Introducing the In-the-Wild Series
Vulnerabilities! We’ve got vulnerabilities here! … See? Nobody cares.
Jurassic Park is often (mistakenly) left out of the hacker movie canon. It clearly demonstrated the risk of an insider attack on control systems (Velociraptor rampage, amongst other tragedies…) nearly a decade ahead of the Maroochy sewage incident, it’s the first film I know of with a digital troll (“ah, ah, ah, you didn’t say the magic word!”), and Samuel L. Jackson correctly assesses the possible consequence of a hard reset (namely, everyone dying), resulting in his legendary “Hold on to your butts”. The quotable mayhem is seeded early in the film, when biotech spy Lewis Dodgson gives a sack of money to InGen’s Dennis Nedry to steal some dino DNA. Dodgson’s caricatured OPSEC (complete with trilby and dark glasses) is mocked by Nedry shouting, “Dodgson! Dodgson! We’ve got Dodgson here! See, nobody cares…” Three decades later, this quote still comes to mind* whenever conventional wisdom doesn’t seem to square with observed reality, and today we’re going to apply it to the oft-maligned world of Industrial Control System (ICS) security.
Avast Antivirus Is Shutting Down Its Data Collection Arm
Avast will no longer collect or sell its users’ internet browsing data
...after getting caught.
Somewhat old, but deserves a spot in the archive of malfeasance.
In this paper I present an analysis of 1,976 unsolicited answers received from the targets of a malicious email campaign, who were mostly unaware that they were not contacting the real sender of the malicious messages. I received the messages because the spammers, whom I had described previously on my blog, decided to take revenge by putting my email address in the ‘reply-to’ field of a malicious email campaign. Many of the victims were unaware that the message they had received was fake and contained malware. Some even asked me to resend the malware as it had been blocked by their anti-virus product. I have read those 1,976 messages, analysed and classified victims’ answers, and present them here. The key takeaway is that we need to train users, but at the same time we should not count on them to react properly to Internet threats. Despite dealing with cybercrime victims daily for the last seven years I was surprised by most of the reactions and realized how little we, as the security industry, know about the average Internet user’s ability (or rather inability) to identify threats online. We need to build solutions that will protect users, without their knowledge, sometimes against their will, from their ability to harm themselves.
The fifth group is actually the most worrying. I call this group ‘MY ANTI-VIRUS WORKED, PLEASE SEND AGAIN’, as these are recipients who mention that their security product (mostly anti-virus) warned them against an infected file, but they wanted the file to be resent because they could not open it. The group consisted of 44 individuals (2.35%).
Despite being highly privileged and processing untrusted input by design, it is unsandboxed and has poor mitigation coverage. Any vulnerabilities in this process are critical, and easily accessible to remote attackers.
Hackers hit Norsk Hydro with ransomware
The breach last March would ultimately affect all 35,000 Norsk Hydro employees across 40 countries, locking the files on thousands of servers and PCs. The financial impact would eventually approach $71 million.
All of that damage had been set in motion three months earlier when one employee unknowingly opened an infected email from a trusted customer. That allowed hackers to invade the IT infrastructure and covertly plant their virus.
This is kinda fluffy, but somewhat interesting.
Unexpected Norms Setters
I wanted to do a line by line review of Ilina Georgieva’s recent piece on cyber norms because on a brief read-through, I liked a lot of it. That said, the difficulty with reviewing policy pieces is you tend to think the ones that AGREE with you are naturally genius, which is not always the case. So after a more thorough review, there are a lot of serious issues with the piece and these are painfully listed below (if you happen to be Iliana).
Terrible Ninth Circuit 230(c)(2) Ruling Will Make the Internet More Dangerous–Enigma v. Malwarebytes
The Ninth Circuit has issued a Section 230(c)(2) opinion that creates significant problems for anti-spyware/spam/virus vendors (I’ll call them “anti-threat vendors”). The ruling will paralyze their decision-making, expose them to greater legal threats, and reduce their ability to protect consumers from unwanted software. This ruling makes the Internet less safe. I hope the Ninth Circuit will fix it via further proceedings.
Nevertheless, the majority’s legal standard creates two obvious and significant problems. First, many spammers, virusmakers, and adware/spyware makers will claim–legitimately or not–to be direct or partial competitors with anti-threat vendors. In those situations, the threat purveyors will naturally claim that the blocking was motivated by anticompetitive animus. In fact, I would expect such anticompetitive animus claims to be routine for blocked entities, not an exception. Indeed, as the dissent noted, Zango claimed (not credibly) its adware was competitive with Kaspersky’s anti-threat software.
I would say it will be the AV companies facing bogus lawsuits who will lose the most, and probably not users, but it’s a bit of a pickle.
A very deep dive into iOS Exploit chains found in the wild
Earlier this year Google’s Threat Analysis Group (TAG) discovered a small collection of hacked websites. The hacked sites were being used in indiscriminate watering hole attacks against their visitors, using iPhone 0-day.
