A new report from the SANS Institute warns that the push to digitize all health care records along with the emergence of HealthCare.gov and the general proliferation of electronic protected health information (ePHI) online will only exacerbate the security problems faced by those that store sensitive health care data. In other words, the report says, health care critical information assets are poorly protected and already compromised in many cases.
The “Health Care Cyberthreat Report” suggests that a compliance nightmare looms on the horizon and – more concerning yet – that the health care industry is now facing more exposure to attacks than ever before. The findings are particularly troublesome when you take into consideration that the health care industry has had a sordid history with IT security.
Sensitive health care information was never really all that secure to begin with. Health care data breaches were commonplace long before President Barack Obama signed the Patient Protection and Affordable Care Act into law. In fact, the SANS Institute opens its report with the stark and startling statistic that 94 percent of all healthcare organizations admit they have been the victim of a data breach at some point. That is an incredibly high number and, like all data breach statistics, it fails to account for those companies that have been breached and aren’t fessing up to it or just don’t know about it yet.
The report examined device-based and organizational sources of malicious traffic. Ironically, in terms of devices, most of the malicious traffic either passed through or was transmitted by security devices or applications. More specifically, virtual private networks enabled 33 percent of malicious traffic while 16 percent of malicious packets were sent by firewalls. Routers and enterprise network controllers together accounted for nine percent of such traffic. Other device types vulnerable to compromise included radiology imaging software, video conferencing systems, mail and VOIP servers, digital video systems, call contact software, and networked printers and fax machines.
“Today, almost every network attached device is shipped from its vendor in an insecure configuration with defaults that can be discovered easily through an Internet search,” said Barbara Filkins, a senior SANS analyst and healthcare specialist.
The report went on to note that network administrators are reliably changing easily guessable default credentials for router firewalls but they often overlook other network attached devices such as surveillance cameras, printers, and fax machines. As is so often the case, weak credentials and poorly configured security controls were among the leading causes for security incidents. Attackers can easily daisy-chain access from one poorly secured medical endpoint to more sensitive network devices.
The volume of Internet protocols examined within this targeted sample, the report claims, could be extrapolated to suggest that millions of health care organizations around the globe may already be exchanging malicious information.
“And theoretically,” the report says, “the effects of an ePHI compromise could potentially touch almost every person in the United States if the goal set by President Bush in 2004 that every American have an electronic health record by 2014 comes anywhere close to reality.”
Compliance, the report says, does not equal security. Existing best practices are not keeping up with attack techniques. Not only is patient data at risk, but so too is intellectual property, medical payment and billing information, and systems integrity. The findings showed that once a breach occurred, attackers regularly launched phishing and distributed denial of service attacks.
“This level of compromise and control could easily lead to a wide range of criminal activities that are currently not being detected,” said Filkins. “For example, hackers can engage in widespread theft of patient information that includes everything from medical conditions to social security numbers to home addresses, and they can even manipulate medical devices used to administer critical care.”
The costs incurred after breaches – said to include lawsuits, free credit monitoring services, stock fallout, and other expenses – are increasing as well. One Ponemon study from 2013 found that each exposed record could end up costing an organization some $233.
The report warns that many healthcare-related organizations – including one not named by SANS but described as a top three example of vulnerable medical organizations – believe their existing security controls, such as their firewall, are enough prevent compromise. In other words, organizations that have already been breached believe that they can not be compromised because of their existing security solutions.
The report examined all sorts of players in the healthcare industry, from small providers to research and teaching hospitals to clearinghouses, health plans, and pharmaceutical companies. Among these, the lion’s share of malicious traffic originated from health care providers (72 percent). Health care business associates – essentially businesses providing services that support that industry – followed in a distant second, accounting for 9.9 percent of malicious packets. Health plans (6.1 percent), pharmaceutical companies (2.9 percent), and health care clearing houses (0.5 percent) closed out the list. Other related health care entities accounted for the remaining 8.5 percent of malicious traffic.
The report ultimately says that a completely new approach to security will be needed to address these problems. Considering the explosion of newly connected devices, organizations must know what is on their network and find ways to secure these devices. Part of this assessment necessarily includes replacing older, vulnerable software and networked equipment. The report also urges organizations to think like attackers. A fax machine may seem benign, but an attacker could potentially monitor it to siphon off patient prescription information. Surveillance systems can be remotely monitored to determine ways of physically accessing areas with valuable data. Furthermore, vulnerability assessments and software patch management must be an ongoing process.
The SANS report was based on data collected by the Norse threat intelligence network between September 2012 and October 2013. Norse is a health care-industry focused provider of security and anti-fraud products. Their threat intelligence infrastructure consisted of a global network of sensors and honeypots that processed and analyzed hundreds of terabytes of daily data during the sample period. According the report, collected data included 49,917 unique malicious events, 723 unique malicious source IP addresses, and 375 U.S.-based compromised health care-related organizations.
Hosted two-factor authentication firm Duo Security acknowledged late last week that it discovered a vulnerability in its WordPress plugin (duo_wordpress plugin) that could allow a user to bypass two-factor authentication (2FA) on a multisite network.
Jon Oberheide, one of Duo’s founders, stressed last week that the problem only exists for users who have multisite WordPress setups with 2FA enabled on one of their sites. Users who deploy the plugin universally (and enable it universally) on their sites are not at risk.
If a user has 2FA set up on a site, they’ll be asked for primary credentials (a username and password) and the second factor information. But if there’s another site on the same multisite network, a user from the first site can go to the second site and only be asked for primary credentials. If they have those credentials, they’ll be authenticated, and then redirected back to their first site without being asked for 2FA. It’s bypassed entirely.
Oberheide described the vulnerability’s impact in bullet points in a blog entry last week in order to clarify some misinformation he said was being spread.
- Only WordPress “Multisite” deployments that have chosen to deploy the plugin on an individual site basis are affected.
- Normal WordPress deployments or Multisite deployments with the plugin enabled globally are NOT affected.
- The user must still present correct primary authentication (eg. username and password); only the second factor is bypassed.
