Internet threat news

Sustainable Business Plan?

The now infamous hacking group termed “The Shadow Brokers” recently announced that they will be selling exploits and other tools initially hacked from the NSA in the autumn of 2013. For the somewhat staggering sum of 20,000 USD a month you can subscribe and receive monthly released exploits as well as SWIFT network data and information concerning Russian, Chinese, and North Korean nuclear programs. The group would like the fee paid in Zcash, a cryptocurrency advertised as “permissionless cryptocurrency that can fully protect the privacy of transactions using zero-knowledge cryptography.” 100 Zcash is approximately 20,000 USD. The group who initially gained notoriety for the above-mentioned hack recently gained their name in headlines as the group that released the EternalBlue and DoublePulsar exploits that aided WannaCry in infecting a number of computers it did. They have threatened to release more in the month of June but this new subscription business model has got experts asking more questions than they have answers.

This is not the first time the group has looked to monetise their hacking skills. They initially attempted to auction of all the data to the highest bidder, for which it was proposed that the group expected to receive over 10,000 Bitcoin for the exploits. That did not materialize and then attempted a Kickstarter campaign to raise the funds they thought the information was worth. It is estimated that the group has earned only 10,5 Bitcoin, or roughly 24,000 USD, through the various fundraising methods. It is yet to be seen if the subscription model will be a success. The group itself has admitted that they looking at what they deem as “high rollers” to be their main customer base. Based on previous attempts to monetise their hacking ability, experts are not convinced this will meet with any more success.

Security researchers at Whitescope have found over 8,600 vulnerabilities in the devices regarded as in the broader pacemaker ambit. These vulnerabilities were found across four producers of several products defined as pacemakers. These vulnerabilities were discovered in radio controlled devices such as pacemakers, Implantable Cardioverter Defibrillators, Pulse Generators, and Cardiac Rhythm Management collectively termed “pacemaker devices” in the study. These vulnerabilities not only raise worrying questions as to the safety of such devices but also the vulnerabilities that may come to plague the fabled Internet of Things.

Convenient, most definitely

The rise of appliances connected to the internet that enables users to change heat settings, lock doors, order food, and connect to other drivers have undoubtedly added new convenience to today’s refrigerators, motor vehicles, LCD television sets, and thermostats. However, they may be a future source of strife and frustration. Such convenience comes at a cost, the devices are practically unpatchable. Combine this with that such devices are intended to have a longer lifetime than the laptop this article is been written on and the company’s manufacturing such devices do not have the budget to pour into security features and upgrades means that they are extremely vulnerable to attack.

Fake News Hack

On May 23 reports surfaced that Qatar’s state news agency was hacked. Their website was hacked and allegedly uploaded fake news story pertaining to statements made by Emir Sheikh Tamim bin Hamad Al-Thani, Qatar’s current leader, supposedly made as to the small oil-rich nation’s political relations. The fake news stories included calling Hamas "the legitimate representative of the Palestinian people," comments as to the strong relations with Iran, and supposed tensions between Qatar and the US President Donald Trump. Qatari government officials and the news agency in question were quick to say that the news agency was indeed hacked and there is no substance to the stories.

Despite the broad denials and the admission of being hacked, many of Qatar’s allies in the region were quick to condemn the nation. The Saudi Arabian news agency Okaz was most vociferous in its coverage. Comments such as "Qatar splits the rank, sides with the enemies of the nation." Illustrate that the denial was not accepted by Saudi Arabia and other Gulf nations. As if in retaliation Al Jazeera’s website, with its head office based in Doha, was blocked in Saudi Arabia and the United Arab Emirates.

Ever since WannaCry made it onto the front page of every newspaper and received a dedicated segment on twenty-four-hour news channels, every Friday since then another worm using the same exploit appeared. This past Friday was no different. On Friday, May 19, another worm using the same exploit as WannaCry emerged. Discovered by Croatian analyst Miroslav Stamper, it has been dubbed EternalRocks. It has also gone by the name MicroBotMassiveNet. This exploit yet again uses the NSA tools dumped by “The Shadow Brokers”. However, while WannaCry used an unsophisticated code, the more recent malware detections like Adylkuzz and EternalRocks are believed to be far more advanced.

Pandora’s Box

The initial dump of NSA linked hacking tools has opened a veritable Pandora’s box to hackers and affiliated groups worldwide, not to mention rumors of other international spying agencies taking note. While some debate whether it was North Korean groups with links to the hermit kingdom or not which created WannaCry, the point seems almost moot considering a number of new attack campaigns which leverage the dumped tools. EternalRocks uses several of the dumped tools which exploit the now infamous SMB zero day in Window’s older operating systems. Stamper discovered that EternalRocks uses EternalBlue, EternalChampion, EternalRomance, and EternalSynergy to compromise vulnerable systems while it uses SMBTouch and ArchiTouch for reconnaissance purposes. Once the worm has gained a foothold in a vulnerable system it then uses DoublePulsar to spread to other vulnerable machines.

