Saturday, July 14, 2018

Another type of phishing attack

Phishing is the attempt to acquire sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money), often for malicious reasons, by masquerading as a trustworthy entity in an electronic communication.

Here a new one that has started to circulate.
__________________________________________

You don't know me and you're thinking why you received this e mail, right?

Well, I actually placed a malware on the porn website and guess what, you visited this web site to have fun (you know what I mean). While you were watching the video, your web browser acted as a RDP (Remote Desktop) and a keylogger which provided me access to your display screen and webcam. Right after that, my software gathered all your contacts from your Messenger, Facebook account, and email account.

What exactly did I do?

I made a split-screen video. First part recorded the video you were viewing (you've got a fine taste haha), and next part recorded your webcam (Yep! It's you doing nasty things!).

What should you do?

Well, I believe, $1900 is a fair price for our little secret. You'll make the payment via Bitcoin to the below address (if you don't know this, search "how to buy bitcoin" in Google).

BTC Address: XXXXXXXXXXXXX
(It is cAsE sensitive, so copy and paste it)

Important:

You have 24 hours in order to make the payment. (I have an unique pixel within this email message, and right now I know that you have read this email). If I don't get the payment, I will send your video to all of your contacts including relatives, coworkers, and so forth. Nonetheless, if I do get paid, I will erase the video immidiately. If you want evidence, reply with "Yes!" and I will send your video recording to your 5 friends. This is a non-negotiable offer, so don't waste my time and yours by replying to this email.
 
______________________________________________
 
FYI i wish they would learn to use a spell checker..
 
ONCE AGAIN,  IF YOU DO NOT KNOW THE SENDER DO NOT OPEN UP
THINK BERFORE YOU CLICK
 

CERT Advisory (ICSMA-18-179-01) Medtronic MyCareLink Patient Monitor

1. EXECUTIVE SUMMARY

  • CVSS v3 6.4
  • Vendor: Medtronic 
  • Equipment: MyCareLink Patient Monitor
  • Vulnerabilities: Use of Hard-coded Password, Exposed Dangerous Method or Function

2. RISK EVALUATION

If exploited, these vulnerabilities may allow privileged access to the monitor’s operating system. However, physical access to the MyCareLink monitor is required. Additionally, these vulnerabilities may allow a MyCareLink monitor, when operated within close physical proximity of an implantable cardiac device, to read and write arbitrary memory values of that device.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following MyCareLink Monitors are affected:
  • 24950 MyCareLink Monitor, all versions,
  • 24952 MyCareLink Monitor, all versions.

3.2 VULNERABILITY OVERVIEW

3.2.1    USE OF HARD-CODED PASSWORD CWE-259
The affected product contains a hard-coded operating system password. An attacker with physical access can remove the case of the device, connect to the debug port, and use the password to gain privileged access to the operating system
CVE-2018-8870 has been assigned to this vulnerability. A CVSS v3 base score of 6.4 has been assigned; the CVSS vector string is (AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).
3.2.2    EXPOSED DANGEROUS METHOD OR FUNCTION CWE-749
The affected product contains debug code meant to test the functionality of the monitor’s communication interfaces, including the interface between the monitor and implantable cardiac device. An attacker with physical access to the device can apply the other vulnerabilities within this advisory to access this debug functionality.
This debug functionality provides the ability to read and write arbitrary memory values to implantable cardiac devices via inductive or short range wireless protocols. An attacker with close physical proximity to a target implantable cardiac device can use this debug functionality.
CVE-2018-8868 has been assigned to this vulnerability. A CVSS v3 base score of 6.2 has been assigned; the CVSS vector string is (AV:P/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:L).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Healthcare and Public Health
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Dublin, Ireland

3.4 RESEARCHER

Peter Morgan of Clever Security reported these vulnerabilities to NCCIC.

4. MITIGATIONS

Medtronic will release several rolling over-the-air product updates that will mitigate the vulnerabilities described within this advisory. These updates will be applied to devices automatically as part of standard, reoccurring update processes. In addition, Medtronic has increased security monitoring of affected devices and related infrastructure.
Medtronic recommends users take additional defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:
  • Maintain good physical controls over the home monitor as the best mitigation to these vulnerabilities.  
  • Only use home monitors obtained directly from their healthcare provider or a Medtronic representative to ensure integrity of the system. 
  • Report any concerning behavior regarding their home monitor to their healthcare provider or a Medtronic representative. 
Medtronic has released additional patient focused information, at the following location:
https://www.medtronic.com/security
NCCIC recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:
  • Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
  • Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.
NCCIC reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

NCCIC also provides a section for control systems security recommended practices on the ICS-CERT web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
Additional mitigation guidance and recommended practices are publicly available on the ICS-CERT website in the Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to NCCIC for tracking and correlation against other incidents.
No known public exploits specifically target these vulnerabilities. These vulnerabilities are not exploitable remotely. High skill level is needed to exploit.