Duo discovered the vulnerability and confirmed it internally earlier this month before issuing the advisory for it last week. At this time it affects version 1.8.1 and earlier of the product.
Oberheide writes that Duo is putting together a permanent fix and is working with WordPress but suggests a “core modification” may have to be made to the way the platform handles plugins to fix the issue.
The problem doesn’t solely exist on Duo’s plugins but is also present on those belonging to other two-factor vendors as well. Oberheide and company said they’ve informed vendors who are affected and several of them, like Duo, are working on fixes.
In the meantime Duo is encouraging users who have duo_wordpress deployed on multisite setups to enable the plugin globally, and then disable it for specific user roles until a fix is issued. Users who run a different WordPress two-factor authentication plugin may want to look into seeing if its vendor is planning a patch.
Android devices prior to version 4.2.1 of the operating system—70 percent of the phones and tablets in circulation—have been vulnerable to a serious and simple remote code execution vulnerability in the Android browser for more than 93 weeks.
Metasploit recently added an exploit module that targets the vulnerability, which was patched in 4.2.2 released one year ago. However, with carriers and device makers reticent to be quick with updates and security patches, close to three-quarters of the Android user base is at risk for attack. For some perspective, Android Central reports that KitKat, the latest version of Android, has yet to hit 2 percent adoption.
“I did a quick survey of the phones available today on the no-contract rack at a couple big-box stores, and every one that I saw were vulnerable out of the box,” said Rapid7 senior manager of engineering Tod Beardsley. “And yes, that’s here in the U.S., not some far-away place like Moscow, Russia.”
The exploit module, built by contributors Joe Vennix and Joshua Drake, could enable access to the device camera, location data, information stored on a SD card and even the user’s address book. Drake said he was recently able to get code execution on Google Glass using the exploit.
Rapid7 said an attacker would need to be man-in-the-middle on a device in order to exploit it, something its new exploit module simplifies. The company demonstrates the exploit in a video, which is triggered in this case by a malicious QR code the victim scans with their Android smartphone and opens a command shell for the attacker.
The best mitigation is to update Android to 4.2.2 or higher, but that isn’t always feasible for users. Device manufacturers and carriers control when updates are rolled out, despite the fact that Google is generally prompt with patches and updates.
The carriers and manufacturers have been under fire from privacy and security experts and even the U.S. Federal Trade Commission. Last April, the American Civil Liberties Union asked the FTC to investigate four major carriers, accusing them of deceptive business practices and knowingly selling defective phones to consumers that are shy on security updates and patches. The ACLU requested that the FTC force carriers to warn customers about unpatched vulnerabilities, allow customers with vulnerable phones to escape their contracts without early termination penalties, and provide that customers may exchange at no cost their phones for another that receives regular security updates, or return the phone for a full refund.
Last February, the FTC reached a damning settlement with device makers HTC America. The FTC forced HTC to enact expensive security enhancements that included regular security patches for Android devices, establish a security program that focuses on developer security, and submit to security assessments.
Cisco’s UCS Director infrastructure management product contains a set of default credentials that any remote attacker can exploit to take complete control of any vulnerable machine. The flaw is in UCS Director versions 184.108.40.206 and below.
The Cisco UCS Director software is designed to allow administrators to manage a variety of storage, networking, virtualization and other equipment. The company said that its internal security team discovered the vulnerability during testing of the product and isn’t aware of any public exploitation of the bug.
“The vulnerability is due to a default root user account created during installation. An attacker could exploit this vulnerability by accessing the server command-line interface (CLI) remotely using the default account credentials. An exploit could allow the attacker to log in with the default credentials, which provide full administrative rights to the system,” the Cisco advisory says.
The company has released a patch for the bug, pushed out as version 220.127.116.11 HOTFIX.
Cisco also released patches for vulnerabilities in a variety of other products, including the Cisco Unified SIP Phone 3905, Cisco IPS software and the Cisco Firewall Services Module software. The flaw in the SIP Phone 3905 is a vulnerability that allows a remote unauthenticated attacker to get root access to the phone. The issue is the result of an undocumented test interface in the TCP service on the phone, the kind of vulnerability that attackers love to get their hands on.
The flaws in the IPS software are all denial-of-service vulnerabilities and affect a variety of different Cisco products.
“The Cisco IPS Analysis Engine Denial of Service Vulnerability and the Cisco IPS Jumbo Frame Denial of Service Vulnerability could allow an unauthenticated, remote attacker to cause the Analysis Engine process to become unresponsive or crash. When this occurs, the Cisco IPS will stop inspecting traffic,” the advisory says.
“The Cisco IPS Control-Plane MainApp Denial of Service Vulnerability could allow an unauthenticated, remote attacker to cause the MainApp process to become unresponsive and prevent it from executing several tasks including alert notification, event store management, and sensor authentication. The Cisco IPS web server will also be unavailable while the MainApp process is unresponsive, and other processes such as the Analysis Engine process may not work properly.”
The Cisco Firewall Services Module software has a vulnerability that allows a remote, unauthenticated attacker to cause the system to crash and reload.
“The vulnerability is due to a race condition when releasing the memory allocated by the cut-through proxy function. An attacker could exploit this vulnerability by sending traffic to match the condition that triggers cut-through proxy authentication,” the advisory says.
Windows Error Reporting, also known as Dr. Watson reports, are Windows crash reports sent by default unencrypted to Microsoft, which uses them to fix bugs. The reports are rich with system data that Microsoft also uses to enhance user interaction with its products. Since, however, they are sent in clear text back to Redmond, they are also at risk for interception by hackers who can use the system data to blueprint potential vulnerabilities in order to ultimately exploit them.
While it may sound far-fetched, a German publication reported in late December that the U.S. National Security Agency was doing just that—using its XKeyscore tool to collect crash reports and target exploits accordingly.
The only mitigation is that Windows administrators must manually opt-out of sending crash reports back to Microsoft, something that isn’t happening on a large scale; Microsoft receives billions of these reports from 80 percent of its installed user base.
