Saturday, July 13, 2019

NCSC Releases Advisory on Ongoing DNS Hijacking Campaign


 

Original release date: July 12, 2019

The United Kingdom’s National Cyber Security Centre (NCSC) has released an advisory about an ongoing Domain Name System (DNS) hijacking campaign. The advisory details risks and mitigations for organizations to defend against this campaign, in which attackers use compromised credentials to modify the location to which an organization’s domain name resources resolve to redirect users, obtain sensitive information, and cause man-in-the-middle attacks.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages administrators to review the NCSC Advisory, apply the recommended mitigations, and refer to CISA’s Alert AA19-024A – DNS Infrastructure Hijacking Campaign for more information.

Wednesday, July 10, 2019

Draft NIST Cybersecurity White Paper on Understanding Emerging Blockchain Identity Management Systems


    NIST announces the release of a Draft Cybersecurity White Paper, A Taxonomic Approach to Understanding Emerging Blockchain Identity Management Systems (IDMS), which provides an overview of the standards, building blocks, and system architectures that support emerging blockchain-based identity management systems and selective disclosure mechanisms. The document also considers the full spectrum of top-down versus bottom-up governance models for both identifier and credential management and addresses some of the risks and security concerns that may arise. The terminology, concepts, and properties introduced in this work can facilitate communications amongst business owners, software developers, cybersecurity professionals within an organization, and individuals who are or will be using such systems.

    A public comment period for this document is open until August 9, 2019. See the publication details link for a copy of the document and instructions for submitting comments.

Publication details:
https://csrc.nist.gov/publications/detail/white-paper/2019/07/09/a-taxonomic-approach-to-understanding-emerging-blockchain-idms/draft


CSRC update:
https://csrc.nist.gov/news/2019/draft-white-paper-emerging-blockchain-idms


 

Saturday, July 6, 2019

First-ever malware strain spotted abusing new DoH (DNS over HTTPS)

Godlua, a Linux DDoS bot, is the first-ever malware strain seen using DoH to hide its DNS traffic.
               
Go Here to read about this from Catalin Cimpanu @ ZDnet.
    The U.S. Food and Drug Administration released a warning last week recalling certain Medtronic MiniMed insulin pumps over concerns that the device may be vulnerable to cyber attacks. The warning comes after researchers found that an attacker with adjacent access was able to wirelessly communicate with the device and alter the pump settings, either providing or restricting insulin to a patient. These insulin pumps are meant to communicate wirelessly with other medical devices such as blood glucose meters, glucose sensor transmitters, and CareLink USB devices. The models specifically impacted are the Medtronic MiniMed insulin pumps, the MiniMed 508 insulin pump, and the MiniMed Paradigm series which are collectively used by approximately 4,000 patients in the U.S., according to Medtronic. 

    This vulnerability is described by CVE2019-10964 and has been assigned a score of 7.1 out of 10, designating it as a high severity vulnerability. The core of the vulnerability revolves around improper access control when associating with other devices. The researchers state that the wireless RF communication protocol doesn’t properly implement authentication or authorization, two important factors that mediate network access. In computer security, authentication refers to the mechanism by which a device is proven to be a legitimate user and authorization refers to the resources that the device has access to. The researchers found that an attacker with sufficient access can inject, replay, alter, or interpret data from the vulnerable insulin pumps. Medtronic is urging patients affected by this vulnerability to talk to their healthcare provider about exchanging their insulin pump for a newer model with appropriate security measures.

    While this exploit has not been seen in the real world and there are no known reports of patient harm resulting from it, there are precautions that users of wirelessly connected medical equipment can take to protect themselves. Ensuring that no one tampers with the medical device or other devices connected to it, refrain from sharing the serial number, noticing any alarms or alerts made by the device, and immediately canceling any unintended actions that are made by the medical device are all good steps to take. While it is always important for companies to implement proper security protocols in their devices, it’s even more important when there is the potential for serious harm to an end user, such as in the medical field. As more of these important systems become connected, the need for good security implementation becomes more and more important.


Sources
https://threatpost.com/fda-warns-ofpotentially-fatal-flaws-in-medtronicinsulin-pumps/146109/

https://www.fda.gov/news-events/Press-announcements/fda-warnspatients-and-health-care-rovidersabout-potential-cybersecurityconcerns-certain

https://www.us-cert.gov/ics/advisories/icsma-19-178-01

SmaLock Vulnerabilities

    Smart locks have been increasing in popularity for the last few years. They provide a number of conveniences that make them an enticing option for people looking to replace their current locks. Things like automatically unlocking as you approach with your hands full or allowing a friend to unlock the door only when you’re on vacation sound great at first. But the risks of poorly secured and designed smart locks may outweigh those conveniences.

    Pen Test Partners along with 2 additional researchers, @evstykas and @cybergibbons, recently took a look at the U-tec Ultraloq and found a number of critical vulnerabilities that would allow an unauthorized person to bypass the lock. The first vulnerability they found was that their application API leaks data about the users of the locks, including the physical location of where the lock is. The second vulnerability found in their API is much more interesting though. By simply changing the user ID value during the login process you can impersonate any other user and have full control of their locks. Pairing these 2 vulnerabilities together means you would first be able to find installations of these locks and then unlock them when you get there.

    The researchers also spent some time looking at the Bluetooth based proximity unlocking feature. Due to a poor encryption implementation in the app and lock they were able to develop a brute force attack capable of unlocking the lock. This attack would allow someone to open an Ultraloq without requiring knowledge of who the lock belongs to like in the first attack. These 2 attacks alone allow complete bypass of the smart lock, but what if the attacker isn’t very technical? No problem, the lock is also easily picked. By inserting a thin pick into the body of the lock an attacker is able to shim the mechanism and open the lock with ease. The fallback physical lock mechanism was also easily picked by the researchers using only basic lockpicking techniques.

