Gas and Oil Industry More Vulnerable to Malware then Ever Before

    Oil and gas companies within the Middle East and Russia have once again been targeted and attacked by various strains of malware. One of the strains appears to be the third version of the Shamoon worm that ran rampant in 2016, and the other one is known as Seedworm, named after the cyber espionage group that created it.

    Shamoon was built as a master boot record eraser that infected Windows® based machines so that once exploited they could not reboot once turned off. Back in 2016, Shamoon spread by using a list of hostnames taken directly from the Active Directory of a compromised host. Version 3 has discarded this method of infection and follows in the footsteps of WannaCry and NotPetya, propagating over compromised networks using the Server Message Block protocol within Windows. 300 servers and 100 personal computers out of a total of 4000 machines have been crippled in the attack against Italian oil and gas contractor Saipem. Luckily no data was lost due to the company backing up their systems, proving the importance of having proper disaster recovery policies in place.
Seedworm has infiltrated more than 30 organizations already, with most of the targets within the Middle East and Russia. Telecommunications and IT services were the main targets due to the fact that agencies could provide the hackers with additional targets to attack, but the second target were businesses in the oil and gas industry. Seedworm uses a tool called Powermud, a custom made script that allows the threat actors to evade detection in systems that Seedworm compromises. Once compromised, Seedworm executes a payload that scans through web browsers and email to steal credentials, giving researchers the opinion that gaining access to victim personal information is the hacker group’s primary goal. Seedworm, also known as MuddWater or Zagos, is well known for constantly changing tactics. By relying on public tools available on repositories such as GitHub allows the group to quickly update and alter operations through only applying small changes to the code.

    The security of the gas and oil industries is essential to maintain stability in the nation’s critical infrastructure. As more and more malware strains become increasingly sophisticated in their execution, so should the enforcement of the policies and procedures to defend against them. With the digitization of the industry, over 50 percent of the managers responsible for the protection of the industry have said they are more vulnerable to cyber attacks then ever before.
Sources:
https://thehill.com/policy/cybersecurity/420616-security-firm-unveils-newtactics-of-active-cyber-espionage-group

https://www.bleepingcomputer.com/news/security/shamoon-disk-wiperreturns-with-second-sample-uncovered-this-month/

https://thehackernews.com/2018/12/shamoon-malware-attack.html?m=1

Logitech Leaves Keystroke Injection Flaw Unaddressed for Months.

    Three months ago, security researcher Travis Ormandy from Google Project Zero detailed a significant flaw of which Logitech has finally released a patch. In his September 18th meeting the engineers at Logitech gave the impression that they understood the problem and had a fix in mind and were ready to roll out a patch immediately.

    The flaw in the Logitech Options application resides in the users ability to customize the behavior or buttons on their mice and keyboards. This feature is enabled by an app that leaves a WebSocket server on the system that the app is installed upon. That server supports several intrusive commands, auto-starts due to a registry entry, and has a very flimsy authentication method. 
Travis details in his report: “The only ‘authentication’ is that you have to provide a Process ID (PID) of a process owned by your user, but you get unlimited guesses so you can brute force it in microseconds.” Once a malicious actor puts in the microseconds of work needed to gain access they can send commands, change options or even send keystrokes. This suggests that the app could be a fantastically powerful attack platform locally or even remotely through the use of keystroke injection attacks.

     Injection attacks can give an actor the ability to create other attack vectors within an organization. They can farm information from infected systems like email and contact information, install additional malware like keyloggers or botnets, or even perform a total system take over. An exploit like this can very easily be used to gain additional access to other systems or servers within an organization. In turn, that can easily turn into a massive data breach and/or loss of customer data. Alternatively it can be used to gain banking information or even direct access, turning your keyboard or mouse into a platform to exploit a less security-conscious home user’s banking or credit card information, access medical records or log passwords, or even add them to a botnet.

     Ormandy details that the issue was not resolved in the October 1st release of the Options app. After giving Logitech three months to fix the issue, he decided to go public with his bug report. It seems that the bug report had some traction on twitter by Dec 11th pointing out that the problem exists on the Mac versions as well. The patch was released Thursday Dec 13th. Ormandy continues to show skepticism that Logitech will act promptly without the threat of bad publicity.

Sources:

https://www.zdnet.com/article/logitech-app-security-flaw-allowed-keystrokeinjection-attacks/

https://threatpost.com/logitech-keystroke-injection-flaw/139928/

Holiday Gift from Microsoft Introducing Windows Sandbox!

If you every attended any of my security talks i talk about the risks of surfacing the web or installing software you not sure of… Well Microsoft gave us a gift this week on the windows 10 Beta Build 18305 they have introduced an great new feature Windows Sandbox !

Windows Sandbox is a new lightweight desktop environment tailored for safely running applications in isolation.

How many times have you downloaded an executable file, but were
afraid to run it? Have you ever been in a situation which required a
clean installation of Windows, but didn’t want to set up a virtual
machine?

At Microsoft, we regularly encounter these situations, so we
developed Windows Sandbox: an isolated desktop environment where you can
run untrusted software without the fear of lasting impact to your
device. Any software installed in Windows Sandbox stays only in the
sandbox and cannot affect your host. Once Windows Sandbox is closed, all
the software with all of its files and state are permanently deleted.