Security company Websense, in December, urged administrators to be proactive about these reports and use them as a first step in detecting advanced attacks against an organization since exploits generally cause applications to behave abnormally. The company released a report today that demonstrates exactly how to do that and said it was able to find advanced attacks in progress against a major cellular network operator and a Turkish government website. It also threw back the covers on another campaign targeting point-of-sale systems with a variant of the Zeus Trojan built to infect POS devices and backends.
The key is to differentiate between crashes that are indicative of exploits and those that are merely crashes due to a programming bug. For example, crashes that happen outside of programmable memory space could be an indication of an active exploit that enables remote code execution.
“It goes from a breadcrumb to something interesting,” said Alex Watson, director of security research at Websense.
Watson said his company collected 16 million Dr. Watson reports during a four-month period, looking for system crashes caused by previously unseen exploits against CVE-2013-3893, a use-after-free vulnerability in Internet Explorer 6-11 that was used in the Deputy Dog watering hole attacks against a number of companies in high-profile industries in Asia. Those failed processes leading to system crashes enabled Websense to fingerprint the damage caused by an exploit attempt.
Of the 16 million reports, five crash reports in four organizations matched the fingerprint Websense built that included memory locations where IE might crash if it were attacked using a CVE-2013-3893 exploit. As it turned out, both organizations were hit by the HWorm remote access Trojan used in targeted attacks. The RAT beaconed from both organizations at the same time as the failed exploit happened, Watson said.
“We were able to link the failed exploit attempt to the RAT to get some indicator of common techniques,” Watson said.
Websense said it also collected crash data from point-of-sale applications similar to those compromised in the Target and Neiman Marcus breaches by RAM scraper malware which steals credentials and payment card data from the device before it is encrypted and sent to the payment processor. A majority of the crash reports Websense used were from a clothing retailer in the Eastern United States, it said, which was infected with a variant of Zeus that zeroes in on POS devices and applications. Watson said the malware attempted to connect to command and control servers at the same time the applications crashed.
“Most exploits today force applications to behave in a way they’re not supposed to and they end up executing shell code and things like that,” Watson said. “With Microsoft rolling out advanced stuff like ASLR making it really hard for attackers to successfully execute exploits, there’s a much higher chance they’re going to fail. Once attackers gain a foothold in the network and make it past the perimeter-based security system, there’s a mindset that their content is no longer monitored by IPS systems and you’ll see attackers use the most direct path with exploits toward their target, thinking they’re not going to be monitored. Again, there’s a high chance of crashing applications on the network.”
There are at least two different groups running attacks exploiting the recently published zero day vulnerability in Internet Explorer 10, and researchers say one of the groups used the bug to impersonate a French aerospace manufacturer and compromise victims visiting the spoofed Web page. The attackers also used a special feature of their malware to change portions of the Windows host file to steal credentials when users visit secure sites.
Last week, researchers at FireEye identified a compromised page on the site of the Veterans of Foreign Wars and discovered that it was being used to exploit visitors using the IE zero day. The company said that the attack bore some resemblance to previous operations from a known group that also incorporated zero days. However, researchers at Seculert said that there also appears to have been a second, separate attack by an unaffiliated group of attackers.
“Our analysis reveals that a totally different malware than ZXShell, the culprit as identified by FireEye, was used and has the following capabilities: backdoor (Remote Access Tool), downloader, and information stealer (Figure 2). The malware drops 2 files: MediaCenter.exe – a copy of itself, and MicrosoftSecurityLogin.ocx, which is registered as an ActiveX – used by malware to steal information from browsing sessions. Once installed the malware communicates with a criminal command and control server (C&C). Seculert’s investigation has concluded that the C&C is hosted on the same server as the exploit, located in the United States. Moreover, typical red flags would remain unraised as the malware itself has a valid digital certificate. The certificate belongs to MICRO DIGITAL INC. and is valid since March 21, 2012,” Aviv Raff, CTO of Seculert, wrote in an analysis of the attack.
The attackers are using the malware to change the host files on infected machines and add in several secure domains for French aerospace companies. This kind of behavior has been seen in the past from attackers running so-called pharming campaigns, in which compromised machines are used to send traffic to phishing sites. This attack group is using the host-file modification for a different reason, though.
“But what is disturbing about this attack is that the same behavior accomplished a completely different goal. The domains that were added to the hosts file by the malware provide remote access to the employees, partners, and 3rd party vendors of a specific multinational aircraft and rocket engine manufacturer. The IPs added belong to the real remote access web servers and by adding the records to the hosts file the attackers ensured that there would be no DNS connectivity issues. Whenever the infected machines connect to the remote assets, the attackers are able to steal the sensitive credentials. This is the first time we have seen a malware change a hosts file for a purpose other than fraud perpetuated by pharming or for disabling access to specific websites,” Raff said.
Given the differences in the attack methodology and the malware used, as well as the C&C infrastructure, Raff said the logical conclusion is that there are two different groups using the IE 10 0-day.
“The main differences in this attack lead us to conclude that the group behind the attack is different than previously hypothesized,” Raff said.
Image from Flickr photos of Jeremy Seitz.
More than 300,000 credentials, usernames and passwords, were posted on the clipboard website Pastebin.com in the year 2013 alone according to a recent analysis by a Swiss security firm.
As part of an experiment to determine how big the hacking industry is, High-Tech Bridge, a company until now perhaps better known for spurring the formation of Yahoo’s bug bounty program last fall, scoured through information Pastebin users posted to the site during the last 12 months.
The group found 311,095 username/password pairs in total, a number that translates to about 1,000 user credentials per leak, according to a post on the firm’s site today.
At just shy of 41 percent of the leakages found, credentials belonging to email systems took the largest slice of the pie. In particular Gmail and Yahoo mail users accounted for nearly 50 percent of the compromised credentials. Users still clinging to Hotmail accounts and Russians who use the mail.ru platform followed up with about 8 percent and 5 percent of the compromised email log-ins.
The group also discovered something that anyone who’s ever been to the site has likely been able to deduce: There’s a lot of clutter to sift through as well.
The group found and filtered through a lot of what it calls “garbage,” mostly minor information leaks—breaches affecting groups fewer than 100 users, blatantly fake/forged claims of hacks and copies of previously reported hacks.