    The Ultraloq isn’t the only smart lock smart lock to have showstopping vulnerabilities and probably won’t be the last. Smart home products, especially security related ones have been a popular target for researchers since they first hit the market. If you’re considering a smart lock it is important to research the specific model being considered and stick to trusted manufacturers. Even still there is no guarantee that the lock won’t have a vulnerability found at some point so it is also important to apply firmware updates when they become available from the manufacturer. Ultraloq released a fix for their API last week but have not provided an update for the Bluetooth vulnerability yet.

Sources:

https://threatpost.com/smart-lock-turns-out-to-be-not-so-smart-orsecure/146091/

https://www.pentestpartners.com/security-blog/the-not-so-ultra-lock/

Sunday, June 30, 2019

Sometimes free is the juicy apple with a parasite waiting to land.

    When something is free, chances are pretty high that "the user" is the product. Services that are free usually generate value for the creator or provider by sharing exposure with advertisers or perhaps using the data collected from the "free" product for other means such as market studies or product testing before a final product. But sometimes free is the juicy apple with a parasite waiting to land its hook inside the consumer's gut.

    Researchers from ESET and Malwarebytes labs have found cryptominers within high end music production software products provided for free to download and use. Named LoudMinerby ESET and simultaneously named Bird Miner by MalwareBytes Labs, the cryptominer hides by bundling itself inside already large files. The pirated versions of Virtual Studio Technology programs seem to function normally except that they are slower due to increased processor load. This obfuscation not only hides the existence of the additional malicious installation software, but also focuses their targets on users with high processing power: users who need to process visual and audio media. These two operate themselves within a lightweight virtual machine(VM) in the background. This keeps it hidden from the user, but also generalizes itself for both Mac, Windows, and Linux users, lowering the skill threshold of the developer.

    The cryptominer hides itself once installed by watching the usage of the Activity Monitor, pausing its functions when it might be watched and can consume of up to 90% of the CPU. While the user might notice difficulties, troubleshooting it will be more troublesome than just looking at what's running. It can even detect what kind of CPU is used and how many cores are available, running up to two VMs simultaneously to more efficiently siphon off processing power. The Mac version runs QEMU, and the Windows version runs VirtualBox, and while the installation of the emulators require a trust verification, they name themselves "Oracle Corporation Network Service" to disguise their clandestine nature while setting the folders to which they are installed to hidden. The VM runs a version of Linux called Tiny Core Linux 9.0 and is set to mine Monero using XMRig, mining to a Mining pool. Profits are shared with other Monero users in the mining pool, but they are also untraceable to the attacker.

    It is always inadvisable to use pirated software, but if one ends up using software from less than reputable sources, be wary of unexpected CPU consumption, trust requests, services, or launch Daemons. While it can be nice to provide some value to a service that is otherwise free, it's definitely better when you’re an aware and willing participant.

Sources

Tuesday, June 25, 2019

Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks:


NIST announces the publication of NISTIR 8228, Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks, which provides guidance for federal agencies and other organizations to better understand and manage the risks associated with individual IoT devices throughout the lifecycles of those devices. It also considers three high-level goals for risk mitigation: device security, data security, and individual privacy. This introductory report provides the foundation for a planned series of publications on more specific aspects of this topic.

 

Publication details:


 

CSRC Update

Wednesday, June 19, 2019

NIST Announces the Initial Public Drafts of SP 800-171 Rev. 2 and SP 800-171B


Summary

NIST is seeking comments on Draft NIST Special Publication (SP) 800-171 Revision 2, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, and Draft NIST SP 800-171B, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations: Enhanced Security Requirements for Critical Programs and High Value Assets.

The public comment period for both publications ends on July 19, 2019. Comments can also be submitted on a Department of Defense (DoD) cost estimate for implementing the enhanced security requirements of SP 800-171B. See the publication details links below for document files and instructions on submitting comments.

Details

Draft NIST SP 800-171 Rev. 2 provides minor editorial changes in Chapters One and Two, and in the Glossary, Acronyms, and References appendices. There are no changes to the basic and derived security requirements in Chapter Three. For ease of use, the Discussion sections, previously located in Appendix F (SP 800-171 Rev. 1), have been relocated to Chapter Three to coincide with the basic and derived security requirements.

Publication details for SP 800-171 Rev. 2:
https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/draft


////////

Draft NIST SP 800-171B, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations: Enhanced Security Requirements for Critical Programs and High Value Assets, was developed in the spring of 2019 as a supplement to NIST SP 800-171. This new document offers additional recommendations for protecting Controlled Unclassified Information (CUI) in nonfederal systems and organizations where that information runs a higher than usual risk of exposure. When CUI is part of a critical program or a high value asset (HVA), it can become a significant target for high-end, sophisticated adversaries (i.e., the advanced persistent threat (APT)). In recent years, these critical programs and HVAs have been subjected to an ongoing barrage of serious cyberattacks, prompting the Department of Defense to request additional guidance from NIST.

The enhanced security requirements are to be implemented in addition to the basic and derived requirements in NIST SP 800-171, since the basic and derived requirements are not designed to address the APT.  The enhanced security requirements apply only to components of nonfederal systems that process, store, or transmit CUI or that provide protection for such components when the designated CUI is contained in a critical program or HVA. The enhanced security requirements are only applicable for a nonfederal system or organization when mandated by a federal agency in a contract, grant, or other agreement.

All public comments received on Draft NIST SP 800-171B will be posted at both https://csrc.nist.gov/projects/protecting-cui/public-comments and https://www.regulations.gov/docket?D=NIST-2019-0002 (Regulations.gov docket no. NIST-2019-0002) without change or redaction, so commenters should not include information they do not wish to be posted (e.g., personal or business information). 

