Tag Archives: Cyber Attack

Australia Fights Sophisticated State-Backed Copy-Paste Attack with The Essential Eight!

20 June 2020

Reports on a wave of sophisticated nation state sponsored cyber-attacks against Australian government agencies and critical infrastructure operators spread like wild-fire through international media the day before yesterday.

From an IT security point of view, the access vector is really interesting. In Advisory 2020-008 (1) , the Australian Cyber Security Centre (ACSC) states that the actor leverages mainly a remote code execution vulnerability in unpatched versions of Telerik UI, a deserialization vulnerability in Microsoft Internet Information Services (IIS), a 2019 SharePoint vulnerability, and the 2019 Citrix vulnerability.

The name Copy-Paste for the attacks comes from the actor’s “capability to quickly leverage public exploit proof-of-concepts to target networks of interest and regularly conducts reconnaissance of target networks looking for vulnerable services, potentially maintaining a list of public-facing services to quickly target following future vulnerability releases. The actor has also shown an aptitude for identifying development, test and orphaned services that are not well known or maintained by victim organizations.” (1)

The Essential Eight

The Essential Eight (Click to enlarge)

In the advisory the ACSC recommends some really basic preventive measures like patching or multi-factor authentication. These are two controls of “The Essential Eight”(2). I like the name “The Essential Eight”. It reminds me on the 1960 Western-film “The Magnificent Seven”, reinforced by Chuck Norris 😉

The Essential Eight focus on very basic strategies to reduce the likelihood and the impact of an attack. Without them, UEBA, SIEM, Threat Intelligence, Deep Packet Inspection, PAM, etc. make few sense.

Except of multi-factor authentication, The Essential Eight are part of the feature-rich Windows and Linux OS or already (backup solution) in place. So, only some internal effort and leadership is required to dramatically increase the resilience against cyber-attacks.

The Essential Eight are a prefect weekend reading. Have fun.

References

  1. Advisory 2020-008: Copy-paste compromises – tactics, techniques and procedures used to target multiple Australian networks | Cyber.gov.au [Internet]. [cited 2020 Jun 19]. Available from: https://www.cyber.gov.au/threats/advisory-2020-008-copy-paste-compromises-tactics-techniques-and-procedures-used-target-multiple-australian-networks
  2. Australian Cyber Security Center. Essential Eight Explained | Cyber.gov.au [Internet]. Australian Signals Directorate. 2020 [cited 2020 Jun 19]. Available from: https://www.cyber.gov.au/publications/essential-eight-explained

US Gas Pipelines Hit by Cyber-Attack

15 April 2018

The report “US Gas Pipelines Hit by Cyber-Attack” (1), published on April 13, 2018 in Infosecurity Magazine, sounds more dramatic than it actually is. The attackers compromised a system for “electronic data interchange” (EDI) to some of the largest US energy providers. No impact on critical infrastructures, at least until now.

Bloomberg Technology (2) reports that at least four US pipeline companies were affected by the attack.

What surprised me was that Jim Guinn, managing director and global cyber security leader for energy, utilities, chemicals and mining at Accenture Plc, said (2):

 

“There is absolutely nothing of intrinsic value for someone to infiltrate the EDI other than to navigate a network to do something more malicious. All bad actors are looking for a way to get into the museum to go steal the Van Gogh painting.”

I cannot support this. The EDI system contains the access details to the systems used in the customer networks for data exchange. These details are the free admission ticket to the customer networks for the cyber-criminals.

Thus, it is very important that at least the access data to customer systems are changed directly after an attack is detected. In addition, the customers should check their networks for suspicious data transfers and indicators for lateral movement.

Have a good weekend.

