Category Archives: Advice for SMEs

Threat Intelligence – What is it good for?

31 August 2019

I attended a virtual summit on threat intelligence this week. I watched two interesting presentations and found that I am still not convinced of the value of threat intelligence.

In vulnerability management for example threat intelligence speeds up decision making. But is speed in the decision-making phase of vulnerability management an issue?

OODA Loop

OODA Loop

When we deal with critical vulnerabilities, e.g. vulnerabilities of the WannyCry Class, speed is crucial. The OODA procedural model is perfectly suited as execution procedure for environments where speed is crucial for survival.

OODA, an acronym for Observe, Orient, Decide, Act, was developed by John Richard Boyd in the 1950’s as survival strategy in aerial combat. Colonel Boyd, one of the most influential military strategists ever, transferred OODA to other domains after he retired from the US Air Force.

The picture below shows the OODA procedural model adapted for vulnerability management.

OODA for Vulnerability Management

OODA for Vulnerability Management

We must decide whether urgent action is required if a new critical vulnerability is published. Data collected from OSINT sources, asset details, and experience in the evaluation of vulnerabilities are required for creating a well-founded decision.

Threat intelligence speeds up the Observe and Orient phase by e.g. providing data on exploits seen in the wild. But threat intelligence will neither replace current asset data, which are crucial for the Orient phase, nor speed up the Act phase, where the affected assets are patched, and their correct operations is verified.

So, if you decide on investing in threat intelligence ask yourself the question: What benefits do I expect to gain from threat intelligence in what use cases? Otherwise, it is very likely that you get disappointed.

Have a good weekend.

Advertisements

Rogue 7. A new attack on Simatic S7 PLCs. Who should be concerned?

18 August 2019

Pierluigi Paganini’s post (1) on Rogue 7, which popped-up in my LinkedIn news feed last Tuesday, immediately caught my attention. And troubled me somewhat because I am living a mile north from one of the largest German chemical industrial parks where lots of Simatic S7-1200 and S7-1500 PLCs are in operations.

The facts.

A group of Israeli security researchers managed to compromise PLCs of the Simatic S7-1200 and S7-1500 series. They presented the results at the Black Hat 2019 (2). For more technical details see the accompanying conference paper (3).

The SIMATIC developers learned from the past attacks on the S7 protocol, and integrated cryptographic protection in the latest version of the protocol. This includes a key exchange protocol for secure session set-up between the TIA and the PLC, message integrity protection, and payload encryption.

The Israeli researchers re-engineered the protocol and found some design weaknesses in the implementation which they used to execute start/stop attacks on the PLC, program download and stealth program injection attacks.

Countermeasures.

To fix the design flaws in the protocol will take some time.

With CPU access protection (4), the design weaknesses can be mitigated. Unfortunately, the default is “No Protection”, that is,” the hardware configuration and the blocks can be read and changed by all users”. So, it’s time to switch CPU access protection on, at least for high risk environments, e.g. if the PLC is directly accessible from the internet and port 102 is open.

Should we be concerned, or, to put in another way: Who should be concerned?

That depends on the target industry and the threat actor.

Critical Infrastructures.

IEC 62443 request’s that PLCs should be isolated in a separate network zone inside the SCADA partition of the production network. In the best case, communication is allowed from systems in the SCADA partition to the PLC only. If the operator follows this defense in depth strategy during production network build the risk of Rogue 7 style attack on a PLC is low.

Fortunately, operators of critical infrastructures are forced by regulations to implement a defense in depth strategy. But the effort for implementation and operation of an IEC 62443 compliant network is high. To reduce the effort, even large deviations from the IEC 62443 requirements are accepted.

Protection against APTs: The more the better? Own work. Paris 2019.

Protection against APTs: The more the better? Own work. Paris 2019.

State guided or sponsored threat actors, also called APT (Advanced Persistent Threat), and to a certain extent Organized Crime leverage these deviations in attacks on critical infrastructures. Hacktivists and Script Kiddies can be neglected because they lack the specific network infiltration and SIMATIC S7 know how.