The DoD has completed a cost analysis to provide stakeholders insight into the estimated cost of implementing the enhanced security requirements in Draft NIST SP 800-171B. The cost analysis is available for review and comment at the publication details link below. Please submit any comments regarding the DoD cost analysis review by July 19, 2019 to www.regulations.gov/docket?D=DOD-2019-OS-0072 (Regulations.gov docket no. DOD-2019-OS-0072).

Publication details for Draft SP 800-171B (including the document, DoD Cost Estimate, and recommended comment template):
https://csrc.nist.gov/publications/detail/sp/800-171b/draft


 

NOTE: A call for patent claims is included in both draft publications. For additional information, see the “Information Technology Laboratory (ITL) Patent Policy--Inclusion of Patents in ITL Publications”:
https://www.nist.gov/itl/information-technology-laboratory-itl-patent-policy-inclusion-patents-itl-publications.


Please send any questions to sec-cert@nist.gov.

 

Tuesday, June 18, 2019

DHS Email Phishing Scam


The Cybersecurity and Infrastructure Security Agency (CISA) is aware of an email phishing scam that tricks users into clicking on malicious attachments that look like legitimate Department of Homeland Security (DHS) notifications. The email campaign uses a spoofed email address to appear like a National Cyber Awareness System (NCAS) alert and lure targeted recipients into downloading malware through a malicious attachment.

CISA encourages users and administrators take the following actions to avoid becoming a victim of social engineering and phishing attacks:

  • Be wary of unsolicited emails, even if the sender appears to be known; attempt to verify web addresses independently (e.g., contact your organization's helpdesk or search the internet for the main website of the organization or topic mentioned in the email).
  • Use caution with email links and attachments without authenticating the sender. CISA will never send NCAS notifications that contain email attachments.
  • Immediately report any suspicious emails to your information technology helpdesk, security office, or email provider.

Wednesday, June 12, 2019

Researchers presented a toolkit that automates phishing when 2 factor authentication

    Phishing attacks are perhaps the most common method attackers use to gain access to a target network. It is so common that many companies employ outside companies to generate test phishing campaigns in order to train employees on what to look out for. Even with these types of trainings many employees continue to type their credentials into pages designed specifically to steal them.  Implementing 2 factor authentication mitigates a lot of risk because login credentials became useless to an attacker without the time based one time use code 2 factor authentication provides. 

    In order to defeat 2 factor authentication attackers shifted their methods from collecting credentials to collecting session tokens. This makes the attack more complicated because instead of just setting up a fake login page that saves credentials and forwards the user like nothing happened they have to proxy the traffic in real-time in order to make the user type in their one time code. One time codes aren’t able to be used again however, making storing the captured information for later useless. Instead the attacker must capture the session token given out by the server on a successful login and use it in their own browser to gain access to the target system. While this attack was always possible a recently released toolkit makes it much easier.
    Last month at the Hack in a Box conference in Amsterdam researchers presented a toolkit that automates phishing when 2 factor authentication is involved. The toolkit is comprised of 2 parts that work together to automate the attack. The first is Muraena, a minimal configuration proxy designed to middleman the user and the target login page. It supports automatic resource rewriting so that the attacker doesn’t need to spend much time customizing each specific phish page. More advanced configuration options are available too, for sites which employ advanced anti-phishing defenses. The second part of the toolkit is NecroBrowser, an API controlled headless Chrome browser instance that is designed to utilize the session token stolen by Muraena. It is designed to be setup in an automated fashion so that it can immediately perform tasks on behalf of the attacker during a successful attack.  
    Currently there are very few solutions to successfully mitigate a well run attack with this toolkit . Utilizing Universal 2nd Factor authentication instead of traditional 2 factor services is the most successful way to prevent this attack as it completely prevents it from working. It is also important to continue training employees about the ever evolving attack landscape so that they can successfully identify and avoid these attacks.

Sources:

https://www.csoonline.com/article/3399858/phishing-attacks-that-bypass2-factor-authentication-are-now-easier-to-execute.html

http://fortune.com/2019/06/04/phishing-scam-hack-two-factorauthentication-2fa/

SensorID, the calibration fingerprinting attack

    Over the years, app security has improved enough that developers must request permissions to areas of your smartphone that their applications need to access. Now we have some control over which apps have access to things such as your camera or extended storage. But did you know that there are still parts of your phone that require no permissions whatsoever? The average smartphone can have over a dozen sensors in it from accelerometers and gyroscopes to proximity sensors and GPS. When these sensors are calibrated at the factory, each one comes off the line with tiny imperfections. This results in each phone having its own unique fingerprint baked right into the firmware and accessible from any application or website.

    SensorID, the calibration fingerprinting attack, uses the calibration data from iOS magnetometers and gyroscopes and Android accelerometers, magnetometers, and gyroscopes to create a unique profile of a phone. Because this type of a fingerprint doesn’t change, a user could potentially be tracked across any application and on any website without ever knowing about it. The calibration data can be pulled from a device nearly instantly and requires little more than an app download or some JavaScript. 

    Apple devices are disproportionately impacted by SensorID due to the more rigorous calibration processes they go through at the factory, but the good news is that Apple addressed the issue in their March release of iOS 12.2. Junk data is now added to the calibration data to eliminate the fingerprint.
On the other hand, Google has yet to address the vulnerability, leaving some Android devices still open to this attack. It's mainly the higher-end Androids that are vulnerable as the less expensive devices often skip the sensor calibration step to save on cost, thus there exists no calibration data on the device to exploit. Google researchers are supposedly looking into the issue. 

    Even if your device is open to a calibration fingerprinting attack, there are still plenty of simpler attacks that cyber criminals (or advertisers) are more likely to leverage before one like SensorID.

