<?xml version="1.0" encoding="utf-8" standalone="yes" ?>
<rss version="2.0" 
  xmlns:content="http://purl.org/rss/1.0/modules/content/" 
  xmlns:dc="http://purl.org/dc/elements/1.1/" 
  xmlns:atom="http://www.w3.org/2005/Atom" 
  xmlns:sy="http://purl.org/rss/1.0/modules/syndication/" 
  xmlns:media="http://search.yahoo.com/mrss/">
  <channel>
    <title>2015 on Untrusted Network</title>
    <link>https://untrustednetwork.net/en/category/2015/</link>
    <description>Recent content in 2015 on Untrusted Network</description>
    <generator>Hugo -- gohugo.io</generator>
    <language>en</language>
    <copyright>&amp;copy; Jan Kopriva 2015 - {year}</copyright>
    <lastBuildDate>Wed, 11 Nov 2015 21:14:53 +0100</lastBuildDate>
    <sy:updatePeriod>weekly</sy:updatePeriod>
    <sy:updateFrequency>weekly</sy:updateFrequency>
    
        <atom:link href="https://untrustednetwork.net/en/category/2015/index.xml" rel="self" type="application/rss+xml" />
    
    
    

      
      <item>
        <title>Looking back at October 2015</title>
        <link>https://untrustednetwork.net/en/2015/11/11/looking-back-at-october-2015/</link>
        <pubDate>Wed, 11 Nov 2015 21:14:53 +0100</pubDate>
        
        <atom:modified>Wed, 11 Nov 2015 21:14:53 +0100</atom:modified>
        <guid>https://untrustednetwork.net/en/2015/11/11/looking-back-at-october-2015/</guid>
        <description>October was named European Month of Cyber Security and because of that, many events intended to raise cyber security awareness (such as Security Fest in Prague) were held during the 30-day period. Unfortunately, October also saw just as many new developments on the proverbial &amp;ldquo;dark side&amp;rdquo; of cyber security.
One of these was a widely followed theft of personal data (including credit card numbers) of up to four million customers of the British telecommunications service provider TalkTalk.</description>
        <content:encoded>&lt;p&gt;October was named &lt;a href=&#34;https://cybersecuritymonth.eu/&#34;&gt;European Month of Cyber Security&lt;/a&gt; and because of that, many events intended to raise cyber security awareness (such as &lt;a href=&#34;https://www.cesnet.cz/sdruzeni/akce/security-fest/&#34;&gt;Security Fest&lt;/a&gt; in Prague) were held during the 30-day period. Unfortunately, October also saw just as many new developments on the proverbial &amp;ldquo;dark side&amp;rdquo; of cyber security.&lt;br /&gt;
One of these was a widely followed theft of personal data (including credit card numbers) of up to &lt;a href=&#34;http://www.zdnet.com/article/talktalk-hack-hits-up-to-4-million-in-unencrypted-data-theft/&#34;&gt;four million&lt;/a&gt; customers of the British telecommunications service provider TalkTalk. A Russian hacker group claimed responsibility for the attack; however, the end of the month saw the &lt;a href=&#34;http://www.v3.co.uk/v3-uk/news/2431859/talktalk-ceo-receives-ransom-note-following-significant-and-sustained-cyber-attack&#34;&gt;arrest&lt;/a&gt; of a small number of young men in Great Britain in connection with the theft.&lt;br /&gt;
The &lt;a href=&#34;https://www.untrustednetwork.net/en/2015/09/08/looking-back-at-august-2015/&#34;&gt;Stagefright&lt;/a&gt; vulnerability in the Android operating system saw a new development with the discovery of a new vulnerability dubbed &lt;a href=&#34;http://www.androidcentral.com/what-you-need-know-about-stagefright-20&#34;&gt;Stagefright 2.0&lt;/a&gt;. The vulnerability is due to a fault in the code used for accessing multimedia files and enables a potential attacker to execute arbitrary code on the affected device. According to &lt;a href=&#34;http://arstechnica.com/security/2015/10/a-billion-android-phones-are-vulnerable-to-new-stagefright-bugs/&#34;&gt;some sources&lt;/a&gt;, the vulnerability might affect up to one billion devices. Google has already published a patch for Stagefright 2.0; however, since the update cannot be provided for all Android-based devices, the vulnerability might prove to be an interesting attack vector in the future.&lt;br /&gt;
A good final topic for a &amp;ldquo;Looking back&amp;rdquo; dedicated to European Cyber Security Month might be the discovery of a new &amp;ldquo;malware&amp;rdquo; named &lt;a href=&#34;http://www.securityweek.com/tens-thousands-routers-ip-cams-infected-vigilante-malware&#34;&gt;Linux.Wifatch&lt;/a&gt;. It spreads via the usual network vectors to vulnerable devices running the Linux operating system and changes their configuration in a way which makes them harder for other malware to attack. The interesting point is that Wifatch performed no malicious actions on infected devices, as documented by an &lt;a href=&#34;http://www.forbes.com/sites/thomasbrewster/2015/10/06/mystery-white-team-vigilante-hackers-speak-out/&#34;&gt;interview with its authors&lt;/a&gt;.&lt;/p&gt;
</content:encoded>
        <dc:creator>Jan Kopriva</dc:creator>
        
