STE WILLIAMS

In a talk at the Black Hat Asia conference later this month, researchers from the Graz University of Technology in Austria plan to show how attackers can abuse Intel’s Software Guard Extensions (SGX) microprocessor security feature to steal cryptographic keys and other secrets.

The researchers will present proof-of-concept malware that takes advantage of SGX’s code protection features to hide from state-of-the-art detection tools. They will show how the malware can be used to mount an attack for extracting RSA keys and other code that SGX is specifically designed to protect.

According to the researchers, the exploit is the first involving malware running on SGX hardware. Additionally, the researchers will show how such exploits can be used to search for and abuse so-called double-fetch privilege escalation vulnerabilities in secure enclaves — or the special execution environments in SGX.

The main takeaway is that SGX can help attackers hide and execute malware without requiring any root privileges, or operating system modifications says Michael Schwarz, a doctoral student in information security at Graz University.

“This attack, and also the detection of double-fetch bugs, shows that SGX is not this perfect black box, but that certain activities can be observed from the outside,” Schwarz says.

SGX is a security mechanism that Intel introduced with its Skylake processor architecture. It is designed to protect code and data from leaks and disclosure. As Schwarz notes in a technical paper, SGX uses secure enclaves working in hardware-isolated memory areas to protect application secrets from hardware attacks. Such enclaves can be used to securely store hardware-encrypted passwords, password managers, cryptographic keys, bitcoin wallets, and other secrets.

Schwarz says his malware does not exploit any vulnerability in SGX. Rather it takes advantage of the fact that Intel considers software-based side-channel attacks on SGX as not possible and therefore out of scope. Side channel attacks gather and use information about some aspect of a system’s physical operation to attack and expose sensitive data.

According to Schwarz, despite the restrictions of SGX, attackers can execute malware inside an SGX enclave and use that enclave to then attack and extract data from other enclaves.

“We show how easy it is to extract real-world 4096-bit RSA keys across enclaves using the widespread mbed TLS crypto library,” he says. The attack is not limited to RSA, but can be applied to any software, which leaks secrets when attacked via software-based side-channel attacks, Schwarz notes.

“As a further exploit, we show how one can utilize cache attacks to automatically detect double-fetch bugs in scenarios where the code and the binary is not known,” he says. Also in the cards is a demonstration of how such vulnerabilities can be exploit using the shared cache, he adds.

The exploit against SGX itself is harder to mount than a regular zero-day exploit, Schwarz concedes. But for someone with a background in micro-architectural attacks, it is perfectly doable, he says. In fact, several undergraduate and graduate level students at Graz University have already mounted such attacks, he claims.

“We require the cryptographic implementation to not be hardened against software-based side-channel attacks,” Schwarz says. “Other than that, there are no special requirements.”

Related Content:

• Critical Microprocessor Flaws Affect Nearly Every Machine
• The Long Tail of the Intel AMT Flaw
• How the Major Intel ME Firmware Flaw Lets Attackers Get ‘God Mode’ on a Machine
• Meltdown Spectre: Computing’s ‘Unsafe at Any Speed’ Problem

Black Hat Asia returns to Singapore with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier solutions and service providers in the Business Hall. Click for information on the conference and to register.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year … View Full Bio

Article source: https://www.darkreading.com/vulnerabilities---threats/intel-sgx-can-be-used-to-hide-execute-malware/d/d-id/1331211?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Corero Network Security has disclosed a “kill switch” for the Memcached vulnerability to national security agencies and shared new evidence indicating the flaw is more dangerous than previously believed. For the first time, threat actors have been exploiting unsecured Memcached servers to launch distributed denial-of-service (DDoS) attacks on target businesses.

Memcached is an open-source memory caching system that stores data in RAM to accelerate access times. It was not built for Internet access; users don’t have to authenticate. This exploit lets attackers create spoof requests and boost attacks up to 50,000 times.