    While that's not exactly comforting, hopefully SensorID has been cut off at the pass before it could become a bigger problem. 
Sources

https://nakedsecurity.sophos.com/2019/06/03/your-phones-sensors-could-be-used-as-a-cookie-you-cant-delete/

https://www.zdnet.com/article/android-and-ios-devices-impacted-by-newsensor-calibration-attack/

https://www.ieee-security.org/TC/SP2019/papers/405.pdf

Draft NIST Cybersecurity Whitepaper on Adopting a Secure Software Development Framework (SSDF)


NIST has released a Draft NIST Cybersecurity White Paper for public comment, Mitigating the Risk of Software Vulnerabilities by Adopting a Secure Software Development Framework (SSDF). This white paper recommends a core set of high-level secure software development practices, called a secure software development framework (SSDF), to be added to each software development life cycle (SDLC) implementation.

The paper facilitates communications about secure software development practices amongst business owners, software developers, and cybersecurity professionals within an organization. Following these practices should help software producers reduce the number of vulnerabilities in released software, mitigate the potential impact of the exploitation of undetected or unaddressed vulnerabilities, and address the root causes of vulnerabilities to prevent future recurrences. Software consumers can reuse and adapt the practices in their software acquisition processes.

The public comment period ends August 5, 2019. See the publication details link for a copy of the document and instructions for submitting comments.

Publication details:


 

Thursday, June 6, 2019

Microsoft releases new Security baseline (FINAL) for Windows 10 v1903 and Windows Server v1903

Download the content from the Microsoft Security Compliance Toolkit (click Download and select Windows 10 Version 1903 and Windows Server Version 1903 Security Baseline.zip).

Note that Windows Server version 1903 is Server Core only and does not offer a Desktop Experience (a.k.a., “full”) server installation option. In the past we have published baselines only for “full” server releases – Windows Server 2016 and 2019. Beginning with this release we intend to publish baselines for Core-only Windows Server versions as well. However, we do not intend at this time to distinguish settings in the baseline that apply only to Desktop Experience. When applied to Server Core, those settings are inert for all intents and purposes.

This new Windows Feature Update brings very few new Group Policy settings, which we list in the accompanying documentation. This baseline recommends configuring only two of those. However, we have made several changes to existing settings, including some changes since the draft version of this baseline that we published last month.

The changes from the Windows 10 v1809 and Windows Server 2019 baselines include:


  • Enabling the new “Enable svchost.exe mitigation options” policy, which enforces stricter security on Windows services hosted in svchost.exe, including that all binaries loaded by svchost.exe must be signed by Microsoft, and that dynamically-generated code is disallowed. Please pay special attention to this one as it might cause compatibility problems with third-party code that tries to use the svchost.exe hosting process, including third-party smart-card plugins.

  • Configuring the new App Privacy setting, “Let Windows apps activate with voice while the system is locked,” so that users cannot interact with applications using speech while the system is locked.

  • Disabling multicast name resolution (LLMNR) to mitigate server spoofing threats.

  • Restricting the NetBT NodeType to P-node, disallowing the use of broadcast to register or resolve names, also to mitigate server spoofing threats. We have added a setting to the custom “MS Security Guide” ADMX to enable managing this configuration setting through Group Policy.

  • Correcting an oversight in the Domain Controller baseline by adding recommended auditing settings for Kerberos authentication service.

  • Dropping the password-expiration policies that require periodic password changes. This change is discussed in further detail below.

  • Dropping the specific BitLocker drive encryption method and cipher strength settings. The baseline has been requiring the strongest available BitLocker encryption. We are removing that item for a few reasons. The default is 128-bit encryption, and our crypto experts tell us that there is no known danger of its being broken in the foreseeable future. On some hardware there can be noticeable performance degradation going from 128- to 256-bit. And finally, many devices such as those in the Microsoft Surface line turn on BitLocker by default and use the default algorithms. Converting those to use 256-bit requires first decrypting the volumes and then re-encrypting, which creates temporary security exposure as well as user impact.

  • Dropping the File Explorer “Turn off Data Execution Prevention for Explorer” and “Turn off heap termination on corruption” settings, as it turns out they merely enforce default behavior, as Raymond Chen describes here.

Additional changes that we have adopted since publishing the draft version of this baseline include:


  • Dropping the enforcement of the default behavior of disabling the built-in Administrator and Guest accounts. We had floated this proposal at the time of the draft baseline, and have since decided to accept it. The change is discussed in more detail below.

  • Dropped a Windows Defender Antivirus setting that applies only to legacy email file formats.

  • Changed the Windows Defender Exploit Protection XML configuration to allow Groove.exe (OneDrive for Business) to launch child processes, particularly MsoSync.exe which is necessary for file synchronization.

  • GO Here for the full article

 

Friday, May 31, 2019

Docker Vulnerability

    Docker is a well known application that uses operating-system-level virtualization to develop and deliver software in packages called containers. Senior software engineer Aleksa Sarai discovered a flaw that affects all versions of Docker, that could allow an attacker to gain read and write access to any file on the host system. Recently, a proof-of-concept code has been released demonstrating how an attacker could use this vulnerability.

     The vulnerability stems from FollowSymlinkInScope function, allowing a basic time-of-check to time-of-use (TOCTOU) attack that gives read and write access to any file on the host system. The purpose of the FollowSymlinkInScope is to “resolve a specified path in a secure manner by treating the processes as if they were inside the Docker container.” The resolved path is not operated on immediately, meaning that an attack could potentially speculate on the gap and then add a symbolic link path that could resolve on the host with root privileges. The docker cp utility is what allows copying content from Docker containers to the host file system.