Contact Information

For any questions related to this report, please contact the NCCIC at:

Email: NCCICCUSTOMERSERVICE@hq.dhs.gov

CERT Advisory (ICSMA-18-107-01) Abbott Laboratories Defibrillator

1. EXECUTIVE SUMMARY

  • CVSS v3 7.5
  • ATTENTION: Exploitable remotely
  • Vendor: Abbott Laboratories
  • Equipment: Implantable Cardioverter Defibrillator and Cardiac Synchronization Therapy Defibrillator
  • Vulnerabilities: Improper Authentication and Improper Restriction of Power Consumption
MedSec Holdings Ltd., has identified vulnerabilities in Abbott Laboratories’ (formerly St. Jude Medical) Implantable Cardioverter Defibrillator (ICD) and Cardiac Synchronization Therapy Defibrillator (CRT-D). Abbott has produced firmware updates to help mitigate identified vulnerabilities in their eligible ICDs and CRT-Ds that utilize radio frequency (RF) communications. A third-party security research firm has verified the new firmware updates mitigate the identified vulnerabilities.
The Food and Drug Administration (FDA) released a safety communication on April 17, 2018, titled “Battery Performance Alert and Cybersecurity Firmware Updates for Certain Abbott (formerly St. Jude Medical) Implantable Cardiac Devices: FDA Safety Communication,” regarding the identified vulnerabilities and corresponding mitigation. In response, NCCIC is releasing this advisory to provide additional detail to patients and healthcare providers.

2. RISK EVALUATION

Successful exploitation of these vulnerabilities may allow a nearby attacker to gain unauthorized access to an ICD to issue commands, change settings, or otherwise interfere with the intended function of the ICD.
Impact to individual organizations depends on many factors unique to each organization. NCCIC recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment and specific clinical usage.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following ICDs and CRT-Ds manufactured and distributed prior to April 19, 2018, are affected:
  • Fortify,
  • Fortify Assura,
  • Quadra Assura,
  • Quadra Assura MP,
  • Unify,
  • Unify Assura,
  • Unify Quadra,
  • Promote Quadra,
  • Ellipse,
  • Current,
  • Promote.

3.2 VULNERABILITY OVERVIEW

 

3.2.1   IMPROPER AUTHENTICATION CWE-287

The device’s authentication algorithm, which involves an authentication key and time stamp, can be compromised or bypassed, which may allow a nearby attacker to issue unauthorized commands to the ICD or CRT-D via RF communications.
CVE-2017-12712 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.2   IMPROPER RESTRICTION OF POWER CONSUMPTION CWE-920

The ICDs and CRT-Ds do not restrict or limit the number of correctly formatted “RF wake-up” commands that can be received, which may allow a nearby attacker to repeatedly send commands to reduce device battery life.
CVE-2017-12714 has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been assigned; the CVSS vector string is (AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).
Abbott is a U.S.-based company headquartered in Abbott Park, Illinois.
The affected ICDs and CRT-Ds are implantable medical devices designed to deliver high voltage electrical pulses to correct a fast or irregular heartbeat. According to Abbott, these devices are deployed across the healthcare and public health sector. Abbott indicates that these products are used worldwide.

3.3 BACKGROUND

Abbott is a U.S.-based company headquartered in Abbott Park, Illinois.
The affected ICDs and CRT-Ds are implantable medical devices designed to deliver high voltage electrical pulses to correct a fast or irregular heartbeat. According to Abbott, these devices are deployed across the healthcare and public health sector. Abbott indicates that these products are used worldwide.

3.4 RESEARCHER

MedSec Holdings Ltd., reported these vulnerabilities to Abbott Laboratories and NCCIC.