1. Muncaster P. US Gas Pipelines Targeted in Cyber-Attack [Internet]. Infosecurity Magazine. 2018 [cited 2018 Apr 13]. Available from: https://www.infosecurity-magazine.com:443/news/us-gas-pipelines-hit-by-cyberattack/

2. Malik NS, Collins R, Vamburkar M. Cyberattack Pings Data Systems of At Least Four Gas Networks. Bloomberg.com [Internet]. 2018 Apr 3 [cited 2018 Apr 15]; Available from: https://www.bloomberg.com/news/articles/2018-04-03/day-after-cyber-attack-a-third-gas-pipeline-data-system-shuts

Chernobyl hit by Petya/NotPetya

2 July 2017

The short post New Ransomware Crippling Chernobyl Sensors published on 28 June 2017 by Jack Laidlaw at HACKADAY deeply frightened me. I was relieved to read, that no Industrial Control Systems (ICS) were affected.

Picture Credits: Chernobyl NPP Press Center, chnpp.gov.ua

ICS at the Chernobyl Power Plant. Picture Credits: Chernobyl NPP Press Center, chnpp.gov.ua

The following press statement was published at the Power Plants homepage:

As of 27.06.2017 due to the cyber attack: the SSE ChNPP’s official website was not accessible, servers for controlling the local area network and auxiliary systems of SSE ChNPP information resources (mail server, file-sharing servers, Internet resources’ access server, electronic document flow system server) were switched off. There was partial failure in operation of personal computers of workplaces of operators of individual radiation monitoring systems without loss of the control function as a whole.

From the recent cyber-attacks on industrial systems we know, that the attacks always start in the office network of a production site. Once an office computer is hijacked, the cyber criminals use it as a base to further probing the network until they find a weakness in the network configuration which allows them to attack the production network.

Thus, we should not take this matter lightly. In my opinion, the production network of nuclear power plants must be fully isolated from the office network, and the internet. Period.

Have a good week.

British man arrested after 900,000 broadband routers knocked offline in Germany

5 March 2017

About 900,000 Deutsche Telekom customers suffered internet outages on Sunday 27th and Monday 28th November 2016. Two weeks ago a 29-year-old man has been arrested at Luton airport by the UK’s National Crime Agency (NCA) in connection with this attack. Both, the attack and the arrest of the cyber attacker made it into the headlines.

Report ‘New Mirai attack vector – bot exploits a recently discovered router vulnerability‘, posted on 28 November 2016 at BadCyber, describes the technical details of attack. The attacker used the TR-064 protocol over Port 7547 to inject code into the routers configuration details.

Protocol TR-064 is used by ISP’s to keep their infrastructure up-to-date. Under normal conditions the updates are initiated by the router. In this case the attacker sent some specially crafted packets to the router to inject the malicious code.

For access to the router a username and password is required. The attacker used well-known default passwords in the attack, with great success:

Username Password
 root     xc3511
 root     vizxv
 root     admin

How can such attacks been avoided?

We all need to take greater care over our router security. Default passwords must be changed at commissioning, forced by the router software. In addition, the router should prevent the usage of passwords from the ‘Worst Password‘ lists.

But in my opinion that’s not enough. Vendors deliver internet routers with really poor software quality. Although injection attacks are at least for ten years on the OWASP Top 10 Vulnerabilities list, no vendor seems to care about this issue.

The NIST NVD database lists 995 injection related software flaws (e.g. remote command injection or sql-injection) in the last three years, even though solutions to address this issues, e.g. by input sanitizing, are known for years now.

in my opinion, to protect critical infrastructures from cyber attacks some governmental attention is required. For critical components like internet routers a certification before selling is required to make sure, that state-of-the-art protection against common attack vectors is implemented.

Sounds easy, doesn’t it?

Have a good weekend. And check the complexity of your internet router password.

Software failures are systematic. Stop all patching?

22 January 2017

In the past days I reviewed the draft of the NAMUR Worksheet NA 163 “IT Risk Assessment for Safety Instrument Systems”. In the age of the IIoT even Safety Instrument Systems (SIS) are equipped with embedded IT components and attached to the production or company network. With this, the safety systems become the target of IT threats, which may result in a malfunction of the SIS in the worst case.