    There are a few different approaches being proposed when it comes to addressing this vulnerability. Sarai proposed making changes to “chrootarchive.” This would allow archive operations to take place in a secure environment where the root is the container “rootfs.” However, this would involve changing a core piece of Docker, which is not feasible. According to Sarai, “Unfortunately, changes to this core piece of Docker are almost impossible (the TarUntar interface has many copies and re-implementations that would all need to be modified to be able to handle a new ‘root’ argument). Therefore, another approach that has been proposed is to pause the container when using the file system. This would not actually prevent all of the possible attacks. However, it would protect against some of the more basic attacks. A patch to do just this has been submitted upstream and is currently under review.

    Sarai provided two different scripts to show off the exploit, one for read and one for write. Sarai explained the scripts are “...a fairly dumb reproducer which basically does a RENAME_EXCHANGE of a symlink to “/” and an empty directory in a loop, hoping to hit the race condition. Then our “user” attempts to copy a file from the path repeatedly,” explained the expert. “You can call it like this (note that since this requires exploiting a race condition, only a small percentage of the attempts succeed — however if I had made my reproducer a bit more clever about how quickly it does the RENAME_EXCHANGE it could be more likely to hit the race).” Sarai explained that the success rate with this exploit is about .06%, which seems low, but realistically, it would only take about 12 seconds for this exploit to reach success. 
Sources: • https://securityaffairs.co/wordpress/86272/hacking/docker-race-condition-flaw.html 
https://nvd.nist.gov/vuln/detail/CVE-2018-
https://github.com/moby/moby/pull/39252

Thursday, May 30, 2019

Intel VISA: Through the Rabbit Hole Undocumented Concern ??

    The end of last month at Black Hat Asia 2019, Mark Ermolov and Maxim Goryachy from Positive Technologies gave a presentation titled “Intel VISA: Through the Rabbit Hole”. Slashdot characterized the presentation as researchers had discovered and abused new and undocumented features in intel chipsets.

    The capability is named Intel Visualization of Internal Signals Architecture (Intel VISA) and it is a utility included in modern Intel chipsets to help with testing/debugging during manufacturing. It is included with Platform Controller Hub (PCH) chipsets, is a part of modern Intel CPUs, and functions much like a logic signal analyzer. It is able to collect signals sent from internal buses and peripherals to the PCH and CPU. Effectively this means unauthorized access to the VISA would expose ANY data to examination by an unscrupulous person to intercept and collect data from the computer memory and function at the lowest possible level.

    The real question is: Is there a real threat? The researchers said they have several methods of enabling Intel VISA and capturing data, including the secretive Intel Management Engine (ME) which has been housed in the PCH since the release of the Nehalem processors and 5-Series chipsets.  But there are caveats. On the positive side, Intel has not publicly disclosed the feature and is only shared with others under a non-disclosure agreement. Additionally, the feature is disabled by default, so attackers must first figure out how to enable it before exploiting it. On the negative side, the researchers found a way to disable Intel VISA using an older Intel ME vulnerability. Intel released a firmware patch that fixes that particular vulnerability in 2017 (INTEL-SA-00086), but unless there was an explicit update to the firmware (it’s not correctable via OS update) the CPU remains affected.

      It’s worth noting that if the attacker has exploited the Intel ME vulnerability, they are well into your system and there is little additional capability offered via VISA that they don’t already have. But back on the negative side, if an attacker finds an alternate to enable VISA, that could indeed become a new attack vector.

     The researchers indicated that they know three alternate ways to enable VISA, which they revealed in the presentation slides (link below). The bigger question remains: what other secret or undocumented modes/ features lie in Intel's CPUs? Intel may try to keep them secret from the public, but security through obscurity is no paradigm to follow.
   As the researchers proved, people will uncover those secret features, and some will abuse them.

Sources:

https://i.blackhat.com/asia-19/Thu-March-28/bh-asia-Goryachy-Ermolov-Intel-Visa-Through-the-Rabbit-Hole.pdf

https://www.zdnet.com/article/researchers-discover-and-abuse-new-undocumented-feature-in-intel-chipsets/

Steganography techniques that deliver malware

    Researchers at Blackberry’s Cylance Labs have discovered novel techniques utilizing steganography, the practice of concealing a file, message, image, or video within another file, message, image, or video, to load malware payloads onto victims’ machines. 

    The Advanced Persistent Threat (APT) group “OceanLotus”, primarily believed to be Vietnam-based, is using steganography techniques to deliver malware backdoors on compromised systems. The malware loader utilizes steganography techniques to read an encrypted payload contained within an image file to decrypt and execute the malicious payload which loads one of two backdoors onto the machine. The backdoors are associated with OceanLotus’ parent cyber espionage group, APT32, and were first discovered back in 2017, namely the Denes backdoor and the Remy backdoor. 

    Researchers at Cylance labs pointed out that it would not be difficult to swap out the backdoors for some other malicious payload and that what is essential is the tactic of using steganography to hide the payload and that it would still be just as effective. The threat actor would encode the image with their payload of choice before distributing it with a simple decoder to the target.   The obfuscation of the malware payload loading portion of the technique is what’s impressive from a security detection point of analysis.

    The group has seemingly avoided discovery using common steganography detection techniques. To accomplish this, they utilize the “bespoke” tool to encode data into the images using a least significant bit approach to both minimize visual differences between the encoded image with it’s original and to avoid detection/ analysis by discovery tools.

    “The user does not interact with the image (nor is the image sent via email), rather the image is used to hide the payload from analysts/tools/monitoring software. In a way, the payload is hiding in plain sight, as an image carrying a payload will be virtually indistinguishable from an original image”, said Tom Bonner, BlackBerry Cylance director of threat research.  

    The payload, once executed and loaded onto the machine, then downloads Dynamic Link Libraries (DLL) and Command and Control communications libraries that are heavily obfuscated with large quantities of useless junk code, said researchers from Cylance. The junk code significantly inflates the library’s size which makes both static analysis and debugging more difficult.