4. MITIGATIONS

Abbott has developed a firmware update to help mitigate the identified vulnerabilities.
The firmware update provides additional security to reduce the risk of unauthorized access by bypassing authentication to the following high voltage device families that utilize wireless radio frequency (RF) communication: Fortify, Fortify Assura, Quadra Assura, Quadra Assura MP, Unify, Unify Assura, Unify Quadra, Promote Quadra, and Ellipse.
The firmware update can be applied to an eligible implanted ICD or CRT-D via the Merlin PCS Programmer by a healthcare provider. Abbott and FDA have recommended the update to all eligible patients at the next regularly scheduled visit or when appropriate depending on the preferences of the patient and physician. ICDs and CRT-Ds manufactured beginning April 25, 2018, will have these updates preloaded on devices.
Abbott states that firmware updates should be approached with caution. As with any software update, firmware updates can cause devices to malfunction. Potential risks include discomfort due to back-up VVI pacing settings, reloading of previous firmware version due to incomplete upgrade, inability to treat VT/VF while in back-up mode given high voltage therapy is disabled, device remaining in back-up mode due to unsuccessful upgrade, and loss of currently-programmed device settings or diagnostic data. The Abbott Cybersecurity Medical Advisory Board has reviewed this firmware update and the associated risk of performing the update in the context of potential cybersecurity risk.
While not intended to serve as a substitute for clinician judgment as to whether the firmware update is advisable for a particular patient, the Cybersecurity Medical Advisory Board recommends the following:
  • Healthcare providers and patients should discuss the risks and benefits of the cybersecurity vulnerabilities and associated firmware update during the next regularly scheduled visit or when appropriate depending on the preferences of the patient and physician. As part of this discussion, it is important to consider patient-specific issues such as pacemaker dependence, frequency of high voltage therapy, age of device, patient preference, and provide patients with the “Patient Communication.”
  • Determine if the update is appropriate given the risk of update for the patient. If deemed appropriate, install this firmware update following the instructions provided by the manufacturer.
  • The cybersecurity firmware update should be performed in a facility where appropriate monitoring and external defibrillation are readily available.
Abbott’s older generation devices (i.e., Current and Promote) are not capable of accepting the firmware update due to technology limitations. If healthcare providers and patients have any concerns relating to device cybersecurity for those patients implanted with Current/Promote devices, providers have the option to permanently disable the RF communication capability in the device. However, if this option is selected, the patient can no longer be monitored remotely using an RF Merlin@home transmitter. For most patients, permanently disabling RF is not advisable given the proven benefits and improved survival associated with home monitoring.
Therefore, the Medical Advisory Boards recommends the following:
  • Healthcare providers and patients should discuss the risks of cybersecurity vulnerabilities and benefits of remote monitoring at the next regularly scheduled visit or when appropriate depending on the preferences of the patient and physician.
  • If deemed appropriate, RF communication may be permanently disabled during an in-clinic device interrogation with the Merlin programmer software.
Patients and healthcare providers with questions can call the dedicated hotline at 1-800-722-3774 (U.S.) or visit https://www.sjm.com/cyberupdate  for more information.
Battery Performance Alert and Cybersecurity Firmware Updates for Certain Abbott (formerly St. Jude Medical) Implantable Cardiac Devices: FDA Safety Communication: FDA Safety Communication is available at the following location:
https://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm604706.htm
NCCIC reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
NCCIC also provides a section for control systems security recommended practices on the ICS-CERT web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
Additional mitigation guidance and recommended practices are publicly available in the ICS-CERT Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies, that is available for download from the ICS-CERT website.
No known public exploits specifically target these vulnerabilities. High skill level is needed to exploit.


Contact Information

For any questions related to this report, please contact the NCCIC at:

Email: NCCICCUSTOMERSERVICE@hq.dhs.gov
Toll Free: 1-888-282-0870

Keen Security Lab Finds 14 Security Vulnerabilities in BMW Vehicles

The Chinese cybersecurity research team known as Keen Security Lab has disclosed 14 security vulnerabilities affecting a range of BMW vehicles. Eight of the flaws affect the infotainment system, four affect the Telematics Control Unit (TCU), and two affect the Central Gateway Module (CGM). The TCU handles remote communication in the vehicle, such as the ability to unlock the doors remotely. The CGM handles communication between the different subsystems and dispatches the communications appropriately across different Controller Area Network (CAN) buses. 

Most vehicle vulnerabilities found in the past have relied on having physical access to the vehicle. These types of vulnerabilities could be triggered by plugging in a malicious USB device or accessing diagnostic ports inside the vehicle. While vulnerabilities requiring physical access can still be dangerous, the risk of compromise is much lower than a remote vulnerability.

