Irongate & Customized ICS Malware: Don’t Hit the Snooze Button This time

icspic3

ICS or Industrial Control System networks are integral to running our critical infrastructure, industrial and manufacturing processes, hospitals.  These are specialized systems that have been kept separate or “air gapped” from main networks, but that has been changing over the past few years as everybody finds ways to get connected. However, a mindset persists that because these systems are “special” and “different”, and because they have been segregated from conventional networks for so long, they are inherently protected. This past week heralded the discovery of “Irongate”, customized malware for ICS that is still in the testing stages and has not been used against production facilities – yet. The fact that somebody has carried on from where Stuxnet left off is a warning to us all that our assumptions on what keeps us secure no longer apply.

Stuxnet showed us that specialized systems offer attackers, especially at the nation state level, a unique opportunity for this reason. Nobody is looking when they think they are secure. The fact is that attackers live within our networks for long periods. We have seen this proven in recent months through the rapid escalation of ransomware and lateral movement through networks to accumulate info and destroy data; in the attack on the power grid in the Ukraine where attackers harvested credentials to access the VPN and get into supposedly secure systems; and the SWIFT banking heists where attackers learned the most intricate details of how to manipulate printer outputs and redirect huge monetary transactions.

‘Airgaps’ are great in theory, but don’t hold up given the growing reality of the Iot and now the IIoT. With pressures to cut costs, increase productivity, and just make things easier, these systems are being connected to corporate networks and the “Cloud”. There’s a whole lot of scary here because the truth is that ICS systems are not well monitored. Experts like Chris Sistrunk and Robert M. Lee have made this pointedly clear in emphasizing the need for NSM, network system monitoring and DFiR, digital forensics, to look for what attackers leave behind.  You can’t find the danger if you aren’t looking.

While the big announcement of Irongate was this week, researchers actually found samples late 2015, and reports show that the malware can be dated as far back at 2012, and was submitted to VirusTotal through the web interface in Israel in 2014. There is no evidence of this having been used in any campaign, nor is it associated with known threat actors.  Siemens ProductCERT confirmed that “the code would not work against a standard Siemens control system environment”. As it stands, it is not proof-of-concept for an actual weapon or adversary. Yet, the code was found when searching for droppers compiled with PyInstaller; Irongate droppers are Python scripts converted to executables from that same software. Somebody saw the need to make this, and the opportunity for exploit.  We need to read into that and act on it before it moves from test to production.

According to Robert M. Lee,

“ICS is a viable target and attackers are getting smarter on how to impact ICS with ICS specific knowledge sets… The unique nature of ICS offers defenders many advantages in countering adversaries but it is not enough. You cannot rest on the fact that ‘ICS is unique’ or ‘ICS can be hard to figure out’ as a defense mechanism. It is a great vantage point for defenders but must be taken advantage of or adversaries will overcome it.”

Right now, there is a lot of speculation around why this exists in test, without a known contributor. Dan Scali, senior manager for FireEye Mandiant ICS Consulting, posits “Is someone trying this in a simulated [environment] before taking it to a production environment? Or is it a researcher saying ‘look what I can do … a Stuxnet-type thing?”

Robert M Lee expressed concern that this illustrates a fundamental security problem with ICS/SCADA. “It’s a sign of the interest in this by pen testers, security companies, as well as adversaries…I am not confident that a majority of the industry could respond to it. We don’t know what’s out there; antivirus companies aren’t finding it and even if they had, who would know what to do with it [the threat]?”

If we’re not looking, we’re not finding. And we won’t be able to prepare for attacks which are already in the works. We would be foolish to think otherwise.

This argument is made by Lior Frenkel, CEO of Waterfall Security.  He expects attacks similar to Stuxnet “are in the pipeline”.

these attacks will increase in their sophistication and complexity so any solution needs to be completely comprehensive and robust to cover the full perimeter of an ICS site … (adding that) unidirectional gateways are the optimal solution for these attacks”.

