Lifehacker Australia discusses yet another attack vector cyber security professionals need to consider, and one not many are all that familiar with at the moment:
However, the recent attack detected by Neustar was different. While the types attacks, like DNS reflection attacks aren’t new, the targeting is changing.
George said some early IPv6 implementations were more vulnerable to certain threat vectors because of scale. While companies were in the early stages of IPv6 deployment, they would only deploy the protocol on limited segments of their LANs. As a result, there was limited network capacity and this created a point of weakness that was susceptible to a DDoS attack.
The attraction in using IPv6 for attacks is a lack of awareness and skills, said George.
“A lot of people don’t know it’s there or realise it’s even turned on or have it in their threat profile. They don’t have the same level of protections in place or, if they have a set of plans or run-books for attacks, they don’t have a plan for IPv6,” said George.
Often, this is there result of a focus on deployment leading to a lower prioritisation on security. This is simply because the perceived threat of IPv6-specific attacks is still low.
“They’re deploying it but not focusing on the security side of things. People are working on the assumption that it’s not much of an attack vector”.
In theory and practice, for the most part, defending against IPv6 attacks is no different than IPv4 attacks. If IPv6 is enabled on a networks infrastructure, then the security devices need to be aware of this traffic type and be properly configured to inspect the traffic and act appropriately. If the routers are allowing IPv6 traffic to flow through the network, then the firewalls, intrusion prevention devices, endpoints security suites, and other security tools need to be aware of this and ready to act.
The Register reports on researchers discovering new methods for exploiting the evil CPU Meltdown and Spectre vulnerabilities:
In a research paper – “MeltdownPrime and SpectrePrime: Automatically-Synthesized Attacks Exploiting Invalidation-Based Coherence Protocols” – out this month, bit boffins from Princeton University and chip designer Nvidia describe variants of Meltdown and Spectre exploit code that can be used to conduct side-channel timing attacks.
In short, the team have discovered new ways for malware to extract sensitive information, such as passwords and other secrets, from a vulnerable computer’s memory by exploiting the Meltdown and Spectre design blunders in modern processors. The software mitigations being developed and rolled out to thwart Meltdown and Spectre attacks, which may bring with them performance hits, will likely stop these new exploits.
Crucially, however, changes to the underlying hardware probably will not: that is to say, whatever Intel and its rivals are working on right now to rid their CPU blueprints of these vulnerabilities may not be enough. These fresh exploits attack flaws deeply embedded within modern chip architecture that will be difficult to engineer out.
Before you panic: don’t. No exploit code has been released.
Although no code has yet to be released, this does not mean nation states have not developed toolsets to leverage these vulnerabilities. It it highly likely the US, UK, Russia, and China – among others – have already weaponized these exploits.
So while there is not necessarily any need to panic, there is absolutely a need to proceed with caution, especially for governments and large enterprise networks. Those networks within the crosshairs of extremely sophisticated actors will absolutely need to be prepared to defend against attacks leveraging these holes.
Motherboard reports on vulnerabilities discovered in globally used software for controlling gas pumps:
The vulnerabilities would allow an attacker to shut down fuel pumps, hijack credit card payments, and steal card numbers or access backend networks to take control of surveillance cameras and other systems connected to a gas station or convenience store’s network. An attacker could also simply alter fuel prices and steal petrol.
Ido Naor, a senior security researcher with Kaspersky Lab, and Amihai Neiderman, a former researcher with Azimuth Security, discovered the vulnerabilities after the computer screen on a gas pump in Israel crashed one day last June as Naor was filling his tank and exposed a local IP address. The system turned out to belong to an Israeli company named Orpak Systems, which makes fuel-management software. Orpak’s system is used by commercial gas stations in Israel as well as by the military and large corporations to track gas consumption for their fleets of vehicles, to ensure employees and soldiers aren’t siphoning gas from work vehicles to fuel personal ones.
But Orpak, which makes both RFID vehicle-tracking systems and fuel-management systems, doesn’t just sell its systems in Israel; its software is installed in more than 35,000 service stations and 7 million vehicles in 60 countries, according to marketing literature. And last year, Orpak was acquired by Gilbarco Veeder-Root, a large North Carolina-based maker of gas pump and point-of-sale systems for convenience stores in the US and elsewhere.