Source:
• https://cyware.com/news/oceanlotus-threat-actor-group-leveragessteganography-to-deliver-backdoors-781be11c 

NIST Mobile Application Single Sign-On: 2nd Draft of SP 1800-13 Available for Comment


The National Cybersecurity Center of Excellence (NCCoE) at NIST is seeking comments on a revised draft of the practice guide NIST SP 1800-13, Mobile Application Single Sign-On. The guide aims to help public safety first responder personnel efficiently and securely gain access to their mission-critical data via mobile devices and applications. 

The goal of this project is to illustrate a method for public safety organizations to deploy efficient and interoperable multifactor authentication and single sign-on tools to protect access to sensitive information while meeting the demands of an operational environment that relies on rapid response. This revision of the original NIST SP 1800-13 was updated at the request of the public safety community to incorporate iOS version 12. Organizations are encouraged to review the draft and provide feedback for possible incorporation into the practice guide.

This project will result in a publicly available NIST Cybersecurity Practice Guide (NIST SP 1800 series) --a detailed implementation guide of the practical steps needed to implement a cybersecurity reference design that addresses a particular challenge. 

The public comment period ends on June 28, 2019. See the publication details for links to the document files and instructions for submitting comments.

Publication details:
https://csrc.nist.gov/publications/detail/sp/1800-13/draft


Project homepage:
https://www.nccoe.nist.gov/projects/use-cases/mobile-sso


 

Saturday, May 25, 2019

What new in Windows 10 build 1903

Microsoft has always focused on building the tools and platforms that IT needs to be successful. In this era of digital disruption, we are working to deliver a modern workplace experience that is loved by users and trusted by IT. This focus is at the heart of how we build Windows 10—bringing you the latest advances in security, IT tools, and productivity, anchored in intelligence powered by the cloud. 

I’m happy to announce that Windows 10, version 1903 is now available through Windows Server Update Services (WSUS) and Windows Update for Business, and will be able to be downloaded today from Visual Studio Subscriptions, the Software Download Center (via Update Assistant or the Media Creation Tool), and the Volume Licensing Service Center[i]. Today marks the start of the servicing timeline for this Semi-Annual Channel release, and we recommend that you begin rolling out Windows 10, version 1903 in phases across your organization—validating that your apps, devices, and infrastructure work well with this new release before broad deployment.

As you look to roll out this new update to your organization, here are some of the new capabilities that will enable you to benefit from intelligent security, simplified updates, flexible management, and enhanced productivity. For a closer look at these improvements, join me and my colleague Alan Meeus for a one-hour webcast on Tuesday, May 28, 2019, then bring your questions to our next Windows 10 Ask Microsoft Anything (AMA) event on Tuesday, June 4, 2019.
To see the full article go here

Tuesday, May 14, 2019

Microsoft Releases a critical Remote Code Execution vulnerability for Windows 7, Windows Server 2008 R2, and Windows Server 2008

Microsoft released fixes for a critical Remote Code Execution vulnerability, CVE-2019-0708, in Remote Desktop Services – formerly known as Terminal Services – that affects some older versions of Windows. The Remote Desktop Protocol (RDP) itself is not vulnerable. This vulnerability is pre-authentication and requires no user interaction. In other words, the vulnerability is ‘wormable’, meaning that any future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017. While we have observed no exploitation of this vulnerability, it is highly likely that malicious actors will write an exploit for this vulnerability and incorporate it into their malware. 

Now that I have your attention, it is important that affected systems are patched as quickly as possible to prevent such a scenario from happening. In response, we are taking the unusual step of providing a security update for all customers to protect Windows platforms, including some out-of-support versions of Windows. 

Vulnerable in-support systems include Windows 7, Windows Server 2008 R2, and Windows Server 2008. Downloads for in-support versions of Windows can be found in the Microsoft Security Update Guide. Customers who use an in-support version of Windows and have automatic updates enabled are automatically protected.  

Out-of-support systems include Windows 2003 and Windows XP. If you are on an out-of-support version, the best way to address this vulnerability is to upgrade to the latest version of Windows. Even so, we are making fixes available for these out-of-support versions of Windows in KB4500705

Customers running Windows 8 and Windows 10 are not affected by this vulnerability, and it is no coincidence that later versions of Windows are unaffected. Microsoft invests heavily in strengthening the security of its products, often through major architectural improvements that are not possible to backport to earlier versions of Windows.  

There is partial mitigation on affected systems that have Network Level Authentication (NLA) enabled. The affected systems are mitigated against ‘wormable’ malware or advanced malware threats that could exploit the vulnerability, as NLA requires authentication before the vulnerability can be triggered. However, affected systems are still vulnerable to Remote Code Execution (RCE) exploitation if the attacker has valid credentials that can be used to successfully authenticate. 

It is for these reasons that we strongly advise that all affected systems – irrespective of whether NLA is enabled or not – should be updated as soon as possible.  

Resources
Links to downloads for Windows 7, Windows 2008 R2, and Windows 2008
Links to downloads for Windows 2003 and Windows XP  


Source Microsoft TechNet

Wednesday, May 8, 2019

New About Bitlocker enhancements

Microsoft is excited to announce enhancements to BitLocker management capabilities in both Microsoft Intune and System Center Configuration Manager (SCCM), coming in the second half of 2019. Whether your management infrastructure is on-premises or in the cloud, robust BitLocker management is required for today’s enterprises to secure modern endpoints.
 
Microsoft provides a range flexible BitLocker management alternatives to meet your organization’s needs, as follows:
  •     Cloud-based BitLocker management using Microsoft Intune
  •     On-premises BitLocker management using System Center Configuration Manager
  •     Microsoft BitLocker Administration and Monitoring (MBAM)

To learn more about the new enhancements to BitLocker Go Here
Detailed Information found on Microsoft web site..