Add to that this assertion by Sean McBride, attack synthesis lead for FireEye iSIGHT Intelligence: “I would not be surprised to see sandbox evasion and file replacement attacks incorporated by future ICS malware deployed in the wild.” This is yet another wakeup call for ICS SCADA, and other sensitive segregated systems.

Irongate is

  • sophisticated,
  • has the capacity to be persistent,
  • is evasive
  • undetected by AV
  • introduces new features to existing knowledge of customized ICS malware.

The key feature is a man-in-the-middle (MitM) attack, where the malware replaces existing DLL (Dynamic Link Library) files with malicious ones, enabling it to come between a PLC and legitimate monitoring software to engineer the next step. Like a scene from a movie, where the security camera footage is manipulated, the malicious DLL records five seconds of ‘normal’ traffic from a PLC to the user interface. This “footage” goes on replay while other data gets sent back to the PLC. Hence an attacker can alter a controlled process without alerting the process operators.

Causes for concern should be:  this malware was undetected by AV, even though some strings had the word “dropper” and there was an actual module named scada.exe; the malware is evasive, and will not run if it detects the use of VMware or Cuckoo Sandbox environments – something Stuxnet could not do.

Although Irongate is not as complex, the similarities to Stuxnet stand out:

  • Both types of malware search for a single, highly specific process.
  • Both replace DLLs to manipulate processes
  • Both are evasive. IRONGATE looks for sandbox or VMware that allow observation of malware; Stuxnet sought out antivirus software.
  • Both manipulate process data. IRONGATE actively records and plays back to conceal it manipulations however.

A key difference is that unlike Stuxnet, “Irongate has no worm-like spreading function, nor any apparent ties to nation-state actors”.

Recommendations on how to secure against this latest variant of ICS malware include integrity checks and code. But it really comes down to following through on best practices and those areas already identified as weak. The problem is that what we’ve been doing will fail us going forward, and we’re failing at doing the basics right. Know your baselines and actively look for anomalies. NSM needs to happen, as does DFiR within ICS, comprehensively and without further delays and excuses. Otherwise, we are turning a blind eye to attackers who know these systems better than we do.

This latest variant of customized ICS malware may be in the testing stages as we found it. But you can bet if someone else is working on this, things have already moved toward production and deployment. Irongate is yet another major wakeup call and we can’t keep hitting the snooze button.

Resources:

https://www.fireeye.com/blog/threat-research/2016/06/irongate_ics_malware.html

https://www.helpnetsecurity.com/2016/04/13/ics-network-attacks/?utm_content=buffer3b349&utm_medium=social&utm_source=twitter.com&utm_campaign=buffer

http://www.darkreading.com/threat-intelligence/shades-of-stuxnet-spotted-in-newly-found-ics-scada-malware-/d/d-id/1325753

https://www.helpnetsecurity.com/2016/06/03/ics-focused-irongate-malware/

Yes Virginia, Dreams Really Do Come True!

securityunicorn

Sorry to have neglected you this past while. Big changes have happened. But that’s a good thing. A really good thing. And something I hope to carry forward.

You may have heard about the lack of talent in cyber security. And the lack of women in tech. And the resulting lack of women in cyber security. I am thrilled to tell you that I have now changed that statistic by one.

Yes Virginia, dreams really do come true. Because  I was offered the role of my life. My dream job.

I now do Threat Intel with the cyber security team at KPMG. As a cyber security consultant.

Repeat after me:

OMG! OMG! OMG!  Now breathe. (that really was fun, wasn’t it!)

Now I can stay up all night, every night, looking for cyber boogeymen and playing what-if til I can’t keep my eyes open. And people actually want to know about what I find. Oh, holy cow – it is amazing!

