Radio-frequency (RF) remote controllers are everywhere: they open your car and your garage, they connect peripherals to your computer. You will also find them widely used in manufacturing and construction. Being able to remotely control large and/or multiple pieces of equipment from one device offers convenience and increased productivity, but remote solutions are often implemented with security as an afterthought, if thought of at all.
We’ve seen how trivial it is to hack a key fob or a wireless keyboard, and it’s not much more difficult to hack a controller for large machinery. This week, Trend Micro released a report on how pervasive and vulnerable RF controllers are in the industrial world and they found that garage door openers are more secure than industrial RF controllers. Potential attack vectors might be as simple as a replay attack, where the attacker sniffs the RF packets and sends them back to the machine to gain control—something any script kiddie could do. From there the attacker could modify packets to inject commands.
Another relatively simple attack is called e-stop abuse, where the emergency stop command is replayed to the machine until it causes a denial-of-service (DoS). This could bring an entire factory to a grinding halt or disrupt safety mechanisms, putting workers in danger.
On the other end of the spectrum is a more difficult and more remote attack vector. An advanced hacker could remotely rewrite the firmware on a remote control with their own malicious code in order to gain and maintain access. This impacts all of the vendors tested by Trend Micro that support reprogramming on their devices. Researchers also noted that none of those devices had authentication implemented.
The vulnerabilities discovered have been reported to the manufacturers in the hopes that those companies will take a closer look at the security of their devices. It remains to be seen whether any changes will be made. Physical security is usually very good at manufacturing and construction sites, possibly thwarting a local attack, but it’s never one hundred percent. A determined hacker will find a way and industry provides a large attack surface with many possibilities.
Sources:
• https://www.theregister.co.uk/2019/01/15/ even_cranes_are_hackable_trend_micro/
• https://documents.trendmicro.com/assets/white_papers/wp-a-securityanalysis-of-radio-remote-controllers.pdf
Flaws in Systemd Privilege Escalation in almost all of the systemd based Linux distros
Researchers at Qualys have revealed three security vulnerabilities in a component of systemd. This is believed to be affecting almost all of the systemd based Linux distros. The silver lining is that most of the distros have been made aware of the issue and have been working on fixes for these exploits.
The patches are respectively CVE-2018-16864, CVE-2018-16865, and CVE-201819866. They should be appearing in repos soon. This has been attributed to coordinated disclosure by Qualys. Debian will remain vulnerable for the time being, however, according to The Register, Qualys’s Jimmy Graham has said “that they are aware of the issue and we should be seeing a fix soon.”
The bugs were found in system-journald, a component of system that handles the collection and storage of logs. The first two, CVE-2018-16864 and CVE-201816865, are memory corruption flaws. CVE-2018-16864 can be leveraged by malware to crash and potentially hijack the system-journald service, there-by elevating access from a user to root for the attacker. CVE-2018-16865 and CVE2018-16866 can be used together to crash or hijack a root privileged journal service by a local attacker.
These exploits are believed to affect almost all of the systemd based Linux distros in use today. However, SUSE Linux Enterprise, openSUSE Leap 15.0, and Fedora 28 & 29 do not seem to be affected. This is thought to be due to their user-land code being compiled with GCC’s –fstack-clash-protection.
CVE-2018-16864 entered into the code base in April of 2013, then became exploitable with system v203 in Feb 2016. CVE-2018-16865 seems to have appeared in the code base in 2011 in system v38 and became exploitable in April 2013 (systremd v 201). CVE-2018-16866 was introduced in June of 2015. However, it was inadvertently fixed in August of 2018.
Sources
Card Access Control System Accessed
What you know, what you are, and what you have. These are three of the key components of security. Key cards are a common form of security that can deny access to a space or object to anyone without an object with the proper credentials. Researchers at Tenable have discovered a series of flaws discovered in September of last year. The flaws pertain to PremiSys Identicard Access control System.
The researchers at Tenable found a hardcoded set of credentials in version 3.1.190 of PremiSys IDenticard. This set of credentials would allow an adversary all the capabilities of an administrator including modifying access to existing users, deleting users, and adding users. Though it’s doubtful that an adversary could act without trace, they can certainly act without hindrance.