        
        
        
          
            
              <category>Android</category>
            
          
            
              <category>Malware</category>
            
          
            
              <category>Ransomware</category>
            
          
        
        
          
            
              <category>2015</category>
            
          
        
        
          
            
              <category>Looking back</category>
            
          
        
      </item>
      
      <item>
        <title>Looking back at September 2015</title>
        <link>https://untrustednetwork.net/en/2015/10/18/looking-back-at-september-2015/</link>
        <pubDate>Sun, 18 Oct 2015 16:13:47 +0100</pubDate>
        
        <atom:modified>Sun, 18 Oct 2015 16:13:47 +0100</atom:modified>
        <guid>https://untrustednetwork.net/en/2015/10/18/looking-back-at-september-2015/</guid>
        <description>Information concerning the number of devices vulnerable to the Heartbleed vulnerability appeared in the news during September. Given that the existence of Heartbleed was made public almost a year and a half ago, it may be surprising that the number of vulnerable devices exceeds 200,000.
The affair concerning the Stagefright vulnerability (which was mentioned in the last Looking back) continued in September when Zimperium – the company which discovered Stagefright – released proof-of-concept code which exploits the vulnerability.</description>
        <content:encoded>&lt;p&gt;Information concerning the number of devices &lt;a href=&#34;http://www.theinquirer.net/inquirer/news/2426409/heartbleed-still-affects-200-000-devices-because-vendors-are-lazy-maybe&#34;&gt;vulnerable to the Heartbleed&lt;/a&gt; vulnerability appeared in the news during September. Given that the existence of Heartbleed was made public almost a year and a half ago, it may be surprising that the number of vulnerable devices exceeds 200,000.&lt;br /&gt;
The affair concerning the Stagefright vulnerability (which was mentioned in the &lt;a href=&#34;https://www.untrustednetwork.net/en/2015/09/08/looking-back-at-august-2015/&#34;&gt;last Looking back&lt;/a&gt;) continued in September when Zimperium – the company which discovered Stagefright – &lt;a href=&#34;http://arstechnica.com/security/2015/09/attack-code-exploiting-androids-critical-stagefright-bugs-is-now-public/&#34;&gt;released&lt;/a&gt; proof-of-concept code which exploits the vulnerability.&lt;br /&gt;
Stealthy malware hidden in modified Cisco IOS images and named &lt;a href=&#34;http://arstechnica.com/security/2015/09/malicious-cisco-router-backdoor-found-on-79-more-devices-25-in-the-us/&#34;&gt;SYNful Knock&lt;/a&gt; has been discovered on tens of Cisco routers around the world. The malware functions as a backdoor and, besides the (persistent) IOS-embedded main component, uses tens of modules which provide further functionality and which it loads into volatile memory.&lt;br /&gt;
It should be mentioned that Google, Microsoft and Mozilla made a &lt;a href=&#34;http://threatpost.com/google-mozilla-microsoft-to-sever-rc4-support-in-early-2016/114498/&#34;&gt;press release&lt;/a&gt; announcing that their browsers will stop supporting the RC4 encryption algorithm early next year.&lt;br /&gt;
One final piece of interesting news worth mentioning is the discovery of malware targeting online poker players. The trojan horse is named &lt;a href=&#34;http://www.welivesecurity.com/2015/09/17/the-trojan-games-odlanor-malware-cheats-at-poker/&#34;&gt;Odlanor&lt;/a&gt;; it captures screenshots of applications used for playing poker online and then sends them to the attacker.&lt;/p&gt;
</content:encoded>
        <dc:creator>Jan Kopriva</dc:creator>
        
        
        
        
          
            
              <category>Heartbleed</category>
            
          
            
              <category>Vulnerability</category>
            
          
            
              <category>Cisco</category>
            
          
            
              <category>Malware</category>
            
          
            
              <category>Google</category>
            
          
            
              <category>Microsoft</category>
            
          
            
              <category>Mozzila</category>
            
          
        
        
          
            
              <category>2015</category>
            
          
        
        
          
            
              <category>Looking back</category>
            
          
        
      </item>
      
      <item>
        <title>Looking back at August 2015</title>
        <link>https://untrustednetwork.net/en/2015/09/08/looking-back-at-august-2015/</link>
        <pubDate>Tue, 08 Sep 2015 17:06:42 +0100</pubDate>
        