I have to learn more about all. the. things. Which is fantastic because I like all the things. Networks. SCADA ICS. Mainframes. Web Application Firewalls. And of course my 3 favourite letters: APT or Advanced Persistent Threat. Because the biggie of all those, Stuxnet, is what led me here in the first place.  I get to work with amazing people whose knowledge and skill just inspires me every day to do more.  We plan and build and evaluate things most people have no idea about, but that will actually make the world a better and safer place for everyone. And that is the realization of one of many childhood dreams. I still haven’t walked onto a Starfleet Enterprise class ship yet, but believe me, this is what it would feel like.

And this is where I tell you the really good stuff. That you have it in you to make your version of this happen. I stopped listening when people told me “you can’t do that” or “you  got that all wrong” or “maybe you’d be better at’.  I listened to that voice inside me, that passion pushing me further even when it seemed impossible. Even when I couldn’t understand it the first time, or someone said no, and said no again.  Because something inside of me wouldn’t let it go. I loved it too much.  Listen to that piece of you that won’t let go.  Find that thing you love enough to fight for it – and fight.  You deserve the sweetness of this victory. And oh, if it can happen for someone like me without all the proper degrees and traditional routes, then it can happen for you. Believe.

So come along and join me for my next incredible, amazing adventure. I’m only just getting started!

(Necessary Disclaimer bit that all these posts are my own and not my employer’s)

The Future of Ransomware

ransom

Ransomware is like like a nasty game of tag: you can try to avoid it but once you’re hit, you’re out. For all we know about doing defence right, following the best practices advocated by NIST and SANS, this particularly malevolent threat has been on an upward trajectory out of the gate since 2016, after trending through 2015.  It’s gone way beyond just phishing for targets and locking down individual files.  Current strains are evasive: like tag, they figure out what anti-virus and security is running on the target system that might detect it and stay hidden. They now go after websites. They lock down entire servers. And they don’t care who the victims are – not even hospitals.

Samsam-ransomware-attack-chain-768x391

If you’ve been reading along with me on Twitter, or happen to be up at 2:00 a.m. like I am, you know that ransomware is what keeps me up at night. Along with some other brilliant minds in our security community who are dedicated to tracking and shutting down this ever-growing threat. These guys really know what they’re doing. Countless hours of research, investigation and analysis have produced this paper:  Ransomware: Past, Present, and Future.   There are definitive pieces that give the lay of the land and map out the course ahead. That is what this piece does. Sincere appreciation for the efforts of  @da_667 @munin @ImmortanJo3 @wvualphasoldier (and others) who put this together. They understand just how widespread the risk is, and time is not a luxury we have. This is essential reading for anyone in tech, security, business, critical infrastructure. Essentially, anyone who needs to safeguard the data and networks their daily business relies on.

From the Talos blog: A fictional Adversary’s workflow of compromise and takeover

dadiagram

Right now, here is what I would advise anyone.  Back you stuff up, frequently, and separately from the network.  Check your patch management situation. Where are your exposures?  How are you handling security awareness, especially around phishing? Do you monitor your systems regularly, so that you have a baseline to compare events against?

And finally, take the time now and please read this: Ransomware: Past, Present and Future by Talos. Because the more people who know about ransomware and where it’s headed, the better we can all work together to secure things.

Thank you for stopping by!

My Layman’s Terms: The Java Deserialization Vulnerability in Current Ransomware

There has been a recent wave of ransomware attacks against hospitals, highly publicized and for good reason. Who the hell attacks hospitals with malicious code that locks up access to critical care systems, and puts our most vulnerable at further risk? Well, there’s more to this story than I can reveal here but I’ve been following the trend for months, and here’s what you need to know.

tweet ransom

FIRST: This was never about the hospitals. They weren’t the specific target. Law enforcement also relies on constant access to critical systems and they are being hit. But this goes so much wider, and we’re missing the bigger picture here. Therein lies the danger.   Samsa/Samsam has been a cash grab for the attackers, with no costs, no penalties. Don’t expect them to stop looking for more revenue streams to hit.

SECOND: This ransomware is not the same old ransomware. We can’t rely on our standard approaches to detect and defend against future attacks. This one goes after servers, so it can bring down entire networks, and doesn’t rely on the social engineering tactics to gain access.  It’s so bad US-CERT has issued this recent advisory.