Administrators on the site regularly remove information, especially when it’s sensitive, so forensics experts at High-Tech used “Google’s cache and other tools” to track information that was previously removed.
Pastebin has long been thought of as a den of iniquity of sorts as far as websites go – the site has served as a treasure trove of secrets, sensitive information and as the folks at High-Tech Bridge have proved, plenty of usernames and passwords. In 2012, the site was a destination for hackers with Anonymous and Lulzsec, so much so the site’s owner said at the time he was planning to hire more staff to patrol the site to erase sensitive information.
While the 300,000 figure pales in comparison to the staggering amount of information stolen from Target in November and December, Ilia Kolochenko, High-Tech Bridge’s CEO, acknowledged that his firm’s research uncovered just a small part of the problem.
“These 300,000 [credentials] are just a small percentage of the stolen information posted publicly by hackers. It’s impossible to make a precise estimate of how many user accounts were really compromised, but I think we can speak about several hundreds of millions at least,” Kolochenko said.
Last October Kolochenko prompted Yahoo to revise its bug bounty program after he famously reported receiving two scant $12.50 company store discount codes for discovering a pair of cross-site scripting (XSS) bugs.
Facing a torrent of bad publicity, Yahoo revamped its policy and claimed going forward it would reward researchers who responsibly report “new, unique and/or high-risk issues” with between $150 to $15,000.
Yang Yu is no stranger to writing mitigation bypasses for Microsoft Windows products.
A year ago at the CanSecWest conference in Vancouver, the 35-year-old security researcher from Beijing did an extensive presentation on bypassing Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP) without return-oriented programming. ASLR and DEP are memory protection and code execution mitigations native to the Windows operating system.
Within five months, Microsoft had patched the vulnerability Yu had disclosed during the conference, marking the first time a mitigation bypass was treated as a vulnerability. Less than a year later, Yu’s research had paid off in a bigger way. On Friday, Microsoft announced that it had awarded Yu a $100,000 bounty for his submission of three variants on his bypasses. This was the second $100,000 payout since its program kicked off last summer.
“I do this for three reasons: the passion for technology; the love of challenge; and the bounty,” Yu said.
Microsoft has invested significant resources building exploit mitigations into not only Windows, but Internet Explorer as well. The mitigations target memory-corruption vulnerabilities such as buffer overflows that ultimately give hackers free run on the underlying system to run code of their choosing. The company’s bounty program rolled out in June 2013, challenging coders and defenders to come up with bypasses for mitigations such as ASLR and DEP which are then rolled into the Windows or IE codebase as a security enhancement.
Submissions for the bypass bounty, one of three offered by Microsoft, must demonstrate a new way of exploiting a remote code execution bug in Windows, making use of stack- and heap-corruption mitigations; there are seven criteria the submissions must meet.
Yu, who works for NSFOCUS, a security company in Beijing, said the techniques he submitted to Microsoft completely bypass DEP and ASLR, even under the watch of Microsoft Enhanced Mitigation Experience Toolkit (EMET). Ironically, last April, Yu found and reported a critical vulnerability in EMET v4 Beta, which was patched in June.
“[The mitigation bypasses are] Windows version independent, software version independent, even CPU independent in some cases,” Yu said. “I also submitted the relevant mitigation recommendations.”
The mitigation bypass bounty is one of three offered by Microsoft. Microsoft also awards the Blue Hat Bonus for Defense and previously, the Internet Explorer 11 Preview Bug Bounty. The Blue Hat Bonus for Defense pays up to $50,000 for defensive ideas that accompany a mitigation bypass; the IE bounty paid out up to $11,000 for critical vulnerabilities in the beta version of IE 11. The program was closed July 27.
The previous $100,000 winner, James Forshaw, won his prize in October. He collected for a bypass he developed that also eluded Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP).
“I think vulnerabilities are like bullets, and mitigation bypass techniques are like guns,” Yu said. “Trying to stop so [many] bullets is never better than destroying the gun.”
Linksys routers sold to consumers as a home or small office networking box are vulnerable to a simple exploit that could give an attacker remote access to the router. The vulnerabilities are wormable, yet are unrelated to the Moon worm reported last week by the SANS Institute.
Linksys, which was acquired by Belkin a year ago, was notified in July but has yet to deliver a fix, according to researcher Kyle Lovett.
Lovett said Linksys EA2700, EA3500, E4200 and EA4500 routers have an innate weakness through which during installation or upgrade, port 8083 is left open. An attacker would need to merely scan Shodan or another search engine for the open port on the respective models and be dropped into the remote administration GUI, bypassing existing authentication, Lovett said. Up to 30,000 routers have been found in scans, Lovett said. He added that port 443, through which HTTPS traffic passes, also shows as open during setup in order to allow non-volatile RAM (NVRAM) to pass data.
An attacker could then upload malicious code or tamper with configuration settings in order to redirect traffic. The vulnerability, though unconfirmed, appears to be with a number of vulnerable CGI scripts that can be exploited.
“What happens is during installation or upgrade, often times one of the CGI script hangs and doesn’t complete,” Lovett said. “The system then just bypasses the rest of the setup and operates as is.”
Four vulnerable scripts have been identified: fw_sys_up.cgi; override.cgi; share_editor.cgi; switch_boot.cgi.
“The port exploit is just a matter of scanning for an open port,” Lovett said. “Then someone could upload malicious code.”
Lovett reported the bug to Linksys last July and did a partial disclosure a month later to alert users after Linksys failed to produce a fix. Lovett said his last email to the company two weeks ago regarding the vulnerability went unanswered.
An advisory on Bugtraq, meanwhile, warns users not to rely on the router’s GUI to show the true status of remote access; the bug is present regardless of whether remote access is disabled by default.
“In the case of this bug, [remote access] gets switched on because of the CGI issue,” Lovett said. “By default, without the bug occurring, remote access is turned off. Honestly, I just don’t see the benefits of turning on remote access unless there is a very specific need. Most consumers don’t understand that turning that feature on, that they are in fact hosting a web site, which is subject to the same attacks and problems as other full websites.”