The attacks, which hit businesses including GitHub, started in late February. German DDoS mitigation service provider Link11 was among the first to report the new activity, which included UDP attacks using Memcached servers to spread. Link11 found 5,000 vulnerable Memcached servers on the public internet.

Corero researchers have discovered that any exposed Memcached server that can be leveraged for a DDoS attack can also be tricked into sharing user data it has cached from its local network or host. Because Memcached servers don’t require authentication, anything added to a vulnerable server can be stolen. Attackers can also modify data and reinsert it in the cache without owners’ knowledge.

The “kill switch” sends a command back to the attackers’ server to suppress the current DDoS exploitation. This invalidates the cache of a vulnerable server, including attackers’ potentially malicious payload. It has been effectively tested on live attacking servers, Corero reports.

Read more details here.

Black Hat Asia returns to Singapore with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier solutions and service providers in the Business Hall. Click for information on the conference and to register.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

Article source: https://www.darkreading.com/vulnerabilities---threats/memcached-ddos-attack-kill-switch-new-details-disclosed/d/d-id/1331207?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Privileged account abuse is one of the most dangerous threats because it is relatively easy to execute and takes a long time to detect. The 2017 IBM Cost of Data Breach Study disclosed that organizations lost at least $3.62 million on forensic and investigative activities, remediation and legal expenditures associated with security incidents in 2016. But the overall damage for businesses can be irrecoverable.

No matter who the threat actor is — a disgruntled ex-employee looking for revenge or an insider with sticky fingers anticipating financial gain — privilege abuse patterns are pretty much the same. Four common scenarios offer cybersecurity professionals valuable lessons about proper privilege account management.

Scenario 1: Privilege Abuse
The simplest and most common situation is when an insider uses legitimate permissions for malicious activities. A vivid example of this is the July 2017 Anthem breach in which a third-party consulting firm, LaunchPoint Ventures, discovered one of its employees, in July 2016, had sent a file containing personal health identity information of 18,500 Anthem customers to his personal email. Besides that, the employee allegedly committed identity theft and misused non-Anthem data.

The investigation is underway. It is not yet known how the attack started, what the motives were, or what the employee did with the stolen data. But both Anthem and LaunchPoint are likely to face fines for noncompliance, bad publicity, and lawsuits from enraged customers.

Lesson Learned: Be aware of what your employees and contractors are doing by regularly monitoring the activity of all privileged users. You can deter misbehavior simply by letting people know they are being watched.

Scenario 2: Privilege Escalation
Privilege escalation is when an insider deliberately raises his or her level of permissions to get more access rights. Privilege escalation requires more effort and knowledge than simple privilege abuse. The most obvious example is the case of Edward Snowden, a contractor who worked as a systems administrator for the NSA, who leaked classified details of a NSA electronic surveillance program to the Washington Post and the Guardian in 2013.

We don’t know all the details, but the most reasonable version of what happened is that the agency had poor visibility into user activity and little awareness of the keys and certificates in the IT environment. Snowden fabricated digital keys to obtain privileged access to areas way above his clearance. He also asked some NSA staffers for their usernames and passwords under the pretext that he needed them for his job.

Lesson Learned: Make sure you have rigorous control over access to systems that store confidential information, and a complete key and certificate inventory. In addition, remind your employees about your security policy and the consequences of violating it, for example, by sharing their passwords.

Scenario 3: Unauthorized Access
The unauthorized use of another user’s account is particularly difficult to detect and investigate. It occurs when an employee either purposely steals someone’s credentials or obtains them by mistake. These cases rarely go public, but here is one good example. Before leaving his job at engineering firm Allen Hoshall and starting his own competitive business, Jason Needham gained the email credentials of a colleague and used them over the next two years to steal marketing proposals and client correspondence — as well as the rotating password credentials to the firm’s FTP server. This enabled Needham to download schematics, staff emails, budget plans, and other sensitive data.

It is still unknown how Needham gained access to his colleague’s account. Most likely, they were either left in a visible location (hello, sticky notes on the screen) or were shared with Needham voluntarily. Since the company couldn’t explain to regulatory bodies how the incident happened, it’s fair to conclude they didn’t have sufficient awareness of what was happening in their systems.

