Rig Exploit Kit delivering ransomware via Adobe Flash exploit (CVE-2018-4878)

Exploit kits are very efficient tools used in the cybercrime underground. These frameworks are packed with a number of exploits and mechanisms to detect vulnerabilities in systems/applications and serve matching exploits. For malicious actors, it is very convenient to purchase, rent or even steal exploit frameworks from their creators (usually more highly skilled criminals), put them to work and profit from malicious activity. In other instances malicious actors can adapt code from open source frameworks and turn it into exploit kits (e.g., Blackhole vs. BeEF).

Exploit kits are versatile, as they target different platforms (Windows, Linux) or devices (desktops, phones), and they can help criminals build up botnets quickly. Once the botnet is built, there are plenty of post-exploitation payloads and additional attack tools that can be installed on victims’ systems for additional malicious activity such as spam, DDoS, crypto mining, etc.

These exploit kits have evolved into many variants, some more popular than others; one of the currently popular ones is the Rig Exploit Kit (RigEK). This particular exploit kit has been observed to adapt and serve many different payloads in recent years. A new campaign has been observed by security researcher Nao_Sec. In this campaign RigEK was serving GandCrab ransomware, rendering targeted systems unusable unless a ransom is paid in the form of DASH or BTC.

Figure shows GandCrab ransom demand message (From Nao_Sec Blog)

Ransomware payloads have proven to be effective and are currently one of the most widespread attack efforts. To the victim it is usually cheaper to pay the ransom than to try to decrypt the system. Cryptocurrency is also preferred for ransom payments, as it provides a level of anonymity and obfuscation that enables these types of malicious activities.

Exploit kits work as quick-hit approaches, but tend to have a limited duration, since once they are discovered, takedowns and prosecution may follow. They possess several obfuscation mechanisms that allow them to target specific populations such as countries, languages, ranges of IPs, specific applications, etc., and by doing so they avert detection and become more effective by focusing on targeted vulnerable systems/applications/populations. During the writing of the threat advisory, one of these mechanisms was observed when trying to reach the exploit kit landing page.

Figure Shows RigEK customized message

Malicious actors know they are being observed and that their tools are constantly probed by security companies and white hat researchers in order to publish information that allows effective defenses against these exploit kits. When these kits are “burned” they cease to be effective, making some of these campaigns short-lived and forcing them to move on to other hosts or regions, or simply stop. The observed malicious server was cleaned a few hours after the writing of the threat advisory and this blog, as the message below shows.

For full details of exploit and payloads of this campaign please view the Threat Advisory here.

 

About JASK.AI

JASK is modernizing security operations to reduce organizational risk and improve human efficiency. Through technology consolidation, enhanced AI and machine learning, the JASK Autonomous Security Operations Center (ASOC) platform automates the correlation and analysis of threat alerts, helping SOC analysts focus on high-priority threats, streamline investigations and deliver faster response times.


Drupalgeddon2

A new vulnerability affecting the popular content management system (CMS) framework Drupal has been announced. This vulnerability is said to affect over 1 million websites. The vulnerability has been assigned CVE-2018-7600. It has also been deemed highly critical based on CMSS scoring. This highly critical rating means the following:

  • Anonymous access (No need for authentication)
  • Can be triggered remotely (No need of local access)
  • Makes all data accessible (Public AND non public)
  • Data can not only be accessed but modified or even deleted
  • Targeted site can be taken over

Vulnerabilities affecting CMS frameworks are particularly concerning, as these systems are prime candidates for botnet herding. Botnets are a fundamental means of criminal activity and a primary profit driver for the cybercrime underground economy, as they can be used for cryptocoin mining, spam, identity theft, phishing, financial fraud, DDoS, and more.

CMS frameworks make up a significant portion of the internet, and when one of these types of vulnerabilities is found, it needs to be addressed, as it will likely affect millions of websites that can potentially be targeted for malicious activity.

No known exploitation in the wild… as of now

According to the Drupal Security team this vulnerability was found by Jasper Mattsson and as of this time, there are no specific details of a proof of concept or knowledge of exploitation in the wild. However, the differences in previous code and patch are public. It will not take long before malicious actors reverse engineer the patch code and produce exploitation code.

According to WordFence, a review of the published patch code reveals a new class named DrupalRequestSanitizer. This new class sanitizes or controls input in specific elements of the code, which can be seen in the next figure.

Fig Shows diff code between Drupal affected versions and patch (Source WordFence)

It is well known that malicious actors, including nation states, can and will reverse engineer patch code in order to create exploit code. This has been seen previously in widely known vulnerability management programs, where state actors have purposely delayed, or abused exclusive knowledge of, upcoming vulnerability publications in order to exploit them.

It is a matter of time before exploitation code is published so it is imperative to update affected Drupal distributions as soon as possible. 

What versions are affected and how to mitigate

The following graph shows the detailed mitigation route suggested by the Drupal security team.

Fig Shows Drupal recommended mitigation route

https://www.drupal.org/sa-core-2018-002

 

Access the Threat Advisory here.


New Samba Vulnerabilities

The importance of behavioral multi-contextual threat detection

A new set of vulnerabilities found in the SAMBA service protocol highlights the need for approaches that go beyond the simple use of static signature defense technologies. These two vulnerabilities have been disclosed as CVE-2018-1050 and CVE-2018-1057. The first one, CVE-2018-1050, allows denial of service against printing services through a failure of null pointer checking and a subsequent crash. The second one, CVE-2018-1057, allows unprivileged users to reset users’ passwords, including where SAMBA is used in Active Directory environments. Every version of SAMBA, with the exception of 4.7.6, 4.6.14, 4.5.16, is affected by both vulnerabilities.

According to the SAMBA official security page, no useful logs currently exist that can be used to monitor password reset. However, it suggests some commands in order to monitor for this attack.

Figure shows suggested monitoring commands *

The page also suggests a number of workarounds, but they need to be applied very carefully, as some of them require disabling or deprecating services that are absolutely necessary for many organizations to function on a daily basis. For example, a large company that depends on LDAP for scanning, indexing, and storing documents cannot possibly disable that service as it would practically cease to operate (think about the legal or healthcare industry).

It is important to point out that these vulnerabilities are likely to be used as post-exploitation payloads, as SMB/SAMBA protocol is not typically exposed to the internet but instead inside the perimeter. The biggest threat, however, is still the ability to reset passwords of any user. This opens the door for malicious actors to pivot, move laterally, or write code within organizations.  

Recent cases show that attacking file sharing and printing services is not uncommon, as was seen with exploits such as EternalBlue and EternalRed/SambaCry, which caused a good number of compromises and were coupled with ransomware in many campaigns. These vulnerabilities create a scenario where the combination of being a data hub (SAMBA services) and the ability to possibly change credentials and then act on them makes them possible candidates to replicate the past attack vectors mentioned above.

Compromised SMB shares can be used for many malicious activities, such as to steal sensitive information, at rest or in motion in specific devices.  They can also be used to pivot and move laterally from unsuspecting devices (NAS, Printers). In addition, many of these types of devices are placed on corporate networks that may allow attackers with these exploits to run code and proceed to execute malicious activities such as cryptomining or installing ransomware and proceeding to demand ransom payments.

The importance of multi contextual behavioral detection

The above scenarios clearly show that organizations that depend solely on static/signature-type defense technologies would likely miss these types of attacks, as there is practically no visibility through logs or even traffic. Usually, the first sign organizations notice is a noisy denial of service attack or a reckless attacker in their environment. However, this approach is passive, with a very low probability of successful recognition.

JASK’s ASOC platform possesses several mechanisms to detect these threats. As outlined above, it’s likely these vulnerabilities will be used as post-exploitation payloads. As such, they can be detected as part of an exploitation chain. This exploitation chain detection by JASK ASOC allows analysts to put together a visual representation of the elements related to possible exploitation of SMB/SAMBA services.

 

Figure Shows JASK ASOC Smart Alert

The above figure shows a JASK ASOC Smart Alert where SMB/SAMBA port/service scanning is detected after a user has connected to a suspicious URL shortener and then accessed a file share that this user had not previously accessed.

This may indicate, depending on this particular user’s patterns and privileges, that a post-exploitation payload may have been used to grant access from the user’s account/device to a targeted device running SMB/SAMBA services. The following figure shows one such individual signal.

Figure Shows First Seen Access signal

JASK ASOC can also detect port/service scans of SMB/SAMBA services and display a specific and detailed visual interface that provides analysts with situational awareness. The figure below shows origin and targeted ports/services and hosts.

Figure Shows SMB/SAMBA scanning detection

By providing these simplified situational awareness items, analysts can spot suspicious activity, and even exploitation, without having the attack signatures, which can be difficult to obtain, as they are vendor-dependent and often subject to publication embargoes.
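The chain described above (suspicious URL shortener, then SMB/SAMBA scanning, then a first-seen file share access by the same user) can be expressed as a small correlation over events. This is an added example, not JASK's implementation or code from the original post; the event schema, signal names, one-hour window and sample events are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Ordered signals that make up the chain described in the text (names assumed).
CHAIN = ("url_shortener", "smb_scan", "first_seen_share")


def ts(hhmm):
    """Build a timestamp on a constructed sample day."""
    return datetime(2018, 3, 14, int(hhmm[:2]), int(hhmm[3:]))


# Constructed sample events; a real pipeline would derive these from proxy,
# network and file-server telemetry.
EVENTS = [
    {"ts": ts("09:00"), "user": "alice", "type": "url_shortener", "detail": "short.example/x1"},
    {"ts": ts("09:05"), "user": "alice", "type": "smb_scan", "detail": "10.0.0.0/24:445"},
    {"ts": ts("09:12"), "user": "alice", "type": "share_access", "detail": "//fs01/finance"},
    {"ts": ts("09:20"), "user": "bob", "type": "smb_scan", "detail": "10.0.0.0/24:445"},
    {"ts": ts("09:25"), "user": "bob", "type": "share_access", "detail": "//fs01/eng"},
    {"ts": ts("10:00"), "user": "carol", "type": "share_access", "detail": "//fs02/hr"},
]

# Shares each user is already known to use (constructed baseline).
BASELINE = {"alice": {"//fs01/eng"}, "bob": {"//fs01/eng"}, "carol": set()}


def label_events(events, baseline):
    """Sort events by time and turn share accesses into first-seen signals.

    A share access already in the user's baseline is dropped; a new one is
    relabelled 'first_seen_share' and added to a working copy of the baseline.
    """
    seen = {user: set(shares) for user, shares in baseline.items()}
    labelled = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        signal = ev["type"]
        if signal == "share_access":
            known = seen.setdefault(ev["user"], set())
            if ev["detail"] in known:
                continue
            known.add(ev["detail"])
            signal = "first_seen_share"
        labelled.append({**ev, "signal": signal})
    return labelled


def first_seen(events, baseline):
    """Individual first-seen-access signals as (user, share) pairs."""
    return [(e["user"], e["detail"]) for e in label_events(events, baseline)
            if e["signal"] == "first_seen_share"]


def correlate(events, baseline, window=timedelta(hours=1)):
    """Alert when one user produces the full chain, in order, within window."""
    progress = {}  # user -> signals matched so far, in chain order
    alerts = []
    for ev in label_events(events, baseline):
        chain = progress.setdefault(ev["user"], [])
        # Simplification: a partial chain older than the window is discarded.
        if chain and ev["ts"] - chain[0]["ts"] > window:
            chain.clear()
        if ev["signal"] == CHAIN[len(chain)]:
            chain.append(ev)
            if len(chain) == len(CHAIN):
                alerts.append({
                    "user": ev["user"],
                    "share": ev["detail"],
                    "start": chain[0]["ts"],
                    "end": ev["ts"],
                })
                chain.clear()
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS, BASELINE):
        print(alert)
```

A first-seen access on its own (carol in the sample) stays a low-weight signal; only the ordered combination for one user raises the alert.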

This approach is far more proactive, simplified and cost effective as it does not rely on signatures, and it provides analysts with meaningful suspicious activity that allows them to focus on actual threats without having to deal with multiple disparate, proprietary technologies or special vendor training, before even making sense of an actual threat.

To access the Threat Advisory click here.

 

 



Domain Hijacking Impersonation Campaigns

A number of domain “forgeries” or tricky, translated look-alikes have been observed recently. These attack campaigns cleverly abuse International Domain Names (IDN) which, once translated into ASCII in a standard browser, result in the appearance of a corporate or organization name that allows the targeting of such organization’s domains for impersonation or hijacking. This attack has been researched and defined in past campaigns as an IDN homograph attack.

The interesting part of this attack is that it allows bad actors to hijack the targeted organization’s domain without actually hijacking it. As seen in past campaigns, in order to hijack a domain, malicious users must compromise the targeted entity’s domain guardian, which is usually a name registrar, an administrator or a web marketing department within the organization. Malicious users would proceed with different attack vectors in order to obtain credentials that allow the transferring or redirection of such domains. One of the popular attack vectors against an organization’s internet domain was DNS hijacking, which allows malicious actors to find technical ways of tampering with or subverting a company’s DNS in order to redirect it to another hosted site, subsequently targeting redirected victims with different attack vectors (drive-by downloads, phishing, impersonation, etc.).

Malicious actors have cleverly devised a way to use International Domain Names that, when translated into ASCII on standard browsers, look exactly like the targeted organization. Next, malicious actors proceed to register a targeted organization’s domain and get SSL/TLS certificates. Once these are translated into browsers, it is very difficult, and almost impossible, to notice the difference. Previous work from researcher Xudong Zeng of Symantec and recent research by IronGeek and Brian Krebs give a good example of how the use of IDNs can be effective when trying to impersonate a targeted entity.

The figure below shows a simple translation tool.

The above example shows a domain name of a known cryptocurrency exchange which was recently targeted, according to TheNextWeb. Malicious actors used an IDN, cloned the site, purchased SSL/TLS certificates and proceeded to present a clone site to trick victims.

Figure Shows cloned site punycode/IDN site.

Figure Shows translated ID with secure icon on browser.

As seen on both images above, this type of attack is very difficult to detect, even for a detailed observer.

 

How can we defend against these types of attacks? 

Although these types of attacks are very difficult for standard users to detect, they don’t represent direct compromises of actual internet domains. Still, there are measures that can be taken in order to protect against them.

  • Protect your domain registrars’ accounts so they cannot be compromised and your domain redirected. (Multiple Factor Authentication, Complex Passwords, Private Registrations)
  • Select reputable domain registrars that will have support and legal weight in case of domain misappropriation/dispute.
  • Monitor for impersonation and registration of rogue/non-standard character domains that may be used against your organization. Here is an IDN checker website that can provide information on possible suspicious IDN registration that match an internet domain when translated to English alphabet.
  • Use tools such as Domain Lock to prevent transfers. Also, DNSSEC (DNS secure verification of actual domain and name servers) can help users to detect impersonating sites and deter malicious actors.
  • Properly document your domain. It is not far-fetched that malicious actors can, at one point, attempt to claim ownership based on previous registration or other geopolitical factors.
  • Utilize web filters and blacklists to help prevent some of these attacks.
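The monitoring item above can be partly automated. The sketch below is an added example, not code from the original post or from any tool it mentions: it decodes xn-- labels, reports mixed-script labels, and maps look-alike characters to ASCII to compare against a watch list. The confusable table is a small illustrative subset and the protected domains are constructed placeholders.

```python
import unicodedata

# Illustrative subset of Latin look-alikes (assumption: a production monitor
# would load the full Unicode confusables data instead of this short table).
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",
    "\u0455": "s", "\u0458": "j", "\u04cf": "l", "\u0501": "d",  # Cyrillic
    "\u03bf": "o", "\u03bd": "v", "\u03b9": "i",                  # Greek
}

# Constructed watch list of domains the organization wants to protect.
PROTECTED = {"example.com", "copy.example"}


def to_ascii(domain):
    """Encode a Unicode domain to its xn-- (punycode) form, label by label."""
    labels = []
    for label in domain.lower().split("."):
        if label.isascii():
            labels.append(label)
        else:
            labels.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(labels)


def to_unicode(domain):
    """Decode xn-- labels back to the characters a browser may display."""
    labels = []
    for label in domain.lower().rstrip(".").split("."):
        if label.startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                pass  # malformed punycode: keep the raw label for review
        labels.append(label)
    return ".".join(labels)


def scripts_of(label):
    """Scripts used in a label, taken from Unicode character names."""
    found = set()
    for ch in label:
        if ch.isdigit() or ch == "-":
            continue  # digits and hyphens are shared by all scripts
        found.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return found


def skeleton(domain):
    """Replace known look-alike characters with their ASCII counterparts."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in domain)


def assess(domain, protected=PROTECTED):
    """Assess one observed domain (for example from a new-registration feed)."""
    shown = to_unicode(domain)
    mixed = any(len(scripts_of(label)) > 1 for label in shown.split("."))
    skel = skeleton(shown)
    # Only non-ASCII names can be homographs; the real domain is never flagged.
    target = skel if (not shown.isascii() and skel in protected) else None
    return {"input": domain, "unicode": shown,
            "mixed_script": mixed, "impersonates": target}


if __name__ == "__main__":
    samples = [
        to_ascii("ex\u0430mple.com"),               # one Cyrillic letter in a Latin label
        to_ascii("\u0441\u043e\u0440\u0443.example"),  # label written entirely in Cyrillic
        "xn--bcher-kva.example",                     # ordinary IDN, no look-alike
        "example.com",
    ]
    for name in samples:
        print(assess(name))
```

The second sample is why a mixed-script check alone is not enough: a label written entirely in one non-Latin script passes it, and only the look-alike mapping ties it back to the protected name.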

 

For users:

  • Do not install mobile applications outside of authorized application stores. This attack is even more difficult to detect on mobiles.
  • Install punycode alert add-ons from internet browsers’ authorized stores.

Fig Shows Punycode alert chrome add-on.

 

To read a more technical and in-depth summary, access Rod's Threat Advisory on this topic here

 



Cryptocoin Mining Attack Vectors Reshaping the Threatscape

The rise in value of cryptocurrencies is driving malicious actors to implement payloads that allow the use of CPU/GPU of compromised hosts in order to mine cryptocurrency.  The process of mining is defined as “the use of computational power to process transactions for a cryptocurrency blockchain in order to receive a reward of cryptocurrency for the effort. The computational power will come in the form of CPU processing or GPU processing. Miners are rewarded for successful ‘shares,’ or completed computations, by receiving a payment with fees that are collected along the way by the p2p network.”*.

By implementing cryptocurrency mining payloads, malicious actors can now increase the value of their victims by using their computing power. It is common in the cybercrime underground to seek profit from compromised hosts. These compromised hosts, often called “zombies” or “bots”, are usually part of botnets, which are networks of private computers infected with malicious software and controlled as a group without the owners' knowledge. These botnets are built with the purpose of executing malicious activity (DDoS, spam, identity theft, carding, information theft, etc.). These activities feed the underground crime ecosystem, as malicious actors profit from the resources obtained from these botnets.

With the addition of cryptocurrency mining payloads, there is now an additional benefit from compromised hosts. The number of crypto mining attacks and payloads is growing and shifting the current threatscape; some of the main attack vectors include:

 

  • Cryptojacking: Code hosted in web applications that hijacks CPU processing power to mine cryptocurrency. The Coinhive JavaScript miner is an example of this and is used in thousands of websites across the internet. This is one of the most popular attack vectors, as websites can receive thousands of views from oblivious users and use their computers’ CPUs for mining. These attacks can use cleverly disguised web page elements to hide mining code, with reports of mining code hidden in the page’s favicon. A favicon is an icon associated with the web address that is displayed in the browser.

Fig 1.1 Favicon embedded mining code * https://twitter.com/xbs/status/963796410100604929

 

  • Malware Crypto Mining: There are several reports of malware variants now incorporating cryptocurrency mining payloads, such as JS Coinminer. Malware campaigns are always active and seek to compromise as many victims as possible, now with the added benefit of using their CPU processing power.

 

  • Malicious Mobile Applications: There have been reported cases of malicious actors attempting to mine cryptocurrency via mobile devices. They attempt to do this by publishing malicious applications in application stores that, once installed, proceed to use mobile processing power. As little as that could be, it is important to take into consideration that in mining, the so-called mining “pools” always take advantage of as many devices as possible by using distributed processing/mining in order to expedite coin production.

Fig 1.2 Shows Malwarebytes Mobile cryptomining site

https://blog.malwarebytes.com/threat-analysis/2018/02/drive-by-cryptomining-campaign-attracts-millions-of-android-users/

 

  • Adware Crypto Mining: Adware crypto mining involves the embedding of crypto mining code in ads, pop-ups, and other types of web advertising, in some cases pushing advertisements that might be legitimate but carry embedded code that then uses the hosts’/viewers’ computing power.

 

  • Crypto Mining Post-Exploitation Payloads: As malicious actors are able to compromise hosts with any available exploits, they proceed to use post-exploitation payloads that allow the mining of cryptocurrency. This is especially the case for malicious actors targeting major CMS applications such as WordPress in order to get massive amounts of processing power from very large distributions of servers across the web. It is important to note that one of the most mined cryptocurrencies is Monero. This cryptocurrency can be mined using CPUs (more abundant and common than GPUs) and has a higher level of anonymity than many other cryptocurrencies.

 

These new benefits are affecting the threatscape. For example DDoS campaigns seem to be shifting as malicious actors consider the use of compromised hosts for attacks or for mining. Every time an attack campaign is uncovered - be it malware, ransomware, or DDoS - what follows is a process where attack sources - usually infected hosts - get cleaned, taken down or blacklisted.

Before cryptocurrency mining, in order to produce revenue from compromised hosts, malicious actors had to either extract valuable information (identity, banking, credentials) or use these hosts for not-so-subtle activities such as spam or DDoS. These two activities are very noisy and usually lead to blacklisting and takedowns. Now, with cryptocurrency mining payloads, these hosts can produce more revenue and stay undiscovered for a longer period of time.

This situation presents a factor that may be shifting attack campaigns, where DDoS campaigns are more focused on specific targets and less widespread as malicious actors focus on mining and keeping their hands on compromised hosts. This reflects a constant dynamic of the underground economy, where malicious campaigns are driven by return on investment.


Introducing CHIRON: A Case for Home Network Monitoring and Defense

Chiron is an innovative solution developed by JASK’s Director of Security Research, Rod Soto, and Director of Data Science, Joseph Zadeh.  While JASK fully supports our team’s innovation, CHIRON is not a product of JASK, nor is it represented or sold by JASK.

 

Nowadays, all our homes have become microenvironments for complex networking, composed of almost every single home appliance with added processing and networking capabilities. Examples of these home appliances include toasters, refrigerators, thermostats, cameras, TVs, wearables, door locks, light bulbs, vacuum cleaners, routers, printers, as well as personal computing products such as laptops, desktops, phones, tablets, etc.

Most of these devices, once connected, interact not only with the user but also with the internet. One of the reasons why they constantly interact with the internet is because these devices are basically propped-up sensors, that have enough processing power to interact among each other and send information to the cloud where very large distributed computing infrastructure ingests it, processes it and responds to requests from these devices. This type of architecture requires a lot of computing power and expensive infrastructure, making it only affordable by very large enterprises.

However, at home, these interactions require a networking infrastructure that is very simple: an internet connection, a router and a WiFi access point. These interactions are transparent to the end user, as multiple network connections and data (some of it containing very personal information) go from home to the cloud. Home users do not have any insight into these exchanges. They have no idea what is transferred to and from their home networks except for what they immediately see on their screens. This blind spot is very dangerous, as home networking is faced with many challenges including:

  • Malicious file downloads: Many Drive-by malicious sites will push malicious files into unsuspecting victims, as well as phishing emails which lead victims into executing malicious code via browser or fake/malicious applications.
  • Privacy risks: Many devices can lead to loss of privacy. A simple example is how malicious actors were able to spy on victims via webcams.
  • Data theft: Malicious actors have been known to target home-based Network Attached Storage devices, exfiltrating personal data such as photos, financial data and sensitive private data.
  • Piracy: Are there torrent peer-to-peer type of file sharing software running inside homes? Is their home network running a node for a piracy service?
  • Are there people using their home networks without their knowledge? People using WiFi for personal use, downloading movies.
  • Are they being targeted by malicious organizations or even state-sponsored actors?
  • Are there malicious/criminal linked services running at their home networks like Dark Web TOR services or SPAM email servers?

The above items are legitimate use cases for home network monitoring and defense. Today, home defense is usually limited to antivirus software, but considering that many devices in the home network cannot run antivirus software, and users can only count on common sense to face many of the current internet threats, the home network is pretty much defenseless.

 

Enter CHIRON: a home-based analytics, machine learning threat detection tool

CHIRON is a home analytics framework based on the ELK stack, combined with the Machine Learning threat detection framework AKTAION. CHIRON parses and displays data from P0f, Nmap, and BRO IDS. CHIRON is designed for home use and will give great visibility into home internet devices (IoT, computers, cell phones, tablets, etc).

It provides a picture of who and what your home devices are communicating to and interacting with. The graph below shows examples of how IoT devices such as Google Chrome and Amazon Firesticks, Dots and Echos can be seen by CHIRON.

The following is a CHIRON dashboard that shows identified operating systems, most active services/ports, and the most active local and external IP addresses.

These dashboards are simple and easy to read, however they reveal a great deal of what is happening in the home network. This would allow users to find unusual services, operating systems, communications and services that may indicate something suspicious is occurring in the home network.

The line between home networks and internet is blurring, as all these internet-enabled devices are constantly communicating back and forth. CHIRON seeks to provide basic answers for home network monitoring such as:

  • Do you live in a high-density building? Is anybody poaching your Internet service?
  • Where do all those devices connect to?
  • Where are all my users connecting to?
  • Is there any suspicious NORTH-SOUTH traffic? Are there suspicious IPs connecting to your webcam or door locking system?
  • Dynamic asset discovery (know what devices in your home are actually live and communicating).

CHIRON will perform the following basic tasks:

  • Performs basic discovery and analytics of home network assets (IoT devices, workstations, laptops, servers, routers)
  • Fingerprints users, services, and protocols
  • Applies analytics to users and devices (Average session length, Traffic, Visited sites)
  • Identifies odd application/traffic/services

 

AKTAION - Machine Learning Threat Detection framework

Besides providing simple and easy to understand analytics, CHIRON also works with AKTAION, a Machine Learning framework for threat detection and active defense. Aktaion is scheduled to run every 4 hours and comes with its own benign training dataset.

If either phishing or ransomware delivery is discovered, micro behavior indicators will be shown as in the following picture.

Future CHIRON iterations will incorporate other home-related protocols and tools such as Bluetooth, Zigbee, Kismet and popular open source IDS.

CHIRON framework was conceived to be open source. The objective is to bring collaboration from the security community in developing a home based monitoring, analytics, detection framework that is easy to use and transparent for end users. With collaboration and feedback from the community this framework can eventually become a free and easy to use and deploy tool for those who do not have technical knowledge yet are exposed to the dangers of the internet.

Give CHIRON a try, go ahead and download the virtual machine here.  You can also reach out to the creators via twitter @rodsoto @josephzadeh

https://www.github.com/jzadeh/chiron-elk

 


Meltdown - The mirror in the CPU

A new series of vulnerabilities has been disclosed (CVE-2017-5753/5715/5754) affecting the most popular computer processors and leaving millions of devices exposed to exploitation. These vulnerabilities allow users/applications with low-level privileges to view data in memory. Data stored in memory may include passwords, pictures, texts, and any other type of data. At first these vulnerabilities were thought to only affect Intel; however, other reports indicate that AMD and ARM processors are affected as well.

Meltdown and Spectre are the two trending names associated with these vulnerabilities. Meltdown implies there are no limits between applications and the operating system; in this case, exploitation allows an attacker to access memory data across any running application or process. Spectre forces or tricks programs/applications into dumping memory by causing errors, after which this memory data can be accessed.

Fig 1.  Meltdown POC

Fig 2. Spectre POC  Modified from * https://gist.github.com/ErikAugust/724d4a969fb2c6ae1bbd7b2a9e3d4bb6#file-spectre-c-L50

Proof-of-concept exploitation code suggests a side-channel type of attack, which may require some previous steps before full exploitation (i.e., tricking a user into browsing a page with exploit code, or accessing a server, transferring code and then executing it). However, this does not minimize the risks of these types of vulnerabilities; for example, a malicious actor could simply create an account with a popular cloud-based provider, then execute the exploit on his/her servers and be able to see other users’ information via memory/application leakage.

It is also very possible that these vulnerabilities will soon be chained to other exploits, enabling them to be executed in a manner that allows more streamlined memory access.

The biggest implication of these vulnerabilities is the number of devices that may be affected. Considering that Intel, AMD and ARM probably account for the majority of modern processors, the task of applying mitigations seems very difficult. Some of these devices may not be patchable (think embedded processors such as cable modems, routers, and many other IoT devices). Others may be patched; however, as of the writing of this blog, the current mitigations are workarounds more than fixes, and these workarounds come with a price, which is a reduction in performance and latency. These reductions in performance may be significant enough to discourage some vendors from patching these devices.

Suggested mitigations consist of applying patches at the operating system level, as deployed hardware at this point is flawed and unmodifiable. Below is a list of detailed technical resources and mitigation information.

 

US-CERT
https://www.us-cert.gov/ncas/current-activity/2018/01/03/Meltdown-and-Spectre-Side-Channel-Vulnerabilities

Official Intel
https://security-center.intel.com/advisories.aspx

Official AMD
https://www.amd.com/en/corporate/speculative-execution

Official ARM
https://developer.arm.com/support/security-update

MITRE
CVE-2017-5715
CVE-2017-5753
CVE-2017-5754

Official Vulnerability page with technical POC and Research information
https://www.meltdownattack.com

Mozilla
https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/

Google Chrome
https://support.google.com/chrome/answer/7623121?hl=en

Official Microsoft
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180002

Google Project Zero
https://googleprojectzero.blogspot.com/
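One way to verify that the operating-system mitigations mentioned above are active on a Linux host, as an added example that is not from the original post. It reads the kernel's sysfs status files (present on Linux 4.15 and later, and on distribution backports) for the three CVEs listed under MITRE; the function names are illustrative.

```python
from pathlib import Path

# Linux kernels with the Meltdown/Spectre patches expose one status file per issue here.
SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")

# sysfs file name -> CVE from the MITRE list above
CVE_BY_FILE = {
    "spectre_v2": "CVE-2017-5715",
    "spectre_v1": "CVE-2017-5753",
    "meltdown": "CVE-2017-5754",
}


def classify(status_text):
    """Map the kernel's status string to a coarse state."""
    text = status_text.strip()
    if text.startswith("Not affected"):
        return "not_affected"
    if text.startswith("Mitigation:"):
        return "mitigated"
    if text.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def mitigation_report(base_dir=SYSFS_DIR):
    """Return {cve: (state, raw_status)} for the three CVEs."""
    report = {}
    for name, cve in CVE_BY_FILE.items():
        try:
            raw = (Path(base_dir) / name).read_text().strip()
        except OSError:
            # No file: the kernel predates the interface, so status cannot be confirmed.
            report[cve] = ("unknown", "")
            continue
        report[cve] = (classify(raw), raw)
    return report


def needs_attention(report):
    """CVEs that are unmitigated or whose status could not be read."""
    return sorted(c for c, (state, _) in report.items()
                  if state in ("vulnerable", "unknown"))


if __name__ == "__main__":
    for cve, (state, raw) in sorted(mitigation_report().items()):
        print(f"{cve}: {state} ({raw or 'no sysfs entry'})")
```

An "unknown" result on a host with no sysfs entries usually means the kernel has not been updated since the disclosure, which is itself the finding.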


2018 CYBER SECURITY PREDICTIONS

Predicting big events in cyber security can be a tricky task. Attacks seem to have waves of innovation and adaptation, then plateau and stay low on the radar, only to come back years later in new forms or adapted to other new exploits. An example of this is the use of encryption and destructive software in malicious ransomware campaigns. Both have been used before but are now repurposed in a much more effective manner. Predicting malicious campaigns or new exploits is made even more difficult by new software or hardware with unreleased bugs and vulnerabilities that may drive and shift attack and defense paradigms.

With the creation of new technology and the development of new software applications, the possibility of abuse and exploitation always runs in parallel. Hence, predicting these types of events may be linked to the creation or widespread adoption of new technologies, even though we have seen at times how code that was allegedly a decade old as of 2017 was still very powerful.

Cyber attack trends and the use of weaponized code are also inexorably tied to geopolitical factors, as cyber has become part of warfare. It is known that once such code is disclosed, it will be repurposed and adapted to exploits and known types of attack vectors to make them more effective. An example of that is the addition of EternalBlue to the WannaCry ransomware last year.

The internet is now, more than ever, embedded everywhere, from Personal Area Networks, Home AI and the Internet of Things to the corresponding big data distributed backends needed to interconnect and process their information in the cloud. They have blurred the edge and made the internet part of our homes, bringing its risks with them. The adoption of Artificial Intelligence in cyber security is still in its infancy and yet to be developed. AI is being used mainly to drive defense technologies; however, it is a matter of time until this technology is adapted for malicious purposes as well. With all these caveats in mind, here is what past and present events suggest may happen this year:

  • Exploitation of IoT devices will increase as they become pervasive in homes and companies. AI technology is here to stay, and it is still unknown how many risks and vulnerabilities these devices may have. As such devices are incorporated into houses and companies, it is very likely that malicious actors will target and successfully exploit them.
  • Likely as a byproduct of IoT home networking exploitation, 1TB plus volumetric DDoS attacks will increase in frequency, as more devices become available for exploitation and abuse and are added to attack botnets.
  • SMS will be discarded as an authentication tool due to phone porting, SS7 and MFA phishing attacks. This is a clear trend as of the last quarter of this year; however, it is likely to grow in numbers to a point where SMS will have to be discarded as an authentication factor.
  • Cell phone infrastructure driven attacks. Vulnerabilities in cellphone/wireless spectrums will be targeted to pivot to critical infrastructure (power, transportation and other utilities). This type of infrastructure is known to connect, in many instances, parts of our critical infrastructure such as dams, bridges, pumps, etc. This cell phone infrastructure will continue to be targeted and we might witness actual effects on critical infrastructure.
  • Ransomware / destructive malware used against critical infrastructure. In 2017 we witnessed the targeting of governments via specially crafted and obfuscated ransomware and destructive code. Examples of that were the attacks against Britain’s NHS and Ukrainian infrastructure, including nuclear power plants. The time will come when these types of attacks pass through our current defenses and affect our critical infrastructure. This will likely happen during 2018.
  • Mega breaches will continue. Not too long ago SQL injections were the main drivers of mega breaches; nowadays Amazon S3 buckets seem to have replaced them as the driver of mega breaches and data disclosures. This is unfortunately likely to continue, as research indicates there are still plenty of unsecured S3 buckets, plus high value target organizations.
  • AI/ML tech will be weaponized. This is inevitable, as malicious actors will eventually find a way to incorporate current AI/ML technology into their attacks. This will likely happen via addition to either DDoS or exploitation attacks.
  • Client based exploits (phishing) will continue to be the main vector of attack as enterprises harden their defenses. Phishing continues to be a challenging attack vector to defend against, and pretty much an unsolved problem for enterprises, which will keep driving these types of attacks.
  • Identity "Firewalls" will become a thing. With the prevalence of stolen identity information, a tool or mechanism that detects unauthorized use will have to be created. It may imply a new identity framework or technology beyond current "identity protection services".
  • A devastating cyber attack may lead to a "break up" of the internet. It is a matter of time until an attack with grave effects on people's way of life leads to a forced "break up" of the internet. This means the days of reaching governments, airplanes, cars, nuclear plants, dams, etc. via the internet from everywhere may be numbered.

Single Sign On: Feature or Threat?

A conflict between usability and security is at the core of single sign on capabilities. From the perspective of usability, single sign on (SSO) is a must have. SSO is required to maintain efficiency within a workplace. Modern enterprise users are constantly using multiple applications; accessing, sharing and storing data across multiple file shares; sending and downloading emails; and authenticating through VPNs, mobile devices, etc. Without single sign on, each step would inhibit productivity. From the functional view of user interactions and tasks, it would be impossible to require users to authenticate every time they access a resource or read, write or modify a file. It is very clear that SSO is a fundamental need for enterprises.

However, SSO represents a single point of failure and a driving factor for credential reuse/extraction attacks. This means attackers can gain access to a variety of resources by simply obtaining and reusing credentials. If an organization's defense posture is weak, this creates a risk that can range from someone simply snooping over a shoulder or reading a sticky note all the way to sophisticated targeted phishing, malware execution, social engineering or post exploitation attacks, where attackers can obtain user credentials and then proceed to gain access and move laterally across an organization.

There have been significant numbers of breaches and known compromises that started by simply obtaining credentials from users and even administrators, as malicious actors tend to pretext and target them. Weak passwords and policies clearly augment the damage that an attack of this type can cause. In some cases the reuse of passwords, for example, has exposed not only targeted organizations, but partners and even defense service providers.

Credential reuse/extraction attacks, used in post exploitation environments, provide powerful tools to move around the enterprise leveraging SSO technologies. Very popular tools such as Mimikatz are designed specifically to exploit SSO features. Tools like this allow attackers to perform Pass The Hash, Pass The Ticket and other related credential extraction/reuse attacks.

These types of attacks and tools constantly evolve as new ways of abusing/exploiting SSO features are discovered. Recently security researcher Juan Diego found a method to extract NTLM hashes that can then be reused (or cracked) to obtain credentials in a post exploitation environment and then move laterally. In spite of all the attacks already available and upcoming, single sign on cannot be abandoned.

Single sign on can be fortified by using strong password policies and complementing them with monitoring and detection technologies such as JASK Trident. JASK Trident uses multiple sources of information and contextual indicators to detect abnormal activity and credential reuse attacks. These multi contextual indicators are based on the experience of security operations center operators along with machine learning models.

The following figures show multi contextual indicators used by JASK Trident that can indicate credential extraction/reuse.

Fig 1 Shows Lateral Movement activity alert (SMB) Scanning

Fig 2 Shows First Seen Access - SMB Share
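The two indicators named in the figure captions above (SMB scanning fan-out and first-seen share access), sketched as an added example; it is not JASK Trident's implementation or code from the original post. The records, host names, thresholds and function names are constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed records, not real telemetry: (time, source host, user, dest host, share)
BASELINE = [
    ("2017-07-10 09:00:00", "ws-014", "alice", "fs-01", "finance"),
    ("2017-07-10 09:05:00", "ws-022", "bob", "fs-01", "engineering"),
]
TODAY = [
    ("2017-07-11 10:00:00", "ws-014", "alice", "fs-01", "finance"),
    ("2017-07-11 10:01:00", "ws-022", "bob", "fs-02", "ADMIN$"),
    ("2017-07-11 10:01:05", "ws-022", "bob", "fs-03", "ADMIN$"),
    ("2017-07-11 10:01:09", "ws-022", "bob", "dc-01", "ADMIN$"),
    ("2017-07-11 10:01:14", "ws-022", "bob", "ws-030", "ADMIN$"),
    ("2017-07-11 10:30:00", "ws-014", "alice", "fs-02", "hr"),
]

def first_seen_access(baseline, events):
    """Flag (user, dest, share) combinations that never appear in the baseline."""
    known = {(user, dst, share) for _, _, user, dst, share in baseline}
    alerts = []
    for ts, src, user, dst, share in events:
        key = (user, dst, share)
        if key not in known:
            alerts.append((ts, src) + key)
            known.add(key)  # alert once per new combination
    return alerts

def smb_fanout(events, max_hosts=3, window=timedelta(minutes=5)):
    """Flag sources reaching more than max_hosts distinct SMB hosts within window."""
    recent = defaultdict(deque)  # source -> (time, dest) pairs still inside the window
    flagged = {}
    for ts, src, _, dst, _ in sorted(events):
        now = datetime.strptime(ts, FMT)
        q = recent[src]
        q.append((now, dst))
        while now - q[0][0] > window:
            q.popleft()
        hosts = {d for _, d in q}
        if len(hosts) > max_hosts and src not in flagged:
            flagged[src] = (ts, sorted(hosts))
    return flagged

def correlate(baseline, events):
    """Sources that trip both indicators are the strongest lateral-movement leads."""
    new_access = {alert[1] for alert in first_seen_access(baseline, events)}
    return sorted(set(smb_fanout(events)) & new_access)
```

On the constructed data, a single first-seen access (alice reaching a new share) is a weak signal on its own, while ws-022 trips both indicators within seconds and is the host to triage first.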

The JASK Research team has produced a threat advisory outlining a proof of concept of this new attack and specific steps for mitigation. Access the Threat Advisory by clicking here.


Beyond WannaCry: The NotPetya Ransomware attack

Reports earlier today described the spread of a widespread infectious worm distributing the well-known ransomware Petya, targeting Ukraine's infrastructure (power, transportation, finance) and other big companies around the world. It later came to light that this attack might not be a variant of Petya, but an entirely new kind of ransomware attack, leading to it also being called NotPetya. No matter the name, the findings indicate an ongoing campaign with attack vectors similar to the WannaCry infestation in May 2017, leading experts to believe it is the next evolution in a possible series of attacks that will continue to affect companies around the world.

Screenshots of Petya/NotPetya:

Ransomware detection from JASK's product:

Initial reports in the community suggest the EternalBlue exploit may be present in some of the researched samples. This would enable the ransomware payload to spread rapidly and aggressively. Further lateral movement would only occur if the targeted environment is not patched.

Other reports indicate that the main attack vector is phishing: an MS Office file that proceeds to download a malicious payload once the user has opened it and enabled macros. Some of the reported code shows PowerShell syntax downloading an executable, and there are also other code snippets showing lateral movement using PowerShell.

It is important to clarify that even if your systems are patched, some ransomware versions will use compromised user credentials to search, probe, copy, and execute the malicious payload based on the rights given to that user. This means spreading and infestation are possible but limited to the user's credentials and rights in targeted shares.

These versions of the malicious code seem to be using EternalBlue in some cases, and in others extracting credentials from compromised systems to move laterally and infest further. In addition, there are reports of more than one variant of the malicious code currently in play. This makes it more difficult for compromised companies to detect and remediate.

A quick check on BlockChain.info indicates several payments have been made to the bitcoin address related to this attack: https://blockchain.info/address/1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX . The email address referenced in the message, hosted on POSTEO, has apparently been disabled, preventing the actors behind the attack from receiving communications and making it even more difficult to get any type of keys to decrypt.

Current consistent indicators suggest this ransomware campaign is based on the following vectors:

  • Malicious document delivered via email
  • PS code downloads malicious payload
  • User must open file and allow execution
  • Malicious file mimics Petya ransomware signatures
  • Malicious code proceeds to probe for shares adjacent to the victim machine and possibly checks for EternalBlue execution. If successful, it proceeds to copy, write and execute the ransomware payload on every share. If privileges are high (admin), the code will proceed to encrypt the MBR; if not, it will encrypt specific files.
  • In other instances, the malicious code uses credentials of the compromised user/machine and only writes to those shares where the user has privileges
  • Machine is rebooted via scheduled task
  • Messages are presented on screen.

JASK technology already has the capability to detect this type of ransomware attack, as this version uses methods similar to WannaCry. JASK can also detect malicious file download and unusual SMB share access. This attack is more targeted than WannaCry and it seems to specifically target infrastructure companies. This code is also more versatile than WannaCry, as it checks for EternalBlue or spreads by the SMB rights of the compromised user.

 

 

Mitigations:

US-Cert Ransomware prevention/mitigation info

US-Cert Petya bulletin

Petya IOCs & Yara Rules

IBM X-Force Snort signatures

JASK Eternal Blue & WannaCry detection