Tag Archives: Threat Actors

Application control solutions for protecting critical infrastructures

13 October 2019

Application Control Solutions (ACS) are easy to deploy and manage protective security controls in process automation. From my point of view, they are essential when it comes to critical infrastructures. The major SCADA vendors recommend and certify them for use with their product suites.

Rick Gorskie, Global Sales Manager Cybersecurity at Emerson Automation Solutions, recommends “using both solutions for an effective “one-two” punch against malware infection. Using applications whitelisting to protect from “zero-day” attacks as well as using antivirus blacklisting to scan for malware yields the best result.”(1)

Schneider Electric recommends the application control for their Power SCADA systems: “Power SCADA has been validated with the McAfee Application Control whitelisting application. Power SCADA and McAfee whitelisting can make your system more resilient to zero-day threats.”(2)

In addition to the protection against zero-days, application control allows to reduce the patch frequency and to extent the life of legacy systems.

The ACS kicks in during the exploitation phase of the Cyber Kill Chain. It checks every object at execution time whether it is known in the white list. Since new malware is not on the list, ACS just blocks the execution. This is a plain, but very effective approach.

Cyber Kill Chain - Application Control Solutions

Cyber Kill Chain – Application Control Solutions

This works for file-less malware like Nodersok (3) as well as for file-based malware like Reductor (4) or COMpfun (5). Even crypto worms like WannaCry are blocked.

In the case of COMpfun, for example, two DLLs are loaded into the users AppData directory. Both DLLs are not on the white list, so the execution is blocked although they are defined as COM objects.

Reductor uses two delivery methods, COMpfun and infected software installers. If COMpfun is used for delivery, the ACS blocks the malware.

But if the Reductor is delivered through infected software installers, ACSs will not work because they have their Achilles heels.

ACSs must be suspended during deployment or update of software.

A malware, for example a trojan disguised as part of a software suite, will become a legitimate program after the ACS is enforced again. Thus, the malware will never be blocked because it’s on the white list.

ACSs allow exceptions.

Some SCADA vendors request exceptions for the execution of some of their software tools. If malicious actors exploit these exceptions, they can inject malware outside regular installations.

So, we have a residual risk, depending on the threat actor and the environment.

For non-critical infrastructures, ACSs provides great protection against all threat actors. But in the case of critical infrastructures, APT and, to some extent, cyber criminals have the resources and the know how to exploit the Achilles heels of ACSs.

Additional security controls must be implemented to reduce this risk. Operators and engineering service providers must work together to solve this issue.

This may include an extended integrity check of all software before installation in the SCADA network and the encryption of all media during transport.

By the way, ACSs provide effective protection against zero-days only if they are not suspended. So, it’s a good idea to check regularly if the ACS agents are operated in enforced mode on the systems.

Have a great week.

References

  1. Gorskie R. Should You Be Using Application Whitelisting? [Internet]. Emerson Exchange 365. 2017 [zitiert 22. September 2019]. Verfügbar unter: https://emersonexchange365.com/products/control-safety-systems/f/deltav-discussions-questions/6792/should-you-be-using-application-whitelisting
  2. Schneider Electric. Power SCADA Operation 9.0 System Guide | Schneider Electric [Internet]. 2019 [zitiert 22. September 2019]. Verfügbar unter: https://www.schneider-electric.com/en/download/document/PowerSCADAOperationSystemGuide/
  3. Microsoft. Bring your own LOLBin: Multi-stage, fileless Nodersok campaign delivers rare Node.js-based malware [Internet]. Microsoft Security. 2019 [zitiert 28. September 2019]. Verfügbar unter: https://www.microsoft.com/security/blog/2019/09/26/bring-your-own-lolbin-multi-stage-fileless-nodersok-campaign-delivers-rare-node-js-based-malware/
  4. GReAT. COMpfun successor Reductor infects files on the fly to compromise TLS traffic | Securelist [Internet]. Kaspersky Securelist. 2019 [zitiert 12. Oktober 2019]. Verfügbar unter: https://securelist.com/compfun-successor-reductor/93633/
  5. G Data. COM Object hijacking: the discreet way of persistence [Internet]. G Data Blog. 2014 [zitiert 12. Oktober 2019]. Verfügbar unter: https://www.gdatasoftware.com/blog/2014/10/23941-com-object-hijacking-the-discreet-way-of-persistence

NetCAT – a new side-channel vulnerability. Who should be concerned?

15 September 2019

Swati Khandelwal’s report (1) on NetCAT, published on 9/11/2019 in The Hacker News, scared me somewhat. Security researchers (2) from the Vrije University in Amsterdam discovered a new type of side-channel attack in Intel server processors which can be exploited across the network. This is really frightening.

As always in the case of hardware vulnerabilities, NetCAT is broadly discussed in the security community. A Google search for “CVE-2019-11184” shows 6.340 hits (as of 9/14/2019 8 pm).

