My information Resource (blog.mir.net)

MuddyWater malware is believed to be
once again targeting organizations across the world.  This malware was first reported when it
targeted the Saudi government back in 2017 and
was reported to have also targeted other organizations in the US,
Turkey, and other Middle Eastern countries.

Although it is unclear who is behind these attacks,
there is some attribution information that links these attacks with the FIN7
threat group that has been known to be a financially motivated. MuddyWater
itself is document-based malware, which is often spread by phishing campaigns
specifically targeting unaware users.

The malware leverages Microsoft Office documents to deliver macro-enabled
code execution after tricking unaware users into opening the file. The
infection chain starts with the attackers enticing a victim to open a Microsoft
Office file with macros enabled. Once this happens, an initial VBScript is
automatically executed which then executes other PowerShell scripts.

Once the PowerShell scripts execute, a backdoor
payload runs on the victim machine, which automatically calls home and waits
for commands from the attackers. Interestingly, the most noteworthy
enhancements between the malware strains look to be in the obfuscation
techniques. The malware starts with a VBScript that uses character substitution
to initially hide its direct intentions when manipulating images shown in the
document body, then performs the initial PowerShell script execution. The
initial PowerShell  Script “invoker.ps1”, then calls other data within
the document and performs a cryptographic decoding to build other PowerShell
scripts that then have the ability to execute the actual payload
“PRB-Backdoor” within the file. Once PRB-Backdoor is
executed it attempts to communicate with its Command- and-Control server,
hxxp://outl00k[.]net to send and receive commands. According to malware
researchers there have been over ten possible specific types of commands and
functionality discovered between the malware and the attackers over the Command-and-Control channel. Some of the more
interesting capabilities are gathering system information, file interaction,
key- loggers, and stealing passwords.

 
Although this malware is not overly sophisticated,
it does present us a good opportunity
to learn more about the tools, techniques, and tactics of our adversaries. To
combat such types of attacks, users should be cognizant of suspicious emails
and cautious of file attachments Additionally, there exists others tools that
can help defend an organization’s infrastructure from these types of attacks
including hosted email security, deep packet inspection by network perimeter
devices, and customized end point protection.

 

It was announced that European researchers discovered that the popular PGP and S/MIME email encryption standards are vulnerable to being hacked. Dubbed EFAIL, it is described as vulnerabilities in the end-to-end encryption technologies OpenPGP and S/MIME. From the website, EFAIL abuses active content of HTML emails to exfiltrate plaintext through requested URLs. In “Direct Exfiltration”, the victim’s stolen encrypted message is sent to the victim sandwiched between two parts of an HTML request for delivering the text back to the attacker as an image request. This leverages vulnerabilities in Apple Mail, iOS Mail, and Mozilla Thunderbird. The “CBC/CFB Gadget Attack” abuses a weakness in the Cyber Block Chaining (CBC) mode of operation used in S/MIME. If you know some of the text that is encrypted – and you do, because most encrypted messages have that phrase at the beginning, you can build a “gadget” – which is just a set of bits in a cipher stream that you can insert into the existing cipher stream with the text you want to insert. OpenPGP uses Cipher Feedback (CFB) which has similar cryptographic properties allowing the same abuse, but by embedding it in the cipher stream any standard-conforming client will be vulnerable. PGP also compresses the plaintext before encrypting it, which complicates guessing any known plaintext bytes. 

Different vendors have different CVEs for specific security issues relevant to EFAIL, but there are two CVE numbers for the CBC and CFB gadget attacks: CVE-201717688: OpenPGP CFB gadget attacks and CVE-2017-17689: S/MIME CBC gadget attacks. The researchers stated that their analysis showed that EFAIL plaintext exfiltration channels exist for 25 of the 35 tested S/MIME email clients and 10 of the 28 tested OpenPGP email clients.