        <atom:modified>Tue, 08 Sep 2015 17:06:42 +0100</atom:modified>
        <guid>https://untrustednetwork.net/en/2015/09/08/looking-back-at-august-2015/</guid>
        <description>One of the most important pieces of cyber security news pertains to the August release of a patch for the Stagefright vulnerability, to which almost all versions of the Android OS from version 2.2 to version 5.1 are vulnerable. The existence of Stagefright had been made public at the end of July and the number of vulnerable devices is estimated in the hundreds of millions. The vulnerability enables an attacker to cause arbitrary code execution by sending a specially crafted MMS.</description>
        <content:encoded>&lt;p&gt;One of the most important pieces of cyber security news pertains to the August release of a patch for the Stagefright vulnerability, to which almost all versions of the Android OS from version 2.2 to version 5.1 are vulnerable. The existence of Stagefright had been made public at the end of July and the number of vulnerable devices is estimated in the hundreds of millions. The vulnerability enables an attacker to cause arbitrary code execution by sending a specially crafted MMS. The released patch has unfortunately been shown to be incomplete, with the result that even updated devices are &lt;a href=&#34;http://www.theregister.co.uk/2015/08/17/botched_google_stagefright_fix_wont_be_resolved_until_september/&#34;&gt;still vulnerable&lt;/a&gt;.&lt;br /&gt;
Another interesting vulnerability which also affects a mobile platform (in this case iOS) is called &lt;a href=&#34;http://www.v3.co.uk/v3-uk/news/2423493/apple-ios-ins0mnia-flaw-that-hides-malicious-apps-revealed-by-fireeye&#34;&gt;Ins0mnia&lt;/a&gt;. The vulnerability enables malicious applications to circumvent OS security controls and run in the background without the user&amp;rsquo;s knowledge (and – for example – collect sensitive information). Ins0mnia affects even non-jailbroken devices and has been patched in the iOS 8.4.1 update.&lt;br /&gt;
One further August news story was connected to Apple products – the creation of the &lt;a href=&#34;http://www.wired.com/2015/08/researchers-create-first-firmware-worm-attacks-macs/&#34;&gt;Thunderstrike 2.0&lt;/a&gt; proof-of-concept worm, which is able to &lt;a href=&#34;https://www.untrustednetwork.cz/en/2015/07/18/looking-back-at-june-2015/&#34;&gt;infect the firmware of Macs&lt;/a&gt;. Given where the infection resides, detecting it from the OS is highly problematic, and removal of the worm requires the firmware to be re-flashed.&lt;br /&gt;
Another newly discovered (though 18-year-old) attack vector also exploits a vulnerability connected to computer hardware. A vulnerability in &lt;a href=&#34;http://www.computerworld.com/article/2962325/computer-processors/design-flaw-in-intel-chips-opens-door-to-rootkits.html&#34;&gt;Intel&lt;/a&gt; x86 processors enables an attacker to install a rootkit into the memory region used by SMM (System Management Mode – a privileged mode used outside of normal OS execution).&lt;br /&gt;
One final interesting news item comes from the Czech Republic and concerns the signing of a &lt;a href=&#34;https://drive.google.com/file/d/0B1nMeoUI7ko4Q3dTbkVyN2RsbWs/view&#34;&gt;sectoral agreement&lt;/a&gt; on cyber security education between commercial and governmental entities.&lt;/p&gt;
</content:encoded>
        <dc:creator>Jan Kopriva</dc:creator>
        
        
        
        
          
            
              <category>Android</category>
            
          
            
              <category>Apple</category>
            
          
            
              <category>Intel</category>
            
          
            
              <category>Vulnerability</category>
            
          
            
              <category>Government</category>
            
          
            
              <category>Malware</category>
            
          
        
        
          
            
              <category>2015</category>
            
          
        
        
          
            
              <category>Looking back</category>
            
          
        
      </item>
      
      <item>
        <title>Looking back at July 2015</title>
        <link>https://untrustednetwork.net/en/2015/08/05/looking-back-at-july-2015/</link>
        <pubDate>Wed, 05 Aug 2015 10:27:36 +0100</pubDate>
        