I’ve laid out what’s been made available on just how this new strain of ransomware works. And I’ve done it in terms to help anybody take a closer look at the middleware running in their systems currently. Because a little knowledge could be dangerous thing used to our advantage this time.

tweetsamsa

WHAT: Extremely dangerous and wholly underated class of vulns

Attackers can gain complete remote control of an app server. Steal or corrupt data accessible from the server. Steal app code. Change the app. Use the server as launching oint for further attacks.

  • No working public exploits against apps til now
  • Remotely executable exploits against major middleware products
  • Powerful functionality that should not be exposed to untrusted users in the ability to hijack deserialization process.

IMPACT: Millions of app servers open to compromise

  • Not easily mitigated
  • Potential for millions of apps to be susceptible
  • Many enterprise apps vulnerable

AFFECTS: All apps that accept serialized Java objects

Remotely executable exploits against major middleware products:

  • WebSphere
  • WebLogic
  • JBoss
  • Jenkins
  • OpenNMS

HOW: Vulnerability is found in how many JAVA apps handle process of object deserialization.

Serialization is how programming languages transfer complex data structures over the network and between computers. Disassembly is the process of breaking an object down into a sequence of bits.

Deserialization is reassembly of those bits. (unserialization)

A Java object is broken down into series of bytes for easier transport.

Then is reassembled back at other end. Think the fly or tranporter

PROBLEM:  many applications that accept serialized objects do NOT validate or check UNTRUSTED input before deserialization or putting things back together. So yes, this is the perfect point to sneak the bad stuff in.

Attackers can INSERT malicious object into data stream and it can execute on the app server

Attack method:  special objects are serialized to cause the standard Java deserialization engine to instead run code the Attacker chooses.

Each of the 5 middleware applications listed above has a Java library called  “commons-collections.” This has a method that can lead to remote code execution when data is deserialized. Because no code should execute during this process.

NEEDS TO HAPPEN:

Enterprises must find all the places they use deserialized or untrusted data. Searching code alone will not be enough. Frameworks and libraries can also be exposed.

Need to harden it against the threat.

Removing commons collections from app servers will not be enough.   Other libraries can be affected.

Contrast Sec has a free tool for addressing issue.  Runtime Applicaton Self-Protection RASP.  Adds code to deserialization engine to prevent exploitation.

Sources:

Why the Java Deserialization Bug is a Big Deal Dark Reading by Jai Vijayan

What Do WebLogic, WebSphere, JBoss, Jenkins, OpenNMS, and Your Application Have in Common? This Vulnerability

Paypal is the latest victim of Java Deserialization Bugs in WebApps

Back it up! Back it UP!

Because today is World Backup Day – A cautionary tale and my little take on “Shake It Off” by Taylor Swift

I left it too late
Got nothing on my plate
That’s what my disk drive says mmm-mmm
That’s what my disk drive says mmm-mmm

Now my files are all gone (sob)crash3
And I know something is wrong
At least that’s what the server says mmm-mmm
That’s what the server says mmm-mmm

So I keep losing
All the work that I was doing
It’s like I got this hole
In my drives
And it’s not gonna be alright

‘Cause the data’s gone away, way, way, way, waybash
And now it’s way too late, late, late, late, late
Baby, I’m just gonna cry, cry, cry, cry, cry
I shoulda backed it up, backed it up

Shellshock is gonna bash, bash, bash, bash, bash
And the hackers gonna hack, hack, hack, hack, hack
Baby, I’m just gonna cry, cry, cry, cry, cry
I shoulda backed it up, backed it up

When we got hacked todayransomware
By Ransomware – won’t pay
That’s what they say don’t do mmm-mmm
That’s what they say don’t do mmm-mmm

Get the backups- Let’s restore! (backup and restore)
Is this all- why aren’t there more? (why, why aren’t there more?)
So I tell them I don’t know, mmm-mmm
I tell them I don’t know, mmm-mmm