There was no target discrimination; simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant. We estimate that these sites receive thousands of visitors per week.
TAG was able to collect five separate, complete and unique iPhone exploit chains, covering almost every version from iOS 10 through to the latest version of iOS 12. This indicated a group making a sustained effort to hack the users of iPhones in certain communities over a period of at least two years.
I’ll investigate what I assess to be the root causes of the vulnerabilities and discuss some insights we can gain into Apple’s software development lifecycle. The root causes I highlight here are not novel and are often overlooked: we’ll see cases of code which seems to have never worked, code that likely skipped QA or likely had little testing or review before being shipped to users.
The Exxon Valdez of cyberspace
In 1989 the thin-hulled Exxon Valdez supertanker ran aground in Prince William Sound, Alaska, pouring a quarter of a million barrels of oil into the surrounding waters. At the time, it was America’s worst offshore spill, and a huge blow to the reputation of the ship’s owner, Exxon. The firm paid $3bn to clean up the area and settle legal claims, and to improve safety the American government ordered the phasing out of single-hull ships such as Exxon Valdez. All vessels used worldwide by Exxon’s corporate descendant, ExxonMobil, are now double-hulled. But that is not all. The disaster gave rise to a cultlike culture of discipline within ExxonMobil that helped turn it into the profitmaking beast it is today.
If we haven’t yet seen a sufficiently nasty data breach to motivate cleanups, I don’t think we want to.
Tricking the tricksters with a next level fork bomb
Some people make a cruel sport out of tricking newbies into running destructive shell commands.
Years ago, I came across someone doing this, and decided to trick them back.
I was 7 words away from being spear-phished
I reflexively did some basic security hygiene checks. The email was from an @cam.ac.uk email address. I hovered over the link in the email - people.ds.cam.ac.uk/grh37/awards/Adam_Smith_Prize. It pointed to the same URL that the email text claimed it did, and was located on a valid cam.ac.uk subdomain. It did strike me as a little odd that the page was hosted inside gh327’s personal directory instead of the main economics department’s site; but hey, it’s probably less bureaucracy that way. I clicked on the link and read a little about the history of the Adam Smith prize.
John Deere's Promotional USB Drive Hijacks Your Keyboard
Tractor-maker John Deere distributed USB drives that hijacked users’ keyboards and loaded its official website onto the browser. While the John Deere USB drive didn’t do anything to compromise the security of devices it was connected to, it used a method that’s similar to a malicious attack.
I think the real story here is that people still plug in strange devices.
Samsung TVs should be regularly virus-checked, the company says
A how-to video on the Samsung Support USA Twitter account demonstrates the more than a dozen remote-control button presses required to access the sub-menu needed to activate the check. It suggested users should carry out the process “every few weeks” to “prevent malicious software attacks”.
Baltimore is not EternalBlue
Recently a misleading and terribly researched article (via Nicole Perlroth and Scott Shane) came out in the NYT which essentially blamed the NSA and ETERNALBLUE for various ransomeware attacks on American city governments, including Baltimore. This then ballooned to PBS and the BBC and a bunch of other places, all of which parroted its nonsense.
The Persistence of Chaos
Airgapped Samsung NC10-14GB 10.2-Inch Blue Netbook (2008), Windows XP SP3, 6 pieces of malware, power cord, restart script, malware
(minimum bid: $1,200,750 - reserve met)
0day "In the Wild"
Project Zero’s team mission is to “make zero-day hard”, i.e. to make it more costly to discover and exploit security vulnerabilities. We primarily achieve this by performing our own security research, but at times we also study external instances of zero-day exploits that were discovered “in the wild”. These cases provide an interesting glimpse into real-world attacker behavior and capabilities, in a way that nicely augments the insights we gain from our own research.
Today, we’re sharing our tracking spreadsheet for publicly known cases of detected zero-day exploits, in the hope that this can be a useful community resource:
Hope is not a NOBUS strategy
So typically the first thing I do when I get a new implant to look at is see if the authors implemented public key encryption into it, or if they just have some sort of password authentication, and then maybe a symmetric algorithm for protecting their traffic. This was, for a while, a good way to track nation states because people who wanted their implants “easier” to deploy did not put public keys in them, whereas those of us who wanted a NOBUS backdoor generated a new public key per target (like this amazing one, Hydrogen, from 2004).
Hackers Could Read Your Hotmail, MSN, and Outlook Emails by Abusing Microsoft Support Portal
A hacker or group of hackers had first broken into a customer support account for Microsoft, and then used that to gain access to information related to customers’ email accounts such as the subject lines of their emails and who they’ve communicated with.
But the issue is much worse than previously reported, with the hackers able to access email content from a large number of Outlook, MSN, and Hotmail email accounts, according to a source who witnessed the attack in action and described it before Microsoft’s statement, as well as screenshots provided to Motherboard. Microsoft confirmed to Motherboard that hackers gained access to the content of some customers’ emails.
Security alert: pipdig insecure, DDoSing competitors