As the article notes, if stations are networking the pumps because they are geographically separated, there is a strong chance the vulnerable pumps may be located on Shodan.
TechRadar on a newly discovered Firefox vulnerability:
Mozilla has released a critical update for Firefox that repairs a security flaw that could have allowed hackers to run unauthorized code on a user’s PC.
The new release, fixes an issue with the browser’s interface code, part of which wasn’t properly sandboxed. This provided a possible point of access for malicious code to run on the host computer.
The vulnerability has been present in Firefox since version 56, which was released in September last year. There are no examples of it being exploited in the wild, but the potential threat led Mozilla to release a fix immediately.
Mozilla has already released the update, and it should be automatically installed if auto-update is turned on (it is by default).
Since Quantum was released, I have been using Firefox far more often than Chrome. Safari is still my main browser, but there are times when it fails to properly display certain web sites. On top of that, couple my Google distrust with Firefox’s lightning speed, and I feel comfortable with this change.
Dark Reading discusses a critical zero-day in Adobe Flash – surprise surprise – currently being leveraged in a campaign targeting South Korean victims:
Adobe today confirmed a report yesterday by South Korea’s Computer Emergency Response Team (KrCERT/CC) of the discovery of the zero-day vulnerability in Flash Player ActiveX 18.104.22.168 and earlier versions. The bug (CVE-2018-4878) abused in the attacks is a use-after-free vulnerability that allows remote code execution, according to Adobe’s advisory.
Johannes Ullrich, head of the SANS Internet Storm Center, says the fact that this was a targeted, zero-day attack makes it more likely to be the handiwork of a nation-state actor.
“The attack was rather limited, and targeted at individuals in South Korea who are involved in research about North Korea. I think this makes for a pretty strong case that this was a nation-state sponsored attack. Other actors would have little motivation to use a zero-day exploit in an attack against a group like this,” Ullrich says. “On the other hand, it doesn’t have to be North Korea,” given the difficulty of attribution.
It should come as no surprise that although North Korea is attempting to publicly play nice with South Korea, in the background they continue their cyber attack campaigns targeting their neighbor.
The targeted e-mails, which link to the fraudulent domain electronicfrontierfoundation.org, appear to be part of a larger campaign known as Pawn Storm. Last October, researchers at security firm Trend Micro brought the campaign to light and said it was targeting US military, embassy, and defense contractor personnel, dissidents of the Russian government, and international media organizations. Last month, Trend Micro said the espionage malware campaign entered a new phase by exploiting what then was a zero-day vulnerability in Oracle’s widely used Java browser plugin. Separate security firm FireEye has said the group behind the attacks has ties to Russia’s government and has been active since at least 2007.
EFF staff technologist Cooper Quintin wrote in a blog post published Thursday that the round of attacks involving the electronicfrontierfoundation.org site may have the ability to infect Mac and Linux machines, as well as the normal Windows fare. On Windows, the campaign downloads a payload known as Sednit that ultimately installs a keylogger and other malicious modules. Its use of the same path names, Java payloads, and Java exploits found in last month’s campaign mean it’s almost certainly the work of the same Pawn Storm actors that struck last month.
Iran’s ability to infiltrate or even crash rival government systems, including alleged threats to the electrical grid, has “alarmed” U.S. officials over the past few years. But the most recent phishing attacks are a sign Iranian hackers using these much more targeted techniques, too—on everyone from secular voices in Iran to nonprofit workers in the U.S.
One tip-off you’re being targeted for an attack? If you receive a fake “unexpected sign-in attempt” notice that says an attempt was made to log in to your account from “The Iran.” The alert could come from a text or, in Hakakian’s case, an email.
This email is sent by the hacker, not Google. But Google will eventually send an authentic verification code to your phone—which is intercepted by hackers in the process, giving them access to your account.
“For this attack to work, the attackers must actively monitor the phishing page. Once the target enters their password into the phishing site the attackers likely use the credential to attempt to log in to GMail. The attacker’s login attempt then triggers the sending of a code from real Google to the target,” the report states. “They then wait for the target to enter the 2FA code from Google.”
Another version of the attack includes a phone call and an interview request from an English or Farsi-speaker who claims to be from the news agency Reuters. When hackers sent their phishing email to Electronic Frontier Foundation director Jillian York after their phone call—which included specific details about her previous work—the news agency was misspelled “Reuturers.”