The Moon worm, reported last week by the SANS Institute, has also been spreading on Linksys routers. However only one of the products vulnerable to Moon overlaps with the vulnerability reported by Lovett–the E4200. Moon does, however, also exploit a vulnerable CGI script that allows remote access to flawed routers.
Moon connects to port 8080 and using the Home Network Administration Protocol (HNAP) used in Cisco devices, calls for a list of router features and firmware versions, Johannes Ullrich of SANS said. Once it learns what type of router it has infected, it exploits a vulnerable CGI script that allows it to access the router without authentication and begins scanning for other vulnerable boxes. SANS CTO Ullrich said researchers had not been able to find a malicious payload and were unsure whether a command and control connection is functional.
“There are about 670 different IP ranges that it scans for other routers. They appear to all belong to different cable modem and DSL ISPs. They are distributed somewhat worldwide,” Ullrich said. “We are still working on analysis what it exactly does. But so far, it looks like all it does is spread (which is why we call it a worm “It may have a ‘call-home’ feature that will report back when it infected new hosts.”
Linksys said its older E-series routers and Wireless-N access points ship with the Remote Management Access feature off by default and customers must enable it to be vulnerable.
“Customers who have enabled the Remote Management Access feature can prevent further vulnerability to their network by disabling the Remote Management Access feature and rebooting their router to remove the installed malware,” Linksys said in a statement. “Linksys will be working on the affected products with a firmware fix that is planned to be posted on our website in the coming weeks.”
AT&T, in its first transparency report, said that it received at least 2,000 National Security Letters and nearly 38,000 requests for location data on its subscribers in 2013.
The new report from AT&T is the latest in a growing list of publications from telecom companies, Web providers and cell phone carriers who have been under pressure from privacy advocates and security experts in the wake of the Edward Snowden NSA surveillance revelations. Telecoms had been resistant to providing such information in the past and it’s really only in the last month or so, since the Department of Justice loosened its restrictions on the way that companies can report NSL and Foreign Intelligence Surveillance Act requests that more companies have come around on the issue.
AT&T’s report shows a higher number of NSLs and subpoenas in 2013 than its most relevant competitor, Verizon. In January, Verizon’s first transparency report showed that the company received between 1,000 and 1,999 NSLs in 2013 and 164,000 subpoenas. AT&T said it got 2,000-2,999 NSLs and 248,343 subpoenas last year. AT&T also received nearly 37,000 court orders and more than 16,000 search warrants.
Interestingly, the number of demands for location information that AT&T received last year is pretty close to what Verizon saw. AT&T got nearly 38,000 requests for location information for its subscribers, including more than 12,500 requests for real time information. Verizon received about 35,000 requests for location data in 2013.
“We take our responsibility to protect your information and privacy very seriously, and we pledge to continue to do so to the fullest extent possible and always in compliance with the law of the country where the relevant service is provided. Like all companies, we must provide information to government and law enforcement agencies to comply with court orders, subpoenas, lawful discovery requests and other legal requirements. We ensure that these requests are valid and that our responses comply with the law and our own policies,” AT&T said in its report. “Interest in this topic has increased in the last year. As you might expect, we may make adjustments to our reporting processes and create ways to track forms of demands in the future.”
Of the more than 301,000 total criminal and civil requests from United States agencies that AT&T received in 2013, the company only rejected or challenged about 3,700 of them and provided partial or no data in about 13,700 cases.
The FISA request data in the AT&T report only covers the first six months of 2013, per the Department of Justice regulations, and it shows that the company received between 0-999 FISA requests for content covering more than 35,000 customer accounts. By contrast, the company got the same range of non-content requests, but they only covered fewer than 1,000 accounts.
Image from Flickr photos of Mike Mozart.
There has been a joke going around the tech industry for years about refrigerators and other home appliances one day being connected to the Internet and being able to order more milk for you or allow you to turn off your lights remotely. That day is today, and those Internet-connected devices–surprise!–have many of the same vulnerabilities that normal software applications and hardware devices have had for decades.
Security researchers who have had an increasingly difficult time in recent years finding major vulnerabilities in browsers or desktop applications are now finding that a little time spent on home-automation products can yield serious results. Researchers at IOActive found a series of vulnerabilities in the WeMo home automation products built by Belkin that enable them to gain remote control of connected devices, provide malicious firmware updates and gain access to the internal LAN.
The WeMo products, which include sockets, light switches, motion sensors and Web cams, allow users to connect to their monitored devices from a mobile device. They can monitor usage and turn various devices on and off. The vulnerabilities that the IOActive researchers uncovered relate to the way that WeMo pushes out firmware updates and implements the GPG encryption scheme.
“WeMo also uses a GPG-based, encrypted firmware distribution scheme to maintain device integrity during updates. Unfortunately, attackers can easily bypass most of these features due to the way they are currently implemented in the WeMo product line. The command for performing firmware updates is initiated over the Internet from a paired device. Also, firmware update notices are delivered through an RSS-like mechanism to the paired device, rather than the WeMo device itself, which is distributed over a non-encrypted channel. As a result, attackers can easily push firmware updates to WeMo users by spoofing the RSS feed with a correctly signed firmware,” IOActive principal research scientist Mike Davis wrote in an advisory on the vulnerabilities.
“The firmware updates are encrypted using GPG, which is intended to prevent this issue. Unfortunately, Belkin misuses the GPG asymmetric encryption functionality, forcing it to distribute the firmware-signing key within the WeMo firmware image. Most likely, Belkin intended to use the symmetric encryption with a signature and a shared public key ring. Attackers could leverage the current implementation to easily sign firmware images.”
Davis reported the vulnerabilities to US-CERT, which tried contacting Belkin, which did not respond. The WeMo devices use a protocol known as STUN to communicate, and was designed to bypass NAT firewalls. The way that WeMo uses the protocol, however, compromises the security of the devices and creates what IOActive called a “darknet” of WeMo devices that attackers can connect to directly.