Windows Sandbox has the following properties:

  • Part of Windows – everything required for this feature ships with Windows 10 Pro and Enterprise. No need to download a VHD!
  • Pristine – every time Windows Sandbox runs, it’s as clean as a brand-new installation of Windows
  • Disposable – nothing persists on the device; everything is discarded after you close the application
  • Secure – uses hardware-based virtualization for
    kernel isolation, which relies on the Microsoft Hypervisor to run a
    separate kernel which isolates Windows Sandbox from the host
  • Efficient – uses integrated kernel scheduler, smart memory management, and virtual GPU

To install Windows Sandbox, go to Settings > Apps > Apps & Features > Programs and Features > Turn Windows Features on or off, and then select Enable Windows Sandbox.

To start Windows Sandbox, open the Start menu, enter Windows Sandbox and then select it.

For more info and details go here

Securing a company … a group of basic steps a company can take

As a security professional, I
understand the importance of using data classification to protect a company.  The day of believing that the firewall will
protect you is unreal.  Today lots of
companies treat computer security like a tomato, “secure” on the outside but
leave a soft and mushy target on the inside.  We need to rethink this and classify our data
based on the risk and value to the company.  As users click on emails and bad web sites,
the risk of successful attacks like ransomware and other security breaches
increase.

As a security professional who deals
with this issue regularly, it amazes me that companies do not have a process to
understand what data in the company is more important than another.  One of the first steps I undertake as a
consultant is to understand what a company has from both an infrastructure and
data focus.

Does your company have baselines on
your servers and network technology?

Do you know what services are running
on your servers?

Do you know what ports are open?

If not, how would you know if you were
compromised?

Do you use a change management system
to approve, test, update systems and record new baselines?

Have you created a portfolio of all the
applications that you use, and who is responsible for them?

For the applications you have running,
do you understand the workflows and interactions between systems?

Have you built a data classification
process that is used by the company? Listing, for example, the following
classifications: Finance data, Human Resources data, Customer data, Public data
etc.?  Not all data in a company needs
the same level of protection.

After building a data classification
process, you can next work on the data owners starting to put the data the
company owns into proper classifications.

There is tool that you can use to help
you with this task. For example, in Windows, there is the File Server Resource
Manager (FSRM).  One of the features in
FSRM is File Classification Infrastructure
that provides a company insight into their data by automating classification
processes so that the company can manage its data more effectively.  Companies can classify files, and apply
policies, based on classification. Example policies include dynamic access
control for restricting access to files, file encryption, and file
expiration.  Files can be classified
automatically by using file classification rules, or manually, by modifying the
properties of a selected file or folder.

Until companies start to think about their
data, and what must be protected, companies will continue to see major breaches
to their systems.  Infrastructure needs
to be understood. Systems need to be baselined. 
And, processes documented.  Companies need to train users on what to look
for, and what to do, if they have concerns about possible security incidents.  Companies need to train employees on email,
possible attacks and vulnerabilities, and what an employee should do if they
suspect a possible problem.

Companies need to create, and USE data classification systems to
protect and add the appropriate level of security, to those data classifications
that the company agrees are an issue.  Companies do not have unlimited resources, so companies
should spend time and money protecting those things that are most important to
the company.

 

This is the first of a group of blogs
on this topic.

 

Vulnerability chain exploits MacOS

Dropbox recently revealed three critical security vulnerabilities in MacOS that would allow execution of arbitrary programs on a target machine triggered just by visiting a webpage. The vulnerabilities were found by the cybersecurity firm Syndis, who were hired for red team exercises on Dropbox’s infrastructure. The three vulnerabilities by themselves were of minimal actual security impact on their own but when chained together could be used to compromise a target machine by simply getting them to visit a webpage.
The first vulnerability found (CVE-201713890) allowed a malicious webpage to force the target machine to mount an arbitrary disk image. This was due to a content identifier conflict in the Safari web browser. When known filetypes are handled in the Safari browser actions are taken to handle the media automatically. Usually this results in things like a media player opening to handle a download or a PDF client opening a document. But due to the same identifier being defined in multiple locations the wrong action was taken when downloading a .smi file.
The second vulnerability (CVE-20184176) starts the execution path of the arbitrary files in the disk image downloaded by the first vulnerability. During creation of a disk image the creator is able to use the bless utility to set specific options. One of those is —openfolder which allows Finder to open an arbitrary folder upon mounting a disk image. By pointing to a bundle file instead of a folder it will be executed when the image is mounted. Being able to launch the application isn’t quite enough though because the Gatekeeper utility prevents unsigned code from actually launching until it is whitelisted. 
The third vulnerability (CVE-2018-4175) allows launch of an arbitrary program from the malicious disk image without any security checks. The first step is to include a legitimate signed binary in the image, like the Terminal app. At this point the researchers tried launching a malicious script through the Terminal app but it was still blocked due to the quarantine flag being set. This is set when applications are downloaded from the internet and is cleared when the user explicitly says that the application is safe. By modifying the Info.plist for the bundle they were able to associate a new filetype with the Terminal app. When launching the newly associated filetype the quarantine flag was not checked and code execution was achieved.
This vulnerability chain highlights how a string of seemingly not serious vulnerabilities can often be strung together to achieve a compromise. The vulnerabilities were reported to Apple in February and patched in their March security update.

Sources
https:// thehackernews.com/2018/11/applemacos-zeroday.html
https://blogs.dropbox.com/ tech/2018/11/offensive-testing-tomake-dropbox-and-the-world-asafer-place/
and Peraton