<![CDATA[Decipher]]> https://decipher.sc Decipher is an independent editorial site that takes a practical approach to covering information security. Through news analysis and in-depth features, Decipher explores the impact of the latest risks and provides informative and educational material for readers curious about how security affects our world. Fri, 24 Jan 2020 00:00:00 -0500 en-us info@decipher.sc (Amy Vazquez) Copyright 2020 <![CDATA[Citrix Releases Patches for ADC Flaw]]> dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/citrix-releases-patches-for-adc-flaw https://duo.com/decipher/citrix-releases-patches-for-adc-flaw Fri, 24 Jan 2020 00:00:00 -0500

Citrix has released patches for all of the versions of its Application Delivery Controller and Gateway that are affected by the nasty directory traversal vulnerability disclosed last month.

The flaw affects a wide range of Citrix products, including several versions of its ADC and Gateway appliances, as well as its SD-WAN WANOP boxes. Researchers discovered the vulnerability in December and disclosed it to Citrix, which published an advisory on Dec. 17. However, it took the company several weeks to build, test, and release the patches for all of the vulnerable products, and this week has seen the rollout of those fixes.

The vulnerability is a directory traversal bug that can lead to remote code execution by an unauthenticated attacker in some cases. There have been reports of active attacks against the vulnerability and there are several public exploits available for the bug, so Citrix officials and security researchers are urging enterprises to install the patches as soon as possible. Citrix also released a free tool developed in conjunction with FireEye Mandiant that scans affected appliances for indicators of compromise by the known exploits.

“In addition to immediately installing these fixes, we encourage all customers to use the free Indicator of Compromise Scanning tool that we teamed up with FireEye Mandiant to launch this week. This tool is available under the Apache 2.0 open source license, and provides customers with increased awareness of potential compromise related to the CVE-2019-19781 vulnerability on their systems. The tool is designed to allow customers to run it locally on their Citrix instances and receive a rapid assessment of potential Indicators of Compromise based on known attacks and exploits,” Citrix CISO Fermin J. Serna said.

Earlier this week, Citrix released patches for versions 11.1 and 12.0 of the ADC and Gateway, and on Thursday permanent fixes for versions 12.1 and 13.0 became available. Version 10.5 was set to be patched on Jan. 24.

On Thursday, security researchers began reporting exploitation of the Citrix bug (CVE-2019-19781) as part of targeted ransomware infections in Windows networks.

“Very tactical preliminary update. It appears an actor is using CVE-2019-19781 for initial access, and other vulnerabilities to pivot into a Windows environment in order to deploy ransomware. If you haven't already begun mitigating, you really need to consider the ramifications,” Andrew Thompson of FireEye said on Twitter.

<![CDATA[Emotet Sets Sights on Military and Government Targets]]> dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/emotet-sets-sights-on-military-and-government-targets https://duo.com/decipher/emotet-sets-sights-on-military-and-government-targets Thu, 23 Jan 2020 00:00:00 -0500

A recent wave of activity by the Emotet malware has focused much of its attention on victims in the U.S. military and government sectors, leading the Department of Homeland Security to issue a warning about the spike in infections and targeting tactics.

Emotet is by no means a new threat, having been active for about six years now, but the threat actors behind it continually change their tactics and adapt to network defenses. A few months ago, Emotet began using a new technique post-infection that involved gathering the contents of a victim’s email inbox and then building new messages from existing threads. The malware will then insert a malicious attachment to the new message and send it to the recipient of the original emails, a tactic that takes advantage of the recipient’s trust of the sender.

This technique has proven to be quite effective and is ingenious in its simplicity. The Emotet-generated malicious emails often have text that looks completely legitimate and appropriate to the conversation in the existing thread, adding to the authenticity of the message. In order for this tactic to work, Emotet only needs to infect one victim in a given organization, or even a victim adjacent to the organization, such as a supplier, contractor, or customer. Anyone with an existing trust relationship is good enough.

In December and January, researchers with the Cisco Talos Intelligence Group noticed a major increase in the volume of Emotet-infected emails coming from and going to addresses in military and government domains.

“Looking at the individual messages sometimes allows us to determine the identity of the Emotet victim and whether that victim is internal or external to the recipient organization. After all, Emotet wants recipients of its messages to recognize who the message came from as part of their social engineering efforts. Unfortunately, this doesn't work 100 percent of the time, because some of the messages sent by Emotet strip the original victim's personal data and drop the TLD in an attempt to impersonate only the organization. This results in the unintentionally comical reduction of domains like ‘us.af.mil’ to simply ‘Us.af’,” a Talos analysis says.

“However, more often, Emotet will leave the contact information for the individual victim inside the propagation email. The message may also include the contents of a previous email exchange between the two recipients, just to add extra authenticity. For example, the following message was sent by Emotet to an individual working for U.S. Sen. Cory Booker. The From header and signature generated by Emotet both suggest that this message originated from an infected colleague at ‘booker.senate.gov’.”

The secondary issue with Emotet infections is the potential collateral damage once the malware is on a network. Through its theft of email contents, Emotet may have access to confidential information that could be used in other operations. This hasn’t been an observed technique from the Emotet attackers, but the potential certainly is there.

In an alert published Wednesday, the Cybersecurity and Infrastructure Security Agency warned about just such an issue.

“Emotet is a sophisticated Trojan that commonly functions as a downloader or dropper of other malware. Emotet primarily spreads via malicious email attachments and attempts to proliferate within a network by brute forcing user credentials and writing to shared drives. If successful, an attacker could use an Emotet infection to obtain sensitive information. Such an attack could result in proprietary information and financial loss as well as disruption to operations and harm to reputation,” the CISA alert says.

<![CDATA[Senators Propose Cybersecurity Coordinators for Every State]]> fahmida@decipher.sc (Fahmida Y. Rashid) https://duo.com/decipher/senators-propose-cybersecurity-coordinators-for-every-state https://duo.com/decipher/senators-propose-cybersecurity-coordinators-for-every-state Wed, 22 Jan 2020 11:17:00 -0500

A bipartisan group of senators is interested in establishing a cybersecurity leader for each state in order to increase the states' ability to respond to cyberattacks.

Sen. Maggie Hassan (D-NH), the lead sponsor of the bill, highlighted the wave of ransomware attacks which have crippled cities and government entities in recent months.

“Cyberattacks can be devastating for communities across our country, from ransomware attacks that can block access to school or medical records to cyberattacks that can shut down electrical grids or banking services,” Hassan said. “The federal government needs to do more to ensure that state and local entities have the resources and training that they need to prevent and respond to cyberattacks.”

The Cybersecurity State Coordinator Act proposes creating a federally-funded program that would create a cybersecurity coordinator position for each state. The program would be part of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency. The placement is a logical one as CISA already works closely with state and local governments on security issues.

The 50 coordinators—CISA employees—will be responsible for working with all levels of government to prepare for, prevent, and respond to attacks. The state coordinator would act as a security risk advisor, point-of-contact, and facilitator between federal and non-federal organizations, including state and local governments, schools, and hospitals. The coordinator will also be expected to raise awareness of the financial, technical, and operational resources non-government entities can receive from the federal government.

The role would require a combination of training, advisory work, and program development, as the coordinator will be expected to establish governance structures, support training exercises and incident response planning, and assist with developing and coordinating vulnerability disclosure programs consistent with federal and information security industry standards.

Having these coordinators in place for each state will help the federal government make sure that local and state entities have the appropriate training and resources to mitigate and defend against future attacks.

"State, local, Tribal, and territorial entities face a growing threat from advanced persistent threat actors, hostile nation states, criminal groups, and other malicious cyber actors," the bill's text said. "There is an urgent need for greater engagement and expertise from the Federal Government to help these entities build their resilience and defenses."

Hassan was the lead sponsor of the related DHS Cyber Hunt and Incident Response Teams Act 2019, which was signed into law in December. That law created teams within the Department of Homeland Security to help private businesses, and state and local government agencies, respond to and recover from cyber incidents such as ransomware attacks, and rebuild their infrastructure. The act provides "assistance to asset owners and operators in restoring services following a cyber incident" and makes "recommendations to asset owners and operators for improving overall network and control systems security to lower cybersecurity risks."

Hassan's state, New Hampshire, has been hit by ransomware more than once over the past few months. About 500 computers belonging to the state's Strafford County were infected, as were teacher records and school records stored by the Sunapee School District.

Sens. Gary Peters (D-Mich), John Cornyn (R-Texas), and Rob Portman (R-Ohio) are co-sponsors. Hassan is currently working with members of the House of Representatives to develop a companion bill, The Hill reported.

"Cybersecurity for state and local governments is just as important as federal cybersecurity, and frequently, they lack the resources, technical know-how, and situational awareness to secure their systems, or respond in the event of an attack," Portman said. The bill would "help bolster state and local governments' cybersecurity by facilitating their relationship with the federal government to ensure they know what preventative resources are available to them as well as who to turn to if an attack occurs."

<![CDATA[New Tool Detects Indicators of Compromise for Citrix Systems]]> dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/new-tool-detects-indicators-of-compromise-for-citrix-systems https://duo.com/decipher/new-tool-detects-indicators-of-compromise-for-citrix-systems Wed, 22 Jan 2020 00:00:00 -0500

In the absence of patches for some versions of Citrix Application Delivery Controller affected by the recently disclosed directory-traversal vulnerability, the company has worked with FireEye Mandiant to develop a tool that enterprise security teams can use to determine whether their systems have been compromised.

The new tool scans affected systems to look for known indicators of compromise that have emerged from exploitation attempts seen in the wild. The scanner works on several versions of the Citrix ADC and Gateway, including 11.1, 12.0, 12.1, 10.5, and 13.0. Citrix is releasing permanent patches for the vulnerability over the course of this week, and already has pushed out fixes for versions 11.1 and 12.0. Patches for the other affected versions are scheduled for release on Jan. 24.

“While our security and engineering teams have been working around the clock to develop, test and deliver permanent fixes to CVE-2019-19781, we have been actively thinking of ways to assist our customers in understanding if and how their systems may have been affected,” said Fermin J. Serna, Citrix’s chief information security officer.

The vulnerability (CVE-2019-19781) was first disclosed in December and Citrix warned customers that it could lead to arbitrary code execution by a remote, unauthenticated attacker. The company said at the time that it did not have fixes available and that it would be several weeks before patches would be ready. In the interim, researchers developed proof-of-concept exploit code and made it available publicly while attackers began writing their own exploits.

Last week, researchers began seeing large-scale scanning activity from attackers searching for vulnerable systems, and there were plenty to find. BadPackets discovered more than 25,000 vulnerable systems online last week. Citrix’s internal security team is also scanning the Internet for at-risk endpoints that don’t have the available mitigations or patches installed and working with customers to remedy the situation.

Some of the exploitation activity against vulnerable Citrix ADC appliances has been unusual. Last week, FireEye researchers noticed one threat actor compromising target systems and then installing a tool to prevent other attackers from exploiting the same system in an apparent attempt to hoard compromised systems.

“Upon gaining access to a vulnerable NetScaler device, this actor cleans up known malware and deploys NOTROBIN to block subsequent exploitation attempts! But all is not as it seems, as NOTROBIN maintains backdoor access for those who know a secret passphrase. FireEye believes that this actor may be quietly collecting access to NetScaler devices for a subsequent campaign,” William Ballenthin and Josh Madeley of FireEye said.

“Of note, the actor removes malware known to target NetScaler devices via the CVE-2019-19781 vulnerability. Cryptocurrency miners are generally easy to identify—just look for the process utilizing nearly 100% of the CPU. By uninstalling these unwanted utilities, the actor may hope that administrators overlook an obvious compromise of their NetScaler devices.”

In addition to the Citrix-FireEye scanner, the Department of Homeland Security also has published a tool that enterprises can use to test their installation for the Citrix CVE-2019-19781 vulnerability.

<![CDATA[Ransomware Attacks Factory Honeypot]]> fahmida@decipher.sc (Fahmida Y. Rashid) https://duo.com/decipher/ransomware-attacks-factory-honeypot https://duo.com/decipher/ransomware-attacks-factory-honeypot Tue, 21 Jan 2020 00:00:00 -0500

The factory—a small prototyping company—was attacked several times over the space of seven months. The threats didn't come from sophisticated state-sponsored groups, but rather cybercriminals intent on fraud and financial gain.

MeTech wasn't a real factory. The network was a honeypot consisting of real industrial control systems (ICS) hardware and a mix of physical hosts and virtual machines, set up by Trend Micro Research to mimic the operations of a small factory. The researchers monitored the attacks against the honeypot to determine how “knowledgeable and imaginative” attackers had to be to compromise a manufacturing operation, and to monitor firsthand what kind of attacks manufacturing companies dealt with on a regular basis. Over the course of the project, researchers saw the network compromised for cryptocurrency mining, crippled by two separate ransomware attacks, and abused for consumer fraud.

“Too often, discussions of cyber threats to industrial control systems have been confined to highly sophisticated, nation-state level attacks designed to sabotage key processes,” said Greg Young, Trend Micro’s vice-president of cybersecurity.

Manufacturing and other sectors that rely on ICS are understandably worried about advanced attacks such as the ones involving Stuxnet and the Triton malware. However, the Trend Micro investigation showed that industrial environments were just as susceptible to fraud and financially-motivated exploits that plague enterprise information technology networks.

Building a Factory

The honeypot was designed to be as realistic as possible, with ICS hardware, physical hosts, and hardened virtual machines. Trend Micro included programmable logic controllers (PLCs) from Siemens, Allen-Bradley and Omron, and the virtual machines ran a human-machine interface (HMI) for controlling the factory in the honeypot. There was also a robotics workstation that controlled a palletizer and an engineering workstation used for programming PLCs. Finally, a physical machine running an old version of Windows served as the factory's file server. The file server had a shared directory with global read/write permissions, populated with randomly created files of various extensions and file sizes.

Some ports were intentionally left open on the honeypot, including VNC services that could be accessed without a password. The robotics workstation was exposed via Remote Desktop Protocol (RDP). The engineering workstation, on the other hand, was not exposed outside of the network. Instead, it used the same administrator password as that of the exposed HMI and robotics workstation, mimicking "a common setup in companies maintained by an administrator."

"The goal was to build a honeypot that appeared so real that not even a well-trained control systems engineer would be able to tell that it was fake without diving deeply into the system," the researchers wrote.

Recognizing that attackers frequently research the target beforehand, Trend Micro researchers went beyond the technical details to make this fake company look more legitimate. The "small industrial prototyping boutique working for special customers" in the military, avionic and manufacturing sectors had a professional-looking website with a motto and logo, made-up employee names and email addresses, and working phone numbers which played a recording instructing callers to leave a message. This level of detail was necessary because if it was too obvious that the network was actually a honeypot, the malware may not execute its payload, and attackers would not bother completing the attack.

"Advanced attackers could be very picky in choosing systems they wanted to compromise and would check every small detail that they could before conducting an attack," the researchers wrote.

Commonplace Attacks

One of the earlier attacks involved malicious cryptocurrency miners, the report found. An attacker got onto one of the virtual machines on the network, opened a web browser on the system, and set up a remote access tool to mine Monero cryptocurrency. The attacker is believed to have entered the network at least three times. A different attacker tried downloading a different miner at a later date, but did not succeed.

The researchers also observed a significant number of attempts to use the honeypot's systems and resources for fraud, such as cashing out airline miles for gift cards and buying smartphones by upgrading mobile subscriber accounts. There were also some reconnaissance activities that could have been related to phone fraud.

Scanning attempts don't automatically mean the system is under attack. The researchers identified scanning traffic from 9,452 unique IP addresses, of which 610 were linked to scanners such as ip-ip, Rapid 7, Shadow Server, Shodan, and ZoomEye, as well as others performing monitoring services for other companies. The researchers also identified scanning activity against PLCs which collected information about exposed devices—while the scans did not appear malicious, the researchers could not say with certainty that the scans were not part of reconnaissance activity for a future attack.

There were cases where the attacker closed applications running on the compromised workstation, shut down the system, or logged the current user out of the system. Another stopped the conveyor belt, started the palletizer application, and stopped the factory.

Infected by Ransomware

The network was infected by ransomware twice during the course of the research project, once by Crysis and once by Phobos. While the researchers believe the infections were carried out by "two unrelated individuals or groups," the execution flows were similar. The group behind Crysis first spent some time looking around the shared drive and the robotics workstation. The attackers installed the remote desktop software TeamViewer and used that tool to copy over the malware files, which then found and encrypted files on the system. The group behind Phobos also spent some time browsing the file system and scanning the network before deploying the ransomware.

Interestingly, researchers also observed an attempt to fake a ransomware attack, where the files were all renamed to have a .rnsmwr extension but nothing was encrypted.

Focus on Cybercrime

Security professionals are increasingly shifting their focus towards protecting ICS, but there is a disconnect between the dangers they worry about and the threats that are more likely. A lot of the discussion centers around sophisticated attacks from nation-state adversaries, and while that is still a possibility, Trend Micro's research suggests that cybercriminals are even more likely to cause problems on these networks.

“A lack of basic protections can open the door to a relatively straightforward ransomware or cryptojacking attack that could have serious consequences for the bottom line,” Trend Micro's Young said.

There have already been several incidents where ransomware disrupted factory operations. Back in 2017, Honda stopped production at one of its vehicle plants in Japan after finding WannaCry in its networks. Global aluminum producer Norsk Hydro had to shut down some production lines and switch others to manual functions after a ransomware attack. ASCO, one of the world's largest suppliers of airplane parts, ceased production in factories across four countries after finding ransomware in its Belgian plant.

"We created openings for attacks that could realistically be found in actual smart factories," the researchers wrote.

The researchers "had to do everything wrong" with MeTech's security so that the honeypot could be compromised, but many small factories would have made similar decisions—open VNC with no passwords, reusing weak administrator passwords throughout the network, no firewall filters to block unknown traffic.

"Our findings should serve as cautionary examples for organizations who run similar systems," the researchers wrote.

<![CDATA[Unpatched IE Vulnerability Under Active Attack]]> dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/unpatched-ie-vulnerability-under-active-attack https://duo.com/decipher/unpatched-ie-vulnerability-under-active-attack Tue, 21 Jan 2020 00:00:00 -0500

Attackers are using an unpatched vulnerability in Internet Explorer for targeted attacks while Microsoft is working to come up with a fix. The vulnerability allows remote code execution and can be exploited through a simple malicious website or email attachment.

Microsoft issued an advisory on Jan. 17 about the vulnerability, which affects IE 9, 10, and 11 on many current versions of Windows server and desktop. The company said it is aware of some limited targeted attacks that are exploiting the flaw, but gave no timeline for releasing a patch. The next regular patch day for Microsoft is Feb. 11, but the company has a history of publishing out-of-band patches for critical vulnerabilities, especially those that are under active attack.

“A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user,” the Microsoft advisory says.

“If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”

The exploitation scenarios for the vulnerability (CVE-2020-0674) are quite simple and would not require advanced technical skills. An attacker could construct a malicious website with the exploit code on it, or send an email with a malicious PDF or Office document. This is the type of attack tactic that would be commonly used by phishing gangs or cybercrime groups once they have the appropriate exploit code.

In the absence of an official patch, researchers recommend disabling access to a scripting DLL that is enabled by default and has been used in the exploits targeting this vulnerability.

“jscript.dll is a library that provides compatibility with a deprecated version of JScript that was released in 2009. Blocking access to this library can prevent exploitation of this and similar vulnerabilities that may be present in this old technology. When Internet Explorer is used to browse the modern web, jscript9.dll is used by default,” said Will Dormann of the CERT/CC at Carnegie Mellon University.

Microsoft recommends the same mitigation strategy, but warns that blocking access to that DLL will also reduce the functionality of IE.

Clément Lecigne, a researcher from Google’s Threat Analysis Group, discovered the vulnerability, as did Elia Yu from Qihoo 360.

<![CDATA[Decipher Podcast: Kenn White on the Windows Crypto Bug]]> info@decipher.sc ( ) https://duo.com/decipher/decipher-podcast-kenn-white-on-the-windows-crypto-bug https://duo.com/decipher/decipher-podcast-kenn-white-on-the-windows-crypto-bug Fri, 17 Jan 2020 00:00:00 -0500

<![CDATA[Kubernetes Launches Bug Bounty]]> dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/kubernetes-launches-bug-bounty https://duo.com/decipher/kubernetes-launches-bug-bounty Wed, 15 Jan 2020 00:00:00 -0500

Kubernetes, the open-source container management system, has opened up its formerly private bug bounty program and is asking hackers to look for bugs not just in the core Kubernetes code, but also in the supply chain that feeds into the project.

The new bounty program is supported by Google, which originally wrote Kubernetes, and it’s an extension of what had until now been an invitation-only program. Google has lent financial support and security expertise to other bug bounty programs for open source projects. The range of rewards is from $100 to $10,000 and the scope of what’s considered a valid target is unusual.

“The bug bounty scope covers code from the main Kubernetes organizations on GitHub, as well as continuous integration, release, and documentation artifacts. Basically, most content you’d think of as ‘core’ Kubernetes, included at https://github.com/kubernetes, is in scope. We’re particularly interested in cluster attacks, such as privilege escalations, authentication bugs, and remote code execution in the kubelet or API server. Any information leak about a workload, or unexpected permission changes is also of interest,” said Maya Kaczorowski and Tim Allclair of Google.

“Stepping back from the cluster admin’s view of the world, you’re also encouraged to look at the Kubernetes supply chain, including the build and release processes, which would allow any unauthorized access to commits, or the ability to publish unauthorized artifacts.”

Kubernetes is used on a number of cloud platforms and is now maintained by the Cloud Native Computing Foundation (CNCF). Bug bounties are now commonplace in the web application, cloud, and mobile environments, but there are far fewer of them in the open source community. The main reason for this is funding, because many open source projects are either volunteer-driven or run by a small team of developers with tight budgets.

The major exception is the Internet Bug Bounty program, which is sponsored by Microsoft, Facebook, and GitHub, among others. That program offers bounties for several software projects that are integral to the security of the Internet, including OpenSSL, Apache httpd, Perl, Nginx, and Ruby. The Internet Bug Bounty is managed by HackerOne, as is the new Kubernetes program.

“What’s exciting is that this is rare: a bug bounty for an open-source infrastructure tool. Some open-source bug bounty programs exist, such as the Internet Bug Bounty; this mostly covers core components that are consistently deployed across environments, but most bug bounties are still for hosted web apps. In fact, with more than 100 certified distributions of Kubernetes, the bug bounty program needs to apply to the Kubernetes code that powers all of them,” Kaczorowski and Allclair said.

<![CDATA[Citrix ADC Exploits Appear With No Patch Available Yet]]> dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/citrix-adc-exploits-appear-with-no-patch-available-yet https://duo.com/decipher/citrix-adc-exploits-appear-with-no-patch-available-yet Tue, 14 Jan 2020 00:00:00 -0500

As enterprises wait for the patches for the Citrix ADC CVE-2019-19781 vulnerability that are still several weeks away, mass scanning for vulnerable hosts is continuing and there are now at least two proof-of-concept exploits available for the bug.

The vulnerability emerged in mid-December and Citrix released a security advisory for it on Dec. 17, warning customers of the issue. The weakness is a directory traversal vulnerability in the Citrix Application Delivery Controller (ADC) and Citrix Gateway and it can allow an unauthenticated remote attacker to run arbitrary code. Citrix officials said they expect to begin releasing the first patches on Jan. 20, but some versions won’t have patches available until Jan. 31.

In the meantime, security researchers have been watching large-scale scanning by attackers searching for vulnerable installations and have observed active exploit attempts in several cases. There are at least two exploits available publicly, and attackers are actively using their own, as well. The two public exploits have been released on GitHub and both seem to work as intended to target the Citrix flaw.

“After the first exploit was released, TrustedSec released its exploit. It should be noted that TrustedSec held back on publishing until the first exploit was released. TrustedSec's exploit uses essentially the same method as the first exploit. But TrustedSec's exploit is written as a Python script and establishes a reverse shell,” said Johannes Ullrich, dean of research at the SANS Institute.

“Overall, TrustedSec's exploit is more professionally done and works very well. I had to make one small adjustment to make it work on my version of Citrix ADC. Over the last few hours, many other variations of the exploit have been released.”

Citrix ADC is a line of controllers designed to make application performance faster and increase availability. The appliances are widely used in data centers and enterprises.

Researchers at BadPackets detected large-scale scanning for the Citrix vulnerability from an IP address in Germany on Friday. The remote machine attempted to download a configuration file from any host that responded to the scan; a successful download indicated the host was vulnerable.

“This configuration file doesn’t appear to contain highly sensitive information by default, however a successful response to the scan will indicate the targeted server is vulnerable to further attacks,” said Troy Mursch, chief research officer at BadPackets.

“On Sunday, January 12, 2020, our honeypots detected multiple CVE-2019-19781 exploit attempts from a host in Poland. This differed from the previous scanning activity as it conducted the actual remote code execution exploit and targeted ports 443, 2083, 2087, and 8443/tcp.”

The BadPackets researchers found a little more than 25,000 vulnerable endpoints in their scans.

Citrix has released some mitigation information for customers as they wait for the patches, and Fermin Serna, CISO of Citrix, said the mitigations should help defend against attacks.

“These mitigations cover all supported versions and contain detailed steps designed to stop a potential attack across all known scenarios,” he said.

“We are currently working to develop permanent fixes. As with any product of this nature, and consistent with our policies and procedures, these fixes need to be comprehensive and thoroughly tested.”

The Department of Homeland Security has released a utility that customers can use to test their systems to see if they’re vulnerable.

<![CDATA[Microsoft Patches Flaw in Windows Cryptography Component]]> fahmida@decipher.sc (Fahmida Y. Rashid) https://duo.com/decipher/microsoft-patches-flaw-in-windows-cryptography-component https://duo.com/decipher/microsoft-patches-flaw-in-windows-cryptography-component Tue, 14 Jan 2020 00:00:00 -0500

Microsoft kicked off its first Patch Tuesday of 2020 by fixing a potentially serious spoofing vulnerability in a cryptographic component for Windows that was discovered by the National Security Agency.

The vulnerability exists in the way the CryptoAPI (Crypt32.dll) component in the Windows operating system validates Elliptic Curve Cryptography (ECC) certificates (CVE-2020-0601), Microsoft said. Digital signatures are used to indicate software is authentic and has not been modified. By exploiting this flaw, an attacker could potentially sign malicious files using a spoofed code-signing certificate and make it appear to come from a trusted source.

“The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider,” Microsoft said.

The flaw can be used to intercept and modify HTTPS (or TLS) communications, CERT-CC, the vulnerability disclosure center at Carnegie Mellon University, said in its advisory. This could lead to man-in-the-middle attacks to intercept sensitive information.

The issue impacts Windows 10, Windows Server 2016, and Windows Server 2019, as well as applications that rely on Windows for trust functionality—such as web browsers—by using CryptoAPI. Windows 7, Windows 8, and earlier versions are not affected.

The library is used by pretty much all Windows software that deals with encryption and digital signatures, which means third-party software will also be impacted, said Johannes Ullrich of the SANS Technology Institute. “If you have an endpoint solution that blocks users from running untrusted code: You likely need to worry and apply this patch quickly,” said Ullrich.

“We have not seen any evidence that this technique has been used in the wild,” Microsoft said. “As always we encourage customers to install all security updates as soon as possible.”

How Bad Is It?

There is a bit of a disconnect on the severity of the flaw. Microsoft categorized the vulnerability as “important” and rated it as level one, or “exploitation more likely,” while the NSA described the vulnerability as critical. The government agency said the vulnerability, if exploited, could impact trust in HTTPS connections, signed files and emails, and signed executable code.

“NSA assesses the vulnerability to be severe and that sophisticated cyber actors will understand the underlying flaw very quickly and, if exploited, would render the previously mentioned platforms as fundamentally vulnerable. The consequences of not patching the vulnerability are severe and widespread. Remote exploitation tools will likely be made quickly and widely available,” the NSA said in its advisory.

The difference in severity is a matter of definition. Microsoft considers flaws that can be exploited with no user interaction as “critical.” Since this flaw requires some kind of user interaction to be exploited, it was assigned the second highest category.

Remote code execution cannot be achieved directly through CVE-2020-0601. Once trusted communication channels, such as automatic update downloads and non-validated input between systems, have been compromised, however, an attacker would be able to use a different component to trigger remote code execution. This could be particularly dangerous in industries that rely on a trusted network infrastructure, such as banking communications and transportation systems.

It is an indicator of how seriously government officials are taking the issue that the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency issued an emergency directive instructing federal agencies to patch their systems within 10 days.

“We do not issue emergency directives unless we have carefully and collaboratively assessed it to be necessary,” CISA wrote in a blog post accompanying the directive. This is only the second time CISA has ever issued an emergency directive. “But left unpatched, these vulnerabilities hit at the core of digital trust, and pose an unacceptable risk to the Federal enterprise that require an immediate and emergency action.”

NSA’s Motives

The fact that the NSA notified Microsoft of the vulnerability instead of adding it to its stockpile of exploits to use in offensive operations is unusual enough that there is some question about the government agency’s motives. The disclosure could be an attempt at rebranding and polishing up its reputation—especially after Microsoft president Brad Smith criticized the government in 2017 for weaponizing EternalBlue instead of disclosing it. EternalBlue was leaked in the ShadowBrokers dump, and used in the WannaCry attacks.

It could be that NSA already had similar exploits and didn’t really need this one. It could also be that the agency sees a potential attack that could cause so much damage that the dangers outweigh any advantages from keeping the vulnerability to itself.

It could be that once the agency's experts realized how this flaw could be exploited, they realized how unprepared the home team (the United States) would be if another country was able to use the vulnerability. The thing about cyberweapons is that once used, they can be copied and pasted and used again by anyone else. Rising tensions mean more cyberattacks. Disclosing the vulnerability could be a critical step in shoring up U.S. defenses in advance of a serious attack.

“I’d be interested to understand what makes this exploit worth reporting to Microsoft instead of keeping for their personal arsenal as they have in the past,” said Chris Morales, head of security analytics at Vectra.

It isn’t clear exactly when the NSA found the flaw, so it is possible the agency kept the vulnerability for its own purposes for a while before contacting Microsoft. Reporting by The Washington Post, however, suggests the disclosure was done in a fairly timely manner.

The fact that the NSA is publicly credited for reporting CVE-2020-0601 indicates a change in philosophy at the NSA, Anne Neuberger, director of the NSA’s Cybersecurity Directorate, said on a call with reporters. The agency has never permitted public attribution in the past. The NSA followed the vulnerabilities equities process (VEP), which is used by the federal government to determine how to treat vulnerabilities on a case-by-case basis, to report CVE-2020-0601.

<![CDATA['We Can't Be Complacent' About the Crypto Debate]]> dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/we-can-t-be-complacent-about-the-crypto-debate https://duo.com/decipher/we-can-t-be-complacent-about-the-crypto-debate Mon, 13 Jan 2020 00:00:00 -0500

The encryption debate never really ends, it simply goes in cycles that are quieter or louder, depending upon how the political winds are blowing at the moment. Those winds are blowing quite strongly in one direction right now, and experts warn that any compromises that the technical community makes on backdoors or key escrow in the short term could have painful long-term consequences.

The history of the crypto wars is a decades-long one going back to the earliest days of the public Internet and includes periods of intense debate and conflict followed by years of relative calm. The people, technology, and rhetoric change over time, but the basic issue remains the same: the desire by government and law enforcement to weaken strong encryption for surveillance and investigative purposes. Cryptographers, security experts, and civil liberties groups have argued consistently over the years that any scheme that implements a backdoor or similar tool in a product or service would weaken security for everyone and ultimately be a prime target for adversaries, as well.

Policy makers and law enforcement officials counter that national security and criminal investigative interests should outweigh the need for personal privacy. This line of reasoning has taken various forms over the years, with the current version focusing on the recent implementations of strong device encryption by Apple and Google on their mobile devices, which has made it difficult or impossible in some cases for law enforcement agencies to gain access to encrypted phones. The vendors do not hold the encryption keys for users’ devices and therefore can’t supply them to law enforcement, even with a subpoena or court order. Congress has held a number of hearings recently on this issue and some members have pushed tech leaders to come up with a way to create and store keys for every device they sell in the event that law enforcement should need access in the future.

But Jennifer Granick, surveillance and cybersecurity counsel at the American Civil Liberties Union, who has been involved in the encryption debate for many years, said any technical concessions could have cascading effects that would be felt for many years to come.

“One of the things we have to be very careful about, particularly given the fervor of the political debate, is not to trade away things or accept compromises we’re going to be sorry about later on,” Granick said during a talk at the Real World Crypto conference last week.

“I don’t think this is a problem of this administration. It is a battle that will be ongoing and unfortunately that’s one of the reasons why we need to be very careful about how we hold the line here. The Department of Justice will still be here caring about this stuff thirty-five years later and I’ll be retired. We need to expect that this will be a continuous ongoing battle.”

One of the complications in the crypto debate is the fact that it’s not just about one thing. It involves encryption of data at rest, like that used on mobile phones, encryption of data going across the network, and encrypted messaging apps, such as WhatsApp, iMessage, and Signal. Each of the various components is unique but they often get conflated and lumped into one bucket, especially in policy debates and congressional hearings, adding to the confusion.

But there’s also another somewhat separate element: law enforcement hacking. Federal law enforcement agencies, along with some state and local ones, have access to a variety of spyware tools and attack tools sold by a small cadre of vendors. Many of those tools rely on using private vulnerabilities or techniques in order to access target devices or systems. Lawful intrusion tools are highly controversial and Granick said this tactic can have unintended consequences, too.

“Backdoors are bad, but so is law enforcement hacking. If the government is an incentivized attacker on the network we’re going to see vulnerability forwarding and money flowing to organizations like NSO Group and FinFisher. Is this something that companies that require users’ trust are really going to stand up for?” she said.

“The message I’m trying to give here is we can’t be complacent about this issue. There’s a real lack of expertise on this issue among policy makers.”

<![CDATA[Industry Groups Don't Like Commerce Department's Supply Chain Security Rules]]> fahmida@decipher.sc (Fahmida Y. Rashid) https://duo.com/decipher/industry-groups-don-t-like-commerce-department-s-supply-chain-security-rules https://duo.com/decipher/industry-groups-don-t-like-commerce-department-s-supply-chain-security-rules Mon, 13 Jan 2020 00:00:00 -0500

Multiple business groups have pushed back on proposed Commerce Department rules on information and communications technology supply chain security, citing concerns about lack of transparency and potential overreach.

The proposed Commerce rules, Securing the Information and Communications Technology and Services Supply Chain, would execute May’s Executive Order 13873, which banned United States entities from purchasing information and communications technology from “foreign adversaries.” While the rules are written to be country-agnostic and do not name any companies, they are understood to mean United States companies cannot buy from Chinese telecom equipment providers Huawei and ZTE.

The “proposed framework would likely have only a marginal impact on improving supply chain security, while severely constraining US companies’ ability to innovate,” said BSA, The Software Alliance. BSA represents companies with supply chains that are highly dependent on international partners. U.S. intelligence agencies have warned over the years that Huawei and ZTE’s close ties with the Chinese government pose significant risks to national security. Using equipment from these companies in U.S. critical infrastructure could potentially give the Chinese government the ability to infiltrate and compromise U.S. networks for espionage.

In the rules, the Department of Commerce outlined the process for identifying, assessing and addressing certain information and communication technology and service (ICTS) transactions that pose a risk to the U.S. critical infrastructure, digital economy, or national security. The evaluations would be on a case-by-case basis, since the rules do not designate which technologies, participants, or transactions are exempt or prohibited.

“Nothing less than a very significant reconsideration of both substance and process will render such a rule workable or effective in terms of American national security, U.S. economic competitiveness, or overall due process,” said the Information Technology Industry Council (ITI), while urging the department to rewrite the rules, which were "fundamentally flawed."

Scope Overreach

The scope was “staggeringly” broad: the department would be able to intervene in any transaction that involves anyone (“any person subject to the jurisdiction of the United States”), involves any property in which a foreign country may have an interest, and was initiated or completed after May 15, 2019. If a transaction posed “an undue or unacceptable risk,” the Secretary of Commerce would be able to impose measures to mitigate the risks or prohibit the transaction entirely. Even technology already deployed and in use would have to be suspended.

The rules would give the Secretary of Commerce “unbounded discretion to review commercial ICT transactions, applying highly subjective criteria in an ad hoc and opaque process that lacks meaningful safeguards for companies,” Christian Troncoso, BSA's director of policy, wrote in the comment letter. The vague terms (what makes something a ‘transaction’?), the lack of transparency, and the fact that there was no way to know what transactions were being reviewed, put unnecessary pressure on companies.

“This undefined scope would leave industry in a constant and irremediable state of uncertainty about whether their operations are, or soon will be, subject to regulatory scrutiny,” Troncoso warned.

ITI called the scope and breadth of the proposed rule "alarming and unnecessarily undermines" all ICTS transactions that may touch the United States, even peripherally. The executive order gives authority to block transactions with "a clear connection to a foreign adversary and pose unacceptable risks to national security or undue risks to critical infrastructure or the digital economy," but the proposed rules do not limit the Commerce Department's authority to only those situations, wrote John S. Miller, ITI's vice president of policy and senior counsel. In fact, as written, the rules would allow Commerce to evaluate and block transactions that present no or low risks to national security.

The U.S. Chamber of Commerce (not a government agency) was also concerned about the rule’s reach, as ICTS can be found in "virtually every type of company in every industry, with thousands of ICTS transactions happening every day," the Chamber of Commerce wrote in its comments. The rule would provide the Department with "nearly unlimited authority to interfere in virtually any commercial transaction,” wrote Neil L. Bradley, chief policy officer for the Chamber of Commerce, and Christopher D. Roberti, the senior vice president of cyber, intelligence, and security at the Chamber. The uncertainty associated with operating in an environment where any and all ICTS transactions may be subject to review could disrupt global supply chains and make investment and sourcing decisions very difficult, Bradley and Roberti wrote.

Practical Challenges

The broad and vague language used would make it difficult for organizations to know what they have to do in order to make sure they are following the rules.

The rules as drafted are "too broad to be practically implementable," Miller said.

USTelecom, which represents larger telecommunications operators, recommended modifying the rules "to draw clearer lines between prohibited and permitted transactions." That could mean publishing a list of persons or governments that are foreign adversaries providing ICTS, or a "policy guidance with unmistakably clear criteria," USTelecom wrote. That would help organizations understand what types of transactions would fall under the scope of the rules.

Overlapping Authority

The Chamber of Commerce also noted that several national security programs are already working on this problem, such as the Bureau of Industry and Security’s Entity List and the Committee on Foreign Investment in the United States (CFIUS). The supply chain may be an “attractive target for espionage, sabotage, and foreign interference activity,” but supply chain security cannot be achieved without the U.S. business community, the Chamber said. The proposal provides “little in terms” of guidance on what businesses can do to make sure they are planning around potential threats.

“A more deliberate discussion of how this proposal would complement existing programs without overlapping them is necessary,” the Chamber said.

USTelecom said the department needed to coordinate its evaluations “formally with other agencies at every step.” One way to do so is to look at the ongoing work done by the Department of Homeland Security, the Cybersecurity and Infrastructure Security Agency's Supply Chain Risk Management Task Force, and other arenas to develop a framework on how subcomponents are evaluated instead of trying to come up with their own approach.

The Rural Wireless Association, which represents smaller rural carriers in the United States, noted in its comments a parallel effort at the Federal Communications Commission to block Huawei and ZTE from collecting funds from the Universal Service Fund. The fund is an annual pool of $8.5 billion collected from consumers for expanding broadband access. RWA members would be particularly affected by the proposed rules because they rely on low-cost equipment from Huawei and ZTE to extend internet connectivity to hard-to-cover rural areas.

ITI's Miller also noted the challenge of providing comments to a rule "with such vast legal scope and economic implications" within an "expedited timeframe." As the draft provided "almost no specifics, industry cannot meaningfully comment on it," Miller said.

<![CDATA[Microsoft Mines Events Logs for RDP Brute-Force Attacks]]> fahmida@decipher.sc (Fahmida Y. Rashid) https://duo.com/decipher/microsoft-mines-events-logs-for-rdp-brute-force-attacks https://duo.com/decipher/microsoft-mines-events-logs-for-rdp-brute-force-attacks Fri, 10 Jan 2020 00:00:00 -0500

Windows systems with Remote Desktop Protocol exposed to the Internet make attractive targets because they provide adversaries with a simple and effective way to get initial entry into the targeted network. There are off-the-shelf tools to scan the Internet for exposed systems, and the password’s strength—uniqueness—will determine how easy it would be for the attackers to guess the login credentials.

Microsoft researchers found that out of about 45,000 Windows workstations that had both RDP public IP connections and at least one network failed sign-in attempt, on average, several hundred machines per day had a high probability of undergoing one or more RDP brute-force attack attempts.

“Across all enterprises analyzed over several months, on average about one machine was detected with high probability of being compromised resulting from an RDP brute force attack every three to four days," the Microsoft research team said.

RDP as an Open Door

A built-in Windows component, Remote Desktop Protocol lets users log into a remote computer via a desktop-like interface using the computer’s IP address, over port 3389. RDP is particularly helpful for system administrators managing servers and workstations in remote locations and is also used by employees when they are away from their desks. Attackers don’t have to bother with sophisticated malware or advanced techniques if the machine with RDP isn’t protected behind virtual private networks or other security layers. All they need is that machine’s IP address.

In some cases, RDP may be set up without a password. Attackers can also make their way into the targeted machine and the network if the password is weak or easily-guessable, and multi-factor authentication is not enabled.

In a brute-force attack, attackers use automated tools to cycle through different username/password combinations to try to guess the login credentials. Adversaries may compile frequently used usernames and passwords (such as admin/admin), valid credentials harvested from password dumps after breaches at various online services, or potential combinations stolen through other methods.

Identifying Attacks

As part of the analysis, Microsoft researchers collected both successful and failed login-related events for RDP (event IDs 4624 and 4625 in the Windows event logs) along with the usernames and IP addresses associated with those events. Many failed sign-ins (events with ID 4625) occurring within very short intervals—minutes or seconds—from a single IP address would suggest a brute-force attack in progress. However, the researchers found that attackers were spreading out the brute-force attempts over a longer period of time—a few combinations per hour rather than hundreds or thousands at a time—to avoid getting their IP addresses blocked.

Brute-force attacks against RDP typically lasted between two and three days, Microsoft researchers found. The majority, or 90 percent, of the attacks last for a week or less. Less than 5 percent last for two weeks or more.

A relatively large number of 4625-events appearing suddenly in the logs don’t automatically mean a brute-force attack is underway, as it could mean that the user is using a script with an expired password, for example. Other factors have to be considered, such as seeing failed login attempts for many unknown usernames, across multiple RDP connections, and originating from unknown IP addresses, Microsoft said.

“Knowing if the external IP has a high reputation of abuse, as can be looked up on sites like abuseipdb.com, can directly confirm if an IP is a part of an active brute force,” Microsoft said.

RDP Events for Defense

Microsoft suggested system administrators monitor for multiple signals to detect inbound brute-force traffic against RDP. Signals include time and day of week of failed attempts, timestamp of a successful login after multiple attempts, count of usernames that failed to sign in, count of attempts from external IP addresses, and counts of other machines having inbound connection attempts coming from the same IP addresses. Microsoft said it was possible to develop a time series anomaly detection model with these signals to accurately identify RDP brute force attacks.

"A key takeaway from our analysis is that successful brute force attempts are not uncommon; therefore, it's critical to monitor at least the suspicious connections and unusual failed sign-ins that result in authenticated sign-in events,” Microsoft said.
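The following Python is an added example, not Microsoft's code and not taken from the research described above. It turns the two passages on identifying attacks and on the defensive signals into working detection logic over a constructed batch of 4624 (successful logon) and 4625 (failed logon) records: a naive burst rule that fires on a stale-password script and misses a slow attacker, beside a per-source profile that aggregates the signals the article lists (failure count, unknown usernames, distinct target hosts, time span, and a success following failures). The sample events, the KNOWN_USERS set and every threshold are assumptions for illustration.

```python
"""Triage of Windows logon events for RDP brute-force activity (added example).
Events are constructed in the shape of Security log IDs 4624 and 4625; the
KNOWN_USERS set and all thresholds are illustrative assumptions, not Microsoft's."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

KNOWN_USERS = {"jsmith", "svc_backup", "administrator"}  # assumed local accounts
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample: (timestamp, event_id, target_host, username, source_ip).
# 203.0.113.7 guesses a few accounts per hour across two hosts and finally succeeds;
# 10.0.0.5 is a scheduled task retrying one real account with a stale password.
SAMPLE_EVENTS = [
    ("2020-01-06 01:05:00", 4625, "WS01", "admin", "203.0.113.7"),
    ("2020-01-06 02:40:00", 4625, "WS01", "administrator", "203.0.113.7"),
    ("2020-01-06 04:10:00", 4625, "WS02", "test", "203.0.113.7"),
    ("2020-01-06 06:55:00", 4625, "WS02", "scanner", "203.0.113.7"),
    ("2020-01-06 08:30:00", 4624, "WS01", "jsmith", "10.0.0.21"),
    ("2020-01-06 09:00:00", 4625, "WS01", "svc_backup", "10.0.0.5"),
    ("2020-01-06 09:00:05", 4625, "WS01", "svc_backup", "10.0.0.5"),
    ("2020-01-06 09:00:10", 4625, "WS01", "svc_backup", "10.0.0.5"),
    ("2020-01-06 09:00:15", 4625, "WS01", "svc_backup", "10.0.0.5"),
    ("2020-01-06 09:00:20", 4625, "WS01", "svc_backup", "10.0.0.5"),
    ("2020-01-06 09:00:25", 4625, "WS01", "svc_backup", "10.0.0.5"),
    ("2020-01-06 11:20:00", 4625, "WS01", "backup", "203.0.113.7"),
    ("2020-01-06 15:45:00", 4625, "WS02", "jsmith", "203.0.113.7"),
    ("2020-01-06 21:30:00", 4625, "WS01", "guest", "203.0.113.7"),
    ("2020-01-07 03:15:00", 4624, "WS02", "jsmith", "203.0.113.7"),
]

def parse_events(rows):
    return [dict(ts=datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), event_id=eid,
                 host=host, user=user, ip=ip) for ts, eid, host, user, ip in rows]

def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def burst_rule(events, max_failures=5, window=timedelta(minutes=10)):
    """Naive rule: N failed logons from one IP inside a short window. It fires on
    the stale-password task and misses the attacker who spreads attempts out."""
    times = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["event_id"] == 4625:
            times[e["ip"]].append(e["ts"])
    return {ip for ip, ts in times.items()
            if any(ts[i + max_failures - 1] - ts[i] <= window
                   for i in range(len(ts) - max_failures + 1))}

def profile_sources(events):
    """Aggregate, per source IP, the signals the article lists: failure count,
    unknown usernames, distinct target hosts, time span, success after failures."""
    profiles = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        p = profiles.setdefault(e["ip"], dict(
            external=is_external(e["ip"]), failures=0, unknown_users=set(),
            hosts=set(), first=None, last=None, success_after_failures=[]))
        if e["event_id"] == 4625:
            p["failures"] += 1
            p["hosts"].add(e["host"])
            if e["user"] not in KNOWN_USERS:
                p["unknown_users"].add(e["user"])
            p["first"] = p["first"] or e["ts"]
            p["last"] = e["ts"]
        elif e["event_id"] == 4624 and p["failures"] > 0:
            p["success_after_failures"].append((e["host"], e["user"], e["ts"]))
    return profiles

def assess(p, min_failures=5, min_unknown_users=3, min_hosts=2, slow_hours=12):
    """Return (verdict, reasons) for one source profile. Thresholds are assumptions."""
    reasons = []
    if p["failures"] >= min_failures:
        reasons.append(f"{p['failures']} failed logons")
    if len(p["unknown_users"]) >= min_unknown_users:
        reasons.append(f"{len(p['unknown_users'])} unknown usernames tried")
    if len(p["hosts"]) >= min_hosts:
        reasons.append(f"{len(p['hosts'])} hosts targeted from the same address")
    if p["external"]:
        reasons.append("external source address")
    span = (p["last"] - p["first"]) if p["first"] else timedelta(0)
    if span >= timedelta(hours=slow_hours):
        reasons.append(f"attempts spread over {span.total_seconds() / 3600:.1f} hours (low and slow)")
    if p["success_after_failures"]:
        host, user, ts = p["success_after_failures"][0]
        reasons.append(f"success as {user} on {host} at {ts:%Y-%m-%d %H:%M} after failures")
    # One real account failing repeatedly from inside, with nothing else, is a stale
    # credential (the expired-password script case), not password guessing.
    if len(reasons) <= 1 or (not p["external"] and not p["unknown_users"]):
        return "not brute force", reasons
    return ("likely compromised" if p["success_after_failures"]
            else "brute force in progress"), reasons

def detect(rows=SAMPLE_EVENTS):
    """Map each source IP to its verdict and the reasons supporting it."""
    return {ip: assess(p) for ip, p in profile_sources(parse_events(rows)).items()}
```

Calling `detect()` on the constructed batch labels 203.0.113.7 "likely compromised" with six supporting reasons and leaves both internal addresses at "not brute force", while `burst_rule(parse_events(SAMPLE_EVENTS))` returns only the stale-password source 10.0.0.5. Keeping the reasons alongside the verdict is what makes the alert reviewable: an analyst can see that the success on WS02 came after a day of spread-out guessing from an external address rather than from an unrelated logon.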

<![CDATA[Lawmakers Ask FCC to Do Something About SIM Swapping]]> fahmida@decipher.sc (Fahmida Y. Rashid) https://duo.com/decipher/lawmakers-ask-fcc-to-do-something-about-sim-swapping https://duo.com/decipher/lawmakers-ask-fcc-to-do-something-about-sim-swapping Thu, 09 Jan 2020 00:00:00 -0500

A group of Senators and Representatives have asked the Federal Communications Commission to require wireless carriers to protect consumers from having their phones hijacked via SIM swapping.

SIM swapping refers to a type of fraud where scammers convince the wireless carrier to transfer mobile accounts from one person to another. Carriers assign phone numbers to cell phones via SIM cards, so if someone convinces the carrier that something happened to the original device, the carrier can assign the phone number to the SIM in the new phone. It’s that simple to game the authentication-by-phone-number scheme, and the original owner loses control of the phone number entirely. With full control of the phone number, the fraudster can intercept SMS messages that are sent as a type of two-factor authentication to log into accounts or to reset passwords.

To put into context, many banks rely on SMS messages for two-factor authentication. Attackers can use the messages to fraudulently log into bank accounts and steal money. Criminals are estimated to have stolen tens of millions of dollars by emptying bank accounts or cryptocurrency wallets this way.

“Consumers have no choice but to rely on phone companies to protect them against SIM swaps—and they need to be able to count on the FCC to hold mobile carriers accountable when they fail to secure their systems and thus harm consumers,” said the letter to the FCC, which was authored by Sen. Ron Wyden (D-Ore.) and signed by Sens. Sherrod Brown (D-Ohio), and Edward J. Markey (D-Mass), and Reps. Anna G. Eshoo (D-Calif.), Yvette D. Clarke (D-N.Y.), and Ted Lieu (D-Calif.).

In the letter, the lawmakers urged FCC Chairman Ajit Pai to use the agency’s regulatory authority over wireless carriers to address the problem. The lawmakers wanted to know if the FCC currently tracks consumer complaints about SIM swapping and number port-outs, which refer to the process of moving a phone number from one carrier to another, and whether the agency has initiated any investigations or actions against carriers for failing to protect consumers from these scams.

In some countries, such as the United Kingdom and Mozambique, carriers provide banks with the most recent date the customer changed the SIM for that phone number. This way, financial institutions can flag potentially suspicious login attempts associated with fraudulent SIM swaps. The lawmakers asked in the letter to the FCC whether U.S. federal regulations would prevent mobile carriers from setting up this kind of data sharing with financial institutions.

Easy Scams

There are legitimate reasons why carriers allow SIM swapping and number porting. Customers may have lost their phones, or switched to a new device that requires a different-sized SIM card, so the original one can no longer be used. Customers may want to switch carriers for better deals or services without giving up a phone number they are comfortable with. But the customer service that makes these changes possible is also a glaring weakness in carriers’ processes. Thieves can convince employees that a request is legitimate using simple social engineering tricks. In some cases, the scammers may bribe unscrupulous employees at mobile phone stores to switch customer accounts.

The lawmakers also asked what kind of guidance the carriers provide consumers about this problem. Some carriers allow customers to add security protections to their account that prevent SIM swaps or number porting unless the customer physically goes to a store with a valid ID.

“Unfortunately, implementation of these additional security measures by wireless carriers in the U.S. is still spotty and consumers are not likely to find out about the availability of these obscure, optional security features until it is too late,” the lawmakers’ letter to the FCC said.

Ongoing Problem

The Federal Trade Commission previously issued a warning about SIM swapping back in October. According to FTC data, there were 215 reported SIM swap incidents in 2016, and at least 728 in 2019. However, the lawmakers noted in the letter that not everyone files a complaint (or knows how to) so the reported number of complaints should be viewed as just a fraction of the actual number of incidents.

Twitter CEO Jack Dorsey lost control of his phone number for about 15 minutes, during which the scammers posted vulgar messages online purporting to be him.

Back in 2018, blockchain investor Michael Terpin claimed a SIM swapping scam caused him to lose $24 million worth of cryptocurrency. Terpin eventually filed a $224 million lawsuit (dismissed by the judge) against wireless carrier AT&T for not doing a better job protecting accounts from fraudulent SIM swapping. There have been a handful of similar lawsuits against carriers over the years.

In October, Terpin wrote an open letter to Pai asking the FCC to force U.S. mobile carriers to hide customer PINs and passwords from employees and to notify customers of ways to secure their accounts.

Silent FCC

This isn’t the first time the FCC has been asked to do something about cellphone fraud, and SIM swapping specifically. In an August letter to Pai written by Sen. Amy Klobuchar (D-Minn.), and signed by Sens. Tina Smith (D-Minn.), Ed Markey (D-Mass.), Richard Blumenthal (D-Conn.), John Tester (D-Mont.), Maggie Hassan (D-N.H.), Angus King (I-Maine), Ron Wyden (D-Ore.), and Tammy Duckworth (D-Ill.), the lawmakers noted that the “FCC offers virtually no information to consumers about how to prevent this type of fraud or information about how to seek recourse if they are targeted.”

In this latest letter, Wyden pointed out the national security implications of SIM swapping, as someone who gained control of email or other accounts belonging to a “local public safety official” after hijacking the phone number could potentially “issue emergency alerts using the federal alert and warning system operated by the Federal Emergency Management Agency.”

Wyden requested a response from the FCC by Feb. 14.

“We urge the FCC to initiate a rulemaking to protect consumers from SIM swaps, port outs and other similar methods of account fraud,” the letter said.

<![CDATA[Mozilla Patches Firefox Zero Day Under Active Attack]]> dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/mozilla-patches-firefox-zero-day-under-active-attack https://duo.com/decipher/mozilla-patches-firefox-zero-day-under-active-attack Thu, 09 Jan 2020 00:00:00 -0500

Mozilla has issued an emergency patch for a remote code execution vulnerability in Firefox that is being used in active attacks right now.

The vulnerability is in the just-in-time compiler in Firefox and Mozilla has released new versions of the main branch of the browser as well as the extended support release branch to fix the bug. Mozilla warned users that the vulnerability has been used in targeted attacks, making it urgent for customers to update their machines.

“Incorrect alias information in IonMonkey JIT compiler for setting array elements could lead to a type confusion. We are aware of targeted attacks in the wild abusing this flaw,” the Mozilla advisory says.

On Tuesday, Mozilla released Firefox 72, the latest major version of the browser, which brought with it fixes for a number of other security vulnerabilities. Six of those flaws are high-severity bugs, but none is as dangerous as the one that Mozilla fixed on Wednesday with the emergency release. Mozilla did not provide any further details about the vulnerability or the exploits that are targeting it, but it is quite rare for the company to push out emergency patches like this.

In June, Mozilla issued an emergency fix for a similar type confusion vulnerability in Firefox, a bug that was also being used in active attacks. That flaw was used in an attack on Coinbase and security researcher Patrick Wardle also discovered that the vulnerability was used to deliver the Netwire Mac malware.

Researchers at Chinese security company Qihoo 360 discovered the new Firefox vulnerability and reported it to Mozilla.

<![CDATA[MITRE Adds ICS-Specific Techniques to ATT&CK Framework]]> fahmida@decipher.sc (Fahmida Y. Rashid) https://duo.com/decipher/mitre-adds-ics-specific-techniques-to-attack-framework https://duo.com/decipher/mitre-adds-ics-specific-techniques-to-attack-framework Wed, 08 Jan 2020 00:00:00 -0500

MITRE has released a version of its ATT&CK knowledgebase covering tactics and techniques used in attacks against industrial control systems.

MITRE’s ATT&CK, which stands for Adversarial Tactics, Techniques and Common Knowledge, is a framework widely used by cybersecurity professionals to check whether their defenses are enough to detect and block attacks. Security vendors also use the framework to verify that their products can detect specific attacks. The ATT&CK for ICS knowledge base provides critical infrastructure operators and other organizations that have ICS in their environments with information about how their ICS-specific applications and protocols can be abused.

“With expertise in this domain [ICS security] in short supply, it can also help with the development of incident response playbooks, prioritizing defenses as well as finding gaps, reporting threat intelligence, analyst training and development, and emulating adversaries during exercises,” MITRE said.

Organizations such as energy transmission and distribution plants, oil refineries, wastewater treatment facilities, and transportation systems are concerned about attacks against ICS, as they can cause physical damage to equipment, or may interrupt critical service delivery by disrupting normal processes. ATT&CK for ICS currently has detailed information about 81 attack techniques used by adversaries, 17 pieces of malware used against ICS, 10 threat groups known to have launched ICS-related attacks, and 7 types of assets that can be targeted.

MITRE said the existing tools and techniques outlined in ATT&CK for enterprise IT systems are also relevant for ICS operators, as IT systems may provide the initial entry point into ICS.

Concerns about critical infrastructure attacks are currently high, but not new. Recent examples include the attacks on the Ukrainian power grid (attributed to Russia) that caused short blackouts in 2015 and 2016. NotPetya is believed to have caused an estimated $10 billion in damage to Ukrainian energy firms as well as airports, banks, other major companies, and government agencies.

“The knowledge base can play several key roles for defenders, including helping establish a standard language for security practitioners to use as they report incidents,” MITRE said.

The first ATT&CK model was released in 2013 with a focus on Microsoft Windows. Since then, it has expanded to include Linux, Mac OS, and cloud platforms. The matrix of tactics and techniques describes how attackers break into and move within systems, from initial access to exfiltration. By breaking out different tactics into specific categories, defenders can detect and block the adversary at any point during the attack. Defenders still have multiple opportunities to detect the attack after the initial entry point by looking for these tactics.

ATT&CK is regularly updated with new information about attack tactics. Last month, MITRE added, or updated, 36 techniques to cover adversary behavior against cloud-based platforms. The update also included attack tactics specifically targeting Azure Active Directory and Microsoft Office 365. Last fall, Immersive Labs integrated MITRE ATT&CK into its skills development platform to help industry professionals improve their abilities to detect and respond to attacks.

<![CDATA[SHA-1 'Fully and Practically Broken' By New Collision]]> dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/sha-1-fully-and-practically-broken-by-new-collision https://duo.com/decipher/sha-1-fully-and-practically-broken-by-new-collision Tue, 07 Jan 2020 00:00:00 -0500

UPDATE--SHA-1, the 25-year-old hash function designed by the NSA and considered unsafe for most uses for the last 15 years, has now been “fully and practically broken” by a team that has developed a chosen-prefix collision for it.

The development means that an attacker could essentially impersonate another person by creating a PGP key that’s identical to the victim’s key. The technique that the researchers developed is quite complex and required two months of computations on 900 individual GPUs, so it is by no means a layup for most adversaries. SHA-1 has been phased out of use in most applications and none of the major browsers will accept certificates signed with SHA-1, and NIST deprecated it in 2011. But the new result shows that SHA-1 is no longer fit for use.

The new collision is the work of researchers Gaetan Leurent and Thomas Peyrin, and while SHA-1 isn’t widely used anymore, it has potential consequences for users of GnuPG and OpenSSL, among other applications.

“Our work shows that SHA-1 is now fully and practically broken for use in digital signatures. GPU technology improvements and general computation cost decrease will quickly render our attack even cheaper, making it basically possible for any ill-intentioned attacker in the very near future,” the researchers said in their new paper, published this week.

“SHA-1 usage has significantly decreased in the last years; in particular web browsers now reject certificates signed with SHA-1. However, SHA-1 signatures are still supported in a large number of applications. SHA-1 is the default hash function used for certifying PGP keys in the legacy branch of GnuPG (v 1.4), and those signatures were accepted by the modern branch of GnuPG (v 2.2) before we reported our results.”

“We note that classical collisions and chosen-prefix collisions do not threaten all usages of SHA-1."

There are several potential scenarios in which the new collision could be implemented in an attack, the most likely of which is someone impersonating another user by creating an identical PGP key. But the researchers said there are other possibilities, as well.

"Another important scenario is the handshake signature in TLS and SSH which were vulnerable to the SLOTH attack when MD5 was supported, and could now be attacked in the same way when SHA-1 is supported. However, the attack is still far from practical in this setting because we need to compute the collision in a few minutes at most," Leurent said in an email.

There could also be attacks similar to the MD5 Rogue CA or the attack used by the Flame malware to break Windows updates, but that only works if someone is still signing certificates with SHA-1 and using predictable serial numbers. We are not aware of a CA doing this, but it may still exist somewhere.

The chosen-prefix collision is distinct from the SHA-1 collision developed by a team of researchers from Google and the Cryptology Group at Centrum Wiskunde and Informatica in the Netherlands. That work from 2017 showed that it was possible to create two distinct files that would have the same SHA-1 digest and resulted in the browser manufacturers deprecating SHA-1. In the new research, Leurent and Peyrin were able to show that SHA-1 should not be used for digital signatures, either.

“Using our SHA-1 chosen-prefix collision, we have created two PGP keys with different UserIDs and colliding certificates: key B is a legitimate key for Bob (to be signed by the Web of Trust), but the signature can be transferred to key A which is a forged key with Alice’s ID. The signature will still be valid because of the collision, but Bob controls key A with the name of Alice, and signed by a third party. Therefore, he can impersonate Alice and sign any document in her name,” the researchers said.

For many individual users, the new collision likely won’t have any practical effect, as the major browsers have already moved on from SHA-1, as have the major certificate authorities. However, the research does have implications for PGP users because PGP keys could be forged under some circumstances. And any SHA-1 certificates with predictable serial numbers also would be vulnerable.

"Currently, the concrete impact is mostly for people who use the PGP web of trust. If they trust SHA-1 signatures, an attacker could impersonate their contacts," Leurent said.

However, if there are still some automated systems (such as system updates) accepting and issuing SHA-1 certificates (either PGP certificates, or X.509 certificates issued with predictable serial numbers), this could become a more dangerous attack vector.

Leurent and Peyrin notified the developers of GnuPG and OpenSSL of their findings and GnuPG has implemented a countermeasure already, while OpenSSL’s developers are considering removing support for SHA-1.

This story was updated on Jan. 8 to add comments from Leurent.

<![CDATA[Firefox to Allow Users to Delete Telemetry Data]]> dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/firefox-to-allow-users-to-delete-telemetry-data https://duo.com/decipher/firefox-to-allow-users-to-delete-telemetry-data Mon, 06 Jan 2020 00:00:00 -0500

The start of a new year often brings changes, and for enterprise security teams when the calendar rolled over to 2020 it brought with it the beginning of the CCPA era. The new California Consumer Privacy Act went into effect on Jan. 1, requiring businesses to be clear about the data they collect on consumers and offer simple mechanisms for them to opt out of collection, among other things.

CCPA has a broad definition of personal information, which includes basically anything that can be connected directly or indirectly to a specific person or even a household. That data includes things such as names, home addresses, Social Security numbers, email addresses, IP addresses, driver’s license numbers, and other identifiers. The law requires companies to make it simple for consumers to refuse the sale of their data and allow people to request access to whatever data a business has collected on them.

In order to comply with the requirements of CCPA, which applies to many companies that do business in California, enterprises are making changes to their data collection and retention policies. One of the companies making changes is Mozilla, which will soon allow individuals to request that Mozilla delete all of the telemetry data it has collected about their Firefox sessions. In the next version of Firefox, due for release on Tuesday, Mozilla will provide a simple mechanism in the browser to ask the company to delete all past data it has collected on their browsing.

"We don’t think people should have to choose between the technology they love and their privacy."

Telemetry data is not the same as personal data and generally just includes information about the browser’s performance, any crashes or other anomalies, and how long a person’s browsing session was. Most browsers collect some kind of telemetry data, as do many other applications, including security tools. Mozilla has decided that with the advent of CCPA, now is the time to give people the opportunity to have their data erased.

“We don’t collect telemetry in private browsing mode and we’ve always given people easy options to disable telemetry in Firefox. And because we’ve long believed that data should not be stored forever, we have strict limits on how long we keep telemetry data,” said Alan Davidson, vice president of global policy, trust, and security at Mozilla.

“We’ve decided to go the extra mile and expand user deletion rights to include deleting this telemetry data stored in our systems. To date, the industry has not typically considered telemetry data “personal data” because it isn’t identifiable to a specific person, but we feel strongly that taking this step is the right one for people and the ecosystem.”

The change applies to all Firefox users, not just those living in California. Davidson said the move is part of Mozilla’s effort to make privacy easier and more accessible for its users.

“For Firefox, privacy is not optional. We don’t think people should have to choose between the technology they love and their privacy. We think you should have both. That’s why we are taking these steps to bring additional protection to all our users under CCPA,” he said.

<![CDATA[Government Officials Warn of Potential Iranian Cyberattacks]]> fahmida@decipher.sc (Fahmida Y. Rashid) https://duo.com/decipher/government-officials-warn-of-potential-iranian-cyberattacks https://duo.com/decipher/government-officials-warn-of-potential-iranian-cyberattacks Mon, 06 Jan 2020 00:00:00 -0500

United States government officials are warning of possible cyber-attacks from Iran after the United States military killed Qassem Soleimani, the chief of Iran’s Quds Force, in a drone strike in Baghdad last week.

While Acting Secretary of Homeland Security [Chad F. Wolf] wrote on Twitter that “there is no specific, credible threat against the homeland,” the Department of Homeland Security issued a National Terrorist Advisory System Alert stating, “Iran maintains a robust cyber program and can execute cyber attacks against the United States.” The system, which was implemented in 2011, has been used only a handful of times, underscoring the seriousness of the situation.

"Iran is capable, at a minimum, of carrying out attacks with temporary disruptive effects against critical infrastructure in the United States,” the alert said.

New York’s Department of Financial Services, the financial services regulator for the state, also issued an industry alert warning banks, insurers, and other businesses about the “heightened risk” of cyberattacks orchestrated by Iran.

One reason cyberattacks are attractive as a form of response is that they do not depend on a country's military capabilities. Success depends on how effectively attackers can design lures to compromise their targets, not on who has the best missiles (or drones). The potential for damage is also broader, as attacks go beyond military targets and government systems and affect private sector businesses and ordinary citizens.

“The IRGC’s [Islamic Revolutionary Guard Corps] cyber wing plus Shodan, with its comprehensive listing of compromised Internet of Things (IoT) devices, should give us pause,” Chris Bronk, an assistant professor at the University of Houston’s College of Technology, wrote for Forbes.com. Bronk also warned of disinformation and propaganda operations “aimed at shaping perceptions of the American and other publics with regard to a major military intervention in Iran.”

Past Activity

Cyberattacks have been part of the ongoing conflict with Iran for the better part of the decade, especially after Israel and the US famously developed Stuxnet to sabotage the Iranian nuclear program. Iranian groups launched multiple distributed denial-of-service attacks against bank websites in 2012 and 2013 in response to US sanctions, and Iran is believed to be responsible for the Shamoon malware that wiped the hard drives at oil giant Saudi Aramco in 2012. The malware damaged the computers to the extent that nothing could be recovered and everything had to be replaced.

In March 2018, the U.S. Department of Justice indicted the Mabna Institute and nine Iranian associates for compromising hundreds of universities to steal intellectual property and benefit financially. The government-backed cyber-espionage group (also known as Cobalt Dickens and Silent Librarian) compromised university resources to send library-themed phishing emails and to intercept researcher login credentials.

“Iran's offensive cyber capabilities have grown significantly since the 2012 days of banking sector denial of service attacks and Saudi Aramco/Shamoon destructive malware,” said Rick Holland, CISO and vice-president of strategy at Digital Shadows.

Iranian actors are known to use account takeover techniques and spear phishing to carry out their operations. They tend to rely on black market malware rather than custom-built tools. Defenders can employ security controls such as multi-factor authentication to mitigate account takeover attempts, and can convert email attachments to PDFs to “defang” malicious code in booby-trapped files and stop some of these operations, Holland said.

Wiped Systems

The groups’ reliance on wiper malware to destroy as many computers as possible is an area of concern. In 2014, Las Vegas Sands was hit with a wiper after owner Sheldon Adelson suggested a nuclear strike against Iran. IBM X-Force analysts recently uncovered previously unknown malware believed to have been used by Iranian attack groups in a data-wiping attack against industrial organizations in the Middle East.

Holland said businesses concerned about being targeted can also run through wiper tabletop exercises for help with extortion and ransomware planning.

“Don’t expect DDoS this time, they won’t view it as a proportionate response,” said Hank Thomas, CEO at Strategic Cyber Ventures. While wiper attacks so far targeted private corporations in the Middle East, it wouldn’t be surprising for the groups to “take their masks off” and target the US with wiper attacks for the first time, Thomas said.

“I do not feel that Iran will care about stealth, and will want the world to know it was them,” Thomas said.

Sowing Chaos

There are concerns the response would target civil society by attacking critical infrastructure—such as electric grids and transportation systems. Iran’s attack groups have been shifting their focus to consider ICS. Wired reported on Microsoft research identifying password-spraying attacks by Iran’s APT33 threat group against manufacturers, industrial equipment suppliers, and other firms associated with industrial control systems.

Setting up attack infrastructure, performing reconnaissance on who to target, and crafting the right kind of lures all take time, though, giving defenders time to familiarize themselves with attack methods they should look for.

Christopher Krebs, director of the Cybersecurity and Infrastructure Security Agency, wrote on Twitter that defenders needed to “brush up on Iranian TTPs and pay close attention to [your] critical systems, particularly ICS.”

Low-Level Activity

Most of the activity at the moment has been minor. A number of websites have been defaced with political messages, and CyberScoop reported a series of pro-Soleimani propaganda posts have appeared on Twitter and Instagram.

The Federal Depository Library Program (FDLP) portal where copies of all government publications are kept was also defaced. The attackers most likely took advantage of the fact that the portal appeared to be running an outdated version of the Joomla content management system. The analysis of the attack suggests that this was an opportunistic attack and not part of an official government response, as the attackers “added the standard ‘lol u got owned’ bit at the bottom of the page and went off to run automated attack tools against some other sites.”

“For companies with Iranian threat actors in their threat model, like Industrial Control System operators, heightened security monitoring is essential,” Holland said.

<![CDATA[CISA Seeks Comments on How Government Should Handle Vulnerability Reports]]> fahmida@decipher.sc (Fahmida Y. Rashid) https://duo.com/decipher/cisa-seeks-comments-on-how-government-should-handle-vulnerability-reports https://duo.com/decipher/cisa-seeks-comments-on-how-government-should-handle-vulnerability-reports Fri, 03 Jan 2020 00:00:00 -0500

There are only a handful of days left to weigh in on the draft directive from the Cybersecurity and Infrastructure Security Agency on how federal agencies should handle vulnerabilities in their public-facing websites.

When final, CISA’s binding operational directive would require federal agencies to establish vulnerability disclosure programs that security researchers could use to report vulnerabilities in Internet-accessible systems and services. Agencies will need to develop and publish their own vulnerability disclosure policies; set up processes to receive, process, and manage vulnerability reports; and provide certain metrics to CISA quarterly through CyberScope.

Since the comment period on the draft opened in November, CISA has received several suggested improvements and clarifications, such as defining legal protections for researchers, and setting mandatory timelines on how quickly vulnerabilities get addressed. The public comment period on the draft was supposed to close at the end of December, but now has been extended to Jan. 10 to give more people a chance to contribute.

“A VDP allows people who have ‘seen something’ to ‘say something’ to those who can fix it,” Jeannette Manfra, the assistant director of cybersecurity of CISA at the time, wrote in a blog post announcing the comment period. According to Manfra, it was the first time CISA had weighed public comment on a BOD before it was issued.

Legal protections

Many commenters focused on legal protections for researchers as there has always been the threat of legal action to suppress security researchers. Finding a vulnerability is one thing, but reporting it can result in cease-and-desist letters or getting arrested. "It makes clear that an agency welcomes and authorizes good faith security research on specific, internet-accessible systems," Manfra wrote.

One way to protect the researchers is to encourage the agencies to involve their Office of General Counsel when developing the policy. As the VDP would likely be executed out of the agency’s CIO office, it would be safer to know that the OGC had “reviewed and concurred with any assertions made regarding pursuit of legal action,” said Karim Said, a cybersecurity professional at NASA.

Jack Cable, noted bug bounty hunter, said agencies should adopt CISA's language for granting safe legal harbor to authorized researchers and develop a process for what happens when agencies don't fix their bugs. Making it "front and center" in the draft is a good sign, but requiring agencies to use the exact language specified by CISA "minimizes the risk of agencies including language that does not offer requisite protection to researchers," Cable wrote.

Prompt remediation

Researchers frequently complain that despite reporting vulnerabilities, organizations may not fix the issues as quickly as they should. Towards that end, CISA should "plan for the case that agencies fail to adequately remediate reported vulnerabilities," Cable wrote. For many agencies, the VDP would be the first time the agency has to deal with real vulnerability reports, and not every agency will succeed in patching its systems effectively and in a timely manner. "CISA and other policy leadership should plan for when this happens and aid agencies to improve their cybersecurity processes and talent," Cable said.

While there is no specific standard on when vulnerabilities have to be made public, the industry has informally adopted 90 days to patch or provide workarounds. A footnote in the draft recommends that the agencies also adopt the 90-day policy, but HackerOne founder and CTO Alex Rice thought it should be moved out of the footnote and into the main text, or else the recommendation could be "easily missed or ignored."

However, it should be clear that the 90 days is still a recommendation and not a requirement. International standards for VDP do not have timeframe requirements, and agencies should follow the standard, wrote Ari Schwartz, executive coordinator of the Cybersecurity Coalition. “Missing an artificial deadline may result in unmet expectations and loss of trust with vulnerability reporters, and potentially prompt premature public disclosure of un-mitigated vulnerabilities that creates additional risks of exploitation,” Schwartz wrote.

The directive should also require agencies to be transparent about remediation and not just say that a vulnerability has been remediated, Cable wrote. Lessons learned and changes going forward to prevent similar vulnerabilities would help improve the agency's security posture. "At minimum, agencies should have a mandatory retesting process where a second set of eyes confirms that a vulnerability has been remediated," Cable wrote. That may involve the researcher who originally reported the vulnerability.

Creating a VDP

CISA laid out a timeline for the agencies. Each agency must designate a security contact at the .gov registrar within 15 days of the directive and publish a vulnerability disclosure policy and a security.txt file within 180 days. The scope of the policy has to increase by at least one internet-accessible system within 270 calendar days, and every 90 days later—which gives agencies the opportunity to start the program on a small set of systems and slowly expand. All internet-accessible systems belonging to the agency must be covered by the policy two years after the BOD.
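An agency publishing a security.txt under the directive will want to check the file before it goes live. The checker below is an added example, not CISA's or any agency's code; it applies the field rules of RFC 9116 (an assumption, since the 2020 draft differed in detail) to constructed sample files for a hypothetical agency.

```python
"""Added example (not CISA's or any agency's code): a minimal checker for the
security.txt file the draft directive asks agencies to publish. Field rules
follow RFC 9116 (an assumption; the 2020 draft differed in details)."""
from datetime import datetime, timedelta, timezone

REQUIRED = ("Contact", "Expires")
KNOWN = {"Contact", "Expires", "Encryption", "Acknowledgments",
         "Preferred-Languages", "Canonical", "Policy", "Hiring", "CSAF"}
MAX_VALIDITY = timedelta(days=365)  # RFC 9116: Expires should be < 1 year out


def parse_security_txt(text):
    """Return {field: [values]}; comments and blank lines are skipped and
    field names (case-insensitive per the spec) are canonicalised."""
    canon = {k.lower(): k for k in KNOWN}
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed line: %r" % raw)
        key = canon.get(name.strip().lower(), name.strip())
        fields.setdefault(key, []).append(value.strip())
    return fields


def parse_expires(value):
    """Parse the ISO 8601 timestamp used by Expires (trailing Z allowed)."""
    if value and value[-1] in "zZ":  # fromisoformat before 3.11 rejects 'Z'
        value = value[:-1] + "+00:00"
    when = datetime.fromisoformat(value)
    if when.tzinfo is None:  # treat a bare timestamp as UTC
        when = when.replace(tzinfo=timezone.utc)
    return when


def check_security_txt(text, now=None):
    """Return a list of findings; an empty list means the file passes."""
    now = now or datetime.now(timezone.utc)
    try:
        fields = parse_security_txt(text)
    except ValueError as e:
        return [str(e)]
    findings = ["missing required field: %s" % f for f in REQUIRED if f not in fields]
    for uri in fields.get("Contact", []):
        if not uri.startswith(("mailto:", "tel:", "https://")):
            findings.append("Contact must be a mailto:, tel: or https: URI: %s" % uri)
    expires = fields.get("Expires", [])
    if len(expires) > 1:
        findings.append("Expires must appear exactly once")
    for exp in expires[:1]:
        try:
            when = parse_expires(exp)
        except ValueError:
            findings.append("Expires is not an ISO 8601 timestamp: %s" % exp)
            continue
        if when <= now:
            findings.append("file expired on %s" % exp)
        elif when - now > MAX_VALIDITY:
            findings.append("Expires is more than a year away: %s" % exp)
    for url in fields.get("Policy", []) + fields.get("Canonical", []):
        if not url.startswith("https://"):
            findings.append("non-https URL: %s" % url)
    findings += ["unknown field: %s" % f for f in sorted(set(fields) - KNOWN)]
    return findings


# Constructed sample files for a hypothetical agency (not a real domain).
GOOD = """\
# security.txt for example-agency.gov (constructed sample)
Contact: mailto:security@example-agency.gov
Contact: https://example-agency.gov/report-a-vulnerability
Expires: 2020-12-31T23:59:00Z
Policy: https://example-agency.gov/vulnerability-disclosure-policy
Preferred-Languages: en
"""
BAD = """\
Contact: security@example-agency.gov
Policy: http://example-agency.gov/vdp
"""

if __name__ == "__main__":
    fixed_now = parse_expires("2020-01-10T00:00:00Z")  # the comment deadline
    print("good:", check_security_txt(GOOD, fixed_now) or "passes")
    print("bad: ", check_security_txt(BAD, fixed_now))
```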