Synack’s CTO and Co-Founder Mark Kuhr pointed out that independent security researcher are advising people to stop using PGP, and the media is following suit. But his opinion is that this is a terrible idea. “This is like saying ‘your lock may not work, so leave your door wide open.’” Lee Neely on the editorial board of SANS NewsBites in Volume 20 Number 38 states it best “These flaws are relatively low risk as exploiting these vulnerabilities is tricky and relies on several things.” 
Time will tell as to just how dangerous and exploitable these flaws are. Don’t read us wrong – should these flaws be addressed? Absolutely. We all need to implement mitigations (a number of which were outlined on the website), address correcting the clients, follow the CVEs and patches as available, and address the systemic fixes to PGP and S/MIME protocols. But we also need to address the underlying conflicts between usability and capability vs. security that are in our opinion at the root of this issue, and look toward making email more secure.

Sources:  https://www.reuters.com/article/us-cyber-encryption/popularencrypted-email-standards-are-unsafe-european-researchersidUSKCN1IF1LL  https://www.independent.co.uk/life-style/gadgets-and-tech/news/emailsecurity-s-mime-pgp-encryption-latest-broken-not-working-fix-how-toa8351116.html

Red Hat Enterprise Linux (RHEL) is a popular distribution used by many organizations for servers and other network endpoints. Two free versions of the operating system have also branched out of RHEL, Fedora and CentOS. US-CERT issued an alert Wednesday that a critical vulnerability had been discovered in the Network Manager application and how it handles Dynamic Host Configuration Protocol (DHCP) responses. With these responses, this vulnerability could lead to commands being run on the system with full root privileges.
When a device connects to a network and is configured to use DHCP (as most endpoints are), it sends a request out on the network saying that it needs an IP address and other related network information. When the DHCP server receives the request, it assigns an IP address to the requestor and sends a response with the address as well as other network configuration parameters such as DNS servers. This allows automatic, central management of network addresses such that duplication doesn’t occur, which would cause network routing and traffic issues. Google researcher Felix Wilhelm discovered a vulnerability in the Network Manager package included in RHEL and related operating systems. This package runs a script to set the network configuration on the host when a response from a DHCP server is received. However, the script is vulnerable to malicious responses that can cause arbitrary commands to be run on the host with root privileges. For instance, a reverse remote terminal session could be opened, allowing the attacker to run commands on the host at will with full access. A malicious response can be sent by someone spoofing a DHCP server on the local network or if the legitimate DHCP server is already compromised. While this does require the attacker and target to be on the same local network, this could also be done remotely if both are on a public Wi-Fi connection or in combination with another attack that could compromise other machines on the local network.
Patches for this vulnerability have already been released for most systems and users are urged to update immediately. Patches released so far: RHEL version 6 and 7, Fedora versions 26, 27, and 28. Red Hat Virtualization 4.1 is also vulnerable but Network Manager is turned off by default. However, Red Hat Virtualization 4.2 contains the fix. CentOS has also patched the vulnerability in version 7. Additionally, there is a workaround by disabling or removing the vulnerable script, but Red Hat says “…this will prevent certain configuration parameters provided by the DHCP server from being configured on a local system, such as addresses of the local NTP or NIS servers.” Patching is recommended over the workaround.

Sources:  https://threatpost.com/critical-linux-flaw-opens-the-door-to-full-rootaccess/132034/  https://thehackernews.com/2018/05/linux-dhcp-hacking.html  https://bugzilla.redhat.com/show_bug.cgi?id=1567974 

It was a busy end of May for cybersecurity in our nation’s capital. The White House Office of Management and Budget issued a report saying that most federal agencies are not prepared for cyberattacks, while noting that almost three quarters of the agencies assessed have programs that are at risk or high risk.  At nearly the same time, the FBI reported a botnet with ties to Russia has infected the nation’s routers and that they should all be rebooted.   Now, the Department of Commerce and Department of Homeland Security (DHS) has released a report on how the federal government can combat botnets or networks of infected internet-connected devices that can be leveraged by hackers. The report listed six principal themes for reducing distributed threats including: 1) working closely with international partners as these are global threats; 2) utilizing tools that are available but not being commonly used; 3) ensuring devices are secured through all stages of their “lifecycle;” 4) boosting education and awareness of botnets for businesses and citizens; 5) changing market incentives to encourage security; and 6) collaboration to address an ecosystem-wide problem. 