        <atom:modified>Wed, 05 Aug 2015 10:27:36 +0100</atom:modified>
        <guid>https://untrustednetwork.net/en/2015/08/05/looking-back-at-july-2015/</guid>
        <description>The most important IT security-related news in July has definitely been the affair surrounding a theft of data from Hacking Team – a company which develops commercial spyware intended for use by police departments and other security agencies. More than 400 GB of stolen data were made public and afterwards analyzed by IT security specialists, leading to the discovery of a large (and still growing) number of zero-day vulnerabilities which were used in Hacking Team’s products.</description>
        <content:encoded>&lt;p&gt;The most important IT security-related news in July has definitely been the affair surrounding a &lt;a href=&#34;http://www.tripwire.com/state-of-security/latest-security-news/hacking-team-breach-reveals-nation-state-corporate-customers/&#34;&gt;theft&lt;/a&gt; of data from Hacking Team – a company which develops commercial spyware intended for use by police departments and other security agencies. More than 400 GB of stolen data were made public and afterwards analyzed by IT security specialists, leading to the discovery of a large (and still growing) number of zero-day vulnerabilities which were used in Hacking Team’s products.&lt;br /&gt;
Interesting news also appeared in connection with vehicle security. Two researchers managed to leverage a vulnerability in the wirelessly accessible on-board entertainment system of a Jeep Cherokee which enabled them to remotely &lt;a href=&#34;http://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/&#34;&gt;control&lt;/a&gt; some of the vehicle’s functions and components, including the transmission. Fiat Chrysler responded to publication of the vulnerability with a &lt;a href=&#34;http://www.bbc.com/news/technology-33650491&#34;&gt;recall&lt;/a&gt; of 1.4 million affected vehicles. Similar action in connection with software bugs/vulnerabilities was also taken by &lt;a href=&#34;http://www.bbc.com/news/technology-33506486&#34;&gt;Land Rover&lt;/a&gt; and &lt;a href=&#34;http://www.theregister.co.uk/2015/07/08/ford_car_software_recall_analysis/&#34;&gt;Ford&lt;/a&gt;.&lt;br /&gt;
A mention should be made of a press release by &lt;a href=&#34;https://www.europol.europa.eu/content/cybercriminal-darkode-forum-taken-down-through-global-action&#34;&gt;Europol&lt;/a&gt;, made in the middle of the month, regarding a successful operation to take down the Darkode cybercriminal forum. Although 28 users and administrators were arrested, the forum &lt;a href=&#34;http://www.theregister.co.uk/2015/07/28/darkode_returns/&#34;&gt;resumed&lt;/a&gt; its operation only two weeks later.&lt;br /&gt;
Another vulnerability has been discovered in OpenSSL which potentially enables an attacker to pass off an &lt;a href=&#34;http://www.theinquirer.net/inquirer/news/2416825/high-severity-bug-found-in-openssl-raises-fears-of-another-heartbleed&#34;&gt;invalid&lt;/a&gt; certificate as a valid one. A fix for the vulnerability was released only a few days after its publication.&lt;br /&gt;
An interesting new &lt;a href=&#34;http://www.wired.com/2014/11/airhopper-hack/&#34;&gt;attack&lt;/a&gt; which could lead to the extraction of data from an air-gapped system has also been made public. It is based on a radio signal generated by the computer, using the video card bus as an antenna, which is received by a nearby mobile phone.&lt;/p&gt;
</content:encoded>
        <dc:creator>Jan Kopriva</dc:creator>
        
        
        
        
          
            
              <category>Hacking Team</category>
            
          
            
              <category>Vulnerability</category>
            
          
            
              <category>TLS/SSL</category>
            
          
        
        
          
            
              <category>2015</category>
            
          
        
        
          
            
              <category>Looking back</category>
            
          
        
      </item>
      
      <item>
        <title>Looking back at June 2015</title>
        <link>https://untrustednetwork.net/en/2015/07/18/looking-back-at-june-2015/</link>
        <pubDate>Sat, 18 Jul 2015 17:29:33 +0100</pubDate>
        
        <atom:modified>Sat, 18 Jul 2015 17:29:33 +0100</atom:modified>
        <guid>https://untrustednetwork.net/en/2015/07/18/looking-back-at-june-2015/</guid>
        <description>Probably the most interesting security-related news in June was an announcement by the OPM (the United States Office of Personnel Management), the organization responsible for HR services and administration for US federal employees, about an attack which exposed records of approximately four million current and former employees. The breach had apparently been active for some time before it was discovered using a special IDS called Einstein. Anonymous US officials attributed the attack to China.</description>
        <content:encoded>&lt;p&gt;Probably the most interesting security-related news in June was an &lt;a href=&#34;http://arstechnica.com/security/2015/06/federal-agency-hit-by-chinese-hackers-around-4-million-employees-affected/&#34;&gt;announcement&lt;/a&gt; by the OPM (the United States Office of Personnel Management), the organization responsible for HR services and administration for US federal employees, about an attack which exposed records of approximately four million current and former employees. The breach had apparently been active for some time before it was &lt;a href=&#34;http://arstechnica.com/security/2015/06/why-the-biggest-government-hack-ever-got-past-opm-dhs-and-nsa/&#34;&gt;discovered&lt;/a&gt; using a special IDS called Einstein. Anonymous US officials attributed the attack to &lt;a href=&#34;http://www.forbes.com/sites/katevinton/2015/06/11/federal-union-says-opm-data-breach-hit-every-single-federal-employee/&#34;&gt;China&lt;/a&gt;.&lt;br /&gt;
Information about a &lt;a href=&#34;http://www.tripwire.com/state-of-security/latest-security-news/hackers-steal-over-a-million-japanese-citizens-personal-data-in-targeted-attack/&#34;&gt;similar&lt;/a&gt; attack in Japan was made available in June. Personal information about approximately 1.25 million citizens was stolen during the attack. The primary attack vector appears to have been a malicious e-mail attachment.&lt;br /&gt;
Owners and users of Apple products may find interesting the news about the discovery of a &lt;a href=&#34;http://arstechnica.com/security/2015/06/new-remote-exploit-leaves-most-macs-vulnerable-to-permanent-backdooring/&#34;&gt;vulnerability&lt;/a&gt; which enables an attacker to rewrite the firmware of older Macs (devices shipped before the second half of 2014). The vulnerability enables the attacker to make changes to the BIOS when the device is waking up from sleep (when the FLOCKDN protection, which should ensure that some parts of the system are accessible in read-only mode, is disabled), which may be used to gain root privileges.&lt;/p&gt;
</content:encoded>
        <dc:creator>Jan Kopriva</dc:creator>
        
