although sent over this same TLS connection, are encrypted and authenticated, and are likely packaged by a different, more privileged machine.

Vulnerability Details

Samsung SmartThings Hub RTSP Password Command Injection Vulnerability (TALOS-2018-0539 / CVE-2018-3856)

The Samsung SmartThings Hub can be used to register, configure, and view the video stream from various IP cameras. The smart hub also provides users the ability to modify the camera's password, which is then stored by `video-core` in an internal database. Accessing the camera's video feed causes the camera to invoke the `ffmpeg` command using the `camera-password` parameter that is retrieved from this database. By including a space character in the camera password, an attacker could cause the `ffmpeg` binary to be launched with attacker-controlled command-line options. These options could be used to execute arbitrary system commands. TALOS-2018-0539 has been assigned CVE-2018-3856. For additional information, please see the advisory here.
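As an added illustration (not code from the Talos advisory or the SmartThings firmware), the following C sketch contrasts the risky command-line shape described above with a hardened one: the stored password is validated and then passed as a single argv element, instead of being flattened into one string that is later split on whitespace. The ffmpeg option names are placeholders, and the token counter stands in for whatever would split the flattened string.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_ARGS 16

/* Defence-in-depth check for a stored camera password: refuse anything that
 * whitespace splitting could turn into extra tokens, or that an option parser
 * could mistake for a flag. Returns 1 if the password is acceptable, else 0. */
int camera_password_is_safe(const char *pw)
{
    if (pw == NULL || *pw == '\0' || *pw == '-')
        return 0;
    for (const unsigned char *p = (const unsigned char *)pw; *p; p++) {
        if (isspace(*p) || iscntrl(*p))
            return 0;
    }
    return 1;
}

/* Count whitespace-separated tokens, i.e. what a shell or a naive splitter
 * would see if it received the flattened command line built below. */
int count_tokens(const char *cmdline)
{
    int tokens = 0, in_token = 0;
    for (const unsigned char *p = (const unsigned char *)cmdline; *p; p++) {
        if (isspace(*p)) {
            in_token = 0;
        } else if (!in_token) {
            in_token = 1;
            tokens++;
        }
    }
    return tokens;
}

/* Risky shape: every value is pasted into one string that is later split on
 * whitespace. A password containing a space then becomes additional
 * arguments. Shown for contrast only; the option names are placeholders. */
int build_cmdline_flattened(char *out, size_t outsz, const char *url,
                            const char *user, const char *pw)
{
    int n = snprintf(out, outsz, "ffmpeg -i %s -user %s -camera-password %s",
                     url, user, pw);
    return (n < 0 || (size_t)n >= outsz) ? -1 : n;
}

/* Hardened shape: build an argv vector for execvp()/posix_spawn(). Each value
 * occupies exactly one argv slot, so whitespace inside the password can never
 * create a new argument, and the validator above is applied first.
 * Returns argc, or -1 if the password is rejected. The argv entries alias the
 * inputs, so those must outlive the vector. */
int build_argv(const char *argv[MAX_ARGS], const char *url,
               const char *user, const char *pw)
{
    if (!camera_password_is_safe(pw))
        return -1;
    int i = 0;
    argv[i++] = "ffmpeg";
    argv[i++] = "-i";
    argv[i++] = url;
    argv[i++] = "-user";
    argv[i++] = user;
    argv[i++] = "-camera-password";
    argv[i++] = pw;
    argv[i] = NULL;
    return i;
}

int main(void)
{
    /* Constructed sample values: a benign password and one that carries a
     * space followed by something shaped like an option. */
    const char *url = "rtsp://192.0.2.10/stream";
    const char *good_pw = "s3cretPass";
    const char *bad_pw = "pw -evil";
    char line[256];
    const char *argv[MAX_ARGS];

    build_cmdline_flattened(line, sizeof line, url, "admin", bad_pw);
    printf("flattened line: %d tokens (7 intended)\n", count_tokens(line));
    printf("argv with bad password: %d\n", build_argv(argv, url, "admin", bad_pw));
    printf("argv with good password: %d\n", build_argv(argv, url, "admin", good_pw));
    return 0;
}
```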

Samsung SmartThings Hub video-core samsungWifiScan Code Execution Vulnerability (TALOS-2018-0548 / CVE-2018-3863 - CVE-2018-3866)

Multiple buffer overflow vulnerabilities exist within the samsungWifiScan handler of the `video-core` HTTP server used by the SmartThings Hub. An attacker could send specially crafted HTTP POST requests to affected devices to exploit this vulnerability. This vulnerability manifests due to the SmartThings hub improperly processing user-controlled JSON that is submitted as part of an HTTP POST request to /samsungWifiScan. The values of the `user`, `password`, `cameraIp`, and `callbackUrl` keys can be used to trigger these vulnerabilities as this data is transferred to a destination buffer in memory using `strcpy` without first checking the size of the destination buffer, resulting in an overflow condition. TALOS-2018-0548 has been assigned CVE-2018-3863 through CVE-2018-3866. For additional information, please see the advisory here.

Samsung SmartThings Hub video-core samsungWifiScan Callback Code Execution Vulnerability (TALOS-2018-0549 / CVE-2018-3867)

An exploitable buffer overflow vulnerability exists within the Samsung WifiScan callback notification functionality present within the `video-core` HTTP server used by the SmartThings Hub. An attacker could send specially crafted HTTP POST requests to affected devices to exploit this vulnerability. This vulnerability manifests due to the SmartThings hub incorrectly processing communications received from smart cameras during the smart camera discovery process. An attacker could host specially crafted HTTP contents using an HTTP server that could be used to trigger this vulnerability. During the smart camera registration process, the SmartThings Hub will attempt to retrieve these contents from the host specified. The retrieved contents are then transferred using `sprintf` without first checking the size of the destination buffer. This vulnerability could be exploited to execute arbitrary code. TALOS-2018-0549 has been assigned CVE-2018-3867. For additional information, please see the advisory here.

Samsung SmartThings Hub video-core credentials videoHostUrl Code Execution Vulnerability (TALOS-2018-0554 / CVE-2018-3872)

Multiple exploitable buffer overflow vulnerabilities exist within the `credentials` handler of `video-core` HTTP server used by the SmartThings Hub. An attacker could send a specially crafted HTTP POST request to affected devices to exploit this vulnerability. This vulnerability manifests due to the SmartThings Hub improperly processing user-controlled JSON that is submitted as part of a POST request to `/credentials`. The value of the `videoHostUrl` key can be used to trigger this vulnerability, as the data contained within this key is transferred to a destination buffer in memory without first checking the size of the destination buffer, resulting in an overflow condition. TALOS-2018-0554 has been assigned CVE-2018-3872. For additional information, please see the advisory here.

Samsung SmartThings Hub video-core credentials Code Execution Vulnerability (TALOS-2018-0555 / CVE-2018-3873 - CVE-2018-3878)

Multiple exploitable buffer overflow vulnerabilities exist within the `credentials` handler of the `video-core` HTTP server used by the SmartThings Hub. An attacker could send a specially crafted HTTP POST request to affected devices to exploit this vulnerability. These vulnerabilities manifest due to the SmartThings Hub improperly processing user-controlled JSON that is submitted as part of a POST request to `/credentials`. The values of the `secretKey`, `accessKey`, `sessionToken`, `bucket`, `directory`, and `region` keys can be used to trigger these vulnerabilities, as the data contained within those keys is transferred to a destination buffer in memory using `strncpy` without first checking the size of the destination buffer, resulting in an overflow condition. TALOS-2018-0555 has been assigned CVE-2018-3873 through CVE-2018-3878. For additional information, please see the advisory here.

Samsung SmartThings Hub video-core credentials Parsing SQL Injection Vulnerability (TALOS-2018-0556 / CVE-2018-3879)

A SQL injection vulnerability exists within the `credentials` handler of the `video-core` HTTP server used by the SmartThings Hub. An attacker could send specially crafted HTTP POST requests to affected devices to exploit this vulnerability. This vulnerability manifests due to the SmartThings Hub improperly processing user-controlled JSON that is submitted as part of a POST request to `/credentials`. The SmartThings Hub allows for the changing of credentials that the hub uses when connecting to other devices. This process includes an HTTP POST request containing JSON which is made up of all of the parameters required to change the credentials. This information is not properly sanitized prior to being stored in an internal SQLite database. By including JSON and SQL syntax within this request, it is possible to trigger a JSON injection that, in turn, triggers a SQL injection condition. TALOS-2018-0556 has been assigned CVE-2018-3879. For additional information, please see the advisory here.

Samsung SmartThings Hub video-core Database find-by-cameraId Code Execution Vulnerability (TALOS-2018-0557 / CVE-2018-3880)

An exploitable buffer overflow vulnerability exists within the database 'find-by-cameraId' functionality present within the `video-core` HTTP server used by the Samsung SmartThings hub. An attacker could send specially crafted HTTP requests to affected devices to exploit this vulnerability. This vulnerability manifests due to the `video-core` process incorrectly handling records present within the SQLite database it uses. After first adding a camera to the 'camera table' of the SQLite database along with overly long camera information, an attacker can trigger this vulnerability by sending a specially crafted HTTP DELETE request specifying the camera that was previously added, causing an overflow condition. This works due to a lack of restriction on the data that is pulled in during the database lookup for the camera. TALOS-2018-0557 has been assigned CVE-2018-3880. For additional information, please see the advisory here.

Samsung SmartThings Hub video-core clips Code Execution Vulnerability (TALOS-2018-0570 / CVE-2018-3893 - CVE-2018-3897)

Multiple exploitable buffer overflow vulnerabilities exist within the `/cameras/XXXX/clips` handler present in the `video-core` HTTP server used by the Samsung SmartThings Hub. An attacker could send specially crafted HTTP POST requests to affected devices to exploit these vulnerabilities. These vulnerabilities manifest due to the SmartThings Hub improperly processing user-controlled JSON that is submitted as part of a POST request to "/cameras/<camera-id>/clips." The values of the 'captureTime', 'startTime', 'endTime', 'correlationId', and 'callbackUrl' keys can be used to trigger these vulnerabilities, as the data contained within those keys is transferred to a destination buffer using `strncpy` without first checking the size of the destination buffer, resulting in an overflow condition. TALOS-2018-0570 has been assigned CVE-2018-3893 through CVE-2018-3897. For additional information please see the advisory here.
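To show the bounded-copy discipline missing from the handlers above (TALOS-2018-0548, TALOS-2018-0555 and TALOS-2018-0570), here is an added C example, not code from Talos or Samsung, that parses a flat samsungWifiScan-style JSON body straight into fixed fields with every copy bounded by the destination's capacity. The struct sizes and the minimal parser are assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Fixed-size record for the samsungWifiScan fields named above. The buffer
 * sizes are assumptions for this example, not the firmware's. */
struct wifi_scan_req {
    char user[32];
    char password[64];
    char camera_ip[46];
    char callback_url[128];
};

/* Map a JSON key to its destination buffer and capacity; NULL if unknown. */
static char *field_for_key(struct wifi_scan_req *r, const char *key, size_t *cap)
{
    if (strcmp(key, "user") == 0)        { *cap = sizeof r->user;         return r->user; }
    if (strcmp(key, "password") == 0)    { *cap = sizeof r->password;     return r->password; }
    if (strcmp(key, "cameraIp") == 0)    { *cap = sizeof r->camera_ip;    return r->camera_ip; }
    if (strcmp(key, "callbackUrl") == 0) { *cap = sizeof r->callback_url; return r->callback_url; }
    return NULL;
}

static const char *skip_ws(const char *p)
{
    while (*p == ' ' || *p == '\t' || *p == '\r' || *p == '\n')
        p++;
    return p;
}

/* Copy a double-quoted JSON string (escapes unsupported, for brevity) into
 * out, which holds cap bytes including the terminator. Unlike the
 * strcpy()/strncpy() pattern described above, the bound comes from the
 * destination and an oversized value is refused, never truncated or written
 * past the end. Returns a pointer past the closing quote, or NULL. */
static const char *read_string(const char *p, char *out, size_t cap)
{
    size_t n = 0;
    if (*p++ != '"')
        return NULL;
    while (*p != '"') {
        if (*p == '\0' || *p == '\\')
            return NULL;        /* unterminated, or an escape we do not handle */
        if (n + 1 >= cap)
            return NULL;        /* value would not fit with its terminator */
        out[n++] = *p++;
    }
    out[n] = '\0';
    return p + 1;
}

/* Parse a flat JSON object of string members into r. Returns 0 on success,
 * -1 on malformed input, an unknown key, or a value too large for its field. */
int parse_wifi_scan(struct wifi_scan_req *r, const char *json)
{
    char key[32];
    size_t cap;
    char *dst;
    const char *p = skip_ws(json);

    memset(r, 0, sizeof *r);
    if (*p++ != '{')
        return -1;
    if (*skip_ws(p) == '}')
        return 0;
    for (;;) {
        if ((p = read_string(skip_ws(p), key, sizeof key)) == NULL)
            return -1;
        if (*(p = skip_ws(p)) != ':')
            return -1;
        if ((dst = field_for_key(r, key, &cap)) == NULL)
            return -1;
        if ((p = read_string(skip_ws(p + 1), dst, cap)) == NULL)
            return -1;
        p = skip_ws(p);
        if (*p == '}')
            return 0;
        if (*p++ != ',')
            return -1;
    }
}

/* Constructed check: a body whose callbackUrl is longer than its field.
 * Returns 1 when the parser refuses the whole request. */
int rejects_oversized_callback(void)
{
    struct wifi_scan_req r;
    char url[200], body[320];
    memset(url, 'A', sizeof url - 1);
    url[sizeof url - 1] = '\0';
    snprintf(body, sizeof body, "{\"user\":\"admin\",\"callbackUrl\":\"http://%s/cb\"}", url);
    return parse_wifi_scan(&r, body) == -1;
}

int main(void)
{
    struct wifi_scan_req r;
    int ok = parse_wifi_scan(&r, "{\"user\":\"admin\",\"cameraIp\":\"192.0.2.10\"}");
    printf("valid body parsed: %s, cameraIp=%s\n", ok == 0 ? "yes" : "no", r.camera_ip);
    printf("oversized callbackUrl rejected: %s\n", rejects_oversized_callback() ? "yes" : "no");
    return 0;
}
```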

Samsung SmartThings Hub video-core Camera URL Replace Code Execution Vulnerability (TALOS-2018-0573 / CVE-2018-3902)

An exploitable buffer overflow vulnerability exists within the camera "replace" feature present within the `video-core` HTTP server used by the Samsung SmartThings hub. An attacker could send specially crafted HTTP requests to affected devices to exploit this vulnerability. This vulnerability manifests due to the SmartThings Hub improperly processing user-controlled JSON that is submitted as part of an HTTP PUT request to "/cameras/<camera-id>." The value of the 'url' key can be used to trigger this vulnerability as the data contained within this key is transferred to a destination buffer using `memcpy` without first checking the size of the destination buffer, resulting in an overflow condition. TALOS-2018-0573 has been assigned CVE-2018-3902. For additional information please see the advisory here.

Samsung SmartThings Hub video-core Camera Update Code Execution Vulnerabilities (TALOS-2018-0574 / CVE-2018-3903 - CVE-2018-3904)

Multiple exploitable buffer overflow vulnerabilities exist within the camera "update" feature present within the `video-core` HTTP server used by the SmartThings Hub. An attacker could send specially crafted HTTP requests to affected devices to exploit these vulnerabilities. These vulnerabilities manifest due to the SmartThings hub improperly processing user-controlled JSON that is submitted as part of a PATCH request to "/cameras/<camera-id>." The values of the 'url' or 'state' keys can be used to trigger these vulnerabilities as the data contained within these keys is transferred to a destination buffer using `memcpy` without first checking the size of the destination buffer, resulting in an overflow condition. TALOS-2018-0574 has been assigned CVE-2018-3903 and CVE-2018-3904. For additional information please see the advisory here.

Samsung SmartThings Hub video-core Camera Creation Code Execution Vulnerability (TALOS-2018-0575 / CVE-2018-3905)

An exploitable buffer overflow vulnerability exists within the camera "create" feature present within the `video-core` HTTP server used by the Hub. An attacker could send specially crafted HTTP requests to affected devices to exploit this vulnerability. This vulnerability manifests due to the SmartThings hub improperly processing user-controlled JSON that is submitted as part of a POST request to "/cameras." The value of the "state" key can be used to trigger this vulnerability as the data contained within this key is transferred to a destination buffer using `memcpy` without first checking the size of the destination buffer, resulting in an overflow condition. TALOS-2018-0575 has been assigned CVE-2018-3905. For additional information please see the advisory here.

Samsung SmartThings Hub video-core Database shard.videoHostURL Code Execution Vulnerability (TALOS-2018-0576 / CVE-2018-3906)

An exploitable stack-based buffer overflow vulnerability exists within the retrieval of a database field within the `video-core` HTTP server used by the SmartThings Hub. An attacker could send a specially crafted HTTP request to affected devices to exploit this vulnerability. This vulnerability manifests due to the `video-core` HTTP server improperly extracting the "shard.videoHostURL" field from its SQLite database, causing a stack-based buffer overflow condition. To exploit this vulnerability, an attacker would need to modify the value of this field in the SQLite database. This could be accomplished by leveraging TALOS-2018-0556. TALOS-2018-0576 has been assigned CVE-2018-3906. For additional information, please see the advisory here.

Samsung SmartThings Hub video-core REST Request Parser HTTP Pipelining Injection Vulnerabilities (TALOS-2018-0577 / CVE-2018-3907 - CVE-2018-3909)

Multiple exploitable vulnerabilities exist within the REST parser present within the `video-core` HTTP server. An attacker could send specially crafted HTTP requests to affected devices to exploit these vulnerabilities. These vulnerabilities manifest due to the SmartThings Hub incorrectly handling pipelined HTTP requests. These vulnerabilities could allow an attacker to overwrite the methods and contents of an HTTP request in order to insert malicious data for a variety of different reasons. These vulnerabilities could be leveraged along with other vulnerabilities to further maximize the attacker's impact on affected devices. TALOS-2018-0577 has been assigned CVE-2018-3907 through CVE-2018-3909. For additional information, please see the advisory here.

Samsung SmartThings Hub hubCore Port 39500 HTTP Header Injection Vulnerability (TALOS-2018-0578 / CVE-2018-3911)

An exploitable HTTP header injection vulnerability exists within the communications present between the Hub and the remote servers it communicates with. An attacker could send a specially crafted HTTP request to affected devices to exploit this vulnerability. This vulnerability is present within the JSON processing performed by the `hubCore` binary present within the SmartThings hub and could be combined with other vulnerabilities present within affected devices to achieve code execution. TALOS-2018-0578 has been assigned CVE-2018-3911. For additional information, please see the advisory here.

Samsung SmartThings Hub video-core Database shard Code Execution Vulnerabilities (TALOS-2018-0581 / CVE-2018-3912 - CVE-2018-3917)

Multiple exploitable stack-based buffer overflow vulnerabilities exist within the retrieval of database fields within the `video-core` HTTP server used by the Samsung SmartThings hub. An attacker could send specially crafted HTTP requests to affected devices to exploit these vulnerabilities. These vulnerabilities manifest due to the `video-core` HTTP server improperly extracting the contents of several fields from its SQLite database, causing a stack-based buffer overflow condition. To exploit these vulnerabilities, an attacker would need to modify the value of these fields within the SQLite database. This could be accomplished by leveraging TALOS-2018-0556. TALOS-2018-0581 has been assigned CVE-2018-3912 through CVE-2018-3917. For additional information, please see the advisory here.

Samsung SmartThings Hub hubCore Port 39500 Sync Denial Of Service Vulnerability (TALOS-2018-0582 / CVE-2018-3918)

A vulnerability exists within the communications between the Samsung SmartThings Hub and the remote servers it communicates with. This vulnerability is present within the "sync" operation used to determine which cameras should be managed by the Hub. An attacker could send specially crafted HTTP requests to affected devices to exploit this vulnerability. Due to the lack of proper authentication, a remote attacker could leverage this trust relationship to delete cameras that should otherwise be managed by the SmartThings hub. TALOS-2018-0582 has been assigned CVE-2018-3918. For additional information, please see the advisory here.

Samsung SmartThings Hub video-core Database clips Code Execution Vulnerability (TALOS-2018-0583 / CVE-2018-3919)

An exploitable stack-based buffer overflow vulnerability exists within the retrieval of database fields in the `video-core` HTTP server used by the Hub. An attacker could send specially crafted HTTP requests to affected devices to exploit this vulnerability. This vulnerability manifests due to the `video-core` server not properly processing and extracting the fields from the "clips" table within its SQLite database. Leveraging TALOS-2018-0556, an attacker could arbitrarily insert a "captureTime" value within this table that exceeds the maximum size expected by the Hub, which results in a buffer overflow condition due to the lack of proper enforcement of this maximum size value. TALOS-2018-0583 has been assigned CVE-2018-3919. For additional information, please see the advisory here.

Samsung SmartThings Hub video-core AWSELB Cookie Code Execution Vulnerability (TALOS-2018-0591 / CVE-2018-3925)

An exploitable buffer overflow vulnerability exists within the remote video-host communication that is present within the `video-core` HTTP server used by the Samsung SmartThings Hub. An attacker could send specially crafted HTTP requests to affected devices to exploit this vulnerability. This vulnerability manifests due to the `video-core` server not properly handling the contents of AWSELB cookies. The cookie value that is obtained from the remote video-host servers is copied to a destination buffer without first checking the length of the cookie value, leading to a buffer overflow condition. TALOS-2018-0591 has been assigned CVE-2018-3925. For additional information, please see the advisory here.

Samsung SmartThings Hub hubCore ZigBee firmware update CRC16 check Denial of Service Vulnerability (TALOS-2018-0593 / CVE-2018-3926)

An exploitable integer underflow vulnerability exists within the ZigBee firmware update process present within the `hubCore` binary used by the SmartThings Hub. An attacker could create a specially crafted file present within the "data" directory used by this process to create an infinite loop that ultimately crashes the service. Due to a logic error present within the ZigBee firmware update process that takes place on the SmartThings Hub, an attacker could leverage TALOS-2018-0556 to upload a specially crafted file that causes the process to continuously loop until a crash occurs. TALOS-2018-0593 has been assigned CVE-2018-3926. For additional information, please see the advisory here.

Samsung SmartThings Hub hubCore Google Breakpad backtrace.io information disclosure vulnerability (TALOS-2018-0594 / CVE-2018-3927)

An exploitable information disclosure vulnerability exists within the exception handler present within the `hubCore` binary used by the SmartThings Hub. The Hub currently leverages Google Breakpad for the purpose of creating minidumps in situations where a crash is encountered. After these minidumps are created by the Hub, they are transmitted to a remote service (backtrace.io) for analysis via the "curl" utility, which is configured to leverage the "-k" switch for this data transmission. This insecure switch allows curl to establish a connection with a remote server that responds with a self-signed SSL certificate. An attacker with the ability to impersonate the remote server could intercept this minidump using a self-signed certificate in order to extract sensitive process data. TALOS-2018-0594 has been assigned CVE-2018-3927. For additional information, please see the advisory here.

Versions Tested

Talos has tested and confirmed that the following Samsung SmartThings Hub firmware versions are affected:

Samsung SmartThings Hub STH-ETH-250 - Firmware version 0.20.17

https://community.smartthings.com/t/hub-firmware-release-notes-22-13/129936

Conclusion

While devices such as the SmartThings Hub are typically deployed to provide additional convenience and automation to users, special care must be taken to ensure that they are configured securely and updated when new firmware is made available by the manufacturer. Given that these devices can be deployed in many different scenarios, the impact of a successful attack against them could be severe. Talos recommends that these devices be updated as quickly as possible. As Samsung pushes updates out to devices automatically, this should not require manual intervention in most cases. It is important to verify that the updated version has actually been applied to devices to ensure that they are no longer vulnerable. Samsung has released a firmware update that resolves these issues. An advisory related to these vulnerabilities can be found here.

Coverage

The following Snort rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Snort Rules: 45891, 46079, 46090, 46149, 46150-46155, 46211, 46217, 46296, 46319, 46320, 46321, 46390 - 46392, 46395, 46543, 46661

Microsoft Office Vulnerabilities Used to Distribute FELIXROOT Backdoor in Recent Campaign

Campaign Details

In September 2017, FireEye identified the FELIXROOT backdoor as a payload in a campaign targeting Ukrainians and reported it to our intelligence customers. The campaign involved malicious Ukrainian bank documents, which contained a macro that downloaded a FELIXROOT payload, being distributed to targets.

FireEye recently observed the same FELIXROOT backdoor being distributed as part of a newer campaign. This time, weaponized lure documents claiming to contain seminar information on environmental protection were observed exploiting known Microsoft Office vulnerabilities CVE-2017-0199 and CVE-2017-11882 to drop and execute the backdoor binary on the victim’s machine. Figure 1 shows the attack overview.


Figure 1: Attack overview

The malware is distributed via Russian-language documents (Figure 2) that are weaponized with known Microsoft Office vulnerabilities. In this campaign, we observed threat actors exploiting CVE-2017-0199 and CVE-2017-11882 to distribute malware. The malicious document used is named “Seminar.rtf”. It exploits CVE-2017-0199 to download the second stage payload from 193.23.181.151 (Figure 3). The downloaded file is weaponized with CVE-2017-11882.


Figure 2: Lure documents


Figure 3: Hex dump of embedded URL in Seminar.rtf

Figure 4 shows the first payload trying to download the second stage Seminar.rtf.


Figure 4: Downloading second stage Seminar.rtf

The downloaded Seminar.rtf contains an embedded binary file that is dropped in %temp% via the Equation Editor executable. This file drops the executable at %temp% (MD5: 78734CD268E5C9AB4184E1BBE21A6EB9), which is used to drop and execute the FELIXROOT dropper component (MD5: 92F63B1227A6B37335495F9BCB939EA2).

The dropped executable (MD5: 78734CD268E5C9AB4184E1BBE21A6EB9) contains the compressed FELIXROOT dropper component in the Portable Executable (PE) binary overlay section. When it is executed, it creates two files: an LNK file that points to %system32%\rundll32.exe, and the FELIXROOT loader component. The LNK file is moved to the startup directory. Figure 5 shows the command in the LNK file to execute the loader component of FELIXROOT.


Figure 5: Command in LNK file

The embedded backdoor component is encrypted using custom encryption. The file is decrypted and loaded directly in memory without touching the disk.

Technical Details

After successful exploitation, the dropper component executes and drops the loader component. The loader component is executed via RUNDLL32.EXE. The backdoor component is loaded in memory and has a single exported function.

Strings in the backdoor are encrypted using a custom algorithm that uses XOR with a 4-byte key. Decryption logic used for ASCII strings is shown in Figure 6.


Figure 6: ASCII decryption routine

Decryption logic used for Unicode strings is shown in Figure 7.


Figure 7: Unicode decryption routine

Upon execution, a new thread is created where the backdoor sleeps for 10 minutes. Then it checks to see if it was launched by RUNDLL32.exe along with parameter #1. If the malware was launched by RUNDLL32.exe with parameter #1, then it proceeds with initial system triage before doing command and control (C2) network communications. Initial triage begins with connecting to Windows Management Instrumentation (WMI) via the “ROOT\CIMV2” namespace.

Figure 8 shows the full operation.


Figure 8: Initial execution process of backdoor component

Table 1 shows the classes referred from the “ROOT\CIMV2” and “Root\SecurityCenter2” namespaces.

WMI Namespaces
  Win32_OperatingSystem
  Win32_ComputerSystem
  AntiSpywareProduct
  AntiVirusProduct
  FirewallProduct
  Win32_UserAccount
  Win32_NetworkAdapter
  Win32_Process

Table 1: Referred classes

WMI Queries and Registry Keys Used

  1. SELECT Caption FROM Win32_TimeZone
  2. SELECT CSNAME, Caption, CSDVersion, Locale, RegisteredUser FROM Win32_OperatingSystem
  3. SELECT Manufacturer, Model, SystemType, DomainRole, Domain, UserName FROM Win32_ComputerSystem

Registry entries are read for potential privilege escalation (the UAC prompt settings) and proxy information.

  1. Registry key “SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System” is queried to check the values ConsentPromptBehaviorAdmin and PromptOnSecureDesktop.
  2. Registry key “Software\Microsoft\Windows\CurrentVersion\Internet Settings\” is queried to gather proxy information from the values ProxyEnable, Proxy: (NO), Proxy, ProxyServer.

Table 2 shows FELIXROOT backdoor capabilities. Each command is performed in an individual thread.

Command   Description
0x31      Fingerprint System via WMI and Registry
0x32      Drop File and execute
0x33      Remote Shell
0x34      Terminate connection with C2
0x35      Download and run batch script
0x36      Download file on machine
0x37      Upload File

Table 2: FELIXROOT backdoor commands

Figure 9 shows the log message decrypted from memory using the same mechanism shown in Figure 6 and Figure 7 for every command executed.


Figure 9: Command logs after execution

Network Communications

FELIXROOT communicates with its C2 via HTTP and HTTPS POST requests. Data sent over the network is encrypted and arranged in a custom structure. All data is encrypted with AES, converted into Base64, and sent to the C2 server (Figure 10).


Figure 10: POST request to C2 server

All other fields that are part of the request/response headers, such as User-Agent, Content-Type, and Accept-Encoding, are stored XOR encrypted in the malware. The malware queries the Windows API to get the computer name, user name, volume serial number, Windows version, processor architecture and two additional values, which are “1.3” and “KdfrJKN”. The value “KdfrJKN” may be used as identification for the campaign and is found in the JSON object in the file (Figure 11).


Figure 11: Host information used in every communication
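The string obfuscation described above (XOR with a 4-byte key, with ASCII and Unicode variants in Figures 6 and 7) and the XOR-encrypted header strings the backdoor carries, as an added analyst-side example that is not FireEye's code: it decodes repeating-key XOR strings of both kinds and recovers the key from a known plaintext such as the leading bytes of a User-Agent. The exact key schedule is an assumption, since the figures are not reproduced here, and the key and ciphertexts are constructed for the demo.

```python
"""
Added example (not FireEye's code): a repeating 4-byte XOR string decoder
of the kind an analyst writes to recover FELIXROOT's obfuscated strings.
The page states only that ASCII and Unicode strings are XORed with a
4-byte key, so the schedule below is an ASSUMPTION: the key is applied
byte-wise and repeats every four bytes, with no per-string variation.
DEMO_KEY and the ciphertexts are CONSTRUCTED, not taken from a sample.
"""
from itertools import cycle


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating 4-byte key."""
    if len(key) != 4:
        raise ValueError("FELIXROOT-style key is 4 bytes")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def decrypt_ascii(blob: bytes, key: bytes) -> str:
    """ASCII variant: XOR, then stop at the first NUL terminator."""
    plain = xor_bytes(blob, key)
    return plain.split(b"\x00", 1)[0].decode("ascii", errors="replace")


def decrypt_unicode(blob: bytes, key: bytes) -> str:
    """Unicode variant: Windows wide strings are UTF-16LE and end with a
    two-byte NUL; the XOR is applied to the raw bytes before decoding."""
    plain = xor_bytes(blob, key)
    out = bytearray()
    for i in range(0, len(plain) - 1, 2):
        if plain[i] == 0 and plain[i + 1] == 0:
            break
        out += plain[i:i + 2]
    return out.decode("utf-16-le", errors="replace")


def recover_key(blob: bytes, known_prefix: bytes) -> bytes:
    """Known-plaintext key recovery: the first four plaintext bytes XORed
    with the first four ciphertext bytes give the whole key. The page lists
    the User-Agent strings stored XOR-encrypted in the binary, so b'Mozi'
    is a reliable crib for those blobs."""
    if len(known_prefix) < 4:
        raise ValueError("need at least 4 known plaintext bytes")
    return xor_bytes(blob[:4], known_prefix[:4])


# --- constructed demo data -------------------------------------------
DEMO_KEY = bytes.fromhex("3a7f11c9")   # constructed, not a real sample key
UA = b"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2)"
MARKER_W = "KdfrJKN".encode("utf-16-le")   # campaign marker as a wide string


def build_demo_blobs():
    """XORed, NUL-terminated forms of the demo strings, as they would sit
    in the binary's data section."""
    return {
        "ua": xor_bytes(UA + b"\x00", DEMO_KEY),
        "marker": xor_bytes(MARKER_W + b"\x00\x00", DEMO_KEY),
    }


def demo():
    """Recover the key from the User-Agent crib, then decode both blobs."""
    blobs = build_demo_blobs()
    key = recover_key(blobs["ua"], b"Mozilla/4.0")
    return {
        "key": key.hex(),
        "ua": decrypt_ascii(blobs["ua"], key),
        "marker": decrypt_unicode(blobs["marker"], key),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```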

The FELIXROOT backdoor has three parameters for C2 communication. Each parameter provides information about the task performed on the target machine (Table 3).

Parameter   Description
‘u=’        Target machine information in the following format: <Computer Name>, <User Name>, <Windows Version>, <Processor Architecture>, <1.3>, <KdfrJKN>, <Volume Serial Number>
‘&h=’       Information about the command executed and its results.
‘&p=’       Information about data associated with the C2 server.

Table 3: FELIXROOT backdoor parameters

Cryptography

All data is transferred to the C2 servers AES-encrypted, over HTTP or HTTPS via the IBindCtx COM interface. The AES key is unique for each communication and is encrypted with one of two RSA public keys. Figure 12 and Figure 13 show the RSA keys used in FELIXROOT, and Figure 14 shows the AES encryption parameters.


Figure 12: RSA public key 1


Figure 13: RSA public key 2


Figure 14: AES encryption parameters

After encryption, the cipher text to be sent over C2 is Base64 encoded. Figure 15 shows the structure used to send data to the server, and Figure 16 shows the structural representation of data used in C2 communications.


Figure 15: Structure used to send data to server


Figure 16: Structure used to send data to C2 server

The structure is converted to Base64 using the CryptBinaryToStringA function.

FELIXROOT backdoor contains several commands for specific tasks. After execution of every task, the malware sleeps for one minute before executing the next task. Once all the tasks have been executed completely, the malware breaks the loop, sends the termination buffer back, and clears all the footprints from the targeted machine:

  1. Deletes the LNK file from the startup directory.
  2. Deletes the registry key HKCU\Software\Classes\Applications\rundll32.exe\shell\open.
  3. Deletes the dropper components from the system.

Conclusion

CVE-2017-0199 and CVE-2017-11882 are two of the more commonly exploited vulnerabilities that we are currently seeing. Threat actors will increasingly leverage these vulnerabilities in their attacks until they are no longer finding success, so organizations must ensure they are protected. At the time of writing, the FireEye Multi-Vector Execution (MVX) engine is able to recognize and block this threat. We also advise that all industries remain on alert, as the threat actors involved in this campaign may eventually broaden the scope of their current targeting.

Appendix

Indicators of Compromise

11227ECA89CC053FB189FAC3EBF27497    Seminar.rtf
4DE5ADB865B5198B4F2593AD436FCEFF    Seminar.rtf
78734CD268E5C9AB4184E1BBE21A6EB9    Zam<RandomNumber>.doc
92F63B1227A6B37335495F9BCB939EA2    FELIXROOT Dropper
DE10A32129650849CEAF4009E660F72F    FELIXROOT Backdoor

Table 4: FELIXROOT IOCs

Network Indicators of Compromise

217.12.204.100/news
217.12.204.100:443/news
193.23.181.151/Seminar.rtf
Accept-Encoding: gzip, deflate
content-Type: application/x-www-form-urlencoded
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)

Configuration Files

Version 1:

{"1" : "https://88.198.13.116:8443/xmlservice","2" : "30","4" : "GufseGHbc","6" : "3", "7" : "http://88.198.13.116:8080/xmlservice"}

Version 2:

{"1" : "https://217.12.204.100/news/","2" : "30","4" : "KdfrJKN","6" : "3", "7" : "http://217.12.204.100/news/"}

FireEye Detections

MD5                                 Product    Signature                       Action
11227ECA89CC053FB189FAC3EBF27497    NX/EX/AX   Malware.Binary.rtf              Block
4DE5ADB865B5198B4F2593AD436FCEFF    NX/EX/AX   Malware.Binary.rtf              Block
78734CD268E5C9AB4184E1BBE21A6EB9    NX/EX/AX   Malware.Binary                  Block
92F63B1227A6B37335495F9BCB939EA2    NX/EX/AX   FE_Dropper_Win32_FELIXROOT_1    Block
DE10A32129650849CEAF4009E660F72F    NX/EX/AX   FE_Backdoor_Win32_FELIXROOT_2   Block
11227ECA89CC053FB189FAC3EBF27497    HX         IOC                             Alert
4DE5ADB865B5198B4F2593AD436FCEFF    HX         IOC                             Alert

Table 5: FireEye Detections

Acknowledgements

Special thanks to Jonell Baltazar, Alex Berry and Benjamin Read for their contributions to this blog.

Major Bluetooth Vulnerability

Bluetooth has a serious security vulnerability:

In some implementations, the elliptic curve parameters are not all validated by the cryptographic algorithm implementation, which may allow a remote attacker within wireless range to inject an invalid public key to determine the session key with high probability. Such an attacker can then passively intercept and decrypt all device messages, and/or forge and inject malicious messages.

Paper. Website. Three news articles.

This is serious. Update your software now, and try not to think about all of the Bluetooth applications that can't be updated.

Expert says: Hack your Smart Home to Secure It

Smart home security starts at home, according to researcher Michael Sverdlin who says that consumers should explore the security of their smart home technology and consider simple modifications or hacks to remove insecure or promiscuous features. Not long ago, Michael Sverdlin, the back-end team leader for IoT security startup Vdoo, bought his...


How a Cyberattack Framework Can Help Reduce Risk at All Levels, Part 2

This article is the second installment in a four-part series that examines how the X-Force IRIS framework can help identify opportunities for security practitioners to increase network security and lower risk by addressing the steps an adversary typically takes to attack a network. Be sure to read part one for the full scoop.

Attackers are continually researching companies that are vulnerable to attack and refining their attack plan. However, there are opportunities to undermine a threat actor’s attack preparation and ability to compromise your organization successfully.

IBM X-Force Incident Response and Intelligence Services (IRIS) developed a cyberattack framework to better understand, track and defend against patterns of malicious behavior used by various adversarial actors.

The IBM X-Force IRIS cyberattack preparation framework focuses on implementing security procedures applicable to an organization’s internet-facing environment. Increasing network infrastructure security to guard against the attacker’s external reconnaissance and launch attack phases can help reduce the risk of a successful system compromise.

IRIS Cyberattack Preparation Framework (schematic view)

External Reconnaissance: How Attackers Gain Visibility Into Internal Networks

During the external reconnaissance phase of the framework, the attacker will research the target organization and look for exploitable access points, such as unsecured vulnerabilities, unpatched applications and open ports.

Attackers may search forums for usernames and passwords that could give them remote access to the organization’s internal network. They may also reach out to employees to try to convince them to provide their network access credentials or other information the attacker could use.

Finally, attackers seek opportunities to access organizations indirectly. For example, attackers may compromise companies that have third-party access to an organization’s network. This type of attack is known as a supply chain attack. Several publicly known data breaches involved an attacker exploiting an entry point through a third party with weaker security controls than the target company.

Read the complete white paper: IBM X-Force IRIS Cyberattack Preparation and Execution Frameworks

Stop Attackers in Their Tracks

On the defender’s side, there are opportunities to increase visibility on the organization’s internet-facing networks to help analysts find the anomalous or malicious activity that may indicate that an attacker is conducting external reconnaissance. The key to risk reduction during the attacker’s external reconnaissance is understanding the organization’s networks and hardening the attack surface.

First, security teams should examine the organization’s online exposure and opportunities customers have to interact with it via the internet — since a malicious actor can misuse these.

Defenders can gain visibility into an attacker’s actions during the external reconnaissance phase by closely monitoring for unusual browsing of the organization’s external-facing websites. Additionally, an organization can hunt for signs that employee authentication credentials are posted on darknet forums.

Monitoring for unusual activity on public domains can include:

  • Identify the top users on company domains: Identify the most active users on an organization’s customer-facing web pages, and determine whether there are any abnormalities in their account use. Traffic from geographic regions that the company doesn’t operate in or an unusual amount of traffic coming from one internet service provider (ISP) may warrant further investigation. Often, unusual traffic can be more easily spotted after a baseline is established for what is normal.
  • Be cognizant of unusual browsing of web page directories: An attacker may map the organization’s website directories and subdirectories in search of common structures that can be exploited. For example, an attacker may try to use a directory traversal attack to attempt to gain access to restricted directories. To map directories, the attacker will follow the site’s directory tree starting at the parent directory and then drill down to all subfolders and files. When monitoring network traffic, directory mapping appears unusual when compared to how a typical user would browse a webpage. For example, user activity tends to involve less systemic page accesses with highly varying amounts of time spent on any given page.
  • Limit opportunities for attackers to take advantage of input validation vulnerabilities: Attackers may test input fields and search queries to determine whether there are opportunities to inject malicious code into the website. One example of an input validation vulnerability is an SQL injection attack, where malicious SQL statements are inserted into query fields for execution, potentially resulting in database information exposure or execution of malicious code on the server. Attackers may also try this path to obtain user credential sets from the underlying database.
  • Monitor for abnormal user-agent strings: Attackers can also look for vulnerabilities in the web server by sending code in the user-agent string. The user-agent string is a field in the HTTP header that indicates the platform, operating system and software being used to access the web page. When a web browser requests a page from a web server, it sends the user-agent string. Defenders can whitelist typical user-agent strings and create automatic alerts to highlight any abnormal or rare user-agent strings. Finally, because this is a user-controlled input, hackers can attempt to insert malicious code into the string with the hope it will execute on the receiving system.
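The monitoring ideas in the list above, as an added example that is not part of the IBM X-Force article: a small detector run over web-server access log lines that flags rare or payload-carrying user-agent strings, systematic directory mapping, and traversal or SQL-injection probes in request paths. The log lines are constructed, and the allowlist and thresholds are assumed tuning values that a real deployment would derive from its own baseline.

```python
"""
Added example, not from the IBM X-Force article: the monitoring ideas
above (rare user-agent strings, directory mapping, traversal and
SQL-injection probes) run over web-server access log lines. The log lines
are CONSTRUCTED; the allowlist and thresholds are ASSUMED tuning values
that a real deployment derives from its own traffic baseline.
"""
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')

UA_ALLOWLIST_PREFIXES = ("Mozilla/5.0", "Mozilla/4.0", "curl/")  # assumed baseline
UA_PAYLOAD_RE = re.compile(r"[<>$`{}]")             # real browsers never emit these
TRAVERSAL_RE = re.compile(r"\.\./|%2e%2e%2f", re.I)
SQLI_RE = re.compile(r"('|%27)(\s|%20|\+)*(or|union|--|;)|union\s+select", re.I)

# Directory mapping: many distinct paths inside a short window, mostly 404s,
# looks nothing like a person reading a few pages. Assumed thresholds.
MAP_MIN_DISTINCT, MAP_WINDOW_SEC, MAP_MIN_404_RATIO = 8, 60, 0.5


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def ua_is_abnormal(ua):
    """Allowlist by prefix, then reject UAs carrying script/shell characters."""
    return not ua.startswith(UA_ALLOWLIST_PREFIXES) or bool(UA_PAYLOAD_RE.search(ua))


def analyse(lines):
    """Map source IP -> sorted list of finding names."""
    findings, per_ip = defaultdict(set), defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip = rec["ip"]
        per_ip[ip].append(rec)
        if ua_is_abnormal(rec["ua"]):
            findings[ip].add("abnormal-user-agent")
        if TRAVERSAL_RE.search(rec["path"]):
            findings[ip].add("directory-traversal-probe")
        if SQLI_RE.search(rec["path"]):
            findings[ip].add("sql-injection-probe")
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        span = (recs[-1]["ts"] - recs[0]["ts"]).total_seconds()
        distinct = {r["path"].split("?", 1)[0] for r in recs}
        ratio_404 = sum(r["status"] == 404 for r in recs) / len(recs)
        if (len(distinct) >= MAP_MIN_DISTINCT and span <= MAP_WINDOW_SEC
                and ratio_404 >= MAP_MIN_404_RATIO):
            findings[ip].add("directory-mapping")
    return {ip: sorted(f) for ip, f in findings.items()}


def _line(ip, ts, path, status, ua="Mozilla/5.0 (Windows NT 10.0) Firefox/60.0"):
    """Build one constructed combined-format log line."""
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} 512 "-" "{ua}"'


# Constructed sample log: a normal visitor, two probes, a scripted UA and a
# ten-path directory sweep in nine seconds (nine 404s out of ten).
SAMPLE_LOG = [
    _line("198.51.100.7", "01/Aug/2018:10:00:01 +0000", "/", 200),
    _line("198.51.100.7", "01/Aug/2018:10:03:40 +0000", "/products", 200),
    _line("198.51.100.7", "01/Aug/2018:10:09:12 +0000", "/contact", 200),
    _line("203.0.113.9", "01/Aug/2018:10:10:00 +0000", "/download?f=../../etc/passwd", 403),
    _line("203.0.113.9", "01/Aug/2018:10:10:02 +0000", "/search?q=%27%20or%201=1--", 200),
    _line("203.0.113.10", "01/Aug/2018:10:11:00 +0000", "/", 200, "scanner/1.0 <script>x</script>"),
] + [
    _line("192.0.2.44", f"01/Aug/2018:10:20:{i:02d} +0000", p, s)
    for i, (p, s) in enumerate([
        ("/admin", 404), ("/backup", 404), ("/old", 404), ("/test", 404),
        ("/config", 404), ("/uploads", 200), ("/tmp", 404), ("/db", 404),
        ("/logs", 404), ("/private", 404)])
]

if __name__ == "__main__":
    for ip, tags in analyse(SAMPLE_LOG).items():
        print(ip, ", ".join(tags))
```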

Although monitoring for unusual browsing may not provide conclusive evidence of a pending attack, it’s part of the overall risk picture and can provide an avenue for further research and monitoring.

Remove Excess Privileges

Attackers may search for vulnerable access points into a network using a port scanner or an exploit kit. For defenders, the best practice is to follow the principle of least privilege, meaning that a user or system should only receive the access privileges that correspond with their role. Although cyberdefense strategies most commonly reference this concept when establishing user access controls, it also applies to systems, applications and processes. Removing excess privileges can reduce the attack surface and make it more difficult for the attacker to enter and move around the network.

First, security teams should map the organization’s network and identify ports that are accessible from the internet. These open ports act as doors to confidential data on the network and threat actors can exploit ports left unlocked to gain unauthorized entry. Mapping the network properly (and periodically) can help identify risky ports to close or monitor.

When applying the concept of least privilege to servers, only allow each server to perform the roles for which it’s authorized. Ideally, for example, a domain controller should only allow traffic and protocols required for domain administration and should not directly access the internet.

By contrast, a web server should only interact with the internet in the specific way that was intended by the business and network administrators. In reality, when servers are set up with default settings, more ports are open than are required for that server’s vocation, which can result in unmonitored security gaps.

The Launch Attack Phase: Hardening the Attack Surface

Once the attacker has completed the phases of the IBM X-Force IRIS cyberattack preparation framework, he or she may choose to launch an attack against the target. However, if an attacker failed to complete some of the attack preparation phases, he or she may choose to postpone an attack until more information is garnered or move on to another, more vulnerable target.

Therefore, one of the defender’s goals is to harden the attack surface and deter most attackers from viewing the organization as an easy target.

An attacker could use stolen credentials with remote access to directly infiltrate a network, or the attacker could also choose to exploit a server. Attacks to infiltrate an internal server can take many shapes and can be as diverse as domain name system (DNS) poisoning or the use of a self-propagating worm delivered from an external network.

Closing the Gaps by Patching

Efficient and timely patch management can help reduce the risk of a successful compromise. Although patching is a basic security practice, an alarming number of companies have suffered breaches due to unpatched vulnerabilities.

According to a Ponemon Institute study of 3,000 companies, 48 percent of respondents admitted they had suffered a data breach within the past two years — and of those respondents, 57 percent of the breaches were due to an unpatched vulnerability. A 2016 study by software company Symantec found that over 75 percent of legitimate websites have unpatched vulnerabilities.

Despite this, many organizations struggle to build an efficient recurring process due to operational complexities, outdated systems and business priorities. One reason systems may go unpatched is a concern — whether perceived or legitimate — that it may result in performance tradeoffs or disruption to operations during patch testing and implementation.

To make the right decisions for the business, security teams need to be aware of business trade-offs and weigh them against the risks of continuing to operate with an unpatched system.

One way to encourage patch management is to include security and patch management performance metrics as part of the system administration processes for service, application and system owners. This strategy will incentivize operations teams to include patch management in their operations — whereas most teams are only incentivized to ensure that there is no disruption to operations.

Also, developing clear procedures to test patch implementation can help to assuage concerns that the patch will break critical business processes. Creating and using a virtual environment is one option to test patches before deploying them in the live environment. Alternatively, segmenting the network and patching in batches can limit the potential negative consequences.

The second reason that patch management often fails is that it’s a manual process where teams have difficulty prioritizing and implementing the most important patches. Ensuring that IT teams have an up-to-date inventory of every asset and automated checks for patches can help identify when and what needs to be patched.

Also, building a centralized platform that automates certain processes will create a more organized and efficient patch-management program that can result in fewer security vulnerabilities.

Attackers Come Prepared: Take Defensive Actions to Mitigate the Risk of a Cyberattack

Although there is no way to guarantee that an organization’s network will not be compromised, implementing cost-effective security recommendations can help minimize the attack surface and reduce the risk of an attack occurring.

The next installments in this series will analyze the X-Force cyberattack execution framework, which models the activities an attacker takes after compromising the network. We will provide recommendations to help defenders increase their visibility of attackers lurking in their networks and best practices to decrease the likelihood of attackers being able to accomplish their mission.

You can also learn more by reading the X-Force IRIS cyberattack preparation and execution frameworks whitepaper or listening to the recent SecurityIntelligence podcast episode, “Fight Back with the X-Force IRIS Cyberattack Preparation and Execution Frameworks.”

View the white paper: IBM X-Force IRIS Cyberattack Preparation and Execution Frameworks

The post How a Cyberattack Framework Can Help Reduce Risk at All Levels, Part 2 appeared first on Security Intelligence.

Exploit Kit Creators Target Oft-Forgotten Vulnerabilities

Even as some cybercriminals shift to more sophisticated attack vectors, exploit kit creators are still targeting some of the oldest and most common software vulnerabilities.

Trend Micro’s July 2018 analysis of Rig, Angler, Sundown and other exploit kits suggested that cybercriminals are increasingly changing their approach by distributing cryptocurrency mining software, pushing out botnets and serving up banking Trojans.

At the same time, however, exploit kit creators are eschewing complex attack vectors and focusing on vulnerabilities that should have been patched long ago. This includes a Microsoft Windows VBScript engine remote code execution (CVE-2018-8174), as well as bugs in Internet Explorer (IE).

Software Vulnerabilities: Old Flaws, New Attacks

According to the Trend Micro findings, the most active kit since late 2017 is Rig, which has been upgraded at least four times and has outlasted others that were shut down or disappeared. Cybercriminals could potentially leverage IE and common Microsoft Office documents to take over the processing power of their victims’ machines to mine cryptocurrencies, steal banking credentials and payments or commit other malicious acts. Other active exploit kits include GrandSoft and Magnitude.

A June 2018 report from Palo Alto Networks showed that some exploit kit creators are also targeting Adobe Flash Player. Overall, researchers observed at least eight different application vulnerabilities that accounted for 1,583 malicious URLs across 496 different domains during the first quarter of 2018.

Exploit Kit Creators Ride the Zero-Day Wave

A June 2018 Malwarebytes report, meanwhile, suggested that exploit kit creators are taking advantage of a recent surge in zero-day vulnerabilities and noted that even more are likely to emerge throughout the rest of the year. The researchers already detected a zero-day flaw involving Flash Player’s ActionScript language, which was used in two consecutive exploit kit attacks.

To reduce the risk of exploit kit attacks, especially those leveraging long-ignored vulnerabilities, IBM experts suggest that security leaders should adopt antivirus protection and implement strict patch-management policies to ensure that all software is regularly updated.

Sources: Trend Micro, Palo Alto Networks, Malwarebytes

The post Exploit Kit Creators Target Oft-Forgotten Vulnerabilities appeared first on Security Intelligence.

Securelist – Kaspersky Lab’s cyberthreat research and reports: A study of car sharing apps

The growing popularity of car sharing services has led some experts to predict an end to private car ownership in big cities. The statistics appear to back up this claim: for example, in 2017 Moscow saw the car sharing fleet, the number of active users and the number of trips they made almost double. This is great news, but information security specialists have started raising some pertinent questions: how are the users of these services protected and what potential risks do they face in the event of unauthorized access to their accounts?

Why is car sharing of interest to criminals?

The simple answer would be because they want to drive a nice car at somebody else’s expense. However, doing so more than once is likely to be problematic – once the account’s owner finds out they have been charged for a car they never rented, they’ll most likely contact the service’s support line, the service provider will check the trip details, and may eventually end up reporting the matter to the police. It means anyone trying it a second time will be tracked and caught red-handed. This is obvious and makes this particular scenario the least likely reason for hijacking somebody’s account.

The selling of hijacked accounts appears to be a more viable reason. There is bound to be demand from those who don’t have a driving license or those who were refused registration by the car sharing service’s security team. Indeed, offers of this nature already exist on the market.

Criminals offer hijacked accounts from a wide range of car sharing services…

…and explain why you are better off using somebody else’s account

In addition, someone who knows the details of a user’s car sharing account can track all their trips and steal things that are left behind in the car. And, of course, a car that is fraudulently rented in somebody else’s name can always be driven to some remote place and cannibalized for spare parts.

Application security

So, we know there is potential interest among criminal elements; now let’s see if the developers of car sharing apps have reacted to it. Have they thought about user security and protected their software from unauthorized access? We tested 13 mobile apps and (spoiler alert!) the results were not very encouraging.

We started by checking the apps’ ability to prevent launches on Android devices with root privileges, and assessed how well the apps’ code is obfuscated. This was done for two reasons:

  • the vast majority of Android applications can be decompiled, their code modified (e.g. so that user credentials are sent to a C&C), then re-assembled, signed with a new certificate and uploaded again to an app store;
  • an attacker on a rooted device can infiltrate the process of the necessary application and gain access to authentication data.

Another important security element is the ability to choose a username and password when using a service. Many services use a person’s phone number as their username. This is quite easy for cybercriminals to obtain as users often forget to hide it on social media, while car sharing users can be identified on social media by their hashtags and photos.

An example of how a social media post can give you away

We then looked at how the apps work with certificates and if cybercriminals have any chance of launching successful MITM attacks. We also checked how easy it is to overlay an application’s interface with a fake authorization window.

Reverse engineering and superuser privileges

Of all the applications we analyzed, only one was capable of countering reverse engineering. It was protected with the help of DexGuard, a solution whose developers also promise that protected software will not launch on a device where the owner has gained root privileges or that has been modified (patched).

File names in the installation package indicate the use of DexGuard

However, while that application is well protected against reverse engineering, there’s nothing to stop it from launching on an Android device with superuser privileges. When tested that way, the app launches successfully and goes through the server authorization process. An attacker could obtain the data located in protected storage. However, in this particular app the data was encrypted quite reliably.

Example of user’s encrypted credentials

Password strength

Half the applications we tested do not allow the user to create their own credentials; instead they force the user to use their phone number and a PIN code sent in a text message. On the one hand, this means the user can’t set a weak password like ‘1234’; on the other hand, it presents an opportunity for an attacker to obtain the password (by intercepting it using the SS7 vulnerability, or by getting the phone’s SIM card reissued). We decided to use our own accounts to see how easy it is to find out the ‘password’.

If an attacker finds a person’s phone number on social media and tries to use it to log in to the app, the owner will receive an SMS with a validation code:

As we can see, the validation code is just four digits long, which means it only takes 10,000 attempts to guess it – not such a large number. Ideally, such codes should be at least six digits long and contain upper and lower case characters as well as numbers.

Another car sharing service sends stronger passwords to users; however, there is a drawback to that as well. Its codes are created following a single template: they always have numbers in first and last place and four lower-case Latin characters in the middle:

That means there are 45 million possible combinations to search through; if the positioning of the numbers were not restricted, the number of combinations would rise to two billion. Of course, 45,000,000 is also a large amount, but the app doesn’t have a timeout for entering the next combination, so there are no obstacles to prevent brute forcing.

Now, let’s return to the PIN codes of the first application. The app gives users a minute to enter the PIN; if that isn’t enough time, users have to request a new code. It turned out that the combination lifetime is a little over two minutes. We wrote a small brute force utility, reproduced part of the app/server communication protocol and started the brute force. We have to admit that we were unable to brute force the code, and there are two possible reasons for that. Firstly, our internet line may have been inadequate, or secondly, the car sharing operator set an appropriate two-minute timeout for the PIN code, so it couldn’t be brute forced within two minutes even with an excellent internet connection. We decided not to continue, confirming only that the service remained responsive and an attack could be continued after several attempts at sending 10,000 requests at a time.

While doing so, we deliberately started the brute force in a single thread from a single IP address, thereby giving the service a chance to detect and block the attack, contact the potential victim and, as a last resort, deactivate the account. But none of these things happened. We decided to leave it at that and moved on to testing the next application.

We tried all the above procedures on the second app, with the sole exception that we didn’t register a successful brute force of the password. We decided that if the server allows 1,000 combinations to be checked, it would probably also allow 45 million combinations to be checked, so it is just a matter of time.

The server continues to respond after 1,000 attempts to brute force the password

This is a long process with a predictable result. This application also stores the username and password locally in an encrypted format, but if the attacker knows their format, brute forcing will only take a couple of minutes – most of this time will be spent on generating the password/MD5 hash pair (the password is hashed with MD5 and written in a file on the device).
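The keyspace arithmetic behind the two code formats discussed above (10,000 four-digit PINs, about 45 million for the digit-letters-digit template, about two billion without the positional restriction) together with the server-side control the tested services lacked, as an added example that is not Kaspersky's code: a guard that caps guesses per issued code and codes per account, so that a short, short-lived code cannot be exhausted. The roughly two-minute code lifetime follows the text; the attempt limits are assumed values.

```python
"""
Added example, not Kaspersky's code: the keyspace arithmetic behind the
two code formats discussed above, and the server-side control the tested
services lacked: a cap on guesses per issued code plus a cap on codes per
account, after which the account locks. The lifetime follows the text
(about two minutes); max_attempts and max_codes are ASSUMED values.
"""
import string
from dataclasses import dataclass, field

DIGITS = string.digits
LOWER = string.ascii_lowercase
ALNUM = string.digits + string.ascii_lowercase


def keyspace(template):
    """Number of codes for a template given as one alphabet per position,
    e.g. [DIGITS] * 4 for a four-digit PIN."""
    n = 1
    for alphabet in template:
        n *= len(set(alphabet))
    return n


def seconds_to_exhaust(space, attempts_per_second):
    """Wall-clock time to try every code at a sustained request rate."""
    return space / attempts_per_second


def guess_success_probability(space, max_attempts, max_codes):
    """Upper bound on a guesser's chance once the server caps attempts:
    the whole attempt budget divided by the keyspace."""
    return min(1.0, max_attempts * max_codes / space)


@dataclass
class CodeGuard:
    """Per-account verification state: at most max_attempts guesses per
    issued code and at most max_codes issued codes, then the account locks
    until a human unlocks it. Times are plain seconds for the demo."""
    lifetime_sec: int = 120
    max_attempts: int = 5
    max_codes: int = 3
    issued: dict = field(default_factory=dict)      # account -> [code, ts, attempts]
    code_count: dict = field(default_factory=dict)
    locked: set = field(default_factory=set)

    def issue(self, account, code, now):
        """Record a freshly sent code; refuse once the account is locked."""
        if account in self.locked:
            return False
        self.code_count[account] = self.code_count.get(account, 0) + 1
        if self.code_count[account] > self.max_codes:
            self.locked.add(account)
            self.issued.pop(account, None)
            return False
        self.issued[account] = [code, now, 0]
        return True

    def verify(self, account, guess, now):
        """Return 'ok', 'wrong', 'expired' or 'locked'."""
        if account in self.locked:
            return "locked"
        if account not in self.issued:
            return "expired"
        code, ts, attempts = self.issued[account]
        if now - ts > self.lifetime_sec:
            del self.issued[account]
            return "expired"
        attempts += 1
        self.issued[account][2] = attempts
        if guess == code:
            del self.issued[account]
            return "ok"
        if attempts >= self.max_attempts:
            self.locked.add(account)
            del self.issued[account]
            return "locked"
        return "wrong"


def demo():
    """Constructed scenario: a four-digit PIN guessed sequentially against the
    guard; the account locks long before the 10,000th try, and no new code
    can be issued afterwards."""
    guard = CodeGuard()
    guard.issue("user-1", "4821", now=0)
    outcomes = [guard.verify("user-1", f"{i:04d}", now=i) for i in range(6)]
    return outcomes, guard.issue("user-1", "9999", now=10)


if __name__ == "__main__":
    print("4-digit PIN keyspace:", keyspace([DIGITS] * 4))
    print("digit + 4 letters + digit:", keyspace([DIGITS] + [LOWER] * 4 + [DIGITS]))
    print("6 unrestricted alphanumerics:", keyspace([ALNUM] * 6))
    print("lockout demo:", demo())
```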

MITM attack

It’s worth noting that the applications use HTTPS to communicate data to and from their control centers, so it may take quite a while to figure out the communication protocol. To make our ‘attack’ faster, we resorted to an MITM attack, aided by another global security flaw: none of the tested applications checks the server’s certificate. We were able to obtain the dump of the entire session.


Screenshot of a successful MITM attack. HTTPS traffic dump was obtained

Protection from overlaying

Of course, it’s much faster and more effective (from the attacker’s point of view) if an Android device can be infected, i.e., the authorization SMS can be intercepted, so the attacker can instantly log in on another device. If there’s a complex password, then the attacker can hijack the app’s launch by showing a fake window with entry fields for login details that covers the genuine app’s interface. None of the applications we analyzed could counter this sort of activity. If the operating system version is old enough, privileges can be escalated and, in some cases, the required data can be extracted.

Outcome

The situation is very similar to what we found surrounding Connected Car applications. It appears that app developers don’t fully understand the current threats to mobile platforms – that goes for both the design stage and when creating the infrastructure. A good first step would be to expand the functionality for notifying users of suspicious activities – only one service currently sends notifications to users about attempts to log in to their account from a different device. The majority of the applications we analyzed are poorly designed from a security standpoint and need to be improved. Moreover, many of the programs are not just very similar to each other but are actually based on the same code.

Russian car sharing operators could learn a thing or two from their colleagues in other countries. For example, a major player in the market of short-term car rental only allows clients to access a car with a special card – this may make the service less convenient, but dramatically improves security.

Advice for users

  • Don’t make your phone number publicly available (the same goes for your email address)
  • Use a separate bank card for online payments, including car sharing (a virtual card also works) and don’t put more money on it than you need.
  • If your car sharing service sends you an SMS with a PIN code for your account, contact the security service and disconnect your bank card from that account.
  • Do not use rooted devices.
  • Use a security solution that will protect you from cybercriminals who steal SMSs. This will make life harder not only for free riders but also for those interested in intercepting SMSs from your bank.

Recommendations to car sharing services

  • Use commercially available packers and obfuscators to complicate reverse engineering. Pay special attention to integrity control, so the app can’t be modified.
  • Use mechanisms to detect operations on rooted devices.
  • Allow the user to create their own credentials; ensure all passwords are strong.
  • Notify users about successful logons from other devices.
  • Switch to PUSH notifications: it’s still rare for malware to monitor the Notification bar in Android.
  • Protect your application interface from being overlaid by another app.
  • Add a server certificate check.


Securelist - Kaspersky Lab’s cyberthreat research and reports

A study of car sharing apps

The growing popularity of car sharing services has led some experts to predict an end to private car ownership in big cities. The statistics appear to back up this claim: for example, in 2017 Moscow saw the car sharing fleet, the number of active users and the number of trips they made almost double. This is great news, but information security specialists have started raising some pertinent questions: how are the users of these services protected and what potential risks do they face in the event of unauthorized access to their accounts?

Why is car sharing of interest to criminals?

The simple answer would be because they want to drive a nice car at somebody else’s expense. However, doing so more than once is likely to be problematic – once the account’s owner finds out they have been charged for a car they never rented, they’ll most likely contact the service’s support line, the service provider will check the trip details, and may eventually end up reporting the matter to the police. It means anyone trying it a second time will be tracked and caught red-handed. This is obvious and makes this particular scenario the least likely reason for hijacking somebody’s account.

The selling of hijacked accounts appears to be a more viable reason. There is bound to be demand from those who don’t have a driving license or those who were refused registration by the car sharing service’s security team. Indeed, offers of this nature already exist on the market.

Criminals offer hijacked accounts from a wide range of car sharing services…

…and explain why you are better off using somebody else’s account

In addition, someone who knows the details of a user’s car sharing account can track all their trips and steal things that are left behind in the car. And, of course, a car that is fraudulently rented in somebody else’s name can always be driven to some remote place and cannibalized for spare parts.

Application security

So, we know there is potential interest among criminal elements; now let’s see if the developers of car sharing apps have reacted to it. Have they thought about user security and protected their software from unauthorized access? We tested 13 mobile apps and (spoiler alert!) the results were not very encouraging.

We started by checking the apps’ ability to prevent launches on Android devices with root privileges, and assessed how well the apps’ code is obfuscated. This was done for two reasons:

  • the vast majority of Android applications can be decompiled, their code modified (e.g. so that user credentials are sent to a C&C), then re-assembled, signed with a new certificate and uploaded again to an app store;
  • an attacker on a rooted device can infiltrate the process of the necessary application and gain access to authentication data.

Another important security element is the ability to choose a username and password when using a service. Many services use a person’s phone number as their username. This is quite easy for cybercriminals to obtain as users often forget to hide it on social media, while car sharing users can be identified on social media by their hashtags and photos.

An example of how a social media post can give you away

We then looked at how the apps work with certificates and if cybercriminals have any chance of launching successful MITM attacks. We also checked how easy it is to overlay an application’s interface with a fake authorization window.

Reverse engineering and superuser privileges

Of all the applications we analyzed, only one was capable of countering reverse engineering. It was protected with the help of DexGuard, a solution whose developers also promise that protected software will not launch on a device where the owner has gained root privileges or that has been modified (patched).

File names in the installation package indicate the use of DexGuard

However, while that application is well protected against reverse engineering, there’s nothing to stop it from launching on an Android device with superuser privileges. When tested that way, the app launches successfully and goes through the server authorization process. An attacker could obtain the data located in protected storage. However, in this particular app the data was encrypted quite reliably.

Example of user’s encrypted credentials

Password strength

Half the applications we tested do not allow the user to create their own credentials; instead they force the user to use their phone number and a PIN code sent in a text message. On the one hand, this means the user can’t set a weak password like ‘1234’; on the other hand, it presents an opportunity for an attacker to obtain the password (by intercepting it using the SS7 vulnerability, or by getting the phone’s SIM card reissued). We decided to use our own accounts to see how easy it is to find out the ‘password’.

If an attacker finds a person’s phone number on social media and tries to use it to log in to the app, the owner will receive an SMS with a validation code:

As we can see, the validation code is just four digits long, which means it only takes 10,000 attempts to guess it – not such a large number. Ideally, such codes should be at least six digits long and contain upper and lower case characters as well as numbers.

Another car sharing service sends stronger passwords to users; however, there is a drawback to that as well. Its codes are created following a single template: they always have numbers in first and last place and four lower-case Latin characters in the middle:

That means there are 45 million possible combinations to search through; if the positioning of the numbers were not restricted, the number of combinations would rise to two billion. Of course, 45,000,000 is also a large number, but the app doesn’t impose a timeout before the next combination can be entered, so there is nothing to prevent brute forcing.

Now, let’s return to the PIN codes of the first application. The app gives users a minute to enter the PIN; if that isn’t enough time, users have to request a new code. It turned out that the combination lifetime is a little over two minutes. We wrote a small brute force utility, reproduced part of the app/server communication protocol and started the brute force. We have to admit that we were unable to brute force the code, and there are two possible reasons for that. Firstly, our internet line may have been inadequate, or secondly, the car sharing operator set an appropriate two-minute timeout for the PIN code, so it couldn’t be brute forced within two minutes even with an excellent internet connection. We decided not to continue, confirming only that the service remained responsive and an attack could be continued after several attempts at sending 10,000 requests at a time.

While doing so, we deliberately started the brute force in a single thread from a single IP address, thereby giving the service a chance to detect and block the attack, contact the potential victim and, as a last resort, deactivate the account. But none of these things happened. We decided to leave it at that and moved on to testing the next application.

We tried all the above procedures on the second app, with the sole exception that we didn’t register a successful brute force of the password. We decided that if the server allows 1,000 combinations to be checked, it would probably also allow 45 million combinations to be checked, so it is just a matter of time.

The server continues to respond after 1,000 attempts to brute force the password

This is a long process with a predictable result. This application also stores the username and password locally in an encrypted format, but if the attacker knows their format, brute forcing will only take a couple of minutes – most of this time will be spent on generating the password/MD5 hash pair (the password is hashed with MD5 and written in a file on the device).

MITM attack

It’s worth noting that the applications use HTTPS to communicate data to and from their control centers, so it may take quite a while to figure out the communication protocol. To make our ‘attack’ faster, we resorted to an MITM attack, aided by another global security flaw: none of the tested applications checks the server’s certificate. We were able to obtain the dump of the entire session.


Screenshot of a successful MITM attack. HTTPS traffic dump was obtained

Protection from overlaying

Of course, it’s much faster and more effective (from the attacker’s point of view) if an Android device can be infected, i.e., the authorization SMS can be intercepted, so the attacker can instantly log in on another device. If there’s a complex password, then the attacker can hijack the app’s launch by showing a fake window with entry fields for login details that covers the genuine app’s interface. None of the applications we analyzed could counter this sort of activity. If the operating system version is old enough, privileges can be escalated and, in some cases, the required data can be extracted.

Outcome

The situation is very similar to what we found surrounding Connected Car applications. It appears that app developers don’t fully understand the current threats to mobile platforms – that goes for both the design stage and when creating the infrastructure. A good first step would be to expand the functionality for notifying users of suspicious activities – only one service currently sends notifications to users about attempts to log in to their account from a different device. The majority of the applications we analyzed are poorly designed from a security standpoint and need to be improved. Moreover, many of the programs are not just very similar to each other but are actually based on the same code.

Russian car sharing operators could learn a thing or two from their colleagues in other countries. For example, a major player in the market of short-term car rental only allows clients to access a car with a special card – this may make the service less convenient, but dramatically improves security.

Advice for users

  • Don’t make your phone number publicly available (the same goes for your email address).
  • Use a separate bank card for online payments, including car sharing (a virtual card also works) and don’t put more money on it than you need.
  • If your car sharing service sends you an SMS with a PIN code for your account, contact the security service and disconnect your bank card from that account.
  • Do not use rooted devices.
  • Use a security solution that will protect you from cybercriminals who steal SMSs. This will make life harder not only for free riders but also for those interested in intercepting SMSs from your bank.

Recommendations to car sharing services

  • Use commercially available packers and obfuscators to complicate reverse engineering. Pay special attention to integrity control, so the app can’t be modified.
  • Use mechanisms to detect operations on rooted devices.
  • Allow the user to create their own credentials; ensure all passwords are strong.
  • Notify users about successful logons from other devices.
  • Switch to PUSH notifications: it’s still rare for malware to monitor the Notification bar in Android.
  • Protect your application interface from being overlaid by another app.
  • Add a server certificate check.
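The password strength section above shows what happens when a code can be tried without limit, and the recommendations list the controls that were missing. The following is an added example, not code from the article or from any of the services it tested: a server-side one-time-code store in Python that enforces a short code lifetime, a per-code attempt budget, an account lockout once the budget is spent, and records the events (suspected brute force, logon from a previously unseen device) that an operator would alert on or notify the user about. The template notation ('d', 'l', 'x') and the `PinVerifier` class are assumptions made for this example; `keyspace()` reproduces the article’s own figures (10,000 for a four-digit PIN, about 45 million for a digit, four lower-case letters and a digit, about two billion if those six characters may appear in any order).

```python
import hashlib
import hmac
import secrets
import string
import time

# Code templates: 'd' = decimal digit, 'l' = lower-case Latin letter,
# 'x' = digit or lower-case letter in any position. (Constructed notation
# for this example; the article only describes the formats in prose.)
CLASSES = {
    "d": string.digits,
    "l": string.ascii_lowercase,
    "x": string.digits + string.ascii_lowercase,
}


def keyspace(template):
    """Number of distinct codes a template can produce, e.g. 'dddd' -> 10000."""
    size = 1
    for cls in template:
        size *= len(CLASSES[cls])
    return size


def generate_code(template):
    """Draw a code from the template with a CSPRNG (never random.choice)."""
    return "".join(secrets.choice(CLASSES[cls]) for cls in template)


class PinVerifier:
    """Server-side store for one-time codes with the controls the tested
    services lacked: short lifetime, per-code attempt budget, account lockout,
    and security events the operator can act on (hypothetical class)."""

    def __init__(self, template="dddddd", ttl_s=120, max_attempts=5,
                 lockout_s=900, clock=time.time):
        self.template = template
        self.ttl_s = ttl_s
        self.max_attempts = max_attempts
        self.lockout_s = lockout_s
        self.clock = clock            # injectable so tests can control time
        self._codes = {}              # account -> [code_hash, expires_at, attempts_left]
        self._locked_until = {}       # account -> timestamp
        self._known_devices = {}      # account -> set of device ids
        self.events = []              # (kind, account, detail) for alerting/notifying

    def issue(self, account):
        """Create a fresh code (delivered by push or SMS). Only a hash is kept;
        with a tiny keyspace the lifetime and attempt budget are the real controls."""
        if self._is_locked(account):
            return None
        code = generate_code(self.template)
        self._codes[account] = [self._hash(code), self.clock() + self.ttl_s,
                                self.max_attempts]
        return code

    def verify(self, account, candidate, device_id):
        """Return 'ok', 'wrong', 'expired', 'no_code' or 'locked'."""
        now = self.clock()
        if self._is_locked(account):
            return "locked"
        entry = self._codes.get(account)
        if entry is None:
            return "no_code"
        code_hash, expires_at, attempts_left = entry
        if now > expires_at:
            del self._codes[account]
            return "expired"
        if hmac.compare_digest(code_hash, self._hash(candidate)):
            del self._codes[account]          # a code is single-use
            known = self._known_devices.setdefault(account, set())
            if device_id not in known:        # notify on logon from a new device
                known.add(device_id)
                self.events.append(("new_device_logon", account, device_id))
            return "ok"
        entry[2] = attempts_left - 1
        if entry[2] <= 0:                     # budget spent: invalidate and lock
            del self._codes[account]
            self._locked_until[account] = now + self.lockout_s
            self.events.append(("bruteforce_suspected", account, device_id))
            return "locked"
        return "wrong"

    def _is_locked(self, account):
        until = self._locked_until.get(account)
        if until is None:
            return False
        if self.clock() >= until:
            del self._locked_until[account]
            return False
        return True

    @staticmethod
    def _hash(code):
        return hashlib.sha256(code.encode()).hexdigest()


if __name__ == "__main__":
    for tpl in ("dddd", "dlllld", "xxxxxx"):
        print(tpl, "->", keyspace(tpl), "possible codes")
    v = PinVerifier(template="dddd", max_attempts=3)
    code = v.issue("user@example.com")      # constructed account name
    for guess in ("0000", "0001", "0002"):
        print(guess, "->", v.verify("user@example.com", guess, "phone-A"))
    print("events:", v.events)
```

With a budget of a handful of attempts per code and a lockout afterwards, the 10,000-guess search the article describes stops at the first few attempts regardless of how fast the attacker’s connection is; the recorded events are what the notification step in the recommendations would be built on.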

Spectre Rises Yet Again With a Vulnerability In Tow


Spectre, a class of vulnerabilities in the speculative execution mechanism used in modern processors, is living up to its name by proving impossible to kill.

Despite a series of mitigations proposed by Intel, Google and others, ongoing claims by Dartmouth computer scientists to have solved Spectre variant 1, and a proposed chip design fix called SafeSpec, new variants and sub-variants keep appearing.

The findings also revive doubts about whether current and past chip designs can ever be fully fixed. Just two weeks ago, new data-stealing exploits named Spectre 1.1 and 1.2 were made public by researchers Vladimir Kiriansky and Carl Waldspurger.

Now there is another, called SpectreRSB, that exploits the return stack buffer (RSB), a structure in modern CPUs used to predict return addresses, rather than the branch predictor unit.

In a paper titled Spectre Returns! Speculation Attacks using the Return Stack Buffer, distributed through the pre-print server arXiv, researchers Esmaeil Mohammadian Koruyeh, Khaled Khasawneh, Chengyu Song and Nael Abu-Ghazaleh describe a new class of Spectre attack that achieves the same result as Spectre variant 1: it allows malicious software to read passwords, keys and other sensitive data from memory it should not be permitted to touch.

These researchers, coincidentally, are among the people who developed the SafeSpec mitigation in the first place.

The latest data-theft technique involves forcing the processor to misspeculate using the RSB. Using a call instruction on x86, SpectreRSB lets an attacker push a value onto the RSB so that the return address for the call instruction no longer matches the contents of the RSB.

The paper, dated July 20, lays out the steps involved in the SpectreRSB attack, which itself has six variants:

"(1) after a context switch to the attacker, s/he flushes shared address entries (for flush reload). The attacker also pollutes the RSB with the target address of a payload gadget in the victim’s address space; (2) the attacker yields the CPU to the victim; (3) The victim eventually executes a return, causing speculative execution at the address on the RSB that was injected by the attacker. Steps 4 and 5 switch back to the attacker to measure the leakage."

Oracle WebLogic Servers Attacked Following Publication Of PoC Code

Hackers have attacked the Oracle WebLogic servers and attempted to take control of those vulnerable who have not received the

Oracle WebLogic Servers Attacked Following Publication Of PoC Code on Latest Hacking News.

The State of Security: Stop Working in Silos: Integrating with APIs

It’s easy to be overwhelmed by the quantity of three-letter acronyms when you’re working with software and technology, but there are three letters that are becoming increasingly important in the world of software: API. “Application Programming Interface” sounds like it’s going to be an ominously complicated topic, but it’s a term you should watch out […]… Read More

The post Stop Working in Silos: Integrating with APIs appeared first on The State of Security.




SecurityWeek RSS Feed: Bluetooth Vulnerability Allows Traffic Monitoring, Manipulation

A high severity vulnerability affecting some Bluetooth implementations can allow an attacker in physical proximity of two targeted devices to monitor and manipulate the traffic they exchange. Some of the impacted vendors have already released patches.





Carmakers Suffered Data Breach: Trade Secrets Of Tesla And Toyota Leaked Online

Recently, a researcher disclosed how he found the data from several top automakers exposed online. After ensuring his discovery was

Carmakers Suffered Data Breach: Trade Secrets Of Tesla And Toyota Leaked Online on Latest Hacking News.

Make Money as a Hacker – Highest Paying Bug Bounty Programs

Bug bounty programs are usually organized by software companies or websites, where developers get rewarded for finding bugs; in the

Make Money as a Hacker – Highest Paying Bug Bounty Programs on Latest Hacking News.

Pen testing: why do you need it, and five steps to doing it right

Penetration testing can contribute a lot to an organisation’s security by helping to identify potential weaknesses. But for it to be truly valuable, it needs to happen in the context of the business.

I asked Brian Honan, CEO of BH Consulting, to explain the value of pen testing and when it’s needed. “A pen test is a technical assessment of the vulnerabilities of a server, but it needs the business to tell you which server is most important. Pen testing without context, without proper scoping and without regular re-testing has little value,” he said.

Steps to do pen testing right

Some organisations feel they need to conduct a pen test because they have to comply with regulations like PCI, or to satisfy auditors, or because the board has asked for it. They’re often the worst places to start. To do it right, a business should:

  • Dedicate appropriate budget and time to the test
  • Carry out a proper scoping exercise first
  • Set proper engagement parameters
  • Run it regularly – preferably quarterly and more than just once a year
  • Use pen testing to check new systems before they go into production.

Absent those key elements, the test will not fail as such, but the approach from the start is just to tick a box. That’s why a one-off test will tell you little about how secure a system is. “A pen test is only a point-in-time assessment of a particular system, and there are ways to game the test. We have done pen tests where a client told us ‘these systems are out of scope’ – but they would be in scope for a criminal,” said Brian.

Prioritising business risks

The reason for running a pen test before systems go into production is that criminals may target them once they are live. It’s especially important if the new system will be critical to the business. “The value of doing a good pen test within context of the business, is that it will identify vulnerabilities and issues that the organisation can prioritise based on the business impact,” said Brian.

Pen testing, though valuable, is only one element of good security. “Unfortunately, many people think that if they run a pen test against their website, and it finds nothing, therefore their security is OK,” Brian said. “Just because you have car insurance doesn’t mean you won’t have an accident. There are many other factors that come into play: road conditions, other drivers on the road, confidence and experience of the driver.”

Brian warned against the risk of using pen testing as a replacement for a comprehensive security programme. If organisations have limited budget, spending it on a pen test arguably won’t make them any more secure. “Just doing it once a year to keep an auditor happy is not the best approach. It’s not a replacement for a good security programme,” he said.

The post Pen testing: why do you need it, and five steps to doing it right appeared first on BH Consulting.

Why the Best Defense Is a Good Offensive Security Strategy

When many people think about offensive security, they picture a mysterious figure wearing a hoodie, sitting behind a black-and-green terminal, diligently typing away as he probes enterprise networks. But the cybersecurity world has evolved well beyond this Hollywood hacker stereotype.

In the real world, offensive security operations — such as red-team simulations, penetration testing and vulnerability assessments — are undertaken by reliable, professional and knowledgeable teams of ethical hackers.

Let’s zoom in on the differences between these services and explore how they can help your organization stay one step ahead of malicious actors. How can an excellent offensive security strategy help protect your organization against those looking to slip through the cracks of your network defenses and swipe your most sensitive data?

Step Up Your Incident Response Game With Red-Team Exercises

A red team is a group of ethical hackers that organizations can hire to simulate a cyberattack, such as an advanced persistent threat (APT), a state-sponsored attack or a large-scale malware campaign. These teams can help responders strengthen their skills, which will help them in the event of a real breach. These simulated attacks enable security leaders to stress-test their incident response strategy, identify gaps and adjust accordingly.

When considering investing in red-team services, it’s essential to understand the goal you hope to achieve. If you need an in-depth analysis of the vulnerabilities in your environment, for example, a cyberattack simulation may not be the most effective solution. A red team’s primary objective is to challenge your defenses and help your responders develop the skills and poise to react when the heat is on and the stakes are high.

Penetration Testing Promotes Proactive Security

The goal of penetration testing is to assess the security of a limited set of assets during a specific period, under certain conditions. By proactively trying to breach their own network defenses, security teams can identify and remediate flaws in their infrastructure before threat actors have a chance to expose them.

This exercise is a great way to discover ad-hoc vulnerabilities and maintain compliance with security policies and data-privacy regulations. But it doesn’t deliver contextualized information about the organization’s overall security posture. Also, its limitation in scope and time distorts the results concerning the infrastructure at large.

Vulnerability Assessment: The Foundation of Offensive Security

While not technically an offensive security strategy, a vulnerability assessment is usually a foundational element to any red-team exercise or penetration test. A typical assessment identifies flaws and categorizes them by severity based on the criticality of the asset and other factors. It then provides advanced analysis to help security leaders decide, for example, whether to apply additional controls to reduce the risk of a threat actor exploiting the vulnerability or create a new exception based on a business need.

Stay One Step Ahead of the Bad Guys

In today’s ever-evolving threat environment, offensive security is absolutely critical for helping organizations sniff out cracks in their defenses before the bad guys do. Whichever strategy best suits your particular business needs, it must be deployed proactively and regularly reviewed for continuous improvement.

By engaging in these activities, security teams can strengthen their cyberthreat monitoring, detection and response capabilities and generate more contextualized metrics to present to stakeholders. It may not be fit for the silver screen, but these activities play a major role in the battle our cyber heroes fight every day to make the real world a safer place.


The post Why the Best Defense Is a Good Offensive Security Strategy appeared first on Security Intelligence.

CarePartners Data Breach Update: Hackers Hold The Data To Ransom

Last month, CarePartners announced it faced a data breach. However at the time it did not explain any details about

CarePartners Data Breach Update: Hackers Hold The Data To Ransom on Latest Hacking News.

US Voting Machines Vendor Admits Installing Remote Access Software

The USA’s top voting machine manufacturer has admitted that their company has installed a remote access software in their election

US Voting Machines Vendor Admits Installing Remote Access Software on Latest Hacking News.

Smaller Nation State Attacks: A Growing Cyber Menace

While there certainly remains a global hierarchy when it comes to cyber capabilities, smaller state and non-state actors are increasingly exploiting the asymmetric nature of cyberspace to achieve a broad range of objectives.

5 ways to find and fix open source vulnerabilities

Guest post by Limor Wainstein

A recent discovery of surreptitious execution of cryptomining code by a sandboxed app, riding piggyback on the open source software (OSS) ecosystem, raises pertinent questions about the security of open source code and its dependencies. Programmers often use OSS as a jump-off for creating their software—and that includes malware authors.

The rogue app, which was found to be mining cryptocurrency on users’ machines on May 11, was delivered through the Snap Store, the new cross-distribution, sandboxed application ecosystem initiated and promoted by Canonical, the developers of Ubuntu. In follow-ups to that incident, Canonical said:

It’s impossible for a large-scale repository to only accept software after every individual file has been reviewed in detail. That’s true whether source code is available or not, as no institution can afford to review hundreds of thousands of incoming source code lines every single day.

As noted by Canonical, reviewing and analyzing open-source dependencies isn’t an easy task. But it’s an important one for programmers who want to make sure their software isn’t infiltrated by bad actors, whether that’s to mine cryptocurrency or to conduct even more nefarious business.

Why do you need to secure your open source libraries?

Developers rely heavily on open source software, and organizations are inclined to use free popular libraries. However, according to Barkly’s 2016 Cybersecurity Confidence Report, only 22 percent of organizations have a framework to regularly identify and analyze the various components built into their applications. As the use of open source code grows, the risk exposure expands as well.

New vulnerabilities are constantly being unearthed in different open source code and, worryingly, a number of projects have little or no mechanisms in place to identify and fix those problems. According to a recent Snyk survey of open source maintainers, 44 percent have never undergone a security audit of any kind, while only 17 percent can claim to have a high level of security know-how.

In addition, there is no standard operating procedure for documenting security on open source projects. Among the top 400,000 publicly available repositories on GitHub, only 2.4 percent have a form of security documentation in place.

Since an open source dependency might be heavily deployed in a number of web applications, a bug or vulnerability will open up all of those projects to security risks. To improve the security of your open-source components, we recommend the following five best practices for reviewing dependencies, finding vulnerabilities, and patching those vulnerable open-source components once found.

1. Set strict security rules and standards before using a dependency

A good way to improve the security of your open source components is to build and enforce policies that require the developers using them to prove that they do not have any known vulnerabilities.

A lot of developers are still largely unaware of the risks posed by different open source components. It is of utmost importance to help them understand that vulnerabilities brought into the application from open source components put the whole app at risk, if not the organization as a whole.

By creating and enforcing policies that either require the security team to approve of open source components, or require developers to prove the security of the tool, you automatically improve the security of your application—just by making developers aware of such risks.

2. Keep track of security updates for dependencies

Another crucial aspect to the security of open source components is to have an updated inventory of your organization’s open source libraries, both in development as well as in production. There are a fairly large number of organizations that do not have updated information on which open source components are currently under use in their applications. This poses a major security threat.

A lot of the popular proprietary applications contain indirect open source components that might not be in active development. Most of these open-source components remain unpatched and become insecure over time. This is usually because the developers spend their resources on securing and improving the in-house components. However, ignoring the security updates for your OSS components can open up loopholes that will go unnoticed.

A good place to begin rectifying this is by surveying the organization’s development teams on what open source components they use and when these were last updated. This provides a window into how up to date the development team is on open source component security, as well as a list of the projects in use.

If your organization has the required infrastructure, you can also create a central repository of open source components where security updates and licenses can be managed. Similar to any other security process, managing an open source component is not a one-time effort. It is a continuous process for as long as the app is in deployment. Review, rinse, and repeat.

By ensuring that your policies on open source libraries are being followed, and by monitoring how these are being used, as well as managing your inventory, your overall application security program should be in good stead.

3. Test your components and dependencies

Probably the surest method of improving and ensuring the security of your open source code, and in the process your overall application, is to test the security of open source components being used within your organization once they’ve been identified.

Analysis of open source code is as important as analysis of proprietary code. This is not only because the code could contain unknown security vulnerabilities, but also because its dependencies and functions may differ between use cases. A component may therefore be secure in one application but insecure when used in a different one. In cases like this, only testing and code review can identify the issues.

4. Build in-house tools instead of unsupported (expired) libraries

For expired libraries, or libraries that no longer have active developer maintenance systems, it is better to build your own in-house tools that you can use to actively check for and fix vulnerabilities. Though the initial cost and time spent might deter some organizations and development teams, in the long run, the functionality of an in-house tool can be an asset to developers.

You can also consider giving your in-house effort back to the community, making the open-source ecosystem stronger. This will encourage more developers to submit patches and revisions and therefore improve the overall security of the library. Apart from that, you will earn the respect of open source developers, which will help you grow as an individual and a business. For instance, over the last couple years, Microsoft has released tons of libraries under an open-source license that have helped them earn the trust of OSS developers and users.

5. Use security tools to check for security vulnerabilities

A number of different open source and commercial tools have been developed over the years to tackle the problem of identifying security vulnerabilities in open source components. Each tool or service tackles the problem a little differently.

Node Security Project (NSP)

The NSP is known largely for its work on Node.js modules and NPM dependencies. The latest version of npm integrates NSP to implement the npm audit script. It checks for any known vulnerabilities in your node modules and related dependencies, and offers support for patching those vulnerabilities.

RetireJS

RetireJS is an open source dependency checker specific to JavaScript. Its unique selling proposition (USP) is its ease of use. RetireJS contains multiple components, including a command line scanner, as well as plugins for Chrome, Firefox, Grunt, Gulp, ZAP, and Burp.

OSSIndex

OSSIndex is a tool that supports several different technologies. It effectively covers the JavaScript, .NET/C#, and Java ecosystems. It also provides a free vulnerability API.

Dependency-check

Dependency-check supports Java, .NET, and JavaScript, as well as Ruby. It pulls its vulnerability information from the NIST NVD.

Commercial tools

Apart from the free tools, there are a few commercial tools that you can use to help find vulnerabilities in your open-source code. The popular ones include:

  • Hakiri: a commercial tool that provides dependency checks for Ruby and Rails-based GitHub projects via static code analysis
  • Snyk: a commercial service focusing on JavaScript npm dependencies
  • WhiteSource: currently supports Ruby, NPM, PHP, Python, and Bower
  • SRC:CLR: Source Clear comes with a load of plugins to several IDEs, deployment systems, and source repositories, as well as a command-line interface
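Steps 2 and 5 above amount to one procedure: keep an inventory of every component in use, including transitive ones, and cross-check it against known advisories and against how long ago each library was last maintained. The following is an added example of that procedure, not code from the post or from NSP, RetireJS, OSSIndex, Dependency-check or any other tool named above. The lockfile, advisory feed and release dates are constructed sample data; a real tool such as npm audit pulls advisories from a live database, but the matching logic is the same.

```python
"""Dependency inventory cross-checked against an advisory list (added example)."""
import json
from datetime import date

# Constructed lockfile in the shape of npm's package-lock.json (subset), not a real project.
LOCKFILE_JSON = """
{
  "name": "sample-app",
  "dependencies": {
    "left-util":     {"version": "1.2.3",
                      "dependencies": {"deep-parse": {"version": "0.9.1"}}},
    "web-router":    {"version": "4.0.0"},
    "legacy-crypto": {"version": "2.1.0"}
  }
}
"""

# Constructed advisory feed. The affected range is [introduced, fixed);
# fixed == None means no patched release exists (the "expired library" case of step 4).
ADVISORIES = [
    {"id": "ADV-0001", "package": "deep-parse",    "introduced": "0.0.0", "fixed": "1.0.0", "severity": "high"},
    {"id": "ADV-0002", "package": "web-router",    "introduced": "4.0.0", "fixed": "4.0.2", "severity": "medium"},
    {"id": "ADV-0003", "package": "legacy-crypto", "introduced": "0.0.0", "fixed": None,    "severity": "critical"},
]

# Constructed date of each package's most recent release.
LAST_RELEASE = {
    "left-util": date(2018, 5, 1),
    "deep-parse": date(2015, 2, 10),
    "web-router": date(2018, 6, 20),
    "legacy-crypto": date(2014, 11, 3),
}

AS_OF = date(2018, 8, 15)  # constructed "today" for the sample run


def parse_version(v):
    """'1.2.3' -> (1, 2, 3) so versions compare numerically rather than as strings."""
    return tuple(int(part) for part in v.split("."))


def walk(deps, path=()):
    """Yield (name, version, path) for every direct and transitive dependency."""
    for name, info in deps.items():
        here = path + (name,)
        yield name, info["version"], here
        yield from walk(info.get("dependencies", {}), here)


def inventory(lock_json):
    """The up-to-date component inventory that step 2 asks for, built from the lockfile."""
    return list(walk(json.loads(lock_json)["dependencies"]))


def is_affected(version, adv):
    """True if version lies inside the advisory's [introduced, fixed) range."""
    v = parse_version(version)
    if v < parse_version(adv["introduced"]):
        return False
    return adv["fixed"] is None or v < parse_version(adv["fixed"])


def audit(lock_json, advisories, last_release, today, stale_days=2 * 365):
    """Return findings: known-vulnerable versions and libraries with no recent release."""
    findings = []
    for name, version, path in inventory(lock_json):
        for adv in advisories:
            if adv["package"] == name and is_affected(version, adv):
                findings.append({"kind": "vulnerable", "package": name, "version": version,
                                 "path": path, "id": adv["id"], "severity": adv["severity"],
                                 "fixed": adv["fixed"]})
        last = last_release.get(name)
        if last is not None and (today - last).days > stale_days:
            findings.append({"kind": "stale", "package": name, "version": version,
                             "path": path, "last_release": last.isoformat()})
    return findings


def run_sample():
    """Audit the constructed lockfile against the constructed advisory feed."""
    return audit(LOCKFILE_JSON, ADVISORIES, LAST_RELEASE, AS_OF)


if __name__ == "__main__":
    for f in run_sample():
        where = " > ".join(f["path"])  # shows the transitive path, e.g. left-util > deep-parse
        if f["kind"] == "vulnerable":
            fix = f"upgrade to {f['fixed']}" if f["fixed"] else "no fixed release; replace or fork"
            print(f"[{f['severity']}] {f['id']}: {where}@{f['version']} ({fix})")
        else:
            print(f"[stale] {where}@{f['version']} last released {f['last_release']}")
```

The transitive path in each finding is the point of walking the whole tree: the vulnerable deep-parse here is never named in the application's own manifest, which is exactly the "indirect open source component" case described in step 2. A finding with no fixed release is the signal to treat the library as unsupported and apply step 4.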

Open-source components are generally safe when there are a large number of people reviewing the code. However, making the source code available or having many users look at the source code doesn’t guarantee that all the security issues have been found and fixed. That’s why it’s important to integrate industry standard security policies into your application.

In this post, we’ve covered some of the best possible ways to secure your open source components against vulnerabilities and other security exploits. So, what are your thoughts on securing open source components? Share them in the comments below.

Limor Wainstein is a technical writer and editor at Agile SEO, a boutique digital marketing agency focused on technology and SaaS markets. She has over 10 years’ experience writing technical articles and documentation for various audiences, including technical on-site content, software documentation, and dev guides. 

The post 5 ways to find and fix open source vulnerabilities appeared first on Malwarebytes Labs.

Telefonica Data Breach Exposed Millions Of Consumer Records Online

While some hackers have their work cut out for them looking for their possible victims, some companies provide them with

Telefonica Data Breach Exposed Millions Of Consumer Records Online on Latest Hacking News.

Apple Released Bug Fixes In iOS 11.4.1 Along With A New iOS Security Vulnerability

Apple has tried to make every possible feature to restrict unwanted access to their iPhones. The USB restricted mode is

Apple Released Bug Fixes In iOS 11.4.1 Along With A New iOS Security Vulnerability on Latest Hacking News.

Military documents about MQ-9 Reaper drone leaked on dark web

Hackers have put up for sale on the dark web sensitive military documents, some associated with the U.S. military’s MQ-9 Reaper drone aircraft, one of its most lethal and technologically advanced drones, security research firm Recorded Future recently discovered. The firm’s Insikt Group on June 1 observed a bad actor trying to sell...

Why It’s Time to Cross Out the Checklist Approach to Vendor Security

It’s such a great feeling to check a box on your vendor security checklist. You establish a relationship with a third party — check! You meet another regulatory requirement — check! Once you’ve marked down every item and an audit turns up a clean report, the sales deal is done.

All parties involved can then go merrily on their way… until a malicious actor uncovers a security flaw that was overlooked amid all the handshakes and paperwork that went into the deal.

This security approach is especially prevalent in vendor management: One side says all is well — and the other takes this claim at face value without vetting it. This approach is not good for security, and it’s certainly not good for business.

Navigate Common Vendor Security Roadblocks

The most common (and dangerous) approach to vendor security happens when a company asks a third party for a copy of its latest vulnerability assessment or security operations center (SOC) audit report. Many people go through the motions to obtain these reports and check the box without considering how both documented and undocumented issues truly impact security.

In some cases, people are willing to look the other way or make dangerous assumptions — they’ve got to keep the business going, after all. Then, there’s the reality beyond the report. Clean reports, especially around SOC audits, are common. If there are any findings, it’s often an administrative issue related to user account management or data backups, but nothing of real substance that’s going to facilitate an incident or breach.

It’s also common for vendors to provide more in-depth vulnerability and penetration testing reports that are clean (or, at least, have minimal areas of concern). These reports are often based on network vulnerability scans that do not look at the entire IT environment — not an in-depth web application analysis.

When presented with these reports, it’s easy to overlook things like missing patches on workstations, SQL injections on web applications and misconfigured guest wireless networks. Instead of acknowledging these patch-management and security-awareness gaps, many business leaders just move on to the next big thing and sweep security under the rug.

When Talking Security, Don’t Beat Around the Bush

When it comes to security, there’s often a lack of ongoing involvement and oversight. It’s obviously important to keep the business running, but too many decision-makers assume security controls are sufficient to counter cyberattacks simply because someone else told them so.

It’s good to maintain a positive relationship with your vendors, but not at the expense of long-term cybersecurity.

It’s similar to a doctor giving a patient a clean bill of health even though he or she is masking symptoms with medication. Although the bloodwork may look good, the patient is bound to have long-term health problems unless he or she makes better lifestyle choices. Many security programs follow the same path — especially when it comes to vendor management — and it’s a recipe for an unsustainable outlay of data breaches.

Part of the challenge is that people are sometimes afraid to ask questions. They want to appear professional and nice, and this often causes them to gloss over uncomfortable subjects — namely, security. It’s good to maintain a positive relationship with your vendors, but not at the expense of long-term cybersecurity. This seems simple on the surface, but when organizational politics and high-value business deals are involved, everything gets more complicated.

Adopt a Trust-But-Verify Approach to Vendor Management

Vendor management is a hot topic today — and one that many enterprises struggle with. It doesn’t have to be terribly complicated, but it does have to be near the top of your information security program priorities. While it’s important to do right by your vendors, it’s more crucial to do what’s best for your business. That means looking beyond the paperwork, basic vulnerability checks and blind faith that the company is secure simply because someone else said so.

The best way to handle vendor security is through the old-school approach of trust but verify. Talk is cheap — and people are expedient, especially when big business deals are on the line. Try to step back and see through all the talk to truly understand what your vendors are doing.

When the going gets rough and the lawyers get involved, that’s the only defensible strategy.

Listen to the complete podcast series: Take Back Control of Your Cybersecurity now

The post Why It’s Time to Cross Out the Checklist Approach to Vendor Security appeared first on Security Intelligence.

Is banning USB drives the key to better security behaviour?

Convenience often beats security where users are concerned. Take USB keys, for example. They’re a very handy way to transfer files between computers, but they’re also a huge security risk. IBM recently attempted taking the drastic step of banning all removable portable storage devices (eg: USB, SD card, flash drive) completely. Should others follow suit?

To explore this issue deeper, I spoke to Neha Thethi, senior cybersecurity analyst at BH Consulting. She said for an attacker who has physical access to the victim’s machine, USB sticks are an effective way to install malicious software on a device or a network. Human nature being what it is, unsuspecting users will often plug unknown drives into their computers. From there, attackers have multiple ways to compromise a victim’s machine.

In fact, a classic tactic for security experts to test an organisation’s security awareness levels is to drop infected USB drives in a public area as part of a ‘red team’ exercise. If a percentage of employees picks up a key and plugs it into their machine, it’s a useful indicator of gaps in that organisation’s security.

Alternatives for file sharing

In Neha’s experience, given the current file sharing technologies available, many employees don’t need to use USBs for general tasks anyway. “We have found that restricting USB keys can definitely work. Most users in an organisation don’t really need access to those ports,” she said. Even where colleagues might need to share documents, it’s easier and safer to use a cloud service approved by their organisation.

But before banning USBs (or other removable media) outright, Neha recommends taking these five steps:

  • Discover what data you have
  • Know where you are storing the data
  • Classify the data according to its importance
  • Carry out a risk assessment for the most important data
  • Protect the data based on the level of risk – including encryption if necessary.

A company can take some of the steps by itself, but it’s best to use the experience of a security specialist within the company or a third party to carry out the security risk assessment. “The assessment should be conducted with the help of an expert team based on the type of industry and service you provide. Otherwise, you end up with an inaccurate picture of the security risks the organisation faces,” she said.

Prepare for pushback

If a USB ban is identified as a risk treatment measure, be prepared for pushback from some employees. Some of that will stem from company culture. Is the organisation reliant on rules, or do staff expect a degree of freedom? “Not everyone will give a round of applause for more security, because it is a hindrance and an extra step,” Neha warned. “Expect and anticipate pushback and therefore put in place incentives for blocking USBs. If people aren’t happy and are not on board with the change, it leads to them bending the rules.”

In some cases, there may be genuine exceptions to a no-USB rule. IBM itself faced pushback and is reportedly considering making a few exemptions. Neha also gave the example of a media company that uses high-quality digital photographs for its work. While it restricted USB ports for all employees, it made an exception for its media person. This person needed to transfer these high-quality images from the camera to a company device. Their specific role meant they got formal approval to have their USB port enabled.

Banning USB sticks should be workable in many cases, because better, more convenient and secure alternatives exist in the form of cloud sharing platforms. But like with the implementation of most security measures, it always helps to be prepared and plan for multiple scenarios.

The post Is banning USB drives the key to better security behaviour? appeared first on BH Consulting.

Fitness apps: Good for your health, not so much for military security

Fitness apps are proving to be a lot less beneficial to military security than they are for military fitness. That after researchers in the Netherlands discovered that data from the Polar fitness app revealed the homes and habits of those exercising in clandestine locations around the world, including intelligence agencies, military bases, nuclear...

Vulnerability Spotlight: Multiple Adobe Acrobat DC Remote Code Execution Vulnerabilities

Discovered by Aleksandar Nikolic of Cisco Talos

Overview

Today, Talos is releasing details of new vulnerabilities within Adobe Acrobat Reader DC. Adobe Acrobat Reader is the most popular and most feature-rich PDF reader. It has a big user base, is usually a default PDF reader on systems and integrates into web browsers as a plugin for rendering PDFs. As such, tricking a user into visiting a malicious web page or sending a specially crafted email attachment can be enough to trigger these vulnerabilities.

TALOS-2018-0569 - Adobe Acrobat Reader DC Collab.drivers Remote Code Execution Vulnerability (CVE-2018-12812)

A specific JavaScript code embedded in a PDF file can lead to an object type confusion when opening a PDF document in Adobe Acrobat Reader DC 2018.011.20038. With careful memory manipulation, this can lead to arbitrary code execution. In order to trigger this vulnerability, the victim would need to open the malicious file or access a malicious web page. Detailed vulnerability information can be found here.

TALOS-2018-0590 - Adobe Acrobat Reader DC Collab newWrStreamToCosObj Remote Code Execution Vulnerability (CVE-2018-12756)

A specific JavaScript code embedded in a PDF file can lead to an object type confusion when opening a PDF document in Adobe Acrobat Reader DC 2018.011.20038. With careful memory manipulation, this can lead to arbitrary code execution. In order to trigger this vulnerability, the victim would need to open the malicious file or access a malicious web page. Detailed vulnerability information can be found here.

TALOS-2018-0592 - Adobe Acrobat Reader DC JSON Stringify Remote Code Execution Vulnerability (CVE-2018-12815)

A specific JavaScript code embedded in a PDF file can lead to a use-after-free condition when opening a PDF document in Adobe Acrobat Reader DC 2018.011.20038. With careful memory manipulation, this can lead to arbitrary code execution. In order to trigger this vulnerability, the victim would need to open the malicious file or access a malicious web page. Detailed vulnerability information can be found here.

Known vulnerable versions

Adobe Acrobat Reader DC 2018.011.20038

Coverage

The following Snort Rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your FireSIGHT Management Center or Snort.org.

Snort Rules: 46292-46293, 46550-46551, 46634-46635

Episode 103: On the Voice-Controlled Internet, How Will We Authenticate?

Voice based interfaces are growing in popularity, complexity and influence. But securing these interfaces has, thus far, been an afterthought. If we are destined to interact with the smart systems around us using our voice, how exactly will we manage to authenticate to those devices? In this podcast we speak with Ben Rafferty of the firm Semafone...

Kaspersky Deems Crypto-jacking the New Ransomware as Crypto-miners up Their Game

Because of its potential to earn hackers millions in a steady stream of cash, Kaspersky Labs has deemed crypto-jacking the new ransomware in a report that arrived just as researchers spotted two new types of malware targeting the growing popularity of cryptocurrencies. In its report released last Wednesday, Kaspersky declared that crypto-mining...

Opinion: With Internet of Things, Devices become Insider Threat

Connected devices aren’t just fodder for botnets. They increasingly act as malicious “insiders” capable of spying on their surroundings and providing valuable intelligence on homes and offices, argues Yotam Gutman of the firm Securithings in this industry perspective.  Connected devices present unique challenges to enterprises...

Modern OSs for embedded systems

At Kaspersky Lab we analyze the technologies available on the cybersecurity market, and this time we decided to look at what OS developers are offering for embedded systems (or, in other words, the internet of things). Our primary interest is how and to what degree these OSs can solve cybersecurity-related issues.

We’d like to point out that this review reflects the author’s subjective opinion, and for the purposes of this analysis we developed our own classification of OSs.

Moreover, throughout this research we have compared other operating systems with KasperskyOS to see what we can learn from them and how we can improve KasperskyOS. The results of this comparison will also be presented in this article.

We analyzed a total of several dozen operating systems, from the most widespread to some niche players. The vast majority of the operating systems we looked at primarily handle practical functional tasks. Information security features, if they are included in the design, are merely extensions to the existing functionality in the form of plugins, components implementing encryption algorithms or add-in architecture. These measures can help improve the overall information security posture of a solution, but cannot guarantee protection from all modern threat models. If cybersecurity issues are not addressed in the initial design, it inevitably leads to compromises later when protection mechanisms are added.

Operating systems can be classified according to numerous criteria. Our approach was to treat operating systems from an architecture standpoint, so we classified them into four large classes according to their kernel types.

  • monolithic systems,
  • operating systems with monolithic kernels,
  • microkernel-based operating systems,
  • hybrid systems.

Monolithic systems

This is the most widespread type of operating system architecture for embedded devices. Most of the operating systems we analyzed are monolithic environments designed to work in microcontrollers where all processes (both user and system) run in a single address space without restrictions.

From an information security standpoint, this architecture is only suitable for very simple tasks – as the functionality becomes more complex, the risk of vulnerabilities becomes too great. Whenever vulnerabilities occur in such systems, whether it’s in implementations of system services or in an auxiliary application, this leads to the entire solution being compromised.

Libraries containing sets of encryption algorithms are usually offered as extra security measures for such operating systems. However, these measures can hardly be described as sufficient, because they don’t envisage a comprehensive solution to many important issues, such as the generation and storage of keys and certificates, ensuring trusted downloads, secure updates, etc. Also, because these libraries are created specifically for the appropriate operating systems, they often don’t undergo verification and/or sufficient testing, so they themselves may contain vulnerabilities and therefore reduce (rather than improve) the overall security of the solutions they’re part of.

Other measures (such as stack protection, various types of additional checks etc.) may ensure protection against different types of failures and errors, but they are often useless at protecting against targeted attacks that exploit known vulnerabilities within the system.

Even if a microkernel architecture was formally applied in a solution like this, an acceptable level of protection is impossible to ensure unless user processes are isolated from system processes, since any user process could affect the operation of the microkernel. Examples of microkernel operating systems in which processes are not isolated properly include the popular RIOT OS, Zephyr, Unison RTOS, and even the commercial microcontroller kernel µ-velOSity provided by Green Hills, as well as Microsar OS, the basic operating system for automotive solutions provided by Vector.

Despite all the security shortcomings of monolithic systems, such compact operating systems are suitable for work in cheap microcontrollers. They can be used in simple and compact devices where the only task is to measure a single parameter, such as temperature, pressure, volume, etc. Devices like these must be simple, compact and cheap. In our view, monolithic systems are not the best option when faced with tasks that are more complex.

Monolithic kernel systems

Monolithic kernel systems are another type of operating system architecture. This is perhaps the most widespread and popular type of operating system architecture both for embedded systems and for general-purpose systems (i.e. servers, workstations and mobile devices).

Unlike in purely monolithic solutions, user processes in monolithic kernel systems are isolated from the kernel and only have access to its functions via a limited number of system calls. This constitutes a serious advantage from the information security standpoint.

A large number of services run in the kernel context, such as protocol implementations, file systems, device drivers, etc. Examples of monolithic kernel operating systems include those based on the Linux kernel (and its derivatives), as well as Windows, FreeBSD, RTEMS, etc.

The operating system’s kernel services still leave a large attack surface, while the code base operating in the kernel context cannot be considered as trusted. Therefore, don’t expect the kernel services to be free from vulnerabilities (in fact, vulnerabilities are regularly detected).

The compromise of any kernel service inevitably leads to the entire system being compromised, no matter what tools are employed to protect it.

The second problem is especially relevant for embedded systems: the need to restart the device when kernel modules are updated. A restart is not always required, but the cases where it can be avoided are the exception rather than the rule.

The main advantage of monolithic kernel architecture is its better performance as compared to microkernel operating systems. This is due to the smaller number of context switches.

Different Linux distributions

Operating systems based on the Linux kernel are very user-friendly: they are available in source code, offer excellent hardware support and have a large amount of application and system software. All this makes these operating systems extremely attractive for developers of embedded systems.

Note: Linux only serves as the kernel of an operating system. Full-fledged operating systems are Linux-based distributions.

It’s worth noting that Linux was developed as a kernel for a multi-user operating system and contains a set of built-in security mechanisms, but from a modern-day perspective it has a number of information security issues, both in terms of architecture and implementation.

Conventional wisdom suggests that a properly configured Linux-based solution is sufficiently secure. However, the actual configuration process is quite complicated and most security restrictions can be bypassed. Besides, there are also difficulties with Linux that are related to the implementation of secure boot mechanisms, updating operating system components, and a multitude of other problems.

A large number of Linux-based branches and distributions have been developed that aim to improve security. Extensions have also been developed to tackle information security issues, including AppArmor, grsecurity, PaX, SELinux, etc. These extensions help improve the security posture, though they cannot guarantee sufficient security, because the code base of the Linux kernel is quite large, and there’s no way of making the kernel’s computing base trusted. This problem appears to be insurmountable. According to www.cvedetails.com, 453 vulnerabilities were detected in Linux kernels in 2017. That number includes 159 vulnerabilities that allow execution of arbitrary code in the kernel context. Exploitation of a vulnerability in the Linux kernel makes it possible to circumvent any protection mechanisms, even the most sophisticated and carefully configured.

Android

Android 8.0 Oreo is the latest version of the Android operating system for mobile devices and, according to the developers, contains a multitude of new information security mechanisms. The key security features in this operating system are aimed at mitigating the consequences of exploiting vulnerabilities and reducing the attack surface, as well as the use of the principle of least privilege. There have also been changes to the API design and to the architecture. Some of the innovations are described below:

  • Smart protection of app authorization.
  • Advanced verification during updates of applications and the operating system to prevent common types of attacks, including rollback.
  • In-built support of HSM (hardware security module).
  • Application sandboxing with support for seccomp filters (secure computing mode restricts an app’s ability to make system calls), and isolation of the WebView component.
  • Support for a set of encryption profiles (different profiles use different sets of keys).
  • In-built support for two-factor authentication using physical keys.
  • Complicating paths to apps. An app can no longer be found at its static location. Instead, it is installed each time to a new location, and a special call to the system must be made to gain access to the app.
  • Discontinued support of outdated and vulnerable protocols and algorithms, such as SSL v3.0.

These are all necessary and useful measures that substantially complicate post-exploitation of vulnerabilities and the ability to gain root privileges.

However, it shouldn’t be forgotten that the Linux kernel is inside Android with all the drawbacks inherent to it. An analysis of the monthly security bulletins shows that new vulnerabilities are being discovered in Android all the time, and a significant portion of them enable execution of arbitrary code.

Microkernel operating systems

One possible solution to the above problems is the use of microkernel architecture.

A microkernel provides only the elementary functions of process management and a minimum set of hardware abstractions. Most of the work is done with the help of dedicated user processes that don’t run in the kernel’s address space. This helps to substantially reduce the attack surface of the kernel services, while the kernel of the operating system can be rigorously verified (thanks to the small code base) using, among other things, formal verification methods. To learn more about verification and how it is different from validation, check out Ekaterina Rudina’s article devoted to this topic.

The most meaningful results from an information security standpoint have been shown for microkernel architectures, for example, the Separation Kernel approach and the use of MILS architecture.

Different types of microkernels and microkernel operating systems are widely available on the market. Some examples from this category are QNX, INTEGRITY RTOS, Genode, the L4 kernel and its derivatives.

We would like to dwell a little bit on the microkernel L4. It’s the result of an evolutionary process in the microkernel approach to the development of operating systems. Today, L4 is effectively the de facto standard in the development of microkernel operating systems.

L4 microkernel family

The L4 kernel was initially developed to demonstrate the feasibility of creating a microkernel that is suitable for use in real-life, general-purpose operating systems. This attempt can be considered rather successful: there now exists a whole family of research and commercial projects that make use of the L4 derivatives. The kernels of this family have been ported to a large number of hardware platforms. It should be noted that solutions based on L4 support operation in hard real-time mode.

Among the currently maintained microkernel implementations, the following stand out:

  • seL4 – the first microkernel to be formally verified. It is still undergoing active development.
  • Codezero – a commercial version of the L4 kernel. The source code of the kernel is available under GPLv3 license, while the source of the additional modules and libraries is closed and distributed under commercial licenses.
  • OC – a version developed by TU Dresden and distributed under GPLv2 license; commercial support is available.

For the listed operating systems, there are different virtualization solutions available. There are also other virtualization solutions based on the L4 microkernel that are worth mentioning – they are OKL4, NOVA and the PikeOS operating system.

The microkernels of the L4 family are also used in the following operating systems:

  • Genode
  • TUD:OS – an operating system developed by TU Dresden on the basis of L4Re, which is an L4-based framework for constructing solutions.
  • CAmkES – a framework based on the L4 microkernel that was developed by the Trustworthy Systems Research Group @Data61.
  • L4Linux – a port of the Linux operating system to an L4-family kernel. In this setup, Linux runs as a user-mode service alongside other L4 applications (including real-time components). Linux kernel versions up to 4.14 and the x86 and ARM hardware platforms are supported.

From a security point of view, the seL4 kernel is the most important member of the L4 family.

The seL4 microkernel implements an object-capability model. Formal verification has been conducted for it, meaning the operating system’s properties can be guaranteed within specified concepts and assumptions; this improves the overall protection status of the solution. However, if the input assumptions are incorrect, problems can arise. For instance, a substantial limitation of the formal model used in seL4’s verification is that it rules out simultaneous execution of several processes (a single-processor system with interrupts disabled is assumed).

The object-capability model provides detailed control over system behavior, but by no means all security properties can be described with its help. There are numerous other security models whose properties are impossible to express based on the object-capability model. For example, security properties may depend on system status, take time relationships into account, etc. To describe such properties, extra mechanisms need to be added to the solution, and in that case the advantages of seL4 are lost.

KasperskyOS makes use of many of the ideas used in seL4. However, it also allows for a description of any security properties by using Kaspersky Security System (KSS), part of the KasperskyOS architecture.

Hybrid operating systems

A hybrid kernel exhibits a combination of properties typical of monolithic and microkernel architectures; a hybrid kernel-based operating system architecture is essentially a modified microkernel that allows operating system modules to be executed in the kernel space to expedite operation.

Operating systems with hybrid kernels have emerged as a result of attempts to use the advantages of microkernel architecture while retaining as much of the well-tested monolithic kernel code as possible. In operating systems of this class, however, the problem of information security remains unsolved, because the attack surface remains large.

The ‘secure by design’ requirement

Many of the older operating systems were initially developed with no regard for information security. When security features are introduced, functional mechanisms cease to operate as they did before, and compatibility issues arise. For this reason, and a host of others, it’s impossible to completely revisit the architectures of these systems, and there can be no security guarantees – it’s only possible to talk of enhancing some security-related properties. There are many examples of such solutions, including QNX, Linux, and FreeBSD.

Only those operating systems that took information security requirements into consideration during development can ensure proper implementation of security mechanisms without impacting their functional capabilities. The use of a secure-by-design approach is a key requirement for the final solution to be certified to Common Criteria standard, starting with EAL4. Examples of secure-by-design operating systems are seL4, INTEGRITY RTOS, MUEN RTOS, KasperskyOS and several others.

KasperskyOS

From the very start, KasperskyOS was created to meet the most stringent information security requirements. It was based on advanced practices and approaches to creating secure systems, in line with the requirements of all essential security standards. In light of this, KasperskyOS can be considered a truly secure operating system from its inception.

KasperskyOS uses microkernel architecture in which the microkernel system tools divide the system into security domains, or ‘entities’ in KasperskyOS terms. All communications between security domains (inter-process communications, IPC) are performed using the microkernel – and controlled by it. No communications are allowed to bypass the microkernel.

All communications are typed: the interface of the entities is described in IDL (Interface Definition Language), and only this interface can be used for IPCs. This is where KasperskyOS differs significantly from most other operating systems.

The KasperskyOS microkernel operates in conjunction with Kaspersky Security System (KSS), which is a subsystem that calculates security verdicts. For each IPC, the KasperskyOS microkernel requests a verdict from KSS, which it uses as a basis for permitting or blocking that particular IPC. For verdict calculation, it is not only the fact and type of communication that is taken into account but also the system’s topology, the context in which the communication takes place, as well as the assigned policy described within the framework of a set of formal security models.

KSS supports a large number of formal security models, for example, Domain Type Enforcement, Object Capability, Role-Based Access, diverse temporal logic dialects, etc. New models can be added when required.

This provides the developer with a flexible tool to describe security policies with as high a level of detail as required. We are not aware of any other solution that provides this degree of detail.

Security policies are defined in a high-level language, which greatly simplifies the verification of the solution in accordance with stipulated requirements. This also makes it possible to run formal verification of the described properties[1].

If we consider systems with limited functional capabilities that perform a limited set of functions, theoretically it’s possible to provide the specified security properties and guarantee there are no vulnerabilities in the software code.

As a solution grows progressively more complex, the addition of different protocols, algorithms, functions, etc. makes it impossible to guarantee there are no vulnerabilities in it. Special measures must be taken to ensure these vulnerabilities cannot be exploited or that their exploitation does not lead to undesirable consequences. These protection measures should include isolation of processes, restricted access to resources, attack detection systems and countermeasures, etc. In that case, the security properties must be guaranteed by the system’s trusted components, i.e., by the OS kernel, security features, subsystems providing specific types of protection, such as cryptographic protection, etc.

At the same time, the relevant security policies need to be defined in an increasingly detailed way, and there comes a point when the capabilities of policy refinement reach a limit. For example, capability-based policies can allow or deny access to a certain resource, though there is no ability to define a situation in which such access would be contingent on something. In such cases, the required security properties are considered functional requirements, and are implemented in the solution’s code along with its other features. This leads to a progressive growth in the volume of the code base that needs to be controlled, and ensuring its verifiability becomes an increasingly challenging task. Consequently, the solution again becomes insecure.

With the help of KasperskyOS and KSS, it’s possible to provide as detailed a description of security properties as desired, and through decomposition of the solution it’s possible to select a limited set of individual modules containing the minimum required functions that require verification. These modules can be viewed as standalone and isolated – their verification then becomes easy.

The code base of KSS responsible for implementing the solution’s security policies can be generated, is formally verifiable[2] and, in this sense, it is trusted. This solves the problem of uncontrolled growth of the code base to which requirements of trust are imposed.

Since security properties are defined regardless of the functional logic, the developer can construct a security system for their solutions without taking into account the details of how specific components are implemented.

The described capabilities of KasperskyOS make it possible to follow a natural course of developing secure solutions that includes the following steps:

  1. Threat analysis and threat modeling.
  2. Development of a set of formal security policies to counter the threats described in step 1.
  3. Decomposition of the solution into security domains, and definition of IPC interfaces in line with the data obtained at step 2.
  4. Implementation of the solution in line with the data obtained at step 3, and configuration of security policies aligned with the results obtained at step 2.

The ability to follow the described process of development is an important methodological advantage over other operating systems. This ensures a key advantage of KasperskyOS: complex systems can be built to meet specific information security characteristics.

KasperskyOS supports virtualization with the help of the Kaspersky Secure Hypervisor (KSH) application. Its key feature is that it can work together with KSS to implement security policies related to the control of virtual machine access to the hypervisor’s internal resources. KSH is a lightweight solution. This makes it possible to verify its code base and means it can be viewed as being part of a trusted platform. The hypervisor can apply KSS verdicts to its internal processes even in situations where cross-domain interaction does not take place.

This capability does not exist in any other virtualization solutions; it is only possible to set rules to define how a specific virtual machine interacts with other isolated components of the system.

Conclusion

Now, in the internet-of-things era, cybersecurity issues surrounding connected devices are becoming increasingly critical. In our opinion, it is the security of the operating system that defines the overall level of cybersecurity of an entire embedded system. Unfortunately, issues of information security are still not given sufficient consideration during the development of operating systems. For nearly half of the operating systems we have considered, information security aspects are either not addressed whatsoever, or the functions associated with information security are implemented at a level that is unsatisfactory.

We hope that this review will, firstly, encourage the developers of operating systems for embedded systems to devote more attention to issues of cybersecurity, and, secondly, help developers choose an operating system for their projects. After all, it’s important for all of us that the internet of things doesn’t grow into an internet of threats.
[1] No formal verification of KSS has been performed as of yet; however, the approach employed allows for it.
[2] At this time, the requirement of formal verifiability is not met; however, there are vigorous efforts being made towards this end.

Vulnerability Spotlight: Multiple Remote Vulnerabilities In Insteon Hub PubNub

Vulnerabilities discovered by Claudio Bozzato of Cisco Talos

Talos is disclosing twelve new vulnerabilities in Insteon Hub, ranging from remote code execution, to denial of service. The majority of the vulnerabilities have their root cause in the unsafe usage of the strcpy() function, leading either to stack overflow or global overflow.

Overview


Insteon Hub is a central controller, which allows an end user to use a smartphone to connect to and manage devices in their home remotely. To enable remote interaction via the internet, Insteon Hub uses an online service called PubNub.
End users install the "Insteon for Hub" application on their smartphone. Both the smartphone application and Insteon Hub include the PubNub software development kit, which allows for bidirectional communication using PubNub's REST API.
Unless stated otherwise, the vulnerabilities were found in Insteon Hub 2245-222 running firmware version 1012. These vulnerabilities are fixed as of firmware version 1016; earlier versions may be vulnerable.

TALOS-2017-0483 - Message Handler Multiple Stack Overflow Remote Code Execution Vulnerabilities

An exploitable buffer overflow vulnerability exists in the way the device handles commands sent through the PubNub service. Specially crafted commands can cause a stack-based buffer overflow, which overwrites arbitrary data due to the use of the strcpy() function while handling the JSON request. In order to be able to send such commands, the attacker needs to be authenticated in the PubNub service.

Note. CVE rules require that we assign a separate CVE to each instance of a vulnerability that can be fixed independently.

CVE: CVE-2017-16252 through CVE-2017-16337

Full technical advisory is available.

TALOS-2017-0484 - Message Handler Multiple Global Overflow Remote Code Execution Vulnerabilities

An exploitable buffer overflow vulnerability exists in the way the device handles commands sent through the PubNub service. Specially crafted commands can cause a buffer overflow on a global section overwriting arbitrary data, due to the use of the strcpy() function while handling the JSON request. In order to be able to send such commands, the attacker needs to be authenticated in the PubNub service.

CVE: CVE-2017-16338, CVE-2017-16339, CVE-2017-16340, CVE-2017-16341, CVE-2017-16342, CVE-2017-16343, CVE-2017-16344, CVE-2017-16345, CVE-2017-16346, CVE-2017-16347

Full technical advisory is available.
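Both TALOS-2017-0483 and TALOS-2017-0484 come down to the same coding pattern: a string pulled out of a JSON command is copied with strcpy() into a fixed-size buffer, on the stack in one case and in a global in the other. The block below is an added illustration of that pattern and its fix, written for this page; it is not Insteon Hub code, and the message format, the "cmd" field, the 16-byte buffer size and the function names are all assumptions.

```c
#include <stddef.h>
#include <string.h>

/* Added illustration of the flaw class behind TALOS-2017-0483/0484: a string
 * taken from a JSON command and copied with strcpy() into a fixed-size
 * buffer. The message format, buffer size and function names are
 * assumptions for this example, not Insteon Hub firmware. */

#define CMD_MAX 16                 /* assumed destination buffer size */
static char g_last_cmd[CMD_MAX];   /* a global destination (cf. "global overflow") */

/* Locate the raw bytes of the "cmd" string value in a minimal JSON message.
 * Returns a pointer to the value and sets *len, or NULL if absent or
 * unterminated. Deliberately tiny; a real service should use a JSON parser. */
static const char *find_cmd(const char *json, size_t *len) {
    static const char key[] = "\"cmd\":\"";
    const char *p = strstr(json, key);
    if (p == NULL) return NULL;
    p += sizeof key - 1;
    const char *end = strchr(p, '"');
    if (end == NULL) return NULL;
    *len = (size_t)(end - p);
    return p;
}

/* "Before": the value is terminated in a scratch area and then strcpy()'d into
 * CMD_MAX-byte buffers with no length check. A value of CMD_MAX bytes or more
 * runs past `local` on the stack and past g_last_cmd in the data section.
 * Kept only as the vulnerable pattern; do not feed it untrusted input. */
int handle_cmd_unsafe(const char *json) {
    char scratch[256];
    char local[CMD_MAX];
    size_t len;
    const char *v = find_cmd(json, &len);
    if (v == NULL || len >= sizeof scratch) return -1;
    memcpy(scratch, v, len);
    scratch[len] = '\0';
    strcpy(local, scratch);        /* unbounded copy: stack overflow */
    strcpy(g_last_cmd, scratch);   /* unbounded copy: global overflow */
    return (int)strlen(local);
}

/* "After": the length is checked against the destination before any copy and
 * oversized values are rejected outright rather than silently truncated, so
 * the caller can drop and log the message. Returns the value length or -1. */
int handle_cmd_safe(const char *json) {
    char local[CMD_MAX];
    size_t len;
    const char *v = find_cmd(json, &len);
    if (v == NULL) return -1;
    if (len >= CMD_MAX) return -1;     /* must leave room for the terminator */
    memcpy(local, v, len);
    local[len] = '\0';
    memcpy(g_last_cmd, local, len + 1);
    return (int)len;
}

/* Read back the last accepted command (for callers and tests). */
const char *last_cmd(void) { return g_last_cmd; }
```

The hardened version rejects rather than truncates: silently cutting a command short turns a memory-safety bug into a logic bug (a different command gets executed), while a rejection gives the device something to log and the fuzzer a clean error path instead of a crash.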

TALOS-2017-0485 - Reboot Task Denial Of Service Vulnerability

An exploitable DoS vulnerability exists in the device firmware, which allows an attacker to arbitrarily reboot the device without authentication. An attacker can send a UDP packet to trigger this vulnerability.

CVE: CVE-2017-16348

Full technical advisory is available.

TALOS-2017-0492 - HTTPExecuteGet Firmware Update Information Leak Vulnerability

The HTTP server implementation incorrectly checks the number of GET parameters supplied, leading to an arbitrarily controlled information leak on the device's memory. In order to be able to send such commands, the attacker needs to be authenticated in the PubNub service.

CVE: CVE-2017-14443

Full technical advisory is available.

TALOS-2017-0493 - HTTPExecuteGet Firmware Update URL Parameter Code Execution Vulnerability

The HTTP server implementation incorrectly handles the URL parameter during a firmware update request, leading to a buffer overflow on a global section. The library used by the vendor does provide some level of protection against buffer overflows; however, by using vulnerability TALOS-2017-0492, it is possible to bypass this protection and achieve code execution. In order to be able to send such commands, the attacker needs to be authenticated in the PubNub service.

CVE: CVE-2017-14444

Full technical advisory is available.

TALOS-2017-0494 - HTTPExecuteGet Firmware Update host Parameter Buffer Overflow Vulnerability

The HTTP server implementation incorrectly handles the host parameter during a firmware update request, leading to a buffer overflow on a global section. The library used by the vendor does provide some level of protection against buffer overflows, which in this case, cannot be circumvented. In order to be able to send such commands, the attacker needs to be authenticated in the PubNub service.

CVE: CVE-2017-14445

Full technical advisory is available.

TALOS-2017-0495 - HTTPExecuteGet Parameters Extraction Code Execution Vulnerability

The HTTP server implementation unsafely extracts parameters from the query string, leading to a buffer overflow on the stack. The vulnerability exists because the extraction of the arguments is made without ensuring size constraints. In order to be able to send such commands, the attacker needs to be authenticated in the PubNub service.

CVE: CVE-2017-14446

Full technical advisory is available.

TALOS-2017-0496 - Insteon Hub PubNub "ad" Channel Message Handler Code Execution Vulnerability

An exploitable buffer overflow vulnerability exists in the PubNub message handler for the "ad" channel. A specially crafted command sent through the PubNub service can cause a stack-based buffer overflow, overwriting arbitrary data. In order to be able to send such commands, the attacker needs to be authenticated in the PubNub service.

CVE: CVE-2017-14447

Full technical advisory is available.

TALOS-2017-0502 - Insteon Hub PubNub control Channel Message Handler Code Execution Vulnerabilities

An exploitable buffer overflow vulnerability exists in the way the Hub handles the replies from PubNub, leading to the overwriting of arbitrary data in a global section. The attacker would need to impersonate PubNub and answer an HTTPS GET request to trigger this vulnerability.

CVE: CVE-2017-14452, CVE-2017-14453, CVE-2017-14454, CVE-2017-14455

Full technical advisory is available.

TALOS-2018-0511 - Insteon Hub PubNub MPFS Upload Firmware Update Vulnerability

The HTTP server allows for uploading arbitrary MPFS binaries that could be modified to enable access to hidden resources which allow for uploading unsigned firmware images to the device. To trigger this vulnerability, an attacker needs to have credentials that will be used to upload an MPFS binary via the "/mpfsupload" HTTP form and, later, upload the firmware via a POST request to "firmware.htm."

This vulnerability was found on firmware version 1013.

CVE: CVE-2018-3832

Full technical advisory is available.

TALOS-2018-0512 - Insteon Hub PubNub Firmware Downgrade Vulnerability

An exploitable firmware downgrade vulnerability exists in Insteon Hub running firmware version 1013. The firmware upgrade functionality, triggered via PubNub, retrieves signed firmware binaries using plain HTTP requests. The device doesn't check the firmware version that is going to be installed, and thus allows for flashing older firmware images. To trigger this vulnerability, an attacker needs to impersonate the remote server "cache.insteon.com" and serve any signed firmware image.

CVE: CVE-2018-3833

Full technical advisory is available.

TALOS-2018-0513 - Insteon Hub PubNub Firmware Upgrade Confusion Permanent Denial Of Service Vulnerability

An exploitable permanent DoS vulnerability exists in Insteon Hub running firmware version 1013. The firmware upgrade functionality, triggered via PubNub, retrieves signed firmware binaries using plain HTTP requests. The device doesn't check the kind of firmware image that is going to be installed, and thus allows for flashing any signed firmware into any MCU. Since the device contains different and incompatible MCUs, flashing one firmware to the wrong MCU will result in a permanent unusable condition. To trigger this vulnerability, an attacker needs to impersonate the remote server "cache.insteon.com" and serve a signed firmware image.

CVE: CVE-2018-3834

Full technical advisory is available.
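TALOS-2018-0512 and TALOS-2018-0513 share a root cause: the Hub checks that an image is signed but not that it is newer than the running firmware or that it was built for the MCU about to be flashed. The following is an added example of those two checks placed after the signature check; it is not Insteon code, and the header layout, magic value, MCU ids and function names are constructed for this page. The signature verification itself is assumed to be done by a separate routine whose result is passed in.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example of the two update checks TALOS-2018-0512/0513 report as
 * missing: an anti-rollback version check and a target-MCU check, applied
 * after the signature check. The header layout, magic value and MCU ids are
 * constructed for this example and are not Insteon's firmware format. */

#define FW_MAGIC   0x46574855u    /* constructed magic */
#define FW_HDR_LEN 16

enum mcu_id { MCU_MAIN = 1, MCU_RADIO = 2 };   /* constructed ids */

struct fw_header {
    uint32_t magic;
    uint8_t  target_mcu;    /* MCU this image was built for */
    uint8_t  flags;         /* unused here */
    uint16_t reserved;
    uint32_t version;       /* build number; must never go backwards */
    uint32_t payload_len;   /* bytes following the header */
};

enum fw_verdict {
    FW_OK = 0,
    FW_ERR_SIGNATURE,   /* signature missing or invalid: stop before parsing */
    FW_ERR_SHORT,       /* buffer shorter than the header */
    FW_ERR_MAGIC,
    FW_ERR_WRONG_MCU,   /* signed, but for another MCU (cf. TALOS-2018-0513) */
    FW_ERR_DOWNGRADE,   /* signed, but older than running (cf. TALOS-2018-0512) */
    FW_ERR_LENGTH       /* declared payload length disagrees with what arrived */
};

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Parse the little-endian header; 0 on success, -1 if the buffer is short. */
int fw_parse_header(const uint8_t *buf, size_t len, struct fw_header *h) {
    if (buf == NULL || h == NULL || len < FW_HDR_LEN) return -1;
    h->magic       = rd32(buf);
    h->target_mcu  = buf[4];
    h->flags       = buf[5];
    h->reserved    = (uint16_t)(buf[6] | (buf[7] << 8));
    h->version     = rd32(buf + 8);
    h->payload_len = rd32(buf + 12);
    return 0;
}

/* Decide whether an image may be flashed on this MCU. signature_ok is the
 * outcome of a separate signature verification over the whole buffer (not
 * shown). A valid signature only proves the vendor built the image; it does
 * not prove the image is for this MCU or newer than what is running. */
enum fw_verdict fw_validate(const uint8_t *buf, size_t len, int signature_ok,
                            uint8_t my_mcu, uint32_t running_version) {
    struct fw_header h;
    if (!signature_ok) return FW_ERR_SIGNATURE;
    if (fw_parse_header(buf, len, &h) != 0) return FW_ERR_SHORT;
    if (h.magic != FW_MAGIC) return FW_ERR_MAGIC;
    if (h.target_mcu != my_mcu) return FW_ERR_WRONG_MCU;
    if (h.version < running_version) return FW_ERR_DOWNGRADE; /* same version: reflash allowed */
    if (h.payload_len != len - FW_HDR_LEN) return FW_ERR_LENGTH;
    return FW_OK;
}

/* Build a constructed image (header + payload) for demos and tests.
 * Returns the total length, or 0 if `out` is too small. */
size_t fw_build_image(uint8_t *out, size_t out_sz, uint8_t mcu, uint32_t version,
                      const uint8_t *payload, size_t payload_len) {
    if (out == NULL || out_sz < FW_HDR_LEN + payload_len) return 0;
    wr32(out, FW_MAGIC);
    out[4] = mcu; out[5] = 0; out[6] = 0; out[7] = 0;
    wr32(out + 8, version);
    wr32(out + 12, (uint32_t)payload_len);
    if (payload_len > 0) memcpy(out + FW_HDR_LEN, payload, payload_len);
    return FW_HDR_LEN + payload_len;
}
```

The order matters: the signature is checked before any header field is trusted, and the MCU and version checks sit between the signature and the flash step, so an attacker who can serve an old or mismatched (but genuinely signed) image over plain HTTP, as in the two advisories, still gets a refusal.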

Discussion


Our previous vulnerability research on IoT devices (Foscam C1 Vulnerabilities, Circle with Disney) has shown that these kinds of devices are often vulnerable.

Although several vulnerabilities were also found on Insteon Hub PubNub, some leading to remote code execution, it is worth mentioning that in order to exploit such vulnerabilities, the attacker needs to be in a privileged position. Some vulnerabilities require authentication into the PubNub portal. For others, the attacker needs to be in a position to perform a man-in-the-middle attack. Finally, the device itself also partially mitigates the vulnerabilities by limiting the size of HTTP requests, which was proven effective against one of the vulnerabilities.

Coverage


The following Snort rules will detect exploitation attempts. Note that additional rules may be released at a future date, and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your FireSIGHT Management Center or Snort.org.

Snort Rules: 45441, 45422, 44863, 45049, 45086, 45087, 44863, 45088 


Vulnerability Spotlight: TALOS-2018-0523-24 – Multiple Vulnerabilities in Pixar’s RenderMan application

Vulnerabilities discovered by Tyler Bohan from Talos


Overview


Talos is disclosing two denial-of-service vulnerabilities in Pixar’s RenderMan application. RenderMan is a rendering application used in animation and film production. It is widely used for advanced rendering and shading in many large-scale environments. Both vulnerabilities are due to the lack of proper validation when parsing network packets.

Pixar remedied these vulnerabilities in RenderMan version 21.7.
Details


TALOS-2018-0523 / CVE-2018-3840

An attacker could send a malformed TCP packet to port 4001 containing the ‘0x67’ command followed by a byte other than one of the four permitted values (0x00 - 0x03). Due to a lack of input validation, this causes a null pointer dereference and a denial of service. You can read more details in the Talos Vulnerability Report.


TALOS-2018-0524 / CVE-2018-3841

This vulnerability is caused by a very similar issue as described in TALOS-2018-0523. The only difference is that a potential attacker supplies a packet containing the ‘0x69’ command, followed by more than one byte of data to trigger the vulnerability. You can read more details in the Talos Vulnerability Report.
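Both RenderMan advisories describe the same shape of bug: a command byte whose meaning depends on the byte after it, with no check that the following byte or the packet length is what the protocol allows. The block below is an added example of a dispatcher that makes those checks before touching any handler; it is not RenderMan code, and the handler table, the return codes and the rule that 0x69 carries exactly one data byte are constructed from the advisory text, not from the real protocol.

```c
#include <stddef.h>
#include <stdint.h>

/* Added illustration of the validation gap described for TALOS-2018-0523/0524:
 * a command byte selects a handler by the byte that follows, and a request
 * whose second byte is outside the permitted set, or whose length is wrong,
 * must be refused before any lookup. The handler table, return codes and the
 * "exactly one data byte" rule for 0x69 are constructed from the advisory
 * text; this is not RenderMan code. */

#define CMD_MODE   0x67   /* from the advisory: next byte must be 0x00..0x03 */
#define CMD_SINGLE 0x69   /* from the advisory: followed by one data byte */

enum rc { RC_OK = 0, RC_ERR_SHORT = -1, RC_ERR_BAD_CMD = -2,
          RC_ERR_BAD_ARG = -3, RC_ERR_BAD_LEN = -4 };

typedef int (*handler_fn)(const uint8_t *data, size_t len);

/* Four constructed mode handlers; each returns a distinct value so a caller
 * can see which one ran. */
static int mode0(const uint8_t *d, size_t n) { (void)d; (void)n; return 100; }
static int mode1(const uint8_t *d, size_t n) { (void)d; (void)n; return 101; }
static int mode2(const uint8_t *d, size_t n) { (void)d; (void)n; return 102; }
static int mode3(const uint8_t *d, size_t n) { (void)d; (void)n; return 103; }
static int single(const uint8_t *d, size_t n) { (void)n; return 200 + d[0]; }

/* Sparse 256-entry table: only 0x00..0x03 are populated, everything else is
 * NULL. Indexing it with an unchecked byte is the null-dereference pattern. */
static const handler_fn mode_table[256] = {
    [0x00] = mode0, [0x01] = mode1, [0x02] = mode2, [0x03] = mode3,
};

/* "Before": trusts the packet. For pkt[1] > 0x03 this calls a NULL function
 * pointer and the process dies; for len < 2 it reads past the packet.
 * Kept as the vulnerable pattern only; never call it on unchecked input. */
int dispatch_unchecked(const uint8_t *pkt, size_t len) {
    return mode_table[pkt[1]](pkt + 2, len - 2);
}

/* "After": every field is checked against the protocol's stated constraints
 * before it is used, and anything else is rejected with a reason code. */
int dispatch_checked(const uint8_t *pkt, size_t len) {
    if (pkt == NULL || len < 2) return RC_ERR_SHORT;
    switch (pkt[0]) {
    case CMD_MODE:
        if (pkt[1] > 0x03) return RC_ERR_BAD_ARG;   /* table entry would be NULL */
        return mode_table[pkt[1]](pkt + 2, len - 2);
    case CMD_SINGLE:
        if (len != 2) return RC_ERR_BAD_LEN;        /* exactly one data byte */
        return single(pkt + 1, 1);
    default:
        return RC_ERR_BAD_CMD;
    }
}
```

Rejecting with a distinct reason code, rather than falling through to a NULL call, also gives the service something to log, which is what a detection rule like the Snort coverage below keys on from the outside.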


Coverage


The following Snort rules will detect exploitation attempts. Note that additional rules may be released at a future date, and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.


Snort Rule: 45610, 45604

Microsoft Patch Tuesday – June 2018

Executive Summary


Microsoft has released its monthly set of security advisories for vulnerabilities that have been identified and addressed in various products. This month's advisory release addresses 50 flaws, with 11 of them rated "critical," and 39 rated "important." These vulnerabilities impact Microsoft Edge, Internet Explorer, Chakra Scripting Engine, Windows DNSAPI, Microsoft Office, Windows Kernel and more.

In addition to the 50 vulnerabilities referenced above, Microsoft has also released a critical update advisory, ADV180014, the June 2018 Adobe Flash Security Update, which addresses the vulnerabilities described in the security bulletin.

Critical vulnerabilities


This month, Microsoft is addressing 11 vulnerabilities that are rated "critical." Talos believes these three vulnerabilities in particular are notable and require prompt attention.

CVE-2018-8225 - Windows DNSAPI Remote Code Execution Vulnerability

A remote code execution vulnerability is present within Windows DNS. This vulnerability manifests due to DNSAPI.dll improperly handling DNS responses. This vulnerability could allow a remote attacker to execute arbitrary code within the context of the LocalSystem account on affected systems. An attacker could leverage a malicious DNS server and send specially crafted DNS responses to trigger this vulnerability.

CVE-2018-8229 - Chakra Scripting Engine Memory Corruption Vulnerability

A remote code execution vulnerability is present within Microsoft Scripting Engine. This vulnerability manifests due to the Chakra engine improperly handling objects in memory. This vulnerability could be leveraged by attackers to execute arbitrary code on affected systems within the context of the current user. This vulnerability could be leveraged in web-based attacks where a user is convinced to visit a web page that has been specially crafted to exploit this vulnerability. This could be in the form of an attacker-controlled webpage, or simply a page that hosts external content, such as advertisements.

CVE-2018-8267 - Scripting Engine Memory Corruption Vulnerability

A remote code execution vulnerability is present within Microsoft Scripting Engine. This vulnerability manifests due to the scripting engine not properly handling objects in memory in Internet Explorer. This vulnerability could be leveraged by attackers to execute arbitrary code on affected systems within the context of the current user. This vulnerability was publicly disclosed prior to a patch being made available.

Other vulnerabilities deemed "critical" are listed below:

Important vulnerabilities


This month, Microsoft is addressing 39 vulnerabilities that are rated "important." One of these vulnerabilities is TALOS-2018-0545, which was assigned CVE-2018-8210. This vulnerability is a Windows remote code execution flaw that was discovered by Marcin Noga of Cisco Talos. Additional information related to this vulnerability can be found in the advisory report here.

Additionally, Talos believes the following vulnerability is notable and requires prompt attention.

CVE-2018-8227 - Chakra Scripting Engine Memory Corruption Vulnerability

A remote code execution vulnerability is present within the Microsoft Scripting Engine. This vulnerability manifests due to the Chakra engine improperly handling objects in memory. This vulnerability could be leveraged by attackers to execute arbitrary code on affected systems within the context of the current user. This vulnerability could be leveraged in web-based attacks where a user is convinced to visit a web page that has been specially crafted to exploit this vulnerability. This could be in the form of an attacker-controlled webpage, or simply a page that hosts external content, such as advertisements.

Other vulnerabilities deemed "important" are listed below:

Coverage


In response to these vulnerability disclosures, Talos is releasing the following Snort rules that detect attempts to exploit them. Please note that additional rules may be released in the future, and current rules are subject to change pending additional information. Firepower customers should use the latest update to their ruleset by updating their SRU. Open Source Snort Subscriber Rule Set customers can stay up-to-date by downloading the latest rule pack available for purchase on Snort.org.

Snort Rules:
  • 45628, 46927 - 46930, 46933 - 46935, 46938 - 46945, 46951 - 46958, 46961 - 46962

Rooting a Logitech Harmony Hub: Improving Security in Today’s IoT World

Introduction

FireEye’s Mandiant Red Team recently discovered vulnerabilities present on the Logitech Harmony Hub Internet of Things (IoT) device that could potentially be exploited, resulting in root access to the device via SSH. The Harmony Hub is a home control system designed to connect to and control a variety of devices in the user’s home. Exploitation of these vulnerabilities from the local network could allow an attacker to control the devices linked to the Hub as well as use the Hub as an execution space to attack other devices on the local network. As the Harmony Hub device list includes support for devices such as smart locks, smart thermostats, and other smart home devices, these vulnerabilities present a very high risk to the users.

FireEye disclosed these vulnerabilities to Logitech in January 2018. Logitech was receptive and has coordinated with FireEye to release this blog post in conjunction with a firmware update (4.15.96) to address these findings.

The Red Team discovered the following vulnerabilities:

  • Improper certificate validation
  • Insecure update process
  • Developer debugging symbols left in the production firmware image
  • Blank root user password

The Red Team used a combination of the vulnerabilities to gain administrative access to the Harmony Hub. This blog post outlines the discovery and analysis process, and demonstrates the necessity of rigorous security testing of consumer devices – particularly as the public places an increasing amount of trust in devices that are not just connected to home networks, but also give access to many details about the daily lives of their users.

Device Analysis

Device Preparation

Publicly available research indicated the presence of a universal asynchronous receiver/transmitter (UART) interface on some of the test points on the Harmony Hub. We soldered jumper wires to the test pads, which allowed us to connect to the Harmony Hub using a TTL to USB serial cable. Initial analysis of the boot process showed that the Harmony Hub booted via U-Boot 1.1.4 and ran a Linux kernel (Figure 1).


Figure 1: Initial boot log output from UART interface

After this point in the boot process, the console stopped returning output because the kernel was not configured with any console interfaces. We reconfigured the kernel boot parameters in U-Boot to inspect the full boot process, but no useful information was recovered. Furthermore, because the UART interface was configured to only transmit, no further interaction could be performed with the Harmony Hub on this interface. Therefore, we shifted our focus to gaining a better understanding of the Linux operating system and associated software running on the Harmony Hub.

Firmware Recovery and Extraction

The Harmony Hub is designed to pair with a companion Android or iOS application over Bluetooth for its initial configuration. We created a wireless network with hostapd and installed a Burp Suite Pro CA certificate on a test Android device to intercept traffic sent by the Harmony mobile application to the Internet and to the Harmony Hub. Once initial pairing is complete, the Harmony application searches for Harmony Hubs on the local network and communicates with the Harmony Hub over an HTTP-based API.

Once connected, the Harmony application sends two different requests to Harmony Hub’s API, which cause the Harmony Hub to check for updates (Figure 2).


Figure 2: A query to force the Harmony Hub to check for updates

The Harmony Hub sends its current firmware version to a Logitech server to determine if an update is available (Figure 3). If an update is available, the Logitech server sends a response containing a URL for the new firmware version (Figure 4). Despite using a self-signed certificate to intercept the HTTPS traffic sent by the Harmony Hub, we were able to observe this process – demonstrating that the Harmony Hub ignores invalid SSL certificates.


Figure 3: The Harmony Hub checks for updates to its firmware


Figure 4: The server sends a response with a URL for the updated firmware

We retrieved this firmware and examined the file. After extracting a few layers of archives, the firmware can be found in the harmony-image.squashfs file. This filesystem image is a SquashFS filesystem compressed with lzma, a common format for embedded devices. However, vendors often use old versions of squashfs-tools that are incompatible with more recent squashfs-tools builds. We used the unsquashfs_all.sh script included in firmware-mod-kit to automate the process of finding the correct version of unsquashfs to extract the filesystem image (Figure 5).


Figure 5: Using firmware-mod-kit to extract the filesystem

With the filesystem contents extracted, we investigated some of the configuration details of the Harmony Hub’s operating system. Inspection revealed that various debug details were available in the production image, such as kernel modules that were not stripped (Figure 6).


Figure 6: Unstripped Linux kernel objects on the filesystem

Investigation of /etc/passwd showed that the root user had no password configured (Figure 7). Therefore, if we can enable the dropbear SSH server, we can gain root access to the Harmony Hub through SSH without a password.


Figure 7: /etc/passwd shows no password is configured for the root user

We observed that an instance of a dropbear SSH server will be enabled during initialization if the file /etc/tdeenable is present in the filesystem (Figure 8).


Figure 8: A dropbear SSH server is enabled by /etc/init.d/rcS script if /etc/tdeenable is present
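The two findings above (a root account with an empty password field and an init script that starts dropbear whenever a marker file exists) are the kind of thing a firmware review should catch before a device ships. The following is an added example, not FireEye's or Logitech's code: a small audit over an extracted root filesystem that reports passwordless uid-0-style accounts and init scripts that gate a shell service on a debug marker. The sample filesystem it builds is constructed to mirror the page's description; /etc/tdeenable is the marker named on the page, the other service names are assumptions.

```python
"""Audit an extracted embedded-Linux rootfs for passwordless accounts and
debug switches that enable a remote shell (added example, constructed data)."""
import os
import tempfile

# /etc/tdeenable is the marker the page describes; the service names are assumptions.
DEBUG_SWITCH_FILES = ["etc/tdeenable"]
SHELL_SERVICE_HINTS = ["dropbear", "telnetd", "sshd"]


def find_passwordless_accounts(rootfs):
    """Accounts whose password field is empty in /etc/passwd or /etc/shadow.
    'x'/'*' in passwd defer to shadow; '!'/'*' in shadow mean locked; '' means
    'log in with no password at all'."""
    findings = []
    for rel in ("etc/passwd", "etc/shadow"):
        path = os.path.join(rootfs, rel)
        if not os.path.isfile(path):
            continue
        with open(path, encoding="utf-8", errors="replace") as fh:
            for line in fh:
                fields = line.rstrip("\n").split(":")
                if len(fields) < 2 or not fields[0]:
                    continue
                if fields[1] == "":
                    findings.append((rel, fields[0]))
    return findings


def find_debug_switches(rootfs):
    """(marker files present, init scripts that start a shell service when a
    marker file exists)."""
    present = [f for f in DEBUG_SWITCH_FILES if os.path.exists(os.path.join(rootfs, f))]
    gated = []
    init_dir = os.path.join(rootfs, "etc", "init.d")
    if os.path.isdir(init_dir):
        for name in sorted(os.listdir(init_dir)):
            path = os.path.join(init_dir, name)
            if not os.path.isfile(path):
                continue
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            for switch in DEBUG_SWITCH_FILES:
                if "/" + switch in text and any(h in text for h in SHELL_SERVICE_HINTS):
                    gated.append((name, switch))
    return present, gated


def audit(rootfs):
    """Combine both checks into one report dict."""
    present, gated = find_debug_switches(rootfs)
    return {
        "passwordless": find_passwordless_accounts(rootfs),
        "debug_switch_present": present,
        "shell_gated_on_switch": gated,
    }


def build_sample_rootfs():
    """Constructed sample rootfs mirroring the page's findings (not the real image)."""
    root = tempfile.mkdtemp(prefix="rootfs-")
    os.makedirs(os.path.join(root, "etc", "init.d"))
    with open(os.path.join(root, "etc", "passwd"), "w") as fh:
        fh.write("root::0:0:root:/root:/bin/sh\nnobody:x:99:99::/:/bin/false\n")
    with open(os.path.join(root, "etc", "init.d", "rcS"), "w") as fh:
        fh.write("#!/bin/sh\nif [ -f /etc/tdeenable ]; then\n"
                 "    dropbear -r /etc/dropbear/host_key &\nfi\n")
    return root


if __name__ == "__main__":
    print(audit(build_sample_rootfs()))
```

Run it against any directory produced by unsquashfs; a non-empty `passwordless` list or a `shell_gated_on_switch` hit is a finding to raise with the vendor, since anyone who can create the marker file (for example through the update path described next) gets a shell without credentials.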

Hijacking Update Process

During the initialization process, the Harmony Hub queries the GetJson2Uris endpoint on the Logitech API to obtain a list of URLs to use for various processes (Figure 9), such as the URL to use when checking for updated firmware or a URL to obtain information about updates to its additional software packages.


Figure 9: The request to obtain a list of URL endpoints for various processes

We intercepted and modified the JSON object in the response from the server to point the GetUpdates member to our own IP address, as shown in Figure 10.


Figure 10: The modified JSON object member

Similar to the firmware update process, the Harmony Hub sends a POST request to the endpoint specified by GetUpdates containing the current versions of its internal software packages. The request shown in Figure 11 contains a sample request for the HEOS package.


Figure 11: The JSON request object containing the current version of the “HEOS” package

If the sysBuild parameter in the POST request body does not match the current version known by the server, the server responds with an initial response containing information about the new package version. For an undetermined reason, the Harmony Hub ignores this initial response and sends a second request. The second response contains multiple URLs pointing to the updated package, as shown in Figure 12.


Figure 12: The JSON response containing URLs for the software update

We downloaded and inspected the .pkg files listed in the response object, which are actually just ZIP archives. The archives contain a simple file hierarchy, as shown in Figure 13.


Figure 13: The .pkg archive file hierarchy

The manifest.json file contains information used to instruct the Harmony Hub’s update process on how to handle the archive’s contents (Figure 14).


Figure 14: The contents of the manifest.json file

The Harmony Hub’s update process executes the script provided by the installer parameter of the manifest if it is present within the archive. We modified this script, as shown in Figure 15, to create the /etc/tdeenable file, which causes the boot process to enable the SSH interface as previously described.


Figure 15: The modified update.sh file

We created a new malicious archive with the appropriate .pkg extension and hosted it on a local web server. The next time the Harmony Hub checked for updates against the URL supplied in the modified GetJson2Uris response, we sent a modified response pointing to this update. The Harmony Hub retrieved our malicious update package, and after the Harmony Hub rebooted, the SSH interface was enabled. This allowed us to access the device with the username root and a blank password, as shown in Figure 16.


Figure 16: The SSH interface was enabled after a reboot
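The chain above works because nothing in it is authenticated: the update check accepts any certificate, the endpoint list and the package URL come from an unauthenticated JSON response, and the installer script in the .pkg is executed as delivered. The following is an added example, not the project's or FireEye's code, of what an update client should do instead: verify the server certificate, and refuse to act on a .pkg unless its manifest is signed and every member matches the digest the manifest lists. The .pkg layout (a ZIP whose manifest.json names an `installer`) follows the page; the `files` digest map, the `manifest.sig` member and the signing key are assumptions. HMAC-SHA256 stands in for the vendor's public-key signature only to keep the example standard-library-only; a real device would verify an asymmetric signature with a public key baked into the firmware, so that a secret never has to live on the device.

```python
"""Verify an update package before executing its installer (added example)."""
import hashlib
import hmac
import io
import json
import ssl
import zipfile

# Assumption: stand-in for a vendor signing key. Real updaters verify an
# asymmetric signature; HMAC is used here only to stay standard-library-only.
SIGNING_KEY = b"constructed-demo-signing-key"
META = {"manifest.json", "manifest.sig"}


def tls_context_for_updates():
    """The weak configuration the page describes amounts to
    check_hostname = False and verify_mode = ssl.CERT_NONE; the default
    context enforces chain validation and hostname matching."""
    ctx = ssl.create_default_context()
    if ctx.verify_mode != ssl.CERT_REQUIRED or not ctx.check_hostname:
        raise RuntimeError("update TLS context must verify peers")
    return ctx


def sign_manifest(manifest_bytes):
    return hmac.new(SIGNING_KEY, manifest_bytes, hashlib.sha256).hexdigest()


def build_package(installer_script, sign=True, tamper_script=None):
    """Constructed .pkg in memory: manifest.json names the installer and lists
    a SHA-256 digest for every member. tamper_script swaps the installer after
    it was hashed, as an on-path attacker would."""
    files = {"update.sh": installer_script, "payload.bin": b"\x00\x01\x02"}
    manifest = {"installer": "update.sh",
                "files": {n: hashlib.sha256(d).hexdigest() for n, d in files.items()}}
    manifest_bytes = json.dumps(manifest, sort_keys=True).encode()
    if tamper_script is not None:
        files["update.sh"] = tamper_script
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("manifest.json", manifest_bytes)
        if sign:
            zf.writestr("manifest.sig", sign_manifest(manifest_bytes))
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


def verify_package(pkg_bytes):
    """Return (ok, reason, installer). Only when ok is True may the installer
    be executed; every other outcome aborts the update."""
    with zipfile.ZipFile(io.BytesIO(pkg_bytes)) as zf:
        names = set(zf.namelist())
        if not META <= names:
            return False, "missing manifest or signature", None
        manifest_bytes = zf.read("manifest.json")
        if not hmac.compare_digest(zf.read("manifest.sig").decode(), sign_manifest(manifest_bytes)):
            return False, "manifest signature invalid", None
        manifest = json.loads(manifest_bytes)
        listed = manifest.get("files", {})
        if names - META - set(listed):
            return False, "archive contains members not covered by the manifest", None
        for name, digest in listed.items():
            # reject absolute and traversal paths (zip-slip) and phantom entries
            if name.startswith("/") or ".." in name.split("/") or "\\" in name or name not in names:
                return False, f"bad path {name!r}", None
            if hashlib.sha256(zf.read(name)).hexdigest() != digest:
                return False, f"digest mismatch for {name!r}", None
        installer = manifest.get("installer")
        if installer is not None and installer not in listed:
            return False, "installer not covered by manifest", None
        return True, "ok", installer


if __name__ == "__main__":
    print(verify_package(build_package(b"#!/bin/sh\necho updating\n")))
    print(verify_package(build_package(b"#!/bin/sh\necho updating\n",
                                       tamper_script=b"#!/bin/sh\necho tampered\n")))
```

The order of checks matters: the signature over the manifest is verified before the manifest is parsed or any member is trusted, so a swapped installer, an added file, or a traversal path in the member list is rejected without ever being executed.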

Conclusion

As technology becomes further embedded into our daily lives, the trust we place in various devices increases, often without our noticing. Because the Harmony Hub, like many IoT devices, uses a common processor architecture, malicious tools could easily be added to a compromised Harmony Hub, increasing the overall impact of a targeted attack. However, Logitech worked with our team to quickly address the vulnerabilities in their current firmware, 4.15.96. Developers of the devices in which we place our trust should be vigilant in removing potential attack vectors that could expose end users to security risks. We also want to share Logitech’s statement on the research and work by the Red Team:

"At Logitech, we take our customers’ security and privacy very seriously. In late January 2018, security research firm FireEye pointed out vulnerabilities that could impact Logitech Harmony Hub-based products*.

If a malicious hacker had already gained access to a Hub user's network, these vulnerabilities could be exploited. We appreciate the work that professional security research firms like FireEye provide when identifying these types of vulnerabilities on IoT devices.

As soon as FireEye shared their research findings with us, we reviewed internally and immediately started to develop firmware to address it. As of April 10, we have released firmware that addresses all of the vulnerabilities that were identified. For any customers who haven’t yet updated to firmware version 4.15.96, we recommend you check the MyHarmony software and sync your Hub-based remote and receive it. Complete directions on updating your firmware can be found here.

*Hub-based products include: Harmony Elite, Harmony Home Hub, Harmony Ultimate Hub, Harmony Hub, Harmony Home Control, Harmony Pro, Harmony Smart Control, Harmony Companion, Harmony Smart Keyboard, Harmony Ultimate and Ultimate Home."

Microsoft Office Vulnerabilities Used to Distribute Zyklon Malware in Recent Campaign

Introduction

FireEye researchers recently observed threat actors leveraging relatively new vulnerabilities in Microsoft Office to spread Zyklon HTTP malware. Zyklon has been observed in the wild since early 2016 and provides myriad sophisticated capabilities.

Zyklon is a publicly available, full-featured backdoor capable of keylogging, password harvesting, downloading and executing additional plugins, conducting distributed denial-of-service (DDoS) attacks, and self-updating and self-removal. The malware may communicate with its command and control (C2) server over The Onion Router (Tor) network if configured to do so. The malware can download several plugins, some of which include features such as cryptocurrency mining and password recovery, from browsers and email software. Zyklon also provides a very efficient mechanism to monitor the spread and impact.

Infection Vector

We have observed this recent wave of Zyklon malware being delivered primarily through spam emails. The email typically arrives with an attached ZIP file containing a malicious DOC file (Figure 1 shows a sample lure).

The following industries have been the primary targets in this campaign:

  • Telecommunications
  • Insurance
  • Financial Services


Figure 1: Sample lure documents

Attack Flow

  1. Spam email arrives in the victim’s mailbox as a ZIP attachment, which contains a malicious DOC file.
  2. The document files exploit at least three known vulnerabilities in Microsoft Office, which we discuss in the Infection Techniques section. Upon execution in a vulnerable environment, the PowerShell-based payload takes over.
  3. The PowerShell script is responsible for downloading the final payload from the C2 server and executing it.

A visual representation of the attack flow and execution chain can be seen in Figure 2.


Figure 2: Zyklon attack flow

Infection Techniques

CVE-2017-8759

This vulnerability was discovered by FireEye in September 2017, and it is a vulnerability we have observed being exploited in the wild.

The DOC file contains an embedded OLE Object that, upon execution, triggers the download of an additional DOC file from the stored URL (seen in Figure 3).


Figure 3: Embedded URL in OLE object

CVE-2017-11882

Similarly, we have also observed actors leveraging another recently discovered vulnerability (CVE-2017-11882) in Microsoft Office. Upon opening the malicious DOC attachment, an additional download is triggered from a stored URL within an embedded OLE Object (seen in Figure 4).


Figure 4: Embedded URL in OLE object


Figure 5: HTTP GET request to download the next level payload

The downloaded file, doc.doc, is XML-based and contains a PowerShell command (shown in Figure 6) that subsequently downloads the binary Pause.ps1.


Figure 6: PowerShell command to download the Pause.ps1 payload

Dynamic Data Exchange (DDE)

Dynamic Data Exchange (DDE) is a Windows interprocess communication mechanism that is abused here to achieve code execution from the document. With the help of a PowerShell script (shown in Figure 7), the next payload (Pause.ps1) is downloaded.


Figure 7: DDE technique used to download the Pause.ps1 payload

One of the unique approaches we have observed is the use of dot-less IP addresses (example: hxxp://258476380).

Figure 8 shows the network communication of the Pause.ps1 download.


Figure 8: Network communication to download the Pause.ps1 payload
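A dot-less address such as hxxp://258476380 is a legitimate spelling under the classic inet_aton rules (one to four dot-separated components, each decimal, 0x-hex or 0-octal, the last one filling whatever bytes remain), so a proxy or browser resolves it while a blocklist keyed on dotted quads never matches. The following is an added example, not FireEye's code, that canonicalises a URL's host before IoC matching; it generalises from the page's single-integer case to every inet_aton form. The helper names are mine, and the page's own example decodes to 15.104.9.92 (not itself one of the listed indicators).

```python
"""Canonicalise IPv4 host spellings so IoC matching is not evaded (added example)."""
import ipaddress
import re
from urllib.parse import urlsplit


def _component(s):
    """One dot-separated component: 0x-hex, 0-octal or decimal, as inet_aton parses it."""
    if re.fullmatch(r"0[xX][0-9a-fA-F]+", s):
        return int(s, 16)
    if re.fullmatch(r"0[0-7]*", s):          # "0" and "017" are octal
        return int(s, 8)
    if re.fullmatch(r"[1-9][0-9]*", s):
        return int(s, 10)
    raise ValueError(f"not a numeric component: {s!r}")


def inet_aton_forms(host):
    """Canonical IPv4Address for any inet_aton-style spelling, else ValueError."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        raise ValueError("too many components")
    values = [_component(p) for p in parts]
    if any(v > 0xFF for v in values[:-1]):
        raise ValueError("leading component exceeds one byte")
    last_bits = 8 * (5 - len(parts))          # the last part covers 32, 24, 16 or 8 bits
    if values[-1] >= 1 << last_bits:
        raise ValueError("last component out of range")
    n = 0
    for v in values[:-1]:
        n = (n << 8) | v
    return ipaddress.IPv4Address((n << last_bits) | values[-1])


def normalize_url_host(url):
    """Refang hxxp/hxxps, take the host, and return a canonical dotted quad for
    numeric hosts or the lower-cased name for everything else."""
    url = re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)
    host = urlsplit(url).hostname
    if host is None:
        raise ValueError("no host in URL")
    try:
        return str(inet_aton_forms(host))
    except ValueError:
        return host.lower()


def to_dotless(dotted):
    """Inverse helper: the single-integer spelling of a dotted quad."""
    return str(int(ipaddress.IPv4Address(dotted)))


def matches_ioc(url, iocs):
    """True when the URL's canonical host is in the IoC set (names or IPv4)."""
    return normalize_url_host(url) in {i.lower() for i in iocs}


if __name__ == "__main__":
    for u in ("hxxp://258476380", "http://0xf.0x68.9.92/", "http://15.6818140", "http://017.0150.011.0134"):
        print(u, "->", normalize_url_host(u))
```

Apply `normalize_url_host` to both the indicator list and the observed URLs before comparing; matching on the raw host string is what the dot-less form is designed to slip past.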

Zyklon Delivery

In all these techniques, the same domain is used to download the next level payload (Pause.ps1), which is another PowerShell script that is Base64 encoded (as seen in Figure 8).

The Pause.ps1 script is responsible for resolving the APIs required for code injection. It also contains the injectable shellcode. The resolved APIs include VirtualAlloc(), memset(), and CreateThread(). Figure 9 shows the decoded Base64 code.


Figure 9: Base64 decoded Pause.ps1
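The combination described here, a Base64-encoded inner stage plus resolution of VirtualAlloc, memset and CreateThread, is a detectable shape regardless of the surrounding script. The following is an added example, not FireEye's detection content, that finds long Base64 runs in a PowerShell script, decodes them (UTF-16LE, as -EncodedCommand uses, or UTF-8), and reports which injection-related API names appear in the script or any decoded stage. The two-stage sample script it scans is constructed and is not the real Pause.ps1.

```python
"""Find Base64-encoded stages in PowerShell and the injection APIs they name (added example)."""
import base64
import re

INJECTION_APIS = ("VirtualAlloc", "memset", "CreateThread")
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")   # only long Base64 runs


def _decode_text(blob):
    """ASCII text encoded as UTF-16LE has a zero byte in every odd position;
    use that to choose UTF-16LE over UTF-8. None if neither decodes."""
    try:
        if len(blob) % 2 == 0 and blob[1::2].count(0) >= len(blob) // 4:
            return blob.decode("utf-16-le")
        return blob.decode("utf-8")
    except UnicodeDecodeError:
        return None


def decode_candidates(text):
    """(raw_base64, decoded_text) for every long Base64 run that decodes to text."""
    found = []
    for m in B64_RUN.finditer(text):
        raw = m.group(0)
        try:
            blob = base64.b64decode(raw + "=" * (-len(raw) % 4), validate=True)
        except ValueError:                     # binascii.Error is a ValueError
            continue
        decoded = _decode_text(blob)
        if decoded is not None and all(c.isprintable() or c in "\r\n\t" for c in decoded):
            found.append((raw, decoded))
    return found


def scan_script(text):
    """Report decoded stages and injection APIs named anywhere in the script."""
    stages = decode_candidates(text)
    searchable = [text] + [decoded for _, decoded in stages]
    apis = sorted({api for api in INJECTION_APIS
                   if any(api.lower() in s.lower() for s in searchable)})
    return {"encoded_stages": len(stages), "injection_apis": apis,
            "suspicious": bool(stages) and len(apis) >= 2}


def make_sample_script():
    """Constructed two-stage script: an outer loader that Base64-decodes and
    evaluates an inner stage naming the injection APIs."""
    inner = ("$lib = 'kernel32.dll'\n"
             "$alloc = 'VirtualAlloc'\n"
             "$fill = 'memset'\n"
             "$run = 'CreateThread'\n")
    encoded = base64.b64encode(inner.encode("utf-16-le")).decode("ascii")
    return ("$stage = [System.Text.Encoding]::Unicode.GetString("
            "[System.Convert]::FromBase64String('" + encoded + "'))\n"
            "Invoke-Expression $stage\n")


if __name__ == "__main__":
    print(scan_script(make_sample_script()))
```

The outer script never mentions the API names, so a plain string match on the file misses it; decoding the embedded stage is what surfaces the three names together.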

The injected code is responsible for downloading the final payload from the server (see Figure 10). The final stage payload is a PE executable compiled with the .NET Framework.


Figure 10: Network traffic to download final payload (words.exe)

Once executed, the file performs the following activities:

  1. Drops a copy of itself in %AppData%\svchost.exe\svchost.exe and drops an XML file, which contains configuration information for Task Scheduler (as shown in Figure 11).
  2. Unpacks the code in memory via process hollowing. The MSIL file contains the packed core payload in its .NET resource section.
  3. The unpacked code is Zyklon.


Figure 11: XML configuration file to schedule the task
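The persistence step pairs a dropped copy named after a system binary (svchost.exe under %AppData%) with a scheduled task that launches it. The following is an added example, not FireEye's code, that parses a Task Scheduler XML definition and flags any action whose command borrows a well-known system-binary name from outside a system directory or runs from a user-writable location. The task XML is constructed in the Task Scheduler schema and is not the file shown in Figure 11; the binary and directory lists are assumptions that a deployment would extend.

```python
"""Flag scheduled-task actions that run a look-alike system binary from a
user-writable path (added example, constructed XML)."""
import ntpath
import xml.etree.ElementTree as ET   # use defusedxml for untrusted input in production

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe"}     # assumption
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
               "%systemroot%\\system32\\", "%windir%\\system32\\")               # assumption
USER_WRITABLE_HINTS = ("%appdata%", "%localappdata%", "\\appdata\\", "%temp%", "\\temp\\")

# Constructed task mirroring the page's description (real task files are UTF-16
# with an XML declaration; parse those with ET.parse(path) on the raw bytes).
SAMPLE_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec><Command>%AppData%\svchost.exe\svchost.exe</Command></Exec>
  </Actions>
</Task>"""

BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec><Command>C:\Windows\System32\svchost.exe</Command><Arguments>-k netsvcs</Arguments></Exec>
  </Actions>
</Task>"""


def task_commands(xml_text):
    """(command, arguments) for every Exec action in the task."""
    root = ET.fromstring(xml_text)
    return [(exe.findtext("t:Command", default="", namespaces=NS).strip(),
             exe.findtext("t:Arguments", default="", namespaces=NS).strip())
            for exe in root.findall(".//t:Actions/t:Exec", NS)]


def assess_command(cmd):
    """Reasons the command looks like a masquerading or user-writable launch."""
    c = cmd.strip('"').lower()
    name = ntpath.basename(c)
    reasons = []
    if name in SYSTEM_BINARIES and not c.startswith(SYSTEM_DIRS):
        reasons.append(f"{name} outside a system directory")
    if any(h in c for h in USER_WRITABLE_HINTS):
        reasons.append("runs from a user-writable location")
    return reasons


def suspicious_tasks(xml_text):
    """[(command, reasons)] for the actions that triggered at least one reason."""
    hits = []
    for cmd, _args in task_commands(xml_text):
        reasons = assess_command(cmd)
        if reasons:
            hits.append((cmd, reasons))
    return hits


if __name__ == "__main__":
    print(suspicious_tasks(SAMPLE_TASK))
    print(suspicious_tasks(BENIGN_TASK))
```

On a live system the same logic applies to the XML files under %SystemRoot%\System32\Tasks or to the output of `schtasks /query /xml`; the signal is the name/location mismatch, not the task name.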

The Zyklon malware first retrieves the external IP address of the infected machine using the following:

  • api.ipify[.]org
  • ip.anysrc[.]net
  • myexternalip[.]com
  • whatsmyip[.]com

The Zyklon executable contains another encrypted file in its .NET resource section named tor. This file is decrypted and injected into an instance of InstallUtil.exe, where it functions as a Tor anonymizer.

Command & Control Communication

The C2 communication of Zyklon is proxied through the Tor network. The malware sends a POST request to the C2 server; the C2 URL is formed by appending gate.php, a string stored in the file's memory, to the server address. The parameter passed in this request is getkey=y. In response, the C2 server returns a Base64-encoded RSA public key (seen in Figure 12).


Figure 12: Zyklon public RSA key

After the connection is established with the C2 server, the malware can communicate with its control server using the commands shown in Table 1.

Command     Action
sign        Requests system information
settings    Requests settings from C2 server
logs        Uploads harvested passwords
wallet      Uploads harvested cryptocurrency wallet data
proxy       Indicates SOCKS proxy port opened
miner       Cryptocurrency miner commands
error       Reports errors to C2 server
ddos        DDoS attack commands

Table 1: Zyklon accepted commands

The following figures show the initial request and subsequent server response for the “settings” (Figure 13), “sign” (Figure 14), and “ddos” (Figure 15) commands.


Figure 13: Zyklon issuing “settings” command and subsequent server response


Figure 14: Zyklon issuing “sign” command and subsequent server response


Figure 15: Zyklon issuing “ddos” command and subsequent server response

Plugin Manager

Zyklon downloads a number of plugins from its C2 server. The plugin URL is stored in the file in the following format:

  • /plugin/index.php?plugin=<Plugin_Name>

The following plugins are found in the memory of the Zyklon malware:

  • /plugin/index.php?plugin=cuda
  • /plugin/index.php?plugin=minerd
  • /plugin/index.php?plugin=sgminer
  • /plugin/index.php?plugin=socks
  • /plugin/index.php?plugin=tor
  • /plugin/index.php?plugin=games
  • /plugin/index.php?plugin=software
  • /plugin/index.php?plugin=ftp
  • /plugin/index.php?plugin=email
  • /plugin/index.php?plugin=browser

The downloaded plugins are injected into: Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe.
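The C2 pattern described in this section and the previous one is simple enough to match in proxy or web logs: a POST to a gate.php path carrying getkey=y, then one or more fetches of /plugin/index.php?plugin=<name> from the same host, with <name> drawn from the plugin list above. The following is an added example, not FireEye's detection content, that runs that logic over a few constructed log lines; the log format, client addresses and host names are constructed, and only the URL shapes and plugin names come from the page.

```python
"""Detect the Zyklon key-exchange + plugin-fetch pattern in proxy logs (added example)."""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed lines in an assumed format: "<epoch> <client> <method> <url> <status>"
SAMPLE_LOG = """\
1515000001 10.0.0.7 POST http://c2.example.invalid/gate.php?getkey=y 200
1515000009 10.0.0.7 GET http://c2.example.invalid/plugin/index.php?plugin=tor 200
1515000011 10.0.0.7 GET http://c2.example.invalid/plugin/index.php?plugin=browser 200
1515000040 10.0.0.9 GET http://www.example.invalid/index.php?plugin=gallery 200
1515000050 10.0.0.9 POST http://shop.example.invalid/gate.php 302
"""

# Plugin names listed on the page
KNOWN_PLUGINS = {"cuda", "minerd", "sgminer", "socks", "tor", "games",
                 "software", "ftp", "email", "browser"}
LINE = re.compile(r"^(\d+) (\S+) (GET|POST) (\S+) (\d{3})$")


def parse_line(line):
    """Split one log line into a record, or None if it does not fit the format."""
    m = LINE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, status = m.groups()
    u = urlsplit(url)
    return {"ts": int(ts), "client": client, "method": method, "host": u.hostname,
            "path": u.path, "query": parse_qs(u.query), "status": int(status)}


def classify(rec):
    """Tag a record as the key exchange, a plugin fetch, or nothing."""
    if rec["method"] == "POST" and rec["path"].endswith("/gate.php") \
            and rec["query"].get("getkey") == ["y"]:
        return "zyklon_key_exchange"
    if rec["path"].endswith("/plugin/index.php"):
        names = rec["query"].get("plugin", [])
        if names and names[0] in KNOWN_PLUGINS:
            return "zyklon_plugin_fetch:" + names[0]
    return None


def detect(log_text):
    """One alert per (client, host) pair showing either indicator; both raise confidence."""
    per_pair = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        tag = classify(rec)
        if tag:
            per_pair[(rec["client"], rec["host"])].append(tag)
    alerts = []
    for (client, host), tags in per_pair.items():
        key_exchange = "zyklon_key_exchange" in tags
        plugins = [t.split(":", 1)[1] for t in tags if t.startswith("zyklon_plugin_fetch:")]
        alerts.append({"client": client, "host": host, "key_exchange": key_exchange,
                       "plugins": plugins,
                       "confidence": "high" if key_exchange and plugins else "medium"})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

A lone POST to some gate.php, or a single plugin= parameter on an unrelated site, is common enough that either alone is only a medium-confidence hint; the two together from one client to one host is what makes the pattern worth an analyst's time.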

Additional Features

The Zyklon malware offers the following additional capabilities (via plugins):

Browser Password Recovery

Zyklon HTTP can recover passwords from popular web browsers, including:

  • Google Chrome
  • Mozilla Firefox
  • Internet Explorer
  • Opera Browser
  • Chrome Canary/SXS
  • CoolNovo Browser
  • Apple Safari
  • Flock Browser
  • SeaMonkey Browser
  • SRWare Iron Browser
  • Comodo Dragon Browser

FTP Password Recovery

Zyklon currently supports FTP password recovery from the following FTP applications:

  • FileZilla
  • SmartFTP
  • FlashFXP
  • FTPCommander
  • Dreamweaver
  • WS_FTP

Gaming Software Key Recovery

Zyklon can recover PC Gaming software keys from the following games:

  • Battlefield
  • Call of Duty
  • FIFA
  • NFS
  • Age of Empires
  • Quake
  • The Sims
  • Half-Life
  • IGI
  • Star Wars

Email Password Recovery

Zyklon may also collect email passwords from following applications:

  • Microsoft Outlook Express
  • Microsoft Outlook 2002/XP/2003/2007/2010/2013
  • Mozilla Thunderbird
  • Windows Live Mail 2012
  • IncrediMail, Foxmail v6.x - v7.x
  • Windows Live Messenger
  • MSN Messenger
  • Google Talk
  • GMail Notifier
  • PaltalkScene IM
  • Pidgin (Formerly Gaim) Messenger
  • Miranda Messenger
  • Windows Credential Manager

License Key Recovery

The malware automatically detects and decrypts the license/serial keys of more than 200 popular pieces of software, including Office, SQL Server, Adobe, and Nero.

Socks5 Proxy

Zyklon features the ability to establish a reverse Socks5 proxy server on infected host machines.

Hijack Clipboard Bitcoin Address

Zyklon has the ability to monitor the clipboard and replace a bitcoin address the user has copied with an address served up by the actor’s control server.

Zyklon Pricing

Researchers identified different versions of Zyklon HTTP being advertised in a popular underground marketplace for the following prices:

  • Normal build: $75 (USD)
  • Tor-enabled build: $125 (USD)
  • Rebuild/Updates: $15 (USD)
  • Payment Method: Bitcoin (BTC)

Conclusion

Threat actors incorporating recently discovered vulnerabilities in popular software – Microsoft Office, in this case – only increases the potential for successful infections. These types of threats show why it is very important to ensure that all software is fully updated. Additionally, all industries should be on alert, as it is highly likely that the threat actors will eventually move outside the scope of their current targeting.

At the time of writing, the FireEye Multi-Vector Execution (MVX) engine is able to recognize and block this threat. Table 2 lists the current detection and blocking capabilities by product.

Detection Name                              Product      Action
POWERSHELL DOWNLOADER D (METHODOLOGY)       HX           Detect
SUSPICIOUS POWERSHELL USAGE (METHODOLOGY)   HX           Detect
POWERSHELL DOWNLOADER (METHODOLOGY)         HX           Detect
SUSPICIOUS EQNEDT USAGE (METHODOLOGY)       HX           Detect
TOR (TUNNELER)                              HX           Detect
SUSPICIOUS SVCHOST.EXE (METHODOLOGY)        HX           Detect
Malware.Binary.rtf                          EX/ETP/NX    Block
Malware.Binary                              EX/ETP/NX    Block
FE_Exploit_RTF_CVE_2017_8759                EX/ETP/NX    Block
FE_Exploit_RTF_CVE201711882_1               EX/ETP/NX    Block

Table 2: Current detection capabilities by FireEye products

Indicators of Compromise

The analysis above is based on the representative sample lures listed in Table 3.

MD5                               Name
76011037410d031aa41e5d381909f9ce  accounts.doc
4bae7fb819761a7ac8326baf8d8eb6ab  Courrier.doc
eb5fa454ab42c8aec443ba8b8c97339b  doc.doc
886a4da306e019aa0ad3a03524b02a1c  Pause.ps1
04077ecbdc412d6d87fc21e4b3a4d088  words.exe

Table 3: Sample Zyklon lures

Network Indicators

  • 154.16.93.182
  • 85.214.136.179
  • 178.254.21.218
  • 159.203.42.107
  • 217.12.223.216
  • 138.201.143.186
  • 216.244.85.211
  • 51.15.78.0
  • 213.251.226.175
  • 93.95.100.202
  • warnono.punkdns.top

Spectre and Meltdown from a CNO Perspective

Longtime readers know that I have no problem with foreign countries replacing American vendors with local alternatives. For example, see Five Reasons I Want China Running Its Own Software. This is not a universal principle, but as an American I am fine with it. Putting my computer network operations (CNO) hat on, I want to share a few thoughts about the intersection of the anti-American vendor mindset with the recent Spectre and Meltdown attacks.

There are probably non-Americans who, for a variety of reasons, feel that it would be "safer" for them to run their cloud computing workloads on non-American infrastructure. Perhaps they feel that it puts their data beyond the reach of the American Department of Justice. (I personally feel that it's an over-reach by DoJ to try to access data beyond American borders, e.g., Microsoft Corp. v. United States.)

The American intelligence community and computer network operators, however, might prefer to have that data outside American borders. These agencies are still bound by American laws, but those laws generally permit exploitation overseas.

Now put this situation in the context of Spectre and Meltdown. Begin with the attack scenario mentioned by Nicole Perlroth, where an attacker rents a few minutes of time on various cloud systems, then leverages Spectre and/or Meltdown to try to gather sensitive data from other virtual machines on the same physical hardware.

No lawyer or judge would allow this sort of attack scenario if it were performed in American systems. It would be very difficult, I think, to minimize data in this kind of "fishing expedition." Most of the data returned would belong to US persons and would be subject to protection. Sure, there are conspiracy theorists out there who will never trust that the US government follows its own laws. These people are sure that the USG already knew about Spectre and Meltdown and ravaged every American cloud system already, after doing the same with the "Intel Management Engine backdoors."

In reality, US law will prevent computer network operators from running these sorts of missions on US cloud infrastructure. Overseas, it's a different story. Non-US persons do not enjoy the same sorts of privacy protections as US persons. Therefore, the more "domestic" (non-American) the foreign target, the better. For example, if the IC identified a purely Russian cloud provider, it would not be difficult for the USG to authorize a Spectre-Meltdown collection operation against that target.

I have no idea if this is happening, but this was one of my first thoughts when I first heard about this new attack vector.

Bonus: it's popular to criticize academics who research cybersecurity. They don't seem to find much that is interesting or relevant. However, academics played a big role in discovering Spectre and Meltdown. Wow!

Analyzing the Malware Analysts – Inside FireEye’s FLARE Team

At the Black Hat USA 2016 conference in Las Vegas last week, I was fortunate to sit down with Michael Sikorski, Director, FireEye Labs Advanced Reverse Engineering (FLARE) Team.

During our conversation we discussed the origin of the FLARE team, what it takes to analyze malware, Michael’s book “Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software,” and the latest open source freeware tools FLOSS and FakeNet-NG.

Listen to the full podcast here.