Eventually, the email would coax victims into opening a document pertaining to the phone call from “Reuters Tech Dep.” Clicking the link would start the two-step verification hack.
“An attacker can get access to personal details such as email, phone number, flight details (origin, destination, date, time, seat) and even the boarding pass,” Yosi Dahan, co-founder and CEO of Turrisio Cybersecurity, told Motherboard in an email.
When logging into the United Airlines app to check in, a customer can either enter their booking confirmation code or MileagePlus ID and doesn’t need to give any other information, such as a password. MileagePlus is United Airline’s frequent flyer program. If the user’s flight is within 24 hours, their information will be displayed on the app.
MileagePlus IDs are very basic: they come in the format of two letters, followed by six digits. So instead of having to find out the ID of a particular customer, Dahan wrote a simple Python proof-of-concept script that could allow an attacker to grind through the possible combinations of IDs and automatically check if any flights were booked with them.
There is no indication that the app has actually been abused by criminals. But Dahan, who has previously written about the MileagePlus app security, envisioned that it could be possible to launch a social engineering attack with information gleaned this way. He suggested, for instance, that an attacker could call a victim and present them with information that only United Airlines should know, then scam them into handing over credit card details.
“This is the same type of vulnerability that weev [Andrew Auernheimer] was incarcerated over and yet as a penetration tester I have seen this type of vulnerability a lot,” Justin Seitz, author of two Python hacking books, said in an email. “Numerous mobile APIs that were never designed to see the light of day can be mined for information using 10 line Python scripts like you see in that proof of concept.”
They took their findings about the weaknesses in the cryptography and authentication protocol to the Swiss manufacturer of the chip in February 2012, giving them nine months to fix the flaw; then they took their research to Volkswagen in May 2013. They had planned to present their research at USENIX 2013, but Volkswagen argued its vehicles would be at risk of theft and filed a lawsuit to block the paper from being published.
Although the code had been available on the Internet since 2009, the UK High Court of Justice awarded an injunction that prohibited the authors, their institutions, and anyone else who might assist them from publishing the research. The British court wrote, “I recognize the high value of academic free speech, but there is another high value, the security of millions of Volkswagen cars.”
So much for doing the right thing by responsibly disclosing the security flaw.
Indeed, so much for doing the right thing. Good guys never win.
The Industrial Control System Cyber Emergency Response Team (ICS-CERT) released an alert late last week and patches are currently being validated according to ICS-CERT and researcher Aditya K. Sood, who gave the DEF CON presentation. Sood said the alert came as a result of his talk in Las Vegas where he described the flaws in Schneider Electric’s Modicon M340 PLC Station P34 Module human machine interface (HMI) software. HMIs provide infrastructure operators with a visualization of the automation environment and allow admins to manage controls from a single screen or screens.
The vulnerabilities affect the modules that support the Factory Cast Modbus feature.
“[The alert] is based on my DEFCON talk but there are high chances that attackers could have been exploiting these vulnerabilities for some time now,” Sood said.
Sood disclosed vulnerabilities and provided Schneider with proof-of-concept code for two remotely exploitable vulnerabilities, and a related locally exploitable flaw. One of the flaws is a hard-coded credential found in the software that ICS-CERT told Sood had already been reported to them. Sood said it is unknown whether the hard-coded password has been removed since there was discussion of deploying a patch that would disable the affected FTP login.
In case you missed it, the Oracle CSO went on a rant about why security researchers and their own customers digging through their applications to locate vulnerabilities should just stop doing so and pay more attention to securing their own house. Well, as with anything on the internet, it has been making the rounds because of how tone deaf it was. Here are some of the reactions from the security industry to her missive:
To say that the post resulted in a strong industry backlash would be an understatement. Oracle distanced itself from Davidson’s opinions in its statement distributed to the press. “The security of our products and services has always been critically important to Oracle. Oracle has a robust program of product security assurance and works with third party researchers and customers to jointly ensure that applications built with Oracle technology are secure. We removed the post as it does not reflect our beliefs or our relationship with our customers,” Oracle executive vice president and chief corporate architect Edward Screven said in the statement.