Monday, May 6, 2019

Alert: Phishing Scam Email From "sales@icann.org"

Normally I would not post a Phishing attack but this one seems to be working
02 May 2019
LOS ANGELES – 2 May 2019 – The Internet Corporation for Assigned Names and Numbers ("ICANN") has received reports that a phishing email from "sales@icann.org" has been sent to ICANN contracted parties.
The sales@icann.org email address, for example, is not a valid ICANN organization email address. Contracted parties may have recently received emails from "accounting@erp.icann.org", which is a valid ICANN org email address. If you receive an email from the "sales@icann.org" address, or any other suspicious email address, do not respond. Please forward the email in its entirety to globalsupport@icann.org.
For additional information about phishing scams, visit https://www.icann.org/resources/pages/phishing-2013-05-03-en.

About ICANN

ICANN's mission is to help ensure a stable, secure, and unified global Internet. To reach another person on the Internet, you need to type an address – a name or a number – into your computer or other device. That address must be unique so computers know where to find each other. ICANN helps coordinate and support these unique identifiers across the world. ICANN was formed in 1998 as a not-for-profit public-benefit corporation with a community of participants from all over the world.
 

New NIST draft practice guide, SP 1800-15, “Securing Small-Business and Home Internet of Things (IoT) Devices


The National Cybersecurity Center of Excellence (NCCoE) has published a preliminary draft practice guide, SP 1800-15, “Securing Small-Business and Home Internet of Things (IoT) Devices: Mitigating Network-Based Attacks Using Manufacturer Usage Description (MUD),” and is seeking public comments. The popularity of IoT devices is growing rapidly, as are concerns over their security. IoT devices are often vulnerable to malicious actors who can exploit them directly and use them to conduct network-based attacks. SP 1800-15 describes for IoT product developers and implementers an approach that uses MUD to automatically limit IoT devices to sending and receiving only the traffic that they require to perform their intended functions.

We will use this feedback to help shape the next version of this document.

Please submit your comments by June 24, 2019. See the publication details link below for a copy of the document and instructions for submitting comments.


New NIST Drafts 8213 Reference for Randomness Beacons: Format and Protocol Version 2


NIST has released Draft NIST Internal Report (NISTIR) 8213, A Reference for Randomness Beacons: Format and Protocol Version 2, for public comment. A randomness beacon is a timed source of public randomness. It pulsates fresh randomness at expected times and makes it available to the public. The pulses contain random values that are timely generated, stored, timestamped, signed and hash-chained in a publicly-readable database. Thereafter, any external user can retrieve—via database queries—any past pulse and its associated data. Beacons offer the potential to improve fairness, auditability and efficiency in numerous societal applications that require randomness. A notable benefit of using public randomness is in enabling after-the-fact verifiability, for the purpose of public transparency.

Draft NISTIR 8213 provides a reference for implementing interoperable randomness beacons. The document defines terminology and notation, a format for pulses, a protocol for beacon operations, hash-chaining and skiplists of pulses, and the beacon interface calls. It also provides directions for how to use beacon randomness, and includes security considerations. With the release of this draft publication, NIST intends to seek constructive feedback from interested parties.

The public comment period for this draft closes on August 5, 2019. See the publication details link below for the document and instructions for submitting comments.

NOTE:  A call for patent claims is included on page iv of this draft. For additional information, see the Information Technology Laboratory (ITL) Patent Policy--Inclusion of Patents in ITL Publications.

Publication detaills:
https://csrc.nist.gov/publications/detail/nistir/8213/draft


NIST Randomness Beacon project:
https://www.nist.gov/programs-projects/nist-randomness-beacon



Saturday, May 4, 2019

E-mail Signature Verification Methods Secuity Issue

    E-mail changed the communication world forever, allowing for instant communication as opposed to what is now commonly referred to as “snail mail”. When it was designed, security was not really a concern that was built in. Over time cryptographic methods were developed to help communicators verify the authenticity of senders through electronic signatures, such as the OpenPGP and Signed Multipurpose Internet Mail Extensions (S/MIME) standards. However, new research has discovered some serious flaws in many popular implementations of these methods.

    Researchers from Ruhr University Bochum and M√ľnster University of Applied Sciences tested 25 popular e-mail clients from various operating systems including Windows, Linux™, macOS, iOS, and Android as well as web-based clients to see how they fared against signature spoofing attacks. The team used five attack classes with the goal of the attacker being able to “create and send an email with arbitrary content to Bob whose email client falsely indicates that the email has been digitally signed by Alice” where Bob and Alice are legitimate communicators who have securely exchanged cryptographic keys/certificates.

These classes are:
    • Exploiting flaws due to mishandling of Cryptographic Message Syntax (CMS).
    • Performing GnuPG API injection attacks.
    • MIME attacks against handling of partially signed messages.
    • Displaying a valid ID on the e-mail header with a false signature.
• Using HTML and CSS to mimic valid signatures in the user interface.
    The testing revealed that 14 of 20 OpenPGP clients and 15 of 22 S/MIME clients were at least partially vulnerable to these attacks. Many were able to be tricked with spoofed signatures on all UI levels, with all of the subset being able to spoof a signature even with limitations that could still go unnoticed by users. The only client to show no vulnerabilities on the OpenPGP or S/MIME tests was the web client Horde/IMP. This testing shows that just because certain standards and methods may be in wide use doesn’t necessarily mean they are secure by default. For a full list of tested clients and detailed testing methods and results, please refer to the “johnny-fired” PDF from the researchers linked below.
Sources:
https://thehackernews.com/2019/04/email-signature-spoofing.html 
https://github.com/RUB-NDS/Johnny-You-Are-Fired/raw/master/paper/johnny-fired.pdf
https://www.technadu.com/popular-email-clients-vulnerable-signaturespoofing-attacks/66443/05

Dells SupportAssist Vulnerability

    The Dells SupportAssist software is currently associated with a vulnerability allowing Remote Code Execution (RCE) attacks. It comes pre-installed on virtually all new Dell devices running Windows®, the SupportAssist application "proactively checks the health of your system’s hardware and software. When an issue is detected, the necessary system state information is sent to Dell for troubleshooting to begin."