In order to identify remote vulnerabilities, the research team setup their own mock GSM cellular network in order to middleman the traffic coming from the vehicle. By capturing and analyzing the traffic from the vehicle they were able to find a flaw in the ConnectedDrive service. This flaw was exploited by the team to gain a root shell on the vehicle’s head unit. The team also attacked the Bluetooth functionality of the head unit to explore different avenues of remote exploitation. While they were not able to gain remote access via Bluetooth, they were able to cause the head unit to reboot at will by sending malformed packets to it. This vulnerability however requires the system to be in pairing mode for successful exploitation.

The flaws discovered in the various subsystems can be chained together to impact the vehicles in a more meaningful way than just requiring a reboot of the head unit. For example one could send arbitrary messages to the vehicles Engine Control Unit (ECU), which is the brain of the vehicles drive system. These vulnerabilities in the hands of sufficiently motivated and technical attackers could possibly result in takeover of the exploited vehicle. The team found that the exploits discovered were able to be triggered even when the vehicle is in motion.

BMW was notified of the vulnerabilities found in advance of the team’s publication of their findings. BMW acknowledged the team’s findings and has begun rolling out fixes to the systems which can be updated via over the air updates. Some systems cannot be patched in this method however and require the vehicles to be brought to a dealer to be updated.

Sources:
     https://thehackernews.com/2018/05/bmw-smart-car-hacking.html
 https://keenlab.tencent.com/en/Experimental_Security_Assessment_of_BMW_ Cars_by_KeenLab.pdf
 https://www.helpnetsecurity.com/2018/05/23/hack-bmw-cars/

New Malware Strain Spreads Through Documents

MuddyWater malware is believed to be once again targeting organizations across the world.  This malware was first reported when it targeted the Saudi government back in 2017 and was reported to have also targeted other organizations in the US, Turkey, and other Middle Eastern countries.

Although it is unclear who is behind these attacks, there is some attribution information that links these attacks with the FIN7 threat group that has been known to be a financially motivated. MuddyWater itself is document-based malware, which is often spread by phishing campaigns specifically targeting unaware users.
 
The malware leverages Microsoft Office documents to deliver macro-enabled code execution after tricking unaware users into opening the file. The infection chain starts with the attackers enticing a victim to open a Microsoft Office file with macros enabled. Once this happens, an initial VBScript is automatically executed which then executes other PowerShell scripts.
 

Once the PowerShell scripts execute, a backdoor payload runs on the victim machine, which automatically calls home and waits for commands from the attackers. Interestingly, the most noteworthy enhancements between the malware strains look to be in the obfuscation techniques. The malware starts with a VBScript that uses character substitution to initially hide its direct intentions when manipulating images shown in the document body, then performs the initial PowerShell script execution. The initial PowerShell  Script “invoker.ps1”, then calls other data within the document and performs a cryptographic decoding to build other PowerShell scripts that then have the ability to execute the actual payload
“PRB-Backdoor” within the file. Once PRB-Backdoor is executed it attempts to communicate with its Command- and-Control server, hxxp://outl00k[.]net to send and receive commands. According to malware researchers there have been over ten possible specific types of commands and functionality discovered between the malware and the attackers over the Command-and-Control channel. Some of the more interesting capabilities are gathering system information, file interaction, key- loggers, and stealing passwords.

 
Although this malware is not overly sophisticated, it does present us a good opportunity to learn more about the tools, techniques, and tactics of our adversaries. To combat such types of attacks, users should be cognizant of suspicious emails and cautious of file attachments Additionally, there exists others tools that can help defend an organization's infrastructure from these types of attacks including hosted email security, deep packet inspection by network perimeter devices, and customized end point protection.




Sources





 

Read My Mail, Please…

It was announced that European researchers discovered that the popular PGP and S/MIME email encryption standards are vulnerable to being hacked. Dubbed EFAIL, it is described as vulnerabilities in the end-to-end encryption technologies OpenPGP and S/MIME. From the website, EFAIL abuses active content of HTML emails to exfiltrate plaintext through requested URLs. In “Direct Exfiltration”, the victim’s stolen encrypted message is sent to the victim sandwiched between two parts of an HTML request for delivering the text back to the attacker as an image request. This leverages vulnerabilities in Apple Mail, iOS Mail, and Mozilla Thunderbird. The “CBC/CFB Gadget Attack” abuses a weakness in the Cyber Block Chaining (CBC) mode of operation used in S/MIME. If you know some of the text that is encrypted – and you do, because most encrypted messages have that phrase at the beginning, you can build a “gadget” – which is just a set of bits in a cipher stream that you can insert into the existing cipher stream with the text you want to insert. OpenPGP uses Cipher Feedback (CFB) which has similar cryptographic properties allowing the same abuse, but by embedding it in the cipher stream any standard-conforming client will be vulnerable. PGP also compresses the plaintext before encrypting it, which complicates guessing any known plaintext bytes. 