“As we connect our homes to the Internet, it is increasingly important for Internet-of-Things device vendors to ensure that reasonable security methodologies are adopted early in product development cycles. This mitigates their customer’s exposure and reduces risk. Another concern is that the WeMo devices use motion sensors, which can be used by an attacker to remotely monitor occupancy within the home,” Davis said.
US-CERT also has published an advisory on these issues.
Attackers broke into the network of Kickstarter, the crowdfunding platform, and stole a variety of user data, including usernames, addresses, email addresses and encrypted passwords. Company officials didn’t specify exactly how many users were affected and said that “no credit card data of any kind was accessed by hackers.”
Kickstarter is a popular platform for raising funds for a variety of projects. Supporters pledge various amounts of money in return for certain levels of rewards from the creators of a project. Supporters enter their credit card information when creating an account, and their cards are charged once a specific project they have supported reaches its funding goal. Creators of projects such as Web comics, TV shows, robotic bartenders and books all seek funding on the site.
Officials at Kickstarter said that they were alerted to the intrusion by law-enforcement officials on Wednesday night. This is a common method of detection for data breaches. The Verizon Data Breach Investigation Report, a deep study of breaches at a variety of organizations, shows that 70 percent of breaches are discovered by third parties such as forensics teams, law-enforcement agencies and other security teams. Kickstarter officials were alerted to the compromise earlier this week and published details on the company blog Saturday.
“On Wednesday night, law enforcement officials contacted Kickstarter and alerted us that hackers had sought and gained unauthorized access to some of our customers’ data. Upon learning this, we immediately closed the security breach and began strengthening security measures throughout the Kickstarter system,” Yancey Strickler, CEO of Kickstarter, wrote.
So far, only two customers’ accounts have shown evidence of unauthorized activity. Strickler said that user passwords were encrypted. Older passwords were encrypted using the SHA-1 algorithm, and salted. Newer passwords were encrypted with Bcrypt. SHA-1 is an older hashing algorithm that has long been considered weak, and security experts have been warning organizations away from using it for several years. Bcrypt is a hashing function based on the Blowfish algorithm.
Kickstarter joins a long list of major Web companies that have faced data breaches in recent months, including Snapchat, Evernote, Dropbox and Yahoo. Attackers love to target companies with large user databases, knowing that users are lazy and will often reuse passwords on multiple sites. Attackers grabbing a password database at one company can sometimes lead to cascading problems for users at other sites.
Strickler said in his statement that users should change their passwords immediately.
“We’re incredibly sorry that this happened. We set a very high bar for how we serve our community, and this incident is frustrating and upsetting. We have since improved our security procedures and systems in numerous ways, and we will continue to do so in the weeks and months to come. We are working closely with law enforcement, and we are doing everything in our power to prevent this from happening again,” he said.
Microsoft has paid out another $100,000 bounty as part of its Security Response Center’s bounty program.
A researcher from Asia named Yang Yu was awarded the prize today for three mitigation bypass variants, Microsoft announced.
“This payout reflects the fact that we learned something new that will help us build more robust defenses, but it was built upon known mitigation bypass techniques,” a Microsoft spokesperson told Threatpost. Efforts to reach Yu in time for publication were not successful.
This is the second $100,000 bounty the program has paid out; more than $253,000 has been awarded to date since the program began last June 26.
The mitigation bypass bounty is one of three offered by Microsoft. It pays out up to $100,000 and rewards novel exploitation techniques against mitigations native to the latest version of Windows. Microsoft also awards the Blue Hat Bonus for Defense and previously, the Internet Explorer 11 Preview Bug Bounty.
The Blue Hat Bonus for Defense pays up to $50,000 for defensive ideas that accompany a mitigation bypass; the IE bounty paid out up to $11,000 for critical vulnerabilities in the beta version of IE 11. The program was closed July 27.
Little is known about Yu’s mitigation bypass. The previous $100,000 winner, James Forshaw, won his prize in October. He collected for a bypass he developed that eluded Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP), two memory exploit defenses native to Windows.
Last year, Forshaw won the Java portion of the Pwn2Own contest at the CanSecWest conference with an exploit for a vulnerability in a trusted class in the Java framework. The exploit allowed him to bypass the sandbox and execute code remotely. That Java bug was patched in April with the release of Java 7u21 and the researcher explained in a blogpost shortly thereafter that his code allowed him to disable the security manager in Java and run malicious code as trusted.
According to Microsoft, bypass submissions must demonstrate a novel way of exploiting a remote code execution vulnerability in Windows and must be capable of exploiting an application that makes use of stack- and heap-corruption mitigations as well as code-execution mitigations. The bypass must also meet seven criteria: it must be generic in that it’s applicable to more than one memory corruption vulnerability; the exploit must be reliable and have reasonable requirements; it must be applicable to a high-risk application such as a browser or document reader; it must be applicable to user mode applications; it must also target the latest version of a Microsoft product; and it must be novel, Microsoft said.
Attackers were able to compromise the U.S. Veterans of Foreign Wars’ website this week and serve up a previously unknown zero day exploit in Internet Explorer 10, and while motivation behind the campaign is still unclear, experts are speculating its aim was to procure military intelligence.
According to researchers at FireEye, the campaign, dubbed Operation SnowMan, follows in the footsteps of operations DeputyDog and Ephemeral Hydra, two campaigns that recently used IE zero days to carry out watering hole attacks, dropping remote access Trojans to takeover machines.
While a number of retired military personnel use the site, VFW.org, active military personnel also frequent it, potentially putting sensitive military information at risk.
FireEye noticed the “classic drive-by download” style attack on Tuesday after discovering that an iframe had been appended to the beginning of the website’s HTML code. The iframe contains a corrupted Flash object that goes on to trigger the IE 10 vulnerability, (CVE-2014-0322), a use-after-free bug in the browser.
From there the Flash file downloads a XOR-encoded payload from a remote server, decodes it and executes it.
According to FireEye it starts off as a .JPG image, then the .JPG is attached to the shellcode which is executed to produce two files, sqlrenew.txt and stream.exe, before its executed with a Windows API call.