To address these, the DHS report outlines five goals: 1) Identify a clear pathway toward an adaptable, sustainable, and secure technology marketplace; 2) Promote innovation in the infrastructure for dynamic adaptation to evolving threats; 3) Promote innovation at the edge of the network to prevent, detect, and mitigate automated, distributed attacks; 4) Promote and support coalitions between the security, infrastructure, and operational technology communities domestically and around the world; 5) Increase awareness and education across the ecosystem.

This report was not unexpected. A year ago, President Trump signed an executive order directing Commerce and Homeland Security to issue a report about combating botnets and automated and distributed attacks, with a deadline of one year.   Given these facts, what’s Washington to do about cyber security? The report outlines some steps, but it appears it would take an advocate in the White House to help agencies improve the very cybersecurity programs the initial report calls deficient. Unfortunately the White House eliminated the top cybersecurity post several weeks ago, and although organizing a plan to execute the goals of this latest report would be right in the cyber czar’s swim lane, the responsibilities of White House cybersecurity coordinator have now been delegated to two members of the National Security Council’s team.

Sources:  https://www.washingtonpost.com/news/powerpost/paloma/the-cybersecurity202/2018/05/30/the-cybersecurity-202-white-house-cybersecurity-report-showsfederal-agencies-still-struggling-to-getsecure/5b0d79c81b326b492dd07ed3/?utm_term=.d8258a22e35b  https://www.whitehouse.gov/wp-content/uploads/2018/05/Cybersecurity-RiskDetermination-Report-FINAL_May-2018-Release.pd

Since 2012, the Necurs botnet has been an evolving work horse of a botnet, backing up the Jaff ransomware, Dridex banking Trojan, and Locky ransomware campaigns. Most recently it has been found pushing URL files with misleading icons to trick victims into exposing themselves to the malware of the attacker’s choice. It eludes some spam filters by contacting the command and control server instead of directly downloading the malware.
The researchers at Trend Micro have found that the newest iteration of Necurs spreads spam with Internet Query (IQY) files instead. IQY files are test files that are meant to help in adding external resources to an Excel spreadsheet. Once activated, Windows® will automatically execute any commands in an IQY file in Excel. This in turn results in a domino effect which leverages the Dynamic Data Exchange capabilities of Excel, which allows a file-less execution of a PowerShell script, which finally downloads a remote access application.

Figure 1: Infection chain starting with the IQY file
Source: https://blog.trendmicro.com/trendlabs-security-intelligence/necurs-poses-a-newchallenge-using-internet-query-file/

The final payload is known as FlawwedAMMY named after the Ammy Admin remote administration software from which it is derived. FlawwedAMMY can take control of the infected computer using commands such as: File Manager, View Screen, Remote Control, Audio Chat, RDP SessionsService, Disable Desktop Composition, Disable Visual effects, Show Tooltip, or Activate Mouse Cursor Blinking.
The only indication that the IQY file might be malicious is the existence of a URL which makes detection at that stage difficult. But using Dynamic Data Exchange has been a known attack vector by Microsoft so there are two separate warnings that occur before the attack can proceed.

Sources:  https://securityaffairs.co/wordpress/73916/malware/necurs-iqfattachments.html  https://blog.trendmicro.com/trendlabs-security-intelligence/necurs-poses-anew-challenge-using-internet-query-file/  https://www.securityweek.com/necurs-campaign-uses-internet-query-fileattachments

