Saturday, February 22, 2020

NSA-Developed Open Source Software

For you security professions this is a great site to get guidance and software.

 The software listed here developed within the National Security Agency and is available to the public for use. I encourage you to check it out!

I would also tell you to check out  this site as well code.gov

National Security Agency released the source code of Ghidra, its reverse engineering tool

    The National Security Agency released the source code of Ghidra, its reverse engineering tool.

    This source code repository includes instructions to build on all supported platforms (macOS, Linux, and Windows). With this release, developers will be able to collaborate by creating patches, and extending the tool to fit their cybersecurity needs.

    The source code is available for download at ghidra-sre.org along with the 9.1.1 patch.
Ghidra is a software reverse engineering (SRE) framework developed by NSA's Research Directorate for NSA's cybersecurity mission. It helps analyze malicious code and malware like viruses, and can give cybersecurity professionals a better understanding of potential vulnerabilities in their networks and systems.

  • Includes a suite of software analysis tools for analyzing compiled code on a variety of platforms including Windows, Mac OS, and Linux
  • capabilities include disassembly, assembly, decompilation, graphing and scripting, and hundreds of other features
  • supports a wide variety of processor instruction sets and executable formats and can be run in both user-interactive and automated modes.

  • users may develop their own Ghidra plug-in components and/or scripts using the exposed API


  •    For more NSA releases, check out CODE.NSA.GOV for open source, and NSA’s Technology Transfer Program for other technology.

    Hacks of the week








    SmokeLoader Malware Found Spreading via Fake Meltdown/Spectre Patches

    New KillDisk Variant Hits Financial Organizations in Latin America

    GhostTeam Adware Can Steal Facebook Credentials

    ‘Hacking Incident’ Impacts Nearly 280,000 Medicaid Patients

    Hackers Hijack DNS Server of BlackWallet to Steal $400,000

    U.S. Cyber Command Operation Disrupted Internet Access of Russian Troll Factory on Day of 2018 
    Midterms


    UPnP-enabled Connected Devices in the Home and Unpatched Known Vulnerabilities

    Denial of Service attack on the victim’s source of ad revenue, Google AdSense

        We expect services to protect themselves from fraudulent activity. Automated services tend to be particularly tempting to unscrupulous individuals that seem to think that they can pull one over on an unmanned operation. So it makes plenty of sense for Google AdSense to be constantly vigilant for any bot activity trying to extract artificial ad views to collect on the bounty of ad revenue. But what if our fences become cages?

        Security researcher Brian Krebs details a new extortion scheme that recently targeted one of his readers involving a Denial of Service attack on the victim’s source of ad revenue, Google AdSense. The attacker threatens the victim with the loss of revenue by flooding the victim’s website with traffic that is indicative of fraudulent activity. It seems obvious how a criminal mind would use fraudu-
    lent activity to create false views to draw upon the stone of advertising wealth, but the effort of keeping up with defensive algorithms might just not be worth the trouble if shaking down the customer is easier. Why break into the ATM when you can threaten the card holder?

        The extortion note sent to the victim details how there will be an increase in fraudulent traffic that will trigger an investigation by Google. This might increase ad revenue for a short while, but they’ll maintain the attack if they don’t pay up. The attacker then claims that Google will award a permanent ban if the attack persists. All this will go away if the victim simply pays up a five thousand dollar fee in the form of Bitcoin. Or at least, that’s what they claim. The attacks are situated best against victims who have significant traffic on their site already meaning that they most likely rely on that ad revenue for income and would be more inconvenienced by paying than they would be bankrupted otherwise the attacker’s efforts would all be wasted.

        Google claims that the best course of action when subject such forms of sabotage is to contact the AdSense help center immediately and to discontinue any contact with any persons who would threaten such fraudulent actions. Contacting their Ad Traffic Quality team will lead to an investigation into the traffic and will allow Google to monitor and evaluate the traffic. Hopefully this will enhance the ability for AdSense to employ their extensive safeguards which filter out any fraudulent page views to then protect both the advertisers and the customers of AdSense.

    Sources:

    ·        https://krebsonsecurity.com/2020/02/pay-up-or-well-make-google-ban- your-ads/
    ·        https://network-times.com/general/new-blackmail-mail-demands-bitcoin- payment-from-google-adsense-users/
    ·        https://threatpost.com/hacker-scheme-threatens-adsense-customers-with
    -account-suspension/152943/

    Two-Day Shutdown of U.S. Gas Pipeline complements of ransomware

        Many people believe that cybersecurity training and awareness isn’t important in their jobs, especially if their role isn’t technical. However, social engineering has led to the human element being the weakest link in the cybersecurity chain and attackers can be very resourceful and clever in their attempts. A recent attack on a U.S. natural gas compression facility shows just how important this awareness can be.

        The Cybersecurity and Infrastructure Security Agency (CISA) issued an alert this week stating that attackers had compromised the IT and Operation Technology (OT) networks of a natural gas compression facility. They deployed ransomware that encrypted data on both networks, causing a Loss of View event affecting Human Machine Interfaces (HMIs), data historians, and polling servers. Human operators could no longer monitor the status of operations, which lead the company to enact an operational shutdown of the entire pipeline for 2 days while parts were replaced and backups were restored. 

        The attack did not result in any operational loss of control, however. he attackers didn’t get into the network through some zero-day vulnerability or magical hacking skills: they used a spear-phishing campaign to get an employee to click a malicious link. The link allowed them access to the IT network where they were able to pivot into ICS machines due to a lack of segregation between the corporate business network and the operations network. The ransomware only affected Windows-based systems and not Programmable Logic Controllers (PLCs).