CVE-2019-11184 CVSS V3 Specification

CVE-2019-11184: CVSS V3.1 Specification

Intel (3) classified CVE-2019-11184 as follows: CVSS:3.1/AV:A/AC:H/PR:L/UI:R/S:C/C:L/I:N/A:N

Attack vector Adjacent is defined in the CVSS V3.1 specification document as follows: “The vulnerable component is bound to the network stack, but the attack is limited at the protocol level to a logically adjacent topology.”

With this, the attacker must have compromised the network before he can start the attack. In addition, the attacker must compromise “a machine which communicates over RDMA to an application server that supports DDIO”.(2)

So, NetCAT is not that dangerous than the reports suggest.

What goals can be achieved by exploiting this vulnerability?

In secured networks with latest patches applied, this technique can be used to spy on all kind of secrets, e.g. the passwords of high privileged accounts, for the complete takeover of the network.

What organizations should be concerned?

CVE-2019-11184 Threat Landscape

CVE-2019-11184 Threat Actor Targets

My conclusion: From a technical point of view, NetCAT shows again the shortcomings of the current processor architectures. Regarding the applicability in attacks, NetCAT is somewhat overestimated.

Have a great weekend.

References

  1. Khandelwal S. NetCAT: New Attack Lets Hackers Remotely Steal Data From Intel CPUs [Internet]. The Hacker News. 2019 [cited 2019 Sep 12]. Available from: https://thehackernews.com/2019/09/netcat-intel-side-channel.html
  2. Kurth M, Gras B, Andriesse D, Giuffrida C, Bos H, Razavi K. NetCAT: Practical Cache Attacks from the Network. 2019. Available from: https://www.cs.vu.nl/~herbertb/download/papers/netcat_sp20.pdf
  3. Intel Security Center. INTEL-SA-00290 [Internet]. Intel Security Center. 2019 [cited 2019 Sep 12]. Available from: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00290.html

New LYCEUM Threat Group targets Oil and Gas firms. Don’t panic! Enforce 2 Step Verification!

29 August 2019

Lindsey O’Donnell’s report (1) on a new APT named LYCEUM is well worth reading.  LYCEUM targets oil and gas firms in the middle east. The group leverages PowerShell once they created a foothold on computers in the victim’s network to exfiltrate company secrets. PowerShell is a good choice because the attackers can go undetected for a long time.

For launching the attack, LYCEUM draws on industry attack standards like password spraying: “LYCEUM initially accesses an organization using account credentials obtained via password spraying or brute-force attacks. Using compromised accounts, the threat actors send spearphishing emails with malicious Excel attachments to deliver the DanBot malware, which subsequently deploys post-intrusion tools.”(2)

The group aims at company mail accounts hosted by cloud service providers. Why? Credibility matters most in [spear] phishing attacks. A spear phishing email on a popular topic, send from a company account has a very high level of credibility and increases the attack’s probability of success.

This increase in credibility justifies the effort required for collecting email addresses from OSINT sources. Password spraying is then used to get a valid password for login with the victim’s account to the cloud service.

Here, the industry defense standard against password attacks, 2SV (Two Step Verification) or MFA (Multiple Factor Authentication), comes into play.

Yubikey for 2 Step Verification. Own work.

On 27 August, Catalin Cimpanu reported on ZDNet that Microsoft sees 300 million fraudulent sign-in attempts to O365 every day.(3) Alex Weinert, Group Program Manager for Identity Security and Protection at Microsoft, explained that “enabling a multi-factor authentication solutions blocks 99.9% of these unauthorized login attempts, even if hackers have a copy of a user’s current password.“(3)

So, by enforcing 2SV/MFA for login to all company cloud services we can stop all threat actors which use similar password mining technologies, including LYCEUM.

Alastair MacGibbon, National Security Advisor, Australian Cyber Security Center, shows the direction:

“Cyber security is about risk management. You can’t eliminate risk, but you can strengthen your defences to reduce the likelihood of the risk being realised, and the harm caused when it is.”

Let’s get started with 2SV. We have no time to waste.

References

  1. O’Donnell L. New Threat Group Found Targeting Critical Infrastructure Firms With Spear [Internet]. threatpost. 2019 [cited 2019 Aug 27]. Available from: https://threatpost.com/oil-and-gas-firms-targeted-by-new-lyceum-threat-group/147705/
  2. Secureworks Counter Threat Unit. Cyber Threat Group LYCEUM Takes Center Stage in Middle East Campaign [Internet]. Secureworks. 2019 [cited 2019 Aug 27]. Available from: https://www.secureworks.com/blog/lyceum-takes-center-stage-in-middle-east-campaign
  3. Cimpanu C. Microsoft: Using multi-factor authentication blocks 99.9% of account hacks [Internet]. ZDNet. [cited 2019 Aug 28]. Available from: https://www.zdnet.com/article/microsoft-using-multi-factor-authentication-blocks-99-9-of-account-hacks/