        
        
        
          
            
              <category>Apple</category>
            
          
            
              <category>Vulnerability</category>
            
          
            
              <category>Government</category>
            
          
            
              <category>PII</category>
            
          
        
        
          
            
              <category>2015</category>
            
          
        
        
          
            
              <category>Looking back</category>
            
          
        
      </item>
      
      <item>
        <title>Looking back at May 2015</title>
        <link>https://untrustednetwork.net/en/2015/06/05/looking-back-at-may-2015/</link>
        <pubDate>Fri, 05 Jun 2015 00:00:57 +0100</pubDate>
        
        <atom:modified>Fri, 05 Jun 2015 00:00:57 +0100</atom:modified>
        <guid>https://untrustednetwork.net/en/2015/06/05/looking-back-at-may-2015/</guid>
        <description>May has been at least as rich in cybersecurity incidents and events as any of the previous months of the year. Some of the more important ones are described in the following text.
The VENOM (Virtual Environment Neglected Operations Manipulation) vulnerability may be considered a very significant one. VENOM is a vulnerability in the code of the virtual floppy drive which is used by some virtualization platforms (QEMU, KVM, Xen).</description>
        <content:encoded>&lt;p&gt;May has been at least as rich in cybersecurity incidents and events as any of the previous months of the year. Some of the more important ones are described in the following text.&lt;br /&gt;
The &lt;a href=&#34;http://venom.crowdstrike.com/&#34;&gt;VENOM&lt;/a&gt; (Virtual Environment Neglected Operations Manipulation) vulnerability may be considered a very significant one. VENOM is a vulnerability in the code of the virtual floppy drive which is used by some virtualization platforms (QEMU, KVM, Xen). It enables an attacker to access the underlying hypervisor from a virtualized OS using a buffer overflow attack. Since the vulnerability is not specific to any guest OS, its impact is fairly high.&lt;br /&gt;
A mention should also be made of another of the TLS/SSL protocol implementation vulnerabilities, the so-called &lt;a href=&#34;https://weakdh.org/&#34;&gt;Logjam&lt;/a&gt;. Using Logjam, a man-in-the-middle attacker can downgrade the encryption of connections which use the Diffie-Hellman key exchange algorithm and support its export-grade version.&lt;br /&gt;
Finally, it is noteworthy that the Czech government has ratified an Action Plan for the National Cyber Security Strategy 2015 – 2020. Further information (in Czech) may be found &lt;a href=&#34;http://www.govcert.cz/cs/informacni-servis/akce-a-udalosti/vlada-schvalila-akcni-plan-k-narodni-strategii-kyberneticke-bezpecnosti-ceske-republiky-pro-pristich-pet-let-a-zpravu-o-stavu-kyberneticke-bezpecnosti-ceske-republiky-2014/&#34;&gt;here&lt;/a&gt;.&lt;/p&gt;
</content:encoded>
        <dc:creator>Jan Kopriva</dc:creator>
        
        
        
        
          
            
              <category>TLS/SSL</category>
            
          
            
              <category>Virtualization</category>
            
          
            
              <category>Government</category>
            
          
            
              <category>Vulnerability</category>
            
          
        
        
          
            
              <category>2015</category>
            
          
        
        
          
            
              <category>Looking back</category>
            
          
        
      </item>
      
      <item>
        <title>Looking back at April 2015</title>
        <link>https://untrustednetwork.net/en/2015/05/09/looking-back-at-april-2015/</link>
        <pubDate>Sat, 09 May 2015 20:51:28 +0100</pubDate>
        
        <atom:modified>Sat, 09 May 2015 20:51:28 +0100</atom:modified>
        <guid>https://untrustednetwork.net/en/2015/05/09/looking-back-at-april-2015/</guid>
        <description>During April, we witnessed - among other things - the discovery of an 18-year-old &amp;ldquo;Redirect to SMB&amp;rdquo; vulnerability which can be used to attack all versions of Windows released since then. The vulnerability can be exploited when the attacker has some control over the network, enabling them to obtain user login information by redirecting network traffic to a malicious SMB (Server Message Block) server. The server forces the target into an automatic authentication process during which the target sends the user&amp;rsquo;s login, domain and hashed password.</description>
        <content:encoded>&lt;p&gt;During April, we witnessed - among other things - the discovery of an 18-year-old &lt;a href=&#34;https://autoblog.postblue.info/autoblogs/lamaredugoffrblog_a1de86d064e376dc283723997fd86bde6ba2d492/media/44593e6c.RedirectToSMB_public_whitepaper.pdf&#34;&gt;&amp;ldquo;Redirect to SMB&amp;rdquo;&lt;/a&gt; vulnerability which can be used to attack all versions of Windows released since then. The vulnerability can be exploited when the attacker has some control over the network, enabling them to obtain user login information by redirecting network traffic to a malicious SMB (Server Message Block) server. The server forces the target into an automatic authentication process during which the target sends the user&amp;rsquo;s login, domain and hashed password.&lt;br /&gt;
Besides this vulnerability, April also saw the &lt;a href=&#34;https://blog.trendmicro.com/trendlabs-security-intelligence/enterprises-hit-by-bartalex-macro-malware-in-recent-spam-outbreak/&#34;&gt;discovery of a modern macro malware, BARTALEX&lt;/a&gt;. It spreads using phishing messages with a link to a page containing an infected Word document and instructions to enable macros. After the downloaded document is opened, the macro downloads a variant of the DYRE banking malware.&lt;br /&gt;
It is also worth mentioning that the &lt;a href=&#34;http://www.rsaconference.com/&#34;&gt;RSA Conference&lt;/a&gt; was held at the end of April.&lt;/p&gt;
</content:encoded>
        <dc:creator>Jan Kopriva</dc:creator>
        