        The CISA recommends asset owners to ensure IT and OT networks are segregated and provide logical zones within to help stop lateral movement. They also recommend multi-factor authentication for remote access to operations net- works and a robust backup system. Another failing point in this attack was the lack of preparedness in the emergency response plan for cyberattacks: it only addressed physical safety threats.

        User training and cybersecurity awareness can go a long way in helping to prevent attacks like these. Humans may always be the weak link in cybersecurity, and it requires effort on the part of everyone in an organization to help protect it, no matter what their role may be.

    Sources




    Emotet banking Trojan gets smarter

        Emotet banking Trojan has been around since 2014 as banking malware. As the software was changed, the developers added additional spamming and malware delivery services found in other
    banking malware. Key to Emotet is how it incorporates functionality allowing the software to evade detection by antimalware products.

        Emotet also uses  Worm-like capabilities to help spread to other connected computers. Because of
    this, the Department of Homeland Security (DHS) concludes that Emotet malware is one of the most costly and destructive pieces of malware out there. Emotet spreads on a connected network using a list of common passwords in a brute-force attack. The primary off network propagation mechanism used by Emotet is spam laced with malware. By 2018 newer versions included stealth, new targets, and the ability to install other malware such as ransomware onto infected machines. This was the cause of the July 2019 Lake City, Florida ransomware attack.

        Malwarebytes Labs reported a botnet-driven spam campaign in September of 2019 where opening the infected attached Microsoft Word document initiates a macro which downloaded Emotet. A key functionality to Emotet is the ability to deliver custom modules or plugins suited for specific tasks such as stealing Outlook contacts or spreading over a LAN.

        Binary Defense has identified a new functionality that uses the wlanAPI interface to enumerate all Wifi networks in the area, and then attempts to spread to these networks and infect all devices that
    it can access. With this new propagation method, if a nearby Wi-Fi-capable host is infected, it can attack another Wifi using the same brute-force weak password attacks used on a local network. Zdnet summarized the Wifi spreader's modus operandi nicely as follows: Once a host is infected Emotet downloads and runs the Wi-Fi spreader module. The Wi-Fi spread-er module lists all Wi-Fi devices enabled on the host and extracts a list of all the locally reachable Wi-Fi networks. The module then performs a brute-force attack on each Wi-Fi network by using two internal lists of easy-to-guess passwords. If the brute-force attack succeeds, the Emotet Wifi spreader now has direct access to another network and moves into a second brute-force attack attempting to guess the usernames and passwords of servers and computers connected to this Wifi network much like a connected network attack. If this second brute-force attack succeeds, Emotet begins its infection cycle again widening its reach.


        The Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning on the increased activity related to targeted Emotet attacks roughly two weeks ago, advising admins and users to review the Emotet Malware alert for guidance. Fortunately, all it takes to stop the malware's spread is having effective passwords on your infrastructure, hosts, and accounts. Emotet will thrive on users who don't use such good passwords, or who never changed the factory-default access pass-words when they set up their routers.

    Sources:


    • https://www.binarydefense.com/emotet-evolves-with-new-wi-fi-spreader/
    • https://www.zdnet.com/article/emotet-trojan-evolves-to-spread-via-a-wifi-connection/
    • https://www.tomsguide.com/news/emotet-wifi-worm

    SweynTooth, targeting Bluetooth

        Bluetooth technology seems to be nearly everywhere now. It is an extremely convenient method to make all sorts of different devices speak the same language and perform greater functions. As we already know though, when computing devices can communicate trouble soon follows in one form or another. This week the details of 12 different security vulnerabilities, collectively called SweynTooth, targeting Bluetooth low energy devices became public. 11 of the 12 vulnerabilities are just denial of service vulnerabilities. The twelfth however allows a complete security bypass on affected devices.

        The group releasing the vulnerabilities is comprised of 3 researchers from the Singapore University of Technology and Design, Matheus E. Garbelini, Sudipta Chattopadhyay, and Chundong Wang.
    Most devices that implement Bluetooth connectivity do not implement it from the ground up. They instead rely on a specialized system on a chip (SoC) from a larger manufacturer to handle the inner Bluetooth workings and interface with it via a software development kit (SDK). The SDK can allow them to configure specific parameters for connectivity as well as receiving/sending information over the link. Due to most devices sharing SoCs with other devices it is no surprise that a vulnerability in a specific SoC may affect hundreds or thousands of otherwise unrelated devices.

        The vulnerabilities released this week affect SoCs from Texas Instruments, NXP, Cypress, Dialog Semiconductors, Microchip, STMicroelectronics, and Telink Semiconductor. The devices using these SoCs range from smart watches, smart locks, and even medical devices.

        As stated the majority of these vulnerabilities are able to trigger denial of service. They trigger a denial of service by sending specially crafted packets to the target device to put it into a deadlocked state where it can no longer process incoming or outgoing data.

        To make the device functional again a reboot is required. Most of these attacks require only 1 or 2 packets to be transmitted to exploit successfully. The most dangerous vulnerability of the set is CVE-2019-19194, which can allow an attacker to completely bypass secure communication protections. An attacker using this vulnerability may be able to access functions on the affected device as if they were an authorized user. This could lead to information leakage or even code execution in certain cases.

        This specific vulnerability only appears to affect the Telink SMP family of SoCs.
    Before releasing the vulnerability details to the public the researchers followed responsible disclosure guidelines and notified the affected vendors. After 90 days the research went public, with 6 of the 12 vulnerabilities still without patches. When updates become available affected devices should be upgraded to prevent these attacks.

    Sources:


    • https://www.theregister.co.uk/2020/02/13/dozen_bluetooth_bugs/
    • https://www.bleepingcomputer.com/news/security/sweyntooth-bug-collection-affects-hundreds-of-bluetooth-products/