Different vendors have different CVEs for specific security issues relevant to EFAIL, but there are two CVE numbers for the CBC and CFB gadget attacks: CVE-201717688: OpenPGP CFB gadget attacks and CVE-2017-17689: S/MIME CBC gadget attacks. The researchers stated that their analysis showed that EFAIL plaintext exfiltration channels exist for 25 of the 35 tested S/MIME email clients and 10 of the 28 tested OpenPGP email clients.

Synack’s CTO and Co-Founder Mark Kuhr pointed out that independent security researcher are advising people to stop using PGP, and the media is following suit. But his opinion is that this is a terrible idea. “This is like saying ‘your lock may not work, so leave your door wide open.’” Lee Neely on the editorial board of SANS NewsBites in Volume 20 Number 38 states it best “These flaws are relatively low risk as exploiting these vulnerabilities is tricky and relies on several things.” 
Time will tell as to just how dangerous and exploitable these flaws are. Don’t read us wrong - should these flaws be addressed? Absolutely. We all need to implement mitigations (a number of which were outlined on the website), address correcting the clients, follow the CVEs and patches as available, and address the systemic fixes to PGP and S/MIME protocols. But we also need to address the underlying conflicts between usability and capability vs. security that are in our opinion at the root of this issue, and look toward making email more secure.

Sources:  https://www.reuters.com/article/us-cyber-encryption/popularencrypted-email-standards-are-unsafe-european-researchersidUSKCN1IF1LLhttps://www.independent.co.uk/life-style/gadgets-and-tech/news/emailsecurity-s-mime-pgp-encryption-latest-broken-not-working-fix-how-toa8351116.html

Red Hat DHCP: Gateway to Full Root Access

Red Hat Enterprise Linux (RHEL) is a popular distribution used by many organizations for servers and other network endpoints. Two free versions of the operating system have also branched out of RHEL, Fedora and CentOS. US-CERT issued an alert Wednesday that a critical vulnerability had been discovered in the Network Manager application and how it handles Dynamic Host Configuration Protocol (DHCP) responses. With these responses, this vulnerability could lead to commands being run on the system with full root privileges.
When a device connects to a network and is configured to use DHCP (as most endpoints are), it sends a request out on the network saying that it needs an IP address and other related network information. When the DHCP server receives the request, it assigns an IP address to the requestor and sends a response with the address as well as other network configuration parameters such as DNS servers. This allows automatic, central management of network addresses such that duplication doesn’t occur, which would cause network routing and traffic issues. Google researcher Felix Wilhelm discovered a vulnerability in the Network Manager package included in RHEL and related operating systems. This package runs a script to set the network configuration on the host when a response from a DHCP server is received. However, the script is vulnerable to malicious responses that can cause arbitrary commands to be run on the host with root privileges. For instance, a reverse remote terminal session could be opened, allowing the attacker to run commands on the host at will with full access. A malicious response can be sent by someone spoofing a DHCP server on the local network or if the legitimate DHCP server is already compromised. While this does require the attacker and target to be on the same local network, this could also be done remotely if both are on a public Wi-Fi connection or in combination with another attack that could compromise other machines on the local network.
Patches for this vulnerability have already been released for most systems and users are urged to update immediately. Patches released so far: RHEL version 6 and 7, Fedora versions 26, 27, and 28. Red Hat Virtualization 4.1 is also vulnerable but Network Manager is turned off by default. However, Red Hat Virtualization 4.2 contains the fix. CentOS has also patched the vulnerability in version 7. Additionally, there is a workaround by disabling or removing the vulnerable script, but Red Hat says “…this will prevent certain configuration parameters provided by the DHCP server from being configured on a local system, such as addresses of the local NTP or NIS servers.” Patching is recommended over the workaround.

Sources:  https://threatpost.com/critical-linux-flaw-opens-the-door-to-full-rootaccess/132034/https://thehackernews.com/2018/05/linux-dhcp-hacking.htmlhttps://bugzilla.redhat.com/show_bug.cgi?id=1567974