Recall Triton, the attack on a Schneider Electric Triconex safety controller in 2017. The attackers (APT) compromised the Petro Rabigh corporate network in 2014. “From there, they eventually found a way into the plant’s own network, most likely through a hole in a poorly configured digital firewall that was supposed to stop unauthorized access.”(5)

Petro Rabigh Chemical Plant.

In June 2017, the first unplanned shutdown of a safety controller took place. Finally, on Aug. 4, 2017, at 7:43 p.m., two safety controllers brought parts of the Petro Rabigh complex offline to prevent a gas release and explosion.(6)

The attackers compromised also the PLC. “But as safety devices took extraordinary steps, control room engineers working the weekend shift spotted nothing out of the ordinary, either on their computer screens or out on the plant floor.”(6)

This describes exactly the result of the Rogue 7 program download and stealth program injection attack. The PLC runs the malicious code while the operator believes that everything is in order.

Other production environments.

The S7 protocol uses port 102 for accessing the PLC from the TIA portal, the HMI and the engineering station. The Rouge TIA or the Rogue Engineering station must connect to this port on the PLC for running the start/stop attack or the program download attack. If this port is accessible from the network, in the worst case from the internet, APTs and Organized Crime can easily compromise the PLCs. The risk that Hacktivists or Script Kiddies compromise PLCs is low because they lack of the very specific SIMATIC S7 know how.

How big is the problem? A quick check on Shodan (query: SIMATIC CPU-1200, executed 8/18/2019) shows that about 350 S7-1200 systems are directly connected to the internet, thereof only few with Port 102 open. So, no reason to panic. Most of the operators have already implemented the Siemens recommendations on ICS security.

Summary

I welcome the fact that the Israeli security researchers published the weaknesses in the S7 protocol. We can assume, that, like EternalBlue, these weaknesses are already available in stand-by in the arsenals of intelligence agencies around the globe. So, we can prepare for the next leak and, hopefully, prevent a future attack of WannaCry extent.

Direct actions are required to evaluate the current risk.

  • Check the firewall rule base to make sure, that the S7 protocol port 102 is not open for systems outside the SCADA network partition or the internet.
  • Evaluate the risk of activating CPU access protection. If acceptable, update your operating procedures, train the staff, and active CPU access protection.

For critical infrastructure operators.

  • Document every deviation from the IEC 62443 concept. Evaluate the risk with regards to the capabilities of APT and Organized Crime. Take effective protective means if the risk is not acceptable.

Have a great week.


References

  1. Paganini P. Boffins hacked Siemens Simatic S7, most secure controllers in the industry [Internet]. Security Affairs. 2019 [cited 2019 Aug 16]. Available from: https://securityaffairs.co/wordpress/89720/hacking/siemens-simatic-s7-hack.html
  2. Biham E, Bitan S, Carmel A, Dankner A, Malin U, Wool A. PPT: Rogue7: Rogue Engineering-Station attacks on S7 Simatic PLCs [Internet]. Powerpoint Presentation presented at: Black Hat USA 2019; 2019 Aug 8 [cited 2019 Aug 16]; Mandalay Bay / Las Vegas. Available from: https://i.blackhat.com/USA-19/Thursday/us-19-Bitan-Rogue7-Rogue-Engineering-Station-Attacks-On-S7-Simatic-PLCs.pdf
  3. Biham E, Bitan S, Carmel A, Dankner A, Malin U, Wool A. Rogue7: Rogue Engineering-Station attacks on S7 Simatic PLCs. In Mandalay Bay / Las Vegas; 2019 [cited 2019 Aug 16]. Available from: https://i.blackhat.com/USA-19/Thursday/us-19-Bitan-Rogue7-Rogue-Engineering-Station-Attacks-On-S7-Simatic-PLCs-wp.pdf
  4. Siemens AG. Simatic S7-1500 Security [Internet]. Siemens AG; 2013 [cited 2019 Aug 16]. Available from: https://www.automation.siemens.com/salesmaterial-as/interactive-manuals/getting-started_simatic-s7-1500/documents/EN/sec_en.pdf
  5. Giles M. Triton is the world’s most murderous malware, and it’s spreading [Internet]. MIT Technology Review. 2019 [cited 2019 May 11]. Available from: https://www.technologyreview.com/s/613054/cybersecurity-critical-infrastructure-triton-malware/
  6. Sobczak B. SECURITY: The inside story of the world’s most dangerous malware [Internet]. 2019 [cited 2019 May 11]. Available from: https://www.eenews.net/stories/1060123327

How to defend against file-less malware?

