San Francisco Airport (SFO) at night

BF-SIRT Newsletter 2018-16

State-Sponsored Cyber Actors do State-Sponsored Cyber Actor stuff

US-CERT published a joint Technical Alert (TA), the result of efforts between the Department of Homeland Security (DHS), the Federal Bureau of Investigation (FBI), and the United Kingdom’s National Cyber Security Centre (NCSC), providing information on the worldwide cyber exploitation of network infrastructure devices (e.g., routers, switches, firewalls and Network-based Intrusion Detection System (NIDS) devices) by Russian state-sponsored cyber actors. The alert provides some concrete information that can be acted on. The fact that this happens is not new, there is no reason to think Russia is the only one doing it, and they are not doing anything spectacular or fancy either. Check for the indicators provided, keep calm and carry on.


On a separate note, Oracle announced 250 security fixes in its quarterly patch update, and Cisco published important and critical security advisories for Firepower, ASA and WebEx.


Top 5 Security links
RSA 2018 Keynote – The Five Most Dangerous New Attack Techniques
PCI Council Releases Guidelines for Cloud Compliance
Hacking charge for URL-manipulation in Canada
Drupalgeddon 2 Vulnerability Used to Infect Servers With Backdoors & Coinminers
Tech Firms Sign ‘Digital Geneva Accord’ Not to Aid Governments in Cyberwar


(Blogpost image by Andrew Choy from Santa Clara, California, “San Francisco International Airport at night“, Creative Commons Attribution-Share Alike)

Russian State-Sponsored Cyber Actors Targeting Network Infrastructure

Yesterday, US-CERT posted a bulletin about Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices (https://www.us-cert.gov/ncas/alerts/TA18-106A).
Our take on this is that this is something one must always assume to be happening, and if the bulletin is accurate then it’s not something Russia is alone in doing:
https://arstechnica.com/tech-policy/2014/05/photos-of-an-nsa-upgrade-factory-show-cisco-router-getting-implant/
https://www.engadget.com/2016/08/21/nsa-technique-for-cisco-spying/

It is vital to have critical controls in place to protect against these types of attacks, and to be prepared to take action based on concrete Indicators of Compromise provided in alerts and threat intelligence. Basefarm is a member of FIRST.org, TF-CSIRT and Swedish CERT-Forum, which helps us gather intelligence such as this in a timely manner.


(Blogpost image by Erik Mandre, “Karu-Ursus arctos-Erik Mandre.jpg“, Creative Commons Attribution-Share Alike)

BF-SIRT Newsletter 2018-15

Facebook

On Tuesday and Wednesday this week, Mark Zuckerberg took part in congressional hearings regarding Cambridge Analytica and privacy concerns around Facebook. Multiple news outlets are covering the story, and KrebsOnSecurity also wrote an article about why one should not trust these types of quizzes: the apps behind them may receive data about you and your friends when you take them (which is how Cambridge Analytica got hold of information about more than 50 million users after those users approved access for the app “This is your digital life”).

Facebook has since added a website that lets you check whether your information was leaked, and they have also added privacy information on what data you have uploaded to Facebook with regard to contacts and call and text history, if you allowed Messenger or Facebook on your mobile to do so.

Facebook has also updated their bug bounty program and now offers a $40,000 bounty if you find evidence of data leaks.


Top 5 Security links
Finland hit by a data breach affecting over 130,000 users
Drupal CVE-2018-7600 PoC is Public
Outlook bug allowed hackers to use .rtf files to steal windows passwords
Your Windows PC can get hacked by simply visiting a website if you don’t update
PowerHammer lets hackers steal data from air-gapped computers through power lines


Malware is so 2017: five new security trends to watch out for

Outbreaks such as Petya and WannaCry really put the malware threat on the IT agenda and made cybersecurity a priority for everyone. Fredrik Svantes, Senior Information Security Manager at Basefarm, explains the latest developments that keep the cybersecurity community busy.

BF-SIRT Newsletter 2018-10

Netflix could pwn 2020s IT security – they need only reach out and take

The container is doomed, killed by serverless. Containers are killing Virtual Machines (VM). Nobody uses bare metal servers. Oh, and tape is dead. These, and other clichés, are available for a limited time, printed on a coffee mug of your choice alongside a complimentary moon-on-a-stick for $24.99. Snark aside, what does the future of containers really look like?

  • No one company is going to dominate IT security in the 2020s, but there is an empire to be built on building the very best workload wrapper money can buy.
  • VMware has all components to build this puzzle piece. Unfortunately, they’re trapped in whatever hell befell Microsoft in 2005.
  • Red Hat has most of the required components, but it will probably take them at least a decade to integrate all of it into systemd.
  • Nobody is going to build an empire on containers, because containers are only one part of a more important puzzle piece.
  • Netflix gave the world the Chaos Monkey, and then decided to build a full-scale Simian Army.
  • Which vendor(s) will pull it together and dominate that niche?


Top 5 Security links
https://nakedsecurity.sophos.com/2018/03/08/smart-traffic-lights-cause-jams-when-fed-spoofed-data/
https://arstechnica.com/information-technology/2018/03/it-just-got-much-easier-to-wage-record-breaking-ddoses/
https://devco.re/blog/2018/03/06/exim-off-by-one-RCE-exploiting-CVE-2018-6789-en/
https://threatpost.com/pos-malware-found-at-160-applebees-restaurant-locations/130281/
https://www.theregister.co.uk/2018/03/08/dutch_police_detail_how_they_became_the_admins_for_hansa_dark_web_market/

BF-SIRT Newsletter 2018-09

Memcrashed – Major amplification attacks from UDP port 11211

Over the last couple of days we’ve seen a big increase in an obscure amplification attack vector: the memcached protocol, coming from UDP port 11211.

The general idea behind all amplification attacks is the same. An IP-spoofing capable attacker sends forged requests to a vulnerable UDP server. The UDP server, not knowing the request is forged, politely prepares the response. The problem happens when thousands of responses are delivered to an unsuspecting target host, overwhelming its resources – most typically the network itself.

  • The discovery of a new amplification vector that allows very high amplification is rare, though. This new memcached UDP DDoS is definitely in that category.
  • In total we’ve seen only 5,729 unique source IPs of memcached servers. We’re expecting to see much larger attacks in future, as Shodan reports 88,000 open memcached servers.
  • In the GitHub DDoS incident on 28 Feb 2018, the attack peaked at 1.35 Tbps via 126.9 million packets per second.
  • Please ensure that your memcached servers are firewalled from the internet!
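As an added illustration of the spoofed-request-to-large-reply pattern described above (example code written for this page, not code from the original newsletter or from the memcached project), the following Python flags likely memcached amplification in flow records by pairing each UDP reply from port 11211 with the request that supposedly triggered it. The sample flows, the internal-network list and the ratio threshold are constructed assumptions.

```python
import ipaddress

MEMCACHED_PORT = 11211
# Replies to addresses outside these nets leave the site (assumed ranges).
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Constructed flow records (not from the newsletter), one per line:
# proto src sport dst dport bytes
SAMPLE_FLOWS = """\
udp 198.51.100.7 11211 203.0.113.9 52011 1843200
udp 203.0.113.9 52011 198.51.100.7 11211 60
udp 198.51.100.7 11211 203.0.113.77 33333 921600
udp 198.51.100.7 11211 10.0.0.5 40001 2048
udp 10.0.0.5 40001 198.51.100.7 11211 320
tcp 198.51.100.7 11211 10.0.0.6 40002 4096
"""

def parse_flows(text):
    """Parse the whitespace-separated records above into dicts."""
    flows = []
    for line in text.splitlines():
        if line.strip():
            proto, src, sport, dst, dport, nbytes = line.split()
            flows.append({"proto": proto, "src": src, "sport": int(sport),
                          "dst": dst, "dport": int(dport), "bytes": int(nbytes)})
    return flows

def is_internal(addr):
    return any(ipaddress.ip_address(addr) in net for net in INTERNAL_NETS)

def find_amplification(flows, min_ratio=50, external_only=True):
    """Report (server, target, reply_bytes, ratio) for UDP replies from port
    11211 at least min_ratio times larger than the matching request. A reply
    with no logged request gets ratio inf: with a spoofed source address the
    request may never have crossed this sensor at all."""
    requests = {}
    for f in flows:
        if f["proto"] == "udp" and f["dport"] == MEMCACHED_PORT:
            requests[(f["dst"], f["src"], f["sport"])] = f["bytes"]
    hits = []
    for f in flows:
        if f["proto"] != "udp" or f["sport"] != MEMCACHED_PORT:
            continue
        if external_only and is_internal(f["dst"]):
            continue
        req_bytes = requests.get((f["src"], f["dst"], f["dport"]), 0)
        ratio = f["bytes"] / req_bytes if req_bytes else float("inf")
        if ratio >= min_ratio:
            hits.append((f["src"], f["dst"], f["bytes"], ratio))
    return hits
```

On the sample data the two external replies are flagged (one with a 60-byte request and a 1,843,200-byte reply, one with no request at all), while the ordinary internal client traffic is not.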

Top 5 Security links
https://cybersins.com/howto-resposible-disclosure-with-security-txt/
https://www.bleepingcomputer.com/news/security/23-000-users-lose-ssl-certificates-in-trustico-digicert-spat/
https://www.theregister.co.uk/2018/03/01/us_researchers_apply_spectrestyle_tricks_to_break_intels_sgx/
https://nakedsecurity.sophos.com/2018/02/28/single-sign-on-authentication-the-bug-that-let-you-logon-as-someone-else/
https://threatpost.com/bug-in-hp-remote-management-tool-leaves-servers-open-to-attack/130189

BF-SIRT Newsletter 2018-08

Apple fixes that “1 character to crash your Mac and iPhone” bug

Apple has pushed out an emergency update for all its operating systems and devices, including TVs, watches, tablets, phones and Macs.

The fix patches a widely-publicised vulnerability known officially as CVE-2018-4124, and unofficially as “one character to crash your iPhone”, or “the Telugu bug”.

  • Telugu is a widely-spoken Indian language with a writing style that is good news for humans, but surprisingly tricky for computers.
  • Computers can store and reproduce English words really easily, because there are only 26 symbols (if you ignore lower-case letters, the hyphen and that annoying little dingleberry thing called the apostrophe that our written language could so easily do without).
  • Many languages use a written form in which each character is made up of a combination of components that denote how to pronounce it, typically starting with a basic sound and indicating the various modifications that should be applied to it.
  • In English, each left-arrow or right-arrow simply moves you one character along in the current line, and one byte along in the current ASCII string, but what if there are four different sub-characters stored in memory to represent the next character that’s displayed?
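The last bullet is the heart of the bug: for a script like Telugu, "the next character on screen" is a cluster of several code points, so byte- or code-point-wise cursor movement lands in the middle of a displayed character. As an added example (written for this page, not code from Apple or from the original article), the following Python shows three different lengths for the same word and steps a cursor one displayed character at a time. The segmentation rule is a deliberately simplified assumption, not full Unicode grapheme-cluster segmentation, and the sample strings are constructed (not the crash sequence).

```python
import unicodedata

VIRAMA = "\u0c4d"                # TELUGU SIGN VIRAMA: joins two consonants
JOINERS = {"\u200c", "\u200d"}   # ZWNJ / ZWJ: control how the next glyph is shaped

# Constructed samples (not the crash string from the bug report):
# the word 'telugu' in Telugu script, and the conjunct 'kssa'.
WORD = "\u0c24\u0c46\u0c32\u0c41\u0c17\u0c41"      # తెలుగు
CONJUNCT = "\u0c15\u0c4d\u0c37"                    # క్ష

def grapheme_clusters(text):
    """Simplified cluster segmentation (assumption; not full UAX #29): a
    combining mark, a joiner, or a letter that follows a virama or joiner
    stays in the cluster of the base letter before it."""
    clusters = []
    for ch in text:
        joins_previous = bool(clusters) and (
            unicodedata.category(ch).startswith("M")
            or ch in JOINERS
            or clusters[-1][-1] == VIRAMA
            or clusters[-1][-1] in JOINERS)
        if joins_previous:
            clusters[-1] += ch
        else:
            clusters.append(ch)
    return clusters

def describe(text):
    """Three different answers to 'how long is this string?'"""
    return {"utf8_bytes": len(text.encode("utf-8")),
            "code_points": len(text),
            "clusters": len(grapheme_clusters(text))}

def cursor_right(text, index):
    """Move an insertion point one displayed character to the right and
    return the new code-point index; stepping by one code point (or one
    byte) instead would stop inside a cluster."""
    pos = 0
    for cluster in grapheme_clusters(text):
        if pos + len(cluster) > index:
            return pos + len(cluster)
        pos += len(cluster)
    return len(text)
```

For the constructed word the answers are 18 bytes, 6 code points and 3 displayed characters, so the cursor positions are 0, 2, 4, 6 rather than 0, 1, 2, ....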

For your iPhone, you’ll be updating to iOS 11.2.6; for your Mac, you need the macOS High Sierra 10.13.3 Supplemental Update.

Top 5 Security links
https://threatpost.com/dell-emc-patches-critical-flaws-in-vmax-enterprise-storage-systems/129952/
https://www.theregister.co.uk/2018/02/20/unpatched_jenkins_servers_mining_monero/
http://fortune.com/2018/02/20/tesla-hack-amazon-cloud-cryptocurrency-mining/
https://torrentfreak.com/flight-sim-company-embeds-malware-to-steal-pirates-passwords-180219/
https://threatpost.com/word-based-malware-attack-doesnt-use-macros/129969/

BF-SIRT Newsletter 2018-07

NCC Group rebuilt NotPetya, replacing its destructive payload with telemetry and safeguards to see what the impact could have been. They found the following:

  • The customer ran it on one machine in their engineering network with no privileges.
  • It found three machines unpatched.
  • It exploited those three machines to obtain kernel level access.
  • It infected those three machines.
  • Within ten minutes it had gone through the entire engineering network using recovered/stolen credentials.
  • It then took the domain about two minutes later.
  • 107 hosts were owned in roughly 45 minutes before the client initiated the kill and remove switch.

Top 5 Security links
A rebuilt NotPetya gets its first execution outside of the lab
Cryptomining script poisons government websites – What to do
Hackers Exploit ‘Telegram Messenger’ Zero-Day Flaw to Spread Malware
Winter Olympics network outages blamed on unexplained cyberhack
UK names Russia as source of NotPetya, USA follows suit

BF-SIRT Newsletter 2018-06

Beginning in July 2018 with the release of Chrome 68, Chrome will mark all HTTP sites as “not secure”.

For the past several years, we’ve moved toward a more secure web by strongly advocating that sites adopt HTTPS encryption. And within the last year, we’ve also helped users understand that HTTP sites are not secure by gradually marking a larger subset of HTTP pages as “not secure”.

  • Over 68% of Chrome traffic on both Android and Windows is now protected
  • Over 78% of Chrome traffic on both Chrome OS and Mac is now protected
  • 81 of the top 100 sites on the web use HTTPS by default


Top 5 Security links

WordPress users do an update NOW and do it by hand
Apple iBoot source code leaked
Covert data channel in TLS dodges network perimeter protection
Leaky Amazon S3 bucket exposes personal data of 12000 social media influencers
Bitglass Report Microsoft SharePoint Google Drive and Majority of AV Engines Fail to Detect New Ransomware Variant

BF-SIRT Newsletter 2018-05

We need to prepare ourselves for Meltdown/Spectre-based malware, which might soon be coming to devices near us, but are we ready? Researchers have lately discovered more than 130 malware samples attempting to exploit these chip flaws.


Top 5 Security links
Secret military bases revealed by fitness app Strava
South Korea Warns of Flash Zero-Day flaw exploited by North Korea in surgical attacks
Cisco Patches Critical VPN Vulnerability
Cryptocurrency Mining Malware Infected Over Half-Million PCs Using NSA Exploit
Keylogger Campaign Returns, Infecting 2,000 WordPress Sites