Steps to Safeguard Against Ransomware Attacks

Original release date: July 30, 2019

The Cybersecurity and Infrastructure Security Agency (CISA), Multi-State Information Sharing & Analysis Center (MS-ISAC), National Governors Association (NGA), and the National Association of State Chief Information Officers (NASCIO) have released a Joint Ransomware Statement with recommendations for state and local governments to build resilience against ransomware:

  1. Back up systems—now (and daily). Immediately and regularly back up all critical agency and system configuration information on a separate device and store the backups offline, verifying their integrity and restoration process. If recovering after an attack, restore a stronger system than the one lost, fully patched and updated to the latest version.
  2. Reinforce basic cybersecurity awareness and education. Ransomware attacks often require the human element to succeed. Refresh employee training on recognizing cyber threats, phishing, and suspicious links—the most common vectors for ransomware attacks. Remind employees of how to report incidents to appropriate IT staff in a timely manner, which should include out-of-band communication paths.
  3. Revisit and refine cyber incident response plans. Have a clear plan to address attacks when they occur, including when internal capabilities are overwhelmed. Make sure response plans include how to request assistance from external cyber first responders, such as state agencies, CISA, and MS-ISAC, in the event of an attack.

CISA encourages organizations to review the Joint Ransomware Statement and the following ransomware guidance:

Spearphone attack for Android Phones

    A team of cybersecurity researchers – Abhishek Anand, Chen Wang, Jian Liu, Nitesh Saxena, and Yingying Chen – has discovered and demonstrated a new side-channel attack that could potentially allow apps to listen in on the voice coming through an Android phone’s loudspeakers without requiring any device permissions.

    This new attack has been named Spearphone. It works by taking advantage of the accelerometer built into most Android phones. An accelerometer is a sensor that can detect and monitor the movement of a phone, such as being shaken, tilted, or lifted up. The accelerometer can be accessed by any app without requesting any permissions.

    According to The Hacker News, “Since the built-in loudspeaker of a smartphone is placed on the same surface as the embedded motion sensors, it produces surface-borne and aerial speech reverberations in the body of the smartphone when loudspeaker mode is enabled.” Sound is vibration travelling through a medium; it transfers energy to our eardrums, which convert the mechanical vibrations into electrical signals that our brains interpret as sound. This attack removes the need for a second microphone: the accelerometer in the phone itself, rather than an audio receiver, converts the sound waves into electrical signals.

    As a proof of concept, the researchers created an Android application designed to record speech reverberations using the accelerometer and send the captured data back to an attacker-controlled server. The researchers have shown that this attack can successfully be used to spy on phone calls, listen to voice notes or multimedia, and spy on the use of an assistant such as Google Assistant or Bixby, as shown below.

    The research team believes the Spearphone attack is dangerous and has “significant value as it can be created by low-profile attackers.” The attack can also be used in gender classification with over 90% accuracy and speaker identification with over 80% accuracy. 



Linux users, be aware

    In the world of malware, almost all malicious software is based around Windows desktop or Linux server systems. Part of this is due to the widespread use of these systems as well as the architecture of the Linux core operating system. This makes it even more surprising when researchers from Intezer recently discovered a desktop Linux spyware application dubbed EvilGnome that no security or antivirus scanners detect yet.

    EvilGnome is a collection of modules designed to spy on a user’s system and exfiltrate data to an external Command & Control (C2) server controlled by the attacker. It is designed to appear as an extension of the GNOME desktop environment on Linux.

    The malware is a self-extracting archive shell script that installs the modules and sets up persistence through use of the crontab. The modules are:
    • ShooterSound—records audio clips from the user’s microphone using PulseAudio.
    • ShooterImage—captures screenshots of the user’s desktop.
    • ShooterFile—scans the filesystem and is capable of filtering files by type and creation date.
    • ShooterPing—data exfiltration module, also capable of receiving new commands from the C2 server and stopping other modules from running.
    • ShooterKey—possible keylogger module that appears to be unfinished.

    Many of the modules appear to be very limited or missing some functionality. Also, metadata about the malware’s creation was included in the upload to VirusTotal, leading the researchers to believe this was a prototype version of the malware that was mistakenly released.

    Intezer researchers believe the malware to be tied to the Russian-affiliated group Gamaredon. Not only does EvilGnome use the same hosting provider as Gamaredon for C2 servers and similar domain names such as .space and .ddns, it was also found on an IP address controlled by Gamaredon 2 months ago and uses techniques and modules similar to Gamaredon’s collection of Windows tools. 
To check if a Linux system is infected, look for an executable called gnome-shell-ext in the ~/.cache/gnome-software/gnome-shell-extensions directory.
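The check above, written out as a small host scan. This is an added example, not Intezer's tooling: it looks for the dropped executable under each home directory and for crontab entries that reference it (the article says persistence is set up via crontab). The indicator path is the one the article gives; the crontab collection step, function names and sample data are assumptions.

```python
import os

# Added example, not Intezer's tooling: a host check for the two indicators the
# article names, the dropped executable and crontab persistence. The relative
# path is the one from the article; everything else is an assumption.
EVILGNOME_REL_PATH = os.path.join(".cache", "gnome-software",
                                  "gnome-shell-extensions", "gnome-shell-ext")


def indicator_file(home):
    """Return the indicator's full path if it exists under `home`, else None."""
    path = os.path.join(home, EVILGNOME_REL_PATH)
    return path if os.path.isfile(path) else None


def cron_references(crontab_text):
    """Return non-comment crontab lines that reference the indicator path."""
    hits = []
    for line in crontab_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if "gnome-shell-extensions/gnome-shell-ext" in stripped:
            hits.append(stripped)
    return hits


def scan(home_root, crontabs):
    """Scan every home directory under `home_root`.

    `crontabs` maps user name -> crontab text (e.g. what `crontab -l -u USER`
    prints), collected by the caller. Returns {user: {"file": ..., "cron": [...]}}
    for users with at least one indicator.
    """
    findings = {}
    for user in sorted(os.listdir(home_root)):
        home = os.path.join(home_root, user)
        if not os.path.isdir(home):
            continue
        result = {"file": indicator_file(home),
                  "cron": cron_references(crontabs.get(user, ""))}
        if result["file"] or result["cron"]:
            findings[user] = result
    return findings


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "/home"
    # No crontabs are collected here; pass them in from your own collection step.
    for user, hit in scan(root, {}).items():
        print(f"{user}: {hit}")
```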

Sources:

https://thehackernews.com/2019/07/linux-gnome-spyware.html

https://www.bleepingcomputer.com/news/security/new-evilgnome-backdoor-spies-on-linux-users-steals-their-files/

https://www.intezer.com/blog-evilgnome-rare-malware-spying-on-linux-desktop-users/

A Methodology for Enabling Forensic Analysis Using Hypervisor Vulnerabilities Data: NIST Publishes NISTIR 8221

Hardware/Server Virtualization is a foundational technology in a cloud computing environment and the hypervisor is the key software in that virtualized infrastructure. However, hypervisors are large pieces of software with several thousand lines of code and are therefore known to have vulnerabilities. Hence, a capability to perform forensic analysis to detect, reconstruct and prevent attacks based on vulnerabilities on an ongoing basis is a critical requirement in cloud environments.

To gain a better understanding of recent hypervisor vulnerabilities and attack trends, identify forensic information needed to reveal the presence of such attacks, and develop guidance on taking proactive steps to detect and prevent those attacks, NIST has published NIST Internal Report (NISTIR) 8221, “A Methodology for Enabling Forensic Analysis Using Hypervisor Vulnerabilities Data.” NISTIR 8221 outlines a methodology to enable this forensic analysis, and illustrates the methodology using two open-source hypervisors—Xen and Kernel-based Virtual Machine (KVM). The source for vulnerability data is NIST’s National Vulnerability Database (NVD).

Publication details:
https://csrc.nist.gov/publications/detail/nistir/8221/final

CSRC Update:
https://csrc.nist.gov/news/2019/nist-publishes-nistir-8221 

Draft NIST Cybersecurity White Paper on Understanding Emerging Blockchain Identity Management Systems

NIST announces the release of a Draft Cybersecurity White Paper, A Taxonomic Approach to Understanding Emerging Blockchain Identity Management Systems (IDMS), which provides an overview of the standards, building blocks, and system architectures that support emerging blockchain-based identity management systems and selective disclosure mechanisms. The document also considers the full spectrum of top-down versus bottom-up governance models for both identifier and credential management and addresses some of the risks and security concerns that may arise. The terminology, concepts, and properties introduced in this work can facilitate communications amongst business owners, software developers, cybersecurity professionals within an organization, and individuals who are or will be using such systems.

A public comment period for this document is open until August 9, 2019. See the publication details link for a copy of the document and instructions for submitting comments.

Publication details:
https://csrc.nist.gov/publications/detail/white-paper/2019/07/09/a-taxonomic-approach-to-understanding-emerging-blockchain-idms/draft

CSRC update:
https://csrc.nist.gov/news/2019/draft-white-paper-emerging-blockchain-idms

NCSC Releases Advisory on Ongoing DNS Hijacking Campaign


Original release date: July 12, 2019

The United Kingdom’s National Cyber Security Centre (NCSC) has released an advisory about an ongoing Domain Name System (DNS) hijacking campaign. The advisory details risks and mitigations for organizations to defend against this campaign, in which attackers use compromised credentials to modify where an organization’s domain name resources resolve in order to redirect users, obtain sensitive information, and carry out man-in-the-middle attacks.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages administrators to review the NCSC Advisory, apply the recommended mitigations, and refer to CISA’s Alert AA19-024A – DNS Infrastructure Hijacking Campaign for more information.


    The U.S. Food and Drug Administration released a warning last week recalling certain Medtronic MiniMed insulin pumps over concerns that the device may be vulnerable to cyber attacks. The warning comes after researchers found that an attacker with adjacent access was able to wirelessly communicate with the device and alter the pump settings, either providing or restricting insulin to a patient. These insulin pumps are meant to communicate wirelessly with other medical devices such as blood glucose meters, glucose sensor transmitters, and CareLink USB devices. The models specifically impacted are the Medtronic MiniMed insulin pumps, the MiniMed 508 insulin pump, and the MiniMed Paradigm series which are collectively used by approximately 4,000 patients in the U.S., according to Medtronic. 

    This vulnerability is described by CVE-2019-10964 and has been assigned a score of 7.1 out of 10, designating it as a high severity vulnerability. The core of the vulnerability revolves around improper access control when associating with other devices. The researchers state that the wireless RF communication protocol doesn’t properly implement authentication or authorization, two important factors that mediate network access. In computer security, authentication refers to the mechanism by which a device is proven to be a legitimate user, and authorization refers to the resources that the device has access to. The researchers found that an attacker with sufficient access can inject, replay, alter, or interpret data from the vulnerable insulin pumps. Medtronic is urging patients affected by this vulnerability to talk to their healthcare provider about exchanging their insulin pump for a newer model with appropriate security measures.

    While this exploit has not been seen in the real world and there are no known reports of patient harm resulting from it, there are precautions that users of wirelessly connected medical equipment can take to protect themselves. Ensuring that no one tampers with the medical device or other devices connected to it, refraining from sharing the serial number, noting any alarms or alerts made by the device, and immediately canceling any unintended actions taken by the medical device are all good steps to take. While it is always important for companies to implement proper security protocols in their devices, it’s even more important when there is the potential for serious harm to an end user, such as in the medical field. As more of these important systems become connected, the need for good security implementation becomes more and more important.
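To make the advisory's "inject, replay, alter" wording concrete, here is an added example (not Medtronic's protocol) of the minimum a paired receiver needs: a shared pairing key so only paired senders can be authenticated, a MAC so altered or injected frames are rejected, and a monotonic counter so a captured frame cannot be played back. The frame layout, key, counter width and 16-byte MAC truncation are assumptions for this illustration.

```python
import hashlib
import hmac
import struct

# Added example, not Medtronic's protocol: a minimal authenticated command frame
# showing how a paired receiver can reject the injected, replayed and altered
# messages the advisory describes. The key, counter width, command encoding and
# 16-byte MAC truncation are assumptions made for this illustration.
MAC_LEN = 16


def build_command(key, counter, command):
    """Sender: frame = 4-byte big-endian counter || command || HMAC-SHA256 tag."""
    body = struct.pack(">I", counter) + command
    return body + hmac.new(key, body, hashlib.sha256).digest()[:MAC_LEN]


class PumpReceiver:
    """Receiver: holds the pairing key and the highest counter accepted so far."""

    def __init__(self, key):
        self.key = key
        self.last_counter = -1

    def accept(self, frame):
        """Return (command, "ok") if the frame is authentic and fresh,
        otherwise (None, reason)."""
        if len(frame) < 4 + MAC_LEN:
            return None, "truncated"
        body, tag = frame[:-MAC_LEN], frame[-MAC_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:MAC_LEN]
        # Authentication: injected (wrong key) or altered frames fail the MAC check.
        if not hmac.compare_digest(tag, expected):
            return None, "bad mac"
        counter = struct.unpack(">I", body[:4])[0]
        # Freshness: a captured frame played back again is rejected.
        if counter <= self.last_counter:
            return None, "replay"
        self.last_counter = counter
        return body[4:], "ok"
```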

Sources:
https://threatpost.com/fda-warns-of-potentially-fatal-flaws-in-medtronic-insulin-pumps/146109/

https://www.fda.gov/news-events/press-announcements/fda-warns-patients-and-health-care-providers-about-potential-cybersecurity-concerns-certain

https://www.us-cert.gov/ics/advisories/icsma-19-178-01

Smart Lock Vulnerabilities

    Smart locks have been increasing in popularity for the last few years. They provide a number of conveniences that make them an enticing option for people looking to replace their current locks. Things like automatically unlocking as you approach with your hands full or allowing a friend to unlock the door only when you’re on vacation sound great at first. But the risks of poorly secured and designed smart locks may outweigh those conveniences.

    Pen Test Partners, along with 2 additional researchers, @evstykas and @cybergibbons, recently took a look at the U-tec Ultraloq and found a number of critical vulnerabilities that would allow an unauthorized person to bypass the lock. The first vulnerability they found was that the lock’s application API leaks data about the users of the locks, including the physical location of the lock. The second vulnerability found in the API is much more interesting though. By simply changing the user ID value during the login process you can impersonate any other user and have full control of their locks. Pairing these 2 vulnerabilities together means you would first be able to find installations of these locks and then unlock them when you get there.
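The two API weaknesses described above, modelled in a toy lock-management API so the defect and its fix sit side by side. This is an added example, not U-tec's code: the vulnerable handlers trust a client-supplied user ID and hand any lock record to any logged-in user, while the hardened handlers take the identity from the server-side session and apply per-object authorization. Users, locks and addresses are constructed sample data.

```python
import os

# Added example, not U-tec's code: a toy lock-management API showing the two API
# weaknesses the article describes (a login flow that trusts a client-supplied
# user ID, and lock records that leak location) next to a hardened version.
# All users, locks and addresses are constructed sample data.
USERS = {"alice": "pw-alice", "bob": "pw-bob"}
LOCKS = {
    "lock-1": {"owner": "alice", "address": "1 Example St"},
    "lock-2": {"owner": "bob", "address": "2 Example Ave"},
}
SESSIONS = {}  # opaque token -> authenticated user name


def login(username, password):
    """Authenticate and return an opaque session token, or None on failure."""
    if USERS.get(username) != password:
        return None
    token = os.urandom(16).hex()
    SESSIONS[token] = username
    return token


def my_locks_vulnerable(token, user_id):
    """Vulnerable: the token only proves *someone* logged in; the locks returned
    belong to whatever user_id the client chose to send."""
    if token not in SESSIONS:
        return None
    return [lid for lid, lock in LOCKS.items() if lock["owner"] == user_id]


def lock_info_vulnerable(token, lock_id):
    """Vulnerable: any authenticated user can read any lock, location included."""
    if token not in SESSIONS:
        return None
    return LOCKS.get(lock_id)


def my_locks_hardened(token):
    """Hardened: the owner comes from the server-side session, never the request."""
    user = SESSIONS.get(token)
    if user is None:
        return None
    return [lid for lid, lock in LOCKS.items() if lock["owner"] == user]


def lock_info_hardened(token, lock_id):
    """Hardened: object-level authorization; a lock is only visible to its owner."""
    user = SESSIONS.get(token)
    lock = LOCKS.get(lock_id)
    if user is None or lock is None or lock["owner"] != user:
        return None  # same answer for "not yours" and "does not exist"
    return dict(lock)
```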

    The researchers also spent some time looking at the Bluetooth-based proximity unlocking feature. Due to a poor encryption implementation in the app and lock, they were able to develop a brute force attack capable of unlocking the lock. This attack would allow someone to open an Ultraloq without requiring knowledge of who the lock belongs to, as in the first attack. These 2 attacks alone allow complete bypass of the smart lock, but what if the attacker isn’t very technical? No problem, the lock is also easily picked. By inserting a thin pick into the body of the lock an attacker is able to shim the mechanism and open the lock with ease. The fallback physical lock mechanism was also easily picked by the researchers using only basic lockpicking techniques.

    The Ultraloq isn’t the only smart lock to have showstopping vulnerabilities and probably won’t be the last. Smart home products, especially security-related ones, have been a popular target for researchers since they first hit the market. If you’re considering a smart lock it is important to research the specific model being considered and stick to trusted manufacturers. Even so, there is no guarantee that the lock won’t have a vulnerability found at some point, so it is also important to apply firmware updates when they become available from the manufacturer. Ultraloq released a fix for their API last week but have not provided an update for the Bluetooth vulnerability yet.

Sources:

https://threatpost.com/smart-lock-turns-out-to-be-not-so-smart-or-secure/146091/

https://www.pentestpartners.com/security-blog/the-not-so-ultra-lock/