The personal data of 21 million Timehop customers has been compromised as hackers were able to breach their backend server environment. Timehop functions by connecting to social media platforms to show users’ past memories. The breach was disclosed on Sunday, July 8th, stating that the breach occurred on the week of July 4th. TimeHop stated in an update on July 11th that the breach included names, email addresses, dates of birth, gender, country codes, and some phone numbers, though no private/direct messages, financial data, social media, or photo content was stolen. 
During a technical assessment of the breach, it was shown that the attackers leveraged their attack through stolen admin credentials, which they then used to gain access to the application’s cloud computing environment. From there they attacked Timehop’s production database and started transferring data. Due to the database not using multifactor authentication, it was not hard for hackers to bypass it with the stolen credentials.
Timehop was able to disable the access token keys for all accounts and stated that “none of your memories were accessed”. They also said that the additional data lost was not due to a secondary breach – coincidentally, this was the only data loss incident Timehop has suffered to date. In addition, Timehop reported that there is no evidence to indicate that the attackers were able to use any of the tokens to gain access to social media accounts. 
Timehop has updated their statements about the token keys as well. The keys were deauthorized by Timehop acting in concert with social media partners by Sunday, 8 July. Timehop did not report the breach, which was discovered on 5 July 2018 to its users until after it was certain that the keys had been de-authorized and the social media partners had not observed any suspicious activity. Users will have to re-authenticate their token keys to the application in order to continue using it.
Timehop goes on to say that if users used their phone number for login, then Timehop would have the user’s phone number, which in turn would give attackers access to them as well. It is recommended that users take additional security precautions with their cellular provider to ensure that their number cannot be ported, and in the cases of AT&T, Verizon, or Sprint, they can simply add or change their pin. T-Mobile users are recommended to call 611 from a T-Mobile device, or call 1-800-937-8997 to talk with customer services representative to assist with limiting the portability of the customer’s phone number. 

Sources  https://threatpost.com/timehop-breach-impacts-personal-data-of-21-millionusers/133765/  https://nakedsecurity.sophos.com/2018/07/09/your-social-media-memoriesmay-have-been-compromised/  https://techcrunch.com/2018/07/09/timehop-discloses-july-4-data-breachaffecting-21-million/  

The internet has become a staple of modern life. Having a website has become a necessity for most small businesses to connect with potential customers and provide information on the business and their offerings. However, one of the most common website development tools, WordPress, has a major vulnerability that could allow full control of a website by an attacker.
WordPress is a Content Management System (CMS) for hosting websites. It provides a framework for easy site creation and maintenance without having to code every aspect of the website. WordPress is one of the most popular CMS tools, alongside others such as Drupal and Joomla, and is used in approximately 30% of all websites.
Security researchers at RIPSTech, a security analysis solution provider for PHP, discovered an authenticated arbitrary file deletion vulnerability in WordPress that could lead to attackers being able to execute arbitrary code on the host webservers or completely take down the site. As any responsible security researcher would do, RIPSTech reported the vulnerability to the WordPress security team in November 2017. However, when the WordPress team was unresponsive as to when the issue would be fixed, RIPSTech decided to release the vulnerability information to the public in late June 2018 (a month longer than the WordPress team’s estimated six months to fix).
The vulnerability stems from a lack of user input sanitization when deleting a thumbnail for an image that was uploaded to the site. The input can redirect the code to delete other files on the system, including important site-related files. For instance the .htaccess file, which can contain security restraints, can be deleted to decrease the site’s security, or the wp-config.php file can be removed which would cause the installation phase to be triggered the next time the site is loaded. This would allow the attacker to create their own administrator credentials providing complete control of the site. The index.php file can also be removed, allowing access to other files and directories on the server that were protected and the entire WordPress installation could be removed. This highlights the importance of maintaining frequent site backups, especially on a different system or network.
This vulnerability does require low-level access to the system with author level privileges at a minimum. This allows uploading of images to, as well as deletion of images on, the site and therefore the ability to exploit the vulnerability. WordPress released version 4.9.7 containing a patch for the vulnerability and users are strongly encouraged to update. Prior to this, RIPSTech released a temporary hotfix that checked to assure user input could not cause a path traversal, protecting security relevant files.

Sources:  https://thehackernews.com/2018/06/wordpress-hacking.html  https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/  https://indivigital.com/news/wordpress-core-vulnerability-could-give-would-beattackers-the-capability-to-delete-files/