Process safety engineers are often unaware of this new threats. IEC 61511 “Functional safety – Safety instrumented systems for the process industry sector” requires an IT risk assessment for SIS, but makes no recommendations about the details of the assessment.

The aim of Worksheet NA 163 is to provide a practicable risk assessment method to safety engineers, supplemented by a checklist on possible mitigation measures.

On Thursday I watched a video recording of a lecture on ‘Safety-Critcial Systems’ given by Martyn Thomas, Livery Company Professor of Information Technology at the Gresham College.

Software failures are systematic. Slide 18 of 'Safety-Critical Systems - when software is a matter of life and death' by Martyn Thomas CBE FREng, Livery Company Professor of Information Technology, Gresham College

Software failures are systematic. Slide 18 of ‘Safety-Critical Systems – when software is a matter of life and death’ by Martyn Thomas CBE FREng, Livery Company Professor of Information Technology, Gresham College

Professor Thomas makes clear, that “Software failures are systematic. They occur whenever the triggering conditions arise”. I highly recommend to watch the entire lecture because one can gain new insights on software testing and reliability. For a link to the video, the PowerPoint presentation and the Word transcript please see below.

NA 163 recommends to patch all SIS systems components including the supporting systems like the engineering stations or the HMI on a regular basis.

But will continuous patching really increase the reliability of the software components?

Will continuous patching really decrease the risk of a cyber-attack?

How many new systematic defects are built in a software system during continuous patching?

Remember the seemingly endless number of critical vulnerabilities fixed in Adobe Flash Player in the past years…

Let me be clear: I do not call to stop all patching. From my point of view we must focus on the right and important system components, vulnerabilities and patches. With this we can escape from the patch treadmill and focus on the really important issues, e.g. how to build and configure industrial control system networks that are less susceptible to cyber-attacks.

Have a good weekend!

Safety-Critical Systems – when software is a matter of life and death

Martyn Thomas CBE FREng, Livery Company Professor of Information Technology, Gresham College, 10 January 2017

Word Transcript | PowerPoint Presentation | YouTube Video

Excellus BCBS Breached, 10 Million Customers’ Records Affected

12 September 2015

When I read the headlines of this LIFRAS post my first thought was:  “2015 is going to be an annus horribilis for the US healthcare insurers”. Anthem, Premera, and now Excellus, what organization will be the next?

One paragraph in the Excellus announcement of the data breach is really interesting:

‘On August 5, 2015, Excellus BlueCross BlueShield learned that cyberattackers had executed a sophisticated attack to gain unauthorized access to our Information Technology (IT) systems.  Our investigation further revealed that the initial attack occurred on December 23, 2013.’

It took 590 days to identify the breach! That are 8 days more than the maximum Mean Time To Identify (MTTI) of 582 days the latest Ponemon cost of data breach study found for 2014.

This is really remarkable because it makes clear that a ‘very sophisticated’ cyber-attack is hard to identify, even with latest security technology in place. And I bet, Excellus has such technology installed. I am really curious about the details of the attack.

Take care! If you like to do some further reading please take a look at the latest issue of the Cyber Intelligencer ‘You can’t detect what you can’t see’.

TrojanDownloader:Win32/Upatre not detected by 22 of 57 Anti-Malware Programs after 2 days

20 June 2015

In the past days I got lots of emails with suspicious attachments. I carefully analyzed most of them on my test system (VMWare with Windows 8.1 64bit and Microsoft Defender) and identified most of them as good old friends, sent by cyber criminals to steal personal information.

Cyber-attacks follow always the same pattern:

Development of a Cyber Attack

Development of a Cyber Attack

[1] Attract the reader’s attention.

[2] Force the reader to extract and execute the malware disguised as an innocuous pdf or html file.

[3] Make the Trojan persistent in the operating system and wipe out the digital traces as far as possible.

[4] Connect to the Command & Control (C&C) server and download additional software from the C&C server. The C&C server is the cyber attacker’s command center.