With much of the world still reeling from the WannaCry attack of last week, analysts and researchers have discovered a new threat. Researchers at Proofpoint discovered the threat on Monday this week that uses the same SMB exploit as WannaCry. The new threat, termed Adylkuzz, is not ransomware but rather a Cryptocurrency Mining Botnet. Adylkuzz makes use of the same alleged NSA hacking tools EternalBlue which took WannaCry from a purely amateur hour ransomware to the threat that made headlines infecting over 200,000 systems from over 150 Countries. Adyllkuzz further employed DoublePulsar another of the dumped hacking tools in its propagation.

The going wild of the abovementioned NSA hacking tools by the Russian hacking group “The Shadow Brokers” will undoubtedly have massive ramifications for the cyber security industry and the public as a whole. While WannaCry was a shot across the bow as to the seriousness of threats particularly when one saw how a simple ransomware bug when combined with NSA tools, could infect the British National Health Service, US package delivery giant FedEx, Spanish telecoms giant Telefonica, and Germany's Deutsche Bahn rail network. Adylkuzz, on the other hand, turns infected systems and by default their unwitting users into accomplices to financial crime on a grand scale. Little is known yet of the true scale of this attack but due to its more sophisticated nature than WannaCry, Adylkuzz may be significantly larger in scale.

The Wake-up Call

Microsoft has labeled the cyber wildfire called WannaCry a massive wake up call. By Saturday, May 13, it was reported that over 200,000 computers from over 100 countries had been infected with the ransomware in question. The speed at which WannaCry propagated was extraordinary, which leveraged a Windows SMB Exploit which had already had a patch released, by targeting computers and systems without the patch installed. It has been reported that the SMB exploit is the recently dumped EternalBlue, a collection of hacking tools allegedly developed by the NSA and dumped by the hacking group “The Shadow Brokers”.

The ransomware affected the British National Health Service, Nissan manufacturing plants, as well as numerous telecoms and well-developed organizations which one would assume, would do their utmost to protect against ransomware and similar attacks. The version which caused all the fuss had a killswitch which was exploited by the security analyst who goes by the name of MalwareTech to greatly reduce the spread and infection rate of the malware. As to whether the killswitch was a feature included by the ransomware’s creators or was merely an oversight is not apparent yet. Regardless, Europol, cyber security companies, software manufacturers, and other service providers are sending out multiple warnings to help mitigate the damage done. By the end of the weekend, it was estimated that the creators of WannaCry had received over a hundred payments totally over 25,000 USD.

Although not new news Microsoft’s recent Zero Day event which could have had mind numbingly bad consequences. That being said, Microsoft’s response is a great illustration of how the system should work. One must tip one’s hat to the response which has historically, and not just by Microsoft, been poor in general. Briefly, members of Google’s Project Zero team, a team dedicated to rooting out potentially exploitable flaws in products that are used by Google’s clients across the board, discovered a vulnerability in Windows Defender. The vulnerability was deemed rather colorfully as “crazy bad” by Tavis Ormandy, one of the vulnerabilities discoverers.

The Vulnerability

Not only was the vulnerability described as “crazy bad” but it was also deemed by Tavis Ormandy to be “the worst Windows remote code exec [execution flaw] in recent memory.” via his Twitter posts pertaining to the discovery. The Zero Day termed CVE-2017-0290 was discovered by Tavis Ormandy and Natalie Silvanovich in the Microsoft Malware Protection Engine. The engine, known simply as MsMpEng is overprivileged and unsandboxed according to Google’s Project Zero. What is even worse is that the MsMpEng is accessible remotely through other Windows services such as Exchange and the IIS web server.

Last week Cisco’s research arm Talos confirmed that it had detected a Remote Access Trojan (RAT), which they have termed KONNI, that has attacked organizations associated with the Hermit Kingdom. It has also been confirmed that by Talos that the earliest of these attacks using the above-mentioned malware occurred as early as 2014. Meaning it has evaded detection for nearly three years. The most recent attacks which started towards the end of April this year targeted UNICEF, the UN, and other embassies linked to North Korea.

The malware has evolved since the first of an estimated four campaigns. It has evolved from merely stealing information without any form of remote administration to the most recent iteration which uses two binaries which include a dynamic library. Thus the new version, boasting much better code than the previous version, can search for files generated by earlier versions on compromised machines. This means that it is safe to assume the creators of the earlier versions are deploying newer versions against similar, if not the same, targets as the previous ones. In this attack, KONNI was designed to be executed only one and could steal information from the infected machine including keystrokes, clipboard content, screenshot capture, executing arbitrary code, and data from installed web browsers.

