Wednesday, October 16, 2019

Is Your VPN at Risk ?

    A commonly used method to secure network resources is a Virtual Private Network (VPN). They allow remote network devices to securely communicate with local resources as if they were physically plugged into the same network segment. You may even use one when working remotely to help keep your network traffic secure. While they can easily provide a lot of protection from various network attacks there are many pitfalls to avoid in order to keep the network resources secure.

    One common mistake when setting up a VPN is not properly securing the devices that the VPN provides access to. Because the servers or devices will not have direct inbound internet access many times a relaxed security policy is taken. This is because it is assumed that in order to access them an attacker would first have to either be on the network directly or be connected tuourhrough the VPN. Another common mistake is not regularly updating the VPN software. There are many reasons this can occur, including avoiding downtime or not wanting to break something that appears to be working fine as is.

    This week the National Security Agency (NSA) issued an advisory stating that APT groups have been actively using flaws in some popular VPN software to attack networks. They say the groups have weaponized three vulnerabilities against two pieces of VPN software, Pulse Secure VPN and Fortinet VPN. Two of the vulnerabilities, CVE-2019-11539 and CVE-201911510 specifically target Pulse Secure VPN servers. They allow remote unauthenticated command injection and arbitrary file reads on the VPN server device. The remaining vulnerability, CVE-201813379, targets Fortinet VPN servers and allows for remote unauthenticated arbitrary file reads from the server device. The National Cyber Security Center in the UK posted a separate advisory which added CVE-2018-13383 and CVE-2018-13383 to the list of vulnerabilities being used against Fortinet devices. Palo Alto Networks VPN software was also added to the vulnerable devices list with attackers utilizing CVE-2019-1579 for remote code execution on the affected VPN servers.

    In total the two agencies reported six vulnerabilities against three separate VPN software vendors. For each of the affected VPN products the vulnerabilities being used could allow an attacker access to the network resources as if the attacker were physically on the network. All of the affected products have updates available to fix these flaws so it is important that they are updated immediately if an affected version is still in use. The NSA also recommends rotating any existing VPN keys or tokens just in case they were stolen before the patches were able to be applied. 
Sources:

https://threatpost.com/apt-groupsexploiting-flaws-in-unpatched-vpnsofficials-warn/148956/

https://www.cyberscoop.com/vpnvulnerabilities-china-apt-palo-alto/

Saturday, October 5, 2019

Ransomware attacks across the world - TheCybersecurity and Infrastructure Security Agency (CISA)

The Cybersecurity and Infrastructure Security Agency (CISA) has observed an increase in ransomware attacks across the world: See CISA's Awareness Briefings on Combating Ransomware, Joint Ransomware Statement, and CISA Insights – Ransomware Outbreak
Ransomware is a type of malicious software, or malware, designed to deny access to a computer system or data until a ransom is paid. Ransomware typically spreads through phishing emails or by unknowingly visiting an infected website.
Ransomware can be devastating to an individual or an organization. Anyone with important data stored on their computer or network is at risk, including government or law enforcement agencies and healthcare systems or other critical infrastructure entities. Recovery can be a difficult process that may require the services of a reputable data recovery specialist, and some victims pay to recover their files. However, there is no guarantee that individuals will recover their files if they pay the ransom.
CISA recommends the following precautions to protect users against the threat of ransomware:
  • Update software and operating systems with the latest patches. Outdated applications and operating systems are the target of most attacks.
  • Never click on links or open attachments in unsolicited emails.
  • Backup data on a regular basis. Keep it on a separate device and store it offline.
  • Follow safe practices when browsing the Internet. Read Good Security Habits for additional details.
In addition, CISA also recommends that organizations employ the following best practices:
  • Restrict users’ permissions to install and run software applications, and apply the principle of “least privilege” to all systems and services. Restricting these privileges may prevent malware from running or limit its capability to spread through a network.
  • Use application whitelisting to allow only approved programs to run on a network.
  • Enable strong spam filters to prevent phishing emails from reaching the end users and authenticate inbound email to prevent email spoofing.
  • Scan all incoming and outgoing emails to detect threats and filter executable files from reaching end users.
  • Configure firewalls to block access to known malicious IP addresses.
See the Ransomware Security Publication, technical guidance on How to Protect Your Networks from Ransomware, and CISA's Awareness Briefings on Combating Ransomware, Joint Ransomware Statement, and CISA Insights – Ransomware Outbreak for more information.
For recent CISA Alerts on specific ransomware threats, see:
Victims of ransomware should report it immediately to CISA at www.us-cert.gov/report, a local FBI Field Office, or Secret Service Field Office.