15 July 2019

Stories on file-less malware are constantly appearing in the news. Zeljka Zorz’s post “A file-less campaign is dropping the Astaroth info-stealer” (1), published on 9 July 2019 in Help Net Security, gives a great introduction into the techniques used in file-less attacks.

Andrea Lelli’s technical analysis (2) shows that the malware downloads some DLLs and injects them into the userinit.exe process after becoming persistent. So, no big development since the first report on a file-less malware, Poweliks (3), published in 2014.

Pattern based anti-malware solutions are still no effective means to protect against file-less malware because the malware uses the hacker’s favorite toolkit, the Windows OS, for installation of the malicious payload.

But there is no reason to panic. The Windows OS is part of the problem; the Windows OS is also part of the solution.

First things first.

Don’t work with permanent administrative privileges!

It cannot be repeated often enough! Userinit.exe is part of the Windows OS. Admin privileges are required to load a DLL into the userinit.exe process. So, no admin rights, no DLL injection.

Now the big change.

We need change!

We need change!

In a Windows environment, Microsoft AppLocker does the job. AppLocker is an efficient solution; it is part of the Windows OS and it can be configured centrally by group policies. AppLocker is an effective solution; all kind of dropper malware is blocked, and with DLL rules enforced, DLL injection is no longer possible. Thus, AppLocker is the perfect solution for SMBs to overcome the shortcomings of pattern based anti-malware solutions. For a brief overview on AppLocker see my post (4).

If AppLocker does not fit into your computing environment, for example in production, look at the application whitelisting solutions from the big anti-malware solution providers. Application whitelisting provides additional features, e.g. the lockdown of systems, which is of interest especially in production because of the much longer solution lifecycles.

Application whitelisting is the long overdue change in the strategic approach to cyber security. Give it a try. Once you locked down your systems you can take care of the really important issues. Like supporting your business in digitalization initiatives.

Have a great week.


References

  1. Zorz Z. A fileless campaign is dropping the Astaroth info-stealer [Internet]. Help Net Security. 2019 [zitiert 15. Juli 2019]. Verfügbar unter: https://www.helpnetsecurity.com/2019/07/09/astaroth-fileless-malware/
  2. Lelli A. Dismantling a fileless campaign: Microsoft Defender ATP next-gen protection exposes Astaroth attack [Internet]. Microsoft Security. 2019 [zitiert 15. Juli 2019]. Verfügbar unter: https://www.microsoft.com/security/blog/2019/07/08/dismantling-a-fileless-campaign-microsoft-defender-atp-next-gen-protection-exposes-astaroth-attack/
  3. Jochem K. Review – ‘Poweliks’ malware variant employs new antivirus evasion techniques [Internet]. IT Security Matters. 2014 [zitiert 15. Juli 2019]. Verfügbar unter: https://klausjochem.me/2014/08/09/poweliks-malware-variant-employs-new-antivirus-evasion-techniques/
  4. Jochem K. Windows Applocker – The almost forgotten IT security workbench [Internet]. IT Security Matters. 2019 [zitiert 15. Juli 2019]. Verfügbar unter: https://klausjochem.me/2019/01/05/windows-applocker-the-almost-forgotten-it-security-workbench/

HiddenWasp malware targets Linux systems – Don’t Panic!

23 June 2019

Ignacio Sanmillan’s excellent post(1) on the HiddenWasp malware could have been truly frightening: HiddenWasp targets Linux systems, the technology used is really impressive, and the detection rate on VirusTotal was zero as of 29 May 2019.

Unfortunately, the infected systems were already under the attacker’s control. Even if anti-malware solutions for Linux would have better detection capabilities it would hardly have mattered. Also, there is no need to implement sophisticated anti-malware evasion technologies. In the easiest case, the attacker must only define an anti-malware exception for the files to be downloaded.

Pattern based anti-malware solutions are reactive protective means. The anti-malware solution provider must first analyze the new malware and create a detection pattern. Thus, it is unsurprising that the detection rate on VirusTotal was and is still low.