Lesson Learned: Detecting account hijacking can be tough, but thorough monitoring and analysis of user activity will help you detect anomalies that could indicate a security incident. It’s also a good idea to implement a user termination policy that includes steps such as immediately disabling the employee’s account, terminating VPN and remote desktop access, and changing all shared account passwords. Be sure that the policy is closely followed whenever an employee quits or is terminated.

Scenario 4: Human Error
Human mistakes are perhaps the most common type of privilege abuse. Actually, there are two types of mistakes to consider: when a user accidentally misuses access rights that were granted properly, or an admin grants a user excessive access rights by mistake or out of negligence. I bet every organization has experienced this issue. One example that was made public was about two employees at Vanderbilt University Medical Center (VUMC), who were granted access to 3,000 patient medical records that they didn’t need for work. Their unauthorized access to this protected health information continued for 19 months, until it was discovered during a routine audit of access logs.

The audit revealed the employees had viewed far more information than was necessary to perform their work duties, such as patients’ Social Security numbers and medical record numbers. While VUMC does not believe that any data was misused, the individuals involved were disciplined for their actions, and the data breach is a violation of HIPAA regulations.

Lesson Learned: Strictly enforce the least-privilege principle to minimize the amount of data each employee can reach, and closely monitor user behavior to detect suspicious activity and new patterns. Also educate users about proper behavior and let them know they are being monitored; these steps can go a long way toward preventing costly mistakes.

The Main Lesson
These four common scenarios for privilege abuse resulting in data compromise all share the same key problem: a poor understanding of what users are doing in critical systems and how they interact with sensitive data, according to the 2017 Netwrix IT Risks Report, which my company recently published. To mitigate the threat or privilege abuse, security pros need to ensure that users have only the permissions they need to perform their duties, and monitor user activity across all levels of IT infrastructure.

Related Content:

• 7 Key Stats that Size Up the Cybercrime Deluge
• Security Starts with the User Experience
• Passwords: 4 Biometric Tokens and How They Can Be Beaten

Black Hat Asia returns to Singapore with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier solutions and service providers in the Business Hall. Click for information on the conference and to register.

Michael Fimin joined Netwrix Corporation in 2007, bringing more than a decade of IT industry experience, management practices and innovation. Prior to joining Netwrix, Michael held several key positions at Aelita Software (later acquired by Quest Software), driving the … View Full Bio

Article source: https://www.darkreading.com/endpoint/privilege-abuse-attacks-4-common-scenarios/a/d-id/1331186?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Group-IB, an international organization dedicated to cyberattack prevention and security product development, announced the takedown of a criminal group that had been launching distributed denial-of-service (DDoS) attacks and extorting companies for over two years.

This marks the first large-scale international case of DDoS extortion in Ukraine that ended with a court sentence, Group-IB reports. The organization worked with law enforcement, cybersecurity firms, and online companies to successfully prosecute the criminals.

The attackers were found as part of an investigation into the September 2015 DDoS attack on international online dating service AnastasiaDate. They demanded $10,000 for stopping the attack, which shut down the site for four to six hours each day of the campaign.

Specialists in Group-IB’s investigation department analyzed the attack, identified the attackers, and discovered other incidents conducted by the same two people: Gayk Grishkyan and Inna Yatsenko, both from Ukraine. The duo later contacted AnastasiaDate in November 2016 to demand ransom and threaten to renew the DDoS attacks on its website.

Both attackers pleaded guilty to the crimes and were each given a five-year conditional sentence. Outside the AnastasiaDate case, Grishkyan and Yatsenko had previously targeted American leasing company Stafford Associated and the PayOnline payment service.

Read more details here.