Like DeputyDog, SnowMan deploys an HTTPS version of Gh0stRAT, a remote access Trojan that has been spotted connecting to some of the same IP addresses as DeputyDog. SnowMan can let the attacker modify one byte of memory at an arbitrary address, meaning it can also bypass ASLR, or Address Space Layout Randomization, along with DEP, Data Execution Prevention, both security features in Windows.
A quintet of researchers – Darien Kindlund, Dan Caselden, Xiabo Chen, Ned Moran and Mike Scott – described the campaign on FireEye’s blog yesterday, acknowledging that the time frame of the attack, “amid a paralyzing snowstorm at the U.S. Capitol in the days leading up to the Presidents Day holiday weekend,” could have helped the attackers.
Winter storm Pax forced much of the U.S. Capitol to shutter Thursday and Monday of course is a U.S. holiday, President’s Day, a time lapse that could give the attackers the window they need.
While the attack is targeted, Jerome Segura, a researcher with MalwareBytes, was able to reproduce the zero-day on Windows 7 on Internet Explorer 10 with the latest version of Flash Player today, showing how easy it may be for an attacker to replicate.
Users running IE 11 or using Microsoft’s Experience Mitigation Toolkit (EMET) are not at risk because the iframe will abort exploitation under those conditions. The attacker can easily diagnose whether the machine is running EMET by loading an XML string. If the parsed return code fails, it means EMET is not present and the attacker can proceed with the exploit.
According to FireEye the threat has several connections to the DeputyDog and Ephemeral Hydra campaigns. All of them use a zero-day to deliver a RAT and use a 0×95-encoded payload – obfuscated by a .JPG extension – among other traits.
Additonally there are a handful of infrastructure overlaps and connections between SnowMan, EphemeralHydra and DeputyDog, including similar domains and IPs. The code found in the Flash file and the way the shellcode is executed share similarities with the attacks as well, suggesting they may be intertwined.
Researchers at security firm Websense had also been looking into the zero day and published information about it shortly after FireEye on Thursday.
While Websense agrees with FireEye that the attack appears to have correlations with DeputyDog and EphemeralHydra, Websense claims it first saw it being used in exploits as far back as Jan. 20, about three weeks before FireEye noticed it.
Websense researchers Alex Watson and Victor Chin write that the attack could also be targeting the Groupement des Industries Francaises Aeronautiques et Spatiales (GIFAS) a French aerospace association.
According to the two, the exploit was at one point hosted and distributed via a (U.S.-based) site masquerading as GIFAS’ site, suggesting the French group, or those visiting its website may be a target in addition to those visiting the VFW website.
It’s a small difference but Websense’s analysis also notes that a malicious Shockwave file, not a Flash file, downloads the .JPG payload that leads to the attack.
Counting the US military this week, FireEye points out the threat actors have targeted a swathe of industries with the attacks including but not limited to: law firms, NGOs, mining companies, Japanese firms and IT companies.
FireEye discovered the DeputyDog attack, which also targeted Internet Explorer (both 8 and 9) and delivered a payload via an image file, back in September. That attack targeted Japanese media and government outlets via a watering hole attack, dropping a McRAT variant onto compromised computers.
Ephemeral Hydra, which came to light in November and and dropped a McRAT variant, this time on a U.S.-based non-governmental organization in order to secure “industry-specific intelligence.”
Microsoft has not yet issued an official security advisory about the vulnerability but it likely will soon, in addition to potentially releasing a workaround for IE 10 users. The company has announced it will not release an out-of-band patch for the vulnerability. Microsoft’s next scheduled Patch Tuesday update is March 11.
Microsoft acknowledged the vulnerability on Friday and until the update, encouraged users to update to IE 11.
“Microsoft is aware of limited, targeted attacks against Internet Explorer 10,” a Microsoft spokesperson said, “Our initial investigation has revealed that Internet Explorer 9 and Internet Explorer 10 are affected. We will take the necessary steps to protect customers; meanwhile, we recommend customers upgrade to Internet Explorer 11 for added protection.”
The news comes just a few days after the Microsoft released February’s Patch Tuesday update, including the last minute MS14-010 bulletin which addressed 24 vulnerabilities in the browser.
Hackers are targeting FTP upload sites with the hopes of redirecting victims to spam or even infecting webservers that rely on FTP applications for updates.
Hold Security reported yesterday it had secured a list of credentials for close to 7,800 FTP sites being circulated in cybercrime forums. The list includes high-profile targets all the way down to individual FTP servers that are exposed to the Internet and guarded only by default credentials, or access codes that have been stolen by botnets or other infections.
Founder and chief information security officer Alex Holden said he is unsure of the scale and damage of these attacks, or who might be behind them. A number of potential victims have been notified by Hold Security, Holden said.
“The signatures seem to be the same. Whether it’s a single group that has been doing this, or multiple groups, we don’t know,” Holden said. “We have been gathering information on the malware they distributed and with the malware, there is quite a bit of re-use and recycling. It’s hard to pinpoint it to a single group, especially if we don’t know the exact source of the data.”
Holden said there are two different attack vectors. One, hackers are uploading malicious PHP scripts to the FTP servers they have access to hoping the FTP server has some link to a webserver where it is used to upload content.
“Hacker’s cannot usually upload information to a website, but using FTP, they can upload [malware] and if there is a connection between FTP and the webserver, they can execute code and can actually take control over a webserver,” Holden said. “This is probably their end goal because the webserver gives them the ability to access data and the database.” Holden said the attackers have had limited success so far finding this type of connection.
The second exploit observed in these attacks are the uploading of HTML files onto the FTP server, which if opened via a browser, which is often the default client for looking at files on an FTP app or server, can redirect the victim to a hacker-controlled site. The files, Holden said, are named something innocuous, such as Pinterest, AOL, or something related to the victim’s company that would entice the victim to open the file. Holden said some victims have been redirected to malicious sites peddling prescription medication, pornography or even ransomware sites.
“This is why we think it may be more than one group,” Holden said. “There are different schemes going on.”