The big questions remain open:

  • How was the RAT (Remote Access Trojan), the precondition for the infection with HiddenWasp, initially installed?
  • How did the attackers get root privileges?

Very often, it is lack of cyber hygiene that results in the takeover of a system. Implementation of cyber security best practice will raise the bar. Extended by a restrictive SELinux configuration will reduce the likelihood of getting compromised dramatically.

It’s free, and ready-to-use.

Have a great week.


    References
  1. Sanmillan I. Intezer – HiddenWasp Malware Stings Targeted Linux Systems [Internet]. Intezer. 2019 [cited 2019 Jun 2]. Available from: https://www.intezer.com/blog-hiddenwasp-malware-targeting-linux-systems/

Critical Wormable Vulnerability CVE-2019-0708 patched. Is the world a safer place now?

19 May 2019

Microsoft released (1) a patch for the critical Remote Code Execution vulnerability CVE-2019-0708 (2) in Remote Desktop Services on May 14th, 2019. The vulnerability is wormable. A malware that exploits the vulnerability can spread from vulnerable computer to vulnerable computer in a way WannaCry did in 2017. Fortunately, only Windows XP, Windows 2003 Server, Windows 7 and Windows 2008 Server are impacted.

How big is the problem?

A Shodan search shows that about 30% of the Windows 2008 server systems directly connected to the internet are impacted. The Windows 2003 problem is much larger although Microsoft stopped the extended support for this version in July 2015.

Table 1: CVE-2019-0708 Impacted Systems. Source: Shodan. Data generated: 5/19/2019 7:30 pm

How to mitigate?

Since CVE-2019-0708 is a remote code execution vulnerability patches or other mitigating measures should be applied directly.

Microsoft provided patches with the May 2019 patch set, even for Windows 2003 Server and Windows XP, to prevent similar effects to that of WannaCry on the global economy. As an immediate step, Microsoft recommends deactivating RDP access to the impacted systems.

Is the world a safer place now?

Far from it. A brief analysis shows that many of the impacted systems provide applications based on a WAMP technology stack (Windows, Apache, MySQL, PHP). And in many cases remote code execution vulnerabilities in Apache or PHP are not patched. With this, the overall security level remains as bad as before Microsoft released the patches.

Without vulnerability and application life cycle management such problems cannot be solved. Apache, MySQL and PHP can be operated on top of an outdated Windows OS, but critical vulnerabilities in these components must be patched directly to avoid a large financial impact in the worst case.

The Equifax data breach from 2017 is just one example. In this case an unpatched remote code execution vulnerability in the Apache Struts framework opened the door for the attackers. Equifax (3) estimates that it has spent $1.4 billion so far to recover from the breach.

Have a great week.


References

  1. MSRC Team. Prevent a worm by updating Remote Desktop Services (CVE-2019-0708) – MSRC [Internet]. 2019 [cited 2019 May 19]. Available from: https://blogs.technet.microsoft.com/msrc/2019/05/14/prevent-a-worm-by-updating-remote-desktop-services-cve-2019-0708/
  2. NIST NVD. NVD – CVE-2019-0708 [Internet]. 2019 [cited 2019 May 19]. Available from: https://nvd.nist.gov/vuln/detail/CVE-2019-0708
  3. Olenick D. Equifax data breach recovery costs pass $1 billion [Internet]. SC Media. 2019 [cited 2019 May 19]. Available from: https://www.scmagazine.com/home/security-news/data-breach/equifax-data-breach-recovery-costs-pass-1-billion/

The Costs of Doing Application Life Cycle Management Not Right

12 May 2019

For the following text, let us assume that we created a fictional application named Our Awesome App (OAA) on the basis of the Microsoft technology stack. OOA runs on top of the Windows 2008 R2 Server OS. Microsoft stops the support for this version in January 2020, thus we may have some migrations to do.

What is application lifecycle management?

Application lifecycle management (ALM) is a continuous process of managing the life of an application through governance, development and maintenance.”(1)

I prefer this brief definition of ALM of 2010 although the current Wikipedia definition(2) is more comprehensive.