        
        
        
          
            
              <category>Microsoft</category>
            
          
            
              <category>Windows</category>
            
          
            
              <category>Malware</category>
            
          
            
              <category>RSA</category>
            
          
        
        
          
            
              <category>2015</category>
            
          
        
        
          
            
              <category>Looking back</category>
            
          
        
      </item>
      
      <item>
        <title>Looking back at March 2015</title>
        <link>https://untrustednetwork.net/en/2015/04/01/looking-back-at-march-2015/</link>
        <pubDate>Wed, 01 Apr 2015 00:00:24 +0100</pubDate>
        
        <atom:modified>Wed, 01 Apr 2015 00:00:24 +0100</atom:modified>
        <guid>https://untrustednetwork.net/en/2015/04/01/looking-back-at-march-2015/</guid>
        <description>Looking back at March, probably the most important information security news was the discovery of a significant vulnerability (which could be exploited using a FREAK attack) in some TLS/SSL implementations, including the ones used by Windows operating systems.
Another newsworthy item was the discovery of a new campaign aimed at energy sector companies in the Middle East. Trojan Laziok - a reconnaissance malware for gathering information about infected systems - has been used in the campaign, along with other malicious programs which were tailored to specific systems based on the information gathered by Laziok.</description>
        <content:encoded>&lt;p&gt;Looking back at March, probably the most important information security news was the &lt;a href=&#34;https://www.untrustednetwork.net/en/2015/03/04/freak-a-high-impact-vulnerability-in-tls-ssl/&#34;&gt;discovery&lt;/a&gt; of a significant vulnerability (which could be exploited using a FREAK attack) in some TLS/SSL implementations, including the ones used by Windows operating systems.&lt;br /&gt;
Another newsworthy item was the discovery of a new campaign aimed at energy sector companies in the Middle East. Trojan Laziok - a reconnaissance malware for gathering information about infected systems - has been used in the campaign, along with other malicious programs which were tailored to specific systems based on the information gathered by Laziok.&lt;br /&gt;
A mention should also be made of two very powerful DDoS attacks carried out during the second half of the month - the first one targeted Greatfire.org and the second one GitHub. According to a &lt;a href=&#34;http://www.tripwire.com/state-of-security/latest-security-news/github-hit-with-massive-ddos-attack-china-allegedly-involved/&#34;&gt;published analysis&lt;/a&gt;, China was the source of both attacks.&lt;br /&gt;
Finally, at the end of this &amp;ldquo;Looking back&amp;rdquo; we should mention that in the course of March the &lt;a href=&#34;https://www.untrustednetwork.net/en/2015/03/10/rowhammer-an-attack-which-uses-a-weakness-in-ddr3-memory/&#34;&gt;Rowhammer&lt;/a&gt; attack was made public. It is based on changing specific bits in memory by exploiting a weakness in DDR3 memory, which leads to privilege escalation.&lt;/p&gt;
</content:encoded>
        <dc:creator>Jan Kopriva</dc:creator>
        
        
        
        
          
            
              <category>Microsoft</category>
            
          
            
              <category>Rowhammer</category>
            
          
            
              <category>Windows</category>
            
          
            
              <category>Malware</category>
            
          
        
        
          
            
              <category>2015</category>
            
          
        
        
          
            
              <category>Looking back</category>
            
          
        
      </item>
      
      <item>
        <title>Rowhammer - an attack which uses a weakness in DDR3 memory</title>
        <link>https://untrustednetwork.net/en/2015/03/10/rowhammer-an-attack-which-uses-a-weakness-in-ddr3-memory/</link>
        <pubDate>Tue, 10 Mar 2015 13:57:46 +0100</pubDate>
        