And we are losing
The work that we’ve been doing
It’s like we got this hole
In the drives
And it’s not gonna be alright

‘Cause the data’s gone away, way, way, way, waysonypictureshack-640x1136
And now it’s way too late, late, late, late, late
Baby, I’m just gonna cry, cry, cry, cry, cry
I shoulda backed it up, backed it up

Our site is getting hacked, hacked, hacked, hacked, hacked
Our accounts are getting jacked, jacked, jacked, jacked, jacked
Baby, I’m just gonna cry, cry, cry, cry, cry
I shoulda backed it up, backed it up

Back it up, I’ll back it up
I, I’m gonna back it up, back it up
I, I’m gonna back it up, back it up
I, I’m gonna back it up, back it up

Yeah ohhhh!!!!

Yeah the price we had to pay, pay, pay, pay, paydrive crash
But today’s a different day, day, day, day, day
Baby, I’m just gonna save, save, save, save, save
Now I back it up, I back it up

If the hard drive’s gonna crash, crash, crash, crash, crash
Or tornadoes gonna smash, smash, smash, smash, smash
Baby, I’m not gonna cry, cry, cry, cry, cry
Cause I back it up, I BACK IT UP!

You know what you gotta do – go do it!

Why The Internet Is Broken … Again

drown1

In the ongoing saga of our quest for powerful encryption online for all, free from backdoors and government restrictions, this week we stumbled again over the inherent brokenness of what the existing standard is.  Yet again, there is a massive vulnerability impacting the TLS or transport layer security.  And it stems back to a very short-sighted decision by the US Gov’t during the ’90’s.

DROWN attack renders messages vulnerable that are sent online between HTTPS servers – yes, that is correct, you saw the letter ‘s’. When stuff like this happens, it kind of defeats the whole purpose of making things HTTPS. The acronym is pretty self-explanatory. It stands for “Decrypting RSA using Obsolete and Weakened eNcryption”. Obsolete and Weakened says it all.

The impact is huge. It means that TLS connections to over 33% of HTTPS servers are open to attack using fairly fast and easy methods. That’s the other problem. The attackers won’t have to work hard for the money on this one. More about how later.

TLS matters because encryption matters, so it is the most important security protocol on the internet.  It began as SSL, or Secure Socket Layer, back when dinosaurs sat in power. And if we recall from previous briefs about similar problems, those stem back to the US government meddling in the ‘90s and making encryption work for their purposes ie dumbing it right down to do business abroad.

So the cause, simply put, is dangerously outdated SSLv2.  Gone but so not forgotten.While browsers or clients have gotten rid of SSLv2, many servers still support the protocol.  This can be attributed to carelessness and obsolete embedded devices that don’t get updated.  And while OpenSSL was supposed to offer a configuration option to disable SSLv2 ciphersuites, it doesn’t seem to be working because even when that option is selected or set, clients still can choose the SSLv2 option.  Here is an excellent explanation of why this is so serious by cryptography expert Matthew Green, and you can read his thoughts in detail in his recent blogpost on DROWN

If you’re running a web server configured to use SSLv2, and particularly one that’s running OpenSSL (even with all SSLv2 ciphers disabled!), you may be vulnerable to a fast attack that decrypts many recorded TLS connections made to that box. Most worryingly, the attack does not require the client toever make an SSLv2 connection itself, and it isn’t a downgrade attack. Instead, it relies on the fact that SSLv2 — and particularly the legacy “export” ciphersuites it incorporates — are pure poison, and simply having these active on a server is enough to invalidate the security of all connections made to that device.

So what happens is that a server is using both SSL/TLS. Double the flavour, double the fun  would necessitate separate certificates and private keys. Except that people don’t want to do more or pay more: so they use the same thing on both.  And yes, Virginia, a buggy SSLv2 will impact the security of TLS.

drown2

NOTE: a patch for this matter was issued in January but not well publicized. This doesn’t help because we need folks to get the patches up on their systems. Otherwise, we have what is still ongoing because of Shellshock Bash.  Unpatched instances propogating exploits. So please, do everyone a favour and patch your systems.