[5] Send the users secrets to the C&C server.

In most cases, email providers put such mails directly in the Junk E-mail or Spam folder. Unfortunately a small part of e-mails, with well camouflaged malware attachments or new variants of malware, are directed to the inbox. But this should be no problem at all. Since most of the Trojans are variants of already known malware one would expect that the heuristic scanners of the anti-malware systems should be able detect and sanitize the attachments during download from the email to the file system.

I use Trend Micro MaximumSecurity because the program got a 5 star rating in a comprehensive test last November. I run the program in protection level “Hypersensitive” to get maximum protection, but, to my great surprise, Trend Micro did not detect the malware.

On 18 June I uploaded the payload to virustotal.com to get an overview of the detection rate of 57 anti-malware programs. The malware was first analyzed on virustotal.com on 16 June 2015 at 11:48 a.m.

I received the mail on 16 June 2015 at 1:37 p.m. Microsoft Defender, rated “worst” in the November evaluation, identified the Trojan as Trojan:Win32/Peals.D!plock on 16 June 2015 at 9:45 p.m, 10 hours after the first upload to virustotal.com. This is a very good result!

On 18 June, 29 of 57 scanners were able to detect the malware, Trend Micro MaximumSecurity was not among them. Defender identified the malware as TrojanDownloader:Win32/Upatre, but this change is not relevant.

Defender Report

Defender Report

Yesterday evening I repeated the check on virustotal.com. 35 of 57 anti-malware programs successfully detected the malware. Again, Trend Micro MaximumSecurity was still not among them.

I am really puzzled. I thought, I bought one of the best anti-malware systems, but 6 months later it’s just not capable to detect variants of old Trojans. It’s time to switch back to Defender and to write-off the Trend Micro software. This seems to me an acceptable risk.

By the way, the most effective protection measure here is user training. Never open attachments of nested zip-files. It is very likely that they contain malware which puts your information systems at risk.

And don’t trust Anti-Malware program evaluations in German computer magazines.

Have a good weekend!

Appendix: virustotal.com check results as of 19 June 2015

Antivirus Result Update
ALYac Trojan.GenericKD.2494514 20150619
AVG Generic_s.EUO 20150619
AVware Trojan-Downloader.Win32.Upatre.ic (v) 20150619
Ad-Aware Trojan.GenericKD.2494514 20150619
AhnLab-V3 Trojan/Win32.Upatre 20150619
Arcabit Trojan.Generic.D261032 20150619
Avira TR/Agent.68096.251 20150619
Baidu-International Trojan.Win32.Upatre.bkby 20150619
BitDefender Trojan.GenericKD.2494514 20150619
CAT-QuickHeal TrojanDownloader.Upatre.r3 20150619
Cyren W32/Upatre.AT.gen!Eldorado 20150619
DrWeb Trojan.Upatre.3504 20150619
ESET-NOD32 a variant of Win32/Kryptik.DMJN 20150619
Emsisoft Trojan.GenericKD.2494514 (B) 20150619
F-Prot W32/Upatre.AT.gen!Eldorado 20150619
F-Secure Trojan.GenericKD.2494514 20150619
Fortinet W32/Waski.A!tr 20150619
GData Trojan.GenericKD.2494514 20150619
Ikarus PUA.Bundler 20150619
K7GW Trojan ( 004c5fac1 ) 20150619
Kaspersky Trojan-Downloader.Win32.Upatre.bkby 20150619
Malwarebytes Trojan.Downloader.Upatre 20150619
McAfee Upatre-FACH!9B004AD1DBB5 20150619
McAfee-GW-Edition BehavesLike.Win32.Dropper.km 20150619
MicroWorld-eScan Trojan.GenericKD.2494514 20150619
Microsoft TrojanDownloader:Win32/Upatre 20150619
Panda Trj/Genetic.gen 20150619
Qihoo-360 HEUR/QVM20.1.Malware.Gen 20150619
Rising PE:Trojan.Win32.Generic.18C77685!415725189 20150618
Sophos Troj/Dyreza-FP 20150619
Symantec Downloader.Upatre!gen5 20150619
Tencent Trojan.Win32.Qudamah.Gen.2 20150619
TrendMicro-HouseCall TROJ_GEN.F0D1H0ZFG15 20150619
VIPRE Trojan-Downloader.Win32.Upatre.ic (v) 20150619
nProtect Trojan.GenericKD.2494514 20150619
AegisLab 20150619
Agnitum 20150619
Alibaba 20150619
Antiy-AVL 20150619
Avast 20150619
Bkav 20150619
ByteHero 20150619
CMC 20150618
ClamAV 20150619
Comodo 20150619
Jiangmin 20150618
K7AntiVirus 20150619
Kingsoft 20150619
NANO-Antivirus 20150619
SUPERAntiSpyware 20150619
TheHacker 20150619
TotalDefense 20150619
TrendMicro 20150619
VBA32 20150619
ViRobot 20150619
Zillya 20150619
Zoner 20150619