    Dell released an advisory, DSA-2019-051: Dell SupportAssist Client Multiple Vulnerabilities, where it announced "An unauthenticated attacker, sharing the network access layer with the vulnerable system, can compromise the vulnerable system by tricking a victim user into downloading and executing arbitrary executables via SupportAssist client from attacker hosted sites." The vulnerability is being tracked as CVE-2019-3719 and comes with a Base Severity score 8.0 HIGH in NIST’s CVE database. MITRE has performed an analysis on the vulnerability and has also added that description to the CVE stating, “Dell SupportAssist Client versions prior to 3.2.0.90 contain a remote code execution vulnerability. An unauthenticated attacker, sharing the network access layer with the vulnerable system, can compromise the vulnerable system by tricking a victim user into downloading and executing arbitrary executables.”
    Primarily Dell uses the SupportAssist application to be able to install drivers and other software remotely, but to accomplish this, it must be able to detect what is already present on your system.   Installing the SupportAssist package installs two packages, the SupportAssistAgent, and the Dell Hardware Support service. The services essentially expose a REST API of sorts which supports the communication between the service and Dell’s websites.

    Security researcher Bill Demirkapi who discovered the vulnerability states in his blog “On start, Dell SupportAssist starts a web server (System.Net.HttpListener) on either port 8884, 8883, 8886, or port 8885. The port depends on whichever one is available, starting with 8884. On a request, the ListenerCallback located in HttpListenerServiceFacade calls ClientServiceHandler.ProcessRequest.
ClientServiceHandler.ProcessRequest, the base web server function, starts by doing integrity checks for example making sure the request came from the local machine and various other checks. Later in this article, we’ll get into some of the issues in the integrity checks, but for now most are not important to achieve RCE.”

    It should also be noted that Demirkapi discovered the vulnerability in September of 2018 and promptly sent a write up to Dell explaining the RCE vulnerability. Dell confirmed the vulnerability on 11/22/2018 and finally released a patch and advisory on 4/18/2019. 
Sources: 
https://nvd.nist.gov/vuln/detail/CVE20193719#vulnCurrentDescriptionTitle
https://d4stiny.github.io/RemoteCode-Execution-on-most-Dellcomputers

Thursday, May 2, 2019

Windows Server Summit 2019 on May 22nd, 2019

Wednesday, May 22, 2019 9:00 AM–11:00 AM Pacific Time

Join this virtual event to learn about strategies, insights, and technologies to modernize and manage your Windows Server ecosystem. Be among the first to learn about exciting new product capabilities. 
You’ll also:
  • Discover what’s new in Windows Server 2019, Windows Admin Center, and Azure Stack HCI.
  • Learn how to take advantage of Azure services to integrate your on-premises environment with the cloud. 
  • Get tips and tricks to modernize your evolving applications and infrastructure before support for Windows Server 2008 and 2008 R2 ends. 
Agenda:
  • Innovations in Microsoft’s hybrid strategy: Deep dive into Microsoft’s hyperconverged technologies and how to add hybrid services from Azure.
  • Modernize Windows Server apps and workloads: Learn about security, Remote Desktop Services, containers, and features on demand.
  • New in management and security: See what’s new in Windows Admin Center, System Center 2019, and Windows Server 2019.
  • Insights and best practices: Chat with Windows Server community experts.
  • Looking ahead: Learn more about Windows Server Semi-Annual Channel and Windows Server on Azure.
Register here

Hawkeye malware kit

    Researchers have found a new version of the Hawkeye malware kit and have noticed that alongside technical advances, they’ve included some business improvements.

    While Hawkeye has been a product since 2013, the recent change in ownership at the end of 2018 has decided that change beyond just its capabilities is in order. Providing a business via a licensing model extends the longevity and security of a revenue source and maintains the sales relationship with minimal effort. Including a terms of service that forbids illicit use sheds a small degree of liability, but including a restriction against their product being scanned by antivirus software seems to negate any possible plausible deniability. These steps seem to be an effort to distance the provider from the “troubled youth” of the malware and legitimize it to some degree but utterly fails to actually reform it.

    The malware itself is found in ongoing malware campaigns since mid 2018, before the regime change. The formula adheres to many of the usual suspects: vague emails about fiscal functions and duties that sound urgent, confirmations and audits of things that require oversight, general notices of company gatherings with details not contained in the body of the email, and other pedestrian and mundane pieces of bait for the weaponized Excel hook. Sometimes an RTF or Doc file is used for older campaigns and occasionally the malicious document is stored a few more steps away in a drobox or other file sharing location.

    The current attacks use the CVE-2017-11882 vulnerability, a buffer overflow vulnerability in Excel’s equation editor. It triggers the memory handling error when the  data sent for the font name is too long which then allows the attacker to execute arbitrary code on the victims machine with the victims level of privilege. 
    At this point the attacker downloads a payload from an attacker controlled server, which decompiles itself and retrieves a final payload which cements Hawkeye in the user’s system. The researchers found tools not used in the current campaign such as Anti-Virtual machine detection, USB drive infection, and others.
   Hawkeye itself offers keylogging, systems monitoring, and other espionage tools as well as a way to exfiltrate data collected and technical support for as long as your license is valid. The latest campaign hinges on a vulnerability that has since been patched. As always, update your programs and be vigilant of any suspicious documents.
Sources: 
https://securityaffairs.co/wordpress/84008/malware/hawkeyestealer.html
https://blog.talosintelligence.com/2019/04/hawkeye-reborn.html
https://threatpost.com/hawkeye-keylogger-malspam-campaigns/143807/