How does the bad stuff happen? In what is called a cross-protocol attack. It uses bugs in one protocol say SSLv2 to attack the security of connection made in another and different protocol ie TLS.  The irony is that while TLS is designed to defend against well-known attacks on this encryption  SSlv2’s export suites have been proven not to do that (via the Bleichenbacker Attack, and that’s all you really need to know about it here).

What we need to acknowledge is just how realistic an attack actually is. The answer is very. It will only cost a few hours and $440 dollars using the available power of Amazon EC2. The attacker would watch about 1000 TLS handshakes to find a vulnerable RSA ciphertext, use 40000 queries to the server and 2to the 50th offline operations. That may sound like a lot, but it really isn’t given today’s resources. We know attacks only get faster and more sophisticated.  Researchers have now found a new version that can decrypt a TLS RSA ciphertext in ONE minute on a single CPU core.

What can you do?  Start by checking your systems. Follow this link here:  https://test.drownattack.com/ (the link is safe). While there is a patch again that should help, it only works when applied. The DROWN Attack site will help you to learn more about how this vulnerability impacts various systems and how to disable SSLv2.

Read more here:

http://www.symantec.com/connect/blogs/drown-vulnerability-could-sink-secure-internet-connections

https://drownattack.com/

http://blog.cryptographyengineering.com/2016/03/attack-of-week-drown.html

Hope that was helpful! Thanks for reading.

Ransomware: Don’t Get LOCKY’d Out

locked-computer

LOCKY made its debut a week ago, and impacted half a million users around the globe in a day. The numbers have escalated alarmingly since then as this latest crypto-ransomware, developed by the same dark minds behind Dridex banking malware, spreads across platforms and continents.

What YOU Can Do

We’re warning users to beware of phishing emails. Even if it says it is from your bank, they will not send you an email for something requiring your urgent attention with a link or an attachment. The same goes for the CRA or other major financial institutions. MS Word documents masquerade as invoices requiring urgent payments, or bank statements. These will contain malicious macros that launch the malware. Once it gets onto a computer connected to ANY network, it will spread and contaminate rapidly. And any removable devices will also become contaminated, putting others at risk.
DO NOT ENABLE MACROS!

If you suspect you’ve been hit, time is crucial. Contact your support people immediately. We’re here for you. And shut your computer down. You need to cut yourself off from the network immediately. Expect that you will not be using your computer for some time and that you may need to shutdown the network. Given that the encryption is so powerful, the only recourse victims have is to restore from an untainted backup. Or face paying the ransom with no guarantees.

locky

As detailed by researchers at Naked Security for Sophos, LOCKY encrypts a wide range of file types. These include videos, images, PDFs, program source code, and Office files. As well as files in any directory on any mounted drive that the infected computer can access. This is important because this will also include removable drives plugged in at the time or network shares that are accessible like servers and other people’s computers. That is a lot of potential damage. Extend that to a case where an infected user is connected to the network using administrator access and controls; the damage could be widespread. Locky will also encrypt Bitcoin wallet files it finds, thereby stealing any bitcoin that could have paid ransom.
Where’s My Shadow Copy Backup?

But then LOCKY takes things further by removing any Volume Snapshot Service (VSS) files or “shadow copies.” If you use Windows, you know those are the current of live backups Windows takes of work in progress – we all rely on those for when we forget to save, or the system crashes. Unfortunately, for some users these shadow copies have simply become their backup system.

Steps to Stay Safer

  • Make regular backups and keep one off-site
  • Do not enable macros in emails and attachments
  • Be suspicious of attachments from unknown/untrusted sources
  • Do not stay signed on with administrator privileges any longer than you need
  • Keep your security patches up to date
  • Have a DRP with a business continuity plan in place to minimize downtime