NCSC Releases Fact Sheet on DNS Monitoring

Original release date: October 4, 2019

The Dutch National Cyber Security Centre (NCSC) has released a fact sheet on the increasing difficulty of Domain Name System (DNS) monitoring. NCSC warns that although modernization of transport protocols is helpful, it also makes it more difficult to monitor or modify DNS requests. These changes could render an organization’s security controls ineffective.

The Cybersecurity and Infrastructure Security Agency (CISA) recommends users and administrators review the Dutch NCSC fact sheet on DNS monitoring for additional information and recommendations.

Microsoft Reports Cyberattacks on Targeted Email Accounts


Original release date: October 4, 2019

The Microsoft Threat Intelligence Center (MSTIC) has released a blog post describing an increase in malicious cyber activity from the Iranian group known as Phosphorus. These threat actors are exploiting password reset or account recovery features to take control of targeted email accounts.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users to review the Microsoft blog for additional information and recommendations and CISA’s Tip on Supplementing Passwords.

New Portable Document Format (PDF) attack on encryption features

    The Portable Document Format (PDF) standard has been able to provide many benefits that unify communications across many different software and hardware platforms. One of those elements is the encryption schemes that allow users to password protect their documents from view, edit, or saving permissions without the required password. Another encryption feature included with the PDF standard is the ability to sign documents with an electronic signature with the same legal standing as a handwritten signature, this may include digital signing which uses cryptographic measures to assure authenticity.

    Researchers from Ruhr University Bochum, FH M√ľnster University of Applied Sciences, and Hackmanit GmbH have developed a two pronged attack on the security measures of PDFs and their encryption schemes. They have named their attack PDFex. In their research they developed methods for the exfiltration of the contents of the encrypted PDF with minimal prior knowledge of the contents of the PDF file. The methods studied can also modify the contents to change the plain text as well as add malicious functionality. The first prong of PDFex attack methods rely on how an encrypted PDF only encrypts portions of the PDF file leaving other portions unencrypted and unprotected. The attacker is then able to modify the contents of the unencrypted portions of the file. In this way they can plant data which submits a form including the contents of the PDF to an attacker controlled server granting the attacker access to the contents of the PDF. The attacker can edit an unencrypted field with a URL which will be sent encrypted and unencrypted strings from the document. The last method in this attack on the unencrypted portion of PDF files injects JavaScript code into the document which then ex filtrates the data within the file. This is the "Direct Exfiltration" method of the PDFex attack.

    The other prong of this attack uses CBC malleability gadgets, tools that are able to edit cipher texts encrypted with the cipher block chaining (CBC) encryption mode without integrity checks. It just so happens that the PDF standard does exactly that. This method can modify plain text as well as add in new encrypted content to the file. This technique can enact the PDF forms and hyperlink techniques as listed in the Direct Exfiltration method. The CBC Gadgets method can also edit PDF object streams such that they submit themselves to an attacker controlled server. Both attacks require the victim to open the tainted document so that the traps can deliver the finally decrypted information to the attacker. The researchers have tested their techniques on 27 PDF viewers and all were susceptible to at least one method of the PDFex attack.
    The attack requires that the attacker have access to the file to modify it, some of the attacks have other requirements such as the ability to trigger URL s from the viewer, or for the viewer to have permission to use JavaScript in the background. One of the researchers reported to Threatpost that "There are currently no effective countermeasures, as the weaknesses lie in the PDF encryption standard itself" and that the best mitigation is to use additional layers of encryption outside of the PDF standard to protect their data.

Sources:

https://www.pdf-insecurity.org/download/paper-pdf_encryptionccs2019.pdf

https://threatpost.com/hack-breakspdf-encryption/148834/

New Malware Uses messaging app Telegram

    Remote malware has been around for almost the entire history of computers. Attackers are always looking for ways to exfiltrate data from systems and be able to control their malware from a remote location. The Command & Control (C2) devices are usually servers controlled by the attacker, but a new malware dubbed by Juniper researchers as Masad has taken a different approach: using the messaging app Telegram for its C2 functions.