The researchers also found that the sensitive information in the system was stored with an insecure hashing algorithm. It currently uses the MD5 which has not been recommended since 1996 and is subject to commonly known collision vulnerabilities.
Backups within the system are stored in password protected zip files. Unfortunately, the password has been hardcoded into each instance of the product with no option for the user to change the password without the intervention of the vendor. Along with backups being barely protected by a hardcoded password, the database also comes with a preselected username and password with no opportunity for the user to change those credentials. They must once again go to the vendor for a custom solution.
These issues seem fairly pressing and can be crippling in a product that promises security. The common practice of providing a grace period for a company to patch the issues seems generous in the face of such glaring flaws. So far a patch has not been released and the product is still vulnerable.
Workarounds include network segmentation and restricting access to systems from outside of the network. It might not be possible to maintain vigilance over the entirely of a database without verification hashes.
John Fox, Senior Product Manager at Identicard, has provided a statement to Bleeping Computer claiming to be vigilant of the situation. They “anticipate releasing improvements in the near term” which should be expected of any company experiencing any such complications in their product.
Sources:
• https://www.tenable.com/security/ research/tra-2019-01
• https://medium.com/tenabletechblog/trumping-physical-securitywith-software-insecurity3945a63e1f1a
• https:// www.bleepingcomputer.com/news/ security/flaws-in-a-card-accesscontrol-system-may-allow-hackersto-bypass-security/Flaws
CISA Emergency Directive on DNS Infrastructure Tampering UPDATE
![]()
01/22/2019 06:48 PM EST
Original
release date: January 22, 2019 The U.S. Department of Homeland Security (DHS) Cybersecurity and Federal agencies should review Emergency
|
WordPress Pressed into Service
Researchers at Defiant Threat Intelligence Team have identified a brute force attack campaign on WordPress sites. There have been four command and control (C2) servers identified, over 14,000 proxy servers from best-proxies.ru, and over 20,000 infected WordPress sites. The attacks make XML-RPC authentication attempts against accounts. XML-RPC authentication is used for network services that require security but do not require callers to identify themselves. It is often used in the APIs for mobile app developers to allow their apps to post to WordPress. As such, the apps usually store credentials locally which makes failed credentials fairly uncommon. The high rate of failure caught the researcher’s attention and revealed the campaign.
The plan of this attack contains three steps: create a list of credentials using dynamic wordlist generation, lean on multicall vulnerability to attack on scale, and try to cover its tracks with proxy servers between C2 servers and infected sites. The credentials begin with common passwords along with passwords generated from the list of usernames. Examples given in their report include the domain name, the username, and the username with common values appended to the end. Their example is an attack on example.com with the user name alice, the attack would use example, alice, alice1, alice2, alice2015, alice2016, alice2017, alice2018, and so forth. The attack also relied on the multicall functionality of XML-RPC authentication, the ability to send multiple username and password pairs at once and receive a list of successes and failures. This would allow the attack to make significant initial gains on progress but is limited to attacks on WordPress versions 4.3 and older.
Version 4.4 had since patched this issue and will return failures on any further attempts if the initial attempt is a failure. It is currently on version 4.9.8, but many users are still vulnerable to the multicall attack vector because they have not updated.
Finally, the attacker tries to cover their tracks by using proxy servers to anonymize the control between the attacker and the infected sites. The researchers at Defiant found a word list regeneration script that included a path argument that contained an IP address. The IP address brought the researchers to a login page on a server, which they easily uncovered as one of the C2 servers. They found four different servers which were poorly guarded. The researchers are currently working alongside law enforcement to remedy the attacks and reach out to the victims to alleviate the attacks.
The best defense against such brute force attacks would be to use long randomly generated passwords and updating your services to the latest versions.
Sources:
• https://www.wordfence.com/blog/2018/12/wordpress-botnet-attackingwordpress/
• https://threatpost.com/infected-wordpress-sites-are-attacking-otherwordpress-sites/139666/12
Free Ebook Azure in a month of Lunches
To help developers build and run their applications, services and
integrate upcoming technologies, Microsoft has released an eBook – Learn Azure in a Month of Lunches.
The eBook offers great insights into entry into cloud administration.
Besides, it also gives a high-level explanation of each concept and
common implementations. It breaks down the most important Azure concepts into bite-sized lessons. Using this you will be able to learn how to:
Get Started with Azure
- Use core Azure infrastructure for writing and deploying web servers.
