Tag Archives: attack

ZombieLoad v2 disclosed, affects newest Intel chips

Security researchers disclosed a new version of the ZombieLoad attack and warned that Intel’s fixes for the original threat can be bypassed.

The original ZombieLoad attack — a speculative execution exploit that could allow attackers to steal sensitive data from Intel processors — was first announced May 14 as part of a set of microarchitectural data sampling (MDS) attacks that also included RIDL (Rogue In-Flight Data Load) and Fallout. According to the researchers, they first disclosed ZombieLoad v2 to Intel on April 23 with an update on May 10 to communicate that “the attacks work on Cascade Lake CPUs,” Intel’s newest line of processors. However, ZombieLoad v2 was kept under embargo until this week.

“We present a new variant of ZombieLoad that enables the attack on CPUs that include hardware mitigations against MDS in silicon. With Variant 2 (TAA), data can still be leaked on microarchitectures like Cascade Lake where other MDS attacks like RIDL or Fallout are not possible,” the researchers wrote on the ZombieLoad website. “Furthermore, we show that the software-based mitigations in combinations with microcode updates presented as countermeasures against MDS attacks are not sufficient.”

One of the ZombieLoad researchers, Moritz Lipp, PhD candidate in information security at the Graz University of Technology in Austria, told SearchSecurity the problem with the patch for the initial MDS issues is that it “does not prevent the attack, just makes it harder. It just takes longer as the leakage rate is not that high.”

Lipp added that the team’s relationship with Intel has been improving over the past two years and the extended embargo was a direct result of ZombieLoad v2 affecting Cascade Lake processors.

In an update to the original ZombieLoad research paper, the researchers noted that the main advantage of variant two “is that it also works on machines with hardware fixes for Meltdown,” and noted that the attack requires “the Intel TSX instruction-set extension which is only available on selected CPUs since 2013,” including various Skylake, Kaby Lake, Coffee Lake, Broadwell and Cascade Lake processors.

Intel did not respond to questions regarding ZombieLoad v2 — which the company refers to as TSX Asynchronous Abort (TAA) — or the original MDS patch, and instead directed SearchSecurity to the company’s November 2019 Intel Platform Update blog post. In that blog post, Jerry Bryant, director of communications for Intel Product Assurance and Security, admitted Intel’s MDS mitigations fell short.

“We believe that the mitigations for TAA and MDS substantively reduce the potential attack surface,” Bryant wrote. “Shortly before this disclosure, however, we confirmed the possibility that some amount of data could still be inferred through a side-channel using these techniques (for TAA, only if TSX is enabled) and will be addressed in future microcode updates.”

In an attached “deep dive,” Intel also admitted the ZombieLoad v2 attack “may expose data from either the current logical processor or from the sibling logical processor on processors with simultaneous multithreading.”

The researchers also noted that with the range of CPUs affected, the attack could be performed both on PCs as well as in the cloud.

“The attack can be mounted in virtualized environments like the cloud as well across hyperthreads, if two virtual machines are each running on one of them,” Lipp told SearchSecurity. “However, typically huge cloud providers don’t schedule virtual machines anymore.”

Chris Goettl, director of product management, security at Ivanti, told SearchSecurity that while the research is interesting, the risks of ZombieLoad are relatively low.

“In a cloud environment a vulnerability like this could allow an attacker to glean information across many companies, true, but we are talking about a needle in a field of haystacks,” Goettl said. “Threat actors have motives and they will drive toward their objectives in most cases as quickly and easily as they possibly can. There are a number of information disclosure vulnerabilities that are going to be far easier to exploit than ZombieLoad.”

Lipp confirmed that in order to ensure the leak of sensitive data an attacker would need to ensure “a victim loads specific data, for instance triggering code that loads passwords in order to authenticate a user, an attacker can leak that.”

Ultimately, Goettl said he would expect Intel to continue to be reactive with side-channel attacks like ZombieLoad until there is “a precipitating event where any of these exploits are used in a real-world attack scenario.”

“The incomplete MDS patch probably says a little about how much effort Intel is putting into resolving the vulnerabilities. They fixed exactly what they were shown was the issue, but didn’t look beyond to see if something more should be done or if that fix could also be circumvented,” Goettl said. “As long as speculative execution remains academic Intel’s approach will likely continue to be reactive rather than proactive.”


We are taking new steps against broadening threats to democracy – Microsoft on the Issues

It’s clear that democracies around the world are under attack. Foreign entities are launching cyber strikes to disrupt elections and sow discord. Unfortunately, the internet has become an avenue for some governments to steal and leak information, spread disinformation, and probe and potentially attempt to tamper with voting systems. We saw this during the United States general election in 2016, last May during the French presidential election, and now in a broadening way as Americans are preparing for the November midterm elections.

Broadening cyberthreats to both U.S. political parties make clear that the tech sector will need to do more to help protect the democratic process. Last week, Microsoft’s Digital Crimes Unit (DCU) successfully executed a court order to disrupt and transfer control of six internet domains created by a group widely associated with the Russian government and known as Strontium, or alternatively Fancy Bear or APT28. We have now used this approach 12 times in two years to shut down 84 fake websites associated with this group. Attackers want their attacks to look as realistic as possible and they therefore create websites and URLs that look like sites their targeted victims would expect to receive email from or visit. The sites involved in last week’s order fit this description.

We’re concerned that these and other attempts pose security threats to a broadening array of groups connected with both American political parties in the run-up to the 2018 elections. That’s why today we are expanding Microsoft’s Defending Democracy Program with a new initiative called Microsoft AccountGuard. This initiative will provide state-of-the-art cybersecurity protection at no extra cost to all candidates and campaign offices at the federal, state and local level, as well as think tanks and political organizations we now believe are under attack. The technology is free of charge to candidates, campaigns and related political institutions using Office 365.

As a special master appointed by a federal judge concluded in the recent court order obtained by DCU, there is “good cause” to believe that Strontium is “likely to continue” its conduct. In the face of this continuing activity, we must work on the assumption that these attacks will broaden further. An effective response will require even more work to bring people and expertise together from across governments, political parties, campaigns and the tech sector.

An expansion of political targets

Last week’s order transferred control of the six internet domains listed below from Strontium to Microsoft, preventing Strontium from using them and enabling us to more closely look for evidence of what Strontium intended to do with the domains. These six domains are listed here:

List of six internet domains that were ordered transferred from Strontium to Microsoft

Importantly, these domains show a broadening of entities targeted by Strontium’s activities. One appears to mimic the domain of the International Republican Institute, which promotes democratic principles and is led by a notable board of directors, including six Republican senators and a leading senatorial candidate. Another is similar to the domain used by the Hudson Institute, which hosts prominent discussions on topics including cybersecurity, among other important activities. Other domains appear to reference the U.S. Senate but are not specific to particular offices. To be clear, we currently have no evidence these domains were used in any successful attacks before the DCU transferred control of them, nor do we have evidence to indicate the identity of the ultimate targets of any planned attack involving these domains.

Microsoft has notified both nonprofit organizations. Both have responded quickly, and Microsoft will continue to work closely with them and other targeted organizations on countering cybersecurity threats to their systems. We’ve also been monitoring and addressing domain activity with Senate IT staff the past several months, following prior attacks we detected on the staffs of two current senators.

Despite last week’s steps, we are concerned by the continued activity targeting these and other sites and directed toward elected officials, politicians, political groups and think tanks across the political spectrum in the United States. Taken together, this pattern mirrors the type of activity we saw prior to the 2016 election in the United States and the 2017 election in France.

Our new Microsoft AccountGuard initiative

AccountGuard will provide three services that will cover both organizational and personal email accounts:

  1. Threat notification across accounts. The Microsoft Threat Intelligence Center will enable Microsoft to detect and provide notification of attacks in a unified way across both organizational and personal email systems. For political campaigns and other eligible organizations, when an attack is identified, this will provide a more comprehensive view of attacks against campaign staff. When verifiable threats are detected, Microsoft will provide personal and expedited recommendations to campaigns and campaign staff to secure their systems.
  2. Security guidance and ongoing education. Officials, campaigns and related political organizations will receive guidance to help make their networks and email systems more secure. This can include applying multi-factor authentication, installing the latest security updates and guidance for setting up systems that ensure only those people who need data and documents can access them. AccountGuard will provide updated briefings and training to address evolving cyberattack trends.
  3. Early adopter opportunities. Microsoft will provide preview releases of new security features on a par with the services offered to our large corporate and government account customers.

You can read a more complete description of Microsoft AccountGuard in today’s blog by Tom Burt, the corporate vice president who heads Microsoft’s Customer Security and Trust group.

Microsoft’s Defending Democracy Program

Since we launched Microsoft’s Defending Democracy Program in April, we have focused on four priorities: protecting campaigns from hacking, protecting voting and the electoral process, increasing political advertising transparency, and defending against disinformation campaigns. In the coming months, we will offer AccountGuard in additional countries, as we continue to invest in and evolve other aspects of the Defending Democracy Program.

Our Defending Democracy Program is an important piece of our work to protect customers and promote cyberdiplomacy around the world. While cybersecurity starts with Microsoft and other companies in the tech sector, it’s ultimately a shared responsibility with customers and governments around the world. Together with our industry partners, we’ve launched the Cybersecurity Tech Accord, now endorsed by 44 leading tech companies to protect and empower civilians online and to improve the security, stability and resilience of cyberspace. And we will continue to call for stronger adherence to existing international norms and the creation of new international laws – like a Digital Geneva Convention.

As last week’s court order and today’s AccountGuard initiative reflect, we are committed not only to stronger principles and laws but stronger action as well.

A democracy requires vigilance

In 1787, as the American constitutional convention reached its conclusion in Philadelphia, Benjamin Franklin was asked as he departed Independence Hall what type of government the delegates had created. He famously replied, “A republic, if you can keep it.”

We can only keep our democratic societies secure if candidates can run campaigns and voters can go to the polls untainted by foreign cyberattacks.

Democracy requires vigilance and at times action by citizens to protect and maintain it. No individual or company can hope to meet this imperative by itself. We all need to do our part. We’re committed to doing our part by helping to protect candidates and campaigns in preserving their voices and votes no matter what party they support.


Report: ERP security is weak, vulnerable and under attack

ERP systems are seeing growing levels of attack for two reasons. First, many of these systems — especially in the U.S. — are now connected to the internet. Second, ERP security is hard. These systems are so complex and customized that patching is expensive, complicated and often put off. 

Windows systems are often patched within days, but users may wait years to patch some ERP systems. There are old versions of PeopleSoft and other ERP applications, for instance, that are out-of-date and connected to the internet, according to researchers at two cybersecurity firms, which jointly looked at the risks faced in ERP security.

These large corporate systems, which manage global supply chains and manufacturing operations, could be compromised and shut down by an attacker, said Juan Pablo Perez-Etchegoyen, CTO of Onapsis, a cybersecurity firm based in Boston.

“If someone manages to breach one of those [ERP] applications, they could literally stop operations for some of those big players,” Perez-Etchegoyen said in an interview. His firm, along with Digital Shadows, released a report, “ERP Applications Under Fire: How Cyberattackers Target the Crown Jewels,” which was recently cited as a must-read by the U.S. Computer Emergency Readiness Team within the Department of Homeland Security. This report looked specifically at Oracle and SAP ERP systems.

Warnings of security vulnerabilities are not new

Cybersecurity researchers have been warning for a long time that U.S. critical infrastructure is vulnerable. Much of the focus has been on power plants and other utilities. But ERP systems are managing critical infrastructure, and the report by Onapsis and Digital Shadows is seen as backing up a broader worry about infrastructure risks.

“The great risk in ERP is disruption,” said Alan Paller, the founder of SANS Institute, a cybersecurity research and education organization in Bethesda, Md.

If the attackers were just interested in extortion or gaining customer data, there are easier targets, such as hospitals and e-commerce sites, Paller said. What the attackers may be doing with ERP systems is prepositioning, which can mean planting malware in a system for later use.

In other words, attackers “are not sure what they are going to do” once they get inside an ERP system, Paller said. But they would rather get inside the system now, and then try to gain access later, he said.

The report by Onapsis and Digital Shadows found increased interest among hackers in ERP-specific vulnerabilities. This interest has been tracked on a variety of sources, including the dark web, which is a part of the internet accessible only through special networks.

Complexity makes ERP security difficult


The problem facing ERP security, Perez-Etchegoyen said, is “the complexity of ERP applications makes it really hard and really costly to apply patches. That’s why some organizations are lagging behind.”

SAP and Oracle, in emailed responses to the report, both said something similar: Customers need to stay up-to-date on patches.

“Our recommendation to all of our customers is to implement SAP security patches as soon as they are available — typically on the second Tuesday of every month — to protect SAP infrastructure from attacks,” SAP said.

Oracle pointed out that it “issued security updates for the vulnerabilities listed in this report in July and in October of last year. The Critical Patch Update is the primary mechanism for the release of all security bug fixes for Oracle products. Oracle continues to investigate means to make applying security patches as easy as possible for customers.”

One of the problems is knowing the intent of the attackers, and the report cited a full range of motives, including cyberespionage and sabotage by a variety of groups, from hacktivists to foreign countries.

Next wave of attacks could be destructive

But one fear is the next wave of major attacks will attempt to destroy or cause real damage to systems and operations.

This concern was something Edward Amoroso, retired senior vice president and CSO of AT&T, warned about.

In a widely cited open letter in November 2017 to then-President-elect Donald Trump, Amoroso said attacks “will shift from the theft of intellectual property to destructive attacks aimed at disrupting our ability to live as free American citizens.” The ERP security report’s findings were consistent with his earlier warning, he said in an email.

Foreign countries know that “companies like SAP, Oracle and the like are natural targets to get info on American business,” Amoroso said. “All ERP companies understand this risk, of course, and tend to have good IT security departments. But going up against military actors is tough.”

Amoroso’s point about the risk of a destructive attack was specifically cited and backed by a subsequent MIT report, “Keeping America Safe: Toward More Secure Networks for Critical Sectors.” The MIT report warned that attackers enjoy “inherent advantages owing to human fallibility, architectural flaws in the internet and the devices connected to it.”

NetSpectre is a remote side-channel attack, but a slow one

Researchers developed a new proof-of-concept attack on Spectre variant 1 that can be performed remotely, but despite the novel aspects of the exploit, experts questioned the real-world impact.

Michael Schwarz, Moritz Lipp, Martin Schwarzl and Daniel Gruss, researchers at the Graz University of Technology in Austria, dubbed their attack “NetSpectre” and claim it is the first remote exploit against Spectre v1 and requires “no attacker-controlled code on the target device.”

“Systems containing the required Spectre gadgets in an exposed network interface or API can be attacked with our generic remote Spectre attack, allowing [it] to read arbitrary memory over the network,” the researchers wrote in their paper. “The attacker only sends a series of crafted requests to the victim and measures the response time to leak a secret value from the victim’s memory.”

Gruss wrote on Twitter that Intel was given ample time to respond to the team’s disclosure of NetSpectre.

Gruss went on to criticize Intel for not designating a new Common Vulnerabilities and Exposures (CVE) number for NetSpectre, but an Intel statement explained the reason for this was because the fix is the same as Spectre v1.

“NetSpectre is an application of Bounds Check Bypass (CVE-2017-5753) and is mitigated in the same manner — through code inspection and modification of software to ensure a speculation-stopping barrier is in place where appropriate,” an Intel spokesperson wrote via email. “We provide guidance for developers in our whitepaper, ‘Analyzing Potential Bounds Check Bypass Vulnerabilities,’ which has been updated to incorporate this method. We are thankful to Michael Schwarz, Daniel Gruss, Martin Schwarzl, Moritz Lipp and Stefan Mangard of Graz University of Technology for reporting their research.”

Jake Williams, founder and CEO of Rendition Infosec, agreed with Intel’s assessment and wrote by Twitter direct message that “it makes sense that this wouldn’t get a new CVE. It’s not a new vulnerability; it’s just exploiting an existing vulnerability in a new way.”
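Intel’s statement above points to a software fix for Bounds Check Bypass. The added example below is my own code, not Intel’s or the Graz team’s: it shows the gadget shape a code review looks for next to a hardened version, and it uses branchless index masking in the style of the Linux kernel’s array_index_nospec() rather than the lfence barrier Intel’s whitepaper describes, so it stays portable C. The lookup table and function names are constructed for illustration.

```c
/* Added example (not from the article, Intel or the Graz researchers):
 * the Bounds Check Bypass pattern beside a hardened version. Instead of an
 * lfence barrier, the hardened form uses branchless index masking in the
 * style of the Linux kernel's array_index_nospec(), so the index is forced
 * to zero whenever it is out of range, even if the CPU speculates past the
 * bounds check. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TABLE_SIZE 16

/* Constructed sample data; in a real service this would be a lookup table
 * reachable from a network-facing API. */
static const uint8_t table[TABLE_SIZE] = {
    3, 1, 4, 1, 5, 9, 2, 6, 5, 3, 5, 8, 9, 7, 9, 3 };

/* The pattern a code review looks for: an untrusted index checked against a
 * bound, then used for a memory access. Architecturally this is safe, but
 * while the branch is being resolved the CPU may speculatively execute the
 * body with an out-of-range idx. */
uint8_t lookup_unprotected(size_t idx)
{
    if (idx < TABLE_SIZE)
        return table[idx];
    return 0;
}

/* Returns all ones when idx < size and zero otherwise, using only unsigned
 * arithmetic so the result does not depend on a branch. For idx and size
 * below 2^63: if idx < size both operands of the OR have a clear top bit, so
 * ~(...) has its top bit set; if idx >= size, size - 1 - idx wraps and sets
 * the top bit, so ~(...) has it clear. */
static inline size_t index_mask_nospec(size_t idx, size_t size)
{
    size_t top = ~(idx | (size - 1 - idx)) >> (sizeof(size_t) * 8 - 1);
    return (size_t)0 - top;   /* top == 1 -> SIZE_MAX, top == 0 -> 0 */
}

/* Clamp the index before it is used: an out-of-range idx becomes 0 even on a
 * mispredicted path, so no attacker-chosen address is dereferenced. */
size_t clamp_index_nospec(size_t idx, size_t size)
{
    return idx & index_mask_nospec(idx, size);
}

/* Hardened lookup: same bounds check, but the index that reaches the load
 * is masked, which is the "speculation-safe" shape a reviewer wants to see. */
uint8_t lookup_hardened(size_t idx)
{
    if (idx < TABLE_SIZE)
        return table[clamp_index_nospec(idx, TABLE_SIZE)];
    return 0;
}

int main(void)
{
    printf("in-range index 5  -> value %u\n", lookup_hardened(5));
    printf("out-of-range 40   -> clamped index %zu\n",
           clamp_index_nospec(40, TABLE_SIZE));
    return 0;
}
```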

The speed of NetSpectre

Part of the research that caught the eye of experts was the detail that when exfiltrating memory, “this NetSpectre variant is able to leak 15 bits per hour from a vulnerable target system.”

Kevin Beaumont, a security architect based in the U.K., explained on Twitter what this rate of exfiltration means.

Williams agreed and said that although the NetSpectre attack is “dangerous and interesting,” it is “not worth freaking out about.”

“The amount of traffic required to leak meaningful amounts of data is significant and likely to be noticed,” Williams wrote. “I don’t think attacks like this will get significantly faster. Honestly, the attack could leak 10 to 100 times faster and still be relatively insignificant. Further, when you are calling an API remotely and others call the same API, they’ll impact timing, reducing the reliability of the exploit.”

Gruss wrote by Twitter direct message that since an attacker can use NetSpectre to choose an arbitrary address in memory to read, the impact of the speed of the attack depends on the use case.

“Remotely breaking ASLR (address space layout randomization) within a few hours is quite nice and very practical,” Gruss wrote, adding that “leaking the entire memory is of course completely unrealistic, but this is also not what any attacker would want to do.”

Ticketmaster breach part of worldwide card-skimming campaign

The attack that caused the Ticketmaster breach of customer information last month was actually part of a widespread campaign that’s affected more than 800 e-commerce sites.

According to researchers at the threat intelligence company RiskIQ Inc., the hacking group known as Magecart has been running a digital credit card-skimming campaign that targets third-party components of e-commerce websites around the world.

At the end of June, ticket sales company Ticketmaster disclosed that it had been compromised and user credit card data had been skimmed. A report by RiskIQ researchers Yonathan Klijnsma and Jordan Herman said the Ticketmaster breach was not an isolated incident, but was instead part of the broader campaign run by the threat group Magecart.

“The target for Magecart actors was the payment information entered into forms on Ticketmaster’s various websites,” Klijnsma and Herman wrote in a blog post. “The method was hacking third-party components shared by many of the most frequented e-commerce sites in the world.”

A digital credit card skimmer, according to RiskIQ, uses scripts injected into websites to steal data entered into forms. Magecart “placed one of these digital skimmers on Ticketmaster websites through the compromise of a third-party functionality supplier known as Inbenta,” the researchers said, noting specifically that Ticketmaster’s network was not directly breached.

RiskIQ has been tracking the activities of Magecart since 2015 and said attacks by the group have been “ramping up in frequency and impact” throughout the past few years, and Ticketmaster and Inbenta are not the only organizations that have been affected by this threat.

According to Klijnsma and Herman, Inbenta’s custom JavaScript code was “wholly replaced” with card skimmers by Magecart.

“In the use of third-party JavaScript libraries, whether a customized module or not, it may be expected that configuration options are available to modify the generated JavaScript. However, the entire replacement of the script in question is generally beyond what one would expect to see,” they wrote.

RiskIQ also noted that the command and control servers to which the skimmed data is sent has been active since 2016, though that doesn’t mean the Ticketmaster websites were affected the entire time.

The Ticketmaster breach is just “the tip of the iceberg” according to Klijnsma and Herman.

“The Ticketmaster incident received quite a lot of publicity and attention, but the Magecart problem extends to e-commerce sites well beyond Ticketmaster, and we believe it’s cause for far greater concern,” they wrote. “We’ve identified over 800 victim websites from Magecart’s main campaigns making it likely bigger than any other credit card breach to date.”

In other news:

  • The U.K.’s Information Commissioner’s Office (ICO) is fining Facebook £500,000 — more than $600,000 — for failing to protect its users’ data from misuse by Cambridge Analytica. The ICO is also going to bring criminal charges against the parent company of Cambridge Analytica, which gathered the data of millions of Americans before the 2016 presidential election. The ICO has been investigating data privacy abuses like the one by Cambridge Analytica — which has since gone out of business — and its investigations will continue. The fine brought against Facebook is reportedly the largest ever issued by the ICO and the maximum amount allowed under the U.K.’s Data Protection Act.
  • Apple will roll out USB Restricted Mode as part of the new version of iOS 11.4.1. USB Restricted Mode prevents iOS devices that have been locked for over an hour from connecting with USB devices that plug into the Lightning port. “If you don’t first unlock your password-protected iOS device — or you haven’t unlocked and connected it to a USB accessory within the past hour — your iOS device won’t communicate with the accessory or computer, and, in some cases, it might not charge,” Apple explained. Apple hasn’t provided the reason for this feature, but it will make it more difficult for forensics analysts and law enforcement to access data on locked devices.
  • Security researcher Troy Hunt discovered an online credential stuffing list that contained 111 million compromised records. The records included email addresses and passwords that were stored on a web server in France. The data set Hunt looked at had a folder called “USA” — though it has not been confirmed whether or not all the data came from Americans — and the files had dates starting in early April 2018. “That one file alone had millions of records in it and due to the nature of password reuse, hundreds of thousands of those, at least, will unlock all sorts of other accounts belonging to the email addresses involved,” Hunt said. The site with this information has been taken down, so it’s no longer accessible. Hunt also said there’s no way to know which websites leaked the credentials and suggests users implement password managers and make their passwords stronger and more unique.

TLBleed attack can extract signing keys, but exploit is difficult

An interesting, new side-channel attack abuses the Hyper-Threading feature of Intel chips and can extract signing keys with near-perfect accuracy. But both the researchers and Intel downplayed the danger of the exploit.

Ben Gras, Kaveh Razavi, Herbert Bos and Cristiano Giuffrida, researchers at Vrije Universiteit’s systems and network security group in Amsterdam, said their attack, called TLBleed, takes advantage of the translation lookaside buffer cache of Intel chips. If exploited, TLBleed can allow an attacker to extract the secret 256-bit key used to sign programs, with a success rate of 99.8% on Intel Skylake and Coffee Lake processors and 98.2% accuracy on Broadwell Xeon chips.

However, Gras tweeted that users shouldn’t be too scared of TLBleed, because while it is “a cool attack, TLBleed is not the new Spectre.”

“The OpenBSD [Hyper-Threading] disable has generated interest in TLBleed,” Gras wrote on Twitter. “TLBleed is a new side-channel in that it shows that (a) cache side-channel protection isn’t enough: TLB still leaks information; (b) side-channel safe code that is constant only in the control flow and time but not data flow is unsafe; (c) coarse-grained access patterns leak more than was previously thought.”

Justin Jett, director of audit and compliance for Plixer LLC, a network traffic analysis company based in Kennebunk, Maine, said TLBleed is “fairly dangerous, given that the flaw allows for applications to gain access to sensitive memory information from other applications.” But he noted that exploiting the issue would prove challenging.

“The execution is fairly difficult, because a malicious actor would need to infect a machine that has an application installed that they want to exploit. Once the machine is infected, the malware would need to know when the application was executing code to be able to know which memory block the sensitive information is being stored in. Only then will the malware be able to attempt to retrieve the data,” Jett wrote via email. “This is particularly concerning for applications that generate encryption keys, because the level of security that the application is trying to create could effectively be reduced to zero if an attacker is able to decipher the private key.”

Intel also downplayed the dangers associated with TLBleed; the company has not assigned a CVE number and will not patch it.

“TLBleed uses the translation lookaside buffer, a cache common to many high-performance microprocessors that stores recent address translations from virtual memory to physical memory. Software or software libraries such as Intel Integrated Performance Primitives Cryptography version U3.1 — written to ensure constant execution time and data independent cache traces should be immune to TLBleed,” Intel wrote in a statement via email. “Protecting our customers’ data and ensuring the security of our products is a top priority for Intel, and we will continue to work with customers, partners and researchers to understand and mitigate any vulnerabilities that are identified.”

Jett noted that even if Intel isn’t planning a patch, it should do more to alert customers to the dangers of TLBleed.

“Intel’s decision to not release a CVE number is odd at best. While Intel doesn’t plan to patch the vulnerability, a CVE number should have been requested so that organizations could be updated on the vulnerability and software developers would know to write their software in a way that may avoid exploitation,” Jett wrote. “Without a CVE number, many organizations will remain unaware of the flaw.”

The researchers plan to release the full paper this week. And, in August, Gras will present on the topic at Black Hat 2018 in Las Vegas.

Trisis ICS malware was publicly available after attack

The malware used in an industrial control system attack in December has been found circulating publicly on the internet after being copied from an online database.

The Trisis industrial control system (ICS) malware was first disclosed by FireEye’s Mandiant threat research team on Dec. 14, 2017 after an attack on an unknown organization. The malware specifically targeted the Triconex Safety Instrumented System (SIS) controllers made by Schneider Electric and has been called either Triton or Trisis because of this. One week after the initial reveal by Mandiant, Schneider Electric reportedly posted a file containing sensitive pieces of the Trisis malware framework to VirusTotal — an antivirus scan database owned by Google — on Dec. 22nd.

Cyberscoop, which first reported the story, said Schneider Electric quickly received a notice to remove the file from VirusTotal, but before the file could be removed it had already been copied and reposted to other code repositories like GitHub and has been freely available ever since.

Although the Trisis framework accidentally posted by Schneider Electric by itself would not be enough to recreate the ICS malware, the main Trisis executable — Trilog.exe — had also been published.

Paul Brager Jr., technical product security leader at Baker Hughes, based in Houston, Texas, and former cybersecurity project manager focused on ICS at Booz Allen Hamilton, said “it is highly conceivable that variants of Trisis could surface that are tailored toward control systems by Siemens, Rockwell Automation, Honeywell or other digital industrial manufacturers.”

“Because most control environments are not homogenous, patching one series of vulnerabilities for a particular manufacturer does not necessarily lessen the exposure to the infrastructure from something like Trisis, or a variant therein,” Brager told SearchSecurity. “What we are seeing is an effort to engage control systems not only at the constituent components, but the underlying systems that seek to manage those control environments. Just as Trisis was written to target a specific Schneider SIS, there is nothing preventing nation-state actors with the means and resources from refashioning Trisis to target any SIS or other ICS subsystem with vulnerabilities that can be exploited.”

Eddie Habibi, founder and CEO of PAS Global, an ICS cybersecurity company headquartered in Houston, Texas, said the problem is that “there are two speeds in ICS cybersecurity — industry speed and hacker speed.” 

“Hackers can move much more quickly than industry. Industry may not patch a system for months or ever, depending on assessed risk,” Habibi told SearchSecurity. “Although this may sound ominous, industry does have safeguards in place that protect reliability and safety. The problem is that hackers are learning more about these systems and how to manipulate them as we saw in the Trisis attack.”

Bryan Singer, director of industrial cybersecurity services at IOActive, the cybersecurity company headquartered in Seattle, Wash., said the threat of Trisis being repurposed may not have sunk in with organizations.

“Wake-up calls haven’t woken anybody up. In watershed moments such as Equifax, Target and Triconex, everyone freaks out but doesn’t do anything,” Singer told SearchSecurity. “We’ll see a lot of the same here — people like to dismiss the threat and think it won’t happen because they’re not being targeted. IT proves this completely untrue. There are far too many attack mechanisms to say it won’t happen to us.”

ICS patching issues

Experts noted that if organizations don’t fully recognize the threat, it may be even more difficult to harden security because of the inherent differences in patching ICS.

Brager noted that patching in ICS environments can be especially tricky since “many of the components, applications, and services are proprietary and highly interdependent.”

“Because of the critical process potential of ICS systems and their components, significant testing is usually required to ensure that an applied patch yields an expected outcome and does not interfere with, or degrade in any fashion, the operations of the control system,” Brager said. “This requirement and diligence typically extends out the patching cycle within [operational technology (OT)] environments, often months, and ultimately depends on the ability to patch and the resource availability to do so.”

Emily Miller, director of national security and critical infrastructure programs at Mocana, and formerly the chief of process management for the DHS ICS Cyber Emergency Response Team, said the flaws that allowed the Trisis attack were not an inherent vulnerability in the device, but “due to poor cyber hygiene.”

“In operational environments patching is tricky business — remember, in OT we’re talking about devices that control physical processes that can impact lives, not just bits and bytes of data,” Miller told SearchSecurity. “Quickly patching devices, as you would expect to see in an IT environment, can have real, catastrophic consequences in an operational environment.”

ICS defense

Brager said that traditionally ICS systems are kept isolated from external networks but growing interconnectivity is making security more difficult.

“For many years, ICS environments were largely thought to be physically and logically isolated from other networks and/or environments. Connectivity was largely a function of interconnected buses and short-run links that allowed communication through a closed loop architecture,” Brager said. “Network enablement of components within ICS expanded the threat landscape exponentially, as systems that were not originally designed to be internet/network facing, suddenly were — and the facilities needed to patch these devices were largely immature and arduous.”

Habibi agreed that isolating ICS is no longer a sufficient security strategy.

“After years of reconnaissance, the bad guys have shown they can penetrate those defensive layers, bridge the illusory air gap, and take deliberate control over process. CRASHOVERRIDE did not need a vulnerability to bring down power in the Ukraine — only ICS and process knowledge that had been built over time,” Habibi said. “A successful Trisis-like attack, under certain circumstances, can lead to a catastrophic accident. Consider a scenario where a skilled malicious attacker breaches a Triconex system, which is designed to safely shut down a reactor in a fluid catalytic cracking unit in a refinery, by bypassing the trip function. This simple change could act as a time bomb and remove the failsafe that ultimately protects the plant from a catastrophic event.”

Miller said the Trisis attack is “more evidence that we need to start approaching this problem differently.”

“Rather than continuing to chase vulnerabilities and trying to implement an IT approach to OT security, we should instead think about how we can make critical devices inherently secure and more difficult for hackers to gain access,” Miller said. “Without access to an ICS device, hackers cannot begin to take advantage of a vulnerability. Certainly, defense in depth methodologies and good cyber hygiene are a part of the solution, but what happens when those techniques fail, and the actors can remotely access a device and potentially manipulate it?”

CCleaner malware spread via supply chain attack

Researchers discovered a popular system maintenance tool was the victim of a supply chain attack that put potentially millions of users at risk of downloading a malicious update.

CCleaner is a tool designed to help consumers perform basic PC maintenance functions like removing cached files, browsing data and defragmenting hard drives. CCleaner is made by Piriform Ltd., a UK-based software maker that was acquired by antivirus company Avast Software in July. The compromised update of the tool was first discovered by Israeli endpoint security firm Morphisec following an investigation that began on Sept. 11th, but the company claims it began blocking the CCleaner malware at customer sites on Aug. 20th.

“A backdoor transplanted into a security product through its production chain presents a new unseen threat level which poses a great risk and shakes customers’ trust,” wrote Michael Gorelik, vice president of research and development at Morphisec in a blog post. “As such, we immediately, as part of our responsible disclosure policy, contacted Avast and shared all the information required for them to resolve the issue promptly. Customers’ safety is our top concern.”

The CCleaner malware gathered information about systems and transmitted it to a command and control (C&C) server; it was reportedly downloaded by users for close to one month from August 15 to September 12, according to Morphisec. However, Avast noted that the CCleaner malware was limited to running on 32-bit systems and would only run if the affected user profile had administrator privileges.

Avast said CCleaner claims to have more than 2 billion downloads and adds new users at a rate of 5 million per week, but because only the 32-bit and cloud versions of CCleaner were compromised, the company estimated just 2.27 million users were affected.

Impact of the CCleaner malware

A team of researchers at Cisco Talos, which included Edmund Brumaghin, threat researcher, Ross Gibb, senior information security analyst, Warren Mercer, technical leader, Matthew Molyett, research engineer, and Craig Williams, senior technical leader, discovered and analyzed the CCleaner malware soon after Morphisec. According to the Cisco Talos team, Avast unwittingly distributed legitimate signed versions of CCleaner and CCleaner Cloud which “contained a multi-stage malware payload that rode on top of the installation.”

“This is a prime example of the extent that attackers are willing to go through in their attempt to distribute malware to organizations and individuals around the world. By exploiting the trust relationship between software vendors and the users of their software, attackers can benefit from users’ inherent trust in the files and web servers used to distribute updates,” Talos researchers wrote in their analysis. “In many organizations data received from commonly software vendors rarely receives the same level of scrutiny as that which is applied to what is perceived as untrusted sources. Attackers have shown that they are willing to leverage this trust to distribute malware while remaining undetected.”

James Maude, senior security engineer for Avecto, a privilege management software maker, said it was especially concerning that the CCleaner malware included the official code signature from Avast.

“Given that CCleaner is designed to be installed by a user with admin rights, and the malware was not only embedded within it but also signed by the developer’s own code signing certificate (giving it a high level of trust), this is pretty dangerous,” Maude told SearchSecurity via email. “This means that the malware, and therefore the attacker, would have complete control of the system and the ability to access almost anything they wanted. What makes this attack particularly worrying is the volume of downloads this software receives leaving a huge number of users exposed.”

Itsik Mantin, director of security research at security software company Imperva, said the CCleaner malware incident shows “there’s not much users can do when the vendor gets infected.”

“This hack creates a new reality where users need to assume that their desktops, laptops and smartphones are infected, which has been the reality for security officers at organizations in the last years,” Mantin told SearchSecurity. “For organizations, this does not really matter as security officers are accustomed to the reality that they should always assume the attackers are in, are looking for ways to spread the infection within the organization and are searching for business sensitive data to steal or corrupt.”

Avast response to the CCleaner malware incident

Vince Steckler, CEO of Avast Software, and Ondřej Vlček, executive vice president and general manager of the consumer business unit, released a statement saying the company remediated the issue within 72 hours of becoming aware of the problem by releasing a clean update without the malware. They also stated that Avast worked with law enforcement to shut down the CCleaner malware C&C server on Sept. 15th.

The Avast execs downplayed their company’s involvement by saying they “strongly suspect that Piriform was being targeted while they were operating as a standalone company, prior to the Avast acquisition,” and that the compromise “may have started on July 3rd,” two weeks before Avast’s acquisition of Piriform was complete. Avast also claimed the compromised update took four weeks to discover due to “the sophistication of the attack.”

Avast asserted users “should upgrade even though they are not at risk as the malware has been disabled on the server side,” and claimed it was unnecessary to follow the suggestions by Talos and other experts to restore systems to a date before Aug. 15, 2017 to ensure removal of the CCleaner malware.

“Based on the analysis of this data, we believe that the second stage payload never activated, i.e. the only malicious code present on customer machines was the one embedded in the ccleaner.exe binary,” Steckler and Vlček wrote. “Therefore, we consider restoring the affected machines to the pre-August 15 state unnecessary. By similar logic, security companies are not usually advising customers to reformat their machines after a remote code execution vulnerability is identified on their computer.”

Supply chain attacks

Experts said the CCleaner malware incident should be a reminder of the dangers of supply chain attacks.

Marco Cova, senior security researcher at malware protection vendor Lastline, said the recent NotPetya attacks were another case of a supply chain attack “where an otherwise trusted software vendor gets compromised and the update mechanism of the programs they distribute is leveraged to distribute malware.”

“This is sort of a holy grail for malware authors because they can efficiently distribute their malware, hide it in a trusted channel, and reach a potentially large number of users,” Cova told SearchSecurity. “It appears that the build process of CCleaner itself was compromised: that is, attackers had access to the infrastructure used to build the software itself. This is very troublesome because it indicates that attackers were able to control a critical piece of the infrastructure used by the vendor.”

Jonathan Cran, vice president of product at Bugcrowd, told SearchSecurity the CCleaner malware issue appeared to be “less of a traditional supply chain attack and more of a case of poor vendor security. Given that the affected installer was signed as a verified safe binary by Piriform, this indicates that they didn’t realize at the time of release and that the corporate network of Piriform was likely compromised.”

Justin Fier, director for cyber intelligence and analysis at threat detection company Darktrace, said this “should come as yet another wake-up call that corporations must have visibility into how their suppliers interact with their systems, as well as a real-time assessment of their suppliers’ cyber risk.”

“The risk that companies inherit from their suppliers is a pervasive problem for cybersecurity. Quite simply, companies with a supply chain cannot avoid compromises — supply chain breaches are inevitable,” Fier told SearchSecurity. “The assessment of potential supply chain partners is often a rushed process in terms of evaluating their cyber security level, and is rarely as in-depth as it should be. While we can’t change the security posture of our supply chains, we can have a transparent relationship when it comes to cyber risk.”
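The trust problem Maude and Cova describe has a practical counterpart in what a receiving organization can check for itself: a valid code signature proves only that the vendor’s key signed the file, not that the build behind it was clean. The following is an added example, not code from the article or from Avast, Piriform or Talos. It is a Python script that verifies a downloaded installer against a SHA-256 digest published out of band (a vendor release page, an internal build record) and against a blocklist of known-bad digests from threat intelligence, so that the signature alone never yields a pass. The file contents, digests and file names are constructed for the demonstration and are not real CCleaner hashes.

```python
"""Out-of-band integrity check for a vendor-supplied installer.

Added example; not code from the article or from Avast, Piriform or Talos.
Assumes digests arrive over a channel separate from the download itself
and that a blocklist of known-bad digests is maintained from threat intel.
Every file body and digest below is constructed for the demonstration.
"""
import hashlib
import hmac
import os
import tempfile


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large installers need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def classify_artifact(path, expected_hex, known_bad):
    """Return 'ok', 'mismatch', 'known-bad' or 'missing' for one downloaded artifact.

    The out-of-band digest is the independent evidence that the bytes on disk are
    the bytes the vendor meant to ship; a code signature is not consulted at all.
    """
    if not os.path.isfile(path):
        return "missing"
    actual = sha256_file(path)
    # Blocklist wins: a known-bad file is never 'ok', even if its digest was
    # pasted into the manifest by mistake.
    if any(hmac.compare_digest(actual, bad.lower()) for bad in known_bad):
        return "known-bad"
    # compare_digest avoids leaking how many leading hex characters matched.
    if hmac.compare_digest(actual, expected_hex.lower()):
        return "ok"
    return "mismatch"


def verify_manifest(directory, manifest, known_bad=frozenset()):
    """Classify every artifact named in the manifest (name -> expected SHA-256 hex)."""
    return {
        name: classify_artifact(os.path.join(directory, name), expected, known_bad)
        for name, expected in manifest.items()
    }


def demo():
    """Write constructed installers to a temp dir, verify them, return the verdicts."""
    clean = b"MZ" + b"\x00" * 62 + b"constructed clean installer body\n"
    # Same prefix, extra bytes spliced in by a compromised build step (constructed).
    tampered = clean + b"constructed second-stage loader appended at build time\n"
    # A variant whose digest threat intel has already published (constructed).
    flagged = clean + b"constructed variant already on the blocklist\n"
    clean_digest = hashlib.sha256(clean).hexdigest()
    manifest = {
        "installer-clean.exe": clean_digest,
        "installer-tampered.exe": clean_digest,   # vendor published the clean digest
        "installer-flagged.exe": hashlib.sha256(flagged).hexdigest(),  # wrongly pinned
        "installer-absent.exe": hashlib.sha256(b"never downloaded").hexdigest(),
    }
    known_bad = {hashlib.sha256(flagged).hexdigest()}
    with tempfile.TemporaryDirectory() as directory:
        for name, body in (("installer-clean.exe", clean),
                           ("installer-tampered.exe", tampered),
                           ("installer-flagged.exe", flagged)):
            with open(os.path.join(directory, name), "wb") as fh:
                fh.write(body)
        return verify_manifest(directory, manifest, known_bad)


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The check is only as good as the channel the digests arrive over; if the manifest is fetched from the same compromised update server as the installer, an attacker who controls the build can publish matching digests for the tampered file, which is why the blocklist is consulted first and why the manifest should come from a separate source.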

Educate users to avert email phishing attacks

Cybercriminals use more sophisticated and efficient email phishing methods to attack businesses, forcing IT teams to protect systems from frequent and costly data breaches and infections. But security tools aren’t enough to stop advanced threats.

Ransomware and other malicious code often slip through the IT defensive perimeter — despite IT’s best efforts. Several recent attacks occurred when unsuspecting users clicked on a link or opened an email attachment that ran malicious code and infected the computer. IT departments use several tools to reduce these threats, but attackers shift tactics constantly and not all security components can block every threat.

Don’t rely on technology; take a more human approach to defend the business and educate users. These four critical steps will build a successful security culture and awareness within an organization.

Create a human security layer

Chief information security officers recognize that no single security initiative or measure will block every threat; those tactics exist to diminish the risks associated with an attack. Even with security tools, unsuspecting users could inadvertently give away credentials and cause a data breach.

To bolster protection, train and educate employees about lurking threats, which come in different flavors and different approaches. To prepare employees, IT must teach them what to look for in phishing attempts and what to avoid in email messages. Some organizations make security training mandatory or part of a yearly review.

Perform regular security audits

IT performs audits to uncover security gaps within the environment. In addition to performing a technical audit, use a third-party service, such as KnowBe4, to send a fake spear phishing attempt via email to all users. The service then reports back to IT on who responded or clicked on the links. IT can give those employees additional training.

Open up feedback to collect and document new threats

With email attacks, cybercriminals pose as an employee or encourage the end user to open a document or link. As attack strategies continuously evolve, IT must keep up to date on new methods before it can devise a strategy to defend against them. Encourage users to report suspicious email messages to a designated IT resource. This helps the organization catalog attack methods.
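The impersonation patterns this step asks users to report can be triaged automatically before a human looks at them. The following is an added example and not code from the article: a Python checker that parses a reported message’s headers and flags an employee’s display name on an external address, a sender domain that merely looks like the organization’s own, and a Reply-To that steers answers elsewhere. The internal domain, the employee names and the four sample messages are constructed for the demonstration.

```python
"""Header-level triage for user-reported email.

Added example, not from the article. The internal domain, the employee
directory and the sample messages are constructed for the demonstration.
"""
import email
from email.utils import parseaddr

INTERNAL_DOMAINS = {"example.com"}                  # constructed: the organisation's domain
EMPLOYEE_NAMES = {"Jane Doe", "Accounts Payable"}   # constructed: names an attacker might borrow

# Substitutions that make a lookalike domain read like the real one.
CONFUSABLE_PAIRS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def normalize_domain(domain):
    """Collapse common homoglyph tricks so 'exarnple.c0m' compares equal to 'example.com'.

    Deliberately aggressive: it also maps a legitimate 'modern.com' to 'modem.com',
    which is acceptable for a triage heuristic whose output a human reviews.
    """
    folded = domain.strip().lower()
    for lookalike, real in CONFUSABLE_PAIRS:
        folded = folded.replace(lookalike, real)
    return folded


def domain_of(address):
    """Return the domain part of an address, lower-cased, or '' if absent."""
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def analyze_message(raw, internal_domains=INTERNAL_DOMAINS, employees=EMPLOYEE_NAMES):
    """Return a sorted list of finding tags for one RFC 5322 message."""
    msg = email.message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    findings = set()

    # 1. Display name borrowed from an employee, but the address is external.
    known_names = {n.casefold() for n in employees}
    if from_name.strip('"').casefold() in known_names and from_domain not in internal_domains:
        findings.add("display-name-spoof")

    # 2. Sender domain is not ours but normalises to one of ours.
    internal_normalized = {normalize_domain(d) for d in internal_domains}
    if (from_domain and from_domain not in internal_domains
            and normalize_domain(from_domain) in internal_normalized):
        findings.add("lookalike-domain")

    # 3. Replies are steered to a different domain than the one the mail claims to come from.
    reply_to = msg.get("Reply-To")
    if reply_to:
        reply_domain = domain_of(parseaddr(reply_to)[1])
        if reply_domain and reply_domain != from_domain:
            findings.add("reply-to-mismatch")

    return sorted(findings)


# Constructed sample messages, as a user might forward them to the reporting mailbox.
SAMPLES = {
    "legit_internal": (
        "From: Jane Doe <jane.doe@example.com>\n"
        "To: staff@example.com\nSubject: Q3 budget review\n\nAgenda attached.\n"
    ),
    "display_name_spoof": (
        "From: Jane Doe <jane.doe.ceo@webmail-provider.test>\n"
        "To: accounts@example.com\nSubject: Urgent wire\n\nPlease process today.\n"
    ),
    "lookalike_with_replyto": (
        "From: IT Helpdesk <helpdesk@exarnple.com>\n"
        "Reply-To: collect@mailbox-relay.test\n"
        "To: staff@example.com\nSubject: Password expiry\n\nVerify your password at the link.\n"
    ),
    "digit_lookalike_and_name": (
        "From: Accounts Payable <payroll@examp1e.com>\n"
        "To: staff@example.com\nSubject: Updated bank details\n\nSee attachment.\n"
    ),
}


def triage_samples():
    """Run every constructed sample through the checker; returns name -> findings."""
    return {name: analyze_message(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in triage_samples().items():
        print(f"{name}: {findings or 'no findings'}")
```

These are header heuristics only; they complement, rather than replace, the SPF, DKIM and DMARC evaluation a mail gateway performs, and every hit is meant to be reviewed by the designated IT resource before it is added to the catalog of observed attack methods.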

Provide frequent security reminders

Create regular reminders and routinely schedule lessons to ensure security remains top of mind for all end users. Build different security campaigns — periodically send out newsletters and post videos that warn of recent threats and provide email security tips. This reminds users to be proactive to protect themselves from attacks.

Organizations implement security awareness to mitigate the risks of infections or data breaches that come with email attacks. No single security system will block all threats that arrive via email; end users that know what to look for are less likely to fall victim to an attack.