    Telegram is a popular messaging and Voice-over-IP (VoIP) app with over 200 million active monthly users. This makes it a pretty good place to try and hide malicious activity. Masad uses the sendDocument API of Telegram to exfiltrate data stolen from victims as a 7zip archive. Juniper has detected over 1,000 variants of Masad in the wild, as well as 338 unique Telegram C2 bots related to its use. Due to the malware being sold as a product rather than kept to a particular group, multiple groups can be using Masad for different campaigns. The developers of Masad have even created a group within Telegram with over 300 members, designed for potential clients and tech support.
Masad’s attack vectors include disguising itself as a legitimate tool or hiding itself in other third-party tools. For instance, it has been seen mimicking CCleaner, Utilman, Whoami, ProxySwitcher, a Samsung Galaxy software update, and many others. The developers have also included current trends in gaming, especially for younger internet users that may not be security conscious, by hiding Masad as Fortniteaimbot 2019.exe and an EXEA HACK CRACKED executable claiming to be for PUBG, CounterStrike Global Offensive, Fortnite, Grand Theft Auto 5, and DOTA.

    The malware also has the capability to download additional malicious tools, usually more cryptominers. Masad has a wide array of abilities for information stealing in addition to its cryptomining. It can steal system information including running processes, desktop files and screenshots, browser information such as cookies, passwords, credit cards, and AutoFill data, as well as Steam, FileZilla, and Discord files. Masad is also being advertised as a Clipper which looks for cryptocurrency wallet information in the system’s clipboard and replaces it with the attacker’s wallet information. It searches for over two dozen different flavors of cryptocurrency, including Bitcoin, Litecoin, Monero, Ethereum, and DogeCoin.

    Juniper researchers recommend locking down the Telegram communication protocol at the firewall level provided there is no legitimate business use that this would interrupt. They also suggest using a next-generation firewall with Advanced Persistent Threat (APT) protection to help counteract the malware if it gets inside the organization.

Sources

https://threatpost.com/masad-spyware-telegram-bots/148759/ 

https://coingeek.com/new-malware-uses-telegram-app-to-replace-cryptoaddresses/

https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltratingusing-Telegram/ba-p/468559 

Baseband Management Controllers (BMC) critical vulnerability

    Baseband Management Controllers (BMC) are a popular feature found on most motherboards targeting the server market. They provide a number of convenience functions for remote management which is great for machines typically located in a cold noisy room. Some of the functions they provide include remote power cycling, keyboard video mouse (KVM), and virtual media emulation. The combination of these functions can allow an administrator to provision a server without ever having to touch it. With that much power over the system they are bound to be a highly valuable target for attack.

    This week the security company Eclypsium released a critical vulnerability they found in Supermicro’s BMC implementation. The vulnerability reported is in the virtual media service subsystem. This service allows a remote administrator to attach USB devices, such as DVD drives or keyboards, to the machine remotely as if they were physically plugged into the machine. The feature requires authentication to function properly of course but the researchers found a way to bypass this requirement. 

    The first weakness is that the BMC would accept authentication requests via plaintext by default. They noted that encryption support is available but based on an old weak Rivest Cipher 4 algorithm. In addition, the key used when using encryption is shared across all Supermicro devices, making man-in-the-middle decryption possible. They also uncovered a complete authentication bypass in the system. This is possible because the BMC does not timeout a valid authorized session in a timely manner. An attacker would be able to re-use the session and gain access if an administrator had recently successfully logged into the system and used the virtual media service. BMC systems are rarely reset due to their nature of being an always online out of band management system, increasing the likelihood of this attack being successful.

    Supermicro has issued an update to their BMC software, but it is unlikely that machines will be patched immediately. This is due to the machines needing to be completely powered off in order to apply the update. Until then it is recommended to block the port used by the virtual media service, port 623, until the patch can be applied. Researchers warn that this will likely not be the last BMC vulnerability discovered, so additional measures should be taken when possible. The best defense against these attacks is keeping vulnerable machines on a separate network from other traffic. Ideally management interfaces should be on their own network that is not exposed to public facing traffic.