As of the first of May 2017 a new version of the CryptoMix, or CryptFile2, ransomware has been detected. This new version uses the Wallet extension for encrypted files. Previously, the Wallet extension was used on Dharma/Crysis and Sanctions ransomware. This new version of CryptoMix is currently using the following payment email addresses: shield0@usa.com, admin@hoist.desi, and crysis@life.com. This variant was first detected by Robert Rosenborg an independent security researcher and later confirmed by MalwareHunterTeam. Lawrence Abrams conducted some research into the new version and contends that what makes this version so frustrating and insidious is that it makes it harder for victims to detect what ransomware they are infected with.

Currently, at the time of writing, no guides exist to remove this version from the affected systems. If you believe you have been infected with this new version you must lock down the network you are on as Wallet will also scan unmapped network shares for files to encrypt.

Last year hackers were caught on camera using their smartphones to empty ATMs. The thieves stole $2.2 million USD before they fled the country. Nixdorf, the ATM maker, said three different strains of malware were found on the devices. Software on the smartphone enabled the malware.

Security researchers speculated how the hackers were able to load the malware. Some said that networking devices on the device have well-known default passwords. Another said all you needed to do was attach a USB device and boot from that.

Now hackers have done some variation of both by drilling an 8 cm hole into the front and then passing a cable inside and connecting that to a 10-pin connector. They then connect the cable to a computer and send instructions that causes the machine to dispense cash.

Cross-Site Request Forgery (CSRF) is a hacking technique of getting a user who is logged into an application to execute certain commands while authenticated and logged in. The Magento shopping cart (version 2.1.6 and below) has a security issue that allows that. Magento has known about this for some months but as of April 2017 still had not fixed it. Defense Code contacted the company and told them this is a red critical security problem.

Magento is an ecommerce engine for web sites. Defense Code reports that a hacker can exploit the site by using a feature that previews a video before it loads a Vimeo video. The hacker can change the POST to a GET, either in a malicious web page or HTML embedded in an email) and request a file that is an invalid image file, like a .php program. The system will respond saying the file type is invalid but will download it anyway.

Threat Intelligence feeds are designed to provide real time updates on hostile domains, IP addresses, and active malware on the internet. These are two kinds of data feeds: free and paid.

The idea with data feeds is you use those to block IP addresses and IP address ranges, domains with certain registrar email addresses, etc. But just doing that will block legitimate traffic too. So you need to train machine learning algorithms with legitimate sources of data too. For example, you can get firewall logs from all over the word at DShield here and build a list of IP addresses from that. (They will ask you to fill out a form as hackers would like to get their hands on such a list as well.). Dshield users are encouraged to contribute their own firewall logs there to help build up their database.

The SANS Internet Storm website publishes various feeds here.

Heimdal Security says the Rig Exploit Kit has been used to plant Cerber ransomware on domains ending with the .news suffix, including the shortened list shown below. (Cerber has the unique feature of talking to its victims.)

An exploit kit is a set of tools developed by criminal gangs. They keep a staff of programmers to keep the product up-to-date and add improvements.

Virustotal reports show that only 2-5 out of 68 Anti-Virus products they tested can detect this type of attack. (You can enter the URL of any site here and Virustotal will check it.)

mind.pci [.] news (Virustotal report)
fun.rum [.] news (Virustotal report)
open.oral [.] news (Virustotal report)

It is not necessary for users to visit these .news websites. Instead the hackers update WordPress files and other web content that loads iFrames with advertising. The hackers use DoSWF, JavaScript, Flash, and VBscript to direct users to sites where the Rig Exploit kits are hosted. The victim does not even need to click on any of the .news links to be infected.

The Rig Exploit kits looks for and then attacks any of the products shown below to gain remote code execution privileges.

Wikileaks still has not published all of the source code of the CIA zero-day defects that they mentioned a few weeks ago. This is while Julian Assange negotiates with affected hardware and software vendors when to give them this code so they can fix these security weaknesses before Wikileaks publishes all of that. There is some pushback from the vendors who worry about the legal implications of using stolen classified material themselves and some unknown conditions insisted upon by Mr Assange.

Now WikiLeaks has published the second batch of Vaul 7 documents, which they call “Dark Matter.” These detail how the CIA has been hacking iPhones and Macs.

There is not much danger that hackers are going to be able to replicate what the CIA has done as they are using old fashioned spycraft. The CIA has managed to plug itself into the Apple supply chain to physically get their hands on these Apple devices and modify their firmware so that the CIA can use them to spy on their targets. This means they either have someone working with them in the chip manufacturing and distribution process or are attacking these devices in the mails as they are shipped to customers.

On the Mac, the attack is against EFI/UEFI. This is also called bios. This is the hardware part of the boot up process that loads before OS X loads. Even if a Mac user suspects that their device has been infected, if they wipe the device or upgrade the OS they cannot eliminate the firmware, because it is built into the CPU.  That is the same for the iPhone.

Unlike the first publication of CIA documents, this time we have complete instruction manuals for the Sonic Screwdriver, DerStarke, Triton, and DarkSeaSkies exploits published online, as web pages and PDFs.