Many Cyber Security Startups are Failing

2017 was the year that had a lot of hacking headlines. The Equifax outbreak was one of the most critical ones. These cyber-attacks deterred many security startups. The timing of the situation is strange as the amount of cyber attacks should pave the way for many cyber security startups (Cyber security start-ups fall on hard times). Some of the reasons are that they are struggling against advanced hackers along with bigger companies developing same technology (Cybersecurity Startups Struggle). In the crowded market, a lot of them are failing to live up on their promises on how good the security is. The situation was very uncommon that David Cowman, a partner at Bessemer Venture Partners, mentioned that he has never seen such a fast-growing market with so many companies on the losing side. The cyber security industry is driven on the belief that there is no end in sight to cyber attacks or companies’ need to protect themselves (Baker).

Even then, only a handful of startups succeeded. The failed startups have become “corporate zombies” due to their inability of fetching a good price in an initial public offering or becoming acquisition targets according to some experts. These startups failed also because their inability to adapt to the evolving technology behind cyber attacks. Some companies tackle this problem by consolidating their security work, using just a few large players rather than spreading business around (Baker). This also saves money and a lot of trouble.

-Anil Adharapurapu

Sources:

https://www.pymnts.com/startups/2018/cybersecurity-startups-ipo-cybercrime-cyberattacks/

https://www.itnews.com.au/news/cyber-security-start-ups-fall-on-hard-times-481445

https://www.reuters.com/article/us-cybersecurity-startups-analysis/under-threat-cyber-security-startups-fall-on-harder-times-idUSKBN1F62RW

Advertisements

New Ransomware Spreads across Europe

A new ransomware, dubbed “Bad Rabbit”,  has been spreading quickly throughout Europe in the past few months.  The Petya-like attack (27% of BadRabbit code has been seen in Petya samples) has struck corporate and personal networks alike utilizing “drive-by” download attacks.  An initial analysis by Kaspersky Labs states that the malware spreads by luring victims using fake Adobe Flash Player installers meaning that no exploits were used in the distribution of the malware, the victim must manually execute the malware dropper.

Once executed, BadRabbit scans the internal network for open SMB (Server Message Block) shares and tries a hardcoded list of commonly used credentials to spread the ransomware.  It also uses the post-exploitation tool “Mimikatz” to extract the credentials off of the infected systems. This is notable because it marks a new wave of ransom attack, one that doesn’t utilize the “EternalBlue” exploit, the exploit used by notable ransomware such as WannaCry and Petya to spread throughout networks.  The same report also stated that numerous compromised websites have been detected “all of which were news or media websites.”

After spreading through a network, BadRabbit utilizes an open-source full drive encryption service called DiskCryptor that encrypts files using RSA 2048 keys.  After this, a ransom note appears on the screen asking victims to log into an onion website to make an initial payment of .05 bitcoin (or ~$285) in order to get their encryption key.  A countdown timer, originally set for 40 hours, is also displayed with the threat of increasing the price of the key if no payment is sent within the time frame.

badrabbit.png

Image result for bad rabbit screenshots

Affected organizations include Russian news agencies Interfax and Fontanka as well as the payment systems used in the Kiev Metro, Odessa International Airport, and the Ukranian Ministry of Infrastructure. Interfax was hit particularly hard, 24 hours after the attack their website still displayed the message “our service is temporarily unavailable.”

The head of Russian cyber-security firm Group-IB, Illya Sachkov says, “In some of the companies, the work has been completely paralyzed – servers and workstations are encrypted.” U.S. officials have stated that they have “received numerous reports ofBadRabbit ransomware infections in many countries around the world.”  The Russian central bank released a statement that there were recorded BadRabbit attacks on several of the top 20 Russian financial institutions, but that none had been compromised.

So far, attacks have been heavily concentrated in Russia, however, attacks have also been recorded in Ukraine, Turkey, and Germany.  An analysis is still being done on BadRabbit to try and find a way to decrypt computers without having to pay, as well as how to stop it from spreading further.

The malware is still undetected by the majority of anti-virus programs according to Virus Total. For now, Kaspersky Labs suggests that you disable the WMI service on your computers to prevent the malware from spreading over your network, as well as changing default credentials within your network.

sources

http://www.bbc.com/news/technology-41740768

https://thehackernews.com/2017/10/bad-rabbit-ransomware-attack.html

http://www.intezer.com/notpetya-returns-bad-rabbit/

 

RSA Key Factorization Attack

Following the revelation of the KRACK WPA2 vulnerability,  another widespread vulnerability, dubbed ROCA, appeared affecting millions of devices running Infineon Technology’s Trusted Platform Module chips.

Cryptographic RSA pairs generated on Infineon’s TPM are vulnerable to a factorization attack. It allows attackers to reverse-calculate someone’s private key based solely off of their public key. The risks of this vulnerability are that the attacker can impersonate the key owner, decrypt the user’s data protected by this key, injecting malware into signed software, etc.

Major vendors including Infineon, Google, and Microsoft have already released the software updates for affected hardware and software as well as guidelines for mitigation of the vulnerability.

End users are encouraged to patch their affected devices as soon as possible.