Sources

 • https://csoonline.com/article/3435900/insecure-virtual-usb-feature-insupermicro-bmcs-exposes-servers-to-attack.html

https://eclypsium.com/2019/09/03/usbanywhere-bmc-vulnerability-opens-servers-to-remote-attack

Fake Veteran Hiring Website

    Researchers at Cisco Talos have discovered a fake veteran hiring website, hosted by an Iranian hacking group, luring users into downloading malware by spoofing a legitimate veteran job search site. The sham website, hiremilitaryheroes.com has been designed to resemble the valid US Chamber of Congress sponsored hireheroesusa.org and is targeting veteran job seekers with malicious code including Remote Administration Trojans and spying tools.

    Researchers have attributed the website to a nation state hacking group known as “Tortoiseshell”, which has since been determined to be aligned with the Iranian hacking team “Imperial Kitten”. Adam Meyers, VP of intelligence at CrowdStrike noted in their research that “Imperial Kitten” is a nation-state hacking group supporting Iran’s Islamic Revolutionary Guard. The modus operandi for the group has been to first target major IT provider networks in Saudi Arabia and then to leapfrog from those provider networks to customer target networks. The Iranian group has been hosting a website with an image from the film “Flags of our Fathers” seen here. The malicious site prompts users to download their “desktop app” for free. The app is a fake installer that downloads malware to the device. The downloads are binary base 64 encoded and perform reconnaissance and provide remote administrative access to the victim’s machine.

    The recon tool collects a vast amount of information from the system including, date and time, installed drivers, patch levels, network configuration, number of processors, hardware and firmware versions, a listing of accounts, and much more. This information is then sent to two hardcoded email addresses in the malware, “ericaclayton2020@gmail.com” and “marinaparks108@gmail.com”. The threat actors also deploy a Remote Access Tool (RAT) which reaches back to the Command and Control (C2) server for further directions from the hacking group. The RAT has functionality allowing it to download additional modules from the internet, zip and unzip files, and to execute commands on the system.
    The malicious website has the potential to impact a large swath of victims due to the nature of this particular attack vector. Americans are supportive of veterans, and one could imagine how many could be infected if this fake site is shared online among social media sites. 

Sources:

https://blog.talosintelligence.com/2019/09/tortoiseshell-fake-veterans.html

Google Play Store and Malicious Applications

    There has always been a battle between the Google Play Store and the malicious applications that attempt to reside on it. Google implements rigorous security testing of all apps, but some can still slip through the cracks. Such was the case when researchers from Symantec’s Threat Intelligence team found 25 instances of malicious apps, with a combined userbase of over 2.1 million, on the Google Play Store. These apps were designed to be camouflaged as photo utility and fashion apps, and upon download, did not exhibit any malicious properties. It wasn’t until the app downloads a remote configuration file that it becomes malicious. This behavior is what allows the app to bypass the security checks implemented by Google. Since the malicious code is not actually in the app and is downloaded remotely, Google is none the wiser. Researchers say that the 25 apps share a similar code structure, leading them to believe that the developers are part of the same organization or, at least, using the same code base. 

    Once installed, the app hides its icon and begins to display full-screen advertisements at random intervals with the app title hidden. This is done to prevent users from determining which app is responsible for the ads. This behavior continues even when the app is closed. This can be confusing for users who cannot even recall downloading the app as there is no icon or name associated with the behavior. Another interesting trick the developers use is the use of two versions of the same app. One version is a malicious version with full-screen advertisements while the other is a non-malicious version, which just so happens to be present in the Google Play’s Top App Charts. The researchers believe that this is done in the hope that users accidentally download the malicious copy of the app instead of the popular, non-malicious version. 

    The researchers believe that the primary reason for the creation of these apps is the monetary gain from the advertising revenue. There will be some subset of users that will continue to deal with the advertisements, despite their annoyance. When downloading apps from the Google Play Store, it can be difficult to determine which are malicious at first glance. In order to protect yourself from malicious applications, the researchers suggest keeping software updated, not downloading apps from unfamiliar sites, only installing apps from trusted sources, and noticing the permissions requested by apps that you download

Sources: 

https://www.bleepingcomputer.com/news/security/malicious-androidapps-evade-google-play-protect-via-remote-commands/ 

https://www.symantec.com/blogs/threat-intelligence/hidden-adwaregoogle-play09