”It’s incredibly arrogant for Oracle to suppose that they have all the answers and that their IP protections are sufficient and proper to guard against bad guys hacking your organization,” said Jonathan Feldman, CIO at the city of Asheville, N.C. “We know it’s stupid. It’s not like we have one year of data. Or five. We have at least 20 years of experience saying that the bad guys do deep, debugger-level code dives, and to ignore that with a Pollyanna ‘everybody had better be nice, now, because the Big O has Everything Under Control’ is crazy and irresponsible and ignorant,” Feldman said.
The attackers use valid administrator credentials, an indication the attacks are being carried out either by insiders or people who have otherwise managed to get hold of the highly sensitive passwords required to update and make changes to the Cisco hardware. Short for ROM Monitor, ROMMON is the means for booting Cisco’s IOS operating system. Administrators use it to perform a variety of configuration tasks, including recovering lost passwords, downloading software, or in some cases running the router itself. In an advisory published Wednesday company officials wrote:
“In all cases seen by Cisco, attackers accessed the devices using valid administrative credentials and then used the ROMMON field upgrade process to install a malicious ROMMON. Once the malicious ROMMON was installed and the IOS device was rebooted, the attacker was able to manipulate device behavior. Utilizing a malicious ROMMON provides attackers an additional advantage because infection will persist through a reboot.”
The vulnerability is reminiscent of a critical flaw exploited around 2008 by an NSA-tied hacking group dubbed Equation Group and later by the creators of the Stuxnet computer worm that disrupted Iran’s nuclear program. The vulnerability—which resided in functions that process so-called .LNK files Windows uses to display icons when a USB stick is plugged in—allowed the attackers to unleash a powerful computer worm that spread from computer to computer each time they interacted with a malicious drive.
When Microsoft patched the .LNK vulnerability in 2010 with MS10-046, company officials classified the vulnerability as “critical,” the company’s highest severity rating. The classification seemed appropriate, considering the success of the .LNK exploits in infecting large numbers of air-gapped computers. For reasons that aren’t clear, Tuesday’s vulnerability has been rated “important,” Microsoft’s second-highest severity rating. Update: As Virus Bulletin researcher Martijn Grooten pointed out, the .LNK vulnerability was remotely exploitable, allowing it to infect millions of people. By contrast, the bug patched Tuesday appears to require a USB stick, a requirement that would greatly limit the scale of attacks. That’s the likely reason for the lower severity rating.
This vulnerability exists in just about every version of Windows capable of mounting USB drives.
No one attack campaign is behind the spike in malicious domains, but popular and pervasive exploit kits such as Angler are a big piece of the puzzle, he says. “The backend stuff is being done by domains,” he says.
DNS, which converts domain names into machine-readable IP addresses, has become a popular vehicle for the bad guys to use in the distribution of their malware, the theft of information, and distributed denial-of-service attacks.
The DNS Threat Index has been on the rise for three quarters straight. “This could indicate cybercriminals are expanding the infrastructure to leverage targeted attacks for spreadkign malware and/or exfiltrating data,” the Infoblox report said.
Internet pioneer and DNS expert Paul Vixie says there are ways to slow and possibly trip up DNS abuse. He has proposed a “cooling-off period” for DNS providers to activate new domains, an approach that would help minimize domain abuse. A new generation of inexpensive and quick startup domain names has made it easier for bad guys to set up shop in the DNS infrastructure, according to Vixie.
“Furthermore the opened log file is never closed and therefore its file descriptor is leaked into processes spawned by SUID binaries. This means child processes of SUID root processes can write to arbitrary files owned by the root user anywhere in the filesystem. This allows for easy privilege escalation in OS X 10.10.x,” Esser added.
Esser has published technical details on the vulnerability and explained how it can be exploited for full privilege escalation. He has also released a proof-of-concept (PoC) exploit that provides a local root shell.
While Esser decided to take the full disclosure approach and not notify Apple before making his findings public, it appears this vulnerability was reported to the company months ago by the South Korean researcher known as “beist.”
However, Apple only fixed the flaw in the beta versions of OS X El Capitan 10.11, and not in the current OS X 10.10.4 or the beta version of OS X 10.10.5. OS X 10.11 is expected to be released in late September or early October.
Esser has pointed out that the local privilege escalation vulnerability also affects jailbroken iPhones running iOS 8.x.