Black Hat Asia returns to Singapore with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier solutions and service providers in the Business Hall. Click for information on the conference and to register.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

Article source: https://www.darkreading.com/attacks-breaches/group-ib-helps-suspend-ukrainian-ddos-attack-group/d/d-id/1331201?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

It’s getting harder and harder to exploit vulnerabilities in Android, thanks to a combination of Google-enabled security mechanisms and additional protections from individual smartphone manufacturers. However, as two researchers discovered, it’s still possible to break in.

Over the past few years, Google has buckled down on Android device security with new protections to reduce the number and impact of kernel-level bugs. Some of its mitigations include Stack Guard, SELinux, privileged execute never (PXN), hardened user-copy, privileged access never (PAN) emulation, and kernel address space layout randomization (KASLR).

“As far as we know, mainly mitigations are currently applied on Android kernel,” explains Jun Yao, security researcher with the Core team. “However, these mechanisms are difficult to apply to every phone due to Android fragmentation issues.”

To fill the security gaps, smartphone manufacturers integrate additional mitigations into the devices they produce. Attackers need to meet certain conditions to complete an exploit on an Android phone and OEMs’ extra mitigations make these conditions difficult to meet, he says.

In the second quarter of 2017, Samsung, Huawei, Oppo, and Vivo accounted for 47.2 percent of the global smartphone market share, the researchers report. Despite their standing as the world’s top four Android OEMs, deep research on their security mitigations has been limited to the Samsung Knox. Yao and Lin decided to put more manufacturers’ protections to the test.

At this year’s Black Hat Asia conference, being held March 20-23 in Singapore, Yao and fellow Core security researcher Tong Lin will share the details of these mitigations and demonstrate how they can be stably bypassed in ways that have not been made public. One of the implementations they broke was the addr_limit checking protection on Vivo devices.

“Usually, to get root privilege on [a] target device, attackers need to be able to overwrite kernel memory,” Yao explains. “The most popular way to do it is to modify the process’ addr_limit.”

Because the kernel checks addr_limit before the system call returns, it cannot be modified directly. The researchers had to find another way to overwrite the kernel without changing addr_limit, and they successfully did so. They report this mitigation can be easily bypassed on a target device depending on the security mechanisms already in place.

[Learn more about breaking Android security in the Black Hat Asia session “Prison Break Season 6: Defeating the Mitigations Adopted by Android OEMs” in which Yao and Lin will demonstrate how they bypassed security protections built into Android phones.]

“It depends on specific devices,” says Yao. “If PAN is enabled on a target device, I think it’s difficult to bypass it. If it’s not, it’s easy to defeat it.”

PAN emulation works with hardened usercopy, which adds bounds checking to usercopy functions that the kernel uses to transfer data from user space to kernel space memory and back. Missing or invalid bounds checking has often caused kernel vulnerabilities in the past.

Hardened usercopy functions help detect and mitigate security issues in developers’ code, but they can only help if developers use them, explains Sami Tolvanen, senior software engineer for Android Security, on the Android developer blog. Features like PAN in ARM 8.1 and Supervisor Mode Access Prevention (SMAP) in x86 prevent the kernel from accessing user space directly, and ensure developers go through usercopy functions.

“I think mitigations fall into two categories,” says Yao. “One is to reduce the attack surface, and the other is to make exploits harder. The mitigations we are talking about belong to the latter one.” Fewer vulnerabilities lessen the chances of defeating these mitigations, he adds.

The most important thing for OEMs to do is promptly patch kernel flaws, Yao continues. He also advises using a combination of mitigations, as single mitigation is easier to bypass.

Related Content:

• Privilege Abuse Attacks: 4 Common Scenarios
• Identity Management: Where It Stands, Where It’s Going
• More Security Vendors Putting ‘Skin in the Game’
• Number of Sites Hosting Cryptocurrency Miners Surges 725% in 4 Months

Black Hat Asia returns to Singapore with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier solutions and service providers in the Business Hall. Click for information on the conference and to register.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial … View Full Bio

Article source: https://www.darkreading.com/vulnerabilities---threats/researchers-defeat-android-oems-security-mitigations/d/d-id/1331209?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple