STE WILLIAMS

Researchers Build Framework for Browser-Based Botnets

HTML5 used to build persistent malware on victims’ computers.

Researchers have created a new framework dubbed MarioNet that allows an attacker to control a victim’s browser and all of its resources.

Modern browsers have become more than simple windows into HTML documents; instead, they are “sophisticated browsing software that essentially behaves as an integrated operating system for web applications,” according to new research presented today at Network and Distributed Systems Security (NDSS) Symposium 2019.

The researchers – Panagiotis Papadopoulos, Panagiotis Ilia, Michalis Polychronakis, Evangelos P. Markatos, Sotiris Ioannidis, and Giorgos Vasiliadis – devised a framework for building persistent malicious networks on a browser-based foundation, which they detailed in their paper “Master of Web Puppets: Abusing Web Browsers for Persistent and Stealthy Computation.”

The power of malware that uses HTML5 and other browser-based software as an attack component stems from the fact that, by default, Web applications are understood to be trusted and can run client-side JavaScript code with no natural limitations.

MarioNet is a three-step system involving components the researchers call the distributor, servant, and puppeteer. And it is these three components and the persistence they enable that make MarioNet something new.

The distributor is the infection piece, placing the rest of the package on the victim’s browser from a single visit to an infected website. The servant is the piece that becomes embedded in the victim’s browser, executing the malicious payload as directed by the puppeteer. 

The puppeteer remains on the victim’s system, communicating with a C2 server, directing the execution of malicious code, and controlling the code’s use of computer resources in order to remain as elusive and evasive as possible.

“The immediate interest is persistence. The paper mentions that these infected sites, however they’re infected, they can have the infection piece removed [and] the attack persists,” says Mike Bittner, associate director of digital security and operations at The Media Trust. “That attack can take many forms, including DDoS traffic engines and cryptominers, credential skimmers, and banking remote-access Trojans.”

Unman Rahim, digital threat analyst at The Media Trust, says this new threat is critical because malicious hackers have been figuring out how to weaponize HTML5’s features.

“They’ve been using obfuscation/deobfuscation JavaScript to disguise malicious code. Now they can use service workers — scripts that offer rich online experiences, push notifications, and background syncs — to gain control of users’ browsers long after users have left the compromised site and to help attacks persist despite browser reboots,” Rahim says.

MarioNet is an evolution of the threat possible through HTML5. While there has been a growing trend of malware built on HTML5, Bittner says, “It’s a trend to make the browser an attack surface. The ability to communicate with a third party over the browser, though, is something you don’t see very often.”

The research raises another issue: academic computer researchers presenting details of an attack mechanism that had not previously been seen in the wild. “It’s a double-edged sword. It’s good because people like me have something to look out for and defend against, but it may be something that people didn’t know about before and can now take advantage of.”

“From a security professional aspect it’s something I wish we could share just among ourselves, but I think the good outweighs the bad,” he says.


Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and …

Article source: https://www.darkreading.com/application-security/researchers-build-framework-for-browser-based-botnets/d/d-id/1333974?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Harassment, hate and bile, suicide instructions for kids… anything else social media’s good at? Ah yes, cybercrime

Antisocial media sites like Facebook, LinkedIn, Twitter, and YouTube aren’t merely inciting hatred, enabling discrimination, driving content moderators to the brink, and showing kids how to commit suicide. They’re also making cybercrime more practical and profitable, at the expense of law-abiding internet users.

In a cybersecurity survey, titled Social Media Platforms and the Cybercrime Economy, scheduled for release on Tuesday and sponsored by security biz Bromium, Mike McGuire, senior lecturer in criminology at the University of Surrey in England, finds that crimes enabled by social media create at least $3.25bn in global cybercrime revenue annually.

Such cybercrime affects business as well as individuals: one in five organizations has been infected with malware distributed through social media, according to the study, and one in eight has had data exposed by social media malware. Among individuals, over 1.3bn social media users have had data exposed in the past five years, it is claimed.

Social media platforms aspire to distribute viral content and they do manage to be contagious. About half the illicit data trading that occurred from 2017 through 2018 could be traced to compromised social media platforms. And four of the top five global websites carrying cryptomining code were social media platforms, or so we’re told.

Image problem

One reason for this is that social media platforms have as much as 20 per cent more methods by which malware can be delivered – they have more images, videos, advertisements, and plugins – than media websites.

The problem is magnified by the tendency of social media users to trust content from people they recognize, which makes distributing malicious content easier.

The report says, “The very nature of interaction across social networks promotes rapid and seamless spread of infection – a problem made vastly more complicated by the tendency for social media to allow user profiles to be shared across multiple platforms.”

About 30 to 40 per cent of social media malware comes from ads, the report says, and another 30 per cent of social media infections come from social media plugins. At some sites, the percentage is higher – over 60 per cent of infections on Facebook come from third-party apps downloaded from the site.

Gregory Webb, CEO of Bromium, in a statement, said hackers use social media as a Trojan horse to attack enterprises.

Businesses, the report argues, need to better understand how social media gets used by employees and must craft defenses that go beyond bans that won’t be effective anyway.

McGuire’s research combines original data drawn from the 10 largest social media sites with secondary data drawn from various sources over the past few years. His report concludes that social media companies need to do more to keep cybercriminals from exploiting their platforms and from profiting from cybercrime. They also need to do more to ferret out fake accounts, he argues.

The social media giants have been urged to take more responsibility for years. Rather than shouldering the expense of preemptive editorial oversight, they prefer after-the-fact content reviews that leave moderators traumatized or radicalized. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/02/26/cybercrime_social_media/

Latest 4G, 5G phone-location slurp attack is a doozy, but won’t Torpedo Average Joe or Jane

Analysis A group of infosec researchers have uncovered neat ways to track a phone’s location via 4G or 5G. However, the mechanics of the surveillance, while fascinating, are difficult to pull off for all but the most determined foe.

The so-called Torpedo attacks are said to allow someone nefarious to trace a person’s whereabouts by using side-channel features of the 4G and 5G cellular comms specifications. It is possible to use the base Torpedo principle to perform an IMSI-cracking attack, which brute-force decodes a device’s encrypted IMSI, or perform a Piercer attack, which links a phone number to an IMSI.

According to a paper [PDF, 985kB] due to be presented today at NDSS (Network and Distributed System Security Symposium) in the US by Syed Rafiul Hussain, along with Ninghui Li and Elisa Bertino, all of Purdue University, and Mitziu Echeverria and Omar Chowdhury at the University of Iowa, the snooping relies on having some prior knowledge of one’s target and of how to intercept and read LTE paging channel messages.

Crucially, the nature of the surveillance, as described by the team in their paper, means that – much like the minor controversy over password managers this month – it is not an attack vector many people should realistically live in fear of.

The paper appeared online in December, and its findings have been acknowledged by the GSMA, the world’s mobile networks’ trade body, which is working on fixing up the problems. No proof-of-concept exploit code or detailed instructions have been released as the vulnerabilities are said to be still live.

How did they figure this out?

To understand the Torpedo family of attacks you need to understand some basic things about how LTE mobile networks work. What follows here is a little oversimplified.

Your mobile phone’s rough location is always known to your network because it has to talk to a nearby base station run by your mobile operator. When someone wants to call you, the mobile network tells the last base station that was talking to your phone to broadcast a paging message for it. If your phone receives that paging message, it replies to say “here I am!” and the call is connected.

In security terms, your phone’s identity to the network can be split into two parts: the International Mobile Subscriber Identity (IMSI) and the Temporary Mobile Subscriber Identity (TMSI). The IMSI is stored on your SIM card and doesn’t change; the TMSI is assigned to your phone by its nearby base station. Every time your phone goes out of reception from one base station, the next base station assigns a new, unique TMSI.

In the 4G and 5G LTE specifications there’s a fair bit of maths that goes on so phones can time-share radio channels, sync with the base station only at known times to check for new paging messages, and so on. One of the important parts of that maths is called the Paging Frame Index, or PFI, and it is broadcast as part of the paging message. The PFI is unique to each device in a cell’s area, being derived in part from the IMSI.

The goal is discovering that IMSI, so it can be used to track the phone’s travels or presence, as it moves from base station cell to base station cell.

The Torpedo attack

First of all: the snooper must already have your phone number, and know roughly where you and your phone will physically be at a given time. These two things are far from impossible to obtain, but do rely on the miscreant having some knowledge of you and your travel habits.

The attacker must also set up one or more RF sniffers capable of reading a particular paging message over the airwaves. Again, this is not impossible to do, but does require planning and resources.

To carry out the attack, the spy waits until they know their target is in the rough area of the radio sniffer hardware, and calls (or texts, or WhatsApps, or whatever method of choice triggers a pushed service of some sort) the target’s phone. This triggers a paging message broadcast. The researchers summarised one attack method as follows:

  1. Make a call.
  2. Listen for paging messages over the air during the delivery window.
  3. Remove from the set all PFI values that do not have a paging message during the window.
  4. If only one PFI value remains in the set, then it concludes that this is [the target’s] PFI.
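To see why the elimination in steps 2–4 converges after only a handful of calls, here is an added simulation (not code from the paper or this article) that intersects the paging observations of successive delivery windows. The PFI space size and the per-window observations are constructed, and the inconsistent case, where a missed paging empties the candidate set, is reported rather than silently yielding a wrong answer.

```python
"""Candidate elimination behind the Torpedo paging side channel.

Constructed simulation, not code from the paper or the article.  Each trial
is one call placed while an observer records which paging frame indexes
(PFIs) carried a paging message during the delivery window.  The target's
PFI is paged in every window; other PFIs appear only when unrelated
subscribers happen to be paged at the same time.  Intersecting the
per-window sets is the elimination step the article lists as steps 2-4.
"""
from typing import Iterable, List, Optional, Set, Tuple

# Assumed size of the PFI space for the simulation; the real value depends
# on the cell's paging configuration and is not taken from the article.
PFI_SPACE = 16

# Constructed observations, one set per trial (call).  The target (PFI 6)
# is paged every time; the other entries are background paging traffic.
SAMPLE_WINDOWS = [
    {1, 6, 9, 12},
    {3, 6, 12},
    {0, 6, 12},
    {5, 6},
]


def eliminate_candidates(
    windows: Iterable[Set[int]], pfi_space: int = PFI_SPACE
) -> Tuple[Optional[int], int, List[int]]:
    """Apply the elimination loop over successive delivery windows.

    Returns (pfi, trials, history):
      pfi      -- the surviving PFI, or None if the observations were
                  inconsistent (candidate set emptied) or inconclusive
                  (more than one candidate left after all windows)
      trials   -- number of windows consumed
      history  -- candidate-set size after each trial, for inspection
    """
    candidates = set(range(pfi_space))
    history: List[int] = []
    trials = 0
    for observed in windows:
        trials += 1
        # Step 3: drop every PFI that had no paging message this window.
        candidates &= set(observed)
        history.append(len(candidates))
        if not candidates:
            # A missed paging (for example the device was not idle yet)
            # empties the set; report it instead of guessing.
            return None, trials, history
        if len(candidates) == 1:
            # Step 4: a single survivor is taken as the target's PFI.
            return next(iter(candidates)), trials, history
    return None, trials, history


def estimated_minutes(trials: int, interval_seconds: float) -> float:
    """Wall-clock cost if successive calls are spaced interval_seconds apart."""
    return trials * interval_seconds / 60.0


def run_sample() -> dict:
    """Run the constructed observations and report the outcome."""
    pfi, trials, history = eliminate_candidates(SAMPLE_WINDOWS)
    # The article quotes a 30-35 second gap between trials; use both ends.
    minutes = (estimated_minutes(trials, 30), estimated_minutes(trials, 35))
    return {"pfi": pfi, "trials": trials, "history": history, "minutes": minutes}


if __name__ == "__main__":
    print(run_sample())
```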

From there you can attempt to use the team’s related Piercer attack to obtain the target’s IMSI, which is normally encrypted over the air, from the cell network, and link it to his or her phone number. Briefly, to achieve this, a snoop hijacks the paging channel and forces the network to eventually broadcast a paging message for the target’s IMSI itself, rather than the derived TMSI.

This behaviour is a routine part of how some operators’ LTE networks are designed to locate a user device that goes AWOL, and it can be triggered by a single phone call – provided the attacker has hijacked the paging channel first. It does depend on whether the network has been set up to broadcast an IMSI paging message in clear, though. The technique is not guaranteed to work.

Reg comment: Not as severe as it sounds

Consider somewhere like London, which is smothered in base stations, not-spots and plenty of opportunities for a phone to be abruptly taken out of coverage to a completely different location, as happens when you get on the London Underground.

The surveillance as described in the paper can locate you to within the coverage radius of a mobile network base station. Running Torpedo against a single base station cannot tell an attacker that you are on a particular street, outside a particular shop, or gazing out of a particular window in a particular office block. Just that you’re within that area, because your phone is present with its unique IMSI.


With that said, a determined attacker who knows your location well and is equipped with multiple sniffers could more precisely locate you using triangulation techniques that police forces use to locate suspected gang members. They could also track you as your handheld moves from cell to cell.

This method is so useful that British prosecutors routinely convince courts to impose conditions on convicted drug and gang criminals forcing those people to only use a specified mobile phone number unless they notify police of a new one.

Finally, making a number of phone calls in a short period of time and hanging up before they are answered can trigger a paging message without alerting the target device to an incoming call, which an attacker can use to track a victim’s location. Knowing the victim’s paging occasion also lets an attacker hijack the paging channel and inject or deny paging messages, by spoofing messages like Amber alerts or blocking messages altogether, the researchers say.

In the infosec lingo, does this feature in your threat model? If so, you are more likely to be the target of determined state-level adversaries than you are from a drive-by cyber-crim or even a moderately organised criminal gang, unless you’ve managed to annoy some seriously well-resourced people.

The cops or intelligence agents could just ask, with a warrant or other suitable powers, your mobile network operator to hand over your phone location, of course – and potentially fall back to the above techniques if they’d rather do this without a telco’s involvement and have the right kit.

There’s also the question of timing. The researchers said in their paper that it is “necessary to wait (about 30-35 seconds) for the device to move to the idle mode before making the next trial. Therefore, for ToRPEDO to be successful, it requires 2.4–4.3 minutes on average when successive phone calls are placed with an interval of 30-35 seconds.”

If you’re stationary (sitting at home or in a workplace) that is easily doable – assuming, that is, the target doesn’t do something disruptive like wonder why their phone’s going off every 30 seconds with a dropped call or message and turn it off. If you are outdoors and moving around between base station areas, it becomes more of a question of luck than a hostile person or group’s technical judgement.

As for the IMSI-cracking attack, which is an alternative way of obtaining the ID if Piercer doesn’t work, it can take a week: the team spent about 74 hours spread over seven days to brute-force a single subscriber’s identity. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/02/26/torpedo_piercer_attacks/

Up up and Huawei in my beautiful buffoon: Trump sparks panic by tying tech kit ban, charges to China trade negotiations

Efforts to pressure the White House into banning Huawei hardware from America’s networks may have backfired.

President Trump appears to have jumped the establishment’s tracks, and tied the banishment of the Chinese manufacturer’s kit to his ongoing trade tiff with China – meaning any deal hammered out with the Middle Kingdom could lift any restrictions or criminal charges against Huawei.

For the past year, Republicans in Congress, and Uncle Sam’s spymasters, have been arguing, without publishing any evidence, that Huawei represents a national security threat as the Chinese government may oblige the company to add backdoors to its products, and thus Beijing’s spies can remotely control the devices to snoop on Western citizens, corporations, and intelligence.

As part of that effort, Congress passed the National Defense Authorization Act which instructed all federal agencies to avoid using equipment from Huawei or ZTE.

But in recent months that effort has expanded to trying to pressure European allies to also ban Huawei equipment from critical networks, and there have been efforts to persuade President Trump to sign an executive order that would ban Huawei and ZTE equipment in networks that carry any government data, which could have far-reaching broader consequences in the private sector.

As efforts to prevent a trade war between the US and China have advanced in the past few days, the Huawei ban and even criminal charges against the manufacturer and its chief beancounter have seemingly been put on the table by Trump, alarming officials.

On Thursday, Trump tweeted about 5G and wanting the US “to win through competition, not by blocking out currently more advanced technologies” just before trade talks with China’s vice-premier Liu He took place at the White House.

The next day, Trump appeared to confirm that Huawei had become part of the talks when he told reporters he was going to discuss another possible ban on Chinese equipment with Liu He. “I guess it will be somewhat of a subject… We may or may not include that in this deal,” he said.

In response to subsequent questions about the criminal charges filed against Huawei and its chief financial officer, Trump then notably refused to say whether a possible dropping of those charges was also on the table. Instead he said the White House will “be talking to the US attorneys” and his Attorney General about dropping the charges.

One big blur

That blurring of boundaries, connecting national security and criminal charges to a trade deal, has caused concern.

At a briefing on Capitol Hill this week, one of the politicians who has pushed hardest on the issue, former Republican representative for Michigan Mike Rogers, warned against “any linkage” between the issues, and urged the White House to drop the idea of tying national security and criminal charges to trade “like a hot potato.” Others warned that it could send the message that the US justice system is for sale.

Meanwhile, the effort to ban Huawei everywhere has started gaining critics. A former FCC official has criticized the executive order idea banning Chinese equipment on networks that “carry government data” as “too blunt an instrument” which is diplomatic code for “stupid.”

Previously the FCC, under political pressure, has said it will look into whether to ban companies that pose national security threats from receiving funds from the multi-billion dollar fund it is using to subsidize the rollout of 5G networks, effectively forcing companies not to use Huawei equipment.


European allies have also made it increasingly plain that they don’t buy the American national security argument, with both the UK and Germany noting that they cannot find any evidence of a spying program.

Both are being careful not to upset an increasingly irrational US establishment, with the UK saying that China does represent a threat but it will work with Huawei to fix potential issues that its review of the company’s source code uncovered. Germany is also avoiding a direct conflict while making it clear that it is not just going to take the US’ word for it.

But despite the growing pushback and signs that anti-Chinese rhetoric may have gone too far, some are still aggressively pushing the issue.

This week, senators from both parties wrote a letter to the White House asking it to extend a Huawei ban from 5G networks to solar power systems, again claiming that the company’s electrical converters pose a national security threat.

The logic is that such converters could be subverted and used in a cyberattack, cutting off power to parts of the US, although you can’t help but feel that at this point politicians are flipping through the Huawei product catalogue and wondering what else could theoretically pose a threat. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/02/26/trump_huawei_ban_china/

You’ve got Thunderclap! macOS, Windows pwnage via peripherals is back in black

Computers have enough trouble defending sensitive data in memory from prying eyes that you might think it would be unwise to provide connected peripherals with direct memory access (DMA).

Nonetheless, device makers have embraced DMA because allowing peripherals to read and write memory without oversight from the operating system improves performance. It’s become common among network cards and GPUs, where efficient data transfer is necessary.

To prevent abuse, vendors have implemented input-output memory management units (IOMMUs), which attempt to limit the CPU memory regions available to attached devices.

Unfortunately, as with CPU architecture capabilities designed to deliver speed, like speculative execution, device makers turn out to be overconfident in their defenses. A wide variety of laptop and desktop computers can be compromised by malicious peripherals, allowing the extraction of secrets from memory or root shell access, despite supposed protections.

Proof that peripherals can pwn you

A paper presented today at the Network and Distributed System Security Symposium (NDSS) in San Diego, Calif., describes a set of vulnerabilities in macOS, FreeBSD and Linux, “which notionally utilize IOMMUs to protect against DMA attackers.”

“Notionally” here serves as polite academese for “fail to.” As the paper’s authors put it, “We investigate the state-of-the-art in IOMMU protection across OSes using a novel I/O-security research platform, and find that current protections fall short when faced with a functional network peripheral that uses its complex interactions with the OS for ill intent.”

The aforementioned research platform, dubbed Thunderclap, and the associated paper represent the work of assorted academic and think tank boffins: A. Theodore Markettos, Colin Rothwell, Allison Pearce, Simon W. Moore and Robert N. M. Watson (University of Cambridge), Brett F. Gutstein (Rice University) and Peter G. Neumann (SRI International).

Thunderclap is an FPGA-based peripheral emulation platform. The researchers claim that it can be used to interact with a computer’s operating system and device drivers, bypassing IOMMU protections. You connect it to a device and seconds later it’s compromised.

“The results are catastrophic, revealing endemic vulnerability in the presence of a more sophisticated attacker despite explicit use of the IOMMU to limit I/O attacks,” the paper explains. “We are able to achieve IOMMU bypass within seconds of connecting on vulnerable macOS, FreeBSD, and Linux systems across a range of hardware vendors.”

Malicious peripherals may not be as alarming as remote code execution vulnerabilities because local access to a target device is necessary and physical security precautions can be effective. But DMA attack scenarios shouldn’t be brushed aside too lightly.

“In the most accessible version of our story, you obtain a VGA/Ethernet dongle, power adapter, or USB-C storage device from a malicious person/organization and your device is immediately compromised,” explained Robert N. M. Watson, senior lecturer in systems, security, and architecture at the University of Cambridge Computer Laboratory, in an email to The Register.

“But it’s worth thinking a bit further: we can consider a range of supply-chain and remote device attacks, such as attacks against Thunderbolt or PCI-e devices themselves that allow them to then be used against an end user.”

Think supply and demand

As examples, Watson cites supply chain attacks originating in a factory, in firmware development or as a result of a vulnerability in Ethernet dongle firmware or Wi-Fi firmware that could be triggered via malicious network traffic. He also suggests the possibility of a supply chain attack involving malicious firmware on public USB charging stations.

Devices that include a Thunderbolt port (Apple laptops and desktops since 2011, some Linux and Windows laptops and desktops since 2016) or support for Thunderbolt 3 (USB-C) or older versions of Thunderbolt (Mini DisplayPort connectors) are affected by this research. So too are devices that support PCI-e peripherals, via plug-in cards or chips on the motherboard.

Apple, Microsoft, and Intel have issued patches that partially fix the revealed vulnerabilities, but additional mitigation will be required to address the issues identified by the researchers. Windows, which makes limited use of the IOMMU, remains vulnerable.

For example, the paper says, macOS 10.12.4 implements a code-pointer blinding feature, which limits the injection of kernel pointers, but fails to secure other data fields, including data pointers, that may leave systems vulnerable.

Microsoft released Kernel DMA Protection to provide IOMMU support in devices shipped with Windows 10 1803 (updates don’t count), but hasn’t yet provided documentation for device-driver makers to implement such defenses.

The Linux security team considers peripheral security within its threat model but considers the problem difficult to address due to the variety of device drivers. An Intel patch in kernel 4.21 enables the IOMMU for Thunderbolt ports and disables ATS. The FreeBSD Project doesn’t consider malicious peripherals part of its threat model but asked for a copy of the paper for review.

Protect yourself

“For systems where it’s under admin control (Linux and FreeBSD), we recommend enabling the IOMMU at boot,” said Theodore Markettos, senior research associate in the University of Cambridge Computer Laboratory, in an email to The Register.

“This will likely have a performance implication. More deeply, we are highlighting that the interface between peripherals capable of DMA and the kernel is much richer and more nuanced than previously thought.”

Markettos argues that operating system kernels and device drivers should treat interactions with peripherals with the same wariness that operating systems and applications treat data from the internet.


“The system call interface between processes and the kernel has received substantial scrutiny and hardening, and the same process should be applied to the interface between peripherals and the kernel,” he said.

The researchers have been exploring IOMMU issues since 2015 and working with vendors since 2016. They have now released Thunderclap as an open source project to assist with the identification and remediation of DMA attacks.

“We began our research into this problem in early 2015 using OS tracing techniques to investigate how IOMMUs were managed by various operating systems – the results were not encouraging,” said Watson.

“This led us to a far more detailed multi-year vulnerability analysis, hardware prototyping, and close conversations with multiple vendors to help them understand the implications of the work on their current and future products. We hope very much that our open-source research platform will now be used by vendors to develop and test their I/O security protections going forwards.”

And it appears there’s more work to do. Markettos said DMA in peripherals has become popular due to increasing performance requirements. He and his colleagues have yet to poke around NVMe storage on phones, other phone peripherals including Wi-Fi, GPU, audio, mobile baseband, and cameras, SD card spec v7 (which supports PCIe/NVMe), NVMe over ethernet and other fabrics, and DMA in embedded systems.

“We’ve been advising vendors to be cautious about adding new devices that support DMA before they understand the security model,” said Markettos. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/02/26/peripherals_hacking_scheme/

‘Cloudborne’: Bare-Metal Cloud Servers Vulnerable to Attack

Firmware vulnerabilities provide direct access to server hardware, enabling attackers to install malware that can pass from customer to customer.

Firmware vulnerabilities in so-called bare-metal cloud servers let attackers install malware and backdoors, which remain active and grant access as servers are reassigned to new customers.

Researchers at Eclypsium are today releasing a report on firmware security issues they believe represent “a fundamental gap” in cloud infrastructure security. Their findings show baseboard management controllers (BMC) built into cloud servers could put customers at risk. While their study is based on IBM SoftLayer technology, they emphasize other providers may be exposed.

“This is a huge industry issue,” says Yuriy Bulygin, Eclypsium founder and CEO, who formerly led the advanced threat research team at Intel Security.

With most infrastructure-as-a-service (IaaS) offerings, customers share resources on a physical server. Some organizations, however, have high performance requirements for certain applications or sensitive information they don’t want on a machine shared with other firms.

In these cases, providers offer bare-metal cloud services. Customers buy full access to a dedicated physical server they can use however they want, without worrying it will interfere with others’ data or buying and supporting additional hardware. When they’re done using a bare-metal server, it’s reclaimed by the provider, wiped, and repurposed for future customers.

Bare-metal cloud provides certain advantages; for example, performance improvement and the ability for businesses to install their own software stack. It also introduces new security risks as attackers have direct hardware access. This isn’t the first time Eclypsium has published findings on firmware flaws: last June, they published findings on vulnerabilities in Supermicro systems.

What is Cloudborne?

Now, researchers say, bare-metal servers may not be fully erased before future use. The vulnerability, which they dubbed Cloudborne, is in the BMC – a privileged component used to manage the server. Using the Intelligent Platform Management Interface (IPMI), admins can send commands to the server or modify/reinstall an OS without physical access to the machine.

Vulnerabilities in the BMC could allow any customer to leave a backdoor on the server. “It’s a fundamental gap in the cloud infrastructure, and it’s exaggerated in bare-metal cloud infrastructure,” says Bulygin. “The problem is that a customer – potentially a malicious customer – of a cloud service provider can have access to bare-metal instances,” on which they can modify firmware and infect future users of the same machine with data theft, ransomware, and other threats.

Eclypsium conducted an experiment using IBM’s SoftLayer cloud server platform, which offers bare-metal instances in most of its 35 global data centers. The team initially chose SoftLayer because of its simplified logistics and hardware access, as they explain in a blog post. But the researchers also noticed SoftLayer used Supermicro hardware, which their earlier research had shown to be vulnerable.

Researchers bought access to a bare-metal server, verified it was running the latest BMC firmware, and noted the product chassis and serial numbers for future identification. They then made a minor change to the BMC firmware – a single bit flip inside a text comment in an image they had prepared – and created an additional IPMI user, which they gave administrative access to the BMC channels.

They returned the server to IBM, which conducted the reclamation process, and were later able to reacquire the same server. While the new IPMI account was gone, their change to the BMC firmware remained. Researchers say this shows the BMC firmware wasn’t re-flashed during reclamation, which they say makes it possible to implant malicious code into the firmware and steal data from future users.

Researchers also noticed the BMC logs were retained across provisioning, as was the root password. Since the logs were not deleted, future customers could view the actions of previous server owners and attackers could use the root password for future access.

“Most people aren’t doing any verification,” says John Loucaides, vice president of engineering at Eclypsium, of the reclamation process. “Most people ignore the whole firmware layer altogether.” Given IBM is a large player and was affected by this issue, he anticipates other companies in the industry are affected as well.
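As an added illustration of the verification gap Loucaides describes (example code written for this page, not Eclypsium’s or IBM’s tooling), the Python below shows why “verified it was running the latest BMC firmware” is not the same as verifying the firmware: a single bit flipped in a text comment leaves the reported version string intact and changes only the whole-image hash. It also parses an `ipmitool user list`-style listing to flag privileged accounts that are not on an allow-list. The toy firmware layout, the golden image, the allow-list and the user listing are all constructed assumptions. A real check must obtain the image through a path a compromised BMC cannot falsify (an external flash read or a vendor-signed recovery flow), because the firmware reports its own version.

```python
"""Added example (not Eclypsium's or IBM's code): a version-string check is
not a firmware integrity check, and leftover IPMI accounts should be audited.

Everything below (firmware layout, golden image, user listing, allow-list)
is constructed for this illustration.
"""
import hashlib
import re

HEADER = b"BMCFW\x00"          # constructed magic, 6 bytes
VERSION_LEN = 32               # version string field, NUL padded
COMMENT_LEN = 64               # free-text build comment, NUL padded
PAD = b"\xff" * 128            # stands in for the rest of the flash


def build_toy_firmware(version: str, comment: str) -> bytes:
    """Constructed image: header | version | comment | padding."""
    body = version.encode().ljust(VERSION_LEN, b"\x00")
    body += comment.encode().ljust(COMMENT_LEN, b"\x00")
    return HEADER + body + PAD


def reported_version(image: bytes) -> str:
    """What a 'running the latest firmware?' check effectively inspects."""
    start = len(HEADER)
    return image[start:start + VERSION_LEN].rstrip(b"\x00").decode()


def flip_bit(image: bytes, byte_offset: int, bit: int) -> bytes:
    """Copy of image with one bit toggled (the kind of change planted in a comment)."""
    buf = bytearray(image)
    buf[byte_offset] ^= 1 << bit
    return bytes(buf)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_firmware(image: bytes, golden_sha256: str, expected_version: str) -> dict:
    """The version check passes on a tampered image; the whole-image hash does not.

    The image must come from a read path the BMC cannot lie about; a backdoored
    BMC will happily report a clean version and clean contents.
    """
    return {
        "version_ok": reported_version(image) == expected_version,
        "hash_ok": sha256_hex(image) == golden_sha256,
    }


# Constructed listing in the shape of `ipmitool user list 1` (columns abbreviated).
SAMPLE_USER_LIST = """\
ID  Name             Callin  Link Auth  IPMI Msg   Channel Priv Limit
1                    true    false      false      NO ACCESS
2   ADMIN            true    false      false      ADMINISTRATOR
3   svc_backdoor     true    false      true       ADMINISTRATOR
"""

# Name may be empty, and the privilege column may contain a space ("NO ACCESS").
USER_ROW = re.compile(
    r"^\s*(\d+)\s+(\S*?)\s*(true|false)\s+(true|false)\s+(true|false)\s+(.+?)\s*$"
)


def audit_ipmi_users(user_list_output: str, expected_admins=frozenset({"ADMIN"})) -> list:
    """Return (id, name, privilege) for privileged accounts not on the allow-list."""
    unexpected = []
    for line in user_list_output.splitlines()[1:]:       # skip header row
        m = USER_ROW.match(line)
        if not m:
            continue
        uid, name, _callin, _link, _msg, priv = m.groups()
        if priv in ("ADMINISTRATOR", "OPERATOR") and name not in expected_admins:
            unexpected.append((int(uid), name, priv))
    return unexpected


if __name__ == "__main__":
    golden = build_toy_firmware("3.68", "Build 2018-11-01 release")
    golden_hash = sha256_hex(golden)
    # Toggle the 0x20 bit of the comment's first byte: "Build" -> "build".
    tampered = flip_bit(golden, len(HEADER) + VERSION_LEN, 5)
    print("clean   :", verify_firmware(golden, golden_hash, "3.68"))
    print("tampered:", verify_firmware(tampered, golden_hash, "3.68"))
    print("unexpected IPMI accounts:", audit_ipmi_users(SAMPLE_USER_LIST))
```

On the tampered image `version_ok` stays true while `hash_ok` turns false, which is exactly the case the reclamation process in the article missed; the account audit catches the kind of extra IPMI user the researchers added, which IBM’s process did remove.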

BMC Bugs Have Been Found Before

This isn’t the first time security experts found evidence of Supermicro BMC issues affecting bare-metal cloud servers. It has been a few years since researchers at Rapid7 found security issues in the Supermicro IPMI firmware, used in the BMC of Supermicro motherboards. At the time, HD Moore, then its chief research officer, analyzed the issue related to bare-metal cloud servers. Rapid7’s results were similar to Eclypsium’s, he says, but at the time the team felt publicly disclosing an insecure process from a specific provider wouldn’t benefit the public.

“That equation has shifted a bit with consolidation among providers and the much broader adoption of cloud services,” Moore says. Now, he says, Eclypsium’s research is “an important problem” and “something both customers and providers should be aware of.”

A compromised Supermicro BMC can be used to attack the host operating system in several ways, he continues. The most straightforward is via the BMC’s built-in remote console (keyboard, video, and mouse, or KVM) and remote media boot functionality. An attacker who installs a backdoor into a cloud server’s BMC can use that access to assume control of the operating system and read the affected customer’s hard drive data.

However, mitigating the problem is tough. An attacker with root access to the host can reach the BMC over the Keyboard Controller Style (KCS) system interface, which does not require IPMI authentication, and create administrative accounts or flash a malicious image to the BMC, as Eclypsium did. Reflashing is handled by the BMC firmware itself, so a malicious image can survive even when the provider believes it has restored a factory version.

IBM’s Response

Eclypsium notified IBM of their findings; in response, IBM published a blog post indicating it has addressed the issue, and there is no evidence it has been exploited for malicious purposes.

IBM reports it is forcing all BMCs, including those reporting up-to-date firmware, to be reflashed with factory firmware before they are re-provisioned for future customers. It erases all logs in BMC firmware and regenerates all passwords for the firmware, officials report.

“IBM’s approach to sanitizing servers before redeploying them is a good start, but not a complete resolution,” says Moore. The firmware update process itself runs on the BMC and can be subverted by malicious firmware; an attacker who has flashed a custom image can hide the backdoored image from the provider’s checks. He also notes that public tools exist to create custom firmware images for Supermicro components, which attackers can use to gain this kind of access.

Researchers take issue with the fact that IBM categorized this issue as “low severity.” Using CVSS 3.0, they scored the problem at 9.3, or critical severity. “It’s not a low-severity issue by any means,” Loucaides says.

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry’s most knowledgeable IT security experts. Check out the Interop agenda here.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial … View Full Bio

Article source: https://www.darkreading.com/cloud/cloudborne-bare-metal-cloud-servers-vulnerable-to-attack/d/d-id/1333969?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

DIY Botnet Detection: Techniques and Challenges

Botnets continue to spread to places never dreamed of a few years ago. But you can fight them off, and these tips can help.

Botnets have been around for over two decades, and with the rise of the Internet of Things (IoT), they have spread further to devices no one imagined they would: routers, mobile devices, and even toasters.

Some botnets are legions of bot-soldiers waiting for a command to attack a target server, generally to overwhelm the server with a distributed denial-of-service (DDoS) attack. Other botnets target specific devices by stealing passwords or mining cryptocurrency. Cryptocurrency mining, in particular, has been a dramatically growing threat for organizations recently, with cryptojacking services such as Coinhive and CryptoLoot enabling cybercriminals to make as much as $100 million a year at the expense of victims’ computing power. Smominru, among the largest cryptocurrency-mining botnets, has infected over half a million machines using the infamous EternalBlue exploit leaked from the NSA.

To prevent botnet infections, organizations must be able to detect them. But botnet detection isn’t easy. Let’s explore some of the top techniques and challenges in botnet detection.

Methods for Botnet Detection
So, what’s a botnet? Simply put, it’s a cluster of bots — compromised computers and devices — that perform commands given by the botnet owner. Usually, the botnet owner dedicates a command-and-control (C2) server, often itself a compromised machine, to communicating with the bots; historically this was done over Internet Relay Chat (IRC), and today more often over HTTP(S), peer-to-peer protocols, or other channels that blend into normal traffic. The botnet owner uses the C2 server to order the bots to execute attacks, whether that’s DDoS attacks, data theft, identity theft, or another type of attack. Thus, the smoking gun that points to a botnet is its C2 server.

Unfortunately, finding the C2 isn’t usually a simple task. Many botnet commands emerge from multiple servers or take hidden forms, masking the malicious commands as harmless activity such as Tor network traffic, social media traffic, traffic between peer-to-peer services, or domain-generation algorithms. Further complicating matters, the commands are often very subtle, making it difficult to detect any anomalies.

One method for attempting to detect C2s is breaking down and analyzing the malware code. Organizations can try to disassemble the compiled code, from which they can sometimes recover the addresses or domains the bots use to receive commands. However, since botnet creators and administrators increasingly encrypt and obfuscate that configuration inside the malware, this technique is less and less effective.

Generally, C2 detection requires visibility into the communication between a C2 server and its bots, but only tooling that sits on the path between the bots and their C2 has that kind of visibility. A more common approach for detecting botnets is tracking and analyzing the attacks themselves — into which standard security solutions provide visibility — and determining which attacks originated from botnets.

When looking at exploit attempts, there are a few possible indications for a botnet. For example, if the same IP addresses attack the same sites, at the same time, using the same payloads and attack patterns, there’s a good chance they’re part of a botnet. This is especially true if many IPs and sites are involved. One prominent example is a DDoS attempt by a botnet on a web service.

[Figure omitted. Source: Johnathan Azaria]

False Positives
The likelihood of false positives makes botnet detection particularly difficult. Some payloads are widely used, raising the probability of a randomly occurring pattern triggering a false positive. Additionally, attackers can change their IP addresses by using a virtual private network or a proxy, making it look like many attackers or bots are involved when there’s really only one.

Hacking tools and vulnerability scanners also behave similarly enough to botnets to often return false positives. This is because hacking tools generate the same payloads and attack patterns, and many hackers use them, regardless of the color of their hat. And, if different players happen to conduct a penetration test on the same sites at the same time, it may look like a botnet attack.

Organizations can often identify false positives by Googling the payload and checking any documented information about it. Another technique involves simply gleaning what information is readily available in the raw request captured by the security solution. For example, if a vulnerability scanner is to blame, most security solutions will identify it from its request signatures, especially if it’s one of the more common vulnerability scanners.
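The following Python is an added example, not code from the article or from Imperva, that puts the two points above together: the coordination heuristic (same payload, same time window, many source IPs, many target sites) and the scanner false-positive caveat. The pipe-separated log format, the sample log lines, the scanner User-Agent signatures and the thresholds are all constructed assumptions for this illustration; a real deployment would feed it the equivalent fields from a WAF or web server log.

```python
"""Added example (not from the article or Imperva): cluster attack events by
payload fingerprint and time window, flag clusters with many source IPs hitting
many targets, and set self-identifying scanners aside first.

Log format, sample lines, scanner signatures and thresholds are constructed.
"""
from collections import defaultdict
from datetime import datetime, timezone
import hashlib
import re

# Constructed format: "UTC-timestamp|src_ip|target_host|request|user_agent"
SAMPLE_LOGS = [
    # Cluster: one payload, five sources (one repeated), three targets, within 9 s
    "2019-02-26T10:00:01Z|198.51.100.10|shop.example|GET /wp-login.php?log=admin&pwd=' OR '1'='1|Mozilla/5.0 (Windows NT 10.0)",
    "2019-02-26T10:00:02Z|198.51.100.11|blog.example|GET /wp-login.php?log=admin&pwd=' OR '1'='1|Mozilla/5.0 (Windows NT 10.0)",
    "2019-02-26T10:00:03Z|198.51.100.12|forum.example|GET /wp-login.php?log=admin&pwd=' OR '1'='1|Mozilla/5.0 (Windows NT 10.0)",
    "2019-02-26T10:00:05Z|203.0.113.4|shop.example|GET /wp-login.php?log=admin&pwd=' OR '1'='1|Mozilla/5.0 (Windows NT 10.0)",
    "2019-02-26T10:00:07Z|192.0.2.9|blog.example|GET /wp-login.php?log=admin&pwd=' OR '1'='1|Mozilla/5.0 (Windows NT 10.0)",
    "2019-02-26T10:00:09Z|198.51.100.10|forum.example|GET /wp-login.php?log=admin&pwd=' OR '1'='1|Mozilla/5.0 (Windows NT 10.0)",
    # Scanner noise: one source, one target, many paths, self-identifying UA
    "2019-02-26T10:00:12Z|203.0.113.77|shop.example|GET /cgi-bin/test.cgi|Mozilla/5.00 (Nikto/2.1.6) (Evasions:None)",
    "2019-02-26T10:00:13Z|203.0.113.77|shop.example|GET /admin/|Mozilla/5.00 (Nikto/2.1.6) (Evasions:None)",
    "2019-02-26T10:00:14Z|203.0.113.77|shop.example|GET /phpinfo.php|Mozilla/5.00 (Nikto/2.1.6) (Evasions:None)",
    # Lone attacker: one source, one target
    "2019-02-26T10:00:30Z|192.0.2.200|blog.example|GET /index.php?id=1 UNION SELECT 1,2,3--|curl/7.64.0",
]

# Assumed signatures of tools that announce themselves in the User-Agent.
SCANNER_UA = re.compile(r"\b(nikto|sqlmap|nmap|masscan|zgrab|acunetix|nessus)\b", re.I)

WINDOW_SECONDS = 60       # "at the same time": bucket size
MIN_DISTINCT_IPS = 3      # "many IPs"
MIN_DISTINCT_TARGETS = 2  # "many sites"


def parse_line(line: str) -> dict:
    ts, src_ip, target, request, ua = line.split("|", 4)
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": when, "src_ip": src_ip, "target": target, "request": request, "ua": ua}


def payload_fingerprint(request: str) -> str:
    """Collapse case and whitespace so trivial variants land in one cluster."""
    norm = re.sub(r"\s+", " ", request.strip().lower())
    return hashlib.sha256(norm.encode()).hexdigest()[:16]


def is_scanner(user_agent: str) -> bool:
    """Scanners are the classic false positive: same tool, same payloads, many
    operators. Set them aside before clustering (they can be reported separately)."""
    return bool(SCANNER_UA.search(user_agent))


def detect_botnet_clusters(lines, window=WINDOW_SECONDS,
                           min_ips=MIN_DISTINCT_IPS, min_targets=MIN_DISTINCT_TARGETS) -> dict:
    groups = defaultdict(lambda: {"ips": set(), "targets": set(), "count": 0, "request": ""})
    scanner_noise = 0
    for line in lines:
        ev = parse_line(line)
        if is_scanner(ev["ua"]):
            scanner_noise += 1
            continue
        bucket = int(ev["ts"].timestamp()) // window
        g = groups[(bucket, payload_fingerprint(ev["request"]))]
        g["ips"].add(ev["src_ip"])
        g["targets"].add(ev["target"])
        g["count"] += 1
        g["request"] = ev["request"]

    suspected = []
    for (bucket, fp), g in groups.items():
        # Distinct IPs are counted, but VPN/proxy churn can make one attacker
        # look like several; treat a hit as a lead to verify, not as proof.
        if len(g["ips"]) >= min_ips and len(g["targets"]) >= min_targets:
            suspected.append({
                "window_start_utc": datetime.fromtimestamp(bucket * window, tz=timezone.utc).isoformat(),
                "fingerprint": fp,
                "request": g["request"],
                "distinct_ips": len(g["ips"]),
                "distinct_targets": len(g["targets"]),
                "events": g["count"],
            })
    return {"suspected": suspected, "scanner_noise": scanner_noise, "groups_examined": len(groups)}


if __name__ == "__main__":
    import json
    print(json.dumps(detect_botnet_clusters(SAMPLE_LOGS), indent=2))
```

On the constructed sample this yields one suspected cluster (five IPs, three targets, six events in a single minute), three events set aside as scanner noise, and the lone UNION SELECT probe left unflagged because it has a single source and target. The thresholds are the tuning knobs: raising `min_ips` trades missed small botnets for fewer proxy-induced false positives.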

False positives are an unavoidable challenge in botnet detection given the enormous amount of potential incidents; recent research shows that 27% of IT professionals receive over 1 million security alerts every day, while 55% receive more than 10,000. But with the right techniques and diligence, organizations can discern the harmless traffic from the malicious, botnet-driven traffic.


Johnathan Azaria is a Data Scientist and Security Researcher at the Threat Research group within Imperva. Johnathan specialized in network and application based attacks, and now develops solutions for the detection of such attacks using machine learning and AI algorithms. … View Full Bio

Article source: https://www.darkreading.com/cloud/diy-botnet-detection-techniques-and-challenges/a/d-id/1333949?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Social Media Platforms Double as Major Malware Distribution Centers

Because many organizations tend to overlook or underestimate the threat, social media sites, including Facebook, Twitter, and Instagram, are a huge blind spot in enterprise defenses.

Social media platforms present far more than just a productivity drain for organizations.

New research from Bromium shows that Facebook, Twitter, Instagram, and other high-traffic social media sites have become massive centers for malware distribution and other kinds of criminal activity. Four of the top five websites currently hosting cryptocurrency mining tools are social media sites.

Bromium’s study also finds one in five organizations have been infected with malware distributed via a social media platform, and more than 12% already have experienced a data breach as a result. Because many organizations tend to overlook or underestimate the threat, social media sites are a huge blind spot in enterprise defenses, the study found.

“It’s certainly something businesses should be taking seriously,” says Mike McGuire, author of the Bromium study and a senior lecturer of criminology at the University of Surrey in the UK. “Users are unwittingly introducing risk to the enterprise and creating backdoors into corporate networks in a variety of ways” that endanger customer data and company IP.

For the study, McGuire analyzed data gathered from a variety of sources, including social media platforms and users, social media posts, and several academic, business, and law enforcement sources.

The analysis reveals that social media-related security incidents surged more than three hundredfold in the US between 2015 and 2017. Over 1.3 billion social media users have had their data compromised one way or the other during the past five years, and up to half of all stolen data illicitly traded between 2017 and 2018 stemmed from breaches of social media platforms.

Criminals are using a combination of tactics, including malicious applications, advertisements, plug-ins, and links on social media platforms, to get users to download cryptomining software and other malware in a massive way. Up to 40% of the malware infections on social media sites stem from malicious ads, and 30% come from rogue apps and plug-ins. McGuire’s analysis shows that the large user bases of major social media sites and the manner in which many of them share user profiles enable malware to spread rapidly across platforms.

One silver lining is that merely using a social media platform does not increase risk. “The cases we saw did require some action from the user – for instance, clicking a link or a download” in order to enable malware, McGuire says. “So just visiting a site would not automatically mean cryptomining malware would be enabled.”

The threat doesn’t stop with malware, according to the study. Just like the Dark Web, social media platforms have become a major marketplace for cybercrime tools and services. Four in 10 of the social media sites that McGuire includes in his analysis have some form of offering for malicious hacking services, hackers for hire, and hacking tools. The sites also host services for buying and selling stolen credit card data and other sensitive information, and for recruiting money mules for laundering money and selling drugs.

Significantly, cybercriminals appear to have become adept at taking advantage of trusted features on many of these sites to trick users into following links or clicking on things they should have known to avoid. For instance, cybercriminals have been using fake “confirm that you know” emails to try and redirect LinkedIn users to malicious sites. Similarly, criminals have taken advantage of Instagram’s comments feature to post comments that direct users to rogue sites.

McGuire estimates that criminals are generating somewhere around $3.2 billion annually from social media-enabled crime.

A Tough Choice for Enterprises
The worsening situation puts enterprises between a rock and a hard place, says Ian Pratt, co-founder and president at Bromium. “Banning employees from social media platforms altogether isn’t the right solution and is completely impractical in the modern age,” he says.

For many organizations, social media has become an important tool for sales, marketing, recruiting, and other business functions. “As such, it is important to mitigate the risk of infection from social media by deploying layered defences and reducing the harm that social media-enabled attacks can cause,” Pratt says.

One approach is to isolate social media pages in such a manner that even if an individual user clicks on an infected app or other malware, the damage is contained, Pratt notes. User education and awareness about social media risks is key, too, he says.

Social media platforms also have a responsibility, McGuire says. They need to do more to prevent cybercriminals from misusing their platforms to disseminate malware and malicious services, he says.

More also needs to be done to ensure that social media platforms are not profiting from the criminal activity — for instance, from paid malicious ads taken out by criminals to redirect users to rogue sites.

“Social media can be a Trojan horse, providing an effective tool for hackers to create targeted campaigns,” McGuire says. “It’s important to understand how social media can be used by attackers so that businesses can effectively manage their levels of risk.”

Related Content:

  • The Human Factor in Social Media Risk
  • Email, Social Media Still Security Nightmares
  • Social Engineers Show Off Their Tricks
  • 14 Social Media-Savvy CISOs to Follow on Twitter

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year … View Full Bio

Article source: https://www.darkreading.com/vulnerabilities---threats/social-media-platforms-double-as-major-malware-distribution-centers/d/d-id/1333973?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Former Kaspersky Lab Expert Sentenced in Russia for Treason

Ruslan Stoyanov gets 14 years in Russian prison.

The former head of Moscow-based Kaspersky Lab’s computer incidents investigation unit was sentenced today in Moscow’s District Military Court for treason.

Ruslan Stoyanov, who had been with Kaspersky Lab since 2012, was arrested in December 2016 along with Sergei Mikhailov, deputy head of the information security department of Russia’s Federal Security Service, or FSB, and another officer of the FSB for alleged treasonous activities.

Stoyanov received a 14-year prison sentence and a fine, and Mikhailov, a 22-year sentence and a fine, according to an NBC News report today.

Russian media previously had reported that Stoyanov was contacted by Mikhailov to provide FBI cybercrime analysts with information on an investigation into the activities of a Russian businessman, Pavel Vrublevsky. Details of the case have been slim.

While at Kaspersky Lab, Stoyanov led the firm’s cybercrime investigation that ultimately led to the 2016 arrests of 50 members of the so-called Lurk cybercrime gang that stole more than $45 million from Russian financial institutions — Russia’s largest-ever crackdown on financial cybercrime.

Kaspersky Lab said the case against Stoyanov does not involve the company: “The case against this employee does not involve Kaspersky Lab. Ruslan Stoyanov’s trial was held in private and the proceedings were classified; we do not possess any information about the substance of his charges,” Kaspersky Lab said in a statement.

Stoyanov previously had served as head of network security for Russian ISP OJSC RTComm.RU, and was with the Ministry of Interior’s Moscow-based Cybercrime Unit in the early 2000s.

In 2015, Stoyanov authored a report for Kaspersky Lab on the inner workings of Russian financial cybercrime that noted that the risk of prosecution is low for cybercriminals in Russia: “The lack of established mechanisms for international cooperation also plays into the hands of criminals: for example, Kaspersky Lab experts know that the members of some criminal groups permanently reside and work in Russia’s neighbors, while the citizens of the neighboring states involved in criminal activity often live and operate in the territory of the Russian Federation,” he wrote.

“Kaspersky Lab is doing everything possible to terminate the activity of cybercriminal groups and encourages other companies and law enforcement agencies in all countries to cooperate,” he wrote at the time.


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise … View Full Bio

Article source: https://www.darkreading.com/vulnerabilities---threats/former-kaspersky-lab-expert-sentenced-in-russia-for-treason/d/d-id/1333972?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Missile warning sent from Tampa mayor’s hijacked Twitter account

Officials in Tampa, Florida, were scrambling to regain control of the mayor’s Twitter account this week after a hacker hijacked it to post bomb threats and child sex abuse images. The attacker, who took over the account just two weeks before the city’s municipal elections, tried to implicate others in the hijacking.

Mayor Bob Buckhorn’s account is normally filled with pro-Tampa messages. He encourages developers to submit innovative ideas for urban expansion and promotes owner-occupied home repair programs. Early on Thursday morning, however, things went sideways. The mayor’s account was hacked to post messages, most of which were too vile to reproduce here.

The impostor’s posts included racist and sexist tweets, pornographic images, and child sex abuse images, tagging personalities in the gaming community. There was also this tweet:

[Screenshot of the tweet from the hijacked account, not reproduced here]

In another tweet, the hacker reportedly tweeted at the Tampa airport with this message:

I have hidden a bomb in a package somewhere…Looking forward to seeing some minorities die.

Tampa City Hall was quick to correct the record, with communications director Ashley Bauman issuing the following statement:

Earlier this morning we noticed someone hacked Mayor Buckhorn’s twitter account, this was clearly not Mayor Buckhorn. Upon noticing the hack we immediately began investigating these reprehensible tweets.

We will work with our Tampa Police Department as well as all investigators to figure out how this breach was made. We urge residents to change their passwords and continue to alert officials when they see an unlikely change in account activity. We are working with law enforcement to investigate all threats made by this hack.

However, City Hall still spent five hours wresting control of the account back from the hacker. After working with Twitter, it finally gained access at 9am Eastern time on Thursday, at which point it was able to delete the offending tweets.

The first illegitimate tweet on Buckhorn’s account attributed the hack to three separate people on Twitter, at least two of whom operate online gaming servers. At least one of the three people denied the claim outright:

The attacker also changed the account for a while to make it seem as though Salem, Oregon, resident Gunner Levy was responsible. Levy has been the victim of other impersonation attacks, including SWATting, before. Someone alerted police that he was going to attack a local school, he told reporters, adding:

This is all just over arguing online.

Most people seem to have realised pretty quickly that the account had been hacked, thanks to the egregious nature of the tweets. What would be more worrying is if someone began issuing threats that looked credible.

How did the attacker get in? Experts rolled out the usual weaknesses, including poor passwords.

With that in mind, the use of passphrases or strong passwords with random characters, and the avoidance of words found in the dictionary, are all useful approaches to help protect your Twitter password. Better still is the use of 2FA, which Twitter supports.

The Tampa elections will be held on 5 March, but early voting begins today.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/vERzdqt6_VU/