        <atom:modified>Tue, 10 Mar 2015 13:57:46 +0100</atom:modified>
        <guid>https://untrustednetwork.net/en/2015/03/10/rowhammer-an-attack-which-uses-a-weakness-in-ddr3-memory/</guid>
<description>Researchers from Google&amp;rsquo;s Project Zero have released information about a new attack based on flipping bits in DDR3 memory. The attack uses an approach called Rowhammer which was devised last year by a team from Carnegie Mellon University and Intel Labs. It is based on repeated writing to and reading from a part of memory in a very short time, which causes the values of bits in adjacent memory to flip (the flipping is made possible by interaction between adjacent memory cells caused by their close proximity).</description>
        <content:encoded>&lt;p&gt;Researchers from Google&amp;rsquo;s Project Zero have released &lt;a href=&#34;http://googleprojectzero.blogspot.cz/2015/03/exploiting-dram-rowhammer-bug-to-gain.html&#34;&gt;information&lt;/a&gt; about a new attack based on flipping bits in DDR3 memory. The attack uses an approach called Rowhammer which was &lt;a href=&#34;http://users.ece.cmu.edu/~yoonguk/papers/kim-isca14.pdf&#34;&gt;devised&lt;/a&gt; last year by a team from Carnegie Mellon University and Intel Labs. It is based on repeated writing to and reading from a part of memory in a very short time, which causes the values of bits in adjacent memory to flip (the flipping is made possible by interaction between adjacent memory cells caused by their close proximity).&lt;br /&gt;
Using the described principle, researchers from Project Zero created two exploits which they used to successfully elevate user privileges on an x86-64 Linux system, where they achieved unrestricted access to the entire physical memory by flipping bits in page table entries (PTEs). In their announcement, they reported that the described approach was successfully used on machines with DDR3 memory without ECC (error correcting code). Flipping of bits has not been seen on machines with ECC memory. Source code for the test program used to determine whether a machine is vulnerable to Rowhammering has been released by the authors and may be found &lt;a href=&#34;https://github.com/google/rowhammer-test&#34;&gt;here&lt;/a&gt;.&lt;/p&gt;
</content:encoded>
        <dc:creator>Jan Kopriva</dc:creator>
        
        
        
        
          
            
              <category>Rowhammer</category>
            
          
            
              <category>Vulnerability</category>
            
          
            
              <category>Project Zero</category>
            
          
            
              <category>Linux</category>
            
          
            
              <category>Hardware</category>
            
          
        
        
          
            
              <category>News</category>
            
          
            
              <category>2015</category>
            
          
        
        
      </item>
      
      <item>
        <title>FREAK - a high impact vulnerability in TLS/SSL</title>
        <link>https://untrustednetwork.net/en/2015/03/04/freak-a-high-impact-vulnerability-in-tls/ssl/</link>
        <pubDate>Wed, 04 Mar 2015 10:06:49 +0100</pubDate>
        
        <atom:modified>Wed, 04 Mar 2015 10:06:49 +0100</atom:modified>
        <guid>https://untrustednetwork.net/en/2015/03/04/freak-a-high-impact-vulnerability-in-tls/ssl/</guid>
<description>An international research team has devised an attack called FREAK (Factoring attack on RSA Export Keys) with which it is possible to lower the level of encryption used in SSL connections. The attack is based on forcing the server and client to use legacy (the vulnerability has been present for a long time) weak cryptographic suites which are still supported by some of the mainstream browsers (Safari and the OpenSSL-based Android browser among others) and servers.</description>
        <content:encoded>&lt;p&gt;An international research team has devised an attack called &lt;a href=&#34;https://www.smacktls.com/#freak&#34;&gt;FREAK&lt;/a&gt; (Factoring attack on RSA Export Keys) with which it is possible to lower the level of encryption used in SSL connections. The attack is based on forcing the server and client to use legacy (the vulnerability has been present for a long time) weak cryptographic suites which are still supported by some of the mainstream browsers (Safari and the OpenSSL-based Android browser among others) and servers. After a key has been factored, a man-in-the-middle attack may be launched by an attacker against the encrypted connection between a server and a browser. The aforementioned legacy cryptographic suites were added to SSL implementations at a time when export regulations for cryptographic material were in effect in the USA and only specific (weak) cryptographic suites were legally allowed to be exported. A link to a page containing further information about potentially vulnerable sites and a test for vulnerability on the client side may be found &lt;a href=&#34;https://freakattack.com/&#34;&gt;here&lt;/a&gt;.&lt;/p&gt;
</content:encoded>
        <dc:creator>Jan Kopriva</dc:creator>
        
        
        
        
          
            
              <category>TLS/SSL</category>
            
          
            
              <category>Cryptography</category>
            
          
            
              <category>Vulnerability</category>
            
          
        
        
          
            
              <category>News</category>
            
          
            
              <category>2015</category>
            
          
        
        
      </item>
      
      <item>
        <title>Looking back at February 2015</title>
        <link>https://untrustednetwork.net/en/2015/03/03/looking-back-at-february-2015/</link>
        <pubDate>Tue, 03 Mar 2015 09:58:57 +0100</pubDate>
        