– Matthew Turi

Sources

https://thehackernews.com/2017/10/rsa-encryption-keys.html

Reaper Botnet Dwarfs Mirai

Mirai-botnet-diagram-1


By this point everyone and their mother has heard of the botnet dubbed ‘Mirai’, an infamous botnet infrastructure from last year that managed to take down a good chunk of the internet by attacking Dyn, a DNS provider. Well as of this September, weak passwords might have become the least of your worries if you’re like 60% of Check Point’s ThreatCloud covered corporations, and have un-patched vulnerabilities on your network.

Dubbed Reaper, or IOTroop by some, a new IoT botnet is propagating, and shows no sign of slowing down. Today, researchers have ruled out the possibility that Mirai and Reaper are connected, at least on a technical level, due to the superiority that Reaper has displayed in its intrusion and propagation techniques. Whereas Mirai was spread through the exploitation of default passwords across IoT devices, Reaper utilizes a specialized strand of malware that exploits well known vulnerabilities (such as those present in many printers and IoT toasters) to gain entry to a device, and further uses that device to spread itself to others connected.

With near exponential growth, Qihoo 360 Netlab witnessed approximately 2 million newly infected devices waiting to be processed by a C&C server, of which there are several that have thus been identified. The best thing that any concerned corporation or user can do at this point in time, would be to ensure that every machine on their network has updated firmware, and software in an attempt to limit the spread of this variable plague infecting IoT networks worldwide.

Currently, it appears as if we all might be witnessing a ‘calm before the storm’, situation, with this botnet ramping up massively in numbers and, according to Check Point, updating its capabilities on a daily basis. What else can I say but stay safe, and brace for impact, as when this thing hits, it’ll make the Dyn attack look like a birthday party.

– Kenneth Nero

Sources: Here, and Here, also Here

Vulnerabilities in systems without updated EFI

Recently there has been a study done. A company by the name of “Duo” has been analyzing the firmware in many models of Apple computers. What they had found is that while the OS may have been up to date, in some cases the computers EFI firmware was not. Duo’s reasoning behind using Apple products was that Apple themselves handle everything, from the software, to the hardware, and everything in between. This is not to say that the issue doesn’t occur on windows systems.

Actually, it might even be worse due to the fact that most windows systems use parts from other manufacturers. This essentially means that unless you update the firmware yourself you probably will not be receiving updates for it. On the other hand an Apple computer is usually set to install EFI firmware updates as the operating system updates. However, the problem has become when that doesn’t happen.

I’ve been going on about EFI and that it probably isn’t being properly updated on the systems, but what is it? EFI, or Extensible Firmware Interface, is a type of firmware. Firmware is a type of software that is fully independent from the operating system and can perform many tasks. The first and foremost job of EFI is to get your system up and running, though it can take on other roles like remote diagnostics to fix problems on a computer without anyone being present at the physical device.

So, what can be done by an attacker if your EFI isn’t up to date? Well, in an Apple system there are a few attacks that come to mind. The first being Thunderstrike. Basically what Thunderstrike allowed an attacker to do was flash a new EFI in place of the current Apple firmware version. This allowed for the attacker to have control of many aspects of the system without the user realizing it or being able to remove it. This mode of attack required physical access to one of the machines thunderbolt ports in order to write the new boot ROM. Later, Thunderstrike 2 came around. This did basically the same thing, except that the attacker could do it remotely.

Who is at risk? On average about 4.2% of the systems Duo analyzed had the wrong EFI version for their respective models. That doesn’t sound like a lot, but given the vast user base of Apple products this is actually quite a lot of systems. It also depends on the model you have. Some are more likely to have the wrong version over others. Duo released a table of Mac models that are likely to not have the correct firmware version.

Mac Model Version Number
iMac iMac7,1; iMac8,1; iMac9,1; iMac10,1
MacBook MacBook5,1; MacBook5,2
MacbookAir MacBookAir2,1
MacBookPro MacBookPro3,1; MacBookPro4,1; MacBookPro5,1; MacBookPro5,2; MacBookPro5,3; MacBookPro5,4
MacPro MacPro3,1; MacPro4,1; MacPro5,1

If your device is listed in this table then it has the potential of not having the correct version of EFI firmware or the firmware may have never been updated at all.

The bottom line is that EFI is just important to keep up to date as our operating systems, but most of us don’t even realize that it’s an issue. It doesn’t generally affect system performance so we generally don’t even think about it. In the world of Apple consumers this shouldn’t be a problem, seeing as the newest updates were supposed to fix the issues of EFI patches not being installed. However if you are on a Windows, Linux, or any other type of system, you may want to update your EFI firmware. In most cases this comes as a BIOS update for your motherboard.

Duo analyzed about 73,000 real world Mac systems, only using systems with updates that had been released within the last three years.

–Brett Segraves

Duo also has their study publicly available in PDF format.
Duo Labs Report: The Apple of Your EFI

Sources:

Duo Apple of your EFI Security Research
Wired: Critical Code in Millions of Macs isn’t getting Apple’s Updates
Info-Security: Many Patched Macs Still Vulnerable Via EFI Issues