05/21/2018 New PDF malware combines recent Windows & Adobe exploits
New PDF malware combines two zero-day exploits discovered as recently as last week. The malware, detected by anti-malware firm ESET, combines the most recent Windows and Adobe exploits to compromise Microsoft Windows operating systems. The patches for the flaws being exploited have been available for only a short time; Microsoft released its patches on May 8th, and Adobe released security patches for Reader and Acrobat on May 14th. The PDF malware in question compromises Windows systems when users open an infected PDF on a vulnerable system. Both flaws offer remote command execution to the attacker, with the Windows flaw offering System-level access. The major impact is that these are two new zero-day exploits found together in a malicious PDF file, in the wild.
The impact of combining two zero days into a lethal piece of malware could be devastating. How many were hit before the patches were released? The end result is not known at this time. The sample identified by ESET did not contain a final payload, so the initial goal of the malware is not known. That said, the malware is sophisticated, and the zero-day exploits embedded in it are more so.
With zero-day exploits in the wild, it is usually too late to simply patch your systems. We are by no means advocating delays in patching, but at this time it is advisable to engage a full internal hunt team to identify vulnerable and/or compromised systems. This is a good reminder that we need to implement the basics first: patch/vulnerability management, software/data inventory, governance, etc. Once those are shored up, start to look at additional segmentation, access management, application firewalls and whitelisting. Zero-day exploits are in the wild, and our organizations have to evolve to be resilient against exploits for which we do not have patches.
Microsoft Patch for CVE-2018-8120
Adobe Security Bulletin:
Anton Cherepanov Blog on the two zero days found in PDF malware
05/14/2018 Industrial Control System product vendor Schneider Electric’s InduSoft and InTouch products contain critical security vulnerabilities.
Schneider Electric makes products that allow HMI clients to read and write tags and to monitor alarms and events. Its InduSoft and InTouch software is vulnerable to remote compromise and should be patched immediately.
Schneider Electric’s software is often deployed on critical Industrial Control Systems, and its InduSoft and InTouch applications are vulnerable to remote compromise. The vulnerable software runs with a high privilege level, so compromised systems should be completely wiped and reinstalled before being put back into production. Given the severity of the vulnerability and the criticality of the systems, we would rate the impact as high.
InGuardians recommends the following steps be taken:
- Identify if you run either of the two applications – software inventory
- If running the software, ensure that it is running on isolated network segments
- Check production systems for indicators of compromise
- Patch vulnerable systems and/or rebuild compromised systems
Schneider Electric Security Bulletin LFSEC00000125
Schneider Electric InduSoft Web Studio and InTouch Machine Edition Remote Code Execution (Tenable Research Advisory Detail)
Tenable Research Advisory: Critical Schneider Electric InduSoft Web Studio and InTouch Machine Edition Vulnerability
05/07/2018 Plaintext Passwords Exposed on Twitter and Github, Suggesting Password Safes and MFA
Last week, both Twitter and GitHub publicly announced that their services had exposed plaintext passwords in internal log streams. While neither company has disclosed a compromise, mature information security programs assume that at least one machine in the organization is under the control of a bad actor, and thus that any cleartext password must be replaced. Twitter has begun requiring some users to change passwords, while GitHub has made no such requirement; it would behoove all users of both services to assume their passwords are compromised.
If one or more bad actors have compromised either Twitter or GitHub, they may possess your organization’s credentials for the respective service. If your organization uses multi-factor authentication (MFA/2FA) for any accounts, the bad actors will likely not have gained access using those accounts.
A GitHub account compromise produces significant risk in multiple ways. First, if a bad actor can alter code stored on GitHub that a user deploys to your or their own systems, they can achieve an indirect compromise of those systems and any systems accessible by them. Second, a bad actor may find access credentials, private certificate keys, or other secrets stored in GitHub. InGuardians often finds this kind of data in its red team penetration tests, particularly API keys that provide full cloud service administration capabilities. Finally, when targeting a DevOps environment, a bad actor with GitHub access gains full knowledge of routing, firewall and system provisioning code.
InGuardians recommends changing the passwords of all organization accounts on both Twitter and GitHub. Given the tendency for code and data to proliferate to both personal and business GitHub accounts, InGuardians recommends requiring all staff to change their personal and business GitHub passwords and to enable multi-factor authentication on that platform.
InGuardians also recommends deploying password safe software or hardware, whether free or commercial, to ensure that every password an organization uses is unique. Bad actors will gain access to passwords; to understand, contain and recover from the damage, it’s important to make sure that a compromised password is useful on only one service.
Further, InGuardians recommends conducting a quarterly internal review of what code, data and secrets lie in GitHub repositories, to both understand and reduce the amount of sensitive or secret information that is entrusted there.
Twitter Admits Recording Plaintext Passwords in Internal Logs, Just Like GitHub
GitHub Accidentally Recorded Some Plaintext Passwords in Its Internal Logs
04/30/2018 Multiple known Java and HPE iLO vulnerabilities being targeted for ransomware
Software management is often boring. It is, however, essential to business survival. The many “new” attacks that grab media attention all too often exploit known vulnerabilities for which patches have been published, then missed or ignored. Atlanta’s recent ransomware attack exploited Java’s deserialization bug, which was called the most under-hyped vulnerability of 2015.
It is NOT just Java. HPE iLO, an integrated remote management console for HP servers, has many known vulnerabilities. These interfaces are now being hit with disconnect-and-lock-out ransom demands. This attack may not be encrypting drives; instead it remotely locks out administrators. The effect, and the impetus for ransom, is the same.
Atlanta’s one case has so far incurred $2.6 million in external consulting costs; there is no accounting yet of internal costs or disruption effects, and as of this writing Atlanta’s departments are still using paper and other offline tools. In many commercial environments, this is a business killer. The iLO attacks effectively take servers offline; they are no longer under your control.
Any unpatched or unresolved vulnerability is an opportunity for exploitation and disaster. Delays in patching increase the window of vulnerability and the likelihood of exploitation. A ‘standardized’ weekly, monthly or longer patch cycle, if publicly known, advertises an organization’s unpreparedness. E.g., Outfit A, Inc., patches on the first Monday of the month; a vulnerability and patch are published in the second week; attackers can posit that Outfit A will remain vulnerable for AT LEAST 3 weeks … and maybe even into more than one cycle.
1. Do frequent and aperiodic vulnerability assessments. Scan for vulnerabilities and create a realistic, prioritized, ACTION list.
2. Pay attention to other organizations, news, and vulnerability announcements.
3. PATCH. Just Do It. When patches are more complex, mitigate with layered defenses and architecture – network segmentation.
4. Review policy and architecture to ensure systems that should NOT face the internet, such as HPE iLO interfaces, DON’T.
5. And do not let anyone tell you to relax, it’s only a “theoretical vulnerability.” Ever.
In 2015 the Java vulnerabilities “were considered to be theoretical and hard to exploit.”(1)
STOP. That mistaken viewpoint goes back decades – was wrong then and is wrong now.
Atlanta fall-out continues
2018 – Atlanta projected to spend at least $2.6 million on ransomware recovery
This is NOT new – it’s been skipped and left to fester:
2015 – Java Serialization Vulnerability Threatens Millions of Applications
… and it persists
2018 – Cisco Secure Access Control System Java Deserialization Vulnerability
(1) 2016 – Lessons Learned from the Java Deserialization Bug
And it is NOT just Java
2018 – Ransomware Hits HPE iLO Remote Management Interfaces
The CVE list of HPE iLO vulnerabilities:
04/23/2018 Attackers Compromising Drupal-based Web Sites En Masse for Financial Gain
Attackers are using two vulnerabilities, including Drupalgeddon2, to compromise Drupal installations, install DDoS and currency-mining malware, and attack non-Drupal machines made accessible by that foothold.
The impact for organizations which run Drupal now (or ran it at any time since March 28th, 2018) is severe. Multiple organized criminal groups have raced to exploit the first vulnerability, named Drupalgeddon2. The most prolific uses malware named “Muhstik,” which infects a host, then spreads to other machines using SSH and WebDAV, as well as exploits against the Drupalgeddon2 vulnerability and vulnerabilities in Oracle’s WebLogic, ClipBucket, Webuzo, and the WordPress content management system. Muhstik is a variant of Tsunami, which has infected tens of thousands of Linux hosts. Muhstik has built a botnet from servers and Internet of Things (IoT) “smart devices,” allowing it to scan the Internet for vulnerable hosts very quickly.
For any site that has run Drupal since March 28th, it is critical to patch the Drupal software immediately. InGuardians further recommends assuming that Internet-facing Drupal installations have been compromised until compromise can be ruled out. The Muhstik malware does not spread only through software vulnerabilities. It also scans for SSH servers, trying both a pre-populated set of candidate passwords and credentials that it finds on the system from which it runs. If Muhstik compromised a single Drupal system, it has likely spread to other systems.
InGuardians has seen many clients use a best practice approach to content management system-provided websites. These clients bifurcate their Drupal application servers into two servers: an internal dynamic server and an external static server. The internal server runs the content management system (Drupal) to allow organization staff to update the site’s content. On any update, this server pushes a static mirror of the site to the external server. The external server serves content statically, exposing far less code to attackers. This can be accomplished on Drupal using the Static Generator module.
Additionally, InGuardians recommends disallowing root login via SSH and relocating the SSH server port from 22 to a less well-known number. These two measures massively reduce the number of successful SSH-based attacks, whether in initial infection or lateral movement.
Drupal Patch Instructions for Drupalgeddon2
Drupal Static Generator Module
Botnet Muhstik is Actively Exploiting Drupal CVE-2018-7600 in a Worm Style (Netlab at 360.com)
Big IoT Botnet Starts Large-Scale Exploitation of Drupalgeddon 2 Vulnerability (Bleeping Computer)
04/16/2018 Researchers Can Hijack ATI Systems’ Emergency Alert Sirens Using Software Defined Radio (SDR)
Security researchers at Bastille Networks were able to capture, analyze and replay packets to trigger emergency alert sirens in the city of San Francisco provided by ATI Systems. Over a 2 year period, researchers captured the weekly transmission to initiate system tests. Upon analyzing the captured radio protocol, it was discovered that the transmissions were neither encrypted nor authenticated.
While the ATI Systems emergency alert sirens are a unique implementation, the vulnerability in these systems extends to those installed outside of San Francisco, with identical systems deployed across the globe. Attacks against these types of systems are not unique; it is theorized that similar attacks were used in the erroneous activation of the tornado warning sirens in Dallas, Texas.
Adoption of proprietary Radio Frequency (RF) systems is quite common in both legacy and current systems.
InGuardians often finds that organizations do not have an accurate inventory of RF-enabled systems in their environment, nor do they understand the overall implications of compromise of the unknown RF-enabled systems.
This proof of concept is specific to the ATI Systems implementations, which, by design, could cause widespread panic should the emergency sirens be triggered by an attacker. However, a bad actor or researcher could use the overall methodology and tools for discovering an attack surface for this system on other RF-enabled systems. Overall impact to an organization will depend on the affected system discovered and analyzed, but it is not outside the realm of possibility that there could be pecuniary or life safety issues.
With the increased development in Software Defined Radio (SDR) and expertise in these tools being gained by the security community, RF protocols that formerly enjoyed “security through obscurity” are unlikely to remain free from attack much longer. This becomes particularly challenging in legacy systems where the RF protocols were designed with obscurity as the only security measure either due to lack of available technology, or little future consideration in technology advancements.
InGuardians recommends its clients perform or commission an overall discovery of RF-enabled systems in the enterprise environment, followed by a thorough risk analysis. Should the risk impact be determined to be elevated for any of the discovered systems, it is recommended, at a minimum, to contact the vendor in order to determine the methods in use for securing, encrypting, and authenticating transmissions. Should the answers from the vendor be insufficient, or the RF-enabled systems be critical to the operation of the business, a thorough review and analysis of the RF transmissions should be performed.
Dallas Tornado Siren Hack [Washington Post]
04/09/2018 Security vulnerabilities in two Moxa Industrial Control Systems (ICS) devices
04/02/2018 Drupal CMS High-Critical Remote Code Execution Vulnerability
Security researchers have discovered and publicly released several highly critical Remote Code Execution (RCE) vulnerabilities in Drupal versions 7 through 8.5, as well as the end-of-life version 6. Due to the serious nature of these remote code execution vulnerabilities, Drupal has released patches even for older, unsupported versions, including version 6.
The Drupal Content Management System (CMS) powers 6% of the 10,000 most popular public web sites. Over 647,000 publicly-accessible web sites use this software. This may increase the risk that bad actors may either quickly attack companies running Drupal or will create and release malware targeting this software.
Remote code execution vulnerabilities like these allow an attacker to execute code of their own choosing on an unpatched installation. This could ultimately result in full system compromise and/or allow the attacker to move laterally to compromise other machines, including those on internal network segments.
InGuardians often finds that organizations do not have an accurate inventory of Internet-facing hosts or the applications which they host. In these cases, application vulnerabilities are particularly challenging to defend, as it is impossible to update software that isn’t known to the patch management staff.
Unless Drupal CMS installations are updated to 7.58 or 8.5.1, it is possible for an attacker to gain full control of the affected system. Drupal CMS version 6 permits the same behavior unless patched against SA-CORE-2018-002. Depending on the attacker’s skillset, as well as the defender’s level of network segmentation, it is possible that an attacker could take full control of the defender’s infrastructure.
InGuardians recommends immediate patching of the Drupal content management system (CMS) across all versions. Until a patch can be applied, InGuardians recommends that affected organizations severely restrict access to a few trusted IP addresses. This restriction should be used only to perform the appropriate upgrades and patches, before restoring full access.
This is also the perfect opportunity to undergo an aggressive look at internet-facing resources in order to develop an accurate inventory, with the intent of finding previously unknown assets including Drupal. Upon completion of internet-facing asset discovery, InGuardians recommends performing a similar discovery on internal network segments.
Drupal core – Highly critical – Remote Code Execution – SA-CORE-2018-002
FAQ about [Security Advisory] SA-CORE-2018-002 (https://groups.drupal.org/security/faq-2018-002)
CMS Usage Statistics
03/28/2018 Municipal governments battle cyber attacks.
The Georgia cities of Atlanta and Loganville are the latest victims in an ongoing trend of attacks on municipalities. First, on Thursday, March 22nd, the City of Atlanta announced that its networks had been shut down due to a ransomware attack. At the time of this posting, the city is working with the FBI and the Department of Homeland Security, as well as external partners from Microsoft and Cisco’s cybersecurity response team, to investigate the situation.
The City of Loganville (a suburb of Atlanta), announced on Monday, March 26th on its Facebook page that an external threat actor had successfully perpetrated a breach of an internal server. The Loganville breach may not be related to that of Atlanta.
In Atlanta, the ransomware has cut off electronic access to court records, while many departments are using pen and paper to perform their duties. Many city services, such as electronic bill pay, are still unavailable to city residents. As a precautionary measure, the public wireless network (Wi-Fi) at Hartsfield-Jackson airport has also been suspended.
Evidence suggests the Atlanta malware is SamSam, which has been seen in other attacks targeting governments, like the one that occurred at Colorado’s state Department of Transportation. In particular, the letter shared by local media during the early stages of the ransomware infection in Atlanta is clearly a SamSam ransom note. The wording — including typos — is identical to the examples shared by researchers working for Cisco’s Talos group earlier this year. The only difference was the directory where the contact portal is hosted.
Once attribution to SamSam became public knowledge, the SamSam group deleted the contact portal that the city of Atlanta would use to make payment. Given the SamSam group’s actions, it isn’t clear if payment is even possible now. While it is possible other portals exist for the systems infected in Atlanta, the city hasn’t released any technical details to the public.
In Loganville, the breach is believed to have exposed personally identifiable information (PII), such as social security numbers, to the attacker.
InGuardians echoes the sentiments of the newly elected Atlanta Mayor who is quoted as saying, “this is bigger than a ransomware attack, it’s an attack on government and therefore an attack on all of us.”
It is increasingly apparent that organizations must make the resources available and establish effective policies and preventative measures to strengthen their security postures in order to mitigate these threats.
InGuardians recommends that all leaders of municipal governments view themselves as a likely soft target and create internal Information Security programs to address the emerging threats. We also recommend that all business leaders continue to follow this case for lessons learned, such as:
- Do not leave Remote Desktop Protocol (RDP), Windows Server Message Block (SMB), Secure Shell (SSH) or Telnet available to the Internet – use VPNs and firewall white lists
- Confirm that no operating systems use SMB version 1
- Apply Windows group policy objects (GPOs) to harden government systems uniformly
- Do not allow users to have local administrative privilege on their desktop machines
- Make sure that all patches are deployed quickly – malware victims have lost a race with an attacker
Small Towns Confront Big Cyber Risks (GovTech)
Atlanta Working “Around the Clock” to Fight Off Ransomware Attack (NPR)
We Are a Resilient City – Atlanta Works to Move Forward Following Cyber Attack (11Alive)
Metro Atlanta City Reports Its Own Data Breach (Atlanta Journal Constitution)
Atlanta’s Computers Crippled by Ransomware – Issues Unresolved After 4 Days (SmartCities Dive)
03/19/2018 New DHS alert on breaches of power grid and other control systems
Disabling safety or security controls invalidates risk assessment and mitigation. It won’t matter whether the control was disabled by a hacker or by an employee.
New information is surfacing about the breach of control systems first identified in August 2017. One conceptual flaw and one implementation or operating error combined to defeat safety systems and shut down systems.
In a SCADA environment, the Triconex system is a sound concept, using triple-redundancy comparison of signals as a check on proper operating conditions. If one of the three differs, the system enters a safe state with appropriate alerts and changes. That could mean opening valves to increase cooling, or shutting fuel valves to stop machinery. The firmware of the controllers can, of course, be updated.
To ensure security, a physical switch is used to change a controller from “read only” to “read-write” for updates. A variety of implementation factors, from remote locations to limited personnel managing large automated systems, may have contributed to operators leaving systems in read-write. In at least one case, one of the maintenance management computers was compromised, allowing hackers access to now fully modifiable controllers. In another case, the SCADA system was on a larger network and not properly isolated from external connections, leaving it vulnerable to external penetration.
Remote network access to systems enabled hackers to destroy hard drives inside the company’s computers; their data was wiped clean (NYT). It also appears that only an error in the attack code prevented physical damage and possibly explosions.
InGuardians’ clients may be at LOW risk for the specific attacks used against these Industrial Control Systems (ICS).
However, the broader issue of increased risk from “work-arounds,” which inevitably occur in every business, may be negating what you think is in place for risk mitigation. The focus is NOT on malicious employees, but on those trying to succeed in the face of unintended policy conflicts. Too few people required to do detailed checks on too many systems, too widely separated or remotely located, is only one of the sorts of situations that creep into daily ops.
Review ACTUAL operating conditions and procedures compared to policy. Third party audits or interdepartmental audit teams provide fresh perspectives.
Think more like an attacker. Be less sure – “my door is locked, I can relax” – and more – “the door has a lock but how would it get picked? Broken? Simply evaded? If it was picked, how would I know”. Red Teams don’t simply do set penetration tests, but use creative thinking to find the unexpected gaps, the new approaches. Those attacking your systems don’t have any rules.
03/12/2018 Dofoil trojan variant used to install cryptocurrency-mining malware
Microsoft’s Windows Defender Research group identified a new variant of the Win32/Dofoil remote access trojan, which installed a cryptocurrency miner for Electroneum (ETN) coin.
The impact of this trend is severe, due in part to the trojan’s ability to download and execute code on command. The Dofoil family of trojans gives the attackers full command and control of the compromised system. In addition to crypto mining, the trojan has previously been used to install ransomware and other malicious code.
In this latest attack, Dofoil used a technique known as process hollowing: it spawned a legitimate explorer.exe process and swapped malware into its memory in place of the original code, so that the malicious code ran under a trusted process name.
Many attackers are using cryptocurrency mining as a major revenue stream. During the WannaCry outbreak, at least two other groups used the same exploits to install crypto miners and subsequently earn millions of dollars (far better than the WannaCry authors fared.)
InGuardians recommends having a robust segmented network, with good instrumentation of inbound and outbound traffic. Organizations can use network and host monitoring tools that identify unusual behavior and activity to help identify and contain malware outbreaks. Some of the tools that can be used for detection and containment are Bro, Snort, and Windows Defender. Many anti-malware and threat protection services claim to detect and protect against cryptocurrency miners.
In addition to segmentation and instrumentation, InGuardians recommends having solid backup and recovery solutions in place. These should be tested on a regular basis, with verification of the recovered systems.
Win32/Dofoil (Microsoft Windows Defender Security Intelligence)
DoFoil: Crypto-mining Malware Outbreak Infects 500,000 Computers In One Day (Newsweek)
The State of Malicious Crypto-mining (MalwareBytesBlog)
03/05/2018 Widespread SSL Certificate Revocation Disrupting Internet Transport Encryption with Further Disruption Planned for April and October
On Wednesday, Trustico (a Symantec reseller) triggered the revocation of roughly 23,000 SSL/TLS certificates, ahead of the April and October distrust of any certificate sold under the Symantec, GeoTrust, Thawte and RapidSSL brands.
While the April deadline for Symantec, GeoTrust, Thawte and RapidSSL certificates looms, Trustico’s method of revocation has caused further concern. Trustico wanted to move its customers from roughly 50,000 Symantec-provided certificates to new ones provided by Comodo. DigiCert, which had purchased Symantec’s certificate business, initially refused, on the basis that it would only revoke so many certificates in the case of a security breach. Trustico’s CEO then e-mailed 23,000 certificates’ private keys, unencrypted, to DigiCert, thus creating a breach. The breach was compounded when a remote code execution vulnerability was found in Trustico’s website.
This situation calls into question Trustico’s practices as a certificate reseller. First, certificate vendors should not retain private keys. Second, Trustico’s choice to e-mail private keys put all communications using those keys at risk and may have failed to give customers the opportunity to replace the certificates before this risk window.
Any organization using one of the revoked Trustico-resold Symantec SSL certificates has lost the integrity of HTTPS connections to any server using that certificate. Users will generally see an untrusted connection error immediately, and many will understand that a problem exists. Further, any organization using a Symantec certificate, including those branded as GeoTrust, Thawte and RapidSSL, will face a similar problem on April 17th or in October, at which point Google’s Chrome and Mozilla’s Firefox browsers will begin stating that the certificates are untrusted. See the schedule below (under “Recommendations”) for more detail.
InGuardians strongly recommends that organizations audit their SSL/TLS certificates, determining which have been provided by Symantec, GeoTrust, Thawte and RapidSSL. Staff should replace every certificate provided by these companies well before the following deadlines:
April 17th: Certificates issued before June 1, 2016 will not work with Chrome 66.
May: Certificates issued before June 1, 2016 will not work with Firefox 60.
October: Certificates will no longer be trusted, as of Firefox 63.
October 23rd: Certificates will no longer be trusted, as of Chrome 70.
Organizations can use a number of tools to check their SSL/TLS certificates, whether for web servers or other SSL/TLS-enabled services. The popular open source tool nmap will display information about the certificate enabled on one or more ports, like so:
nmap -v -sT -p 443 --script=ssl-cert www.inguardians.com | egrep '(Issuer|valid)'
| Issuer: commonName=GeoTrust RSA CA 2018/organizationName=DigiCert Inc/countryName=US/organizationalUnitName=www.digicert.com
| Not valid before: 2018-01-25T00:00:00
| Not valid after: 2019-02-24T12:00:00
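As an added example (not InGuardians' tooling), the Python below reads ssl-cert output of the kind shown above, as collected by a scan of every port, and places each certificate on the deadline schedule listed under the Recommendations; its input transcript is constructed and its issuer strings are representative rather than captured from any real host.

```python
"""Sort nmap ssl-cert output into the Symantec distrust schedule.

Added example, not InGuardians' own code. Run the nmap command from the text
(with -p- rather than -p 443, so every TLS-enabled port is covered) and pass
its output to audit(); a constructed transcript stands in for it here."""
import re
from datetime import datetime

# Constructed sample of `nmap -sT -p 443,8443 --script=ssl-cert <host>` output.
# Issuer strings are representative; none were captured from a real site.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for www.example.com (203.0.113.10)
PORT     STATE SERVICE
443/tcp  open  https
| ssl-cert: Subject: commonName=www.example.com
| Issuer: commonName=GeoTrust RSA CA 2018/organizationName=DigiCert Inc/countryName=US
| Not valid before: 2018-01-25T00:00:00
|_Not valid after:  2019-02-24T12:00:00
8443/tcp open  https-alt
| ssl-cert: Subject: commonName=portal.example.com
| Issuer: commonName=Symantec Class 3 Secure Server CA - G4/organizationName=Symantec Corporation/countryName=US
| Not valid before: 2016-03-01T00:00:00
|_Not valid after:  2019-03-01T23:59:59
"""

# Brands named in the Recommendations; VeriSign-branded intermediates belong to the same legacy PKI.
LEGACY_BRANDS = ("symantec", "geotrust", "thawte", "rapidssl", "verisign")
# Issuance date that separates the April/May deadlines from the October ones.
CUTOFF = datetime(2016, 6, 1)


def parse_nmap_ssl_cert(text):
    """Yield {"port", "issuer", "not_before", "not_after"} per ssl-cert block.

    Issuer attributes are split on "/"; a value that itself contains "/" would
    need a smarter tokenizer than this sample requires."""
    port, current = None, None
    for raw in text.splitlines():
        m = re.match(r"^(\d+)/tcp\s", raw)
        if m:
            port = int(m.group(1))
            continue
        body = raw.lstrip("|_ ").strip()  # drop nmap's "| " and "|_" prefixes
        if body.startswith("Issuer:"):
            attrs = body.split(":", 1)[1].strip().split("/")
            current = {"port": port,
                       "issuer": dict(a.split("=", 1) for a in attrs if "=" in a)}
        elif body.startswith("Not valid before:") and current:
            current["not_before"] = datetime.fromisoformat(body.split(":", 1)[1].strip())
        elif body.startswith("Not valid after:") and current:
            current["not_after"] = datetime.fromisoformat(body.split(":", 1)[1].strip())
            yield current
            current = None


def classify(cert):
    """Return (must_replace, note) for one parsed certificate."""
    issuer = cert["issuer"]
    cn = issuer.get("commonName", "").lower()
    org = issuer.get("organizationName", "").lower()
    if not any(b in cn or b in org for b in LEGACY_BRANDS):
        return False, "issuer is not a Symantec-family brand"
    if "digicert" in org:
        # Brand-named intermediates that DigiCert operates (organizationName=
        # DigiCert Inc) chain to DigiCert roots and are outside the distrust
        # plan; confirm the chain rather than trusting the brand name alone.
        return False, "brand retained but issued by DigiCert Inc: verify chain, likely already replaced"
    if cert["not_before"] < CUTOFF:
        return True, "issued before 2016-06-01: untrusted by Chrome 66 (Apr 17) and Firefox 60 (May)"
    return True, "issued 2016-06-01 or later: untrusted by Chrome 70 (Oct 23) and Firefox 63 (Oct)"


def audit(text):
    """Return [(port, issuer commonName, must_replace, note), ...] for a transcript."""
    return [(c["port"], c["issuer"].get("commonName", ""), *classify(c))
            for c in parse_nmap_ssl_cert(text)]


if __name__ == "__main__":
    for port, cn, replace, note in audit(SAMPLE_NMAP_OUTPUT):
        print(f"{port:>5}  {'REPLACE' if replace else 'ok'}  {cn}: {note}")
```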
Organizations should be careful to check all ports on a system, and not just the standard service ports for SSL/TLS.
Additional Resources
Google: “Chrome’s Plan to Distrust Symantec Certificates”
Mozilla: “CA:Symantec Issues”
DigiCert: “How do you handle mass revocation requests?”
Trustico® Abandons Symantec® SSL Certificates
02/26/2018 Increased attacker focus on exposed cloud services, specifically AWS Simple Storage Service (S3) Buckets
Amazon’s cloud-based Simple Storage Service Buckets, colloquially referred to as “S3 Buckets”, have been a recent focus of attackers and security researchers. With the advent of new open source and publicly-available tools to search for improperly configured S3 buckets, bad actors and information security firms have found many cases where the buckets’ owners have inadvertently granted access to every user on the Internet.
In moving to cloud-hosted services, many organizations have failed to heed widespread warnings with this message:
Organizations must secure and monitor cloud-based services just as strongly as with traditional on-premise infrastructure.
Impact from exposure of Amazon S3 is varied, depending on an organization’s adoption and configuration of Amazon’s cloud-based storage infrastructure:
Known adoption of Amazon S3: The risk level varies from low to critical, depending on individual bucket configuration for read/write access, granularity of defined accesses, types of content stored, and use cases for the stored content. The overall level of risk would be determined by these factors and will be different for each individual bucket within an organization’s cloud infrastructure.
No known adoption of Amazon S3: The current risk is undefined and merits analysis to identify whether your organization is using S3; if it is, see above.
InGuardians recommends performing a self-assessment of existing S3 Buckets using currently available tools, such as AWSBucketDump and BuckHacker. Results of these tools should then undergo a thorough inventory and risk analysis.
In addition to these open source tools, Amazon makes the AWS Trusted Advisor tool available to customers with a Business or Enterprise-level support plan. Trusted Advisor can analyze an AWS environment, including its S3 buckets, and make best practice recommendations.
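As an added example (not InGuardians' code, and not either tool named above), the Python below evaluates a bucket ACL and a bucket policy for public grants and places the bucket on the low-to-critical scale used above; the documents are constructed in the shape that boto3's get_bucket_acl and get_bucket_policy return, and the bucket name and account id are placeholders.

```python
"""Flag S3 buckets whose ACL or bucket policy grants access to the public.

Added example, not InGuardians' code and not AWSBucketDump or BuckHacker. The
documents below are constructed; in practice they come from boto3's
s3.get_bucket_acl(Bucket=...) and s3.get_bucket_policy(Bucket=...), the latter
returning the policy as a JSON string under its "Policy" key."""
import json

# The two predefined groups whose presence in an ACL grant makes it public.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "everyone on the Internet",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account holder",
}
WRITE_PERMISSIONS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}


def _as_list(value):
    """Policy fields may be a scalar, a dict or a list; normalize to a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def acl_findings(acl):
    """One finding per ACL grant to a public group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            findings.append({"source": "acl",
                             "write": grant["Permission"] in WRITE_PERMISSIONS,
                             "detail": "ACL grants %s to %s" % (grant["Permission"],
                                                                 PUBLIC_GROUPS[grantee["URI"]])})
    return findings


def _principal_is_anyone(principal):
    """True for Principal "*" or {"AWS": "*"} (also when "*" sits in a list)."""
    return principal == "*" or (isinstance(principal, dict)
                                and "*" in _as_list(principal.get("AWS")))


def _grants_write(actions):
    return any(a == "*" or a.startswith(("s3:Put", "s3:Delete", "s3:*")) for a in actions)


def policy_findings(policy_json):
    """One finding per Allow statement whose Principal is anyone."""
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        if stmt.get("Effect") != "Allow" or not _principal_is_anyone(stmt.get("Principal")):
            continue
        actions = _as_list(stmt.get("Action"))
        guard = "only under a Condition (review it)" if stmt.get("Condition") else "unconditionally"
        findings.append({"source": "policy", "write": _grants_write(actions),
                         "detail": "policy allows %s to anyone %s" % (", ".join(actions), guard)})
    return findings


def bucket_rating(acl, policy_json):
    """Place one bucket on the low-to-critical scale used in the text:
    critical = the public can write, high = the public can read, low = neither."""
    findings = acl_findings(acl) + policy_findings(policy_json)
    if any(f["write"] for f in findings):
        return "critical", findings
    return ("high" if findings else "low"), findings


# Constructed exposed pair: the owner keeps FULL_CONTROL, but READ was also
# granted to AllUsers, and the policy allows anonymous GetObject on every key.
EXPOSED_ACL = {
    "Owner": {"ID": "EXAMPLE-OWNER-CANONICAL-ID"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-CANONICAL-ID"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}
EXPOSED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-bucket/*"}],
})

# Constructed corrected pair: no group grants, and the policy names one role in
# a placeholder account (123456789012) instead of a wildcard principal.
PRIVATE_ACL = {"Owner": EXPOSED_ACL["Owner"], "Grants": [EXPOSED_ACL["Grants"][0]]}
PRIVATE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
                   "Action": ["s3:GetObject", "s3:ListBucket"],
                   "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]}],
})

if __name__ == "__main__":
    for label, acl, policy in (("exposed", EXPOSED_ACL, EXPOSED_POLICY),
                               ("private", PRIVATE_ACL, PRIVATE_POLICY)):
        rating, findings = bucket_rating(acl, policy)
        print(label, rating, [f["detail"] for f in findings])
```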
Tesla Cryptojacked by Currency Miners
AWSBucketDump, an Open Source S3 Bucket Search Tool
BuckHacker, an S3 Search Engine
AWS S3 Documentation: Which Access Control Method Should I Use?
AWS Trusted Advisor
02/20/2018 Theft of Newtek domains is a reminder to stay vigilant
Last week a web services company (Newtek) responsible for hosting over 100,000 e-commerce based websites and email servers had three of its core domains stolen. These domains originally hosted software that allowed customers of these services to manage their websites.
The attackers then replaced the application that users would normally use to manage their websites with their own application in the form of a live-chat service. When users logged in, they believed themselves to be chatting with a helpful admin, when in fact they were communicating with the attacker.
The full impact of this is still being determined. However, corporate email for many of their customers became unavailable, business websites no longer resolved, and sensitive information was most likely communicated to the attacker.
InGuardians recommends that all businesses consider domain hijacking as a potential event in their Business Continuity Plans (BCP). It’s important to stay vigilant in ensuring continued ownership of domains. It’s also important to have plans to use secondary domains for web and email traffic in the event of having lost ownership of a domain.
InGuardians recommends building your own capabilities to gather counter-intelligence and to proactively monitor your organization's digital footprint. Consider scripts or services for monitoring DNS changes to the domains that you control.
Wikipedia lists these options as a means to prevent an unwanted domain transfer:
- Use strong email passwords and enable two-factor authentication if available.
- Disable POP if your email provider is able to use a different protocol.
- Tick the setting “always use https” under email options.
- Make sure to renew your domain registration in a timely manner – with timely payments and register them for at least five (5) years.
- Use a domain-name registrar that offers enhanced transfer protection, i.e., “domain locking” and even consider paying for registry locking.
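The monitoring script suggested above, as an added example (not InGuardians' code): it diffs a stored baseline of NS, MX and A records against a current snapshot and also checks the registrar data for the transfer lock and the five-year registration horizon from the list. The snapshots are constructed inline; in a real deployment the "current" snapshot would be refreshed on a schedule from a resolver and the registrar's RDAP/WHOIS output, which this example does not do. The EPP status code names used for the locks are the standard ones, but their presence in a given registrar's output is an assumption.

```python
"""Baseline-and-diff monitor for domains you control. Added example with
constructed data; nothing here performs live DNS or WHOIS queries."""
from datetime import date

RECORD_TYPES = ("NS", "MX", "A")
MIN_YEARS_REMAINING = 5                       # "register for at least five years"
TRANSFER_LOCK = "clientTransferProhibited"    # registrar-level "domain locking"
REGISTRY_LOCK = "serverTransferProhibited"    # paid registry lock (optional)

def diff_records(baseline, current):
    """Alert on any change to the record sets a hijacker would need to alter."""
    alerts = []
    for rtype in RECORD_TYPES:
        old, new = set(baseline.get(rtype, ())), set(current.get(rtype, ()))
        if old != new:
            alerts.append(("alert", f"{rtype} changed: removed={sorted(old - new)} added={sorted(new - old)}"))
    return alerts

def check_registration(current, today):
    """Check lock status and expiry against the list's recommendations."""
    alerts = []
    statuses = set(current.get("status", ()))
    if TRANSFER_LOCK not in statuses:
        alerts.append(("alert", "registrar transfer lock not set"))
    if REGISTRY_LOCK not in statuses:
        alerts.append(("info", "registry lock not set; consider paying for it"))
    expires = date.fromisoformat(current["expires"])
    years_left = (expires - today).days / 365.25
    if years_left < MIN_YEARS_REMAINING:
        alerts.append(("alert", f"expires {expires.isoformat()}, only {years_left:.1f} years left"))
    return alerts

def monitor(baseline, current, today):
    """Return the combined list of (level, message) for one domain."""
    return diff_records(baseline, current) + check_registration(current, today)

# Constructed baseline taken when the domain was known-good.
BASELINE = {"NS": ["ns1.example.net", "ns2.example.net"],
            "MX": ["mail.example.net"], "A": ["192.0.2.10"]}
# Constructed "current" snapshot: name servers replaced, no lock, expiring soon.
CURRENT_BAD = {"NS": ["ns1.unknown-host.example"], "MX": ["mail.example.net"],
               "A": ["192.0.2.10"], "status": ["ok"], "expires": "2019-01-01"}
# Constructed healthy snapshot: unchanged records, both locks, long registration.
CURRENT_GOOD = dict(BASELINE, status=[TRANSFER_LOCK, REGISTRY_LOCK], expires="2024-01-01")
CHECK_DATE = date(2018, 2, 20)

if __name__ == "__main__":
    for name, snap in (("bad", CURRENT_BAD), ("good", CURRENT_GOOD)):
        print(name)
        for level, msg in monitor(BASELINE, snap, CHECK_DATE):
            print(f"  [{level}] {msg}")
```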
02/12/2018 Smart devices add exposure and threat during a breach and are a source of intelligence and forensic data during incident response.
A common challenge in any incident response is figuring out how access was gained, which vulnerabilities or exploits were used, and how to prevent recurrence. Many breaches are not single events, but the end of a longer series of probes, penetrations, and exfiltrations. The reality is that we are often dealing not with “a breach,” but with a series of incidents that may have been going on longer than many realize.
The explosion of smart devices creates many more opportunities not only to reveal information, but for attack vectors. A “phishing” email might be read on an employee’s cell phone and not directly breach a corporate system. But, it might install malware on that phone so the next time it is in WiFi or Bluetooth proximity of a business network the malware starts searching for new opportunities. This shifts what would have been an external penetration to an internal one.
The specific impact to InGuardians customers is relatively low.
The real challenge is in mapping the many additional connections to your networks, and identifying where such connections are logged – if at all. You cannot effectively investigate the cause or source of a breach if you do not have a clear record of the network.
InGuardians recommends regular review of network architecture as it develops, not merely as planned. Systems and connections often grow organically and in creeping increments, and too often expedient solutions are imperfectly documented. It is important to know what the network looks like today, to know where device access logs are stored, and whether they have ever been reviewed. InGuardians highly recommends robust egress filtering and monitoring.
InGuardians also recommends reviewing the policy for the devices managed by your organization. Secretary of Defense Mattis is reconsidering DoD’s policies for every personal electronic device that “transmits a two-way signal”. That’s much more than just cell phones, but you should at least know WHAT you allow.
02/05/2018 Strava heatmap exposing sensitive military bases invokes the law of unintended consequences.
Something as innocuous as a running application paired with cloud access and GPS location data allowed users to identify sensitive military and government bases and users. The Guardian newspaper used a script to generate GPS data to upload to a Strava account. Following this, they used the application to find other users that also do the same run. The runs matched sensitive locations such as military installations and classified government facilities. They identified 50 users by name.
With so many interconnecting devices, where is the boundary of your data? If you don’t know where your data is, and where it goes, you cannot secure it. With multiple devices providing cloud or syncing functionality, the ease with which data can unintentionally leak out of the environment is astounding.
Impact from the Strava heatmap to InGuardians customers is relatively low. The issue does present us with the conundrum of securing our data, performing operational security, and still being able to use that data and the many applications that have become intrinsic to our businesses.
InGuardians’ primary recommendation is to analyze the potential exfiltration threats that applications pose, and to create policy to deal with these accordingly. Some examples of applications and policies in this arena would be: social media use policy, onsite photography or mobile phone use, or modifying the metadata.
InGuardians also recommends implementing a Mobile Device Management (MDM) solution to enforce policy onto the devices managed by your organization. Implementing steps in order to lock down functionality on these devices based on your internal processes and policies is critical. Unknown, unmanaged devices should not be allowed on your network. The larger concern goes beyond “Strava” and may include data that is gathered but not publicly mapped.
Strava Heatmap and related articles
07/25/2017 Mac malware (FruitFly) that was detected and patched in January, still making rounds according to BlackHat presenter.
In January, malware that infects Mac OS X was detected impacting organizations performing research in the biomedical field. This malware leveraged old functions that have been around in OS X for many years. The main goal of the malware appears to be surveillance, given that it captures screenshots, accesses the webcam, and reportedly performs key logging.
Apple released a patch for this issue in January when the malware was first detected. Many news outlets are incorrectly reporting that there is no known way to detect this malware. However, almost all major AV companies have signatures to detect FruitFly.
According to the BlackHat presenter, the recent infections appear to be mostly home users. This is likely because all properly licensed versions of OS X have been patched by Apple through a behind-the-scenes update mechanism, as of January.
The impact of this particular issue is low at the moment.
Even with a low impact, the detection of this malware is a reminder to practice good opsec (operational security) and keep built-in webcams covered unless in use. Also, it is a reminder that even Apple systems can be vulnerable to malware.
InGuardians recommends that organizations ensure that all operating systems are licensed and up-to-date with all relevant security patches. InGuardians also recommends that organizations deploy endpoint security products to properly monitor all operating systems, including Apple products.
MalwareBytes writeup detailing how FruitFly works:
VirusTotal list of AV vendors that detect FruitFly:
07/17/2017 Kaspersky anti-virus removed from two GSA Schedules
Kaspersky Anti-Virus (AV) has been removed from two GSA (Government Services Administration) schedules, due to concerns that the Kremlin may use Kaspersky products to compromise US Government computers.
A commonly used anti-virus product has been banned for purchase by any U.S. Government agencies which use GSA schedules 67 and 70. While the US government has not yet banned Kaspersky products already purchased, or those purchased outside the GSA schedule, the Senate version of the 2018 defense bill places a blanket ban on Kaspersky products. This bill has not yet been passed. Many government and private organizations receiving funding from the U.S. or state governments are required to make such purchases via the GSA schedule.
This ban limits further acquisition of Kaspersky AV by those organizations required to follow GSA. However, many organizations may already have this product entrenched within their infrastructure. Still, organizations which are not required to adhere to the GSA schedule may decide to follow suit with the GSA’s ban on Kaspersky AV. Organizations may have many questions on how to move forward.
Hold tight. There is a significant amount of posturing and saber rattling on the geopolitical stage at the moment. A number of independent research organizations are currently examining Kaspersky’s software, and reports should be forthcoming.
InGuardians recommends that organizations not rely solely on one vendor’s solutions for security products. Organizations should evaluate multiple providers and select only those with which they can form a trusted relationship. In the event that a trusted relationship becomes compromised, the organization should have contingency plans that enable the removal of the vendor and selection of a new one without losing coverage. Most of our clients favor endpoint protection, in addition to layered application and network defenses, over traditional anti-virus.
07/10/2017 DHS & FBI warn of attacks against US energy & manufacturing companies and employees
DHS and the FBI released a TLP:AMBER report warning US energy sector and manufacturing companies about ongoing cyber operations. These operations include sophisticated physical and cyber attacks, as well as activities targeting employees and operators with the aim of infiltrating air-gapped networks.
Our customers in the energy sector have seen scanning and attacks increase in the last month, but one interesting twist in the report is the targeting of individual employees in order to infiltrate secure networks. Many details regarding the attacks are now known to the public, in part because an irresponsible organization shared a TLP:AMBER report with the press. The approach of going after operators and employees to target secure networks is reminiscent of how GCHQ hacked into Belgacom’s NOC.
This warning comes almost one month after Robert Lee and his team at Dragos released their research on the CRASHOVERRIDE malware, along with ESET’s analysis of Industroyer. Keep in mind that Robert Lee will be presenting details on CRASHOVERRIDE at Black Hat in just a few weeks.
Your key operations and security staff should be trained in operational security (opsec). Include physical security tests and targeting specific roles and personnel as part of your routine security assessments.
News regarding recent hacking of nuclear plant:
07/03/2017 Wiperware disguised as ransomware strikes globally, taking advantage of unpatched systems and flat networks.
The recent wave of supposed ransomware attacks, NotPetya, spread rapidly after its initial infection due to non-segmented (“flat”) networks. It is reported to have first hit Ukraine and subsequently spread internationally. Many of the targets that reported infection are industrial, financial, health or other components of critical infrastructure.
Whereas the Petya ransomware that first emerged last year was actual ransomware, the variant that wormed its way through non-segmented (“flat”) networks in June 2017 (NotPetya) does not allow for decryption of the data. As such, InGuardians classifies this as wiperware.
NotPetya uses many different vectors to infect and to perform subsequent infections. Even though it does use the NSA exploits EternalBlue and EternalRomance that were addressed by Microsoft security update MS17-010, NotPetya also leverages many other vectors of attack. It includes mimikatz, with that tool’s LSADump module, which is used for recovering passwords with the aim of gaining administrative access locally and eventually at the domain level. NotPetya also uses PsExec as a means of subsequent infection, as well as WMI calls.
Many people responsible for network security claim that they thought they were patched against the NSA exploits. It’s key to note that NotPetya has multiple initial infection vectors, including phishing. Even if one of the NSA exploits became the vector of initial infection on an unpatched machine, the other vectors of subsequent infection allow it to spread unhindered through flat networks, full of otherwise patched systems.
Infections of NotPetya spread rapidly across non-segmented, or “flat,” networks, stealing credentials and leveraging privileges and trust. The technical result is mangled data on infected systems. This data is unrecoverable. The business impact has been a shutdown of operations in many of the impacted targets.
The one common issue that allows the spread of NotPetya is networks that are not segmented with access control. Networks that are only logically segmented, without access controls between the segments, are still effectively flat. When access controls restrict traffic from traversing network segments, hosts are well isolated and this stymies infections of this type, containing them to a single host or portion of the network.
InGuardians recommends implementing restrictive access controls at the network level and isolating hosts using host-based firewalls or Private VLANs. InGuardians also recommends using Group Policies within Microsoft Active Directory to lock down endpoints and implement the Principle of Least Privilege, preventing the lateral spread from affected, internal systems. These tactics are highly recommended to defend against modern malware attacks like NotPetya.
Setting up Private VLANs
Implementing the Principle of Least Privilege within Various Versions of Windows
06/26/2017 Three Drupal updates patch critical vulnerabilities
One of the three critical vulnerabilities patched last week in the Drupal web content management system allows for remote code execution.
Drupal is one of the most popular content management systems in use, and the vulnerability described in CVE-2017-6920 gives an attacker the same capabilities on the system as Drupal itself.
This vulnerability is in the PECL YAML parser, and is related to a bug found recently in PHP. PHP updated their documentation alerting developers to not pass unsanitized user input to these functions, which did not “fix” the vulnerability.
Drupal updated their code, changing the way they pass input to the affected functions, and is no longer vulnerable to this attack vector.
YAML parsing vulnerabilities have led to quick widespread exploitation in the past, in multiple web frameworks and languages, and are thus considered quite dangerous.
Recent high-profile website hacks and defacements emphasize the need to check your content management system implementation and ensure it is up to date.
- Tactical recommendation: If your organization has deployed Drupal, update to Drupal 8.3.4 or Drupal 7.56, as both branches include the fixes for these vulnerabilities.
- Strategic recommendation: Consider using a static publishing script to separate your editing/publishing platform from your delivery system. This allows your team to reap the benefits of a content management system, and couples it with the security of a static site. WordPress, Drupal and other popular systems have static publishing plugins or scripts.
06/19/2017 Nation states in the ransomware business
Nation states are now confirmed to be using ransomware campaigns to fund state coffers. The British National Cyber Security Center (NCSC) reported this week that the WannaCry ransomware attack was launched from North Korea. This follows the United States National Security Agency (NSA) assessment with the same conclusion. Security experts believe that the attack was launched by the Lazarus Group tied to the government in Pyongyang.
This revelation further emphasizes the need for full backup, recovery and continuity plans to be tested and refreshed. While most of our customers have robust patching, backup and recovery processes in place, we see from news reports the impact WannaCry had on critical production networks. Many organizations have lost their data, or access to critical systems, while being locked out during a ransomware attack. For example, British National Health Service systems were crippled during the WannaCry attack.
InGuardians recommends reviewing, testing and validating your patching, and backup/recovery processes. Incident response capabilities should be tested as well, guided by an internal Red Team exercise designed to emulate the ransomware attack threat model. InGuardians does not recommend paying for the return of your data. See link below for new regulations that might impact the practice of paying your way out of ransomware.
Articles related to this issue:
NIST Incident Response:
Bitcoin regulations to prevent infosec companies from helping organizations pay ransom:
06/12/2017 PowerShell scripts execute in PowerPoint without macros
Microsoft’s powerful native scripting language, PowerShell, is able to execute inside a PowerPoint presentation without using macros. This presents an issue for many organizations that rely on blocking macros or documents with macros to minimize the risk of compromise via Microsoft Office documents.
InGuardians Red Team operators used this very technique to compromise one of our toughest clients just last week. This is a very real threat posing risk to the information security of your organization. Determine which controls and audit measures best fit your security posture and move swiftly to lock down this threat vector.
InGuardians recommends first determining if systems need PowerShell. If needed, ensure PowerShell is up to date. Older versions of PowerShell do not have many of the security features that version 5 has. Take the necessary steps (outlined here: https://adsecurity.org/?p=2604) to detect PowerShell being used offensively on your systems.
Excellent technical write-up on PowerShell Security: https://adsecurity.org/?p=2921
Recent article on this threat: https://thehackernews.com/2017/06/microsoft-powerpoint-malware.html