Rowhammer vulnerabilities are once again making mainstream news with the addition of CVE-2018-9942, dubbed RAMpage. This new variant of Rowhammer-based vulnerabilities allows attackers to compromise other applications and seize complete control over Android-based devices. What makes this vulnerability unique is how efficient the exploit process has become relative to preceding exploits.
The security community has been aware of Rowhammer-based bugs since 2012. Back then it was recognized as more of a theoretical based hardware reliability issue with Dynamic Random Access Memory (DRAM) chips. Back then, to save on cost and increase system response time, manufacturers were allowing applications to directly access memory instead of utilizing the processor which opened up the doors for possible vulnerabilities. At that point it was known that when repeatedly and rapidly accessing rows of memory it was possible to induce bit flipping into adjacent rows of memory. This type of attack typically might crash an application or induce the hardware device into an error condition. Since exploitation was so difficult and more theoretical it would seem that vendors and manufacturers did not take this problem seriously. However, over the past few years security researchers have uncovered additional problems with android based devices and attackers have matured their exploitation techniques.
Using RAMpage exploits, an attacker can leverage a set of Direct Memory Access (DMA) based Rowhammer attacks to bypass system defenses, compromise other applications, and effectively gain root access on the latest Android OS. The RAMpage attack generally consists of three steps: exhausting the system heap, shrinking the cache pool, and then rooting the mobile device. By using traditional Rowhammer techniques an attacker can drain all ION’s (Android’s Memory Manager) internal memory pools. This allows an attacker to break out of their initial allocated application memory in order to access other interesting memory regions. Then, by shrinking the cache pool using the Flip Feng Shui exploitation technique, attackers can trick the kernel into storing a page table within the vulnerable memory region. Finally, by implementing the initial two steps and leveraging a root exploit to place within the vulnerable memory region an attacker can successfully compromise an android device. The prerequisite for this attack requires an attacker to have access over an application that can carry out such an attack on the device. The research paper is linked at the bottom for further details.
At this time it is unrealistic to fix the vulnerability in hardware as it would be expensive and would not address the devices currently in use. Interestingly, the researchers that initially discovered the issue also released a tool called GuardION – a software based mitigation solution against RAMpage attacks.

Sources  https://threatpost.com/rowhammer-variant-rampage-targets-android-devicesall-over-again/133198/  https://vvdveen.com/publications/dimva2018.pdf

Domain Name Service (DNS) is an integral part of today’s public Internet infrastructure. The purpose of DNS is to resolve names to IP addresses and the technology itself was invented in 1983 when security was an afterthought. As a result, over the years many types of DNS attacks have been seen such as DNS spoofing, cache poisoning, and many others. These attacks often consist of sending incorrect DNS responses back to clients in the hope the clients will communicate with network nodes across the internet, which are controlled by attackers instead of the originally requested legitimate nodes.

In response to the security shortcomings of DNS, additional protocols have been created to mitigate security risks such as Domain Name System Security Extensions (DNSSEC). DNSSEC essentially forms a signed chain of trust within the hierarchical infrastructure of DNS nodes so when a client queries a node’s IP address there is verification that the resolved response is legitimate. Cloudflare, a cloud-based company that is known for its content delivery network, DDOS mitigation, and security services has recently made mainstream news with its new DNS public consumer services offering. What makes Cloudflare’s public DNS so attractive is that they can compete, if not surpass, Google’s DNS services in both performance and security. In their recent blog post published this past Sunday, they boast their “fast and highly distributed network, and claim they are the fastest authoritative DNS provider on the Internet with seven million Internet properties.” Additionally, their new public DNS service supports DNS over HTTPS and DNS over TLS for added encrypted communication across the Internet.

What seems to make Cloudflare more attractive than Google is their emphasis on privacy and speed. Their goal according to their blog is to keep expanding their infrastructure until everyone is within 10 milliseconds of at least one of their DNS locations. Additionally, Cloudflare uses protocols such as DNS Query Name Minimization to minimize captured public information as it crosses DNS nodes. Furthermore, Cloudflare states they will never store any information in their logs that identifies end users. All logs collected by public resolvers will be deleted within 24 hours. Their resolvers are built from the open source DNS resolver and the modular designed Knot Resolver, which was released about two years ago and currently has a large and active user base.

To check if you are currently using DNSSEC, you can visit http://www.dnssec-ornot.com/.  To try out Cloudflare’s DNS service visit https://1.1.1.1/.

Sources 
https://blog.cloudflare.com/dns-resolver-1-1-11
https://github.com/hashcat/hashcat  
 https://threatpost.com/cloudflare-launches-publicly-dns-over-httpsservice/130900/