 

Never mind the Next Big Threat Thing. Fix the Golden Oldies first.

11 June 2015

Yesterday evening I attended the webinar ‘Never mind the Next Big Threat Thing. Fix the Golden Oldies first this evening’, a welcome cool-down after a long day of ISO 27005 risk management training.

I found this really remarkable statement:

“First, we’ll start with a few blocking and tackling fundamentals that you really ought to be doing regardless of whether or not you’re worried about espionage. If you don’t do these, all those super advanced cybertastic APT kryptonite solutions may well be moot.”

Source: Verizon 2014 Data Breach Investigation Report.

Have a good day!

Criminals use IRS website to steal data of 104,000 people

30 May 2015

On 10 June 2014 I wrote my first post on this blog about the eBay data breach, which was published on 21 May 2014. This Thursday, nearly a year later, the Internal Revenue Service (IRS) data breach was made public. Cyber attackers used personal information mined from other attacks, even perhaps from the eBay attack, to breach the “Get Transcript” accounts of more than 100,000 taxpayers.

Jose Pagliery wrote on CNN Money on May 26, 2015: “The IRS said criminals were able to use the Get Transcript service, because they plugged in personal data they had already stolen: Social Security numbers, birthdays, physical addresses and more. They even answered correctly those personal identity verification questions — the ones we all know as being too specific, annoying and difficult to answer ourselves.”

FIDO U2F Security Key

FIDO U2F Security Key

Well said, those identity verification questions are really annoying. And inherently unsafe, as we learned from a Google study published this week.

And yet the obvious solution would be to discard all those questions and to use Two Factor Authorization instead. For example a FIDO U2F security key in combination with a one-time PIN or fingerprint would be a nearly unbreakable and cheap solution.

How many data breaches must still take place before organizations seriously start securing their customers personal data?

Have a good weekend!

Some thoughts about: People and process remain the soft underbelly of banks

25 April 2015

In post ‘Security Think Tank: People and process remain the soft underbelly of banks’, John Colley discusses on the example of the Carbanak attack some new concepts for surviving the cyber war.

I like the idea of sharing knowledge about attack vectors and best practice for the defense against cyber-attacks across industries. But what is the proper scope for action?

John Colley writes:

‘Even worse, the persistence of bad cyber security practices is driving banks to try to protect badly designed systems by hiding them from view. Many banks try to prevent attackers discovering what internal programs they use; yet it shouldn’t matter if outsiders know what software a bank uses for its internal systems, if that software is secured properly in the first place.’

I am discussing such issues for months now. My advice is crystal clear:

Before you start sharing information about your internal systems with whatever partner, carefully consider

  • what information and what level of detail is required, and
  • how the information must be protected.

Every available information about your internal systems will support attackers in finding vulnerabilities in your systems. Remember: It’s merely a matter of time before cyber criminals break into your company network…

Too many details increase the attack surface of your company!

Have a good weekend!