It is the restriction to applications that creates the trouble in both definitions because applications are bound to a Web or Technology Stack.(3)

Technology Stack

Technology Stack

Each product in the technology stack has a life cycle, usually independent of the life cycle of the other layers and of OAA. With this, application life cycle management cannot be considered independently from the technology stack. Even if no development takes place on the application layer, changes in the technology stack might demand changes in the application.

Usually, ALM deals with Layers 1 to 4 of the technology stack. Neither the database nor the server is in focus of ALM. For the LAMP (Linux, Apache, MySQL, PHP) stack, this creates no big trouble because the middleware (Apache) and the database (MySQL) are largely immune to changes in the Linux OS.

Microsoft Technology Stack

Microsoft Technology Stack

But in the case of OAA we face some trouble because the Internet Information Server (IIS 7.5) is a component of the Windows 2008 R2 Server OS. A change in the server OS might have a great impact on the application.

What’s the trouble with the Windows 2008 R2 Server end of life?

Every day new vulnerabilities in IT products are published. All layers in the technology stack are impacted. The Windows update service takes care that newly detected vulnerabilities on layers 2 – 5 are automatically patched because we built OAA on top of the Microsoft technology stack. So, the application manager has to deal only with vulnerabilities in OAA.

Microsoft provides no longer patches once a product goes beyond the end of its life. But new vulnerabilities for such products are still discovered and published. This increases the number of unpatched vulnerabilities on the server and middleware layer. With this, the security level of the whole network is lowered because unpatched Windows systems facilitate, in the worst case, the propagation of malware like WannaCry or NotPetya.

What’s the trouble with application life cycle management?

ALM is a tedious and costly task. Getting ALM right requires continuous study of the life cycle of all products on the technology stack and continuous planning, development, integration and testing across all layers of the application stack. Therefore, application managers care often only of the first layer. Developers are responsible for the second, the third and to some extend also for the fourth layer. Someone from IT operations takes care of layers 4 to 6, but no one cares of the entire technology stack.

Eventually, someone realises that some hundred Windows 2008 R2 Servers are still in operation, and only few months left for migration. Migration of applications including the middleware is a lengthy process. Thus, it is obvious to spend some money for extended support, just to buy time to get the migrations done.

What are the costs for extended support?

For the following calculation, let us assume that 20 Windows 2008 R2 servers running the Datacenter Edition and 400 servers running the Standard Edition are still in use. The price for extended on-premise support is at 75% annually of the full license price of the latest Windows server version, provided either software assurance or a subscription is available.(4) Let us assume that the IT team works hard on the migrations and the number of servers to go is reduced every year.

A brief sample calculation based on the regular price sheet(5) shows that a large amount of money is spent just for some security patches.

Sample Windows 2008 Server Extended Support Calculation

Sample Windows 2008 Server Extended Support Calculation

It is very important to note that these expenses are unplanned costs. They reduce the company’s earnings. Fortunately, this cost can be avoided if ALM is extended to the whole technology stack.

How to tackle the application life cycle management challenge?

(1) Move the accountability for ALM to the board.

The board is accountable for revenues and earnings. Since unplanned expenses for ALM lower the earnings the CFO should take control.

(2) Embed ALM in your daily business.

ALM is no project. It is a continuous activity that requires coordinated planning across all stakeholders in the business and IT groups. The application development budget should be extended to cover cost caused by changes in the technology stack.

(3) Start early, at least 2 years before the end of life of a product.

Minimize down times to keep the users happy.

(4) Set up and maintain an asset repository.

The asset repository should provide details on the technology stack of each application and the interfaces between applications. Is the repository up-to-date it takes only few minutes to become an idea of the effort related with the next life cycle change.

(5) Develop a concept for applications that cannot be migrated.

In some application areas, such as manufacturing, it is often not possible to migrate to newer versions in due time, for example due to technical restrictions by the vendor. For these applications, concepts must be developed to ensure secure operations beyond the end of life of tech stack components.

(6) Develop an application design guide to simplify ALM and security operations.

Applications should be developed such that they are to a large extent immune against changes in the technology stack. Procurement should take care that off-the-shelf solutions comply to the guidelines.

(7) Foster the change towards DevOps in the IT organisation.

DevOps teams should be responsible for the entire technology stack. At least the testing process should be automated. This will speed-up the roll out of security patches as well.

