Wednesday, April 26, 2017

Monday tech: PRSD DDoS attack

Hi everyone
Today I'm going to talk about a nice variation of DDoS that I recently encountered: PRSD DoS - Pseudo-Random Sub-Domain attack, also known as the "water torture" attack.
This DDoS attack floods a resolver with DNS queries for a real, well-known domain (such as google.com) combined with random, non-existent sub-domains (such as gfhadffgas.google.com).

What makes this attack cool?
The purpose of this attack is to stress the authoritative DNS servers of the target domain (google.com), but the damage does not stop there. Because every random name is different, nothing is served from cache: each query is forwarded to the ISP's recursive resolver, which has to resolve it all the way to the authoritative servers. The resolver's outstanding-query slots fill up with requests that time out, so the recursive resolver itself can become unresponsive or crash, taking name resolution down for all of its users.

Furthermore, most DNS servers out there do not mitigate this attack out of the box.
What can you do? Rate-limit or block clients that trigger too many negative answers: NXDOMAIN while the authoritative server is still answering, SERVFAIL once it stops responding. Bear in mind that a source address is often a shared NAT gateway or forwarder, so prefer per-client rate limits over hard blocks. In addition you can obviously increase the hardware resources of the DNS servers, or cap the number of outstanding recursive queries; the cap keeps the resolver process alive, but legitimate queries are dropped while the attack lasts, so it is containment rather than a fix.
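To make the "too many failed queries" rule concrete, here is an added example (not code from the original post) that runs the check over resolver query logs. The log format is a constructed, simplified one (client IP, query name, response code), and the thresholds are illustrative; the idea is to flag a client only when it produces many NXDOMAIN/SERVFAIL answers for one zone and the failing leftmost labels look random (high entropy), which is what separates a PRSD source from a user who mistyped a hostname.

```python
"""Flag PRSD ("water torture") sources in recursive-resolver query logs.

Added example, not code from the original post. The log format below is a
constructed, simplified one (client IP, query name, response code); real
resolvers (BIND querylog, Unbound, dnsdist) log differently, so adapt
parse_line() to your format. Thresholds are illustrative and far lower
than what a busy production resolver would need.
"""
import math
import re
from collections import Counter, defaultdict

# Constructed sample log: one legitimate client that mistyped a name once,
# and one attacker sending random labels under google.com.
SAMPLE_LOG = """\
198.51.100.7 www.google.com NOERROR
198.51.100.7 mail.google.com NOERROR
198.51.100.7 maps.google.com NOERROR
198.51.100.7 wwww.google.com NXDOMAIN
203.0.113.9 gfhadffgas.google.com NXDOMAIN
203.0.113.9 qzpxmkjhtr.google.com NXDOMAIN
203.0.113.9 bvnxlkjqwe.google.com NXDOMAIN
203.0.113.9 zxkqpwvmnb.google.com NXDOMAIN
203.0.113.9 tqrplmxkvb.google.com SERVFAIL
203.0.113.9 hjkqzvxwmn.google.com SERVFAIL
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(NOERROR|NXDOMAIN|SERVFAIL|REFUSED)$")
# NXDOMAIN while the authoritative server still answers, SERVFAIL once it
# stops responding: both count as a failed query for this purpose.
NEGATIVE_RCODES = {"NXDOMAIN", "SERVFAIL"}


def parse_line(line):
    """Return (client, qname, rcode) or None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groups() if m else None


def label_entropy(label):
    """Shannon entropy (bits per character) of a label; random strings score high."""
    counts = Counter(label.lower())
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_zone(qname):
    """Crude two-label zone extraction (google.com); use a public-suffix list in production."""
    parts = qname.rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else qname


def detect_prsd(log_text, min_negative=5, min_negative_ratio=0.8, min_entropy=3.0):
    """Return {client: {zone: negative_count}} for clients that look like PRSD sources.

    A client is flagged for a zone when it produced at least min_negative
    negative answers, those are at least min_negative_ratio of its queries
    for that zone, and the failing leftmost labels have a mean entropy of
    at least min_entropy bits/char (i.e. they look random, not mistyped).
    """
    per_client_zone = defaultdict(lambda: {"total": 0, "negative": 0, "entropies": []})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        client, qname, rcode = parsed
        stats = per_client_zone[(client, registered_zone(qname))]
        stats["total"] += 1
        if rcode in NEGATIVE_RCODES:
            stats["negative"] += 1
            stats["entropies"].append(label_entropy(qname.split(".")[0]))

    flagged = defaultdict(dict)
    for (client, zone), s in per_client_zone.items():
        if s["negative"] < min_negative:
            continue
        if s["negative"] / s["total"] < min_negative_ratio:
            continue
        if sum(s["entropies"]) / len(s["entropies"]) < min_entropy:
            continue
        flagged[client][zone] = s["negative"]
    return dict(flagged)


if __name__ == "__main__":
    for client, zones in detect_prsd(SAMPLE_LOG).items():
        for zone, n in zones.items():
            print(f"suspect {client}: {n} negative answers for random labels under {zone}")
```

Feed the output to a per-client rate limiter rather than a blanket block list: the same source address may be a whole office behind NAT, and throttling its negative answers hurts it far less than cutting it off.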

In conclusion: this is a very simple yet effective attack that exploits the iterative, trusting nature of DNS resolution. DNS DDoS attacks are on the rise: six months ago even large websites (Twitter, Spotify and others) were taken offline in the notorious attack against the DNS provider Dyn, carried out by a botnet of compromised devices controlled by several malware families, including the famous Mirai bot (https://techcrunch.com/2016/10/21/many-sites-including-twitter-and-spotify-suffering-outage/).
We are sure to see more and more application-layer DNS attacks in the future, since it is usually easier to bring down a DNS server than the web servers of a very large website.

Have a great day

Saturday, April 22, 2017

Cyber Updates - 22/04

Hey all,
Here are this week's cyber updates:

(1) Internationalised domain names are carried in DNS as Punycode (the xn-- form). To protect against homograph phishing attacks, browsers are supposed to display the Punycode form whenever the Unicode name could be mistaken for another domain.
Google Chrome, Mozilla Firefox and Opera were vulnerable to a phishing attack due to a flaw in this logic. The browsers only fell back to Punycode for names that mixed scripts; a domain whose characters were all taken from a single non-Latin script (for example Cyrillic letters that look identical to their Latin counterparts) was rendered in Unicode, so the address bar showed something that looked exactly like the targeted domain.
This allowed attackers to lure users to a site they controlled while the address bar appeared to show a trusted URL.
Here are all the details:
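As an added example (not code from the original post or from any browser vendor), the following Python shows the two checks a URL-handling component needs here: decode xn-- labels to Unicode, then flag a label that mixes scripts or that is written entirely in one non-Latin script yet maps character by character onto a Latin look-alike. The confusables table is a small hand-picked subset (use the full Unicode confusables.txt in production), and the sample look-alike domain is constructed from Cyrillic letters for this example.

```python
"""Detect IDN homograph (look-alike) domains of the kind described above.

Added example, not code from the original post or from any browser vendor.
CONFUSABLES is a small hand-picked subset of Cyrillic/Greek letters that
render like Latin ones; production code should use the full Unicode
confusables.txt. Sample domains are constructed for this example.
"""
import unicodedata

# Partial map of non-Latin letters to the Latin letter they resemble.
CONFUSABLES = {
    "\u0430": "a",  # Cyrillic a
    "\u0441": "c",  # Cyrillic es
    "\u0435": "e",  # Cyrillic ie
    "\u04bb": "h",  # Cyrillic shha
    "\u0456": "i",  # Cyrillic Byelorussian-Ukrainian i
    "\u0458": "j",  # Cyrillic je
    "\u04cf": "l",  # Cyrillic palochka
    "\u043e": "o",  # Cyrillic o
    "\u0440": "p",  # Cyrillic er
    "\u051b": "q",  # Cyrillic qa
    "\u0455": "s",  # Cyrillic dze
    "\u051d": "w",  # Cyrillic we
    "\u0445": "x",  # Cyrillic ha
    "\u0443": "y",  # Cyrillic u
    "\u03bf": "o",  # Greek omicron
    "\u03bd": "v",  # Greek nu
}

# Constructed sample: "apple" spelled with Cyrillic a, er, er, palochka, ie.
SAMPLE_LOOKALIKE = "\u0430\u0440\u0440\u04cf\u0435.com"


def to_unicode(domain):
    """Decode each xn-- (Punycode) label to Unicode; ASCII labels are left alone."""
    labels = []
    for label in domain.lower().rstrip(".").split("."):
        if label.startswith("xn--"):
            label = label[4:].encode("ascii").decode("punycode")
        labels.append(label)
    return ".".join(labels)


def scripts_of(label):
    """Set of script names (LATIN, CYRILLIC, GREEK, ...) of the letters in a label."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0] for ch in label if ch.isalpha()}


def skeleton(label):
    """Replace each confusable letter with its Latin look-alike."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in label)


def analyze_domain(domain):
    """Return (unicode_form, skeleton_form, reason).

    reason is None when the name looks safe, 'mixed-script' when a single
    label mixes scripts, or 'whole-script-confusable' when a label written
    entirely in a non-Latin script renders like a Latin label (the case the
    browsers above missed). skeleton_form is what the name looks like to a
    human and can be compared against a list of protected brand domains.
    """
    uni = to_unicode(domain)
    reasons, skel_labels = [], []
    for label in uni.split("."):
        scripts = scripts_of(label)
        skel = skeleton(label)
        skel_labels.append(skel)
        if len(scripts) > 1:
            reasons.append("mixed-script")
        elif scripts and "LATIN" not in scripts and skel.isascii() and skel != label:
            reasons.append("whole-script-confusable")
    return uni, ".".join(skel_labels), (reasons[0] if reasons else None)


if __name__ == "__main__":
    puny = "xn--" + SAMPLE_LOOKALIKE.split(".")[0].encode("punycode").decode("ascii") + ".com"
    for name in ("apple.com", puny, "payp\u0430l.com"):
        uni, skel, reason = analyze_domain(name)
        print(f"{name:28} -> shows as {uni!r:14} looks like {skel!r:14} {reason or 'ok'}")
```

A browser applies the equivalent rule to decide between showing the Unicode or the Punycode form; a mail gateway or proxy can apply it to compare the skeleton against the brands it protects.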

(2) Last week we reported a security incident at Marriott. This week it is IHG's turn to reach the headlines. The company's hotels were infected with malware that searched for track data (which sometimes includes the cardholder name in addition to the card number, expiration date and internal verification code) from the magnetic stripe of a payment card as it was being routed through the affected hotel server.

Be sure to check your credit card transactions if you stayed at an IHG hotel on or after September 29, 2016.

A list of affected hotels can be found in the following URL: https://www.ihg.com/content/us/en/customer-care/protecting-our-guests/property-listing

Stay tuned for more updates,
Dan Gurfinkel
Head of Offensive Security & Response Unit

Tuesday, April 18, 2017

Windows exploits dump by "TheShadowBrokers" - What you need to know/do

Background


This past weekend, a hacker group calling themselves “TheShadowBrokers” dumped a large amount of content which allegedly relates to the US Government’s cyber espionage activities.

Included in the dump were a number of previously unreleased vulnerability exploits, mostly targeting Windows systems. Some of these exploits allow an attacker to remotely execute code on a target system with zero client interaction, using the SMB service running on port 445. This type of "wormable" vulnerability in Windows (i.e. one that lets an attacker take control of a system remotely and then use the infected system to attack other systems) is very rare. The last notable example where a working exploit was released was the "MS08-067" vulnerability, which was used by the Conficker worm in 2008.

Whilst there was initially a great deal of speculation and panic that these Windows exploits were “0 days”, i.e. unpatched vulnerabilities, Microsoft published a comprehensive blog-post indicating that all relevant exploits in the dump had already been patched in supported Operating Systems. 

Key Issues


It is important to note the following:
  1. These vulnerabilities still exist in unsupported Operating Systems such as Windows Server 2003 which will not receive patches.
  2. Some of the most critical vulnerabilities were only fixed in the March 2017 “Patch Tuesday” release.
As such, organisations running older Windows Operating Systems or which have not applied the latest patches to their newer Windows Operating Systems may still be at risk from these vulnerabilities.

Our Recommendations


We would therefore recommend that organisations take the following immediate actions:
  • Scan for Windows machines where port 445 is externally exposed to incoming traffic from the Internet and block this at the firewall.
  • Where servers were found with this port open, review server logs to look for evidence of malicious activity.
  • Prepare a plan to patch all Windows machines with the key patch (MS17-010) and any of the other patches from the Microsoft blog-post above which have not yet been applied.
  • Prepare a mitigation plan for any Windows machines which are unsupported or cannot be patched in a timely fashion.
  • Review the list of exploits to look for non-Windows exploits which may directly affect you.
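The first two actions above start with knowing which of your hosts accept SMB connections from the outside. The following added example (not part of the original advisory) is a small reachability scanner that expands addresses or CIDR ranges and reports hosts where TCP/445 completes a handshake; run it from an external vantage point against your public ranges. It only tests exposure, not whether MS17-010 is installed, so every hit still needs the firewall change and the log review.

```python
"""Find hosts that accept TCP connections on 445 (SMB) from where this runs.

Added example, not from the original advisory. Run it from outside your
perimeter against your public ranges to find SMB exposed to the Internet.
It tests reachability only; it does not check whether MS17-010 is applied.
"""
import ipaddress
import socket
import sys
from concurrent.futures import ThreadPoolExecutor


def port_open(host, port=445, timeout=1.0):
    """True if a TCP handshake to host:port completes within timeout seconds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def expand_targets(specs):
    """Expand CIDR ranges and single addresses into a list of targets.

    Anything that is not a valid address or network (e.g. a hostname) is
    passed through unchanged so the resolver handles it at connect time.
    """
    targets = []
    for spec in specs:
        try:
            net = ipaddress.ip_network(spec, strict=False)
        except ValueError:
            targets.append(spec)
            continue
        if net.num_addresses == 1:
            targets.append(str(net.network_address))
        else:
            targets.extend(str(ip) for ip in net.hosts())
    return targets


def find_exposed(targets, port=445, timeout=1.0, workers=64):
    """Return the sorted list of targets on which `port` accepted a connection."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda t: (t, port_open(t, port, timeout)), targets))
    return sorted(t for t, is_open in results if is_open)


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: smb_exposure.py <ip|cidr|hostname> ...")
    for host in find_exposed(expand_targets(sys.argv[1:])):
        print(f"{host}: tcp/445 reachable; block at the firewall and review its logs")
```

Scanning from inside the network is still useful (it shows where SMB is reachable between segments, which is what a worm uses to spread), but only an external scan answers the question in the first bullet.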

We would also recommend the following, mid to long term actions:
  • Ensure that you have a robust Patch Management process in place to allow timely application of updates.
  • Ensure all non-vital ports are inaccessible externally across the technology environment.
  • Prepare a plan to upgrade unsupported OSes as soon as possible.


Closing thoughts


This incident also shows the importance of being prepared for the case where an attacker gains internal network access (be it through a "0 day" vulnerability or through social engineering).

Organisations should ensure that strong detection controls are in place to discover unexpected or malicious activity in the internal network and design the network to make it harder for an attacker to move laterally from one part of the network to another without detection.

Josh Grossman
Senior Information Security Consultant and Team Leader
@JoshCGrossman

Saturday, April 15, 2017

Cyber Updates - 15/04

Hey all,
Here are this week's cyber updates:

(1) A security vulnerability (CVE-2017-0199) has been discovered in Microsoft Word that allows an attacker to execute code on the victim's machine when a crafted Word document is opened. As opposed to attacks that require the user's cooperation (such as allowing a macro to run), this attack merely requires the victim to open the document outside Protected View.

In particular, the vulnerability resides in the handling of OLE2Link objects. A malicious OLE2Link object placed in the document causes Word to fetch a malicious HTA file from an attacker-controlled server; the file is then executed automatically by the HTA handler.

The most important thing to note about this vulnerability is that it lies in Office, not in the operating system, so a vulnerable Office installation is exposed on any version of Windows!

Comsec has observed malicious entities exploiting this vulnerability in the wild. Clients are therefore advised to update Office as soon as possible. Until the update is installed, it is recommended to open documents from untrusted sources only in Protected View.
Here are all the details:

(2) Microsoft's developers did not have an easy month. Another vulnerability has been discovered in Microsoft Office (CVE-2017-2605), and this one remains unpatched! The flaw resides in the Encapsulated PostScript (EPS) filter in Microsoft Office, allowing malicious code to execute when a document carrying a crafted EPS image is opened. As a countermeasure, Microsoft has issued a "patch" that disables the EPS filter by default.


(3) An ex-Marriott employee hacked the chain's reservation system after being fired. The employee changed room prices to as little as $12 a night. While it is still unclear how he got into the system, he did not do a fine job of hiding his traces, as his home IP address was logged, leading to his arrest.

While this case was resolved with the hacker's arrest, an organization often cannot be sure whether a malicious employee has indeed compromised its systems. Organizations are thus encouraged to engage in Red Team or Ethical Hacking exercises in order to protect themselves from the insider threat.


(4) Mobile developers often think that sensitive data remains safe if they properly implement PIN code protection. A team of researchers from Newcastle University might make them reconsider, as they were able to guess users' PIN codes by monitoring the phone's motion sensors.

The team built JavaScript code that reads several sensors exposed to web pages (such as device orientation and motion events). This allowed the researchers to guess a 4-digit PIN with a success rate of 74% on the first try and over 90% within 4 attempts.

And the most important aspect of this attack is that it does not require a malicious app to be installed. All the victim needs to do is visit a malicious website and let the JavaScript run in the background, since browsers expose these sensors to web pages without asking the user for permission.


(5) Hackers activated Dallas' emergency warning sirens for nearly two hours, resulting in numerous calls to the 911 system from concerned citizens.

It appears that the system is operated by radio signals. The attacker apparently managed to obtain the documentation, or the code, used to trigger the sirens. By repeatedly replaying the command signal, they kept the sirens wailing until the radio-based system was disabled.

This breach does not come at a good time for Dallas: last year the city's electronic road signs were hacked to display jokes.

Stay tuned for more updates,
Dan Gurfinkel
Head of Offensive Security & Response Unit

Saturday, April 8, 2017

Cyber Updates - 08/04

Hey all,
Here are this week's cyber updates:

(1) Broadcom Wi-Fi chips were found to be vulnerable (CVE-2017-6956) to remote code execution. Security researcher Gal Beniamini found a stack overflow in the firmware of the vendor's Wi-Fi chip that can be triggered with crafted Wi-Fi frames. This allows an attacker within Wi-Fi range of your mobile device, with no interaction from the user, to corrupt the chip's memory and execute code on it, from where the rest of the device can be attacked.
Since Broadcom is the most widely used Wi-Fi chip family in mobile devices, numerous phones were vulnerable, including Apple devices (CVE-2017-6975) and Nexus devices; both Apple and Google have issued fixes for this vulnerability.


(2) ATMs in Russia were hacked using fileless malware, allowing the attackers to steal $800,000 in a single night. The malware let an accomplice simply walk up to an infected ATM and collect the cash it dispensed, without tampering with the machine at all!
According to TheHackerNews, the malware is installed and executed remotely on the ATMs via their remote administration module: the attackers form an SSH tunnel to the ATM, deploy the malware, and then send the command that makes the ATM dispense cash.


Stay tuned for more updates,
Dan Gurfinkel
Head of Offensive Security & Response Unit

Wednesday, April 5, 2017

Monday tech: SHA1 Collision - don't use SHA1 anymore!



Hi all
A hash function, as you all know, takes data of any size and produces a fixed-size digest that "represents" it.
Many think of a hash function as a one-to-one function, meaning that the same input always produces the same digest, and that a given digest can only have come from one input.

This is only half-true. The same input does indeed produce the same digest every time; this is why you can store the hash of a password in the DB and check the entered password against it. But the second half is false: the same digest can, in principle, be produced by different inputs.
Why? Because no matter how large the input is, the digest always has the same length, fixed by the algorithm being used.
SHA256, for example, always produces a 256-bit digest.
Since there are infinitely many possible inputs but only 2^256 possible digests, collisions must exist (the pigeonhole principle).

So why are collisions only a theoretical concern for a sound hash function? Because the digest is so long that finding two inputs with the same digest by trial and error takes about 2^(n/2) hash computations for an n-bit digest (the birthday bound), which is 2^128 for SHA256 and out of reach for anyone. Collisions only become practical when the algorithm has a mathematical weakness, as happened to MD5, for which collisions have been cheap to produce since 2004.
In practice, collisions should never be found for a hash function that is still considered secure.

About a month and a half ago, Google announced a shocking discovery: They have managed to find a mathematical weakness in the SHA1 algorithm, and produced a practical way to produce 2 different values that will produce the same SHA1 digest value.
They nicknamed that collision attack SHAttered.
What are the consequences? As Google say in their article: “The attacker could then use this collision to deceive systems that rely on hashes into accepting a malicious file in place of its benign counterpart. For example, two insurance contracts with drastically different terms”
Note that SHAttered is a collision attack, not a preimage attack: it lets an attacker craft two files that share a digest, but it does not give a practical way to find an input matching a given SHA1 digest (for example to recover a hashed password). It is also still expensive, since "the SHA-1 shattered attack is still more than 100,000 times faster than a brute force attack which remains impractical."
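The pigeonhole argument above and the collision-versus-brute-force distinction can both be watched in action by shrinking the digest. The following added example (my own code, not Google's SHAttered tooling) truncates SHA-1 to a few bytes as a hypothetical weak hash, finds a collision with a birthday search in roughly 2^(n/2) hashes, and contrasts that with a preimage search for a fixed digest, which needs about 2^n tries; the colliding pair's full 160-bit digests still differ, which is exactly why a real SHA-1 collision needed the SHAttered effort.

```python
"""Collisions vs. preimages on a truncated SHA-1.

Added example, not Google's SHAttered code. Full SHA-1 collisions need the
SHAttered machinery; truncating the digest to a few bytes (a hypothetical
weak hash used only for demonstration) lets two facts be shown in well
under a second: (1) collisions are guaranteed by the pigeonhole principle
and turn up after roughly 2^(n/2) hashes (birthday bound), (2) a preimage
for a given digest still costs about 2^n tries, which is why a collision
attack alone does not let anyone "reverse" a SHA-1 hash.
"""
import hashlib
import math


def trunc_sha1(data, nbytes):
    """SHA-1 digest truncated to nbytes (nbytes=20 is the full digest)."""
    return hashlib.sha1(data).digest()[:nbytes]


def find_collision(nbytes, prefix=b"contract-"):
    """Birthday search: hash distinct inputs until two share a truncated digest.

    Returns (input_a, input_b, digest, hashes_computed). Expected cost is
    about 2^(4*nbytes) hashes, i.e. the square root of the digest space.
    """
    seen = {}
    i = 0
    while True:
        msg = prefix + str(i).encode()
        d = trunc_sha1(msg, nbytes)
        if d in seen:
            return seen[d], msg, d, i + 1
        seen[d] = msg
        i += 1


def find_preimage(target, nbytes, prefix=b"guess-", limit=None):
    """Brute-force search for any input hashing to target.

    Expected cost is about 2^(8*nbytes) hashes, the full digest space.
    Returns (input, tries) or (None, tries) if limit is reached first.
    """
    i = 0
    while limit is None or i < limit:
        msg = prefix + str(i).encode()
        if trunc_sha1(msg, nbytes) == target:
            return msg, i + 1
        i += 1
    return None, i


def birthday_bound(nbits):
    """Approximate number of hashes for a 50% collision chance: sqrt(2 ln 2 * 2^n)."""
    return math.sqrt(2 * math.log(2) * 2 ** nbits)


if __name__ == "__main__":
    a, b, d, n = find_collision(3)  # 24-bit digest: ~4800 hashes expected
    print(f"24-bit collision after {n} hashes (birthday bound ~{birthday_bound(24):.0f}):")
    print(f"  {a!r} and {b!r} both hash to {d.hex()}")
    print("  full SHA-1 digests still differ:", trunc_sha1(a, 20) != trunc_sha1(b, 20))
    target = trunc_sha1(b"the-real-file", 2)  # 16-bit digest: ~65536 tries expected
    msg, tries = find_preimage(target, 2)
    print(f"16-bit preimage {msg!r} found after {tries} tries (expected ~{2 ** 16})")
```

Scaling the numbers back up is the whole story: for 160-bit SHA-1 the birthday bound is 2^80, SHAttered brought the collision cost down to about 2^63, and a preimage is still 2^160, untouched by the attack.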

The research took 2 years to complete, and consumed a staggering amount of computational resources:
·         Nine quintillion (9,223,372,036,854,775,808) SHA1 computations in total
·         6,500 years of CPU computation to complete the attack first phase
·         110 years of GPU computation to complete the second phase

Unbelievable.
Google announced that they will publish a tool that will allow anyone to create 2 different PDF files that produces the same SHA1 digest value.

What does that mean in our everyday PT lives? SHA1 is not safe anymore. It is not only weakened, as previously believed; its collision resistance is broken, and it should be avoided altogether.
For passwords the real problem with SHA1 (as with any fast hash) is speed rather than collisions, so password storage should use a dedicated slow algorithm such as bcrypt, scrypt, Argon2 or PBKDF2. SHA1 must not be used for digital signatures or certificate verification, where collision resistance is exactly the property that matters.
If you do encounter SHA1 being used to validate the authenticity or integrity of a file, put a medium-high finding in your report saying the algorithm is obsolete and the check can be defeated.

Have a great day


Gil Cohen
CTO