The list of FTP credentials has been compiled over some time and is being peddled recently on underground forums. PC World reported that the New York Times and UNICEF were among the high-profile victims; both have been notified and told the publication they were in the process of hardening their FTP servers.
Some others, worldwide, were also compromised, Holden said, but they are still in the process of notifying them. Holden said there were no major U.S. banks on the list, likely because FTP is not a secure means of file exchange and not used by financial organizations. He did say a number of media companies were on the list, however; companies in that industry are more likely to exchange graphics files over FTP.
Holden urges organizations to inspect their FTP deployments, scan them with antimalware agents and check for open deployments on the Internet.
A self-replicating worm is spreading among a number of different Linksys home and small business routers.
Researchers at the SANS Institute reported the outbreak yesterday and have not been able to determine whether there is a malicious payload or if the worm connects to a command and control server. Johannes B. Ullrich, chief technology officer at SANS said the worm appears at the moment to be doing little more than scanning for other vulnerable routers and seeding itself.
“The vulnerability allows the unauthenticated execution of arbitrary code on the router. We haven’t published all the details about the vulnerability yet as it appears to be unpatched in many routers,” Ullrich said, adding that Linksys has been notified.
Ullrich said an Internet service provider in Wyoming alerted SANS to the unusual network activity and SANS researchers were able to capture samples of the worm in its honeypots.
The worm has been dubbed The Moon because of a number of lunar references made in code strings that could be part of a command and control channel. SANS released an early list of vulnerable routers that could be vulnerable depending on the firmware version they’re running: E4200, E3200, E3000, E2500, E2100L, E2000, E1550, E1500, E1200, E1000, and E900.
After landing on the router, Moon connects to port 8080 and using the Home Network Administration Protocol (HNAP) used in Cisco devices, calls for a list of router features and firmware versions, Ullrich said. Once it learns what type of router it has infected, it exploits a vulnerable CGI script that allows it to access the router without authentication and begins scanning for other vulnerable boxes.
“There are about 670 different IP ranges that it scans for other routers. They appear to all belong to different cable modem and DSL ISPs. They are distributed somewhat worldwide),” Ullrich said. “We are still working on analysis what it exactly does. But so far, it looks like all it does is spread (which is why we call it a worm “It may have a ‘call-home’ feature that will report back when it infected new hosts.”
It’s unclear what the payload is or whether it’s receiving commands, Ullrich said.
“We haven’t exactly worked out the command and control part yet. There is some evidence of at least a reporting feature,” he said. “It may make changes to DNS settings like a lot of other router exploits, but this is still work in progress.”
Changing the DNS settings on the router will redirect traffic to an attacker controlled site or allow them to monitor traffic in transit. Users will know they could be compromised if they log heavy outbound scanning in port 80 and 8080 and whether there are inbound connections on miscellaneous ports lower than 1024. Ullrich wrote on the SANS Internet Storm Center site that users can ping:
echo “GET /HNAP1/ HTTP/1.1\r\nHost: test\r\n\r\n” | nc routerip 8080
If an XML HNAP output is returned, then the vulnerability is likely present, Ullrich said.
Ullrich said that until Linksys-Belkin releases a patch or new firmware, users can turn off remote administration as a mitigation. Running the latest firmware is advised, but Ullrich said it is unclear whether that will be a help with this vulnerability until a patch is ready. Users may also limit access to the remote administrator interface to specific IP addresses and change the port number of the administration interface to make it more difficult to find.
Dozens of phony SSL certificates were discovered this week mocking legitimate certs from banks, e-commerce sites, ISPs and social networks. If a user stumbled over one of the bogus certificates on a mobile device it could put them at risk for a man-in-the-middle attack.
Disguised as official certificates from Google, Facebook, GoDaddy, YouTube and iTunes, just to name a few, the certs aren’t signed, so it’s unlikely they’ll dupe anyone using a conventional browser. Still though, Netcraft, the British security firm that wrote about the fake certificates yesterday on its blog, is sounding the alarm for users who frequently use apps or other non-browser software to access the Internet that may not check the legitimacy of SSL certificates.
While the attacker would have to be on either the same network as the victim, or sharing the same internet connection to carry out such an attack, that hasn’t stopped the certificates from spreading.
Netcraft broke down a handful of them, describing each one’s intentions Wednesday.
For starters a Google certificate the group found is being served by a machine in Romania and claims to have been issued by the America Online Root Certification Authority 42, a non-existent authority trying to pass itself off as America Online. Netcraft rationalizes the certificate could be aimed at executing an attack against “a multitude of Google services”
Another certificate was found impersonating GoDaddy’s POP mail server, something that according to Netcraft, could allow capturing mail credentials, issuing password resets and stealing sensitive data.
Elsewhere a fake YouTube cert was spotted blocking access to the site for Pakistani citizens, a forged iTunes cert was discovered – potentially for use in a scam, and a fake Facebook cert was found redirecting users to a phishing site.
Netcraft notes that the Facebook app is safe from attacks using this particular fake certificate because it “properly validates SSL certificates and also uses certificate pinning to ensure that it is protected against fraudulently issued certificates.”
Netcraft also found fake certificates pretending to come from Russia’s second largest bank, Svyaznoy Bank and a large Russian payment provider, KIWI International Processing Services.
Paul Mutton, an online security expert with Netcraft, points out several recent studies that suggest mobile websites may be more vulnerable to attacks using these vectors than previously thought.
Either a lack of certificate checks or broken SSL certificate validation has plagued Amazon’s EC2 Java Library, Amazon/PayPal’s merchant SDKs and shopping carts like osCommerce and ZenCart, along with Steam.
Netcraft also points out that 40 percent of banking apps recently tested by IOActive didn’t properly “validate the authenticity of SSL certificates” presented to the server, according to research last month, making them a prime target for man-in-the-middle attacks.
Man-in-the-middle attacks are a type of Internet-eavesdropping attack wherein the attacker can gain access to, send and receive data meant to be sent to someone else.
In these cases an attacker would be able to eavesdrop on either the network or the connection to communicate with the user’s mobile device and sniff online banking traffic or credentials before they’re sent along to their final destination.