By the way, Microsoft announced the end of life of Windows 2012 R2 Server for 2023. This change will also affect the whole technology stack, thus start at least in 2021 with preparations.

Have a great week.


References

1. Appelo J. Agile Application Lifecycle Management (ALM) [Internet]. Business presented at; 2010 Nov 22 [cited 2019 May 7]. Available from: https://de.slideshare.net/jurgenappelo/agile-alm

2. Application lifecycle management. In: Wikipedia [Internet]. 2019 [cited 2019 May 7]. Available from: https://en.wikipedia.org/w/index.php?title=Application_lifecycle_management&oldid=895749396

3. Rouse M. What is Web stack? – Definition from WhatIs.com [Internet]. WhatIs.com. 2012 [cited 2019 Apr 29]. Available from: https://whatis.techtarget.com/definition/Web-stack

4. Microsoft. Extended Security Updates for Windows Server 2008 and SQL Server 2008 End of Service FAQ [Internet]. 2019. Available from: https://download.microsoft.com/download/C/8/5/C851D4E2-ED1F-4F56-AEC0-1561D85AB489/Extended_Security_Updates_for_Windows_Server_2008_and_SQL_Server_2008_End_of_Service_FAQ.pdf

5. Microsoft. Windows Server 2019 Licensing & Pricing | Microsoft [Internet]. Microsoft Cloud-Platform – US (English). [cited 2019 Apr 29]. Available from: https://www.microsoft.com/en-us/cloud-platform/windows-server-pricing

Email Data Breach Exposes Over Two Billion Personal Records – Has Cyber Security failed?

20 April 2019

Scott Ikeda’s report(1) on the Verifications.io data breach makes one thing clear: The incurable disease named cyber-security carelessness that leads inevitably to data breaches caused also this incident.

First of all, the company misjudged the criticality of the data. Although the exposed information is publicly accessible the compilation in few data sets simplifies the job of cyber criminals. Phishing emails are just more credible if high quality data(1) is used.

Secondly, the information in the MongoDB was accessible for everyone with internet access. This is not an isolated case. As of today, about 64,000 MongoDB(2) are visible in the internet, thereof about 18,000 with authentication not enabled.

MongoDB accessible to the internet.

MongoDB accessible to the internet.

The system developers ignored the vendors security advice provided in section ‘Limit Network Exposure’ of the MongoDB security checklist(3):

“Ensure that MongoDB runs in a trusted network environment and limit the interfaces on which MongoDB instances listen for incoming connections. Allow only trusted clients to access the network interfaces and ports on which MongoDB instances are available.”

This is easy to implement, at low cost.

Cyber security is about people, processes and technology. In this case, lack of cyber security awareness and missing security processes caused the incident. Nevertheless, security solution vendors advice(1) to implement new security technology for preventing such incidents:

“Security tools that automatically protect your data such as data loss prevention (DLP) and digital rights management (DRM) help secure your sensitive information. In the event that an important cloud vendor doesn’t have the right data protection, you can wrap their applications with a cloud security broker to provide the necessary cloud security and protection for your data.”

The big question is: Are such solutions effectively mitigating the risk if the system is accessible from the internet, without authentication?

I very much doubt because the number and extent of data breaches is continually growing, despite annually increasing investments into cyber security. Technology does just not cure cyber-security carelessness.

Have a great weekend.


References

  1. Ikeda S. Largest Leak in History: Email Data Breach Exposes Over Two Billion Personal Records [Internet]. CPO Magazine. 2019 [cited 2019 Apr 14]. Available from: https://www.cpomagazine.com/cyber-security/largest-leak-in-history-email-data-breach-exposes-over-two-billion-personal-records/

  2. The Shadowserver Foundation. The Shadowserver Foundation: MongoDB NoSQL Server Scanning Project [Internet]. 2019 [cited 2019 Apr 19]. Available from: https://mongodbscan.shadowserver.org/

  3. mongoDB. Security Checklist — MongoDB Manual [Internet]. https://github.com/mongodb/docs/blob/v4.0/source/administration/security-checklist.txt. [cited 2019 Apr 19]. Available from: https://docs.mongodb.com/manual/administration/security-checklist