        <atom:modified>Tue, 03 Mar 2015 09:58:57 +0100</atom:modified>
        <guid>https://untrustednetwork.net/en/2015/03/03/looking-back-at-february-2015/</guid>
<description>Dramatic information security incidents and news were unfortunately fairly common in February – we will briefly recall three of the most interesting ones.
Most attention was probably gained by a story about an alleged theft of a massive amount of encryption keys used in mobile communication from the network of the Dutch company Gemalto (a major SIM card supplier) by the NSA and GCHQ. The keys could be used to decrypt live communication and also, for example, to remotely inject malicious code into end devices.</description>
        <content:encoded>&lt;p&gt;Dramatic information security incidents and news were unfortunately fairly common in February – we will briefly recall three of the most interesting ones.&lt;/p&gt;
&lt;p&gt;Most attention was probably gained by a story about an alleged theft of a massive amount of encryption keys used in mobile communication from the network of the Dutch company Gemalto (a major SIM card supplier) by the NSA and GCHQ. The keys could be used to decrypt live communication and also, for example, to remotely inject malicious code into end devices. The source of the story was The Intercept, citing a &lt;a href=&#34;https://firstlook.org/theintercept/document/2015/02/19/cne-access-core-mobile-networks-2/&#34;&gt;document&lt;/a&gt; from 2010 which was acquired by Edward Snowden, formerly of the NSA. After the news went public, Gemalto stock took a &lt;a href=&#34;http://www.theregister.co.uk/2015/02/20/gemalto_sim_surveillance_fallout/&#34;&gt;serious hit&lt;/a&gt;. The company responded a couple of days later with a &lt;a href=&#34;http://www.gemalto.com/press/Pages/Gemalto-presents-the-findings-of-its-investigations-into-the-alleged-hacking-of-SIM-card-encryption-keys.aspx&#34;&gt;press release&lt;/a&gt; admitting that an operation by the NSA and GCHQ resulting in penetration of the internal company network probably happened, but emphasizing that the penetration “could not have led to a massive theft of encryption keys”. Gemalto further stated that “in the case of eventual key theft, the intelligence services would only be able to spy on second generation 2G mobile network” since “3G and 4G networks are not vulnerable to this type of attack”.&lt;/p&gt;
&lt;p&gt;Another high-impact February news item was that the Superfish adware (which is used to inject ads into viewed web pages based on analysis of viewed pictures), which Lenovo used to &lt;a href=&#34;http://www.theregister.co.uk/2015/02/19/superfish_lenovo_spyware/&#34;&gt;preinstall&lt;/a&gt; on their laptops, installed a self-signed root certificate. Using that, the adware could generate certificates for web pages which the user viewed over encrypted connections, replacing the legitimate certificates and compromising the security of communication between the user and the web page. Superfish was then able to analyze and alter the SSL-encrypted communication. Furthermore, since the root certificate seems to have always been the same and itself &lt;a href=&#34;http://www.tripwire.com/state-of-security/security-data-protection/superfish-lenovo-adware-faq/&#34;&gt;not very secure&lt;/a&gt;, its presence in a system constitutes a vulnerability which can be used quite easily by a potential attacker. Since this was discovered, &lt;a href=&#34;http://www.cnet.com/news/lenovo-hit-by-lawsuit-over-superfish-adware/&#34;&gt;lawsuits&lt;/a&gt; have been filed against Lenovo and web pages of the company have been &lt;a href=&#34;http://www.v3.co.uk/v3-uk/news/2397144/lizard-squad-hackers-attack-lenovo-after-superfish-scandal&#34;&gt;defaced&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;It should also be noted that in the course of February, after being criticized by Microsoft (among others), Google decided to &lt;a href=&#34;http://www.infosecurity-magazine.com/news/google-blinks-first-with-project/&#34;&gt;change&lt;/a&gt; the policy of its Project Zero – an initiative which, after a vulnerability has been discovered in an application, gave its developers a 90-day deadline to work on a patch. After the deadline had passed, the vulnerability was made public regardless of the existence of a patch or its planned later release. This was the case for Microsoft and a vulnerability in Windows 8.1, when the 90-day deadline ended &lt;a href=&#34;http://blogs.technet.com/b/msrc/archive/2015/01/11/a-call-for-better-coordinated-vulnerability-disclosure.aspx&#34;&gt;two days&lt;/a&gt; before the planned release of a patch during Patch Tuesday, the regular release of updates and patches by Microsoft. Google now grants developers up to 2 weeks&amp;rsquo; reprieve after the deadline has passed, provided they are actively working on patching the vulnerability.&lt;/p&gt;
</content:encoded>
        <dc:creator>Jan Kopriva</dc:creator>
        
        
        
        
          
            
              <category>Gemalto</category>
            
          
            
              <category>NSA</category>
            
          
            
              <category>GCHQ</category>
            
          
            
              <category>Snowden</category>
            
          
            
              <category>Lenovo</category>
            
          
            
              <category>Adware</category>
            
          
            
              <category>Google</category>
            
          
            
              <category>Microsoft</category>
            
          
            
              <category>Project Zero</category>
            
          
        
        
          
            
              <category>2015</category>
            
          
        
        
          
            
              <category>Looking back</category>
            
          
        
      </item>
      

    
  </channel>
</rss>