- Make your applications and data secure
- Utilize platform services—including how to choose which service for which task.
- Get ready to adapt to new technologies, including containers and Kubernetes, AI/Machine Learning, and IoT.
There’s a powerful suite of Azure services dedicated to containers
that aligns more with the PaaS approach. If you are not aware,
containers offer a concept of isolation similar to VMs. However,
Containers are typically much more lightweight than VMs and can start up
quicker than VMs, often in a matter of seconds rather than minutes.
Moreover, the size of a container image is typically only tens or
hundreds of MBs, compared to many tens of GBs for VMs.
You can download this Azure eBook here.
Phishing for 2FA
Cybersecurity professionals have known for a long time that passwords alone are not secure enough. Two-factor Authentication (2FA) has become an increasingly common way to add another layer of security. But like anything else in the security world, it is not infallible. This week Amnesty International reported that hacker groups are targeting the email accounts of journalists and human rights activists from the Middle East and North Africa.
One campaign targeted well -known secure email services like ProtonMail, while another campaign focused on Google and Yahoo! accounts where the hackers were able to harvest credentials even from 2FA-enabled accounts.
Chances are, you have at least one account with 2FA. If you’ve ever had to enter a code sent to your smartphone, you’ve used it before. It may seem like a hacker wouldn’t be able to get that code, but if they couldn’t stay one step ahead, they wouldn’t be in business. This report found that the attacks used tried-and true phishing techniques, but with some extra infrastructure in place to automate the process.
It starts with a security alert email that links to a counterfeit login page. Once the victim enters their credentials, the attackers’ server automatically sends those credentials to the legitimate login page. This triggers a request for a 2FA code from the legitimate site that is sent to the victim. The victim enters the code on the fake site, which also passes it to the legitimate site, giving the hackers access to the account. From here the attackers would enable access for third-party apps to keep control of the account.
Despite the extra steps happening in the background, the time it takes to do it is negligible and the victim would not notice the process taking any longer. However, the hackers behind these campaigns did make some mistakes. The servers hosting their fake Google and Yahoo! pages were not locked down. Researchers were able to use exposed directories to view various files and determine what the hackers were up to.
This is not to say that we shouldn’t keep using 2FA – it absolutely is better than a password alone. But it’s worth keeping in mind that phishing is still prevalent because it works and its success isn’t limited to stealing passwords. For folks that feel they are at risk or that just want some extra protection, researchers recommend using hardware tokens.
Sources:
• https://motherboard.vice.com/ en_us/article/bje3kw/how-hackersbypass-gmail-two-factorauthentication-2fa-yahoo
• https://www.amnesty.org/en/latest/ research/2018/12/when-bestpractice-is-not-good-enough/
• https://thestack.com/ security/2018/12/20/hackers-bypass -two-factor-authentication-at-scale/
Lojax UEFI Rootkit
Unified Extensible Firmware Interface (UEFI) rootkits gained quite a bit of attention in the security community over the years with a considerable amount of research going into the topic. However, there’s been limited practical use of this malware type in the wild until the discovery of LoJax. Researchers at ESET associate this new malware with the Sednit group, also known as Fancy Bear, and thoroughly discussed it at the 35C3 conference in Germany late last month.
What makes this kind of malware so dangerous is that it lies within the firmware of a physical machine, thus it is extremely hard to detect and very difficult to cleanse. It can survive reboots, operating system reinstallation, and even hard disk replacement. The chain of infection can usually be broken down into four stages: (1) User-Mode client infection, (2) Kernel-Mode escalation, (3) System Management Mode injection, and ($) SPI Flashing. As is the case for other types of malware, an initial client-side exploit dropper (mechanism for an attacker to get user access to a victim system) is needed. Once attackers have user access to a vulnerable host, they then escalate privileges to system access and attempt to bypass various kernel level security controls such as code signing policies to install kernel-mode payloads. Then the malware elevates privileges to execute System Management Mode payloads so it has access to SPI Flash. Lastly they bypass flash writing protection altering Flash firmware to implant their own flash malware.
