A New Form of Cold Boot Attacks

By Robert Gray:

Security researchers at F-Secure have developed a new method to extract encryption keys or other sensitive data in memory from a laptop in sleep mode if an attacker can gain physical access to it.

Here is a quick explanation of how this type of cold boot attack works.

A “cold reboot” occurs when a computer is improperly shut down. When that happens, the contents of system RAM briefly remain after power is lost and might be readable when the system boots back up. In response to this security issue, computer manufacturers programmed the BIOS to overwrite the RAM early in the boot process. The new issue lies in how this fix was implemented: the BIOS stores a value in flash storage that tells it whether it needs to wipe the RAM on the next boot, but that value can be changed by the operating system or through hardware tweaking. Once the wipe is disabled, an attacker can boot the system from a USB drive and read the contents of memory.

This attack is theoretically possible against any Windows-based computer, or any Apple computer released prior to 2018, that an attacker can gain physical access to. Microsoft’s current recommendation is for anyone using encryption to use Hibernate mode instead of Suspend mode when keeping a laptop asleep, as Hibernate wipes any encryption keys from RAM. A more complete fix will require hardware and BIOS changes and likely will not be available for a while.

Sources:
https://blog.f-secure.com/cold-boot-attacks/
https://arstechnica.com/gadgets/2018/09/cold-boot-attacks-given-new-life-with-firmware-attack/

How Abandoned Domain Names Pose a Major Cyber Risk to Your Business

Many businesses don’t realize that abandoning previous domain names they no longer use can pose a huge security threat. A domain name is a name you can register to identify your business on the internet. For Canadian businesses this is typically a domain name ending in .com or .ca, such as example.com.ca. The problem with domain names is that they usually hold onto a decent amount of information about the company, and their renewal is left to lower-level technicians or outsourced IT support providers. Domain renewals are often seen as a waste of money by many companies, due to circumstances such as a change of brand name, a restructuring of the company, or abandoning the domain as a whole.

The issue with an abandoned domain name occurs when the domain is no longer paid for and goes out of service: after a certain grace period it becomes available for anyone to claim. Once the grace period is over and the domain is up for grabs, even attackers can claim the domain name that was left behind, with no proof of identity or ownership required. After the domain is snatched by a new owner, it can be set up with a “catch-all” email service, which means emails meant for the previous owner are delivered to the new owner of the domain and can end up in the hands of an attacker. As stated by the article, “online services often only rely on an email address as a single factor for password resets meaning online services once held by staff of the previous owner can be hijacked.” This is an example of how hijacking an old domain can be devastating to a business.

This is an image from the article showing that researchers were able to access documents intended for former clients. (Source: blog.gaborszathmari.me)

Oftentimes, even when businesses have merged into one, sensitive information can still be leaked through emails between clients, colleagues, vendors, suppliers, and service providers.

Research by Gabor Szathmari and Jeremiah Cruz found that they were able to:

  • access confidential documents of former clients;
  • access confidential email correspondence;
  • access personal information of former clients;
  • hijack personal user accounts (LinkedIn, Facebook, etc.) of former staff working in their new jobs; and
  • hijack professional user accounts (Commonwealth Courts Portal, LEAP, etc.) of former staff by re-registering abandoned domain names belonging to former businesses.

Active LinkedIn accounts belonging to former staff can be hijacked via abandoned internet domains (Source: blog.gaborszathmari.me)

There are many steps one can take to protect their data from abandoned domains. According to the Australian Cyber Security Centre, the following steps should be taken to minimize risks for businesses:

  • Keep renewing your old domain names indefinitely and do not let them expire and be abandoned, especially if a domain name was once used for email.
  • Close cloud-based user accounts that were registered with the old domain email address (this can be difficult to do for domains with a large number of email addresses).
  • Unsubscribe from email notifications which may carry sensitive data, such as text-to-email services and banking notifications.
  • Advise clients to update their address book.
  • Enable two-factor authentication, where the feature is supported for online services.
  • Use unique and complex passwords.
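One way to operationalise the first two steps above, as an added example that is not from the article or the ACSC: a small Python script that rates an organisation's domain inventory by expiry status and past email use, so the domains whose loss would expose password-reset mail are dealt with first. The inventory, its field names, the review date and the 90-day warning threshold are constructed assumptions for this example.

```python
from dataclasses import dataclass
from datetime import date

# Constructed inventory of current and historical domains; field names and values
# are assumptions for this example, not data from the article.
INVENTORY = [
    {"domain": "example-law.com.au", "expires": "2019-03-01", "had_email": True, "linked_accounts": 42},
    {"domain": "oldbrand-legal.com", "expires": "2018-06-30", "had_email": True, "linked_accounts": 7},
    {"domain": "example-law-events.com", "expires": "2018-11-15", "had_email": False, "linked_accounts": 0},
    {"domain": "example-law.com", "expires": "2020-01-10", "had_email": True, "linked_accounts": 110},
]
REVIEW_DATE = date(2018, 9, 18)  # the day the report is run (constructed)

@dataclass
class Finding:
    domain: str
    status: str  # "expired", "expiring" or "ok"
    risk: str    # "high", "medium" or "low"
    action: str

def assess(entry: dict, today: date, warn_days: int = 90) -> Finding:
    """Rate one domain. An expired or expiring domain that once carried email is the
    worst case: whoever re-registers it can receive password-reset mail for every
    account still tied to those addresses."""
    expires = date.fromisoformat(entry["expires"])
    days_left = (expires - today).days
    status = "expired" if days_left < 0 else "expiring" if days_left <= warn_days else "ok"
    if status != "ok" and entry["had_email"]:
        risk, action = "high", (
            f"renew now; close or migrate {entry['linked_accounts']} linked cloud accounts; "
            "unsubscribe notifications; tell clients to update their address books")
    elif status != "ok":
        risk, action = "medium", "renew, or retire deliberately after confirming nothing depends on it"
    else:
        risk, action = "low", f"no action; review again {warn_days} days before {expires.isoformat()}"
    return Finding(entry["domain"], status, risk, action)

def report(inventory, today: date, warn_days: int = 90):
    """All findings, highest risk first (sort is stable, so inventory order breaks ties)."""
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted((assess(e, today, warn_days) for e in inventory), key=lambda f: order[f.risk])

if __name__ == "__main__":
    for f in report(INVENTORY, REVIEW_DATE):
        print(f"{f.risk:6} {f.status:8} {f.domain:24} {f.action}")
```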

– Rusaf Talukder

Sources:

https://securityboulevard.com/2018/09/how-abandoned-domain-names-pose-a-major-cyber-risk-to-your-business/

https://cyber.gov.au/individual/news/domain-names/

https://www.csoonline.com/article/3300164/hacking/dont-abandon-that-domain-name.html

https://blog.gaborszathmari.me/2018/09/18/abandoned-domain-names-are-risk-to-businesses/

Iranian Hackers Steal Academic Research Papers From Over 70 Universities

By: Brent Burgess 9/18/201

Around three weeks ago SecureWorks, a cybersecurity research group, discovered a massive phishing scheme that has recently been targeting many universities. The phishing attack has targeted over 76 universities in 14 countries, including Australia, Canada, China, Israel, Japan, Switzerland, Turkey, the United Kingdom, and the United States. Most of the spoof sites had domains that attempted to replicate the universities’ library pages, capturing the credentials of users attempting to log in to their library resources and ultimately obtaining 31 terabytes of academic material. When credentials were entered, the victims were redirected to the actual university library site, where they either were signed in or asked to repeat their credentials. The 16 domains were created between May and August of this year. Many of the stolen research papers were then sold through encrypted messages on WhatsApp or Telegram.

These phishing attacks were found to be perpetrated by the Cobalt Dickens hacking group, which has been found to be closely associated with the Iranian government. In March of this year, the United States indicted the Mabna hacking group and nine members in connection with the group. That group’s previous attacks appeared to use the same infrastructure as the Cobalt Dickens attacks, implying some of the same members were involved. Universities that produce cutting-edge research are high-priority targets because of the value of the information they hold and the difficulty of securing them. This campaign took place shortly after the United States decided to re-establish economic sanctions against Iran, implying a potential political motivation.
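As an added illustration (not from the article or from SecureWorks), the following Python scores hostnames for resemblance to an institution's library login hosts, the kind of check a university security team can run over newly registered domains or outbound proxy logs to catch spoofed library pages early. The institution name, the hostnames and the scoring weights are constructed assumptions for this example.

```python
import re
from difflib import SequenceMatcher

# Constructed data: the institution's real domain and library/login hosts, plus
# hostnames seen in a new-domain feed or proxy log. All names are invented.
LEGIT_DOMAINS = {"example-university.edu"}
LEGIT_HOSTS = {"library.example-university.edu", "login.example-university.edu"}
CANDIDATES = [
    "library.example-university.edu",              # the genuine host
    "library-example-university.com",              # dot swapped for a hyphen, other TLD
    "example-university.edu.library-access.info",  # real domain used as a subdomain
    "exampleuniversity-library.net",               # hyphen dropped, vocabulary kept
    "weather.example.org",                         # unrelated
]

def registrable_domain(host: str) -> str:
    """Last two labels; adequate for the constructed .edu/.com/.net/.info names."""
    return ".".join(host.lower().split(".")[-2:])

def lookalike_score(host: str) -> int:
    """Heuristic points for a host impersonating the library login page;
    0 for anything under the institution's own domain."""
    h = host.lower()
    if registrable_domain(h) in LEGIT_DOMAINS:
        return 0
    squashed = h.replace("-", "").replace(".", "")
    score = 0
    for legit in LEGIT_DOMAINS:
        if legit.split(".")[0].replace("-", "") in squashed:
            score += 3  # institution name present
        if h.startswith(legit + "."):
            score += 3  # real domain embedded as a subdomain prefix
    if re.search(r"lib(rary)?|login|portal|ezproxy", h):
        score += 2      # library/login vocabulary
    for legit_host in LEGIT_HOSTS:
        if SequenceMatcher(None, h, legit_host).ratio() >= 0.8:
            score += 2  # visually close to a real host
    return score

def flag_lookalikes(hosts, threshold: int = 5):
    """(host, score) pairs at or above threshold, most suspicious first."""
    scored = [(h, lookalike_score(h)) for h in hosts]
    return sorted([s for s in scored if s[1] >= threshold], key=lambda s: -s[1])

if __name__ == "__main__":
    for host, score in flag_lookalikes(CANDIDATES):
        print(f"{score:2}  {host}")
```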

“This widespread spoofing of login pages to steal credentials reinforces the need for organizations to incorporate multi-factor authentication using secure protocols and implement complex password requirements on publicly accessible systems.” -SecureWorks

Sources:

https://www.zdnet.com/article/iran-hackers-target-70-universities-in-14-countries/
https://www.express.co.uk/news/world/1017903/US-sanctions-Iran-hackers-nuclear-power-cybersecurity-donald-trump/
https://www.securityweek.com/iranian-hackers-target-universities-large-attack-campaign-secureworks
https://www.secureworks.com/blog/back-to-school-cobalt-dickens-targets-universities


Recent Zero-Day Vulnerabilities disclosed on Twitter

By Stuart Nevans Locke:

Within the last few weeks, two zero-day exploits were disclosed on Twitter. Typically, vulnerabilities are reported to the company with the vulnerable product, researchers wait until the company fixes the vulnerability, and the vulnerability is made public only after patches are released. Companies that run bug bounty programs often pay researchers for finding vulnerabilities; however, those companies almost always pay less than researchers could get by selling the vulnerabilities on the black market. Some bug bounty programs also have extremely limited scope or are reluctant to reward researchers with bounties. As a result, companies such as Zerodium have formed which operate in the gray area of buying and selling exploits. For example, last year Zerodium offered to pay up to $250,000 to researchers who found a remote code execution vulnerability that resulted in root access, while the bug bounty program run by Tor would pay a maximum of $4,000.

On September 10, Zerodium released a tweet saying that the NoScript plugin of Tor Browser version 7.x could be trivially bypassed. NoScript is a plugin made for Firefox and bundled into Tor Browser; its primary purpose is to prevent JavaScript from running in the browser. While a vulnerability that bypasses NoScript would not be enough on its own to de-anonymize Tor Browser users, it could be a useful step in running JavaScript-based exploits that do. What makes this case of irresponsible disclosure so interesting is that Zerodium is in the business of buying and selling vulnerabilities, not giving them away on Twitter for no reason. This has caused speculation about why they released the vulnerability, with theories ranging from a PR move to Zerodium having more severe exploits for other versions of Tor Browser.

Earlier, on August 27, a Twitter user going by the handle @SandboxEscaper posted a tweet containing a local privilege escalation exploit that worked on fully updated Windows machines. Both the source code and a proof of concept (PoC) were published by the researcher. In the tweet, SandboxEscaper complained about how unpleasant dealing with Microsoft had been for them in the past. Very soon after SandboxEscaper released this exploit, malware in the wild began to use it.

The most worrisome thing about these two vulnerabilities is that both were disclosed in such an irresponsible manner, allowing them to be exploited in the wild before NoScript and Microsoft had time to put out patches. One of the things cybersecurity researchers emphasize most is the process of responsible disclosure, and it’s extremely worrisome to see it completely ignored by multiple sources.

Some Sources:
https://www.zdnet.com/article/exploit-vendor-drops-tor-browser-zero-day-on-twitter/ (Summary of Zerodium’s disclosure)
https://www.theregister.co.uk/2018/08/28/windows_zero_day_lpe/ (Summary of SandboxEscaper’s disclosure)
https://hackerone.com/torproject (Tor bug bounty)
https://zerodium.com/tor.html (Zerodium Tor Page)
https://doublepulsar.com/task-scheduler-alpc-exploit-high-level-analysis-ff08cda6ad4f (Technical Analysis of SandboxEscaper’s exploit)

Cryptocurrency mining malware, Ransomware, and who is at risk

By: Chase Alexander

9/11/2018

It is no secret that hackers are trying to gain something when they carry out an attack on a target, usually money. However, the way that they do this can vary. It does not always mean that they are stealing credit card information or bank account logins. Another way to exploit hacked targets is through cryptocurrency mining malware. There is also malware that takes over a system until a ransom is paid. Today I would like to look at three things: ransomware, cryptocurrency mining malware, and who is at the greatest risk for these kinds of attacks.

First I am going to examine ransomware. This is an interesting case, as it has been around for quite some time now. The attack method dates all the way back to 2016. You would think that it would have been stopped by now, and you would be somewhat correct. Gone are the days of spreading ransomware through spam emails and outbreaks, where the philosophy was to cast a net as wide as possible and see what gets caught. Today ransomware exists as a targeted attack on an individual or specific group. The goal of doing ransomware attacks this way is to carry out one strong attack, which will yield more reward than many weaker attacks. So how do they work? The attacker gains entry to a system via weak Remote Desktop Protocol passwords, escalates privileges up to administrator, uses those new privileges to overcome security software, spreads the ransomware to encrypt files on the system, and finally leaves a message with the ultimatum: “If you want your files to be decrypted, contact us via email or a dark web website.” And then they wait. If the victim pays the ransom, then it is mission success for the hacker. If they do not pay, it is almost inconsequential to the hacker, who will just move on to the next target and try again.
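To show what the first step of that chain looks like from the defender's side, here is an added Python example (not from the article) that flags RDP logons which succeed right after a burst of failed logons from the same source address, run over a constructed Windows Security log excerpt. The simplified event format, the accounts and the addresses are assumptions for this example; a real deployment would read these fields from the 4625/4624 events themselves.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed excerpt of a Windows Security log, one event per line:
#   EventID  timestamp  account  source IP  logon type
# 4625 = failed logon, 4624 = successful logon, logon type 10 = RemoteInteractive (RDP).
# The accounts and addresses are invented for this example.
EVENTS = """\
4625 2018-09-11T02:14:03 Administrator 203.0.113.45 10
4625 2018-09-11T02:14:05 Administrator 203.0.113.45 10
4625 2018-09-11T02:14:08 Administrator 203.0.113.45 10
4625 2018-09-11T02:14:11 Administrator 203.0.113.45 10
4625 2018-09-11T02:14:15 Administrator 203.0.113.45 10
4625 2018-09-11T02:14:19 Administrator 203.0.113.45 10
4624 2018-09-11T02:15:40 Administrator 203.0.113.45 10
4625 2018-09-11T03:00:00 jsmith 198.51.100.7 10
4624 2018-09-11T03:00:30 jsmith 198.51.100.7 10
4624 2018-09-11T08:30:00 jsmith 192.0.2.10 2
"""

def parse_events(text: str):
    """Turn the constructed log text into (event_id, time, account, ip, logon_type) tuples."""
    events = []
    for line in text.strip().splitlines():
        eid, ts, user, ip, ltype = line.split()
        events.append((int(eid), datetime.fromisoformat(ts), user.lower(), ip, int(ltype)))
    return events

def rdp_bruteforce_successes(events, min_failures: int = 5, window=timedelta(minutes=10)):
    """Return (ip, account, success_time, failures_in_window) for each RDP logon
    (type 10) that succeeded after at least min_failures failed RDP logons from
    the same source IP within the window. Other logon types are ignored."""
    failures = defaultdict(list)  # source IP -> timestamps of failed RDP logons
    hits = []
    for eid, ts, user, ip, ltype in sorted(events, key=lambda e: e[1]):
        if ltype != 10:
            continue
        if eid == 4625:
            failures[ip].append(ts)
        elif eid == 4624:
            recent = [t for t in failures[ip] if ts - t <= window]
            if len(recent) >= min_failures:
                hits.append((ip, user, ts, len(recent)))
    return hits

if __name__ == "__main__":
    for ip, user, ts, n in rdp_bruteforce_successes(parse_events(EVENTS)):
        print(f"{ts.isoformat()}  {ip} logged in as {user} after {n} failures")
```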

The other form of attack of interest is cryptocurrency mining malware. This attack takes over a machine and uses it to mine cryptocurrency for the hacker. It is very different because it requires no interaction between the hacker and the victim. Unlike the previous method, this one allows the hacker to try to remain undetected. With ransomware, the victim has the choice to either give up their machine and data or give in to the hacker; this method gives the victim no choice at all. If they don’t notice their computer fan running louder, they will have no idea that they have been hacked. In addition, cryptocurrency is effectively an unregulated currency, which means that once the hacker has it, they are in the clear. If a hacker were to steal bank account credentials, there would still be difficulties in actually obtaining the money inside those accounts. A drawback of this method, however, is that the profits are not immediate; they take time to accrue. If ransomware is successful, profits are made instantly.

So who is at risk for these attacks? Ransomware attacks are targeted: they go after one group or individual, and that group or individual will have to give up money in order to recover. It is as simple as this: if you do not have money or credit, you are at very low risk of this attack. The goal of ransomware is to collect a ransom, so a hacker will go after someone they know will be able to pay it; they are not going to go after the poor, who have very little to offer. A cryptomining attack, however, can happen to anybody. You don’t need any money or credit; if you have a computer, it can be used for mining cryptocurrency. In terms of large targets we can look at Vietnam: last year malware cost Vietnam 12.3 trillion VND, the equivalent of 540 million USD.


Sources:

  1. https://e.vnexpress.net/news/news/vietnam-vulnerable-as-new-cyber-security-threat-emerges-3804240.html
  2. https://nakedsecurity.sophos.com/2018/09/11/the-rise-of-targeted-ransomware/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+nakedsecurity+%28Naked+Security+-+Sophos%29
  3. https://www.zdnet.com/article/cryptocurrency-mining-malware-why-it-is-such-a-menace-and-where-its-going-next/