HNNEpisode146

From Paul's Security Weekly

Hack Naked News #146

Recorded October 24, 2017 at G-Unit Studios in Rhode Island!

Episode Audio

Hosts

  • Paul Asadoorian
    Embedded device security researcher, security podcaster, and CEO of Active Countermeasures.
  • Jason Wood
    Threat hunter at CrowdStrike, penetration tester, sysadmin, and Founder of Paladin Security.
News

    1. 'We've nothing to hide': Kaspersky Lab offers to open up source code - Following damaging news that Russian hackers used Kaspersky to spy on an NSA contractor, an independent review of the company's source code by Q1 2018 will be followed by similar audits of its software updates and threat detection rules. Kaspersky states: "With this initiative, Kaspersky Lab will engage the broader information security community and other stakeholders in validating and verifying the trustworthiness of its products, internal processes, and business operations, as well as introducing additional accountability mechanisms by which the company can further demonstrate that it addresses any security issues promptly and thoroughly." Clearly Kaspersky is attempting to repair its damaged reputation in the industry, and while the US Government may no longer use their products, they may have a chance to win back some US customers, though only time will tell.
    2. WHOIS embarrassed about security? APNIC, after database leaks - Asia's internet numbers registry APNIC has apologized to network owners after a slip in its WHOIS database config leaked credentials, including weakly-hashed passwords. The breach affected those in the regional registry's Maintainer and Incident Response Team (IRT) database objects. During a June 2017 upgrade, those details were included in downloadable WHOIS data.
    3. The Internet Wants You: Consider a Career in Cybersecurity - According to a study by the Center for Cyber Safety and Education, by 2022, there will be a shortage of 1.8 million information security workers. It is critical that today’s students graduate ready to enter the workforce and are open to learning more about the growing field of cybersecurity. The US-CERT encourages interested candidates to review some resources for information on employment opportunities; a link to these resources can be found on our show notes page at wiki.securityweekly.com.
    4. US-CERT Warns of Active Attacks Against Industrial Control Systems - US-CERT issued a technical alert advisory on Oct. 21 warning of advanced persistent threat activity targeting energy and other critical infrastructure sectors across the U.S. The technical alert was compiled with information provided by both the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI). According to the analysis, energy, nuclear, water, aviation and critical manufacturing sectors are at risk from an ongoing cyber-attack. Among the guidelines are Indicators of Compromise (IOCs), IP addresses, domain names as well as IPS signatures to help detect potentially malicious activity.
    5. OSX Malware Spread Via Compromised Software Downloads - Elmedia Player by software developer Eltima boasts over one million users, some of whom may have also unwittingly installed Proton, a Remote Access Trojan which specifically targets Macs for the purposes of spying and theft. Attackers also managed to compromise a second Eltima product - Folx - with the same malware. This seems to be a trend when attacking OS X: embed yourself inside software already trusted by the user. Not sure if I would trust software from Eltima any longer... Apple, of course, has colorful and insightful commentary on security issues, as an Apple spokesperson told ZDNet, "at this stage we have nothing to add". It would be beneficial to Apple users to 1) acknowledge security issues and 2) create a plan to offer enhanced security features to OS X users, such as some built-in malware detection and prevention. Hey, a man can dream, can't he?
    6. NetBSD, OpenBSD Improve Kernel Security, Randomly - The folks at NetBSD have released their first cut of code to implement kernel ASLR – Address Space Layout Randomisation – for 64-bit AMD processors. The OpenBSD project offered its first look at a similar approach back in June, referred to as KARL (kernel address randomised links). That effort became mainstream early this month in OpenBSD 6.2. In 2001 the term ASLR was first introduced as a patch to the Linux kernel. Ref.

    Expert Commentary: US-CERT Releases Attacker Activity Against Critical Infrastructure

    https://www.us-cert.gov/ncas/alerts/TA17-293A

    On Friday the 20th, US-CERT published an alert that provides some technical information about attacks against US critical infrastructure. The data provided was the result of DHS and the FBI working together(ish) in investigations into attacker activity. We at HNN have previously talked about attacks on critical infrastructure, but this is interesting due to the information about techniques being used by the attackers. I say interesting, but it’s also a little frightening that these techniques are all an attacker may be needing to do.

    The attacks appear to start by going after “trusted third parties” that do business with CI organizations. These organizations have (apparently) less secure environments, so are easier targets. From there the attacks attempt to pivot into their actual target, a critical infrastructure organization. According to the alert, here are some samples of what is being done.

    First, a phishing message is sent with a link to a document for the victim to download. In this case, the link isn’t to a web server, but is a Windows SMB link. The victim clicks on the link and Word, Excel, or whatever attempts to retrieve the document. When the server prompts for authentication, the Office application sends over the user’s username and password in a challenge/response hash. The document never has to be delivered for this to be sent. The attacker can then crack the hash on their own systems.

    Next the attackers connect to the remote network using the stolen credentials and establish a persistent connection into the environment. They also continue to collect credentials inside the victim organization. Web shells are also deployed to establish control. Finally, they attempt to gather information about the ICS and SCADA environments. This appears to be reconnaissance from the inside of a network to find data to use in future attacks.

    So what to do? Phishing happens to everyone, but allowing SMB (TCP/445) to leave your network to remote systems? That should never happen. If your firewalls allow SMB outbound, you need to configure them to block that immediately. Then monitor closely to see which hosts are being blocked by the firewall when attempting these connections. Seriously, this should never be allowed and it’s a little freaky that these attacks have some success.
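
The monitoring step described above, as an added example (not from the show notes or the US-CERT alert): it parses firewall log lines and lists internal hosts that tried to reach external addresses on TCP/445. The log lines are constructed, simplified netfilter-style samples, and the `SMB-OUT-DROP` prefix, the internal ranges and the function names are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Assumption: RFC 1918 space is "inside"; adjust to your own address plan.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed, simplified netfilter-style lines (not real traffic).
# "SMB-OUT-DROP" is an assumed log prefix on the outbound 445 drop rule.
SAMPLE_LOG = """\
Oct 24 09:14:02 fw kernel: SMB-OUT-DROP SRC=10.20.4.17 DST=203.0.113.45 PROTO=TCP SPT=49822 DPT=445
Oct 24 09:14:05 fw kernel: SMB-OUT-DROP SRC=10.20.4.17 DST=203.0.113.45 PROTO=TCP SPT=49823 DPT=445
Oct 24 09:15:40 fw kernel: FWD-ALLOW SRC=10.20.4.30 DST=10.20.9.5 PROTO=TCP SPT=50100 DPT=445
Oct 24 09:20:11 fw kernel: SMB-OUT-DROP SRC=10.20.7.88 DST=198.51.100.9 PROTO=TCP SPT=51200 DPT=445
Oct 24 09:21:00 fw kernel: FWD-ALLOW SRC=10.20.7.88 DST=198.51.100.9 PROTO=TCP SPT=51201 DPT=443
"""

LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=TCP .*?DPT=(?P<dpt>\d+)")


def is_internal(addr):
    """True if addr falls inside one of INTERNAL_NETS."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def outbound_smb_attempts(log_text, ports=frozenset({445})):
    """Return {internal_src: {external_dst: attempts}} for TCP/445 leaving the network."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or int(m["dpt"]) not in ports:
            continue
        try:
            # Internal-to-internal SMB is normal; only egress is of interest.
            if is_internal(m["src"]) and not is_internal(m["dst"]):
                hits[m["src"]][m["dst"]] += 1
        except ValueError:
            continue  # malformed address field, skip the line
    return {src: dict(dsts) for src, dsts in hits.items()}


if __name__ == "__main__":
    for src, dsts in outbound_smb_attempts(SAMPLE_LOG).items():
        for dst, n in dsts.items():
            print(f"{src} -> {dst}:445  attempts={n}")
```

Each source host in the result is a machine where something, such as a document link, triggered an SMB connection toward the internet, which makes it a starting point for follow-up and credential resets.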

    Check out the link in the show notes to review the US-CERT bulletin and the attached IOCs.