LoJax, named after Absolute Software Corporation’s LoJack, is unique for using Lojack’s persistence technique of coming pre-installed in the firmware of laptops manufactured by various OEMs. Due to security weaknesses and misconfigurations within LoJack, attackers were able to trojanize the anti-theft tool creating LoJax. Once LoJax implants itself within the firmware and the system is booted, it loads the malicious SecDxe DXE driver and calls EFI_EVENT_GROUP_READY_TO_BOOT. This callback loads an embedded NTFS DXE driver, writes ‘rpcnetp.exe’ and ‘autoche.exe’ to the OS, and modifies the registry key ‘HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControl Session ManagerBootExecute’. The rpcnetp.exe executable is a small agent that is used to initiate communication back to the attacker Command and Control (C&C) server.
As of the date of the initial LoJax research, the primary targets have been different entities in the Balkans as well as Central and Eastern Europe. The primary defense against this malware is enabling Secure Boot and ensuring UEFI firmware is up to date.
Sources
• https://www.welivesecurity.com/wp-content/uploads/2018/09/ESETLoJax.pdf
• https://threatpost.com/uefi-rootkit-sednit/140420/http://www.ncsl.org/
DNS Infrastructure Hijacking Campaign
The National Cybersecurity and Communications Integration Center (NCCIC), part of the Cybersecurity and Infrastructure Security Agency (CISA), is aware of a global Domain Name System (DNS) infrastructure hijacking campaign. Using compromised credentials, an attacker can modify the location to which an organization’s domain name resources resolve. This enables the attacker to redirect user traffic to attacker-controlled infrastructure and obtain valid encryption certificates for an organization’s domain names, enabling man-in-the-middle attacks.
NCCIC encourages administrators to review the FireEye and Cisco Talos Intelligence blogs on global DNS infrastructure hijacking for more information. Additionally, NCCIC recommends the following best practices to help safeguard networks against this threat:
- Implement multifactor authentication on domain registrar accounts, or on other systems used to modify DNS records.
- Verify that DNS infrastructure (second-level domains, sub-domains, and related resource records) points to the correct Internet Protocol addresses or hostnames.
- Search for encryption certificates related to domains and revoke any fraudulently requested certificates.
CryptoMix Misdirection
The group behind the CryptoMix malware have changed tactics once again. The bad actors in this case brute force a login through RDP, and then encrypt the data on your computer while attempting to identify and remove any local backups available. With a successful attack, there’s no way to regain your data without the decryption key or through an off-network backup of the system. When attempting to contact the group of enterprising individuals, they will send you an email claiming that the proceeds of your “donation” are going to be put towards charity. They allude that by paying the ransom, the victim will help fund the treatment and care of sick children! In addition to this patently absurd falsity, the bad actors have taken information from local news and crowdfunding websites to be more believable. While this is a bit far fetched, the idea behind it is rather applicable to malware.
The most vulnerable part of every secure system is the human element. Which brings attention to one of the most widely adopted tactics that has been used to acquire information in recent years: social engineering. By interacting with the human component and appealing to either emotions or inattentiveness, bad actors can obtain information or access to locations with next to zero technical prowess. A study at the university of Luxembourg showed that among three groups of individuals given a gift either at the start of interaction, after the question, or as a reward for revealing their password, anywhere from 3050% disclosed their sensitive information. The number goes as high as 47.9% when the reward is predicated on giving an answer. While this is just a single anecdote involving college students, the mentality doesn’t disappear when applied to the working world. Even clicking a real website link is enough when there exists a piece of malware that utilizes a flash exploit to infect the computer upon displaying the malicious advertisement.
One of the best solutions for this social vector is due diligence. Well-designed policies that employees are intimately aware of through thorough training, including awareness of these threats, better threat identification in e-mail firewalls, and clearer communication of proper procedures for employees will help ease the threat of this specific branch of malware. The science does not lie, people want to trust other people, especially those who are friendly, and identifying those who would abuse this trust for personal gain is easier said than done. As professionals, the education and increased awareness of those who aren’t so technically inclined is paramount for the safety of the collective companies that we represent.
Sources:
• https://www.sciencedaily.com/releases/2016/05/160512085123.htm
• https://www.zdnet.com/article/this-old-ransomware-is-using-anunpleasant-new-trick-to-try-and-make-you-pay-up/
• https://www.zdnet.com/article/this-malvertising-campaign-infected-pcswith-ransomware-without-users-even-clicking-a-link/