Here is a group of articles on Mitigating Ransomware Using the Rapid Cyberattack Assessment Tool, by Microsoft.
Deep dive on Windows Server 2019 updates
Here is a link to a video on Deep dive on Windows Server 2019 updates. Link is here
McAfee Researchers Falsify Patient Vitals in Real Time
During the 26th DEFCON conference this past week, McAfee researchers showed how they were able to falsify patient vitals reported to central monitoring stations. Two variations of the attack are possible because of weak communication protocols between client devices and the central monitoring station. In the first scenario, the attacker needs direct access to the patient and the equipment: they disconnect the patient and plug in their own device, which then transmits false information.
However, McAfee researchers found that it was also possible to use ARP spoofing to feed false information to the monitoring station, by capturing data coming from a client device, manipulating it, and forwarding it to the central monitoring station. This works because of a UDP-based protocol called RWHAT, which is used by many medical devices, most of them wired- and wireless-capable. While RWHAT is not a widely known protocol, it is easy to observe and manipulate because of the simplicity of its UDP packets. Additionally, these devices often use no authentication, or weak authentication.
The doctors who helped the researchers vet the potential threat indicated that it is common practice to make diagnoses based on the data shown on the central monitoring stations. The McAfee researchers acquired a client monitoring station and a central monitoring system from eBay. While the units used date from 2004, they are still commonly used today. McAfee was careful not to name the manufacturer of the units, as they are still working with the company to patch the vulnerabilities. Once they had the equipment and had reverse engineered the networking component, their next step was to acquire an ECG simulator from eBay for about $100. With the ECG simulator available, they determined that the traffic was unencrypted and contained counter and patient information.
Using the emulation as a springboard, they were able to modify the data being sent to the monitoring station. Then, in real time, they were able to simulate a flatline signal at the central monitoring station as well as manipulate oxygen level and blood pressure readings. This creates the potential to feed staff false information that could result in unneeded or unwanted procedures or prescriptions. The attack could also make staff believe that a patient is resting peacefully when they are not hooked up to their bedside equipment, or worse. While this threat vector is unlikely to be subject to mass exploitation, it could be leveraged against high-value patients.
Sources:
https://www.bleepingcomputer.com/news/security/hackers-can-falsify-patient-vitals/
https://www.theregister.co.uk/2018/08/14/patient_monitor_hack/
https://venturebeat.com/2018/08/11/mcafee-researchers-falsify-a-patients-vital-signs-in-real-time/
What Else is your Fax Machine Doing?
Researchers Eyal Itkin and Yaniv Balmas revealed a new type of vulnerability at Defcon 2018, one which attacks your fax machine. They call this new exploit 'Faxploit' and demonstrated how a victim's network could be infiltrated by sending a malicious fax to a certain model of networked fax machine over a normal phone line. By utilizing vulnerabilities they discovered, they could take over the machine and use it as a jump point into the internal network. After an impressive amount of reverse engineering, using existing exploits to load a debugger onto the target fax machine, the two researchers discovered additional vulnerabilities which could be used for a device takeover attack.
The vulnerability used in their demonstration relates to the embedded JPEG image parser on the device, normally used when receiving or sending color faxes. By sending specially crafted JPEG headers to the machine they could trigger a stack-based buffer overflow in the header parser and run arbitrary code on the device. Once they had found the vulnerability in the device's fax handling, it was time to write an exploit for it. They discovered that when the device received a JPEG it simply dumped the contents to a file with no validation. Because of this, they were able to store the exploit entirely inside a specially crafted JPEG and gain persistence, since the file was written to disk. When they wanted to perform tasks that needed additional input they could simply read from the file sitting on disk.
Their finished exploit implemented three main features. First, it takes over the LCD display on the printer as a demonstration of full control of the device. Next, it checks whether the printer has an Ethernet cable attached. If the cable is attached, the third feature is activated: it attempts to attack and take control of other computers on the same network using the previously leaked NSA tools EternalBlue and DoublePulsar. While the demonstration exploit changed the LCD on the printer, a real attacker's exploit may instead opt to stay quiet to increase the time it goes undetected.
The fax machine attacked in their demonstration was an HP Officejet Pro 6830. The researchers coordinated with HP after the vulnerabilities were discovered, and patched firmware has been available on HP's website since August 1st. While only one specific model was attacked in their demonstration, it is possible that other models from other manufacturers suffer from similar flaws, given the nature of parsing complex file formats from unknown origins.
This means special care should be taken with these devices, as with other riskier devices on the network, such as ensuring that they are firewalled off appropriately or placed on a separate network segment. While these precautions would prevent the device from being used as a door into the network, they wouldn't protect against other types of local attacks.
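The bug class behind Faxploit, a parser that trusts the length field in a received JPEG header, is easy to see in miniature. The following is an added example, not the researchers' or HP's code: a minimal JPEG marker-segment parser that copies into a fixed stack buffer without checking the declared length, beside a bounds-checked version, with constructed sample segments (the `kApp0`, `kLying` and `demo_*` names are this example's own).

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Added example, not the researchers' or HP's code. A JPEG marker segment
 * is 0xFF <marker> <len_hi> <len_lo> <payload...>; the 16-bit big-endian
 * length counts itself (2 bytes) plus the payload and, in a received fax,
 * is entirely attacker-controlled. */

#define SEG_BUF 64  /* fixed-size stack buffer for a segment payload */

/* Unsafe: copies (declared length - 2) bytes into a 64-byte stack buffer.
 * A declared length above 66 overruns the buffer; one below 2 wraps the
 * copy size to a huge value. Shown only for contrast; never call it on
 * untrusted input. */
int parse_segment_unsafe(const uint8_t *data, size_t len) {
    uint8_t payload[SEG_BUF];
    if (len < 4 || data[0] != 0xFF) return -1;
    uint16_t seglen = (uint16_t)((data[2] << 8) | data[3]);
    memcpy(payload, data + 4, (size_t)(seglen - 2));  /* no bound check */
    return (int)seglen;
}

/* Hardened: the declared length must fit both the remaining input and the
 * caller's buffer before anything is copied. Returns payload bytes copied,
 * or a negative code naming the check that failed. */
int parse_segment_safe(const uint8_t *data, size_t len,
                       uint8_t *out, size_t out_cap) {
    if (len < 4 || data[0] != 0xFF) return -1;   /* not a marker segment */
    uint16_t seglen = (uint16_t)((data[2] << 8) | data[3]);
    if (seglen < 2) return -2;                    /* must at least count itself */
    size_t body = (size_t)seglen - 2;
    if (body > len - 4) return -3;               /* runs past the input */
    if (body > out_cap) return -4;               /* would overflow the buffer */
    memcpy(out, data + 4, body);
    return (int)body;
}

/* Constructed sample segments (not captured from a real fax). */
static const uint8_t kApp0[] = { 0xFF, 0xE0, 0x00, 0x06, 'J', 'F', 'I', 'F' };
/* Header claims 0xFFFF bytes but only four follow. */
static const uint8_t kLying[] = { 0xFF, 0xE0, 0xFF, 0xFF, 'A', 'B', 'C', 'D' };

int demo_well_formed(void) {          /* returns 4 */
    uint8_t buf[SEG_BUF];
    return parse_segment_safe(kApp0, sizeof kApp0, buf, sizeof buf);
}

int demo_lying_length(void) {         /* returns -3 */
    uint8_t buf[SEG_BUF];
    return parse_segment_safe(kLying, sizeof kLying, buf, sizeof buf);
}

int demo_oversized_payload(void) {    /* returns -4: fits input, not buffer */
    uint8_t seg[4 + 100], buf[SEG_BUF];
    memset(seg, 'A', sizeof seg);
    seg[0] = 0xFF; seg[1] = 0xFE;     /* COM marker */
    seg[2] = 0x00; seg[3] = 102;      /* length = 2 + 100 payload bytes */
    return parse_segment_safe(seg, sizeof seg, buf, sizeof buf);
}

int demo_unsafe_well_formed(void) {   /* returns 6: the bug stays latent */
    return parse_segment_unsafe(kApp0, sizeof kApp0);
}
```

The unsafe parser behaves identically on well-formed input, which is why this class of bug survives ordinary functional testing; only a length check against both the input and the destination buffer closes it.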
Sources:
https://research.checkpoint.com/sending-fax-back-to-the-dark-ages/
https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/faxploit-vulnerabilities-in-hp-officejet-printers-can-let-hackers-infiltrate-networks
Adware Doctor App Turns Out To Be Adware Itself
The Mac App Store is considered, and recommended as, the best way to get programs for your Mac. After all, Apple states that "The safest place to download apps for your Mac is the Mac App Store. Apple reviews each app before it's accepted by the store…". But what if one of the apps claiming to clean your computer of adware and malware turns out to be malicious itself? That seems to be the case with Adware Doctor.
Adware Doctor has risen to become one of the most popular paid apps in the Apple App Store. It is the top paid utility app, and the fourth paid app overall, giving it a spot on the App Store main page. However, there has been some controversy in its history. When the app was first released, it was called Adware Medic. However, it was removed when Malwarebytes complained, since their app Adware Medic was released first. A few days later the app reappeared as Adware Doctor. Many of the highly rated reviews are suspected to be fake, posted to boost the app's popularity.
Adware Doctor has been revealed to secretly collect a user's internet browsing history from multiple browsers, as well as the active processes running on the computer, and then send that information to a server located in China. A security researcher with the Twitter handle @privacyis1st discovered the behavior and teamed up with another researcher, Patrick Wardle, to delve deeper into the app.
Adware Doctor requests access to the user's files, which would be a legitimate need for a malware scanner. However, it abuses that access by collecting browsing history from Chrome, Firefox, and Safari, as well as search history within the App Store and a list of running processes on the machine. That by itself violates Apple's rules, since the app breaks out of the sandbox to enumerate the processes. The app packages this data into a zip file, history.zip, and sends it off to a web server located in China, adscan.yelabapp.com.
The researchers reported their findings to Apple over a month ago, but Apple seemed to do nothing about it, and the app remained on the store. However, when the researchers finally went public with their findings, the app was quickly removed. Along with Adware Doctor and another app by the same developer called AdBlock Master, Apple removed three other related apps that were accused of exfiltrating browsing and search histories: Open Any Files, Dr. Antivirus, and Dr. Cleaner. Apple has yet to comment on why it took so long to remove malicious apps that flagrantly violated the rules, or on how they got past App Store review in the first place.
Sources:
https://thehackernews.com/2018/09/mac-adware-removal-tool.html#commentbox
https://threatpost.com/apple-finally-boots-sneaky-adware-doctor-app-from-mac-app-store/137319/
https://objective-see.com/blog/blog_0x37.html
Internet-Exposed 3D Printers Pose Fire Risk
In the last few years the price of 3D printers fit for home use has fallen substantially. They have become cheap enough for people without advanced technical skills, and especially without security skills, to venture into this market. By default, most current 3D printers must be tethered to a PC full time via USB to configure and run print jobs.
Octoprint, a 3D printing application, makes life easier for non-technical users by removing this requirement. It can be installed on a device such as a Raspberry Pi and connected to your home network, where it exposes an HTTP interface for interacting with the printer, which greatly improves usability. During the Octoprint installation process the user is prompted to enable authentication on the web interface, although many people choose to disable it for ease of use. This is not ideal, but usually fine as long as the printer is exposed on the local network only.
As 3D prints can take upwards of 24 hours to complete, many people don't wait long before thinking "it would be great to monitor the progress remotely". Therein lies the issue. To accomplish this, they open an HTTP port in their network via port forwarding so they can reach Octoprint from anywhere, and typically forget to enable authentication first. This is how thousands of unsecured Octoprint instances ended up accessible from the internet.
There are MANY risks associated with having these web interfaces publicly exposed. The first is that Octoprint isn't really designed as a secure web application. It was designed with advanced users in mind and as such can be tweaked and modified endlessly. In its default configuration it is essentially an unauthenticated portal into your network, since you can run arbitrary system commands from the web interface. By leveraging this feature an attacker could easily move to more sensitive machines on the network. The second major risk is that 3D printers are essentially simple robots with attached heaters. These heaters can reach extremely high temperatures very quickly. Most modern 3D printers have temperature limits in the firmware to prevent thermal runaway from causing a fire. However, by modifying the firmware and flashing the printer from the Octoprint interface, these limits can be removed. This could allow an attacker to start a fire with the printer in just a few clicks. While not as dangerous, an attacker could also damage the machine by commanding the motors to move beyond their defined range.
Octoprint has always told its users that making the application available on the internet, even with authentication enabled, is a terrible idea. Many software applications designed for advanced users and/or experimentation don't go through rigorous security assessments and aren't meant to be exposed on the internet. Like a cheap lock, their authentication mechanisms are meant to keep the honest out. It is important to review the software's security posture before opening a port in your network to access it remotely. Better still, although less convenient, using a VPN to reach services running in your home network is the best way to reduce the risk of exposure.
Sources:
https://www.csoonline.com/article/3303562/security/over-3700-exposed-3d-printers-open-to-remote-attackers.html
https://octoprint.org/blog/2018/09/03/safe-remote-access/
PowerShell Updates
Announcing PowerShell Core 6.1
The latest version of PowerShell has been released! This marks our second supported release of PowerShell Core, the open-source edition of PowerShell that works on Linux, macOS, and Windows! A key feature of this release is compatibility of built-in Windows modules with PowerShell Core. This means that you can natively run those modules/cmdlets with PowerShell Core and easily transition from Windows PowerShell. You can see the full post here
PowerShell Gallery
The PowerShell Gallery is the place to find PowerShell code that is shared by the community, Microsoft, and other companies. The site has averaged over 21 million downloads per month for the past 6 months and has more than 3,800 unique packages available for use. It's amazing when we consider we were handling just under 4 million downloads in July 2017. We clearly needed to invest in the PowerShell Gallery to support that kind of growth. The result is now available to everyone, and includes new features, performance enhancements, security improvements to accounts and publishing keys, and better alignment with the NuGet.org codebase that we rely on for our service and cmdlets.
New features and performance enhancements
Most users should see an improvement in package download speeds from the PowerShell Gallery. The new release takes advantage of a CDN to provide faster downloads, particularly for those outside the United States. This should be most noticeable when installing a module with many dependencies.
The new updates include things users have requested for a long time, including:
- A manual download option from the PowerShell Gallery. It cannot replace Install-Module / Install-Script but does solve some specific issues for those with private repositories or older versions of PowerShell.
- A change to Install-Module and Install-Script to simply install to the current user scope when not running in an elevated PowerShell session.
The new user experience is more than just a face-lift, as providing a modern UI also improves the performance. The PowerShell Gallery pages now display only the most critical information initially, and move the details to expanding sections in the UI. This makes the pages faster and makes it easier for users to find the content they want to see. You can see the full post here
PowerShell Training Resources
Microsoft Virtual Academy (MVA) is a logical first stop when searching for sources of free learning. A search for "powershell" on the main page of the MVA website returns 68 hits, 13 of which include PowerShell in the course title. Other highly rated courses include Getting Started with PowerShell Desired State Configuration (DSC), Advanced Tools & Scripting with PowerShell: 3.0 Tools That Make Changes, and Advanced PowerShell Desired State Configuration (DSC) and Custom Resources. To go to the MVA click here.
PowerShell.org: Supporting all platforms and languages that use PowerShell, this site's Videos section provides links to the organization's PowerShell YouTube channel (with more than 100 videos) as well as a few structured learning courses. You'll also find pointers to a whole slew of lengthy articles and tutorials on PowerShell in the site's eBooks section. The Build Server section lets you sign up for virtual instances of PowerShell for testing and learning purposes. And while you're on the PowerShell.org site, be sure to browse the articles and forums, both of which are good sources of PowerShell how-to information.
Windows PowerShell Survival Guide: This is perhaps the motherlode of resources, Microsoft's list of lists for PowerShell. To go to this tool click here.
The Spectre Looms Over Us Still
The Spectre attack has been an unexpected danger to our security since January of this year. It is an attack on most modern processors that uses speculative execution to leak sensitive information to a potential attacker. Speculative execution allows processors to execute instructions in parallel and, where instructions depend on the results of other instructions, tries to predict which instructions are likely to execute next. When there are hundreds of instructions to run, such predictions provide a significant gain in performance. The Spectre attack starts by mistraining the processor with processes that cause erroneous speculative execution, which also creates covert side channels for exfiltration. Then the attacker has the victim perform an action that is normally allowed but that requests sensitive information. Permissions are not checked until the instructions are committed, so the processor has no problem speculatively reading the sensitive information and modifying the cache state in a vulnerable way. The attacker then retrieves that information through the side channel, even though the erroneous instructions are discarded.
Researchers at the University of California, Riverside (UCR) have discovered a new form of the attack, named SpectreRSB, that uses the Return Stack Buffer (RSB) instead of the Branch Target Buffer to acquire and smuggle sensitive information. Instead of causing the branch predictor to misspeculate onto a poisoned branch, SpectreRSB poisons the return address in the RSB.
Intel already has a patch, but only for Core i7 Skylake and later processors. The patch is called RSB refilling, and it fills the RSB with a benign address whenever there is a switch to the kernel. Some of the proposed attacks in the UCR paper can bypass RSB refilling, but the researchers believe their proof-of-concept attacks are unlikely to be practical because of the difficulty of implementing the gadget that smuggles the return address into a recoverable cache state.
Sources:
https://securityaffairs.co/wordpress/74698/hacking/spectrersb-attack.html
https://arxiv.org/pdf/1807.07940.pdf
https://www.bleepingcomputer.com/news/security/researchers-detail-new-cpu-side-channel-attack-named-spectrersb/
More Vulnerabilities in the Smart Home
Researchers at Cisco Talos recently spent some time probing the Samsung SmartThings Hub, a device designed to be the center of your smart home. They discovered a number of vulnerabilities ranging from remote information leakage up to arbitrary remote code execution. The device is designed to communicate with a range of devices over Ethernet, Z-Wave, Bluetooth, and Zigbee. These devices could be smart locks, IP cameras, alarm systems, thermostats and more.
The researchers found a total of 20 vulnerabilities in the hub. They noted that while each vulnerability by itself might not have a great impact on the security of the device, in many cases the vulnerabilities can be chained together to form a complete exploit. Three vulnerability chains were identified that allow an attacker to take complete control of the device.
The first chain allows for remote code execution on the hub. Using a vulnerability that allows the execution of arbitrary SQL queries, an attacker would be able to trigger a different vulnerability that allows for memory corruption. Specially crafted queries would then allow the attacker to execute arbitrary code via this attack vector. The second chain allows the attacker to get a glimpse inside the 'hubCore' process of the device, leaking sensitive information. This is accomplished via a vulnerability that allows an empty file to be created anywhere on the device. While at first glance this vulnerability doesn't seem impactful, the researchers learned that creating this empty file in a specific location causes the 'hubCore' process to crash and produce a memory dump.
The third vulnerability in this chain allows that dump to be captured over the network. The last of the three chains allows for remote code execution with no prior authentication. This chain relies on sending specially crafted queries to the 'video-core' process running on the device. A vulnerability in the HTTP pipeline allows the requests to reach the vulnerable service with an arbitrary payload that triggers a buffer overflow, allowing for remote code execution. While the third exploit chain requires no authentication, the first two have varying requirements depending on a number of factors. In some cases anyone holding a valid OAuth bearer token can talk to the remote servers in order to trigger some of the vulnerabilities. Malicious apps designed for the hub can also be used to trigger the exploits.
Cisco Talos reported all of the vulnerabilities to Samsung. Samsung responded by fixing the bugs and pushing a firmware update to all connected SmartThings Hubs. While the hubs are designed to update automatically, it is always a good idea to verify the firmware version currently running and update manually if necessary.
Sources:
https://blog.talosintelligence.com/2018/07/samsung-smartthings-vulns.html
https://www.csoonline.com/article/3292942/security/researchers-reveal-20-vulnerabilities-in-samsung-smartthings-hub.html
https://www.securityweek.com/samsung-patches-critical-vulnerabilities-smartthings-hub
Idaho prison officials: Inmates hacked system to get credits
BOISE, Idaho (AP) — Idaho prison officials say 364 inmates exploited vulnerable software in the JPay tablets they use for email, music and games to collectively transfer nearly a quarter million dollars into their own accounts.
Here is the link to the story: https://apnews.com/dfd5dccdf75c4b5dbc97ff5ecf3f3d5b. It shows that where there is a way, people will find it and use it to their own ends.