NCSC - Weekly Threat Report 22nd June 2018

This report is drawn from recent open source reporting. 

Football or Phishing?

At least two phishing campaigns are taking advantage of this year’s football World Cup.

Fraudsters are attempting to exploit fans’ eagerness to keep up with the games and the results in the expectation that fans might click on links more readily.

Phishing emails are reported to be sending fixture schedules and results mappers to fans, but the links are loaded with adware and malware.

In another example, fraudsters are offering a pair of Adidas shoes in exchange for completing a survey. The victim is then redirected to a fake Adidas website asking them to pay a small fee to receive the shoes (and an ongoing monthly charge, which is hidden in the small print).

The fake Adidas site uses homographic web links, where a character is replaced by a similar looking symbol:

  • Example 1: www. thisisarealwebsite .org.com
  • Example 2: www. thisisarea|website .org.com

The letter ‘l’ in the second website name is a symbol, but at a quick glance it is not immediately obvious. Fraudsters are increasingly using this technique and we advise readers to study web links carefully before clicking on them.
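An added example (not part of the original report) of the kind of check a mail gateway or link-scanning tool can apply to such links: it extracts the host, flags characters that do not belong in a plain hostname, and reduces the host to what a reader would see so that a lookalike of a trusted name is caught. The trusted list and the confusable table are constructed for this example; production tooling should use the Unicode confusables data (UTS #39).

```python
"""Flag links whose host looks like a trusted site but is not.

Added example for the homograph technique described above; not NCSC code.
"""
import string
import unicodedata

# Characters that may legitimately appear in an ASCII hostname.
ALLOWED = set(string.ascii_lowercase + string.digits + "-.")

# Constructed lookalike map (a small subset): character -> letter it imitates.
CONFUSABLES = {
    "|": "l", "1": "l", "0": "o", "\u0131": "i",               # pipe, digits, dotless i
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic lookalikes
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",
    "\u200b": "", "\u00ad": "",                                  # zero-width space, soft hyphen
}


def hostname_of(link: str) -> str:
    """Extract the host part of a link by hand, so odd characters are kept
    rather than rejected or normalised away. Whitespace is dropped because
    mail clients sometimes break long links (as in the report's examples)."""
    link = "".join(link.split())
    if "://" in link:
        link = link.split("://", 1)[1]
    host = link.split("/", 1)[0].split("?", 1)[0].split("#", 1)[0]
    if "@" in host:                       # drop any user:pass@ prefix
        host = host.rsplit("@", 1)[1]
    return host.split(":", 1)[0].lower()  # drop any :port suffix


def skeleton(host: str) -> str:
    """Reduce a host to what a reader *sees*: compatibility-normalise,
    replace each lookalike with the letter it imitates, and fold 'rn'
    into 'm'. Hosts with equal skeletons are interchangeable at a glance."""
    folded = unicodedata.normalize("NFKC", host)
    folded = "".join(CONFUSABLES.get(ch, ch) for ch in folded)
    return folded.replace("rn", "m")


def analyse(link: str, trusted: set) -> dict:
    """Return the host, a list of findings, and the trusted host it imitates (if any)."""
    host = hostname_of(link)
    findings = []

    odd = sorted({ch for ch in host if ch not in ALLOWED})
    if odd:
        names = ", ".join(f"{ch!r} ({unicodedata.name(ch, 'unnamed')})" for ch in odd)
        findings.append(f"characters not valid in a plain hostname: {names}")

    imitates = None
    if host not in trusted:
        skel = skeleton(host)
        for t in trusted:
            tskel = skeleton(t)
            if skel == tskel or skel.endswith("." + tskel):
                imitates = t
                findings.append(f"looks like trusted host {t!r} but is not it")
                break

    return {"host": host, "findings": findings, "imitates": imitates}


if __name__ == "__main__":
    TRUSTED = {"www.thisisarealwebsite.org.com"}   # constructed allow-list
    for link in ("www. thisisarealwebsite .org.com",
                 "www. thisisarea|website .org.com",
                 "https://www.thisis\u0430realwebsite.org.com/login"):
        print(analyse(link, TRUSTED))
```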

The NCSC has further information on how to protect yourself from phishing scams here. Keeping your antivirus software up to date will, in most cases, help identify any malicious files that you attempt to download. For further support, please read 10 Steps to Cyber Security.
 

Is your device earning money for cyber criminals?

Recent reports have suggested a substantial increase in ‘cryptojacking’, where cyber criminals install malware onto a victim’s devices and use them to mine cryptocurrency.

Cryptojacking malware is reportedly becoming harder to detect and sometimes operates only at times when the device is not normally in use, and thus remains undetected.

This type of malware is increasingly being found on devices across multiple sectors and is evolving to use the processing power of internet-connected devices, such as TVs. Some aggressive mining malware has also been found to damage devices.

In response to the increase in cryptomining, Apple has recently introduced App Store guidelines prohibiting it. It is uncertain whether other providers will follow.

Cryptomining malware is a low-cost method of earning money and cyber criminals will almost certainly continue to develop and adapt it, as long as cryptocurrencies are of value.

To prevent the installation of criminal malware, please follow the NCSC’s advice and guidance.


Attackers target cryptocurrency software

On 15 June, Syscoin, a cryptocurrency that advertises its instant transactions, announced that its GitHub account had been compromised just under a week earlier.

An unknown user had uploaded a modified version of the program containing malicious code. The software was otherwise identical to the original program but was detected by Windows Defender SmartScreen due to its lack of signature. As the code had been modified it was no longer recognised as legitimate and designated as being from an 'unknown publisher'.

GitHub consequently advised developers of cryptocurrencies and other software to implement two factor authentication (2FA) on their accounts where possible. Developers were also advised to check the integrity of published software on repository sites.

Users should be cautious when downloading from online sources. It is good practice to maintain up-to-date antivirus software and avoid software from unknown publishers.

The number of systems infected by the malicious code – and the exact method used to compromise the account in this instance – are not known. The account breach demonstrates the continuing threat posed to cryptocurrency software by attackers exploiting the cryptocurrency boom.

The NCSC has issued guidance on 2FA, password management, mitigating the threat of malware and identity authentication.

The NCSC website also maintains a general guide on measures to improve security online.


Good cyber hygiene can help fend off LokiBot

Fraudulent account activity and identity theft are some of the most common threats on the internet. Cyber criminals often use credential-stealing malware to obtain usernames and passwords.

Armed with a victim’s credentials, criminals can access their online accounts, including social media or online banking, most often with the intent of making fraudulent payments.

LokiBot, one type of credential-stealing malware, can harvest credentials from browsers, file transfers and even cryptocurrency wallets, and is primarily distributed through malicious Microsoft Office documents attached to spam emails.

Good cyber hygiene is important in mitigating malicious software such as LokiBot, and users should ensure they apply recommended security updates and use antivirus software.

Additional security features such as the use of two factor authentication (2FA) for online accounts significantly reduces the risks users face.

Members of the Cyber Information Sharing Partnership (CiSP) can view the advisory.


NCSC Guidance Notice - Increased Cyber Threats: Security steps to take

Measures to protect and prepare your systems in the face of heightened cyber security threats 

This guidance outlines the security steps that your organisation should take in response to an increased threat of cyber attack. It’s aimed primarily at larger organisations, but the advice here is relevant to anyone who feels their systems may be targeted by cyber attack.

So, whether you hold customer data, maintain an online service or simply rely on digital services to keep your business running, these steps will help you to avoid the consequences of a successful cyber attack. And if the worst comes to the worst, they’ll help you determine what went wrong and recover quickly.

The advice we give here selects some priority measures from the comprehensive collection of cyber security advice on our website.


Increased cyber threats

How will you know if you are at an increased risk of cyber attack? There are many sources of information on this subject, including the mainstream media. There are also a number of commercial and industry-specific information-sharing resources, as well as the CiSP platform detailed below.
 

Steps to take now:

If you are concerned about the possibility of your organisation coming under cyber attack, the NCSC recommends three actions that you should undertake immediately:

1. Your organisation should undertake a readiness review and identify:

  • all available sources of logging
  • where those logs are stored
  • how long those logs are retained
  • who has access to them
  • that logging events are currently being generated

2. You should review your Denial of Service protection for key platforms, including websites and any digital services you offer.

3. Your organisation should sign up to the Cyber Information Sharing Partnership (CiSP), giving you access to valuable threat information, from your peers and official sources, all in a secure environment. The registration process isn’t instant, so start the sign-up process now.

These measures will help in the detection of cyber attacks and give you some front line protection against Denial of Service (DoS) attacks.
 

Steps to take in the coming weeks:

1. Improve Defences

The NCSC’s 10 Steps to Cyber Security gives you a comprehensive overview of the areas you need to consider when looking to improve the defensive posture of your organisation’s IT. A few notable areas for consideration are:

  • Your organisation should review its asset and vulnerability management processes and ensure they are in line with the NCSC advice. Where a service is found to be vulnerable and/or not required for business purposes, consider disabling it.
  • Administrators should use ‘normal’ accounts for standard business use. Highly privileged administrative accounts should not be used for high risk, or day to day user activities such as web browsing and email.
  • Create and maintain a whitelist of authorised applications that can be executed. Systems should be capable of preventing the execution of unauthorised software by employing process execution controls. The NCSC has published advice on how to do this on End User Devices.
     

2. Improve detection capability

Your organisation should securely store and have ready access to logs. We recommend storing key identifying information for three months. It helps to store logs for longer if you can, as this gives you a greater capacity for analysing attacks which may have gone undetected for some time. The logs that should be stored will vary according to the details of your IT estate.

It is important to log events, even if you have no proactive capability to examine them.

If there is a suspected incident the logs will:

  • make it easier to prove an attack has taken place
  • provide detail of how an attacker got into your system and what they were able to access (this information will make remediation more effective)
  • allow the NCSC to release Indicators of Compromise (IOCs) such as malicious IP addresses or email addresses. These can be used by other organisations to identify whether they have also been targeted
     

3. Improve response capability

Review your backup policy and ensure a systematic approach is implemented. The ability to recover your system from archived data should be tested.

Full packet capture is regularly requested as part of Incident Response. Consider how you would go about performing this on your organisation’s internet connection(s) and take action now to facilitate future packet capture. Identifying how to do this after a breach will delay effective response.

The NCSC is regularly notified of malicious activity observed ‘in the wild’ and operates a service to inform registered network owners. To enable this service, you need to contact incidents@ncsc.gov.uk who will supply you with a form to complete with your organisation’s details. 

Make sure your staff are familiar with your organisation’s incident management plan and, if necessary, ensure that arrangements are in place to bring in additional technical expertise. The NCSC has a list of certified Cyber Incident Response companies.


If an incident occurs

Please report incidents to the NCSC 24/7 Incident Management team if the following applies:

  • Significant loss of data, system availability, or control of systems
  • Unauthorised access to or malicious software present on IT systems.


Business as usual

Though the measures outlined above are essential first steps towards healthy cyber security for your organisation, they may entail some effort to put in place, and even some disruption to your usual operations. You should take this into account when putting them into action.

You should also ensure that you continue with any planned upgrades, patching regimes and security enhancements in line with the NCSC’s existing guidance.


NCSC - Weekly Threat Report 18th May 2018

It’s not just production that needs securing

Most large companies will use an online development environment to build and test code prior to deployment on outward and inward facing networks.

Much of the code found in development environments is sensitive and critical to running and managing a business. The unauthorised disclosure of code could allow cyber actors to identify exploitable weaknesses.

Recent open source reporting has highlighted a compromise of a company’s development environment, resulting in unauthorised access to two million lines of code, application programme interfaces and secret access keys to Amazon Web Services.

A security researcher allegedly gained access to the development environment because both the username and password were set to “admin”, which was most likely the default setting for the environment.

The latest incident follows other reported incidents involving insecure repositories and third-party storage solutions, where users failed to change the default settings and/or configured the environments incorrectly, and subsequently exposed large volumes of sensitive data.

The failure to secure development environments poses a number of threats to an organisation including:

  • Stealing of sensitive information (such as encryption and access keys, passwords, knowledge of security controls or intellectual property)
  • An attacker embedding malicious code in your project without your knowledge
  • Using a compromised development device as a proxy to further attack your build and deployment pipeline, through to production
  • Understanding how your sensitive applications work - a first step in the planning of an attack

The NCSC has previously issued guidance on securing development environments as well as approaching enterprise technology with cyber security in mind.


GDPR-inspired phishing scams

The imminent arrival of the new EU General Data Protection Regulation (GDPR) has gifted scammers with a new hook for sending phishing emails.

Many internet users are now receiving emails from organisations that they have online dealings with, explaining the new regulations and asking them for permission to carry on storing their information.

Scammers have taken advantage of this to send fake GDPR-themed emails in an attempt to spread malware or steal personal data.

Apple customers, for example, have been sent a link advising users that their accounts had been “limited” due to unusual activity and then asking them to update their security information.

Users are then directed to a fraudulent webpage where they are asked to input security information. Once this has been completed, users are then directed back to a legitimate Apple web page.

The scammers also used Advanced Encryption Standard (AES) protocols when directing users to the page controlled by them, bypassing anti-phishing tools embedded in some antivirus software.

GDPR comes into effect on 25th May 2018, so the scammers have a short window in which to use GDPR as cover for their activities.

The NCSC has published phishing guidance, and you can also read the GDPR security outcomes that have been developed by the NCSC and the Information Commissioner's Office (ICO). The ICO is the UK's supervisory authority for the GDPR and has published a lot of helpful guidance on its website.


NCSC - Weekly Threat Report 20th April 2018

This report is drawn from recent open source reporting. 

Cyber criminal groups identified on social media

Last week Facebook deleted around 120 private discussion groups - equating to more than 300,000 members - that were promoting a host of illicit cyber criminal activities, including spamming, selling stolen debit and credit account credentials, phony tax refunds, DDoS-for-hire services and botnet creation tools.

The groups had reportedly been operating on Facebook for an average of two years, although some had been in operation for up to nine years. The deletions were a result of analysis work carried out by a cyber security researcher using common terminology for this type of activity and it is likely that there are many more sites of this nature on Facebook and other social media platforms.

The use of social media to advertise illicit goods and services is perhaps not as well reported as the use of darknet criminal marketplaces (such as Alphabay and Hansa that were taken down by law enforcement last year) but it is of no surprise that criminals will seek to utilise whatever means available to peddle their wares.

From past experience, Facebook’s deletion of these groups is unlikely to have a long term impact, as the activity will likely be displaced elsewhere, or the groups will use names that are less obviously associated with cyber crime, to make their detection more difficult.


Airline database hacked by disgruntled former employee

A former employee at the Alaskan airline PenAir hacked her previous employer’s flight reservation system in an apparent retaliation for being fired.

Before leaving the company the individual created a fictitious user profile with escalated privileges to enable future system access. She then used this fictitious account to block other users’ access and to delete critical data.

In a second attack she also deleted seat maps used to allocate passenger seats. PenAir realised their data had been disrupted and worked through the night so that service was resumed by the morning with no impact to customers.

Identified following an FBI investigation, the individual pleaded guilty to the charges against her and was charged with carrying out fraud in ‘connection to computers’.

User privileges should always be managed and reviewed regularly. The principle of ‘least privilege’ should be followed. The NCSC has released guidance for managing user privileges as part of our 10 steps to Cyber Security: 10 Steps: Managing User Privileges.
 

Thai mobile operator in reported data breach due to poor cloud security

TrueMove H, a major mobile operator in Thailand, suffered a data breach involving the personal data of around 46,000 customers, including images of identity documents such as driving licences and passports.

A security researcher uncovered the breach using open source tools to scan for publicly accessible information on misconfigured Amazon Web Service Simple Storage Service (AWS S3) buckets, a popular cloud storage solution. The researcher claimed there was no security protection for the files and therefore all he needed to gain access to the data was the URL.

The default setting for S3 buckets is 'private'. AWS best practice is to never open access to the public and to control access to S3 resources using a combination of Access Control Lists (ACLs) and bucket policies.
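As an added example of the check that best practice implies (this is not NCSC or AWS code), the small Python linter below flags bucket-policy statements that grant access to an anonymous principal, and runs over a constructed world-readable policy beside a corrected one. The bucket name, account id and role name are assumptions made up for the example.

```python
"""Flag bucket-policy statements that grant access to everyone.

Added example for the S3 misconfiguration discussed above; constructed
policies, not a real bucket's configuration.
"""
import json

# Weak setting: anyone who knows the URL can read every object.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowEveryone",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-customer-uploads/*",
    }],
})

# Corrected setting: only one named role in the (made-up) account may read
# objects, and a Deny statement refuses any request not made over TLS.
# The Deny uses Principal "*" too, which is why the check looks at Effect.
RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowAppRole",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111111111111:role/uploads-reader"},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-customer-uploads/*",
        },
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::example-customer-uploads",
                "arn:aws:s3:::example-customer-uploads/*",
            ],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
})


def _as_list(value):
    """IAM policy JSON allows a single string wherever a list is accepted."""
    return value if isinstance(value, list) else [value]


def is_anonymous(principal) -> bool:
    """True for the principal forms that mean 'anyone': "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_grants(policy_json: str) -> list:
    """Return one record per Allow statement whose principal is anonymous.

    A statement carrying a Condition is still reported, marked conditional,
    because only a reviewer can judge whether the condition (for example a
    source IP range) genuinely narrows it; one with no condition is public."""
    policy = json.loads(policy_json)
    hits = []
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow" or not is_anonymous(st.get("Principal")):
            continue
        hits.append({
            "sid": st.get("Sid", "<no Sid>"),
            "actions": _as_list(st.get("Action", [])),
            "resources": _as_list(st.get("Resource", [])),
            "conditional": bool(st.get("Condition")),
        })
    return hits


if __name__ == "__main__":
    for name, policy in (("public", PUBLIC_POLICY), ("restricted", RESTRICTED_POLICY)):
        grants = public_grants(policy)
        print(f"{name}: {len(grants)} anonymous Allow statement(s)")
        for g in grants:
            print("  ", g)
```

Bucket ACLs are a separate mechanism from the policy document and need their own check; this linter covers the policy only.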

The NCSC advises that anyone seeking to exploit the benefits of cloud storage solutions should ensure that the security of the data is a prime consideration.

If you're using or considering using Cloud technology, we recommend reading the NCSC's Cloud Security Collection and Implementing the Cloud Security Principles.
 

Attacker dwell time on victim networks still too long

Security company Mandiant's latest M-Trends report has revealed there are, on average, 101 days between an attacker compromising a system and the victim detecting the compromise, with this increasing to 175 days for companies in Europe, the Middle East and Africa.

While this is a decrease from 416 days in 2011, the current dwell time means attackers still have ample time to achieve their goal.

Attackers are always developing new and improved ways of committing network intrusions, leading to data breaches, but often they are looking for the most simple weaknesses in our defences. Following basic cyber security good practice can prove effective in preventing such breaches from happening.

The NCSC’s Cyber Essentials scheme provides relevant advice to help improve network security, alongside 10 Steps to Cyber Security.


NCSC - Weekly Threat Report 9th March 2018

This report is drawn from recent open source reporting. 

Largest reported DDoS attacks mitigated 

The largest ever reported Distributed Denial of Service (DDoS) attack occurred in early March 2018, according to Netscout Arbor. A peak of 1.7 Terabits per second (Tbps) was recorded, although the attack was mitigated. This followed a recent attack against GitHub on 28 February, with a peak of 1.35 Tbps. The largest known attack previously took place in 2016 against the US DNS provider Dyn, which peaked at 1.2 Tbps.

The method used for these attacks is known as a ‘memcached server DDoS’. Memcached servers hold in memory data that applications would otherwise have to fetch from external databases. Large companies often use memcached servers to speed up their services and cope with high demand. When memcached servers are openly accessible over the internet via the User Datagram Protocol (UDP), they can be used to significantly amplify traffic.

The attackers ‘ping’ a server with a small packet of data so that the memcached server replies to the victim with a response up to fifty thousand times the size of the original packet. Without mitigations such as filtering or network management, this could easily cause a service to go offline. Whilst the vectors were different in the 2016 Dyn attack, that incident demonstrates the potential ramifications when other services depend on the targeted service; for more information, see the NCSC Weekly Threat Report 24 October 2016.

In the attack against GitHub, there has since been reporting of a ransom demand embedded in the data payload, demanding a payment of 50 Monero (worth approx. $15,000). There are also suspicions among various mitigation service providers that this method of amplification has now been adopted by DDoS-as-a-Service providers.

These latest DDoS attacks were mitigated, but further attacks may occur. The NCSC has previously provided DDoS advice regarding understanding the threat of attacks and also response and recovery planning. There is also a detailed catalogue of NCSC DDoS guidance.


NCSC - Weekly Threat Report 5th January 2018

'Meltdown' and 'Spectre' vulnerabilities to microprocessors

Reports of new security flaws affecting microprocessors called ‘Meltdown’ and ‘Spectre’ surfaced this week. Processors in most devices employ a range of techniques to speed up their operation, and the vulnerabilities allow some of these techniques to be abused to obtain information about areas of memory not normally visible to an attacker. As a result, normally difficult actions - such as recovering passwords - are theoretically made easier.

However, an attacker would still need to run code on a device. Access would typically be gained via well-known means, such as phishing attacks or browsing malicious websites. At this stage there has been no evidence of any malicious exploitation and patches are being produced for the major platforms. The NCSC has proactively advised that all organisations and home users continue to protect their systems from threats by installing patches as soon as they become available, and has recommended that home users enable automatic updates so future security measures are installed.

Further advice for enterprise administrators and home users can be found on this website.
 

Cyber-enabled fraud: an increasing threat for 2018

Media reporting highlights an alleged attempt by hackers to steal funds from Russian bank Globex. The hackers appear to have used legitimate credentials to access the SWIFT international payment system to attempt fraudulent wire transfer requests valued at 55 million roubles (c. £700,000).

This attempted theft highlights that poor end user security is still a problem for some global financial institutions.

Increasingly, cyber thieves are attempting to harvest legitimate login credentials, and then commit fraudulent activity using the accesses that these legitimate credentials provide. Most notoriously, around US $81 million was stolen from Bangladesh Bank in February 2016.

Analysis of the Bangladesh Bank theft indicates that the hackers responsible likely implanted malware into the bank’s servers to steal legitimate SWIFT credentials, which were then used to conduct the fraudulent transactions.

Most organisations in the UK finance sector will have sufficient cyber security measures in place to protect against the type of fraud that occurred against the Bangladesh and Globex banks. However, globally, this trend of cyber-enabled fraud, which seeks to acquire and then abuse legitimate credentials, is likely to continue throughout 2018, and it is likely to be attempted against UK organisations across all sectors.
 

Cyber attack forces US hospital offline

The Jones Memorial Hospital in the US state of New York was hit by a cyber attack this week impacting some of its information services. The hospital stated that they used standard computer downtime procedures in response, and they believe no patients’ financial or medical information has been compromised.

The exact cause of the incident was not revealed, although similarities can be drawn to previous ransomware attacks against healthcare providers in the US. While all sectors are vulnerable to such attacks, healthcare organisations in the US are more likely to be specifically targeted by cyber criminals because they operate privately, for profit and have a high reliance on access to data. As a result, these organisations also tend to have appropriate response and backup procedures in place, enabling them to limit the operational and financial impact of cyber attacks.

The NCSC has published guidance on how to prevent a ransomware incident and what to do if your organisation is infected.


NCSC - Weekly Threat Report 03 November 2017

Fake speeding notices deliver malware

Police forces around the UK are warning motorists not to be taken in by a phishing email falsely informing them that they need to pay a speeding fine. The realistic-looking email, entitled ‘Notice of Prosecution’, claims to have ‘photographic’ evidence, but clicking on the associated link will upload banking malware to the victim’s device.

The email appears official, with the logos of either the local police force or ‘gov.uk’, but there are several features that indicate that it is fake. Spelling and grammatical errors are fairly obvious, and the speed at which the vehicle was allegedly caught is unrealistic, e.g. travelling at 89mph in an area with a 25mph speed limit. Phishing emails rely on several factors to be successful, including evading spam filters, the appearance of credibility, and being able to make the recipient take action immediately.

The police have advised that any ‘Notice of Prosecution’ would be posted to the vehicle owner’s address and never sent in an email. They also advised people to delete the email without clicking on any links.


Code-signing certificates worth more than guns on the Dark Web

An investigation by a company specialising in identity protection solutions into the sale of code-signing certificates on the Dark Web suggests they are selling for up to $1,200, making them more expensive than fake driver’s licences, stolen credit cards, commissioning a targeted cyber attack, or even buying a handgun. This relatively high price presumably reflects customer demand.

This is not the first time that security researchers have highlighted the issue of stolen or fraudulently obtained code-signing certificates. Since at least 2011, they have noted a trend for both cyber criminals and APT cyber actors to sign their malware using stolen or fraudulently obtained certificates to bypass security measures. Signed code tends to be treated as trusted and some operating systems will flag up, or refuse to run, code that is not signed.

Over the years, attackers have managed to sign their malicious executables with certificates obtained by a variety of methods – reportedly stealing them from technology companies (including some well-known names), penetrating the networks of companies and using their signing facilities, or applying for certificates in the names of fake companies or real companies who have no need for them. As far back as 2010, the destructive worm Stuxnet included components that were signed with stolen certificates. More recently, the cyber actors who corrupted an update of clean-up tool CCleaner managed to get the update signed.

Amongst other things, this highlights the fact that, when attackers do manage to penetrate a network, they will often seek out things that facilitate further intrusions – like passwords (not only password caches, but sometimes also emails containing passwords or access codes), cookies, digital certificates and keys. System administrators should make sure they know where these are located.


The Dark Overlord – Systematic cyber-enabled extortion

A cyber crime group called ‘The Dark Overlord’ has claimed responsibility for conducting cyber-enabled extortion campaigns in recent weeks. Victims include a London-based plastic surgery clinic and a Hollywood production studio, both of which are believed to have a number of high-profile clients. The group has a history of hacking organisations to obtain sensitive information before demanding money in exchange for not leaking it into the public domain. They leak snippets of data to the media to encourage them to report on their activity. This is aimed at “proving” that a breach has taken place, and increases the pressure on the victim to pay the ransom. ‘The Dark Overlord’ has been responsible for indiscriminately targeting health institutions, schools and media production companies over the last year.

Any organisation that deals with sensitive personal information (e.g. medical institutions, law firms) is at a higher risk of being targeted, and owes a particular duty of care to its clients because of the risk of severe emotional distress if client data is made public.  Whilst evidence of the stolen data is often provided, the volume and sensitivity of the data may be exaggerated to maximise impact. This may inspire other cyber extortionists to adopt a similar methodology, especially as new opportunities present themselves due to an increasing amount of sensitive data being stored online. Any data breach and the associated media exposure may cause significant reputational damage and loss of business.


NCSC - Weekly Threat Report 27th October 2017

Bad Rabbit Ransomware

This week, ‘Bad Rabbit’ ransomware infections have been reported in countries including Russia, Ukraine, Bulgaria, Turkey, Germany and Japan. The NCSC has not received any reports that the UK has been affected by this latest malware attack. The majority of infections have been in Russia, where media organisations were worst affected. Russia’s Interfax News Agency suffered outages to several of its services, including its news portal. Ukrainian victims included the Ministry of Infrastructure, Odessa airport and Kiev metro.

Bad Rabbit asks victims to pay 0.05 Bitcoin (currently worth approximately £210) to restore their files. A small number of transactions are reported to have been made, although these are unconfirmed, and it is currently unknown whether paying the ransom leads to decryption of files. The infection vector is believed to be via certain compromised media websites in the affected regions, which ask the user to execute a fake Adobe Flash Player update. Researchers including FireEye and CrowdStrike have identified several links between Bad Rabbit and the NotPetya ransomware, including the use of similar JavaScript code to redirect victims. While claims have been made that Bad Rabbit made use of the EternalBlue exploit leveraged by WannaCry and NotPetya, these have been widely refuted; subsequent claims have been made that the EternalRomance exploit was leveraged.

It is currently unclear who is responsible for this ransomware. NCSC technical analysis is ongoing to provide more clarity on technical indicators. There are no reported UK victims to date. Nevertheless, it should be noted that UK organisations would be vulnerable were they to visit any of the infected websites. In the case of NotPetya for instance, a number of UK organisations were infected. The NCSC has provided some mitigation advice in its public statement, highlighting the importance of patching, using proper antivirus services and having effective backup procedures. In addition to this, Bad Rabbit makes use of a set of hard-coded username/password combinations in order to attempt to spread to SMB shares on the local network. Organisations should ensure that these username/password combinations do not exist anywhere on their network, and in general that they follow good password practices.

Is Reaper the new Mirai?

In September, cyber security firms reported the discovery of a new botnet that targets vulnerable internet-connected devices and could already have infected millions of them.

The botnet (named variously ‘IoTroop’, ‘IoT_reaper’ or ‘reaper’) has been targeting a number of known vulnerabilities found in popular device brands, including internet-connected cameras and Wi-Fi routers.

Reaper is being compared to the Mirai botnet, which caused serious disruption to the Dyn domain name server provider and thousands of customer websites in October 2016. Some of Reaper’s code is reportedly similar to Mirai; however, researchers believe Reaper has many more capabilities than Mirai and the potential to cause a lot more damage. The fast rate at which Reaper has been infecting devices is also concerning, and the attacker appears to be updating the malware regularly.

The purpose of the Reaper botnet is currently unclear as it does not yet appear to have been used for malicious purposes. It is possible that, like the Hajime botnet identified earlier this year, there will be speculation that it has been developed to stop vulnerable devices being harnessed for malicious activity, but it would be best to assume the worst until proven otherwise.

Ensuring your devices are fully patched and limiting access to these devices will help protect from compromise. For further advice see our 10 steps to cyber security.

Washington Cyber Conference reportedly targeted by hackers

The International Conference on Cyber Conflict (CyCon) will be held 7-8 November in Washington and will host a high-level gathering of NATO and US military cyber experts.

A recent Cisco report has highlighted that this conference has been targeted by cyber actors known as ‘APT28’ and ‘Fancy Bear’. Cisco report that this actor has modified an existing Microsoft Word flyer publicising the conference, added reconnaissance malware to it and has conducted an email campaign to infect potential victims. The modified document contains an embedded Visual Basic for Applications (VBA) macro which is executed when the document is opened and automatically installs the malware. Running any macro within any externally produced Microsoft Word document will usually generate a warning which must be explicitly approved by the user. However, the user is more likely to override the warning and execute the macro if the malware-bearing email appears to be from a legitimate contact.

Word and PDF documents are one of the most common ways to spread malware, so, as a security measure, Microsoft deliberately turned off auto-execution of macros by default many years ago. Many current malware infections rely on persuading the user to turn macros back on. We assess with high confidence that cyber actors will likely continue to use creative and current specialised topics to compromise targets. It is likely that this campaign has been targeting people linked to government/military cyber security.


NCSC - Weekly Threat Report 20th October 2017

KRACK – a fundamental flaw in Wi-Fi security

Security researchers from Belgium have found that the majority of Wi-Fi connections are potentially vulnerable to exploitation because of a fundamental weakness in the wireless security protocol – WPA2. The exploit is called “KRACK”, which is short for Key Reinstallation Attack. Reports suggest that at most risk are Linux operating systems, Internet of Things (IoT) devices and 41% of Android devices. However, many of these, especially IoT devices, may never get patched.

For further detail on this flaw, please see our KRACK guidance and the latest blog.

Swedish transport networks hit by DDoS attacks

Media reported last week that trains were delayed in Sweden after the transport sector was successfully targeted by a series of DDoS attacks. On 11 October, two communication service providers serving the Swedish Transport Administration (Trafikverket) were hit by a DDoS attack, reportedly causing the Trafikverket’s train management system to go down for several hours. Consequently, manual procedures had to be used to handle rail traffic, resulting in delays for the rest of the day. The company also had to resort to using Facebook to keep customers updated, as its email system and website were also unavailable. The following day, DDoS attacks targeted the Swedish Transport Agency (Transportstyrelsen) and a public transport operator serving Western Sweden (Västtrafik). The impact of these attacks was less severe, briefly affecting web services including ticket booking.

Some media reports speculate that a state-linked actor may have been responsible; however, investigations into the incidents continue. Overall, the case highlights how transport firms can be impacted by attacks on third party service providers (in this case, Trafikverket’s communication service providers).


Cyber-enabled intimidation of NATO personnel in Baltics

According to open source reporting, advanced surveillance techniques (possibly including drone monitoring and/or IMSI grabbing) are being used to pull data from personal smartphones of NATO personnel despite warnings not to use them following previous incidents.  There are accounts of personnel then being approached in public by individuals who convey details pulled from smartphones – in one example details about the personnel’s family.

This is not the first time NATO personnel operating in Europe have reported call interference or unusual behaviour by their mobile phones. Mobile devices operating over the public telephone system are susceptible to exploitation, including interception of communications or tracking of the user. The capability to mount operations against personal electronic devices, including the use of rogue cell towers, is within the technical and financial reach of well-resourced threat actors. However, the more recent reporting is different, as exploitation of devices has been followed up by personal approaches.

It is almost certain that personal mobile devices will increasingly become targets for a wide range of threat actors due to the amounts of personal information they hold, which is useful for espionage, targeting and criminal purposes. Personal mobiles are susceptible to a range of compromise vectors and have widely varying levels of cyber hygiene. This threat could expand beyond NATO personnel to businesses operating in the region or individuals traversing these areas on business or personal trips.


NCSC - Weekly Threat Report 23rd June 2017

This report is drawn from recent open source reporting.

Fake airline websites distributed by social media

Scammers are using the brands of major global airlines to lure users to fake websites and then encourage them to share links to the sites with friends. When a user clicks through to the sites they are prompted to answer a few simple questions and provide personal information to get free flights. Once they give away their name, email, phone, date of birth and address, they are told they will receive the flights only once they ‘like’ and share the page on Facebook, spreading the fake sites to new victims.

According to threat researchers, cyber criminals were observed registering 95 fake websites in late March using the brands of 19 major airlines, including ones based in the UK.  The personal details provided by the victims are used for fraudulent marketing purposes, namely to drive traffic to websites that provide online promotions and monetisation of web and mobile applications. Fraudsters, like marketing managers, often leverage an effective freebie strategy (gifts, prize draws etc.) to attract public attention.

In the run up to the summer holidays, this cyber-enabled fraud may lead to lost custom and reputational damage for the airlines. The use of social media to distribute fake websites is likely to continue to increase. It is not limited to airlines and could affect any well-known brand.  There also remains a risk that malicious actors could modify the scheme and use such sites to distribute malware to victims. For guidance see the NCSC’s 10 Steps: Malware Prevention.


NCSC - Weekly Threat Report 26th May 2017

This report is drawn from recent open source reporting.

Russian government reaction to cyber criminals

This week Russia revealed it had arrested a cyber crime gang in November last year for a campaign that raised nearly USD 900,000. The gang was nicknamed ‘Cron’ after the malware it used, which infected over a million Android mobile devices of Russian bank customers. Users unwittingly downloaded the malware via fake mobile banking apps, pornography and e-commerce programmes. The ‘Cron’ gang exploited a Russian bank service which allows users to move small amounts of money to other accounts by sending an SMS message. The criminals sent SMS messages from infected devices instructing banks to transfer funds to their own accounts. According to Group-IB, the Russian cyber security company that worked with Russian law enforcement on the investigation, the ‘Cron’ gang were planning to rent a further piece of malware adapted to target banks in France, Germany, the UK and the US, amongst other unnamed countries.

Fake applications that impersonate a brand or organisation are not new. Purchasing from legitimate sources can reduce the risk of acquiring bogus applications.


Fake malware fixes

WannaCry ransomware may not have generated the wealth the scammers responsible were hoping for but since the attack enterprising criminals have been attempting to cash in on the heightened public awareness of WannaCry. Targeting concerned users, scammers have been offering a range of fake ‘fixes’ and ‘support services’.

This type of social engineering is a common methodology for cybercriminals. Whether viral social media posts, malicious pop-ups or well-crafted phishing campaigns, high profile events such as the WannaCry attack offer cyber criminals a hook to spread malware or to solicit funds.

It’s not only online incidents that criminals seek to take advantage of. Following news of high profile disasters such as Hurricane Katrina in 2005, the 2014 Ebola outbreak and the 2015 Nepal earthquake, scammers set up fake charity websites and sent phishing emails in attempts to steal funds donated to the victims.

Recent examples of scams piggybacking on the WannaCry incident include:

  • Alerts circulating on social media directing users to fake WannaCry patches which deliver malware;
  • A phishing email posing as a BT customer service email which informs the user they are locked out of their BT account and directs them to a malicious link to obtain a ‘security upgrade’ to re-establish full access;
  • Third party app stores offering ‘patches’ for mobile users - despite the fact no mobile operating systems are believed to be vulnerable to WannaCry.

The recent UK Action Fraud alert has more information on specific fraud attempts.

The NCSC guidance page has further information on how to protect against phishing attempts as well as our recent blog on social engineering.


Europol arrest 27 individuals involved in black box ATM attacks

An international law enforcement effort has resulted in the arrest of 27 individuals in connection with a string of successful black box attacks against ATMs across Europe. These attacks are thought to have generated up to EUR 0.5 million for the criminals responsible. Black box attacks are cyber-enabled and involve physically penetrating an ATM’s casing to obtain access to exposed cables and ports. A laptop can then be connected and used to issue instructions to an ATM to cash out its bank notes. These attacks are less sophisticated and more common than cyber-dependent attacks that deploy malware to ATMs remotely, over a financial institution’s network. For more information on the cyber threat to UK ATMs, please see our recent assessment on CiSP.


NCSC - Weekly Threat Report 5th May 2017

This report is drawn from recent open source reporting.

Google and Facebook were victims of Business Email Compromise (BEC) or ‘CEO Fraud’

Google and Facebook have been identified as the victims of an email phishing attack for which a Lithuanian man was charged in March 2017.

The attack relied upon social engineering methods rather than technical intrusion techniques. However, the individual was still able to trick the organisations into transferring over $100 million between 2013 and 2015, highlighting how cyber-enabled social engineering can be effectively used to commit fraud.

The individual posed as a manufacturer which both firms had existing business relationships with, and sent emails which were designed to look like they came from the manufacturer. The emails contained forged invoices and contracts which appeared to have been signed by executives. This is less technically sophisticated than some other cases of BEC whereby the third-party supplier’s legitimate email is compromised and used to request transfers. The phishing emails were highly targeted, sent to Facebook and Google employees who regularly conducted multi-million dollar transactions with the manufacturer the scammer was impersonating.

Large organisations are especially vulnerable to attacks such as this: often suppliers and individuals have less face to face interaction, and therefore may have reduced opportunities to identify bogus or suspicious transfer requests through conversation.

Fraudulent communication to convince organisations to transfer funds is not new; however, it is increasingly common as a low cost, high return crime. Other variations on this attack include:

  • Spear-phishing emails co-ordinated with phone calls confirming the email request
  • Impersonation of trusted partners beyond suppliers, including charities, law firms, think tanks or academic institutions
  • Impersonation of fellow employee emails, either through compromising an account, or creating a similar looking fake address
  • Use of social media to research or make contact with potential victims

The NCSC has previously issued guidance on phishing attacks aimed at senior executives or payment departments.


Facebook outlines plan to combat information operations

Facebook has outlined measures to combat “information operations”, which it defines as efforts conducted by organisations, including governments, to spread misleading information and falsehoods to “distort domestic or foreign political sentiment". Whilst reporting has focused on the potential impact on democratic processes, manipulation of social media could similarly be used to inflict reputational or even financial damage on organisations. An example of this would be the 2013 fake “alert” from one of America’s most trusted news sources, briefly fooling some news outlets into reporting that an explosion had occurred at the White House and causing the Dow Jones to drop 145 points in two minutes.

Facebook has highlighted that information operations extend beyond the creation of “fake” news stories: other activities such as the dissemination and promotion of stolen information, and targeted data collection on individuals have all been noted. Furthermore, the increased circulation of “fake” news stories to a larger audience is regularly achieved through artificial amplification of posts, whereby paid individuals, often using fake accounts, use techniques such as co-ordinating “likes” to boost the prominence of key postings or creating groups that camouflage propaganda by including legitimate items.

Facebook has stated that it will mitigate the artificial amplification of fake stories using machine learning and analysis to identify bogus accounts, which will then be suspended or deleted. For example, Facebook suspended 30,000 accounts in France prior to the first round of the French presidential election.

Vulnerabilities

Mainly platform agnostic/cross platform updates this week, leaning towards Linux and Unix based systems.

Intel released a fix to their Active Management Technology to address a flaw which could allow remote and local users to gain elevated privileges. A mitigation guide has been published here.

IBM released two updates for WebSphere to fix a browser redirect and cross-site request forgery vulnerability, and an update to DB2 to address a bug that could allow a local user to obtain root privileges.

Xen saw a number of updates to fix elevation of privilege bugs.

HPE updated NonStop Server to address a flaw that could allow a remote user to obtain sensitive information, and updated Intelligent Management Center to fix a flaw that could allow for remote code execution.

Elsewhere this week there were updates from Trend Micro to fix cross-site scripting bugs and an elevation of privilege bug. Drupal fixed a flaw that could allow access to the target system, and FreeBSD fixed a bug which could cause the target to reload.

Debian updates this week include LibreOffice, Ghostscript, Freetype, weechat, Libxstream-Java, MySQL-Connector-Java, Tomcat7 and Tomcat8.

ICS updates this week came from Advantech, CyberVision and Schneider Electric.

No individual sector is anticipated to be impacted more than any other this week.


NCSC - Weekly Threat Report 28th April 2017

This report is drawn from recent open source reporting.

Increase in Homographic Phishing Attacks

Recent media reporting highlights a threefold increase in homographic phishing attacks over the past fourteen months.

Homographic attacks have been widely known about for many years, and rely on the fact that there are visual similarities between many different Unicode characters to spoof well-known web addresses using similar-looking Punycode domains. For example, by registering the Unicode domain “www.xn--googl-z8a.com” an attacker would be in control of a web address which will render in browsers as “www.googlė.com”, almost indistinguishable from the real thing.

Moreover, researchers have recently demonstrated that some browsers will display such Unicode domains as if they were made of ordinary ASCII characters. By choosing letters from a single foreign language set, an attacker can register a domain that looks identical to a targeted one when rendered by vulnerable browsers. For example, proving the concept, a researcher recently registered the domain name “xn--80ak6aa92e.com”, which renders as “apple.com”.

Mitigations such as using password managers can help users spot fake websites, and therefore help mitigate this threat. In addition, email anti-spoofing measures can help prevent phishing email attacks from reaching users in the first place.
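As an added example (not part of the report), the Python check below decodes Punycode labels and flags the two cases described above: a label that mixes scripts, and a single-script label whose characters all resemble ASCII letters, which a mixed-script check alone would miss. The lookalike table is constructed and deliberately partial.

```python
import unicodedata

# Constructed, partial lookalike table: Cyrillic and Greek letters that resemble
# ASCII letters in common fonts. A production check would load the full Unicode
# confusables.txt data instead of this hand-picked subset.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u04bb": "h", "\u04cf": "l", "\u03b1": "a", "\u03bf": "o", "\u03c1": "p",
}


def decode_label(label):
    """Return the Unicode form of one DNS label, punycode-decoding 'xn--' labels."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label


def script_of(ch):
    """Script family of a letter, taken from the first word of its Unicode name."""
    if ch.isascii():
        return "LATIN"
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]


def skeleton(label):
    """Map each character to the ASCII letter it looks like: a table hit, or the
    base letter left after stripping diacritics (so 'googlė' becomes 'google')."""
    out = []
    for ch in label:
        if ch in CONFUSABLES:
            out.append(CONFUSABLES[ch])
        else:
            decomposed = unicodedata.normalize("NFKD", ch)
            out.append("".join(c for c in decomposed if not unicodedata.combining(c)))
    return "".join(out)


def analyse(host):
    """Classify a hostname: decoded form, ASCII skeleton, and two findings."""
    labels = [decode_label(lab) for lab in host.split(".")]
    decoded = ".".join(labels)
    skel = ".".join(skeleton(lab) for lab in labels)
    # Mixed-script check: letters from more than one script inside a single label.
    mixed = any(len({script_of(c) for c in lab if c.isalpha()}) > 1 for lab in labels)
    # Lookalike check: what the browser would show differs from a plain-ASCII name
    # it resembles. This catches single-script labels such as the Cyrillic 'apple'.
    lookalike = skel if (skel != decoded and skel.isascii()) else None
    return {"decoded": decoded, "skeleton": skel,
            "mixed_script": mixed, "lookalike": lookalike}


if __name__ == "__main__":
    # The first two are from the report; the last two are constructed inputs.
    for h in ("example.com", "xn--80ak6aa92e.com", "googl\u0117.com", "p\u0430ypal.com"):
        print(h, analyse(h))
```

Run against hostnames extracted from inbound mail or proxy logs, a non-empty `lookalike` is the signal worth alerting on; `mixed_script` alone would not have caught the single-script apple.com example.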


Vulnerabilities

An altogether quieter week than we have seen for a while on the vulnerabilities front. There were a number of updates from Cisco for IOS, ASA, Prime Infrastructure and Prime Network Registrar to fix cross-site scripting attacks, denial of service or target restart vulnerabilities. IBM updated WebSphere and Security Guardium this week to fix escalation of privilege bugs and also updated Domino to fix a remote code execution bug.

Palo Alto fixed an input validation flaw in PAN-OS to prevent cross-site scripting attacks and F5 Networks fixed a denial of service bug in BIG-IP and let users know about a bug in F5 Enterprise Manager which could lead to denial of service conditions, but for which no fix is currently available.

Elsewhere there were updates for Adobe ColdFusion, Apache Batik, Novell NetIQ and cURL/libcurl.

In terms of Debian this week there were updates for MySQL, Python-Django, Icedove/Thunderbird and libav.

Also a quiet week with regard to ICS-specific updates with just two: one for BLF-Tech and one for Sierra Wireless AirLink Raven.


NCSC - Weekly Threat Report 21st April 2017

Hajime – What is the intent of this IoT Botnet?

In October 2016 the security research group at Rapidity Networks discovered new malware, called Hajime, with similarities to the Mirai botnet: it targets Internet of Things (IoT or internet-connected) devices by scanning the Internet for devices with network vulnerabilities and attempts to connect to them using known default username/password combinations. According to Symantec, Hajime is believed to have infected between 130,000 and 180,000 devices worldwide, with Brazil and Iran having the most infections followed by Thailand and Russia. Industry partners have suggested that the number of UK devices infected currently stands at approximately 5,000.

Hajime is being compared to the Mirai malware for a number of reasons, including: similarities between initial infection vectors; the targeting of internet-connected devices; and the use of command and control (C2) servers to communicate and send instructions out to infected devices. Hajime however differs in that it adopts a decentralised approach with a Peer to Peer (P2P) model, where communication and instructions are passed between infected nodes rather than through the more traditional client-server architecture. It is believed that this type of approach makes the malware much more resilient to takedown, as it does not rely on just one central server to control the malware.

The Hajime malware is also different because it doesn’t, as yet, appear to have been used for malicious intent. Researchers have hypothesised that the controllers could be waiting for more devices to be infected before launching an attack. A more recent theory by researchers is that Hajime has been created by ethical hackers who are targeting Mirai-infected devices with Hajime in order to deny the malware any opportunity for harmful activity.

Malware targeting of IoT devices is not new and as these products are becoming more popular amongst consumers, manufacturers and suppliers should be aware of the emerging risks and cyber threats posed when attention is not paid to IoT security.

See the NCSC website for guidance on malware prevention.

Insider steals employer’s proprietary trading code

A computer engineer has been charged with illegally exfiltrating the proprietary algorithmic trading model code from a global financial services firm headquartered in New York, where he worked. The code is used by the firm to generate income by predicting market movements.

From December 2016 to March 2017, the engineer took steps to obfuscate his presence on areas of the company’s network that he was not authorised to access. He used discrete areas of the network to collect over three million files, including unencrypted portions of the algorithmic source code, before exfiltrating it.

The motivation for this activity has not been conclusively reported, nor whether this individual acted alone, or on behalf of another. The tasking of insiders by criminals to exploit access to corporate networks is a common occurrence. But the exfiltration of this particular source code is significant because trading platforms could be manipulated to allow vast amounts of money to be stolen in a single attack. Alternatively the intellectual property (IP) could be sold to a rival company.

Companies can mitigate against the insider threat by adopting security policies that restrict access to the most classified data and by installing alerts that fire when unusual activity is taking place.

Hotpoint service site compromise

Recent reporting by cyber security company Netcraft noted the compromise of domestic appliance manufacturer Hotpoint’s UK and Irish service websites, which has since been confirmed by Hotpoint in a statement via the Register. Customers accessing the service website were reportedly presented with fake Java dialogs which, if clicked, directed users to possibly malicious third party websites, presenting a risk that users could be infected with malware. Netcraft note that the compromise occurred shortly before the Easter weekend, suggesting that this may have been done deliberately to maximise the impact.

According to the company’s statement, no customer data was compromised and the vulnerabilities were quickly resolved. Netcraft suggest that the site’s WordPress installation may have been responsible. The NCSC provides guidance on minimising the vulnerabilities to WordPress, including the recommendation to implement regular security updates of WordPress as well as any plug-ins, only using trusted plug-ins and replacing default or easy to crack passwords.

Vulnerabilities

There have been a large number of updates over the last week, thanks at least in part to Oracle’s quarterly update cycle falling this week. Oracle’s updates affect multiple bugs in many of their products, from PeopleSoft, E-Business Suite, Financial Services and Java SE to MySQL, WebLogic and Solaris.

Both Mozilla and Google released updates to fix multiple vulnerabilities, the most serious of which could allow remote code execution, in their browser products, Firefox and Chrome respectively, and there were three updates for BIND.

Magento saw an update to prevent the uploading of arbitrary files and remote users conducting cross-site request forgery attacks. There were also a number of updates from Cisco for ASA, IOS and Unified Communications Manager. Juniper released a number of updates for Junos.

On the virtualisation front there were updates this week for both VMware and VirtualBox.

Elsewhere this week there were updates for SquirrelMail, WatchGuard, Nessus, Wireshark and MantisBT.

On the Debian side this week saw updates for Firefox-ESR and ICU. ICS specific updates this week came from Belden Hirschmann, Schneider Electric and Wecon.


VULNERABILITY DISCLOSED IN UBIQUITI NETWORKS ADMIN INTERFACE

Ubiquiti Networks, a maker of networking gear for service providers, has since November been dealing with a critical command-injection vulnerability in the administration interface of more than 40 of its products.

Researchers at SEC Consult went public with the issue this week after privately disclosing the flaw to the vendor via its HackerOne bug bounty program. According to a timeline published by the researchers, Ubiquiti initially marked the issue as a duplicate, then promised a patch in a future stable release.

“We take network security very seriously and are in the process of fixing this vulnerability for all products affected,” a Ubiquiti Networks representative told Threatpost.

The company said it has patched 37 of the 44 affected products starting Feb. 3 with an update for airMAX 11ac and patches for the remaining products are imminent.

“Once this update is released, we will inform our customers through a newsletter to remind them to update their firmware,” the representative said. “We are also improving our vetting process for security issue reports to speed up our response time.”

A post to a Reddit thread about the vulnerability from a Ubiquiti employee cited a communication breakdown between the company’s internal ticket on the issue and the initial submission to HackerOne.

“We’re reviewing the process of getting updates from our internal ticket system back to HackerOne reporters, to ensure that doesn’t happen in the future. And making sure all updates back from submitters make it to the appropriate development team,” the post said. “Agree this looks very bad, but I can assure you the optics of this aren’t an accurate reflection of how security issue reports are handled. We did drop the ball in communication here, but it wasn’t due to the issue being ignored.”

As egregious as the four-month wait for a patch was the fact that the root cause of the vulnerability is the use of a 20-year-old PHP script in the interface. According to SEC Consult, the vulnerability lives in the pingtest_action.cgi script, which uses PHP/FI 2.0.1, a version built in 1997.

“The vulnerability can be exploited by luring an attacked user to click on a crafted link or just surf on a malicious website,” SEC Consult said in its advisory. “The whole attack can be performed via a single GET-request and is very simple since there is no CSRF protection.”

SEC Consult previously disclosed the lack of cross-site request forgery and cross-site scripting protection in January. Most of the same Ubiquiti gear was impacted as well, and the vendor told SEC that it considered this a low-risk threat and had no estimate for a patch. The researchers went public with an advisory Jan. 30.

The command injection flaw exposes the Ubiquiti admin interface to a number of risky attacks, SEC Consult said. For example, an attacker could connect to a vulnerable device by opening a port binding or reverse shell, and also change the password because the service runs as root.

“Low privileged read-only users, which can be created in the web interface, are also able to perform this attack,” SEC Consult said. “If the Ubiquiti device acts as router or even as firewall, the attacker can take over the whole network by exploiting this vulnerability.”

The Reddit post, meanwhile, indicates that Ubiquiti is working on patches, and that the vulnerability has been addressed in AirOS 8.0.1, the operating system running in Ubiquiti airMAX products, and that additional patches were imminent.

This article was updated March 17 with comments from Ubiquiti Networks regarding currently available patches.


Intel, Microsoft Announce New Bug Bounties

Intel announced its first bug bounty program, offering up to $30,000 to researchers who find critical vulnerabilities in its hardware.

The invite-only program, which is being run on the HackerOne platform, was announced today at the CanSecWest conference in Vancouver.

Intel said its software, firmware and hardware are in scope for rewards, with critical software and firmware finds being worth $7,500 and $10,000 respectively.

“We want to encourage researchers to identify issues and bring them to us directly so that we can take prompt steps to evaluate and correct them, and we want to recognize researchers for the work that they put in when researching a vulnerability,” Intel said. “By partnering constructively with the security research community, we believe we will be better able to protect our customers.”

Intel announced further pricing for its bounty: up to $10,000 for high-severity hardware bugs, up to $2,000 for medium-severity issues and up to $1,000 for low severity.

High-severity firmware bugs could be worth up to $5,000 while high-severity software flaws could fetch up to $2,500.

Intel said that its Intel Security products, the former McAfee, are not in scope for a bounty, nor are Intel’s web infrastructure, or recent acquisitions.

Microsoft also announced today that it was launching a bug bounty for its Office Insider Builds on Windows.

Insider Builds, Microsoft said, provides users with early access to new Office capabilities and security features. Microsoft said it hopes researchers will test early Office builds for vulnerabilities before they drop into production.

Microsoft said it would pay up to $15,000 for high-severity elevation of privilege vulnerabilities via Office Protected View and for macro execution vulnerabilities that bypass security policies already in place that block macros by default. Other high-severity bugs that enable code execution that bypass Outlook’s attachment block policies will be worth up to $9,000.

The program opens today and will run for three months until June 15.

“The Office Bug Bounty Program complements our continuous internal engineering investments that include designing secure features through threat modeling, security in code reviews, security automation, and internal penetration testing,” Microsoft said.


Patch Tuesday Returns; Microsoft Quiet on Postponement

Patch Tuesday returned today as expected after last month’s postponement with a giant release of fixes that includes patches for vulnerabilities disclosed and exploited since the last set of updates in January.

Microsoft, however, was relatively silent on the reasons why the February updates were suddenly yanked at the last minute. The company pushed out a brief blog post last month explaining only that there was an issue that could impact customers and that could not be resolved in time.

Today, a Microsoft representative sent a less-than-satisfying response to a request for an interview or comments on last month’s postponement: “Our top priority is to provide the best possible experience for customers in maintaining and protecting their systems. We extensively test our updates prior to release and are confident that our systems are working as expected and the issue that delayed the February updates is resolved.”

Since the January updates, Google’s Project Zero research team had publicly disclosed details and proof-of-concept exploits for two vulnerabilities: a code execution flaw in Microsoft’s Edge and Internet Explorer browsers, and a memory leak issue in the Windows GDI library. Another flaw in the SMB file-sharing protocol was also publicly disclosed after it was discovered that the original patch released last year for the bug was incomplete. The Department of Homeland Security released an advisory upon disclosure of the SMB bug, a memory corruption issue which could crash Windows systems.

The worry expressed by a number of experts centered on the time users were exposed and the public availability of proof-of-concept code accelerating in-the-wild attacks.

“While there may not be active campaigns to exploit these issues today, the clock does appear to be ticking,” said Tod Beardsley, senior research director at Rapid7 in a Feb. 23 interview with Threatpost.

Among today’s 18 security bulletins, eight were rated critical, including separate bulletins for Edge and IE that patched the two Google-disclosed bugs. MS17-006 patches 12 vulnerabilities in IE, including CVE-2017-0037—which is also patched in Edge—disclosed by researcher Ivan Fratric, who privately disclosed the flaw to Microsoft last Friday and expressed surprise the company was not able to patch it sooner. The flaw is a type-confusion bug in Edge for Windows 10 and in IE 11 that allows for arbitrary code execution.

Microsoft said four other bugs addressed in the IE bulletin were also publicly disclosed, a privilege escalation flaw (CVE-2017-0154), an information disclosure bug (CVE-2017-0008) and two browser spoofing vulnerabilities (CVE-2017-0012 and CVE-2017-0033).

The Edge bulletin, meanwhile, patched 32 vulnerabilities, with four of the same bugs patched in the IE bulletin. Eighteen memory corruption vulnerabilities were patched in the Edge scripting engine alone, while three browser spoofing issues were publicly disclosed (CVE-2017-0012 and CVE-2017-0033 as in IE, and CVE-2017-0069). The Edge bulletin patches remote code execution, elevation of privilege, information disclosure and security feature bypass vulnerabilities.

The disclosed Windows GDI library vulnerability (CVE-2017-0038) was patched in MS17-013; the bug discloses data through memory and was disclosed by Google engineer Mateusz Jurczyk. Microsoft originally patched this issue in June 2016, but the fix was incomplete. The GDI bulletin patches 20 CVEs overall.

In Jurczyk’s proof-of-concept exploit, multiple bugs related to the handling of DIBs (Device Independent Bitmaps) embedded in EMF (Enhanced Metafile Format) records created conditions where “255 pixels are drawn based on junk heap data, which may include sensitive information, such as private user data or information about the virtual address space,” the researcher said.

The SMB vulnerability, meanwhile, was patched in MS17-012, one of six vulnerabilities addressed in the bulletin. The denial-of-service vulnerability was privately disclosed Feb. 2 by researcher Laurent Gaffié, who found the flaw in SMB 2.0 and 3.0.

“The vulnerability is due to improper handling of certain requests sent by a malicious SMB server to the client,” Microsoft said in the advisory. “An attacker who successfully exploited this vulnerability could cause the affected system to stop responding until it is manually restarted.”

In addition to Gaffie’s original proof-of-concept exploit, other researchers quickly found ways to use it in attacks.

Gaffié’s proof of concept relies on tricking a victim into connecting to a malicious SMB server instance, something that could prove challenging for an attacker. Experts with Dell SecureWorks said that it could be more effective for attackers to combine Gaffié’s attack with the “Redirect to SMB” vulnerability from 2015 to crash a victim’s machine.

There are four other bulletins available today rated critical:

MS17-008: Microsoft also patched Hyper-V, the native hypervisor running on Windows that can create virtual machines, addressing 11 vulnerabilities, including four that could allow for code execution, along with a handful of information disclosure and denial-of-service bugs.

MS17-009: Microsoft patched a remote code execution vulnerability in the Windows PDF Library. The memory corruption issue allows an attacker to run arbitrary code on the underlying system; on Windows 10 with Edge as the default browser, an attacker could exploit the flaw by tricking a user into visiting a website hosting attack code.

MS17-010: Microsoft patched a half-dozen flaws in the Windows SMB Server, five of which allow for remote code execution because of the way the server handles certain requests. A malicious packet sent to an SMBv1 server could trigger the vulnerability. The bulletin also addresses a separate information disclosure issue.

MS17-011: Microsoft patched 29 vulnerabilities in Uniscribe, a Windows service used to render Unicode. Most of the vulnerabilities are information disclosure issues, but the bulletin also includes patches for eight remote code execution flaws.


Threatpost - Hundreds of Thousands of Vulnerable IP Cameras Easy Target for Botnet, Researcher Says

A researcher claims that hundreds of thousands of shoddily made IP cameras suffer from vulnerabilities that could make them an easy target for attackers looking to spy, brute force them, or steal their credentials.

Researcher Pierre Kim disclosed the vulnerabilities Wednesday and gave a comprehensive breakdown of the affected models in an advisory on his GitHub page.

Kim said the vulnerabilities exist in a mass-produced Chinese IP camera called the Wireless IP Camera (P2) WIFICAM. While the cameras more or less physically look the same, vendors resell them with custom software, Kim said, which is where vulnerabilities appear to have been introduced.

The issues are largely tied to an embedded web server that’s used in each camera. While Kim cautions the web server software, GoAhead, isn’t vulnerable, the OEM vendor who implemented it in each camera is likely responsible for introducing vulnerable code.

According to Kim, who conducted a search for the web server on Shodan, nearly 200,000 cameras should be considered vulnerable. While the bulk of the cameras are based in China, roughly 18,000 are based in the U.S., according to the search engine.

“I advise to IMMEDIATELY DISCONNECT cameras to the Internet,” Kim wrote, “Hundreds of thousands cameras are affected by the 0day Info-Leak. Millions of them are using the insecure Cloud network.”

The “Cloud” protocol Kim refers to is a function, enabled by default, on what he purports to be millions of IP cameras. The protocol is essentially a set of clear-text UDP tunnels through which an attacker could send HTTP requests to the cameras.

An attacker could brute force requests and as soon as a camera registers a request as valid, the attacker could fetch the credentials. From there, any future HTTP requests would be sent to .CGI files hosted by the camera.

Since many of the cameras use the same protocols and the infrastructure seems to be managed by a single entity, Kim hints that it could be only a matter of time until someone writes proof-of-concept botnet code, a la Mirai, to ensnare them all.

“This ‘cloud’ protocol seems to be more a botnet protocol than a legit remote access protocol,” Kim writes.

A faulty cloud management protocol is really just the tip of the iceberg when it comes to the cameras however.

Another, potentially worse outcome which affects 1,250 camera models, could come if an attacker chained together a series of vulnerabilities. Because of the way the custom HTTP server is set up on some cameras, an attacker could bypass authentication to steal credentials, FTP accounts, and SMTP accounts. By combining that with a remote code execution bug that exists in the camera’s FTP CGI file, an attacker could execute remote commands against the cameras. Because of the issue, a pre-auth remote code execution vulnerability, an attacker could execute commands through a local area network or via the internet.

Kim claims the exploit–which he posted proof of concept code for–could also extract valid credentials and allow an attacker to execute a payload.

Since some of the camera servers lack authentication, attackers could also stream content from some cameras via their TCP port 10554. Because telnetd is running on some cameras, a backdoor account exists as well, Kim claims.

It’s the second backdoor to be identified in an IP-connected camera product line this week. On Monday an independent security researcher disclosed a backdoor he discovered in a collection of CCTV and IP cameras made by Dahua Technology. The company is urging owners to apply firmware updates it began pushing out the same day.

After getting in touch with Embedthis Software, the makers of GoAhead, Kim was able to clarify this week the vulnerabilities weren’t in the web server software and instead stemmed from the vendor-installed proprietary software. Because of the sheer number of vendors, however – almost 400 in total – Kim wasn’t able to contact them all. In lieu of a fix, the researcher is encouraging owners to discontinue use of the cameras.

Kim, who’s based in the Ivory Coast, has demonstrated a knack for unearthing vulnerabilities, mostly in routers, over the years. The researcher discovered a backdoor, backdoor accounts, and a default Wi-Fi Protected Setup PIN in a router made by D-Link last year. He previously discovered backdoors, hardcoded SSH keys, and a handful of remote code execution bugs in routers by TP-Link, Quanta, Huawei, and Totolink as well.


Threatpost - Senator Demands Answers About CloudPets Breach

A U.S. senator has called Spiral Toys onto the carpet for its data security practices in light of the recent CloudPets breach.

Sen. Bill Nelson (D-FL), a ranking member of the Committee on Commerce, Science and Transportation and backer of a 2016 report on security and privacy concerns related to children’s toys, sent a letter to Spiral Toys CEO Mark Meyers. Nelson’s letter includes 10 questions he wants Meyers to address by March 23, most of which concern the toy maker’s data collection processes, how they’re secured and whether the system was compliant with the Children’s Online Privacy Protection Act (COPPA), which requires companies to secure personal information collected from children.

“The breach of Spiral Toys raises serious questions concerning how well your company protects the information it collects, especially information collected from children,” Nelson wrote.

Nelson’s report released last year was in response to the 2015 breach of VTech, which exposed the personal information of six million children. Nelson told Meyers that the VTech attack “should have served as a wakeup call for toymakers who were not adequately protecting the consumer information they collect.”

Specifically, Meyers is to provide Congress with a summary of the breach that includes details, not only on the data that was accessed, but when and how consumers were notified, security measures in place to protect against intrusions, whether the company had a security officer in place prior to the attack, and policies to control data collection. Nelson also wants to know whether the company discloses to customers that it collects personal information, whether that data is shared or sold to third parties, and specific security questions about controls and procedures in place to protect data, and whether the company had been breached before.

News broke of the CloudPets breach on Feb. 27 after researchers Troy Hunt and Victor Gevers independently and privately disclosed in December that millions of private messages sent through the internet-connected toy were exposed online, along with personal information of more than 800,000 registered users.

The company failed to acknowledge numerous attempts to reach a Spiral Toys security rep as well as Meyers, prompting the public disclosure two weeks ago.

The breach was related to a spate of attacks against MongoDB instances in which attackers were able to find and access the databases and in many cases, copy and delete the data, leaving behind ransom notes asking for money in exchange for the return of the stolen data.

The private recordings, many of which were made by children and meant for family members or others authorized to receive them, were not stored in the stolen database. But the database did contain reference file paths to the message files which were stored on an Amazon Web Services S3 storage bucket.

“The database contains the business logic to let application work. The database contains the metadata that links (like a ledger) to the random generated files in the AWS bucket system,” Gevers told Threatpost on March 1. “By knowing the paths to the files, you extract the data like that. So if you can write to the database you could change the ledger and point to other URLs.”

The database, Spiral Toys said in a notification letter it sent to California’s Attorney General, did include emails and encrypted passwords, which Hunt counters were not encrypted, but were hashed with bcrypt. Combined with a nonexistent password strength rule on Spiral Toys’ part, the hashed passwords could easily be cracked, Hunt said.

Nelson, meanwhile, was also critical of Spiral Toys’ lax security.

“Because Spiral Toys created no requirements for password strength, the hackers could have easily cracked many passwords by simply checking the data against common passwords,” Nelson wrote. “This information could then be used to access and download the private voice recordings of children and parents.”
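The control that both Hunt and Nelson point to is a strength rule applied before hashing: a slow hash such as bcrypt does not help when the password itself sits in a common-password list. The following is an added example, not code from the article or from Spiral Toys; bcrypt is not in the Python standard library, so hashlib.scrypt stands in for it (an assumption), and the common-password list is a constructed sample.

```python
"""Added example, not code from the article or from Spiral Toys: enforce a
password-strength policy at registration before applying a slow hash.  The
article's point is that bcrypt alone does not protect accounts when no
strength rule exists and users choose passwords found in common-password
lists.  bcrypt is not in the Python standard library, so hashlib.scrypt
stands in for it (an assumption); the policy logic is identical either way."""
import hashlib
import os
import secrets

# Constructed sample of a common-password list; a real deployment would load
# a large breached-password corpus rather than this handful of entries.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "cloudpets", "letmein",
                    "iloveyou", "welcome1", "abc123"}
MIN_LENGTH = 10


def password_problems(password):
    """Return the list of policy violations for a candidate (empty means OK)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    # Normalise so trivial variants such as Password1! still match the list.
    stripped = password.lower().rstrip("0123456789!")
    if password.lower() in COMMON_PASSWORDS or stripped in COMMON_PASSWORDS:
        problems.append("appears in the common-password list")
    if len(set(password)) < 5:
        problems.append("too few distinct characters")
    return problems


def hash_password(password, salt=None):
    """Memory-hard hash with a random 16-byte salt; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=2 ** 14, r=8, p=1, dklen=32)
    return salt, digest


def register(password):
    """Reject weak passwords before they are ever hashed or stored."""
    problems = password_problems(password)
    if problems:
        raise ValueError("weak password: " + "; ".join(problems))
    return hash_password(password)


def verify(password, salt, stored_digest):
    """Constant-time comparison of a login attempt against the stored hash."""
    _, digest = hash_password(password, salt)
    return secrets.compare_digest(digest, stored_digest)
```

With no such rule, a dictionary entry such as "Password1!" is accepted and its hash, however slow, falls to a list of a few thousand candidates.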

It’s likely the attack against the CloudPets data was random and targeted exposed MongoDB instances in general. Spiral Toys said the database in question belonged to a contracted third party that was performing a migration on behalf of the company. Spiral Toys said this was a temporary scenario, and as a result, it never received a ransom demand. The company also denied knowing about the breach until Feb. 22.

In the meantime, the case highlights the risks to data belonging to children, something that Nelson has been prominent in demanding protection for.
